Facial Recognition FAQ’s

Last updated: 4th April 2024

What's new: we have updated these FAQs following the decision to introduce LFRT to our Palm Beach Casino on a longer-term basis.

1. WHERE DO YOU MAKE USE OF LFRT?

Following a successful trial period between October 2023 – January 2024, we have introduced Live Facial Recognition Technology (LFRT) at our Palm Beach Casino, 30 Berkeley St, Mayfair, London W1J 8EH on a longer term basis with effect from 9th January 2024. You can find posters on display in club providing more information and a link to these FAQs.

Our use of LFRT will be subject to periodic review to ensure it remains a reasonable and proportionate means of achieving its objectives. In the future, we may decide to extend LFRT to our other UK casinos. Where that is the case, we will make further updates to the Genting Privacy Notice and these FAQs.

Genting Casinos UK Limited acts as independent Data Controller of personal data collected and processed through our use of LFRT, including for all biometric data. We are registered with the Information Commissioner's Office.

2. What is LFRT and how does it process my personal data?

LFRT involves comparing a person's unique facial features against a database to identify 'persons of interest'. If you enter the Palm Beach Casino, LFRT cameras located at reception and cash desk will scan your face to produce a unique biometric template. This is then compared against biometric templates held on the database. If there is a match to a 'person of interest', the system will alert our staff to your presence in the casino. A manager will then hold an interaction with you, and you may be asked to leave the premises depending on the circumstances.

We only use LFRT to identify the following categories of persons of interest, each of whom will have an entry on the database:

• A sample group of people who are already suspended / barred from Genting Casinos for responsible gambling reasons.
• People who are already suspended / barred from Genting Casinos further to the prevention or detection of crime, unlawful acts and disorder.

We do not make use of LFRT for any other purpose, nor will it be used to identify people outside of these groups.

3. Where does the 'persons of interest database' come from?

The 'persons of interest database' is created by Genting using data from our existing casino management and security records only. We use photographs of individuals within our existing records who are currently recorded as suspended / barred from Genting premises for responsible gambling reasons or further to the prevention or detection of crime, unlawful acts or disorder. We do not use data from other sources (including from the self-enrolment national self-exclusion database directly (SENSE)) or from other third parties, such as commercially or publicly available databases or social media websites. .

Clarification re. SENSE: following recent feedback, we are updating this section of the FAQs to clarify that the data used to identify persons suspended / barred for responsible gambling reasons (including where previously referred to as “SENSE” registered individuals) originates from Genting's own casino management and security records and not from the SENSE self-exclusion database as a third-party scheme. We have therefore removed references to “SENSE” to clarify that SENSE is not affiliated with the Palm Beach Casino, it does not share data with Genting Casinos for LFRT purposes, nor does it act as a data controller or processor at any stage of the process.

In the future, we may explore working with SENSE more formally to help identify and safeguard all individuals with a live SENSE self-exclusion agreement in place, but this is subject to further review and industry engagement. Both Genting and SENSE will update their privacy information if they agree to work together in this way in the future. If you have questions regarding this section, please contact our Data Protection Officer on DPO@gentinguk.com who will be happy to clarify.

4. Why are you using LFRT?

LFRT helps us to meet our legal and regulatory obligations to identify at risk individuals and to help keep our customers, employees and premises safe. Compared to manual procedures, LFRT offers a very accurate and efficient way of identifying persons of interest while reducing registration formalities, admin and queuing times for customers, particularly during open-door hours and busy periods.

5. How is your use of LFRT lawful?

Genting has identified the following lawful bases under the UK data protection laws (including the UK GDPR and Data Protection Act 2018) to support its use of LFRT for the purposes described above:

• further to our legal obligations under the UK Gambling Commission's Licensing Conditions and Codes of Practice (LCCP) to protect vulnerable persons from being harmed by gambling and to prevent gambling from being associated with crime and disorder ;
• further to our legitimate interests; and
• in the substantial public interests of safeguarding individuals at risk and preventing or detecting unlawful acts - this also applies to the processing of special category biometric data created in the use of LFRT.

Genting has also carried out a detailed Data Protection Impact Assessment (DPIA) to support its use of LFRT and has reviewed the prevailing guidance on LFRT and biometric data processing from the ICO and the Biometrics and Surveillance Camera Commissioner.

6. What personal data will LFRT collect?

The following types of data are collected or created as part of the end-to-end LFRT process:

• Live-stream recording on entry to the Palm Beach Casino - this operates in a similar way to traditional CCTV.
• Facial extract from live-stream recording - these are images of a person's face cropped from the live stream.
• Unique biometric template created from facial extract - this is generated by the LFRT software and takes the form of a binary, numerical value that cannot be used by anyone else to identify you. The biometric template is sent to the database and compared against customer photographs already held in our casino management and security records for existing ID verification purposes.
• Positive result alerts and associated data - positive alerts are recorded in writing and retained as part of the customer record. Details of any interaction carried out by our staff and subsequent action is also recorded.

7. How do I know if I'm on the 'persons of interest database'?

In most cases, you will already know if you meet the criteria of a person of interest, i.e. you will know if you are currently suspended / barred from Genting Casinos for responsible gambling reasons or for the prevention or detection of crime, unlawful acts or disorder.

