Tap a region to visit the official Facebook page.
Effective date: December 2025
Status: Active – subject to ongoing review and governance oversight
This Facial Recognition and Biometric Data Processing Policy (“Biometric Policy”) sets out, in comprehensive detail, the legal basis, technical design, operational safeguards, governance controls, and risk mitigation measures governing the use of facial recognition and biometric data processing by Red Rose UK.
This Policy is drafted to demonstrate compliance with:
This Policy must be read alongside Red Rose UK’s Privacy Policy, Data Retention & Disposal Policy, Data Subject Rights & Erasure Handling Policy, and internal Data Protection Impact Assessment (DPIA).
Red Rose UK operates a safeguarding and public awareness platform concerned with serious criminal behaviour that presents ongoing risk to vulnerable individuals and the wider public. As part of this mission, Red Rose UK has implemented a facial recognition capability intended to support awareness, identification assistance, and informed safeguarding decisions.
The facial recognition capability is not designed, marketed, or operated as:
The purpose of the system is limited and specific: to assist users in determining whether an image they already possess may correspond to an individual already associated with verified safeguarding-relevant information on the Red Rose UK platform.
The system operates within a broader safeguarding ecosystem that prioritises proportionality, transparency, human judgment, and harm prevention.
This Policy applies to all biometric processing conducted by or on behalf of Red Rose UK, including:
This Policy does not apply to:
Only images that are already associated with verified profiles on the Red Rose UK platform are enrolled into the facial recognition system. These images are sourced from:
No images are collected covertly. No images are scraped from private accounts. No images are uploaded by third parties for enrollment.
Enrollment is a controlled administrative process subject to audit logging and oversight.
Facial templates are generated using standard feature-extraction techniques that convert pixel data into numerical vectors representing facial geometry. These templates:
Users may upload a single image for comparison. User uploads are:
User-uploaded images are not added to the template database and are not reused for any purpose beyond the immediate comparison session.
Red Rose UK expressly confirms that:
The system is therefore not considered “systematic monitoring of publicly accessible places” within the meaning of Article 35 UK GDPR or ICO guidance on live facial recognition.
Biometric processing is carried out under Article 6(1)(f) UK GDPR (legitimate interests).
The legitimate interests pursued include:
These interests are assessed as compelling given the nature of the offences involved and the platform’s protective objectives.
As biometric data constitutes special category data, Red Rose UK relies on Article 9(2)(g) UK GDPR – processing necessary for reasons of substantial public interest.
The substantial public interest relied upon includes:
This processing is supported by appropriate safeguards, including strict purpose limitation, data minimisation, retention controls, and human oversight.
Red Rose UK does not rely on consent as a lawful basis or Article 9 condition for biometric processing.
This is because:
Users are provided with transparency and choice regarding use of the feature, but consent is not relied upon as the legal basis.
Red Rose UK does not make decisions producing legal effects or similarly significant effects solely by automated means.
Facial recognition outputs:
Accordingly, Article 22 UK GDPR does not apply to the facial recognition system.
Red Rose UK acknowledges that facial recognition systems are not infallible and may generate false positives or false negatives.
To mitigate this risk:
The system is designed to support awareness, not replace human judgment.
Red Rose UK recognises industry-wide concerns regarding demographic bias in facial recognition technologies.
Mitigation measures include:
No automated outcomes are applied that could disproportionately affect individuals based on protected characteristics.
Facial templates derived from verified profile images are retained for as long as the underlying profile remains active and subject to retention review.
User-uploaded images are retained for no longer than 24 hours and are automatically deleted.
Biometric data is protected by layered technical and organisational measures, including:
Red Rose UK recognises that facial recognition and biometric processing constitute high-risk processing within the meaning of Article 35 UK GDPR.
Accordingly, biometric processing is governed by a dedicated Data Protection Impact Assessment (“DPIA”), which:
This Biometric Policy is designed to operate in direct alignment with the DPIA. Where the DPIA identifies elevated or changing risk, this Policy may be amended, restricted, or suspended accordingly.
The DPIA is maintained as a living document and is subject to periodic review, including when:
Red Rose UK has identified the following biometric-specific risks:
Each risk is assessed internally by reference to:
Risks are categorised as low, medium, or high prior to mitigation, and reassessed following implementation of controls.
Red Rose UK explicitly states that its facial recognition system:
The system operates only in response to a deliberate, user-initiated upload and therefore falls outside the scope of “systematic monitoring” contemplated by Article 35 UK GDPR and ICO live facial recognition guidance.
Red Rose UK is not a law enforcement authority and does not purport to exercise law enforcement powers.
Facial recognition outputs are not:
Any interaction with law enforcement occurs only following independent reporting by users or Red Rose UK and is based on corroborated information, not biometric output alone.
Human oversight is central to the biometric processing framework.
Oversight measures include:
No automated output triggers irreversible actions without human consideration.
Data subjects may exercise rights under UK GDPR in relation to biometric data, including:
Requests relating to biometric processing are subject to heightened scrutiny due to the sensitivity of the data and are overseen by the Data Protection Officer.
Any suspected or confirmed personal data breach involving biometric data is treated as a high-severity incident.
Incident response includes:
Red Rose UK recognises that biometric processing must remain proportionate and defensible.
Accordingly, Red Rose UK reserves the right to:
Triggers for restriction or suspension include:
Biometric processing may rely on infrastructure or services provided by third-party processors, including hosting and content delivery providers.
Where personal data is transferred outside the UK, Red Rose UK ensures appropriate safeguards are in place in accordance with Chapter V UK GDPR.
No third-party processors are permitted to use biometric data for their own purposes.
Information about biometric processing is made available through:
Red Rose UK recognises transparency as a core safeguard in maintaining public trust.
This Policy is reviewed periodically to ensure continued compliance with:
Where improvements are identified, Red Rose UK commits to implementing them in a timely and proportionate manner.
This Policy has been reviewed and approved by the Data Protection Officer.
Name: Oliver Fulleylove
Role: Founder & Data Protection Officer
Date: December 2025