Enhanced oversight of biometric data: consultation

4. A Scottish Biometrics Commissioner

Why do we need a Scottish Biometrics Commissioner?

29. As outlined earlier, it is widely accepted that the use of biometric data is critical to policing and community safety activity in Scotland. It is also accepted that the biometrics field is highly complex, with successful adoption of techniques often involving the careful consideration of a number of factors.

30. Whilst there is currently evidence of strong governance and practice within both Police Scotland and the SPA with regard to the use of such data and techniques, the establishment of a source of independent expert advice and support is likely to strengthen this further.

31. We believe that an independent Scottish Biometrics Commissioner would support the effective, proportionate and ethical use of such data, ultimately leading to better outcomes and maximising the value of biometric technologies.

The Evidence Base

32. The proposals in this consultation build on a significant body of existing work to explore the benefits of enhanced independent oversight in relation to biometrics.

33. In 2007, Professor Jim Fraser was asked by Scottish Ministers to review and report on the operation and effectiveness of the statutory regime governing fingerprint and DNA data, with his work informing subsequent amendments to the 1995 Act. His report also highlighted the need for the establishment of independent oversight arrangements in this area.

34. More recently, HMICS published its ‘Audit and Assurance Review of the Use of the Facial Search functionality within the UK Police National Database ( PND) by Police Scotland’ in January 2016. Through that report, HMICS recommended that the Scottish Government consider the establishment of a Scottish Biometrics Commissioner to provide independent oversight of biometric databases and records held in Scotland.

35. The IAG built on this evidence base when making their recommendations for strengthened oversight earlier this year. The fast paced evolution of relevant technology, as well as the particular scientific and human rights implications associated with biometrics, was fundamental to this conclusion.

36. There are a number of public bodies already undertaking investigative, enforcement and scrutiny activity which has some relevance to the use of biometric data and techniques in a justice and community safety context in Scotland. However, we believe those bodies do not currently have the remit or expertise to effectively address the gap outlined above.

37. As already outlined, HMICS play an important role in scrutinising policing in Scotland, as does PIRC. In the case of HMICS, we consider that the incorporation of the functions of a Scottish Biometrics Commissioner would fundamentally change the purpose of that organisation and could dilute its effectiveness in undertaking wider scrutiny of policing in Scotland. This is a view shared by HMICS. In the case of PIRC, it is important to note that the Commissioner would have a role in advising and guiding the practice of that body. Clearly, their ability to do so in a way which is independent, both in practice and perception, would be hindered if they were to sit within PIRC.

38. Importantly, the UK Information Commissioner’s Office has an important role to play in advising on data protection matters which are of direct relevance when processing biometric data. Other oversight bodies such as the Scottish Human Rights Commission also have a strong interest and it will be important for the Scottish Biometrics Commissioner to develop strong partnerships with those organisations.

39. When considering the value of a Scottish Biometrics Commissioner, it is helpful to examine the arrangements which exist elsewhere in the UK, with the appointment of a Biometrics Commissioner in England and Wales having delivered significant benefits in those jurisdictions. The latest annual report of the Biometrics Commissioner for England and Wales can be viewed on the Gov.uk website: https://www.gov.uk/government/publications/biometrics-commissioner-annual-report-2017

Question 5

Do you believe a Scottish Biometrics Commissioner is required?

Please tick:

Yes / No / Don’t know

Please expand on the reasons for your answer.

What will the Commissioner do?

40. The Scottish Biometrics Commissioner will be established through primary legislation and will have statutory powers in relation to Police Scotland and the SPA.

41. The Commissioner will also oversee the practice of those other bodies who may collect biometric data whilst exercising powers of arrest for devolved purposes in Scotland, including the exercise of any of the powers and privileges of a Constable when investigating a matter under the direction of the COPFS. This would include, for example, PIRC.

Question 6

Do you believe the Commissioner’s statutory remit extends to the correct individuals/agencies?

Please tick:

Yes / No / Don’t know

Please expand on the reasons for your answer.

General Functions

42. As part of their 'general functions' the Commissioner would:

• have a general function of promoting compliance with an independently established framework of standards against which to measure the quality of systems and practices currently adopted. Those standards would be set out through Codes of Practice relating to the handling of biometric data. Such a Code has been published for views as part of this consultation.
• review any such Codes of Practice, making representations with a view to protecting the rights of children, vulnerable adults and protected characteristic groups, particularly where issues of consent arise.
• be able to begin investigations into the acquisition, retention, use and disposal of biometric data from their own mandate where an ethical or human rights concern has arisen. The Commissioner will not require access to biometric materials or databases but should have a statutory power to request specific information. For example, the Commissioner might require information on biometric data volumes currently held in relation to children and young people, broken down by age and gender, to help assess the effectiveness of youth justice policy objectives. There would be a statutory requirement on relevant bodies to comply with such requests.
• conduct or assist with specific reviews requested by the Parliament or specified bodies/office holders including Scottish Ministers, the Lord Advocate, the Chief Constable of Police Scotland, the Board of the SPA, HMICS and PIRC.

• have a statutory power to issue improvement notices where there are systemic breaches of Codes of Practice. Whilst there would be no enforcement power and no official sanction for failing to comply with such an improvement notice, any instances of failure to act on an improvement notice within reasonable timescales would be reported to the Scottish Parliament through the annual reporting mechanisms of the Commissioner.

