Enhanced oversight of biometric data: consultation

3. A Statutory Code of Practice covering biometric data and technologies

Why do we need a Code of Practice?

Legislation governing retention of biometrics

14. The Criminal Procedure (Scotland) Act 1995 (‘the 1995 Act’) is the primary Scottish legislation allowing the retention of fingerprints and other biometric samples from a person arrested by the police. Sections 18 to 19C stipulate the conditions under which samples may be taken by the police, as well as rules for retention and specification of the purposes of use of samples. It should also be noted that Section 18G permits biometric data to be retained for reserved matters, notably under national security determinations. The existing law may be summarised as follows:

• fingerprint and DNA data from convicted persons can be retained indefinitely. This legal entitlement applies on the basis of a single criminal conviction for any type of offence, regardless of gravity;
• data from children dealt with through the Children’s Hearings System may be retained only where the grounds for referral are established (whether through acceptance by the child at such a hearing or a finding in court) in relation to a prescribed sexual or violent offence. Such data can only be retained for three years unless the police apply for, and are granted, an extension by a Sheriff. For less serious offences, and where grounds are not established, there is no retention in relation to children;
• data from individuals who accept an offer from the procurator fiscal may be retained for three years in relation to a prescribed sexual or violent offence, with the Chief Constable able to apply to the Sheriff Court for further two-year extensions (there is no limit on the number of two-year extensions that can be granted in respect of a particular person’s data); data may be retained for two years in relation to non-sexual or non-violent offences which are the subject of a ‘Fiscal Offer’ or fixed penalty notice from the police;
• data from individuals prosecuted for certain sexual and violent offences may be retained for three years (whether or not they are convicted), with the Chief Constable able to apply to the Sheriff Court for further two-year extensions (there is no limit on the number of two-year extensions that can be granted in respect of a person’s data); and
• subject to the exception just stated, data from individuals arrested for any offences (and who have no previous convictions) must be destroyed immediately if they are not convicted or if they are given an absolute discharge.

15. Whilst the data obtained under those sections will account for a significant proportion of the biometric data held and used for justice and community safety purposes, biometric data is also captured by the police in other circumstances. For example, there are situations where victims and witnesses agree to their biometric data being held in order to support investigative activity. In addition, police officers share their biometric data in order that they can be eliminated from investigations in circumstances where, for example, their fingerprints are found at the scene of an incident following their attendance in the course of their duties. Finally, there will be occasions where Police Scotland hold and use biometric data which has been provided by another agency, for example CCTV provided by a local council or data provided by an NHS Scotland Health Board.

16. It is important to note that, whilst intelligence products obtained by the police from crime scenes (for example, hair samples) do not themselves fall within the scope of the proposals in this consultation, any biometric data derived from those samples which is subsequently attributed to an individual would be relevant.

17. We believe there is scope to develop a more comprehensive framework of standards and guidance against which to measure the quality of systems and practices currently adopted for the management of the above data. The Code of Practice will address this gap without impacting the existing legislative framework. Rather it will seek to ensure that that is understood, and that the retention of biometric data is both necessary and proportionate, and in accordance with the law.

Question 1

Do you believe a statutory Code of Practice covering the acquisition, use, retention and disposal of biometric data for justice and community safety purposes is required?

Please tick:

Yes / No / Don’t know

Please expand on the reasons for your answer.

Who does the Code apply to?

Authorities to whom this Code should apply on a statutory basis

18. There will be a statutory power for Scottish Ministers to publish a Code of Practice. The Code of Practice will provide guidance in relation to the acquisition, retention, use and disposal of biometric data for justice and community safety purposes in Scotland and would apply on a statutory basis to Police Scotland and the SPA.

19. It would also apply to any other bodies who may collect biometric data whilst exercising powers of arrest for devolved purposes in Scotland. This will include the exercise of any of the powers and privileges of a Constable when investigating a matter under the direction of the Crown Office and Procurator Fiscal Service ( COPFS) including, for example, where Police Scotland and SPA collect and store data on behalf of the Police Investigations and Review Commissioner ( PIRC).

20. The Code of Practice does not extend to national security activity conducted in Scotland. Such matters fall within the jurisdiction of the UK Parliament and feature within the remit of the Biometrics Commissioner for England and Wales who has responsibility for certain matters related to UK national security.

Adoption by Police Scotland on a voluntary basis

21. Subject to the views expressed through this consultation we will encourage voluntary adoption of the Code of Practice by Police Scotland in order to test and refine its content prior to it being placed on a statutory footing.

Adoption by other public authorities in Scotland on a voluntary basis

22. Although the primary purpose of the Code of Practice is to ensure statutory regulation in relation to the above mentioned bodies, there are many other public bodies who collect biometric data from citizens engaged in routine activity. These include, for example, local authorities and others operating public space CCTV surveillance systems. In addition, biometric data is also collected and retained with consent in various health and education contexts.

23. We believe that many of the principles and practices set out in the Code will also be of interest to those organisations and for that reason we would encourage, as appropriate, their adoption on a voluntary basis.

The Private sector

24. The statutory requirement to comply with the Code of Practice will not apply directly to private sector organisations. However, where such an organisation is collecting, using or retaining biometric data on behalf of one of the bodies to whom the Code applies on a statutory basis, there should be a requirement made by the commissioning body to ensure the private sector organisation complies with the Code.

Question 2

Do you believe the proposed statutory Code of Practice is being applied to the correct individuals/agencies?

Please tick:

Yes / No / Don’t know

Please expand on the reasons for your answer.

What are the Code’s principles?

General Principles

25. The Code of Practice will include a set of written rules or 'General Principles' outlining the responsibilities of those to whom it applies. Those General Principles embody wider legal, ethical, human rights, and data protection considerations including the special considerations to be made for children, vulnerable adults and protected characteristic groups.

26. The IAG, in their 2018 Report on the use of biometric data, advised Scottish Ministers on the General Principles that should be adopted. Specifically, they recommended that the acquisition, use, retention and disposal of biometric data, in addition to being lawful, proportionate, and necessary, should:

• enhance public safety and the public good;
• advance the interests of justice;
• demonstrate respect for the human rights of individuals and groups;
• respect the dignity of all individuals;
• take particular account of the rights of children;
• take particular account of the rights of other vulnerable groups and individuals;
• protect the right to respect for private and family life;
• encourage scientific and technological developments to be harnessed to promote the swift exoneration of the innocent, afford protection and resolution for victims, and assist the criminal justice process; and
• be based on validated evidence.

27. These General Principles form the basis of the proposed statutory Code of Practice and will be used by Police Scotland and the SPA as part of internal self-assessment processes, procedures, and governance mechanisms around the management of biometric data and their supporting technologies. These General Principles also provide a framework against which compliance may be assessed by the proposed Scottish Biometrics Commissioner.

Question 3

Do you believe the General Principles outlined in the statutory Code of Practice are the right ones?

Please tick:

Yes / No / Don’t know

Please expand on the reasons for your answer.

The draft Code

28. A suggested draft Code of Practice can be viewed at www.gov.scot/publications/consultation-enhanced-oversight-biometric-data-justice-community-safety-purposes//downloads

Question 4

Do you believe the statutory Code of Practice covers all relevant issues which require consideration when decisions are being taken about the acquisition, use, retention and disposal of biometric data?

Please tick:

Yes / No / Don’t know

Please expand on the reasons for your answer.