Use of biometric data: report of the independent advisory group

9 Oversight – Scottish Biometrics Commissioner

9.1 ‘Changes in technology happen at a pace that the legislature fails to keep up with. This is a challenge for all Governments across the world, but it isn’t insurmountable. Creating independent bodies of experts that are able to track the changes in technology, how those technologies are put into practice, and whether the legislative framework continues to serve its original purpose, is a good approach to meeting the challenges of an ever-changing technological landscape ^[109] .’

9.2 There is currently no independent governance or oversight of the use of biometric data in policing in Scotland. This gap was highlighted in the Fraser Report in 2008 and, again, in the HMICS Report in 2016. The latter report specifically recommended the creation of a Scottish Biometrics Commissioner. There are distinct considerations in biometrics in policing which underline the need for specific scrutiny, many of which have been addressed elsewhere in this report.

The need for a Commissioner

9.3 It is instructive to consider the oversight picture for biometric data in England and Wales. There, independent oversight involves several bodies which contribute to the overall picture, with each offering different perspectives and emphasis – the National DNA Database Strategy Board ^[110] , the UK Biometrics Commissioner, the Forensic Science Regulator (England and Wales), and the Biometrics and Forensics Ethics Group. The position there is complicated but apparently clear enough to those involved and generally well understood.

9.4 In addition, the Information Commissioner’s Office ( ICO) has general oversight of all personal data usage, whether of a biometric kind or not, although the new GDPR and the law enforcement provisions of the DPB do specifically highlight such data. The new data protection regime, although basically following present regulation, will give the ICO more power and will especially give more rights for data subjects to both be informed and challenge the holding of data about them. This will not necessarily change the situation as regards the PoFA and police use and holding of DNA and fingerprints, but it may well mean that the police will need to be more transparent and provide a mechanism for data subjects to exercise their strengthened rights. It may have a more significant effect on those second generation biometrics outwith the PoFA and currently governed either by the England and Wales Management of Police Information Code of Practice or not at all, an area likely to be considered by the Forensic Science Regulator (England and Wales) in relation to quality aspects of the biometrics as opposed to issues relating to retention.

9.5 The UK Biometrics Commissioner liaises regularly with the ICO. It is understood that arrangements work well generally without the need for a formal Memorandum of Understanding.

9.6 The Forensic Science Regulator (England and Wales) has oversight of the scientific quality of forensic evidence and her oversight has been strengthened. Her role is clear. The UK Biometrics Commissioner liaises regularly with her and they work together on the limited areas where there is a shared interest. Currently, they are working together to try and improve the understanding and ability across the criminal justice system to use scientific evidence.

9.7 The Surveillance Camera Commissioner has responsibility for drawing up a voluntary Code of Practice for the use of public camera systems. Recently, however, he has written to all police forces saying that he has control of the use of facial imaging (because it uses cameras) and they should not use facial imaging in public places without his permission. This has caused some concern about clarity around the PoFA and the role of the Information Commissioner.

9.8 Given the presumption against the creation of new public bodies in Scotland, we considered the question of whether oversight in this area might be added to the responsibilities of an existing commissioner or public body. Having examined the various options, it appears to us that there is no body within the competence of the Scottish Parliament to which oversight in this area could readily be given. More generally, as can be seen from England and Wales, there is some overlap of responsibility with the ICO which is a UK body. Data protection is a reserved matter and therefore the ICO exercises these powers in Scotland as well as the rest of the UK, albeit with a Scottish presence.

9.9 The existence of the ICO in England and Wales did not preclude the need to establish a separate Biometrics Commissioner and, although there is some overlap, each oversees distinct areas which are widely recognised as requiring separate scrutiny. The reports and other work of the UK Biometrics Commissioner, generally accepted and welcomed by the UK Parliament, have highlighted the need for specific oversight in this complex and developing field. Finally, a majority of the responses and submissions we received supported the creation of a new body to provide independent oversight in this area.

The Commissioner’s Role

9.10 Written submissions to the IAG addressed various possible aspects of the role of the Commissioner. We found these submissions helpful and quote from some here where we accept them and wish to include them as part of this report.

