Tony Porter, Chief Privacy Officer at Corsight AI, takes a look at the potential impact of Martyn’s Law, a new legislation that will strengthen security provisions at venues across the UK. Martyn’s Law is a tribute to Martyn Hett, who was killed alongside 21 others in the Manchester Arena terrorist attack in 2017.
‘Martyn’s Law’ (the Counter Terrorism Protection Bill) when enacted will create new and important opportunities to protect the public from violent terror threats at public events.
Those who suffered from the bombing attack at the Manchester Arena on 22nd May 2017 are particularly aware of how events happening elsewhere in the world can motivate terrorists to unleash death and carnage at home. We live in an increasingly globalised, diverse, and fractious world. We face a whole manner of threats often enabled by technological sophistication.
There are 650,000 crowded places in the UK of which only 0.2% are currently prioritised to receive support from the state’s counter terrorism experts. It is against that backdrop the government has introduced ‘Martyn’s Law.’ The essence of this proposed legislation is to confer a statutory duty upon those responsible for publicly accessible locations being used for events to protect people attending those events. In essence they will be required to produce a plan.
I don’t believe that any right-minded person would argue against the importance for stadium or designated event leaders, to embrace and exploit the safety potential provided by modern technologies. The provision of a comprehensive suite of effective security measures at these events, delivered by trained and highly competent operators, is surely non-controversial. It is reassuring therefore that Martyn’s Law will apportion statutory responsibilities for which people will be held to account.
Specifically, those responsibilities will include;
- engaging with freely available counter- terrorism advice and training,
- conducting vulnerability assessments of their operating places and spaces,
- implementing measures which mitigate the risks created by the vulnerabilities identified by their assessment processes,
- to have a counter-terrorism plan,
- a requirement for local authorities to plan for the threat of terrorism.
It is against that context that questions as to the role of facial recognition (FR) technology arises as a legitimate protective measure. In particular the use of ‘live-time’ facial recognition (LFR) in public spaces frequently generates a good deal of debate, often around legitimacy, proportionality, equality and privacy. The potential headaches for event organisers are obvious but the learning from the Manchester Arena bombing illustrates that the stakes are as high as they get if you get things wrong in a counter terrorism context.
My experiences as former national counter terrorism leader of the UK National Counter Terrorism Police Network and also as the Surveillance Camera Commissioner (the former regulator of the police use of surveillance camera systems including facial recognition cameras) has given me a unique platform to opine on these issues. I am very much in favour of stadium managers lawfully utilising facial recognition technology to protect the public in attendance.
Indeed, I believe that so significant are the capabilities and public safety potential within FR to protect people whilst proportionality protecting privacy, that the debate is no longer whether it should be deployed as a counter terrorism protective measure but how it can be properly delivered within the context of current law at large events. It does not have to be an obstacle course to be navigated between conflicting positions provided you take a careful and well-informed approach. Just because you can, doesn’t mean you should so you must be aware of the requisite detail.
In furtherance of these new statutory duties, event organisers and others bound by the provisions of Martyn’s Law will have to work closely with the emergency services and local authorities amongst others. There will be sensitivities of confidentiality where national security considerations apply. Other considerations include high performing credentials of the system in meeting national and internationally accredited standards of performance.
Governance, responsibility for data protection compliance, number and location of cameras, the standards of cyber security to protect the system from third party intrusion, conduct of the Public Sector Equality Duty and training of human intervenors are just some of the issues which have to be worked through. The requisite governance and accountability arrangements should be agreed between the partners and set out in a protocol so that each organisation is clear about their responsibilities with details provided as to obligations, expectations, and contingencies.
You may be aware that the Information Commissioner’s Office (ICO), the regulator of data laws in the UK, has scrutinised the use of FR by a private company, Face Watch, who deploy the technology at several commercial venues in London. The ICO is satisfied that in the context of the GDPR and Data Protection Act 2018, Face Watch has a legal basis of legitimate interest to use the technology in the manner that it currently employs. The technology is in use at a large sporting venue by the police in Cardiff, and is also currently being used successfully in the nation’s capital by the largest police force in the UK.
Further afield it is a reassuringly significant development within the European Union that those responsible for creating the EU Artificial Intelligence Act have opted for a more pragmatic compromised approach by setting out the terms and safeguards which enable such use of LFR by law enforcement to protect the public. Such a pragmatic approach recognises that often well considered yet idealistic sensibilities can rapidly dissolve when real world problems arrive in the shape of a dangerous needle requiring weeding from a crowded places haystack.
Anyone who has attended a public event recently will have submitted their handbag together with its personal contents to a search by a security guard, or had to turn out their pockets and be the subject of a handheld body scan as a condition of entry to the event. A negligible degree of intrusion is often a price worth paying for a safe and confident event in the modern era. That is the real world. Those who think otherwise should think again as such matters will often amount to at best a personal inconvenience in pursuit of public safety and not the actions of a dystopian state seeking to subjugate its people.
The guidance that I would offer to those who are seeking to apply FR as a protective measure in the context of Martyn’s Law is to use the highest performing equipment which meets or exceeds national/international standards. Make a detailed, well considered, and compelling case for justification and be clear as to the legal foundation. Be transparent in setting out the case of necessity and proportionality, be meticulous in terms of equality impact, data protection impact and other risk assessment processes. Apply rigorous safeguards, follow existing guidance, consult widely in cooperation with your partners and work in cooperation with the data regulator.
Seems a tall order? Well so is holding the responsibility for the protection and well-being of innocent members of the public attending an event and expecting to go home to their loved ones at the end of an evening. Tread confidently, tread wisely and with integrity, take your legal advisor, data protection expert, your partners and their advisors with you, so that those attending your venue can step safely and with confidence in to, throughout, and out of an enjoyable experience.
Tony Porter is Corsight AI’s Chief Privacy Officer and the former UK Surveillance Camera Commissioner. Corsight AI is a leading provider of facial recognition solutions for corporations, law enforcement and other government agencies.
Porter was appointed Surveillance Camera Commissioner in March 2014 and served until December 2020. He developed and implemented the National Surveillance Camera Strategy and provided expert witness testimony at High Court and Court of Appeal in Bridges v South Wales Police (face recognition). He has a combination of business and law enforcement expertise and is an intelligence specialist and retired senior police leader. His experience spans community and business engagement, international counter terrorism and serious and organised crime.
He received a QPM in the 2008 New Year’s Honours for services to National Security and in the 2022 New Year’s Honours was awarded an OBE for services to Human Rights and Security.
Corsight AI is a sponsor of TheStadiumBusiness Summit 2024, which will take place at Emirates Old Trafford in Manchester on June 18-19.