Independent review – Independent advisory group on new and emerging technologies in policing: final report

Appendix C

Key considerations

Ch3 research evidence key considerations

3.1 All business cases (and hence templates) completed by policing bodies should require the inclusion of a basic assessment of the evidence base, drawing on available research (and learning from other jurisdictions) and including both benefits and dis-benefits. The level of risk (see chapter 8) should determine the level of evidence gathering required. For medium-risk projects (or projects with high value investment) an evidence review should be required. For all high-risk projects a more thorough evidence review (ideally with external input or review) should be required, or indeed in some cases the generation of further independent research may be necessary (particularly if the evidence base is lacking) to inform decision making regarding adoption. [covered in Recommendation 1]

3.2 Policing bodies should also draw together the evidence base to support consultation and public engagement work. A balanced, clear and succinct public facing summary of the existing research and other evidence (acknowledging any limitations and gaps in knowledge) should be developed (with input from independent external stakeholders, particularly for high-risk projects) in order to be shared during public engagement and consultation exercises. [R 9]

3.3 The decision about whether an evaluation of the impact of new technologies in policing is needed should be informed by the level of risk and the existing evidence base. For existing systems with a history of safe operation an evaluation would only be necessary if they undergo significant changes in their design or intended purpose. For high-risk projects an evaluation should be carried out and commenced at the earliest point possible prior to development, acquisition or adoption of a new tool, means or method of policing. Third party support (e.g. through SIPR) with commissioning research should be sought very early on and the evaluation should include baseline impact measurements. Steps should be taken to safeguard the quality and independence of the evaluation e.g. establishing a Research Advisory Group and peer reviewing of reports. [R 11]

3.4 In addition to accessing learning and research on best practice in the use of emerging technologies from other jurisdictions (including from other police forces) to inform decision making (e.g. business cases and sixth case assessment) and design processes, opportunities for knowledge exchange (where possible in open fora) should continue to be maximised by policing bodies throughout implementation and ongoing review. [learning point]

3.5 The existing knowledge base and suggestions for further research identified by Connon et al. (2023) should be reviewed by policing bodies and key stakeholders in order to prioritise areas for further research. An assessment should be undertaken of the level strategic importance, level of risk, and potential value of the research in order to guide decision making on which areas should be prioritised for funding by various partners (Scottish Government, Police Scotland, Scottish Police Authority, the Scottish Institute for Policing Research etc.). In addition, suggestions should be shared with SIPR and wider the academic community who are keen to undertake independent research and leverage external funding e.g. from research councils. [learning point]

Ch 4 Legal Frameworks key considerations

4.1The continued implementation andreinforcement of a human rights-based approach to policing in Scotland. Police Scotland should continue to embrace and implement a human-rights based, ethical and proportionate model for police use of technologies, in accordance with international best practices and with community input and engagement. These international best practices include European Convention on Human Rights and their interpretation by the European Court of Human Rights and should be adhered to by Police Scotland regardless of whether the UK decides to repeal the Human Rights Act and/or leave the European Convention on Human Rights. In such a case, action by the Scottish Government may be required e.g. to incorporate these provisions into Scots law if possible. This approach should include Police Scotland providing more analysis and engagement of human rights and equalities with technology use; and Police Scotland's duty to assess and review relevant equality impacts of policies on technologies when at a developmental stage. The enhanced human rights-based and ethical approach should take place across the following domains: Policy and strategic decision making; Operational planning and deployment; Training and guidance; Use and control; and Investigation, monitoring and scrutiny. We suggest that Police Scotland formally commit to adopting this approach which would ideally be accomplished through further internalising human rights knowledge and capacity. For example, Police Scotland could employ equality and human rights experts in order to assist in policy design, analysis and assessment. [R 2, R 5]

