South Wales Police used facial recognition software to identify and arrest three people during the Six Nations match in Cardiff on Saturday.

The first arrest was made within an hour of the software being activated, according to inspector Scott Lloyd. Lloyd revealed on Twitter that a second male was arrested a couple of hours later and found to be in possession of drugs.

A third person was arrested later in the day after being identified using the software. “It’s another UK Policing first,” Lloyd said. “Positively identified from night club CCTV a month ago using the technology and located in Cardiff during today’s deployment.”

Facial recognition software has faced mounting resistance from civil liberty groups in recent months. Critics note that it regularly delivers false positives and that there is no framework for its application in policing.

The chair of the science and technology select committee, MP Norman Lamb, wrote to the Home Office in December to seek “full clarity” on the reasons for the “continuing delay” to the publication of the government’s biometrics strategy.

“What aspects of the proposed strategy has caused particular problems?” he asked. “It would be helpful to know when a draft first reached ministers for consideration.”

“It would be helpful also, not least for the Committee in planning its future scrutiny work, to have a more precise estimate – beyond ‘next year’ – for when the Strategy will appear,” he added.

In an interview with NS Tech in September, Lamb warned that the government’s failure to publish the framework “massively increases the risk of abuse”. He said it was “extraordinary” that police forces are starting to apply facial recognition technology “in a policy-free vacuum”.

The Home Office had been due to publish a joint forensics and biometrics strategy by the end of 2013. But in March 2016, it published the forensics strategy without the biometrics component.

In the same month, it confirmed in a Freedom of Information request that the biometrics component was “in the final stages of completion”. A spokesperson told NS Tech in September that it would be published “in due course”.

Biometrics commissioner Paul Wiley noted in his annual report last year that thousands of people are at risk of being unduly targeted by the police because their images are stored in a vast facial recognition database.

The National Police Database now contains at least 19 million custody images, hundreds of thousands of which belong to people who were later acquitted or never charged with a crime, according to Wiles.

The retention of innocent people’s facial images was deemed unlawful by a court more than five years ago, but a Home Office review published last year said police should delete images only if the subject asks them to do so.

Wiles said it remained to be seen how many people would take up the opportunity. “The evidence from a similar application process to the police, to delete [Police National Computer] and biometric records, is not encouraging,” he wrote.

The commissioner also warned that there is no independent oversight of the police’s retention of secondary biometric data such as facial images and voice recordings.

“This whole process is in the hands of the police itself,” he said. “What we’ve got is a legislative deficit. I think that’s very worrying because if we’re not careful the public will lose confidence in the police.”