Enhanced oversight of biometric data: consultation

1. There should be national debate to improve public understanding of, and confidence in, the retention and use of biometric data in Scotland for policing, law enforcement and other public protection purposes. Ideally, this should start before and continue during the Scottish Government’s public consultation, as well as featuring in ongoing discussion after consultation.

Accept. There is a risk that the considerable benefits arising from the use of biometric data and technologies are undermined if there is a lack of public understanding and confidence in the way they are used by the police. We will hold a public consultation later this year on our proposals to strengthen the legislative, governance and oversight framework which will seek views on the use of biometric data and technologies, including ethical and human rights aspects. The publication of the advisory group’s report provides the opportunity to begin the public debate in Scotland.

Ongoing: The then Cabinet Secretary for Justice officially launched the IAG’s report on 22 March and work is now underway to develop an engagement plan to drive a series of stakeholder engagement activities at key milestones.

As part of this, we continue to explore opportunities for parliamentary engagement around our consultation proposals following summer recess. In the meantime, Scottish Government officials will undertake consultation events aimed at specific interest groups, bilateral meetings with key stakeholders and further engagement with members of the Scottish Youth Parliament’s Justice committee. The IAG, chaired by John Scott QC, will continue to meet with a revised remit to support progress on this recommendation.

2. Legislation should establish a Code of Practice covering the acquisition, retention, use and disposal of DNA, fingerprints, facial and other photographic images (including custody images) and all existing, emerging and future biometrics for Police Scotland, the Scottish Police Authority and other bodies working in the field of law enforcement. The legislation should outline matters relating to review of the Code by the Scottish Parliament.

Accept. We intend to bring forward legislation on biometrics in the current Parliamentary session. This will enable us to introduce a statutory biometrics code of practice and progress other aspects of the advisory group’s report including establishing a statutory framework to govern and regulate police retention and use of facial images and use of facial recognition technology. A biometrics code of practice will complement existing law enforcement codes of practice in Scotland and provide a framework of ethical and human rights respecting principles against which the use of biometric data and technologies can be assured.

Work is already underway to develop an outline code of practice and we will further develop and trial the code with Police Scotland and the Scottish Police Authority ahead of it being given a statutory basis.

Ongoing: It remains our intention to bring forward legislation on biometrics in the current Parliamentary session. The legislation would provide for a statutory Code of Practice, an outline of which is presented within this consultation for views.

The Code describes the legal framework concerning the acquisition, retention, use and disposal of biometric data for justice and community safety purposes in Scotland. It will apply on a statutory basis to Police Scotland, the Scottish Police Authority ( SPA) and those other individuals exercising the powers and privileges of a constable for devolved purposes in Scotland.

3. The Code of Practice should be the subject of detailed consultation. It should contain relevant human rights and ethical principles, address the implications of any presumption regarding retention and specify relevant procedures for applications from private citizens for deletion of biometric data. It should contain specific reference to validation of biometric technologies.

Accept. We will develop the detail of the code of practice through public consultation and further stakeholder engagement (see recommendation 1 above).

Ongoing: As part of this consultation, we have published a draft Code of Practice which describes the statutory responsibilities of those to whom the Code applies. The Code contains a set of General Principles which embody all relevant legal, ethical, human rights, and data protection considerations when using biometric data for policing and community safety purposes. It also outlines the special considerations to be made for children, vulnerable adults and protected characteristic groups.

This Code of Practice requires that public bodies using biometric data for justice and community safety purposes should have internal validation systems, processes and procedures in place in respect of each biometric technology and database that they operate as part of internal governance regimes. Such validation mechanisms would be kept under review by the newly established Scottish Biometrics Commissioner.

Following analysis of consultation responses, the draft Code of Practice will be further developed and finalised in the autumn. Police Scotland will then pilot the Code of Practice to assess the extent to which the General Principles and associated guidance contained therein assist in relation to the overall governance regime around biometric technologies and data. Should unanticipated practical or operational difficulties be identified, the Code will be further defined as necessary prior to the appointment of the Scottish Biometrics Commissioner.

4. Distinct policies should be formulated for the acquisition, retention, use and disposal of the biometric data of children aged between 12 and 17. In each case involving a child, consideration should be given to the proportionality and necessity of obtaining biometric data for the purposes of recording on the biometric databases, ensuring that the best interests of the individual child are taken into account in the decision making process. Where the decision is to obtain and retain biometric data, the reasons should be recorded and subject to review and scrutiny. Appropriate consideration should be given, and adaptation made, in the treatment of the data of those (children and adults) with specific vulnerabilities.

