12.6 Persons of Interest Images
Persons of interest images (mug shots), in hard copy or electronic form, may be disseminated subject to strict control for the purpose of identifying persons of interest who are; suspected of criminal or terrorist activity, hostile reconnaissance, anti-social behaviour or are banned from the area of surveillance.
Subject Access Request – refer to section 8.1.
Consent – due to the lawful basis of this processing, consent would not be required.
Archive Retention – the need for retention must be routinely reviewed and all copies are to be permanently deleted or otherwise destroyed when retention can no longer be reasonably justified.
Privacy – Any printed copies must be watermarked or otherwise indelibly labelled with a unique reference number and display the text ‘NOT TO BE SHOWN IN PUBLIC VIEW’. Access to electronic images shall be password protected and managed on computer devices identified by unique reference numbers logged in a Controlled Data Register. The recording must be deleted at the end of the archive period.
The decision to produce and distribute images must be justified and documented by the data controller. However, this may be delegated to the data processor if the assignment instructions agreed between the controller and processor specifically allow it.
* It is planned that the VeriFi EIDOS Activity Log will be updated to include Persons of Interest management in Q2 2022.
Before entering images of suspects into a database it must be recorded in writing how the suspect has demonstrated such behaviour and activity.
Images may be either electronic or hard copy and must be:-
- of sufficient quality so as to reduce the possibility of false matches;
- watermarked or tamper evident labelled with a unique reference number as a ‘Controlled Copy’;
- subject of formal cradle to grave distribution control; and
- routinely reviewed and permanently deleted when retention can no longer be reasonably justified.
Distribution must be strictly controlled and limited to the following:-
- law enforcement agencies (police);
- government intelligence agencies;
- Health and Safety Executive;
- individuals who have made a data subject access request that has been approved (see section 8.1);
- insurance companies and legal representatives that have a legitimate interest in the data and have given a written statement of purpose and an undertaking to comply with data protection legislation in respect of any data released to them;
- others, as required by law or court order; and
- security service providers and their operatives.