# Data Protection Impact Assessment (DPIA)
## EchoDepth — Pre-Match Press Conference Emotional Analysis

**Controller:** Cavefish Ltd (Reg. 15127122)  
**ICO Registration:** ZB915633  
**Document ref:** DPIA-ED-SPORT-001  
**Linked LIA:** LIA-ED-SPORT-001  
**Version:** 1.0  
**Date:** January 2026  
**Author:** Jonathan Prescott, Founder & CEO  
**Review date:** January 2027 or upon material change to processing  

---

## 1. Is a DPIA Required?

**Yes.** The ICO's list of processing types likely requiring a DPIA includes:

- Systematic processing of biometric data (likely applicable — see Article 9 position below)
- Processing involving evaluation or scoring of individuals
- Processing involving innovative technology
- Processing that may prevent individuals from exercising rights

This processing engages at minimum the second and third criteria. A DPIA is therefore conducted as a precautionary measure regardless of the Article 9 determination.

---

## 2. Description of Processing

**What data is processed:**  
Video footage of named professional football managers taken from publicly broadcast pre-match press conferences. Footage is sourced from official club/league broadcast feeds, broadcaster platforms, or publicly available recordings.

**Processing operations:**  
Footage is processed through FACS-based facial action unit detection (via Hume AI API as processing bridge). 44 Action Units are mapped to VAD (Valence, Arousal, Dominance) scores. Three composite outputs are derived: Genuine Confidence (0–1), Instability Index (0–1), Net Confidence (−1 to 1).

**Output and use:**  
Composite scores are used for (a) editorial sports journalism published on echodepthsports.com and (b) commercial data feed distribution to trading desks, quant funds, and alternative data aggregators under B2B data partnership agreements.

**Data subjects:**  
Professional football managers in the Premier League, Championship, and other competitions. All are adults in professional public-facing roles. None are members of vulnerable groups.

**Volume:**  
Approximately 40–60 managers per season across covered competitions. 2–3 press conferences per manager per match week.

**Retention:**  
Raw video footage: not retained after processing. AU vector outputs from Hume AI pipeline: subject to Hume AI's own DPA and retention terms — see Section 6. Composite scores: retained as part of the data product.

**Third parties:**  
Hume AI (processing partner — DPA in place). Data feed subscribers (B2B — subject to subscriber data use agreement). No transfer outside UK/EU without appropriate safeguards.

---

## 3. Necessity and Proportionality

Processing is limited to the minimum necessary to produce the analytical output. Specifically:

- Only footage from public professional press conferences is used (not private life, training, or personal contexts)
- Only composite behavioural scores are retained (not raw AU vectors or video)
- Processing is limited to the professional context in which managers have a public role
- Outputs are not used to make automated decisions affecting the data subject's employment, legal status, or financial position
- The processing serves a clear, documented commercial and editorial purpose

---

## 4. Risk Identification and Assessment

| Risk | Likelihood | Severity | Overall | Mitigation |
|---|---|---|---|---|
| ICO enforcement action for unlawful biometric processing | Low-Medium | High | Medium | Article 9 position documented; LIA on file; processing limited to public figures in public contexts |
| Defamation claim from data subject based on published score | Low-Medium | High | Medium | Outputs framed as analytical inference not objective fact; methodology caveats in all publications |
| Data subject objection under Article 21 | Low | Medium | Low | Objection process documented; balancing test in LIA supports compelling legitimate grounds |
| Hume AI retention of biometric vectors | Medium | High | High | Obtain and review Hume AI DPA; update public statements if retention confirmed |
| Misuse of data feed by downstream subscriber | Low | Medium | Low | B2B data use agreements restricting downstream use; GDPR flow-down clauses |
| Broadcaster/copyright claim on source footage | Medium | Medium | Medium | Source footage from official/public distribution channels; terms of use review required |
| Reputational harm to data subject from inaccurate score | Low | Medium | Low | Methodology caveat; editorial framing; human review before publication |
| Challenge to Article 9 position | Low-Medium | High | Medium | Dual Article 9(2) position documented (j and g); LIA supports primary position that Article 9 not engaged |