Accept. In many areas of policing decisions are based on an assessment of risk on a case by case basis and this recommendation is based on a proposal put forward by Police Scotland. We agree with the advisory group that there are strong arguments for taking a different approach to children aged between 12 and 17 to ensure that their biometric data is taken, used and retained in a proportionate manner that reduces any unintended negative risks or consequences. This approach is consistent with other Scottish policy approaches including Getting it Right for Every Child and the Whole System Approach for Children and Young People who Offend. The Age of Criminal Responsibility (Scotland) Bill which was introduced on 13 March 2018 sets out arrangements for taking and using biometric data from children under 12.

We will liaise with Police Scotland, SPA and other stakeholders to develop a more proportionate approach to taking, using, retaining and disposing of biometric data from children and adults with specific vulnerabilities.

Ongoing: Police Scotland will lead on the development of a new policy and a new investigative options and decision making model in relation to whether and in what circumstances it is necessary to acquire or retain biometric data from 12-17 year olds.

Police Scotland have established a Short Life Working Group ( SLWG) to develop the work required to progress this recommendation. This new policy will also implement any new arrangements required as a result of anticipated changes to the minimum age of criminal responsibility ( MACR).

The Scottish Government will continue to engage with Police Scotland and SPA on progress, with Police Scotland submitting update reports on progress at relevant stages.

5. There should be a review of the rules on retention of biometric data in sections 18 to 19C of the Criminal Procedure (Scotland) Act 1995, considering all questions of proportionality and necessity. The review should be research led and consider not only the gravity of the offending but also the value of biometrics in the investigation of certain offences, re-offending rates relating to different crimes, the escalation of offending, and the value that biometric retention has in the investigation of this escalation. It should be informed by any developments in the law in Scotland, England and the European Court of Human Rights.

Accept. This recommendation links to recommendation 7. We will review current legislation in the light of the developing evidence base and any relevant legal judgments.

Planned: The Scottish Biometrics Commissioner will ensure that the retention of biometric data by Police Scotland, the Scottish Police Authority and other specified bodies is necessary and proportionate, and in accordance with the law.

Once appointed, the Commissioner will play a key role in developing the evidence base to inform any future decisions on rules around the retention of biometric data, including those set out through the Criminal Procedure (Scotland) Act 1995.

6. There should be a presumption of deletion of biometric data after the expiry of prescribed minimum retention periods.

Accept. We agree that a guiding principle should be that biometric data should only be retained for the purposes prescribed in law and that data should not be retained in circumstances where an accused person (who has no previous convictions) is not subsequently convicted or where there are no proceedings.

Currently, custody images are retained on the Criminal History System and on custody systems. While the deletion of records from the Criminal History System complies with the existing legal framework in relation to DNA and fingerprints, at the time of the HMICS report in 2016, there was no national custody IT system in place in Scotland and Police Scotland were retaining custody images on the different custody systems of the eight legacy police forces. Legacy systems do not have the functionality or flexibility to identify and remove custody images of people who are not convicted/not proceeded against. Therefore, images were, and are, retained by Police Scotland under general data retention policies for a minimum period of one (current year) + six years. This means that photographs of people are routinely retained by Police Scotland for a period of up to seven years, including those of individuals not convicted of any offence.

Police Scotland rolled out a new national custody solution in 2017 to manage custody episodes in a single and consistent way across Scotland. Police Scotland have indicated that the new custody software will have the technical capability to remove and dispose of the custody images of individuals who are not convicted/not proceeded against in a way that is consistent with the existing legal framework in relation to DNA and fingerprints.

We will liaise with Police Scotland to identify a technical solution to enable full implementation of this recommendation in relation to custody images held on the national custody system. Police Scotland has confirmed that all custody images of unconvicted individuals held on legacy custody systems will be deleted by 2023 under the existing data retention policy.

Ongoing: Police Scotland has committed to reviewing current DNA Database and Criminal History System biometric weeding arrangements to align retention/weeding as appropriate. The SLWG has been appointed to progress this work. Police Scotland will review policy decisions as a result of the SLWG and make any relevant recommendations for change as a result.

