British Columbia's Crown-owned insurance corporation can't allow the police to use its facial recognition software to catch Stanley Cup rioters -- or any other suspect -- without a court order, the province's privacy watchdog ruled Thursday.

While the Vancouver police declined the Insurance Corp. of B.C.'s offer to help with the riot investigation, Elizabeth Denham released a report that says the agency has allowed police to access its database in the past -- a practice she concluded violates provincial privacy laws and raises important questions about the use of sensitive biometric data.

Denham's ruling was released the same day a judge was scheduled to sentence the first person convicted for rioting last June 15 after the Vancouver Canucks lost the Stanley Cup final to the Boston Bruins.

Ryan Dickinson, 20, pleaded guilty last month and is likely facing jail time for trashing an unmarked police car and vandalizing a clothing store. The Crown has asked he be sentenced to between 15 and 18 months for rioting, while his lawyer has recommended a sentence of one year.

Soon after the riot, ICBC offered to help Vancouver police by using its facial recognition software to match photographs of rioters with names in its database.

The corporation offered to run a photo of a rioter through its system and let police know whether there was a match. If there was, ICBC proposed police would then require a court order to see the results.

But Denham said even that violates privacy laws, which say public bodies can only use information about citizens for the purpose it was originally collected for.

In this case, Denham said ICBC collected photos for detecting and preventing driver's licence fraud, which means it is prohibited from using them for any other purpose, including aiding law enforcement.

"We certainly agree that any disclosure of the details of a match would require a court order," Denham said in an interview.

"We think that even running external data against this database that was compiled just for driver's licence fraud is a change in use of that data, not allowed under the (Freedom of Information and Protection of Privacy) Act."

Denham said her office identified 15 instances in which ICBC received requests to use its facial recognition software to identify a suspect.

In at least one of those cases, Denham's report says, ICBC handed over the possible identity of a suspect.

"They ran the information and disclosed it to the police without a subpoena or a court order," Denham said.

Denham also said ICBC hadn't adequately informed the public that it was using facial recognition software internally and recommended the agency better communicate that to its customers.

ICBC spokesman Adam Grossman noted the agency had yet to provide any information to riot investigators, and he said all of Denham's recommendations would be adopted.

"What I think the report is saying is that a court order is needed to share any information, but we shouldn't be making those kinds of pro-active offers without a court order," said Grossman.

"And we think that's a good clarification for the way we use the technology going forward."

Vancouver police issued a news release pointing out that it had declined ICBC's offer, "recognizing a judicial authorization would be required and the technology served no advantage for our investigation."

Denham said the use of what she described as biometric information should be treated with special care.

"The (biometric) information is our most sensitive type of information," she said.

"It's not just somebody's name and their address. It's their image -- it's themselves. And in that case, the state should have very stringent rules and stringent controls about how that data can be used."