4.2 Further consideration of impacts of new technologies on human rights and equalities needed. The impacts of new technologies specifically on human rights and equalities need to be further considered. A multi-level analysis of rights and equalities impacts should be taken into account (e.g. through sixth ethics -case see ch8) to embed and enhance Police Scotland practice, i.e. looking at the impact at the individual, community and societal levels. There are existing requirements under data protection law (Data Protection by Design and Default, Data Protection Impact Assessment) that place an obligation on controllers to ensure that the data protection principles are adhered to and that any impact on individual rights and freedoms are identified, assessed and mitigated. There are also existing relevant obligations under equalities law and human rights legislation. In this key consideration we seek to aid compliance and raise the bar. From a data protection point of view, specific actions could ensure that: Data Protection Impact Assessments (DPIAs) are developed alongside Equality and Human Rights Impact Assessments (EqHRIAs) and Children's Rights and Wellbeing Impact Assessments (CRWIAs), that Police Scotland refer to the ICO's Overview of Data Protection Harms when considering risks associated with processing and ensure that risks to individuals' rights and freedoms are fully considered, assessed and mitigated in DPIAs. Further that these risks should continue to be identified, assessed and mitigated throughout the lifecycle of a new technology (i.e. not only at the 'developmental stage'). From an equalities and human rights perspective, Police Scotland need to assure themselves when undertaking EqHRIAs that any proposals are compliant with the Human Rights Act 1998 and the Equality Act 2010, and also satisfy the requirements of the Equality Act 2010 (Specific Duties) (Scotland) Regulations 2012, including the duty to assess the impact of applying new or revised policy or practice and publishing the results of these assessments in a manner that is accessible. [R 2]

4.3 Legal basis for using policing powers vis-à-vis technologies must be clearly specified and shared with key stakeholders. Police Scotland need to be able to demonstrate that the application of the policing power as set out in law must be clear and foreseeable and refer to and use proportionality and necessity testing; accurate and reliable/scientific standards, EqHRIA and community impact assessments. Although Police Scotland do specify the legal basis in DPIAs, given the potential for differing interpretations, legal basis (and opinions being drawn on) should be shared with key stakeholders as a matter of course in order that they may be questioned and tested and this must be reviewed in light of further developments (such as change in use case or additional information coming to light). Police Scotland need to be able to understand and articulate to diverse stakeholders the power which comes from the specific law which sanctions the use of a technology and refer to and use proportionality and necessity testing; accurate and reliable/scientific standards, EqHRIA and community impact assessments. There should be more transparency with regards to the legal basis of police use of technologies and awareness raising with the public. [R 10]

4.4. Whilst significant legislative gaps were not found, Scottish Government (and where appropriate SBC) should seek to keep the legislative landscape under review and consider whether future technological deployments would benefit from the introduction of statutory codes of practice in order to provide greater clarity and safeguards on the application of emerging technologies in policing (such as Live Facial Recognition and certain applications of AI, e.g. in predictive policing). In future if there were plans to consider the deployment of autonomous security robotic devices in policing for enforcement purposes new legislation should be introduced in advance. However, the possibility that certain applications of some technologies in policing should be categorically prohibited from use, either because they are unacceptably risky even with mitigation in place, or because they are intrinsically incompatible with human rights, should be considered in this context by Government. [R 12]

4.5 Special regard for the interests of children and vulnerable persons. When using new technologies in this context, law enforcement actors must have special regard to the interests of children and vulnerable persons and how the technologies may impact upon them. We suggest that Police Scotland conduct, embed and enhance Child Rights and Wellbeing Impact Assessments (CRWIAs) alongside DPIAs and EqHRIAs. [R 2]

4.6 The use of new technologies should not unlawfully or unjustly adversely impact an individual or group of individuals (which may potentially be discriminatory under the Equality Act 2010) and the processing should be within the reasonable expectations of the public. Positive impacts should also be considered and taken into account. The legal requirement to carry out an Equality Impact Assessment for any revised policy or practice includes the requirement (legislation.gov website link) to consider evidence relating to or received from people with protected characteristics. [R 2]

4.7 Police Scotland should seek to publish Operational Practice Codes as soon as reasonably possible prior to the implementation of technology. Police Scotland should seek to produce proactive communications on the use and effectiveness of specific technology post implementation, this should be a concerted effort to ensure as wide an audience as possible. Future Scottish Government Crime and Justice Surveys could include questions to benchmark awareness and attitudes of drones. The necessity of drone deployment rather than other means of investigation must be considered by Police Scotland given the likelihood drones will capture sensitive personal data and have a high risk of collateral intrusion. [R 11, learning point]

