Independent review – Independent advisory group on new and emerging technologies in policing: final report

The final report of the Independent advisory group on new and emerging technologies in policing.


8. Oversight, scrutiny and review

This chapter is derived from the IAG's workstream 4 report (Ross et al., 2023) and provides an overview of the existing decision making, oversight and scrutiny framework that is in place to support the assessment of the potential adoption of new technology across the policing system in Scotland. It also highlights recent steps to bring improvements and proposes further potential routes to enhancement. It follows the consideration and decision-making pathway of technology adoption from initial concept assessment, case for change development, decision making, governance approvals, project delivery and into business-as-usual adoption.

Introduction:

There is an acknowledgement that the legitimacy of policing in Scotland is connected to the principle of policing by consent, which is shaped by how legal, explainable, justifiable, and proportionate the decisions made by the Police Service of Scotland are deemed to be. This is subject to oversight, with a focus on the public interest, by the Scottish Police Authority, and a number of other bodies, including for example His Majesty's Inspectorate of Constabulary Scotland, Audit Scotland, the Information Commissioner's Office, Scottish Biometrics Commissioner and the Lord Advocate.[26]

It is acknowledged that ambiguity and uncertainty will often feature when considering the deployment of emerging technologies in policing. Therefore, assessing the available evidence, identified risks and mitigations and ensuring transparency will contribute to an informed assessment of the probable benefits and dis-benefits associated with the potential implementation of new and emerging technologies.

In justifying decisions and making them explainable, the policing system must be able to demonstrate that it has taken into account legal, ethical and human rights considerations in arriving at those decisions, taking into account the rights of the individual and the need to protect all citizens in their communities. This must be assessed (through the DPIA and EQHRIA) when considering proposals for the adoption of new technologies which aim to assist policing in its primary function of ensuring safety and wellbeing. Whilst the language of balance is often used in this context by policing bodies, IAG members discussed how certain things cannot be balanced or traded off against others, e.g. in the equalities sphere.

Ross et al. (2023) argue that an overemphasis on the 'precautionary principle', i.e. not favouring change or innovation when there is uncertain evidence and small potential for future harm, should be avoided as a basis for decisions in the face of uncertainty. Sunstein's (2005) definition, however, emphasises that a small risk of harm would be catastrophic if it occurred. Ross et al. (2023) argue that whilst decision makers should have regard to the precautionary principle, the introduction of emerging technology in policing should instead be guided by the 'proportionality principle' when considering a public interest assessment of a proposed new technology or deployment.

The 'proportionality principle' is based on what is legal, legitimate and democratic, but is also cognisant that many operational policing scenarios involve the need to carefully balance the rights of individuals and assessments of threat, risk and harm. Decision makers should have regard for the following:

1) Intended purpose and benefits (under S32 of Police and Fire Reform Scotland Act) regarding the duty to improve the safety and wellbeing of individuals and communities.

2) Lawfulness and regulatory compliance, with particular regard to intrusion into citizens' privacy and private lives (through a DPIA and EQHRIA); open and transparent debate.

3) Balance of evidence of future benefits/harm prevented and future dis-benefit or harm caused. A 'public interest' approach to protecting safety and wellbeing and preventing harm while preserving individual civil and human rights.

4) Affordability and best value.

5) Planning of mitigating actions to reduce potential harms.

Police Scotland and the Scottish Police Authority have published a memorandum of understanding that outlines the principles through which decision making (including on the introduction of emerging technologies) and engagement will be conducted. There has been a great deal of progress since 2019 to establish robust processes and mechanisms to underpin this ethos. Indeed, His Majesty's Inspectorate of Constabulary (HMICS) have stated[27] that the governance arrangements are continuing to mature and evolve.

Overview of existing governance and assurance framework:

Figure 1 (Ross et al., 2023: 6) outlines the programme and project lifecycle process, which a proposal would follow in Police Scotland (it would be similar in SPA Forensic Services) as it develops: from initial concept assessment, to case for change development, informing decision making, followed by governance approvals, and through to project delivery and transition into Business as Usual.

