The Australian Federal Police (AFP) has been ordered to strengthen its privacy governance following an investigation into its use of the Clearview AI facial recognition tool by the Australian Information Commissioner and Privacy Commissioner, Angelene Falk.
Commissioner Falk said Clearview AI’s facial recognition tool allowed users to upload a photo of an individual’s face, match it to photos of that person’s face collected from the internet and “it then links to where the photos appeared”.
“The AFP failed to complete a privacy impact assessment (PIA) before using the tool, in breach of clause 12 of the Australian Government Agencies Privacy Code, which requires a PIA for all high privacy risk projects,” she said.
“The AFP also breached Australian Privacy Principle (APP) 1.2 by failing to take reasonable steps to implement practices, procedures and systems in relation to its use of Clearview AI to ensure it complied with clause 12 of the Code.”
The Commissioner said that, between 2 November 2019 and 22 January 2020, Clearview AI provided free trials of the facial recognition tool to members of the AFP-led Australian Centre to Counter Child Exploitation (ACCCE).
Commissioner Falk said ACCCE members uploaded facial images of Australians to test the functionality of the tool and, in some cases, to try to identify persons of interest and victims in active investigations.
“The AFP did not assess the risks to providing personal information to a third party located overseas, assess its security practices, accuracy, or safeguards,” she said.
“I recognise that facial recognition and other high privacy impact technologies may provide public benefit where they are accompanied by appropriate safeguards.
“But there were a number of red flags about this third party offering that should have prompted a careful privacy assessment.”
Commissioner Falk said by uploading information about persons of interest and victims, the ACCCE was handling personal information in a way that could “have serious consequences for individuals whose information was collected”.
The Commissioner said she recognised the AFP’s commitment to reviewing and strengthening its privacy governance framework and embedding a culture of privacy compliance across the Agency.
“This determination should provide additional assurance to Australians that deficiencies in the AFP’s privacy governance framework will be addressed, under the Office of the Australian Information Commissioner’s (OAIC) oversight,” she said.
Commissioner Falk directed the AFP to engage an independent assessor to review and report to the OAIC on residual deficiencies in its practices, procedures, systems and training in relation to privacy assessments and to ensure that relevant AFP personnel completed an updated privacy training program.