• report to the Scottish Parliament via an annual report and publish findings each year of the reviews undertaken and the outcome of reviews.
• submit, as appropriate, reports to international human rights and other relevant bodies pursuant to Scotland’s international obligations and submit general recommendations to bodies on any matter relevant to the Commissioner’s remit.
• commission research into the appropriateness of biometric retention policies and collaborate more broadly in academic research including on the effectiveness of retention periods.
• involve an independent case review mechanism. In line with their statutory remit, the UK Information Commissioner will continue to consider concerns raised by members of the public regarding the accessing or handling of their personal information by Police Scotland, the SPA and those other individuals exercising powers of arrest in Scotland for devolved purposes. Should the Information Commissioner, in the course of considering an individual case, identify the potential for systemic learning and improvement in relation to the use of biometric data for justice and community safety purposes in Scotland, details may be shared with the Scottish Biometrics Commissioner. It would then be open to the Scottish Biometrics Commissioner to consider whether a specific review was required. The Scottish Biometrics Commissioner would have a statutory power to require information from those bodies listed at paragraphs 40 and 41 to aid them in undertaking a review. This information would pertain to the taking of biometric data as opposed to the data itself. The Scottish Biometric Commissioner would publish their findings in a manner that protects the identity of any appellant. Whilst there would be no formal recourse in respect of the individual, it would be open to the Scottish Biometric Commissioner to issue an improvement notice.

43. The below Concept of Operations more fully describes the proposed role of the Scottish Biometrics Commissioner. www.gov.scot/publications/consultation-enhanced-oversight-biometric-data-justice-community-safety-purposes//downloads

Question 7

Do you believe the proposed general functions of the Scottish Biometrics Commissioner are the right ones?

Please tick:

Yes / No / Don’t know

Please expand on the reasons for your answer.

Distinct approach to children

44. The Scottish Biometrics Commissioner will oversee an appropriately distinct and proportionate approach to the acquisition, retention, use and disposal of biometric data relating to children under the age of 18 in the criminal justice system. The number of children entering the criminal justice system in Scotland is small and we believe there are situations in which biometric data need not be captured in relation to each of these individuals.

45. The Commissioner will oversee a Code of Practice which will reflect the following:

• For children under 12 who, under the Age of Criminal Responsibility (Scotland) Bill, will no longer be capable of being held criminally responsible, biometrics will not be obtained except where they are needed for the investigation of a very serious incident. The capture or use of biometrics will have to be authorised by a Sheriff and biometric data taken from children under 12 will have to be destroyed as soon as they are no longer needed for the specific investigation and any resulting Children’s Hearings System proceedings. They will not be placed on the Police Scotland Criminal History System ( CHS) or the PND.
• For children aged 12 to 17 years, in each case, consideration should be given as to whether it is proportionate and necessary to obtain biometric data for the purposes of recording on the biometric databases, with the best interests of the child specifically considered in the decision making process, along with the child’s offending behaviour. Where biometric data is obtained the reasons should be subject to review and scrutiny within a reasonable time frame, both internally by supervising officers and by the Scottish Biometrics Commissioner.

46. This approach will seek to minimise the number of children who have biometric data captured, reducing stigmatisation and improving life chances.

Question 8

Do you believe the proposed approach to the acquisition of biometric data from children and young people in the justice system is the right one?

Please tick:

Yes / No / Don’t know

Please expand on the reasons for your answer.

Potential beyond the Scottish justice landscape

47. It is clear that the Commissioner will require particular expertise and experience if they are to advise on the specific legal and scientific considerations which need to be made when using biometric data. We expect that this expertise may also prove valuable to agencies other than those falling within the statutory remit of the office holder. In this context, we are proposing that the Commissioner may also provide, on an administrative basis, advice to those other public and private sector organisations who collect biometric data.

48. It is also important to note that Police Scotland and the SPA use several common policing biometric databases maintained by the Home Office. We would therefore expect the Commissioner to represent Scottish interests through liaison with corresponding regulatory office holders in other parts of the UK.

How will the Commissioner be appointed and held accountable?

49. The Commissioner will play a central role in driving improvement and protecting the rights of individuals. If they are to do this in a way which commands the confidence of partners and the public, the role will have to be delivered in a way which is, and is seen to be, transparent, accountable and free of any undue influence.

50. Given that the above mentioned regulatory framework for biometrics is set at a national level and consistently applied across the country, it is clear that oversight of those arrangements is also best dealt with nationally. That oversight has to be delivered in a way which complements wider scrutiny arrangements and, for reasons outlined earlier, we believe the best way to achieve this is through an independent Scottish Biometrics Commissioner, liaising closely with other relevant bodies.

51. Whilst the Commissioner will play a key role in advising on and guiding the practice of service providers, their work will undoubtedly also inform the views of those policy makers with responsibility for setting the overarching regulatory framework for biometrics, including the legislative framework.

52. A transparent relationship with government, including specific protection for the independence of some functions, will therefore be crucial. It will help to foster a sense of trust in the organisation's ability to make impartial, professional decisions and ensure that confidence in the integrity of Ministers and the organisation is maintained.

53. A final decision on the appointment arrangements for the Commissioner has yet to be taken, including whether they are accountable to Scottish Ministers or the Scottish Parliament. A decision on this point will follow this consultation exercise.

Question 9

Do you have any views on the appointment and accountability arrangements for the Commissioner?

Please tick:

Yes / No / Don’t know

Please expand on the reasons for your answer.