As Chair I note that it mentions a range of organisations which may potentially be engaged with during this process, though whilst there is no obligation to engage with many of them, some of them, e.g. various boards mentioned represent key steps in the process. It would be worthwhile to highlight which steps or organisations are required to be engaged and which are not. Based on input provided by Dr Genevieve Lennon, it is important that the SPA should, independently of Police Scotland, obtain a technological assessment of the new practice or technology. There are a range of organisations listed, some of whom must be notified and consulted at the earliest stages (e.g. for new technology with some impact of biometrics, the Scottish Biometrics Commissioner should be involved from the outset). The requirement rather than option to consult ensures independence, a key principle for accountability (Lennon and Fyfe, 2022). Further, there should be sufficient resources to enable the independent bodies to best function, e.g., discretionary funding for the SPA, HMICS, PIRC and other oversight bodies to ensure they get an independent explanation of the emerging technology, independent of Police Scotland.

Memorandum of understanding:

In 2021 Police Scotland and the SPA jointly developed a Memorandum of Understanding (MoU) which aims to ensure early visibility and oversight of any new and emerging strategy, policy or practice under consideration by Police Scotland or SPA Forensic Services that is likely to be of significant public interest. This is a step forward as previously only cases for change beyond a certain financial threshold would be presented to the SPA for consideration. It is underpinned by the overarching principles of early engagement and communication. This is in line with the statutory duty to work collaboratively with partners and in a manner that is accessible and engaged with local communities. The joint objective is to generate early and transparent public discussion and engagement on the issue and inform decision-making.

The MoU focuses on significant equalities, human rights, privacy or ethical concerns raised, or where the issue will have a significant impact on public perceptions of policing. It also seeks to ensure that the intended benefits of proposed changes are clearly laid out and technological adoption improves the ability of policing to address threat, risk and harm.

The MoU also aims to ensure people's rights are considered and there is sufficient engagement with stakeholders and the public to inform the development in question. It provides opportunities for public discussion, local engagement and formal oversight and review. An early assessment and prioritisation approach is there to ensure innovations are planned and trialled in an engaging and inclusive way which considers a wide range of views and opinions in order to inform decision making on robust and transparent impact assessments.

The MoU involves the following stages: identification and assessment (with a strong focus on key ethical, privacy or human rights considerations); and communication, engagement and delivery. There is a stated focus on testing ethical, privacy and human rights issues; an engagement and communications plan to work with key stakeholders, the public and staff; full and transparent discussion; and informed decision making. There is also mention of use of best available evidence, consideration of testing with potential evaluation prior to full implementation, and a baseline and post-implementation review process to evaluate the impact delivered and any organisational learning.

SPA excellence framework:

It is acknowledged that effective scrutiny and oversight are key elements in ensuring that the public have trust and confidence in policing. The SPA Excellence Framework is part of the SPA's overall Governance Framework and it provides a conceptual structure intended to guide the development of the Audit, Risk and Assurance Programme to deliver excellence within SPA and assurance around excellence within Scottish policing. In this context 'excellence' is said to involve ensuring organisations have a clear understanding of their stakeholders, develop ways to achieve or exceed expectations, achieve excellent results and communicate assurance effectively. The 'Four Lines of Defence' model (see diagram Ross et al., 2023: 9) is a core component of the Excellence Framework.

The assurance at the first line of defence (management) is provided by staff and management within or managing operations at divisional or functional level using business as usual activities such as good policy, performance data, risk registers, DPIAs, reports and other management information. Whilst functional teams have ownership, responsibility and accountability for controlling and mitigating risks and this level of assurance provides an indication that performance is being monitored, this level lacks independence and objectivity.

At the second line of defence (oversight function) assurance is still within-organisation, but is provided by those separate from delivery and independent of the management chain, i.e. Police Scotland's Risk, Assurance and Inspection Team, Data Protection Officers (statutory role) and the SPA's Audit Committee. This line of defence monitors and facilitates the effective implementation of the first line of defence activity.

The third line of defence (independent internal audit) involves the SPA appointing independent internal auditors to report to the SPA's Audit Committee on how well the organisation assesses and manages its risks, including a review of the first and second lines of defence.

