UK Data Regulator Issues First Audit Summary of Police Facial Recognition Use
London, 29 August 2025 — The Information Commissioner’s Office (ICO) has published the findings from its inaugural data protection audit of police facial recognition technology (FRT), focusing on the operations of South Wales Police and Gwent Police. The regulator said it was “encouraged” by the results, which point to compliance with data protection laws.
According to an executive summary issued on 20 August, the audit examined whether these two police forces meet key data protection requirements, including necessity, proportionality, fairness, and accuracy in their deployment of FRT, whether live or retrospective. The audit also assessed whether the entire process—from image capture to decision-making—conforms to UK data protection regulations.
ICO Deputy Commissioner for Regulatory Policy Emily Keaney said the findings offer a “high level of assurance” that the forces have implemented compliant processes and procedures. She noted that the forces ensure human oversight by trained personnel to mitigate risks of bias, and that no decisions are made solely via automation. Formal procedures are in place to assess necessity and proportionality before each live FRT deployment.
The audit revealed that both South Wales and Gwent Police have clearly mapped data flows, established the lawful origins of images used for biometric templates, and conducted appropriate Data Protection Impact Assessments (DPIAs). The ICO also found that the data collected is limited to what is necessary for its intended purpose, and that individuals are informed of its use in a clear and accessible manner.
Chief Superintendent Tim Morgan, leading the joint digital services unit for the two forces, welcomed the audit. He emphasized that the high level of independent oversight and scrutiny enables them to demonstrate that their facial recognition deployments are ethical, legitimate, fair, proportional and compliant with legislation. Morgan also highlighted that there have been no wrongful arrests or false alerts in South Wales in recent years.
Despite the positive tone, Keaney stressed that the audit represents only a “snapshot in time.” It does not imply a blanket approval for all police forces across the UK. Rather, she suggested other forces can learn from areas where the audited forces performed well, as well as from areas identified for improvement.
The ICO provided a number of recommendations but the summary did not detail them beyond indicating whether they applied to live or retrospective FRT and their priority level.
Questions raised by Computer Weekly highlighted lingering concerns. Of particular interest were whether South Wales Police still derive their watchlist images based on crime categories — rather than context-specific threats — as previously admitted to a House of Lords committee in December 2023; and whether unlawfully held custody images in the Police National Database are excluded from watchlists. The ICO did not respond to requests for clarification.
When asked why the ICO was only now auditing police use of FRT, given its deployment since 2016, an ICO spokesperson pointed to the regulator’s ongoing role. The ICO has previously issued opinions, intervened in the case of Ed Bridges, and developed guidance on use of facial recognition. The spokesperson maintained that FRT must be used lawfully, proportionately, and with proper safeguards—noting that existing Metropolitan Police policy falls short of this standard.
The ICO also confirmed it is planning further audits of other forces, including the Metropolitan Police, Essex Police, and Leicestershire Police, and expects to publish additional findings and a detailed outcomes report in due course.
Public sentiment remains cautious. ICO research from earlier in the year noted that while 63 percent of people surveyed felt comfortable with police using facial recognition, their support hinges on the technology being accurate, unbiased, privacy-conscious, and demonstrably beneficial to society.
As the ICO presses on with its AI and biometrics strategy, the audit marks one piece of a broader effort to strike a balance between effective policing and civil liberties. The regulator continues to engage with the government, police forces, and other stakeholders to reinforce governance and public trust.
