
SALT (Mobai et al.), exit report: Securing Digital Identities

Secondary purposes: Training and improving AI models and systems

Using data that represent a physical person to verify that person's identity requires methods and algorithms that fall under the generic terms “AI and machine learning” (ML). ML models by their nature require training, quality control, tuning and adjustment to work properly over time and to improve in quality and efficiency. Such continuous adjustments and improvements require access to training data.

To fulfil secondary purposes, Mobai stores encrypted facial images in a central database for a period of time limited by an internal policy. Mobai has indicated that they would only need a subset of images for training. The policy for which subset and what percentage of the data is needed for training has not been specified, but the fraction, according to Mobai, could be as low as 10% of all images potentially available. However, the percentage could differ based on need, i.e., when situations or events indicate a need to tune or train the models for specific reasons. An active and well-documented practice of data minimisation for model training will be important and central for the solution to be considered to have privacy by design and by default implemented.

From a technical point of view, the main difference between the two purposes is that the primary purpose involves several actors and use of the biometric data across several organizational boundaries. That is also the reason for the described use of extended security measures (incl. homomorphic encryption) for the primary purpose.

For the secondary purpose, it is the understanding of the Norwegian Data Protection Authority that Mobai will not store biometric data. This is because facial images that are not specifically processed to become templates are not considered to be biometric data. However, the centrally stored data (facial images) do represent a similar risk to biometric data, as they represent a collection of data. The requirements for protecting this data are for that reason considerable. This report has not evaluated the specific security measures applied for storing data for secondary use.

The data controller should perform an adequate risk assessment and implement adequate security measures for storing and processing facial images for the secondary purpose, including a proper evaluation of necessity and proportionality.