In this context the fourth line of defence (external audit inspection and review) involves an independent assessment of the first three lines of defence and is undertaken primarily by external bodies including HMICS, Audit Scotland, the Police Investigations Review Commissioner, the Investigatory Powers Commissioner's Office (IPCO), the Information Commissioner's Office, local authorities and at a secondary level by the parliamentary Justice Committee, the Scottish Human Rights Commission and other regulatory/inspectorate bodies that oversee corporate bodies e.g. the Health and Safety Executive. See figure 2 for more information (Ross et al., 2023: 11).

Decision making, governance, oversight and scrutiny:

Although there is no specific board in Police Scotland or the SPA that considers emerging technology or ethics alone, many of the boards mentioned that have a role to play may be found in figure 3 (Ross et al., 2023: 12). As covered in Chapter 3, the potential governance route for new and emerging technology (see figure 4) involves six of the most relevant boards and relevant aspects of their role and remit are laid out on pages 13-14 (Ross et al. 2023).

Initial concept assessment:

As mentioned in Chapter 3, when a new concept or potential project arises, a Project Potential Assessment (PPA) template is completed in order to assess whether or not an idea is a Programme, Project, Business as Usual, Continuous Improvement or Small Change activity. It covers topics such as potential benefits, risks, impact on the organisation and costs/resources. The PPA is submitted to an internal Project Board, Programme Board and then Portfolio Management Group. The PMG is an internal forum where the Senior Responsible Owner, Programme Managers, Project Managers and Change Staff give approval, challenge and appraise papers and business cases. Data Protection Officers are also integral here.

Existing evidence from a range of sources (e.g. SPA/PS Joint Research and Evidence Forum, SIPR, SG Policy Advisors, College of Policing, PIRC, HMICS etc.) may be used to inform the PPA. Also, available information may be drawn together from internal engagements (e.g. Police Scotland regional and national ethics panels) or involving external agencies (e.g. advice from reference groups), partners and regulators like SBC and ICO (e.g. on impact assessments) and potentially the public (e.g. public service polling).

Case for change development and informing decision making:

Both of these stages are connected and lead to the creation of the Initial Business Case. Its purpose is to begin exploring various options of how an idea could be delivered, and to assess the ethical, human rights, data privacy and compliance with DP law, equalities and other impacts of the proposed idea. Some of the areas it focuses on include high-level benefits and risks to the organisation that the project helps manage, impact assessment, dependencies, lessons learned, cost and resources needed for the next stage. The IBC goes to the Project Board, Programme Board, Police Scotland internal quality assurance, Portfolio Management Group, Change Board and Senior Leadership Board internally, before being presented to the SPA Resources Committee. Note senior staff who attend boards will keep the Data Protection Officer (DPO) sighted.

There are clear expectations that output from internal and external engagement undertaken by Police Scotland should be incorporated into the IBC. This would include engagement with SG Police Division; assessed previous evaluations, potential test of change/pilot; Design consideration, EqHRIA and DPIAs, assessment through the Data Ethics Framework and consideration through Ethics Advisory Panels. The concept could be discussed through joint PS and SPA activity e.g. at joint evidence and research forum, legal opinion, SIPR and academia and other stakeholder engagement mentioned in the previous step. Similarly external agency, partner and public input may also include Independent Ethics Panels, Local Authority Scrutiny Convenors, Information Commissioner's Office, Human Rights Commissioner, Children and Young People's Commissioner, Scottish Police Federation and association of Police Superintendents. Input could also be gathered from frontline officers which would be important in terms of demonstrating an organisationally just approach and supporting meaningful organisational change (Aston et al., 2021b).

Governance and approvals:

This stage involves the SPA seeking assurance and evidence that the appropriate engagement has been undertaken with external agencies, public sector organisations, partners and the public as appropriate and research and an evidence base is presented to the SPA in the Full Business Case in order that they can make a decision on funding a project. The FBC should detail the engagement and advice given and what impact or substantial changes have been made to the proposed approach. Its purpose is to develop the options identified in the IBC and recommend a preferred option for the governance board to consider. The FBC is based on the UK Government project management guidance document The Green Book. This Five Case Business Model covered: the Strategic, Economic, Financial, Commercial and Management Case. The FBC should be accompanied by key assurance documents including Impact Assessments, Project Management plan, Benefits Realisation Plan and Risk Register.