4.8 Attention should be paid to the personal data generated by technologies used by policing bodies. It is critical that mission creep is managed. Data must be processed for a specific, explicit and legitimate purpose and in line with the data minimisation and data limitation principle. Any onward data sharing must be in line with the ICOs Data Sharing Code of Practice and DPIAs and Data Sharing Agreements should be in place. Regular reviews should be carried out. Additional safeguards should apply where processing relates to children and vulnerable people as the risks of harm is likely to be higher. All new systems must be capable of compliance with data protection law. [R 15]

4.9 New technologies often involve complex data flows with multiple partners. It is critical that before implementation due diligence is carried out so that data flows are mapped and understood and the roles and the obligations of all partners under data protection law are understood. Particular attention needs to be paid in the context of competent authorities commissioning private vendors to process personal data to develop and train algorithmic systems. Any data sharing must be compliant with data protection law and policing bodies should be particularly careful that personal data processed for law enforcement purposes is not shared with non- law enforcement partners unless it is authorised by law. [R 15]

Ch 5 Ethical and social implications & best practice considerations

5.1 Ongoing evaluations and reflections on police use of technology: Police Scotland should continue to evaluate and reflect on its uses of technologies, recognising lessons learnt and the implementation of measures such as ethics panels, improved internal processes, engagement, transparency and external evaluations. [learning point]

5.2 The SPA and PS should continue to use, embed and continually improve the processes set out in relation to Ethics Advisory Panels (EAPs). For example, Regional and National EAPs should invite external subject matter experts. Police Scotland should publish anonymised minutes of EAPs (or at least a summary of meeting discussions and outcomes) in order to enhance transparency. A clear explanation of how the findings and advice of EAPs helped shape the solution, planned implementation or preferred option for a new technology should be required in a new section of the Full Business Case template. Police Scotland should consider how the EAPs can be involved in a system of rolling review, from proposal/pilot to implementation, in order to track progress of technology projects and to give ongoing advice. Police Scotland's EAP framework, including Terms of Reference and relationship with legal compliance should be reviewed in order to ensure the framework is being appropriately operationalised, sufficiently transparent, independent and appropriately resourced. Note an independent data ethics group is being set up. [R 9, 17]

5.3 Consideration could be taken of a number of potential policy and practice recommendations are highlighted by Connon et al. (2023: 134-139), relating to various technologies (electronic database technologies, biometric identification systems and AI technologies, surveillance systems and tracking devices) which will be of interest and may be found in full on pages 4-7 and 142-143 of the Stirling report. [learning points]

5.4 a) Policing bodies and scrutiny bodies should ensure a monitoring mechanism to record data on its equality and human rights impacts, is incorporated into the design and implementation of an emerging technology. Ethnicity data should be collected and reported transparently in order to help protect minority groups. In order to demonstrate due regard to the 3 needs general equality duty, Police Scotland should routinely gather and use equality information relevant to all protected characteristics. Policing bodies should make data on the equality impacts of trial use of technologies publicly available. [R 18]

b) Training should be given (linked to Codes of Practice and Standard Operating Procedures) to all officers involved in the use or monitoring of emerging technologies to ensure they are aware of their equality and human rights obligations in the context of its use. Force polices, guidance, and training (developed in accordance with EA2010 and PSED) may be used to inform officers and staff about ethical standards and the methods in which behaviour is compliant with bias mitigating efforts. [R 5]

Ch 6 Consultation and public engagement key considerations

[all Ch 6 considerations incorporated into recommendation 9]

6.1Policing bodies should ensure engagement and consultation considerations align effectively with both legal and governance frameworks, and consideration of ethics via an appropriate organisational model.

6.2 Policing bodies should be clear on the purpose of the engagement process from the outset – what people are going to influence, why and how.

6.3 Policing bodies should engage at an early stage in the governance process to understand views and sub-groups where a greater understanding of concerns is needed. Using focus groups and other methods can give an early overview of key areas for consideration. This is critical for complex or less understood technology (such as AI and predictive analytics) and high-risk projects.

