Facial recognition technology latest woe at national children’s hospital

Net Results: Apart from expense, Hikvision cameras bring GDPR issues into focus

“Contracting face surveillance technology for children accessing medical care would be incredibly invasive.”

For the new national children's hospital, 2019 has been bookended by criticisms over escalating costs: in January Fianna Fáil's health spokesperson Stephen Donnelly accused the project of being a "complete and catastrophic failure".

Last week chairman Fred Barry told the Public Accounts Committee that "theoretically, things could cost anything" as it risks passing its current predicted spend of €1.73 billion.

Part of this much-talked-about budget has included the purchase of equipment from Chinese video surveillance firm Hikvision, specifically cameras with facial recognition technology (FRT). Hikvision might not be a well-known brand among consumers, but it cornered almost half of the global facial recognition technology market in 2018, according to UK analyst firm IHS Markit.

The hospital’s use of Hikvision’s FRT could be problematic for two reasons. First, the company’s technology has been banned from use in US federal government buildings following fears of espionage while the cameras have also been linked to human rights abuses in China.


Hikvision is the surveillance technology of choice for the Chinese government, which has come under fire for use of facial recognition technology for everything from monitoring children’s attentiveness in the classroom to tracking people for placement in “re-education centres”, which the UN has described as comparable to concentration camps.

In 2018, a ban on Hikvision technology was written into US law ordering all federal government bodies to stop buying their cameras following fears that they could be used for the unlawful purposes of spying on Americans.

This is in stark contrast to the fact that Hikvision cameras and CCTV systems (both with and without facial recognition capabilities) are used in their tens of thousands by public and private entities across the globe. In fact, Hikvision recently celebrated its 10-year anniversary in Europe.

Biometric data

Here in Ireland, it was announced in September that Hikvision was one of the newest members of the Irish Security Industry Association’s Trusted Suppliers Network.

What is perhaps just as important to focus on is how the use of such facial recognition technology aligns with protections afforded to EU citizens by the GDPR (General Data Protection Regulation). Facial images gathered by FRT are classified as biometric data. This is a specific form of sensitive personal data, the collection of which is restricted under GDPR rules.

Judging by the fine slapped on a high school in the Skelleftea municipality of Sweden earlier this year by the Swedish Data Protection Authority (DPA), the use of such technology for processing the data of minors could be deemed unlawful. So why is it being purchased for the new national children's hospital?

Given that the hospital is being touted as “Ireland’s first public digital hospital”, there is an understandable concern that facial recognition technology could be used as part of plans for an Electronic Healthcare Record (EHR). However, in a statement from Children’s Health Ireland and the National Paediatric Hospital Development Board, The Irish Times was told this equipment would not form part of patients’ EHR.

Elizabeth Farries, privacy rights expert for the Irish Council for Civil Liberties (ICCL) came out in criticism of the purchase, saying: “Contracting face surveillance technology for children accessing medical care would be incredibly invasive.”

“Children are afforded enhanced personal data protections under the law. Deploying this tech in this manner would run foul of those protections. It’s expensive, inaccurate, discriminatory, and in this situation, likely unlawful,” she added.

Consent of minors

There’s a lot to unpack here. The invasive aspect of facial recognition technology is that it can be used to automatically identify people, minors or otherwise. Under GDPR, individuals must give explicit consent to have their facial image processed in this manner.

This kind of consent includes the phrase “freely given”, meaning that someone cannot be forced to consent to passing through these cameras as a condition of accessing a service. In other words, were the national children’s hospital to use Hikvision’s cameras to process facial images for security purposes, all entrants to the hospital could in theory refuse to comply, with the full expectation of access to the services of the hospital.

Farries has called for a data protection impact assessment to be carried out by the hospital in order to demonstrate the risks involved. The Irish Times asked if such an assessment had already been carried out but didn’t get a clear yes or no.

So, again, the question is: why purchase these cameras?

The national children’s hospital board told The Irish Times that however these high-tech cameras are used, they “will be fully in line with Irish and European data protection and privacy legislation and guidelines, to ensure that the occupants of the hospital have the appropriate protections and security afforded to them, in line with their privacy rights”.

However, “it has not yet been decided which aspect of the security systems’ capabilities will be used”.

When it comes to such an intrusive method of identification that may run up against the GDPR on several counts – the processing of sensitive personal data and freely given consent, including the consent of minors – there is an argument to be made here: if they don’t know why they need it, then they don’t need it and they shouldn’t have bought it in the first place.