The FBC goes through internal PS governance (approval at Project Board, Programme Board, Portfolio Management Group, Change Board, Senior Leadership Board). It then goes for external approval at the SPA Resource Committee, SPA Authority Board and SG if required. The SPA should ensure the appropriate impact assessments have been undertaken, the previous steps of initial concept design, case for change development and informing decision making have undertaken the appropriate engagement, input and assurance from key stakeholders, subject matter experts and the public; and appropriate consideration has been given to equalities, human rights, privacy or ethical concerns raised. When SPA officers are briefing SPA board members they seek to highlight good practice, gaps or areas of concern in the FBC, in order to enhance scrutiny and requests for additional information. Therefore, scrutiny would be strengthened by inviting subject matter experts or representatives from professional reference or advisory panels to provide evidence or advice to members on the impact that an emerging technology may have on society, in order to inform their consideration of proposals.

Project delivery:

During this phase the project is subject to Change Control Processes and has to report to the Project Board, Programme Board, Portfolio Management Group, Change Board and Senior Leadership Board if certain thresholds are reached (e.g. 10% overspend). The project may be subject to an external reference group with independent external advisors which offers guidance to Police Scotland on delivery. The project could also be subject to SG Gateway Reviews and SG Technical Assurance framework reviews, conducted by individuals independent of Police Scotland who would offer red, amber and green states on a number of categories including cost, benefit, resource, timescale or increasing risk. The project should still be engaging with external experts and regulators, the public and academia where appropriate in the design and implementation of the technology to ensure equalities, human rights, privacy or ethical concerns raised are being addressed. However, in my view as Chair, at a minimum engagement with external experts should continue during the project delivery phase, particularly for high-risk projects, or emerging technologies with a limited evidence base (and an evaluation of its implementation should be strongly considered). Novel projects that have mitigated risks at the outset should have continued monitoring and oversight.

Transition into business as usual:

A number of boards and performance reporting mechanisms could assess the impact that a project is having on service delivery. This may be done internally via PS boards (e.g. Local Policing Board, Operational Delivery Board, Senior Leadership Board). It may also be monitored through external groups and agencies including SPA (Internal Audit, Audit Risk and Assurance Committee, Policing Performance Committee, SPA Oversight Groups, SPA Board), HMICS Inspection, local scrutiny convenors, public survey and polling (by Police Scotland and or SPA) and Justice Committee.

The SPA should continue to require assurance that external evidence and advice has been sought and considered and that engagement with partners and the public has been undertaken to inform the approach to embedding specific technologies in policing and that risks and measures to mitigate risks are monitored and implemented. In my view as Chair, consideration should be given to routine collection of data (for research purposes and where possible made public to enhance transparency) on the impact (on various possible intended outcomes and unintended consequences) of the use of emerging technologies, particularly for high-risk projects, or emerging technologies with a limited evidence base (and an evaluation of its impact should be strongly considered).

Ethics panels:

In addition to the formal governance channels outlined above, Police Scotland have introduced four tiers of Ethics Advisory Panels (EAPs), which provide an opportunity for staff, officers, and external participants to discuss ethical dilemmas. The ethics panels are not decision-making bodies but provide advice and support to the decision maker (or dilemma holder), who remains responsible for taking the decisions, with due consideration of the panel's views in their rationale. For more information see chapter 5.

Additional oversight 1 - Scottish government, Parliament and HMICS:

The Scottish Police Authority is accountable (for its activities and use of resources) to Scottish Ministers, who are in turn accountable to the Scottish Parliament. The SPA must comply with any direction given by Scottish Ministers and the SPA Chief Executive is answerable to the Scottish Parliament for the exercise of their functions. The Scottish Parliament (in practice most scrutiny is through the Criminal Justice Committee) is responsible for scrutinising policy and legislative proposals of the Scottish Government. The Justice Sub-Committee on Policing was established to consider the operation of the Police and Fire Reform Scotland Act (2012), and it had a significant focus on new and emerging technology in policing (RPAS, BWV, Digital Triage devices, Facial recognition) but it was discontinued in 2021.