6.4 Policing bodies should include an element of formal consultation in the approach to ensure that the views of the public and communities are both appropriately considered and embedded at an appropriate point e.g. in decision making, a pilot or prior to the roll out of all new and emerging technology. A formal consultation process has the safeguard of judicial review processes where the public and communities are able to challenge.

6.5 Policing bodies should set out to have anongoing dialogue with the public utilising participatory approaches where appropriate, as the technology is considered and during/ after implementation. This will enable concerns, risks, and suggestions for improvement to be considered and addressed at all stages of the governance process.

6.6 Policing bodies should use a clear and transparent engagement framework underpinned by engagement principles and quality assurance to ensure the process, explanation of risk and benefit and ethical and human rights considerations are clear and well-articulated. This will guide the design of engagement which can be tailored, in terms of levels of participation and methods, to meet the individual considerations of the technology and potential impacts.

6.7 Policing bodies should ensure all engagement and consultation processes are inclusive and accessible for everyone, including protected groups defined in the Equality Act 2010 and ensure representation from a variety of Scotland's communities. This should occur at as early a stage as possible.

6.8 Policing bodies should enable the colleague voice to be heard as a key element of shaping proposals. For effective service delivery, an open two-way dialogue that is safe and inclusive, and facilitates a reciprocal exchange of ideas and feedback should identify any problems or conflicts, and solutions to improve the quality of police-citizen interactions, as technology is introduced and embedded (with appropriate training, communications, Code of Practice, assurance and transparency). This can contribute to ensuring transparency and justifying proportionality.

6.9 Policing bodies should ensure engagement insights, providing a clear narrative of the views of the public and communities, are considered and scrutinised by governance bodies. This must include areas of concern and how these are being balanced, addressed and mitigated.

6.10 Policing bodies should make a public, open and transparent commitment to how the insights from the engagement process will be used to shape the consideration and implementation of new technology and also report back with details, which are made publicly available and scrutinised. As part of this, details should be included on the manner in which the use of new and emerging technology will be monitored post implementation. Clear routes should be provided for the public to provide feedback, raise concerns or suggest improvements. How these have been addressed should be visible for scrutiny bodies and reported in an open and transparent manner.

6.11 Policing bodies must communicate with the public and other stakeholders about police technology capabilities and substantial changes to the dynamic of police work mediated by technology. This communication must be clear, public facing and speak equitably to a broad range of publics. Doing this is important both in terms of understanding and mitigating potential risks and harms but also ensuring fairness.

6.12 Policing bodies should involve key stakeholders and members of the public in the formulation of police guidelines in the use of technologies (such as surveillance systems and tracking devices e.g. BWV) to involve them and provide understanding of the rules.This should reduce controversy regarding their implementation with the public and stakeholders.

Ch7 Technological Innovation and Scientific Standards considerations

7.1 Technology innovation is not just about getting the technology right, but about socio-technical change, which includes cultural change in practice, institutions, and oversight. In order to facilitate successful adoption into practice, policing bodies should prepare an implementation plan which assesses and takes into consideration stakeholder perceptions, existing systems and practices at practitioner, policy and oversight levels and a variety of other elements that may be impacted on and are likely to have to innovate at the same time. [learning point]

7.2 Technology innovation is a longer-term process, including at the implementation level. In relation to decisions about procurement, replacing systems or changes to practice, policing bodies should focus on establishing understanding and the willingness to experiment e.g. in small-scale test-runs. [R 6]

7.3 Partnerships are important for technological innovation and can strengthen the capacity for socio-technical change, encourage benefits to arise from such change and render innovation more socially acceptable. Organisations in the policing system and their partners should invest in developing stable, longer-term mutual collaboration between industry, academia and public organisations. [learning point]

7.4 Policing bodies should adopt next generation standards designed to meet the needs of the user and enable interoperabilitywithin and between forces to reduce cost, risk and complexity and conform to published specifications for storage, sharing and security and ensure a common understanding of what good looks like. For example, policing bodies should put a stronger focus on inter-agency approaches to secure data sharing, including the adoption of POLE and MAIT. More broadly policing bodies should integrate with developing standards from outside policing and should consider suggestions (Buchanan et al., 2023: 28-29). [R 7]