If you know yourself to be a 'person of interest' based on the above criteria, we advise you not to enter the casino. Prominent signage is also on display at the Palm Beach Casino to notify individuals that LFRT is in use before they enter the premises.

8. I am not a person of interest, why are you using LFRT on me?

We need to screen all persons entering the premises against the database to check if a person of interest has entered. If there is no match, no personal data is retained and biometric templates are deleted immediately once the check has been carried out. In most cases, this means all biometric data has been deleted within moments of the check having been carried out and, at the latest, within moments of you having left the casino at the end of your visit.

9. What if I am a non-member (open-door customer) and you don't have any existing information about me - how will LFRT identify me then?

Many of our clubs, including the Palm Beach Casino, now operate an open-door policy, meaning non-members are welcome to play without formal registration up to a threshold limit of £1,600. This means we may not have any personal data relating to you if you haven't visited us before. If you are a non-member who is suspended / barred following an open-door visit, we may review our CCTV images or the live-stream from the time of your visit to create an entry for you in the database. This is so that we can identify you via LFRT as a person of interest if you attempt to re-enter the casino in the future.

10. How accurate is LFRT?

The LFRT software operates with a high degree of accuracy and has been subject to careful review by our third-party software partner during the development and testing stages. The specialist nature of the technology means it is much more accurate in recognising faces than manual, human methods of identification alone. We will routinely review the performance of the software to verify the accuracy of its results and have policies and procedures in place to address discrepancies if and as they arise.

11. How long is my personal data kept for?

All biometric data is deleted as soon as the check has been carried out against the database. We apply the following retention periods for each part of the data collection process:

• Live camera stream - this is generally retained for 30 days in line with our CCTV retention period, but may be shorter or longer depending on the circumstances, e.g. if footage is archived following a specific incident.
• Facial extracts - deleted immediately after check against database is complete.
• Biometric template - deleted immediately after check against database is complete.
• Positive result alerts and associated data - positive alerts are recorded in writing and retained on our casino management system as part of the customer record. Details of any interaction carried out and subsequent action is also recorded. No biometric data is retained. The customer record is retained in line with the retention periods set out in the Genting Casinos Privacy Notice.

12. Can you tell if I have a criminal record from your use of LFRT of if I am wanted by the police?

No. We can only tell if you are currently suspended or barred from Genting premises due to responsible gambling reasons or for the prevention or detection of crime, unlawful acts or disorder. We cannot find out any other information about you through our use of LFRT.

13. Do you share LFRT data with anyone else?

Not usually. We may share limited amounts of data with our third-party software partner, the Face Recognition Company Limited, for maintenance and technology support, or with law enforcement agencies if we receive a lawful request for data for the purposes of the prevention or detection of crime. Data will only be shared if a legitimate request has been received from the relevant authorities in accordance with our Law Enforcement Data Access Request Policy and no biometric data will be shared due to the very short retention period.

Otherwise, we do not share data collected using LFRT with anyone else or use it for any other purposes not listed in these FAQs.

14. How secure is my data and can it be used by anyone else?

We implement strict security protocols to safeguard personal data, including data collected or generated through our use of LFRT. All biometric data is held in a secure numerical format that cannot be easily reconstructed or decoded by third parties or machines. This means in the event of a data security incident, it is highly unlikely that anybody could identify you from this information alone. Our data retention policy ensures biometric data is erased within moments of the check having been carried out which means there is very limited opportunity for this data to be compromised or misused.

15. Will you transfer LFRT data outside of the UK?

No, all personal data is processed in the United Kingdom.

16. Does LFRT rely on automated decision making?

No. All alerts are manually reviewed by our casino management staff before an interaction takes place and individuals will be asked to provide ID before any decisions are made. This means we do not rely solely on automated means to make decisions about you if an alert is triggered by LFRT.

17. How can I enforce my data subject rights?

Your data subject rights, including the right of access and the right to make a complaint to the ICO continue to apply to our use of LFRT. You can find out more about your data protection rights, and how to exercise them here in the full Genting Casinos Privacy Notice.

18. Can I object to the use of LFRT?

The 'right to object' under the data protection laws only applies in limited circumstances. Because we are using LFRT to meet our legal obligations, the right to object does not apply. Genting is committed to transparency around data protection and advises persons on entry that LFRT is in use. If you do not want to be subject to LFRT, we advise that you do not enter the casino premises.

19. I've heard that LFRT can produce discriminatory results - have you considered this?

Genting has partnered with a specialist third-party software partner in its use of LFRT. We recognise that there may be a small risk of bias in innovative technologies potentially leading to discriminatory outcomes for some demographic groups, particularly when being used live for the first time. For this reason, we have carried out thorough due diligence and testing of the software prior to live use to minimise this risk. The results of the software are also routinely reviewed to detect and address any unacceptable patterns of bias in its performance.

20. Who can I contact if I have a question about Genting's use of LFRT or if I want to provide feedback?

These FAQs are designed to provide the necessary information under the UK data protection laws to explain how we will collect and process personal data as part of our use of LFRT .

Genting is committed to transparency and welcomes ongoing engagement with our customers about our data protection practices- we'd love to hear you views and your feedback on our use of LFRT. We encourage comments, questions and feedback from customers, employees and visitors. You can find a comments box and cards at the Palm Beach Casino reception for this purpose. Alternatively, you can contact the Data Protection Officer on DPO@gentinguk.com.