HMICS has powers to look into the 'state, effectiveness and efficiency of Police Scotland' and the Chief Constable must provide inspectors of constabulary with assistance and cooperation for the purpose of carrying out their function. These powers allow HMICS to investigate the effectiveness of the use of new and emerging technologies if deemed appropriate. However, it is more likely that HMICS will look at the service that the technology implementation will impact and take a view from an outcome perspective of whether the new/emergent technology has improved the delivery of policing, has delivered against the benefits from the business case and is compliant with law and ethical standards. Whilst the scrutiny plan for HMICS does not define any consideration of a technology implementation in its own right, as this is seen to be too narrow a focus, HMICS is planning a Cyber inspection within the next two years and is likely to look at issues around the delivery of new technology with an operational and best value lens.

Additional oversight 2 - For example, SBC, ICO, Police Investigations and Review Commissioner, Human Rights Commissioner, Audit Scotland, Children and Young People Commissioner:

Emerging technology is likely to engage a number of areas already overseen by independent bodies. For example, data is likely to engage the ICO (regulatory scrutiny), while data of a biometric nature will engage the Scottish Biometrics Commissioner. The role of PIRC is to provide independent oversight, investigating incidents involving the police and reviewing the way the police handle complaints from the public. Audit Scotland provide independent assurance that public money is spent properly, efficiently and effectively and they report annually on the performance, governance and finances of SPA and Police Scotland. At the UK level there is also the Investigatory Powers Commissioner's Office which provides independent oversight and authorisation of the use of investigatory powers by intelligence agencies, police forces and other public authorities. Furthermore, there is the Surveillance Camera Commissioner, Forensic Science Regulator and a range of other biometrics and forensics ethics groups and strategy boards which may be of relevance.

As analysis from Dr Genevieve Lennon outlines, oversight bodies may struggle to fully comprehend the nature or function of emerging technology. To ensure their independence it is necessary that they are appropriately resourced to meet this need, for example funded to hire a non-Police Scotland technical advisor to explain the technology, including likely benefits and costs (see Principle 2: Independence in Lennon and Fyfe, 2022). There should also be calculation of the likely impact on the independent bodies' roles, with resources adjusted as needed (e.g., a new, routine biometric practice could put substantial strain on the Biometrics Commissioner and require additional staffing).

It may be that these bodies identify costs in practice when the project is rolled out. While some may instigate their own investigations, others cannot (e.g., PIRC). Being able to launch an investigation themselves is particularly important in relation to emerging technologies that people may not be aware they are subject to (see Principle 3: compellability, Lennon and Fyfe, 2022). The power to instigate an investigation would require legislative change.

Rapid technological change can lead to the ossification of Codes of Practice (Kleinig 1996). All independent bodies, as well as the SPA and Police Scotland, should reflect on their codes of practice and comparable regulations in light of the adoption of new practices or technologies.

Finally, the 12 Principles of Accountable Policing outlined by Lennon and Fyfe (2022) provide a useful basis for enhancing oversight, scrutiny and review. These cover: Universality (covering the whole system); Independence (oversight bodies should not be dependent on the police for resources); Compellability (power to compel to provide information); Enforceability and redress (means to enforce and monitor progress); Legality (accountable to law); Constructiveness (dialogic process with feedback loop); Clarity (of oversight, expectations, expression and data); Transparency (provide accurate relevant timely information and public data on performance); Pluralism and multi-level participation (combination of democratic processes and consultative forums); 'Recognition' and 'Reason' (public deliberation); Commit to Robust Evidence and Independent Evaluation (evidence and evaluation to guide decision making and deliberations of oversight bodies); Be a Learning Organisation (modifying behaviour to reflect new knowledge and insights).

Additional oversight 3 - policing and oversight bodies in other countries:

Effective oversight requires a feed-back loop, for learning and good practice. In addition to the Scottish organisations listed above, the police and SPA should ensure shared learning with other forces and oversight bodies, including England/Wales and Northern Ireland, as well as beyond the UK, and establish a learning loop from those bodies also. This is particularly important with emerging technology where there may be limited data on its use and impacts.