---

## 5. Article 9 Assessment

### Primary position: Article 9 not engaged

EchoDepth FACS AU analysis measures emotional state from observable facial movements. The data subject (the manager) is **not identified by the processing** — they are identified by the event context. The AU outputs answer "what emotional state is this person displaying?" not "who is this person?". Article 4(14) defines biometric data as processing which "allows or confirms the unique identification of a natural person." EchoDepth outputs do not enable identification.

This is analogous to a human observer watching a press conference and noting the manager's demeanour — the observation draws on physical signals but does not constitute biometric identification processing.

### Alternative position: Article 9(2) conditions if primary position fails

If a regulator or court determines the primary position is incorrect and Article 9 is engaged, Cavefish relies on two alternative conditions:

**Article 9(2)(j) — Scientific/statistical research:** FACS methodology validation, sports analytics research, and backtesting dataset development constitute scientific/statistical purposes. Appropriate safeguards: data minimisation, no re-identification, aggregate output design, no decisions based solely on processing.

**Article 9(2)(g) — Substantial public interest:** Editorial sports journalism under DPA 2018 Schedule 1 Part 2 Paragraph 8. The ICO has consistently interpreted sports journalism and analytical commentary as falling within the journalism/public interest condition. The editorial output on echodepthsports.com constitutes this use.

**Note:** The commercial data feed (for-trading-desks) is harder to bring within Article 9(2)(g). This use case relies more heavily on the primary position (Article 9 not engaged) and the Article 6(1)(f) LIA position. This is the highest-risk element of the processing and should be reviewed if the primary Article 9 position is challenged.

---

## 6. Third Party Processor — Hume AI

Hume AI processes video data as a sub-processor. Key questions to verify against Hume AI's DPA:

- [ ] Does Hume retain AU vectors after API response is returned?
- [ ] Does Hume use submitted data for model training?
- [ ] What is Hume's data residency (UK/EU or US)?
- [ ] Does Hume's DPA include UK GDPR Article 28 compliant clauses?
- [ ] Does Hume's retention policy conflict with "no raw biometric retention" claims on Cavefish sites?

**Action required:** Cavefish must obtain and review Hume AI's current DPA before continuing to publish retention claims. If Hume retains data, all public statements about ephemeral processing must be updated to reflect actual retention periods.

---

## 7. Data Subject Rights

| Right | Position |
|---|---|
| Right to information (Articles 13/14) | Addressed via LIA publication and privacy policy. Direct notification impractical given scale — public transparency adopted. |
| Right of access (Article 15) | Data subjects may request their scores via hello@cavefish.co.uk |
| Right to erasure (Article 17) | Future processing can be stopped; historical editorial content may be retained under journalism exemption |
| Right to object (Article 21) | Objection process in place; overriding legitimate grounds documented in LIA |
| Rights re automated decision-making (Article 22) | Not applicable — outputs are not used for automated decisions affecting the data subject |

---

## 8. Consultation

No prior ICO consultation is considered necessary at this stage given the public figure / public context nature of the processing and the documented Article 9 position. If the commercial data feed scales materially or enforcement guidance changes, ICO consultation should be considered.

---

## 9. DPO / Legal Review Recommendation

This DPIA has been prepared by the data controller. Independent legal review by a UK GDPR specialist is recommended before the commercial data feed product goes to market at scale. Specifically, counsel should review the Article 9 primary position and the commercial data feed characterisation.

---

## 10. Sign-off

| Role | Name | Date |
|---|---|---|
| Data Controller | Jonathan Prescott, Founder & CEO, Cavefish Ltd | January 2026 |
| Independent review | Recommended — not yet completed | — |
| Review trigger | Material change to processing, Hume AI change, or regulatory guidance update | — |