What the ICO Sandbox is and how Yoti have used it to forward their facial age estimation technology to safeguard children online27th May 2022
What is the ICO Sandbox?
Before we explain how the ICO have changed their position on facial recognition and whether it is ALWAYS classed as special category data as a result of YOTI entering the Sandbox, let us first explain what the ICO Sandbox is.
According to the ICO themselves, the Sandbox is:
“A service developed by the ICO, to support organisations who are creating products and services which utilise personal data in innovative and safe ways.”
The beta phase of the ICO Sandbox was launched in September 2019 with an initial 10 projects. It then re-opened applications for new participants in August 2020 with a focus on 2 key themes: Children’s Privacy and Data Sharing.
To be successful in entering the ICO Sandbox, projects needed to be highly innovative and addressing an issue with data protection challenges and uncertainties.
Who are Yoti? With their headquarters in London, Yoti are a global organisation with a range of products and services around digital identity. Their application to the Sandbox and this project is regarding their Age Verification service. Their service offers their customers the option of adding up to six methods of verifying age when users visit the customer website.
The method that Yoti entered the Sandbox to explore is narrowed down to just one:
The use of age estimation technology by using their algorithms and assessing the users’ facial features, specifically in this case, to identify if the users is aged between 6 and 12 years old.
The power of being able to do this (safely) is that it would enable providers of children’s services (such as online games or forums for example) to create a safe virtual environment that only children inhabit.
Yoti officially entered the ICO Sandbox in November 2020, however, due to the global Covid pandemic the nature of the work and objectives and third parties involved shifted as time progressed. Ultimately, however, the scope was to explore the collection of data used to train Yoti’s age estimation software in order to assess the age of young people.
The ICO advised Yoti on the data protection risks associated with processing children’s data to retrain their model to work with this young age group (6- 12 years old).
One of the key considerations during the course of the Sandbox was around whether Yoti was processing ‘biometric’ data – because biometric data is classed as special category data under the UK GDPR if it is used to uniquely identify that person.
Yoti were looking at young people and personal images. Two very challenging areas from a privacy and data protection point of view. Hence the Sandbox. Is Yoti uniquely identifying a living individual and a child at that?
Facial Age Estimation
Fascinating stuff for those of us previously unaware of how this works. Yoti state that:
“The facial age estimation is based on a computing technique known as a neural network’. Yoti has trained the neural network to be able to estimate human age using a process of machine learning, a form of artificial intelligence. . . the facial age estimation product breaks the image down into component pixels, each pixel is just a set of numbers”
In layman’s terms, Yoti gives the system a large number of facial images where they already know the subject’s age and the system processes that data and eventually creates a formula.
Prior to the Yoti Sandbox project, the ICO’s position on biometric data was relatively clear in that it stated that “all biometric facial templates collected and compared to a watchlist will constitute special category data regardless of whether there is a match . . . all biometric data is personal data”.
However as a result of the Sandbox, the ICO reconsidered their guidance in this area and revised its position to make a caveat to allow for the kind of processing that Yoti is doing – so long as whoever is doing such processing submits documentary evidence and rational alongside a risk-based analysis to enable their DPIA to confirm the decision it doesn’t need to be classed as special category data because no living individual is being identified.
The ICO concluded that Yoti’s age estimation tool does not result in the processing of special category data.
The innovative age assurance sector is one to watch. Let’s hope the above, along with the Children’s code are going to be able to work together to keep future generations safe online.
If you need any guidance for your organisation as to whether the data you are processing might be classed as special category, or indeed any other data protection or governance issues, the specialists here at the Griffin House Consultancy would be delighted to help. The best thing to do is for you to book your complimentary half-hour consultation here.