As Chair I would also note that with regard to strengthening accountability, lessons can be learned from other jurisdictions and the literature, some of which were drawn out earlier (particularly in chapters 4 and 5). Furthermore, useful insights come from accountability principles that have been researched and developed for specific technologies. For example, building on Lennon and Fyfe's principles (2022), the empirically verified AP4AI Principles (Akhgar et al., 2022: 64) define requirements to be fulfilled to ensure Accountability for AI utilisation. The principles include: Legality (lawful plus where any gaps in the law exist, the protection and promotion of fundamental rights and freedoms should prevail); Enforceability and Redress (requiring independent and effective oversight and mechanisms to respond to instances of non-compliance); Universality (covering all processes, design, development and supply, use etc., in the AI lifecycle); Compellability (formal obligations from competent authorities and oversight bodies to compel those deploying or utilising AI to provide access to necessary information/systems); Pluralism (oversight to involve all relevant stakeholders engaged in and affected by AI); Explainability (information about use to be accessible and easily understood); Transparency (making available clear, accurate and meaningful information about AI processes and deployment to make informed judgements); Constructiveness (constructive dialogue with relevant stakeholders); Independence (of competent authorities performing oversight and in avoiding any conflict of interest); Conduct (principles, professional standards and expected behaviours in a role, including integrity and ethical considerations); Commitment to Robust Evidence (requiring detailed, accurate and up to date record-keeping); and Learning Organisation (willingness to apply new knowledge and insights to bring improvements).

Part 2 ensuring ethical considerations are central to decision making in Scotland's policing system:

The need for innovation and technological adoption in policing is clear but this cannot be based purely on value for money - decisions must be made with the highest possible regard for ethical standards. The decision-making process in place has been outlined above, but through the work of workstream 4 of the IAG there was a recognition that there was an opportunity to ensure that ethical considerations are at the heart of the decision making by formalising the process. The approach should make use of a range of existing tools that can be applied proportionately to provide clarity in supporting the decision-making process. It should be flexible, scalable and provide a clear audit trail in order to fulfil public accountability.

A sixth case model - the ethics and human rights case:

The Five Case Model outlined earlier in this chapter provides limited opportunity within it to assess the ethical implications of a project business case. It is therefore recommended that the present framework be enhanced to enable it to assist in determining, evaluating and balancing the ethical impacts of a business case. This would introduce a sixth case: the Ethical Case. This would consider the impact of change on a variety of aspects of ethics including human rights, the impact on individuals, society and on public confidence.

It is suggested that the use of the 'sixth case' should be proportionate, so an independent triage process could be introduced to understand whether there are ethical implications that need to be discussed and addressed, thereby focusing resources towards areas of higher risk. A proposal to triage issues relating to data ethics across the policing system is presented in the next section on the Data Ethics Framework. Therefore, the SPA and Police Scotland should continue to develop a wider framework which sets out a systematic process for all ethical considerations; this should serve to guide the creation of a sixth ethics and human rights case which would be included in the Initial and Full Business Cases. For draft proposals for Oversight of Ethical Considerations in Policing see Appendix 3 in Ross et al. (2023).

Data ethics governance framework:

Following the establishment of the IAG, Police Scotland have developed a data ethics framework (introduced in chapter 5), which sets out how policing should cover its development and deployment of data-driven technology. It proposes new checks and governance tools be embedded into existing change processes and internal and independent advice will be sought to ensure the adoption of new technologies is proportionate, ethically justifiable and aligned with Police Scotland and the SPA's commitment to policing by consent. Policing bodies should continue to implement the Data Ethics Framework across the policing system, and an effectiveness review should be undertaken 12 months after the roll out to ascertain the benefits realised and lessons learned during implementation.

The data ethics framework will provide the governance required to identify and address ethical challenges posed by novel uses of data and data-driven technology and guide its responsible use (and will provide valuable input into the DPIA). As outlined in chapter 5, the responses provided to framework questions relating to value and impact, effectiveness and accuracy, necessity and proportionality, transparency and explainability, and reliability and security should be open to internal and external scrutiny.

Although its focus is on data and data-driven technology, the methods and use of the sixth case approach can be applied to technologies that have limited or no data collection elements. Furthermore, it is proposed that the Data Ethics Framework provides a methodology and mechanism to ensure that the goals of the aforementioned Memorandum of Understanding in relation to data ethics are implemented in a consistent and repeatable way, and indeed can be used to cover a wider consideration of equality and human rights issues (see Appendix 3 in Ross et al., 2023).

