SAFR Implementation Best Practices

Considerations for Privacy by Design

Privacy by Design stands for the principle that any product or service should be designed with privacy in mind so that the design will proactively support privacy principles. SAFR has been designed with this approach and has specific tools to safeguard privacy. These include access controls, data security, and data management. When an organization implements SAFR, it should adopt an implementation that makes full use of these tools to protect the privacy of its users, such as spectators in a stadium or customers at a retail store, who will engage with SAFR. We highly recommend communicating with your users regarding the privacy practices you implement.

To this end, the following recommendations are provided by the SAFR team:


  • Provide clear notification to users before they encounter cameras that gather biometric data.
  • Avoid placing cameras in sensitive areas—such as bathrooms, dressing rooms, or medical offices.
  • Disclose any practices that link users’ biometric data to information from third parties or from publicly available sources.
  • Provide clear notice if your organization will use biometric data for a purpose outside the reasonably expected uses.


  • Obtain affirmative and express consent before using a user’s image or any biometric data derived from that image.
  • Consent should at all times be appropriate to the context. For example, in the case of minors, consent should be obtained from the parents or guardians. Please note that local laws may require additional steps for obtaining consent.
  • If the biometric data that is gathered for one purpose is to be used for a secondary purpose, then present the user with a second opportunity to provide express consent.
  • Ensure that the request for consent for biometric data collection and use is easy to find and understand.
  • Ensure that the user can revoke his/her consent at any time.
  • If your implementation includes user profiles, and a user deletes his/her account/profile, you should interpret this as a revocation of consent.
  • Do not use facial recognition to identify images of a user to someone who is not authorized without first obtaining the user’s affirmative express consent.
  • Provide the user with an opportunity to control sharing of his/her image and/or biometric data with an unaffiliated third party that does not already have access to this information.

Data Security Protections

  • Maintain appropriate administrative, technical, and physical safeguards.
  • Periodically review security policies.
  • Have reasonable data security protections in place for access to computers and servers to prevent unauthorized access or unintended disclosures.
  • Restrict access to a limited number of administrators. Do not write down or share logins/passwords.
  • Initiate examinations and audits of security policies, which will also help discover unauthorized access and catch and address critical issues that may have been overlooked.

Data Retention Policies

  • Establish and maintain appropriate retention and disposal practices for the images and biometric data collected.
    • Include specific retention periods, which should be the shortest period necessary to achieve the intended use.
    • Address the disposal of images that the user provided for a specific purpose once they are no longer needed.
  • If a user deletes his/her account/profile, or a user’s image and/or biometric data are no longer necessary for the purpose of the technology, the image and/or data should be deleted, even if the retention period has not expired.

Provide Additional Information Relating to the Use

  • Inform the user of the length of time you will store images and/or biometric data and who will have access to images and/or biometric data.
  • Inform the user of his/her rights regarding the deletion of stored images or biometric data.
  • Provide policies and disclosures to users in a reasonably accessible manner and location.
  • Update policies and disclosures when technical design decisions materially change the data management practices.
  • Establish policies that describe how the technology will be used and reasonably foreseeable uses of images or biometric data.
  • Establish policies that describe the reasonably foreseeable functionality that permits review, correction, or deletion of images and/or biometric data.
  • Provide a description of your data retention and de-identification practices.
  • Provide a process for users to contact you regarding your use of images and/or biometric data.