9.11 The Commissioner should ^[111] :

• have an independent complaints mechanism
• be able to begin investigations from their own mandate
• be able to develop Codes of Practice relating to the handling of biometric data, and hold bodies to account for following the rules set out
• report to the Scottish Parliament and publish findings each year of the reviews they undertake and the outcome of their investigations.

9.12 ‘The Commissioner should also have a large part of public education and public engagement. One of the areas the public is continually let down on is the delivery of clear, jargon free information to help them understand the powers authorities have, the powers they [the public] have to hold those authorities to account, and how to exercise those powers. A commissioner with a mission statement relating to public engagement and education would go some distance to maintaining a public feedback loop for the Commissioner, noting the shifting expectations of the public, and reacting to those changes with new guidance, or public education initiatives ^[112] .’

9.13 Oversight by the Commissioner should extend to all aspects of policing and law enforcement subject to the competence of the Scottish Parliament. Specifically, this will include Police Scotland and the SPA, as well as any other related public bodies. The Commissioner should be able to issue guidance to public bodies in the criminal justice field, as well as offering support in their ethical use of biometric data – existing, emerging and future.

9.14 There are other areas of Government in which biometric data feature (for example, health and education), although these fall outwith our Terms of Reference. Consideration can be given as to whether the role of the Scottish Biometrics Commissioner should be extended to these.

9.15 It is, as yet, impossible to assess the scale of the role of a Biometrics Commissioner in Scotland. Ideally, in terms of recognised good practice for such bodies, it may be that there would be a commission rather than a singleton commissioner ^[113] . This was put to us in written submission. On the other hand, we recognise that a Commission might seem disproportionate in the Scottish context given that we have only a single primary Scottish police service as opposed to the 43 constabularies that are subject to scrutiny in this area by one part-time UK Biometrics Commissioner. The size of the population and the amount of biometric data is also relevant, although we see the role in Scotland developing and increasing with advances in related technologies. The Commissioner can keep the Scottish Parliament advised on their ability to offer meaningful oversight and scrutiny.

9.16 Public consultation can consider the role, powers and functions of the Commissioner in parallel with consultation on the potential content of a Code of Practice. This should include the suggestions in this chapter.

9.17 The Commissioner should have powers to investigate compliance with any Code of Practice by the bodies to which it applies, making recommendations, and following up those recommendations, as well as reporting publicly on the outcomes ^[114] .

9.18 In Scotland there is no Surveillance Camera Commissioner. One respondent suggested a commissioner whose oversight covered biometrics and CCTV where biometric data can be captured without knowledge or consent. This area extends beyond our Terms of Reference, and we make no recommendation, but it is a matter which can be considered in due course. It could also be the subject of consultation.

9.19 On the remit of the Commissioner, see also the submission to the IAG from the Open Rights Group (pages 17/18).

Ethics Advisory Group

9.20 As will be apparent from previous Chapters, biometrics and biometric data in policing are areas with significant ethical issues, challenges and concerns. In recognition of this, some work is already being done to promote specific consideration of ethical issues within Police Scotland and the SPA.

9.21 In this area, we have been impressed by the contribution in England and Wales of the Biometrics and Forensics Ethics Group. The BFEG has 13 members. Although it has only four plenary meetings annually, much work is done through sub-groups. It produces an annual report. Its last report ^[115] , published on 30 October 2017, includes updates on its work in 2016:

• the use of next generation sequencing technologies
• a pilot project on the international exchange of DNA
• the development of a set of high level ethical principles for stakeholders
• the retention and use of custody images
• the role of forensics in achieving criminal justice outcomes
• developments in rapid DNA and Y-Short Tandem Repeat technologies
• ground-truth databases
• DNA paternity testing for child maintenance cases

9.22 We recommend that there should be an Ethics Advisory Group on Biometrics in Scotland. This Group can support, test and challenge the Commissioner and other relevant bodies. Liaising with others working in relevant areas of ethics, the Group will offer advice on options as to how, or whether, to proceed with proposed developments in technology. We see considerable scope for liaison with the BFEG, possibly to include observers from each Group attending meetings of the other.