The framework sets out how the policing system in Scotland should govern its use of data and data-driven technology and outlines mechanisms for internal input and how independent advice can inform decision making. The framework states that clear, robust governance arrangements should be established before investing in emerging technologies. In this case good governance is said to mean: establishing robust mechanisms for input (internal input/challenge and external advice on decision-making – including proper understanding and weighing up of risks and harms); establishing clear responsibility and accountability (identifying key decision makers and decision points along the lifecycle); putting in place repeatable processes to identify, address and test ethical considerations and ensure consistency of approach and auditability. It is anticipated that as well as enhancing governance the framework will contribute to building public confidence and bring several other positive improvements (see chapter 5).

The proposed steps involved in the ethics governance framework include (see diagram in Ross et al., 2023: 31):

1. Ethics Advisory Panels discuss whether data-driven technology should be developed, ethical challenges, mitigations (at Problem Identification Stage)

2. Data Ethics Assessment (to be completed at planning stage) – to be embedded into IBC/FBC and DPIA

3. Digital & Data Design Authority (input at design stage), Data Ethics Oversight Group (internal input and oversight through project lifecycle – should include DPO)

4. Data Ethics Triage (determine whether additional internal/external scrutiny required)

5. Internal scrutiny (for high-risk projects during delivery stage. Data ethics toolkit used to identify and mitigate risks) – new internal Data Ethics Oversight Group required.

6. Independent scrutiny (again for high-risk projects during delivery and use toolkit) – new Independent Data Ethics Scrutiny Group required.

7. Ongoing Review (post-deployment monitoring)

Triage of risk – data ethics risk assessment:

In order to ensure that the highest risk projects receive the most oversight, the Data Ethics Governance Framework contains a set of eleven common triage questions to be used when considering a new project. The questions cover several dimensions including the scale and breadth of the project, the data being used, the outcome/effects, and potential disproportionality (for more information see Appendix 2 in Ross et al., 2023). Those identified as high risk through triage go through a detailed framework process, ensuring effort is focused on them.

Best practice and benchmarking:

Police Scotland have been mindful of aligning the development of the Data Ethics Governance Framework with some of the best practice in UK policing. They have drawn on the experience and learning from West Midlands Ethics Committee, for example, by including an independent external consideration and advisory. It is recommended that the Scottish policing system continues to share experience with partner agencies nationally and internationally and share lessons learned in order to refine approaches.

In conclusion, it is suggested that Police Scotland continue to adopt their Data Ethics Framework and implement its key aspects including:

1. Data Ethics Triage for all new project submissions;

2. Internal Scrutiny – set up an internal Data Ethics Oversight Group (for high-risk projects)

3. External Scrutiny – set up an external scrutiny mechanism (Independent Data Ethics Scrutiny Group) to provide external review and advice on data-driven/technology projects.

4. Accelerate development of internal Digital & Data Design Authority

5. Alignment to change process – embed guidance in Data Ethics Governance Framework into policing system Change Governance Processes

6. Maximise transparency – proactive, clear, comprehensive and accessible communications.

7. Consideration of future extension of the MoU principles and the approach of the data ethics framework and independent ethics group into broader areas across policing policy and practice to provide expert advice and assurance on human rights and ethical issues.

Finally, commentary on the workstream 4 report provided by Dr Birgit Schippers suggests that ethical decision making (including via the proposed sixth case) with respect to the deployment of emerging technologies in policing should consider several issues. Firstly, the identification and explication of ethics principles, e.g. beneficence and non-maleficence ('do no harm'); fairness, accountability, sustainability and transparency; and data protection principles for law enforcement. Secondly, the integration of ethics principles with relevant legal frameworks, for example through a combined 'ethics and law' case, including compliance with domestic and international legal frameworks of human rights, equality and data protection. Dr Schippers' analysis also emphasised the importance of being clear about how Independent Ethics Advisory Panel members will be appointed and terms of reference agreed, the diversity of expertise and experience, what administrative and financial support there will be and how independence will be ensured. With regard to ethics triage, consideration should also be given to protocols for recording ethics deliberations and decision-making, and the development of technology specific ethics case studies.

Chapter 8 summary and conclusions:

In justifying decisions and making them explainable, policing bodies are subject to oversight, with a focus on the public interest, by the Scottish Police Authority, and a number of other bodies, including for example His Majesty's Inspectorate of Constabulary Scotland, Audit Scotland, and the Information Commissioner's Office.