Since the publication of the 2016 HMICS Audit and Assurance Review of the use of the Facial Search functionality within the UK Police National Database ( PND), Police Scotland has successfully delivered a new national custody episode management system and is currently exploring a technical solution which will enable custody images to be automatically weeded from that system when the corresponding image is similarly deleted from the Criminal History System. This development, once delivered, will fully address concerns previously identified by HMICS.

Police Scotland will continue to report on progress with this work at appropriate stages.

7. Evidence should be gathered from which continuing assessment can be made about appropriate periods of retention of biometric data. Public consultation should include specific questions on retention periods.

Accept. The advisory group note that developing the robust evidence required to point to a specific timescale for retention of biometric records has proved challenging in the past. The risk of offending or reoffending can be driven by a range of factors, many specific to the individual. Therefore, it is not possible to determine a timescale for retention that will eliminate the risk of an individual offending after records have been deleted. The most effective way to achieve proportionality is to base it on an assessment of the risk an individual poses and the value that biometric retention has in the investigation of each case. However, any approach needs to be designed in such a way that is operationally deliverable for justice bodies.

There is clearly a need to better understand the benefits of using and retaining biometrics to ensure that policy and practice is proportionate and justifiable. A number of Scottish universities have expertise in this field and the advisory group report also highlights forthcoming work by the Biometric Commissioner’s Office to review cases where applications to retain DNA and fingerprints have been granted to assess subsequent investigative value and reconviction rates.

We will work with stakeholders to review and strengthen the evidence base and develop proposals for further work to build our understanding of the benefits of using and retaining biometric data.

Planned: The Scottish Biometrics Commissioner will ensure that the retention of biometric data by Police Scotland, the Scottish Police Authority and other specified bodies is necessary and proportionate, and in accordance with the law.

Once appointed, the Commissioner will play a key role in developing the evidence base to inform any future decisions on rules around the retention of biometric data .

8. There should be legislation to create an independent Scottish Biometrics Commissioner. The Commissioner should be answerable to the Scottish Parliament, and report to the Parliament. The Commissioner should keep under review the acquisition, retention, use and disposal of all biometric data by the police, SPA and other public bodies. The Commissioner should promote good practice amongst relevant public and private bodies, and monitor compliance with the Code of Practice.

Accept in principle. As highlighted above, the biometrics field is evolving rapidly and the use of biometric data and technologies for law enforcement purposes raises a range of human rights and ethical considerations. The ten year Policing Strategy published by the Scottish Police Authority and Police Scotland in 2017 sets expectations for greater use of new and emerging technologies. Governance and oversight needs to keep pace with developments to ensure that their use balances law enforcement and ethical considerations.

The policy of Scottish Ministers is that the number of new public bodies should be kept to a minimum and, as the advisory group note in their report, there is a strong presumption against setting up entirely new bodies. A rigorous assessment has to take place to evidence the need for a new public body, before consideration is given to developing formal proposals. Parliamentary Commissioners are appointed by the Scottish Parliamentary Corporate Body ( SPCB) with the approval of the Scottish Parliament. Any proposed additions to this group are discussed with the relevant Parliamentary authorities given the SPCB's oversight of these office holders.

We will progress this recommendation in the context of the Scottish Government’s policy on establishing new public bodies and subject to wider public consultation and agreement from the Scottish Parliament appoint a Commissioner with responsibility for biometrics.

Ongoing: This consultation seeks views on an independent Scottish Biometrics Commissioner. The results of this consultation will inform further development of proposals and the delivery of primary legislation focussing on biometrics in this parliamentary session.

9. An ethics advisory group should be established as part of the oversight arrangements. This group should work with the Commissioner and others to promote ethical considerations in the acquisition, retention, use and disposal of biometric technologies and biometric data.

Accept. We agree that an ethics advisory group would provide a valuable forum for considering the ethical impact on society, groups and individuals of taking, using and retaining biometric data and using biometric technologies. We agree with the biometrics advisory group that an ethics group should advise Scottish Ministers on a non-statutory basis. We will develop proposals for its remit and membership in discussion with stakeholders, drawing on the connections and relationships that have been developed through the work of the advisory group.

Planned: The Scottish Government will later this year consult the IAG on proposals to establish an Ethics Advisory group on Biometrics for Scotland which would work with the Commissioner and others to promote ethical considerations in the acquisition, retention, use and disposal of biometric technologies and biometric data.