9.23 It seems to us that there are individuals in Scotland, especially in our universities, who would be ideal to perform such a role. We received considerable assistance from them and, whether or not directly involved in such a Group, we are confident that they would have a useful role to play in the oversight landscape, especially when we are recommending greater transparency and evidence-gathering.

9.24 Some additional scoping work might usefully be carried out in advance of public consultation to explore various options for the establishment of such a Group and appointment of its members. We thought it useful to look at the requirements for BFEG members which include full compliance with the requirements of the Office of the Commissioner for Public Appointments. Appendix 8 contains the information published last year when the BFEG was seeking new members. This is included for information only, and we make no specific recommendation about the process for establishment of, or appointments to, such a body.

9.25 For the avoidance of doubt, we do not suggest replication of the full oversight regime in England and Wales.

Reporting

9.26 The Commissioner should report annually to the Scottish Parliament. The Commissioner should be responsible for publication of a report. Periodic review by the Parliament should be at regular intervals, perhaps every three to five years. Earlier review might be appropriate in the early stages of the new oversight regime but that would be a matter for the Parliament. In addition, it should be possible for a review by the Parliament to be requested by specified bodies or office-holders, specifically the Scottish Biometrics Commissioner, the Cabinet Secretary for Justice, the Lord Advocate, the Chief Constable of Police Scotland, the Board of the SPA, HMICS and the Police Investigations and Review Commissioner.

‘The Commissioner’s mandate should involve giving expert evidence in policy deliberations that are within its remit. This helps to ensure the relevance of the Commissioner and provide opportunity for regular contact between the Commissioner, the Scottish Parliament, and the public.’ ^[116]

Support

9.27 The Scottish Biometrics Commissioner should have a secretariat. This might usefully be shared with another organisation independent of government, possibly a Non-Departmental Government Body. Alternatively, it might be based at a university. The latter possibility may have advantages when it comes to establishing an Ethics Advisory Group, for reasons outlined above.

Legislation

9.28 In addition to provisions regarding the Commissioner, legislation should also address certain other key areas.

9.29 To ensure practice in this area is in accordance with the law, data collection, processing, storage, retention, use and disposal must be governed by clear, accessible and enforceable rules set out in primary legislation and a statutory Code of Practice, and enforced by the Commissioner. Voluntary policies are not sufficient. We see a need for consistency of rules, regulations and procedures across different biometric data. Consistency will assist with compliance, as will the existence of a single regulator. At present, different policies for retention of custody images on different police databases represents a potential source of confusion. Having a single policy, based on legislation, should also assist the public in understanding their rights and obligations in relation to biometric data.

9.30 Legislation should explicitly provide for the police to take photographs and prohibit the taking of any samples other than as prescribed.

9.31 Given the significance of retention periods, we suggest that these should continue to be specified in primary legislation, as is the case at present for DNA and fingerprints.

9.32 Biometrics and biometric data should be described in general terms, in the Code of Practice and primary legislation, to avoid missing a new source of data by having too narrow a definition or too exhaustive a list.

Private sector

9.33 While not involved in direct regulation of private sector bodies in this area, the Commissioner should have oversight of their work where it is done at the request of, or feeds into work by, Police Scotland, the SPA or any other relevant public body. In such cases, the relevant public body should specify a requirement on the part of the private body to comply with relevant legislation and any codes.

Recommendation 8

There should be legislation to create an independent Scottish Biometrics Commissioner. The Commissioner should be answerable to the Scottish Parliament, and report to the Parliament. The Commissioner should keep under review the acquisition, retention, use and disposal of all biometric data by the police, SPA and other public bodies. The Commissioner should promote good practice amongst relevant public and private bodies, and monitor compliance with the Code of Practice.

Recommendation 9

An ethics advisory group should be established as part of the oversight arrangements. This group should work with the Commissioner and others to promote ethical considerations in the acquisition, retention, use and disposal of biometric technologies and biometric data.