There has been a great deal of progress since 2019 to establish robust processes and mechanisms to underpin decision making and Police Scotland and the SPA have published a Memorandum of Understanding that outlines the principles through which decision making and engagement will be conducted. The MoU's stated focus on testing ethical, privacy and human rights issues; an engagement and communications plan to work with key stakeholders, the public and staff; full and transparent discussion; and informed decision making is certainly a positive development. There is also welcome mention of use of best available evidence, consideration of testing prior to full implementation, evaluation, and a baseline and post-implementation review process to evaluate the impact delivered and any organisational learning. Much of this will help underpin several key principles of accountable policing.

The 'four lines of defense' is a core component of SPA's Excellence Framework and the programme and project lifecycle process which a proposal would follow (as it develops from initial concept, through approvals to delivery) was outlined in detail above, and various potential enhancements are outlined below in several key considerations. As Lennon and Fyfe (2022) emphasise, independence is a key principle for accountability, and Lennon highlights the importance of consultation as a requirement, and SPA and other scrutiny bodies having sufficient resources to obtain independent input (particularly from technical advisors on technological assessments). Furthermore, as Chair I note that accountability principles such as transparency would be enhanced by routine collection and publication of data on police use of emerging technologies and their impacts, which will facilitate evaluation and ongoing scrutiny and review.

Police Scotland's proposed new Data Ethics Framework provides a methodology and mechanism to ensure that the goals of the MoU in relation to data ethics are implemented in a consistent and repeatable way, and indeed can be used to cover a wider consideration of equality and human rights issues. This would introduce a sixth ethics and human rights case. The framework is to be welcomed in that it aims to establish clear, robust governance arrangements before investment (including external challenge and advice) and clear responsibility and accountability, and to put repeatable processes in place to address and test ethical considerations and ensure consistency and auditability. However, as Raab (2020) acknowledges, ethical frameworks can be complex, with norms and values that can be difficult to comprehend, and the real work is in their application. Therefore, it will be important to continually review and enhance the various new and developing ethics frameworks as they are embedded in policing in Scotland.

Key considerations relating to oversight, scrutiny and review are outlined briefly here (see Appendix C for more information):

8.1 The SPA and Police Scotland (PS) should continue to use and enhance the arrangements set out in the MoU to ensure future implementation of technology has the widest possible early engagement, consideration and external oversight.

8.2 SPA Board and Committees (and other bodies with decision making, oversight, scrutiny and review functions) should consider enhancing the informed nature of their consideration of proposals by inviting external subject matter experts to provide evidence or advice on the impact technology may have on society.

8.3 The SPA (and other bodies) should continue to require assurance that external evidence and advice has been sought and considered and that engagement with partners and the public has been undertaken to inform the approach to embedding specific technologies in policing.

8.4 Policing bodies should consider the routine collection, publication and accessibility of data on police use of emerging technologies and their impacts, certainly for high-risk projects, in order to facilitate ongoing scrutiny and review.

8.5 The SPA and PS should continue to develop a wider framework which sets out a systematic process for all ethical considerations; this should serve to guide the creation of a sixth ethics and human rights case which would be included in Initial and Full Business Cases.

8.6 The Scottish Government should take the learning from the 'Draft Proposals for Oversight of Ethical Considerations in Policing' and consider endorsing a similar approach to enhancement of the Scottish Public Finance Manual as good practice across all public bodies in Scotland.

8.7 Policing bodies should implement the Data Ethics Framework across the policing system and an effectiveness review should be undertaken 12 months after the roll-out to ascertain benefits realised and lessons learned.

8.8 Policing bodies and scrutiny bodies must ensure that procurement processes used for new technologies are compliant with all statutory requirements and best practice (including data protection, human rights and equalities impacts).

8.9 Scrutiny bodies should ensure PS continues to enhance its approach to ensuring effective and ongoing risk management processes and continually re-assesses and evaluates risks throughout the lifecycle of any new technology.

8.10 Policing bodies' complaints processes (re police use of technology) must be accessible to all members of the public including those with disabilities. Where an adverse human rights impact to a person is the direct result of implementation of a new technology, those responsible for its implementation should provide an effective remedy (e.g. apology, compensation, restitution or cessation).
