Legal Basis Guidance
Version 1.0 — DRAFT for review · Effective date: [EFFECTIVE DATE]
⚠ GUIDANCE, NOT LEGAL ADVICE. This explains how to think about lawful bases for facial recognition under UK law. It does not establish a lawful basis for you and is not a substitute for advice from your own data‑protection adviser. Review by a qualified professional is required before relying on it.
As a Pariah customer you are the data controller for the facial recognition you operate. You must identify and document both:
- a lawful basis under UK GDPR Article 6; and
- a separate condition under UK GDPR Article 9 (because facial templates are special‑category biometric data used for unique identification).
You cannot process biometric data on Article 6 alone.
1. Article 6 — lawful basis
For commercial premises security, controllers most commonly consider:
- Legitimate interests (Art. 6(1)(f)) — often the most realistic basis, requiring a documented Legitimate Interests Assessment (LIA) showing your security purpose, necessity, and that it is not overridden by individuals' rights. Facial recognition is intrusive, so the balancing test is demanding.
- Consent (Art. 6(1)(a)) — rarely workable for indiscriminate public‑space capture (consent must be freely given, specific, informed, unambiguous), but may suit access‑control scenarios.
- Legal obligation / public task — generally only relevant to specific regulated or public bodies.
2. Article 9 — special‑category condition
You must also satisfy an Article 9 condition. The realistic candidates for private security are narrow:
- Substantial public interest (Art. 9(2)(g)) with a basis in the Data Protection Act 2018, Schedule 1 — e.g. the "preventing or detecting unlawful acts" condition — which carries its own appropriate policy document requirement.
- Explicit consent (Art. 9(2)(a)) — high bar; usually impractical for general surveillance.
If you cannot meet an Article 9 condition, you must not process biometric data through the Platform.
3. Necessity, proportionality, and the DPIA
Even with a basis and a condition, processing must be necessary and proportionate. A DPIA is mandatory for facial recognition (see /legal/dpia). Consider whether a less intrusive measure would achieve your aim, minimise the number of people enrolled, set short retention periods, and provide clear and prominent notice.
4. Practical checklist
- [ ] Documented Article 6 basis (+ LIA if legitimate interests).
- [ ] Documented Article 9 condition (+ DPA 2018 Sch.1 appropriate policy document where required).
- [ ] Completed DPIA, kept under review.
- [ ] Signage and privacy notice in place.
- [ ] Watchlist entries individually justified and proportionate.
- [ ] Retention periods set and enforced.
- [ ] Process for data‑subject rights, including erasure for listed individuals.
- [ ] Human review before significant decisions.
5. How Pariah helps
Pariah is your processor. Architecture choices that support proportionality include on‑premises (local) continuous processing, configurable retention, role‑based access, and audit logging. These help, but the lawful basis, DPIA, and notices are your responsibility.
This guidance references the ICO's published materials on facial recognition and live facial recognition. Consult ico.org.uk and your own adviser. Questions: [email protected]