Public Sector Data Protection Impact Assessments and the equality requirement

In August 2020 the Court of Appeal, the second highest in England and Wales, handed down a judgement based upon an appeal from the High Court.  The case in question Bridges v South Wales Police (Hereafter SWP).[2]

In summary, SWP had been using facial recognition in Cardiff City Centre against a picture database of known “wanted” persons.  If a “wanted” person was pinged then an arrest was made, all other faces deleted.  Bridges brought forward a case in the High Court that the use of technology was unlawful on the following grounds:

The grounds of challenge were that AFR is not compatible with the right to respect for private and family life, under Article 8 of the European Convention on Human Rights (“the Convention”), which is one of the Convention rights set out in Schedule 1 of the Human Rights Act 1998 (HRA); data protection legislation; the Public Sector Equality Duty (PSDE) in section 149 of the Equality Act 2010.[3]

The latter challenge will be the focus on for this article. Let us first look at the duty that public sector organisations have when implementing business change under section 149 of the Equality Act 2010[4].  Public Authorities are required when implementing business change to have due regard to the effect that change will have on those with protected characteristics.[5]   A close examination of the protected characteristics show that some of these marry those defined in the UK GDPR Article 9.[6]  This would therefore need alignment with the DPIA process to ensure that the Public Sector Duty of Equality (PSDE) assessment was undertaken at the time of the DPIA.

The PSDE in legal terms is defined in section 149 as:

The terms of the PSDE are set out in section 149(1) of the Equality Act 2010 as follows:

A public authority must, in the exercise of its functions, have due regard to the need to—

(a) eliminate discrimination, harassment, victimisation and any other conduct that is prohibited by or under this Act.

(b) advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it.

(c) foster good relations between persons who share a relevant protected characteristic and persons who do not share it.

In the case brought forward by Bridges on Appeal, the challenge based upon the discrimination of both sex and race was that:

The two protected characteristics that are relevant in the present case are race and sex. It is submitted on behalf of the Appellant that SWP are in breach of the PSDE because they have never had due regard to the need to eliminate discrimination on those two grounds, which may arise from the software which is used in the deployment of AFR Locate. It is said that there is scientific evidence that facial recognition software can be biased and create a greater risk of false identifications in the case of people from black, Asian and other minority ethnic (“BAME”) backgrounds, and also in the case of women. [7]

The Court made it clear that the PSDE should be:

• Assessed when policy is being derived.
• Rigorous in nature and not a tick box exercise.
• A continuous one and one “one and done” event.
• Wide consultation is undertaken, and relevant information sought.
• A clear evidence trail exists to support the assessment.

In essence, the Court accepted that the process should be locked into any consideration of business change that affects those with special characteristics.  

The Court found that:

The Respondent did not comply with the Public Sector Equality Duty in section 149 of the Equality Act 2010, prior to or in the course of its use of Live Automated Facial Recognition technology on 21 December 2017 and 27 March 2018 and on an ongoing basis.[8]

So what next?

Now the Covid fog is lifting, the Court ruling has a binding requirement on Public Sector Data Controllers to marry their DPIA with the assessment of the equalities impact of a business change.  With my own public sector clients, I have ensured that they are clear that their DPIA needs to assess the section 149 obligations on those with special characteristics, and the best place to start this is at the DPIA start phase.

It is clear that Bridges was a landmark case for the public sector, and the marrying of the two processes which are not “one and done”, are key to meeting compliance requirements, but more importantly, good ethical standards in business change.

#keepattacking

[1] https://gdpr-info.eu/art-35-gdpr/

[2] Bridges v South Wales Police [2020] EWCA Civ 1058

[3] Bridges v South Wales Police [2020] EWCA Civ 1058 Para 2

[4] Equality Act 2010 c.15

[5] https://www.legislation.gov.uk/ukpga/2010/15/part/2/chapter/1

[6] https://gdpr-info.eu/art-9-gdpr/

[7] Bridges v South Wales Police [2020] EWCA Civ 1058 Para 164

[8] Bridges v South Wales Police [2020] EWCA Civ 1058 Para 210

cut out images of the public with a world map behind them

RECENT POSTS

Data, a new Direction?

Considerable column inches have been written over “Data, a new direction”, the UKGovernment’s title of their “tweaking” of the existing UK-GDPR provisions within the 2018Data

Read More »