12.5 Persons of Interest Images
Images (‘mug shots’) in hard copy or electronic form may be distributed for the purpose of identifying persons of interest who are suspected of criminal or terrorist activity, hostile reconnaissance or anti-social behaviour, or who are banned from the area of surveillance.
Subject Access Request –
Consent – due to the lawful basis of this processing, consent would not be required.
Archive Retention – the need for retention must be routinely reviewed and all copies are to be permanently deleted or otherwise destroyed when retention can no longer be reasonably justified.
Privacy – any printed copies must be watermarked with a unique reference number and display the text – ‘NOT TO BE SHOWN IN PUBLIC VIEW’.
Access to images shall be password protected and managed on computer devices identified by unique reference numbers logged in a Controlled Data Register. The recording must be deleted at the end of the archive period.
Process – To be documented using the VeriFi EIDOS Management Information System.
Before entering images of suspects into the persons of interest database it must be recorded in writing how the suspect has demonstrated such behaviour and activity.
The decision to produce and distribute images must be justified and documented by the data controller. However, this may be delegated to the data processor if the assignment instructions agreed between the Controller and Processor specifically allow it.
Images may be either electronic or hard copy and must be:-
- of sufficient quality so as to reduce the possibility of false matches;
- watermarked with a unique reference number as a ‘Controlled Copy’;
- subject to formal cradle-to-grave distribution control; and
- routinely reviewed and permanently deleted when retention can no longer be reasonably justified.
Distribution must be strictly controlled and limited to the following:-
- law enforcement agencies (police);
- government intelligence agencies;
- the Health and Safety Executive;
- individuals who have made a subject access request (see section 8.1);
- insurance companies and legal representatives that have a legitimate interest in the data and have given a written statement of purpose and an undertaking to comply with data protection legislation in respect of any data released to them;
- others, as required by law or court order; and
- security service providers and their operatives.
In the event that it is necessary to release to organisations or individuals other than those listed above, a Data Sharing Agreement should ideally be put in place between the receiving party and the disclosing data controller (see section 14).