7.5 Policing bodies should consider establishing a national technology clearing house to ensure robust scientific standards for AI technologies. [R 7]

Ch 8 Oversight, Scrutiny and Review key considerations

8.1 The SPA and Police Scotland (PS) should continue to use and enhance the arrangements set out in the MoUto ensure any future implementation of technology has had the widest possible appropriate and early engagement and consideration and external oversight. [Recommendation 16]

8.2 SPA Board and Committees (and other bodies with decision making, oversight scrutiny and review functions) should consider enhancing the informed nature of their consideration of proposals by inviting external subject matter experts or representativesfrom professional reference or ethics panels to provide evidence or advice on the impact that a specific technology may, or is, having on society. [R 16]

8.3 The SPA (and other bodies) should continue to require assurance that external evidence and advice has been sought and considered and that engagement with partners and the public has been undertaken to inform the approach to embeddingspecific technologies in policing. [R 16]

8.4 Policing bodies should consider theroutine collection, publication and accessibility of data on police use of emerging technologies and their impacts, certainly for high-risk projects,in order to facilitate ongoing scrutiny and review. This should be made available to oversight bodies, for research purposes (certainly where there is a limited evidence base) and where possible made accessible to the public in order to provide transparency, promote public confidence, support learning and knowledge exchange and demonstrate effective oversight. More information should be published and made accessible publicly, for example Police Scotland should regularly publish data on biometrics they hold, e.g. how many Scottish images are in CHS and PND in the same way that SPA publish data on DNA and fingerprints. The minutes of relevant bodies e.g. Biometrics Oversight Board should also be published in a manner that enhances accessibility of the information. [R 18]

8.5 The SPA and PS should continue to develop a wider framework which sets out a systematic process for all ethical considerations, this should serve to guide the creation of a sixth ethics and human rights case which would be included in Initial and Full Business Cases. The framework should inform decision making through consideration of data ethics and wider consideration of equality, privacy and human rights issues. (Appendix 3 Ross et al. 2023). [R 2]

8.6 The Scottish Government should take the learning from the 'Draft Proposals for Oversight of Ethical Considerations in Policing' and consider endorsing a similar approach to enhancement of the Scottish Public Finance Manual (which incorporates the Green Book) as good practice across all public bodies [R 13]

8.7 Policing bodies should implement the Data Ethics Framework (and its key aspects) across the policing system and an effectiveness review should be undertaken 12 months after the roll-out to ascertain the benefits realised and lessons learned during implementation. [R 4]

8.8 Policing bodies and scrutiny bodies must ensure that procurement processes used for new technologies are compliant with all statutory requirements and best practice including a focus on data protection, human rights and qualities impacts. For example, the HM Treasury Green Book's business case framework will be enhanced by the inclusion of a sixth ethics and human rights case. Whilst Police Scotland work on the principle of 'Re-use, before Buy, Before Build', in house development may be preferable in some situations, in which case robust design guidance such as data protection by design should be followed and a system of independent quality checking would be desirable. [learning point]

8.9 Police Scotland should continue to enhance its approach to ensuring effective and ongoing risk management processes by scoping, mapping, identifying and mitigating any risk, opportunity or issue which may become associated with the adoption of a new technology, and continuing tore-assess and evaluate risks throughout the lifecycle of any new technology. With this risk based approach greater emphasis should be placed on considering future impacts of technology and ways to understand how communities may respond to proposals. Scrutiny bodies ensuring that policing bodies continually evaluate risks throughout the lifecycle of the technology will also allow them to ensure risks which become evident after deployment are acted on. [R 8]

8.10 Policing bodies' complaints processes regarding police use of technology must be accessible to all members of the public including those with disabilities. Where an adverse human rights impact to a person is the direct result of implementation of a new technology, those responsible for its implementation should provide an effective remedy. An effective remedy may include an apology, provisions to ensure the harm cannot recur, compensation (financial or other) for the harm, restitution or cessation of a particular activity or some other form of remedy agreed by the parties. [R 14]