Legal frameworks and ethical standards workstream report: Final Report

Final Report of the Legal frameworks and ethical standards workstream of the Independent advisory group on emerging technologies in policing.

Executive summary

This report sets out the research and views collected by workstream 1 of the Independent Advisory Group (IAG) on Policing and Technology. We have considered relevant legal frameworks in Scotland, legal bases, processes and ethical considerations that Police Scotland use vis-à-vis new technologies, procedures and evidence gathering involving technology issues, lessons learned from past and current use of technologies, and international comparisons and examples which can inform our work.

Police use of technology operates within and spans many spheres of legislation. Here we have focused on the Human Rights Act 1998, Data Protection Act 2019 (in particular Part 3 of the Act which applies to authorities processing data for law enforcement purposes) and the statutory equality duties enshrined within the Equality Act 2010 which have been found to be applicable when considering the impact of technology on Scotland's diverse communities. Mechanisms to address and manage the associated concerns around legal issues and impacts of technology were found to range from legislative guidance, to toolkits produced by organisations, and a range of impact assessments. In Scotland, the Biometric Commissioner Act 2020 is a major statutory intervention into this field of legal frameworks and technological capabilities. More codes of practice, such as that for biometrics in Scotland in the course of implementation, are identified as key to resolving issues about a lack of clarity or proportionality in police technology use.

Ethics takes an important role alongside legal framework. It is challenging to operationalise – and in the domain of policing it can be particularly difficult or contentious. However, the ethics associated with emerging technology in policing can be found to be brought into practical terms through the use of impact assessments (understood to be 'live documents' able to adapt to new knowledge), and through advisory engagement or debate on proposed initiatives through the organisational practise of consultation and panels/forums. Taking more ethical approaches reflects Police Scotland's lessons learned from past experience, and may improve social acceptance of their technology-relevant practices. Force policies, guidance, and training are also able to inform officers and staff about ethical standards and the methods in which behaviour is compliant with bias mitigating efforts. Ethical considerations around emergent technology in police work can relate to ensuring and communicating the legal basis for police use of a technology, but also typically consider how technology reifies or augments power relations. Examples of this could include technology enabled mass surveillance or social sorting, expansion of use cases of technology (i.e. function creep), potential chilling effect on populations, collateral intrusion, and insufficient safeguards surrounding analytical capabilities. Police Scotland has many governance processes in place to address the ethical issues discussed in this section, in order to best serve and protect the communities of Scotland from harm. It will be crucial that independent oversight of these ethics processes and due transparency over them are guaranteed and implemented in order to ensure ethical outcomes.

Digital evidence gathering via and from new technologies remains a challenging subject, especially as regards compliance with human rights and equalities objectives. The implementation of the biometrics code of practice in Scotland is a positive step, and this implementation and its evaluation should inform further how procedures and evidence gathering can be improved further to reflect best practice in human rights, equalities and data protection.

In Scotland, the main areas in which lessons can be learned relating to the adoption of emerging technology relate to the following 6 considerations: (1) How capabilities are communicated by police (to multiple stakeholders); (2) Engagement and consultation; (3) Governance structures and oversight process; (4) Identified legal basis; (5) Effective and matured risk management processes; and (6) Horizon Scanning.

(1) How capabilities are communicated by police (to multiple stakeholders) – it is crucial that communication regarding substantial changes to the nature of police work mediated by technology is clear, publicly facing and speaks equitably to a broad range of publics.

(2) Engagement and consultation – a strong democratic engagement and/or consultation process must be enacted upon in order to gain insights from the communities that a police service works for. In Scotland, if the policing by consent model is to be adhered to, then the public should be involved in changes to the policing system which could change the fabric of society.

(3) Governance structures and oversight process – this area has seen the most amount of positive work in Scotland, whereby robust structures which allow governance processes to be followed and effective oversight to be attained are now frequent features of new change initiatives in Scotland. Learning from past mistakes has allowed for the Memorandum of Understanding to be built which addresses this area.

(4) Identified legal basis – some kind of legal basis assessment must be considered before any new technology is implicated in policing to understand the power which comes from what law which sanction the use of a technology (then for example; proportionality and necessity testing; accurate and reliable/scientific standards, EqHRIA and community impact assessments should follow). This must be clearly communicated to stakeholders and the public.

(5) Effective and matured risk management processes – the continued improvement of a risk management throughout an organisation will be crucial in scoping, mapping, identifying and addressing any risk, opportunity or issue which may become associated with the adoption of a new technology. With a risk-based approach to understanding contexts and stakeholders, there will be greater emphasis placed on considering social impacts of technology and ways to understand how communities will respond to proposals.

(6) Horizon Scanning - Elsewhere around the world, there are also lessons to be learned from similar jurisdiction. The methodology to gain insights in this regard is known as horizon scanning, and will continue to be crucial in knowledge exchange, information on best practice, and the consideration of high risk initiatives which may not be acceptable in Scottish society.

We have devised a number of specific recommendations relating to legal and ethical uses of technology by Police Scotland:

1. The continued implementation and reinforcement of a human rights-based approach to policing in Scotland

Police Scotland should continue to embrace and implement a human-rights based, ethical and proportionate model for police use of technologies, in accordance with international best practices and with community input and engagement.

These international best practices include European Convention on Human Rights and their interpretation by the European Court of Human Rights and should be adhered to by Police Scotland regardless of whether the UK decides to repeal the Human Rights Act and/or leave the European Convention on Human Rights. In such a case, action by the Scottish Government may be required e.g. to incorporate these provisions into Scots law if possible.

This approach should include Police Scotland providing more analysis and engagement of human rights and equalities with technology use; specific references to Police Scotland's duty to assess and review relevant equality impacts of policies on technologies when at a developmental stage. The enhanced human rights-based and ethical approach should take place across the following domains: Policy and strategic decision making; Operational planning and deployment; Training and guidance; Use and control; and Investigation, monitoring and scrutiny. We recommend Police Scotland formally commit to adopting this approach which would ideally be accomplished through further internalising human rights knowledge and capacity. For example Police Scotland could employ equality and human rights experts in order to assist in policy design, analysis and assessment.

2. Further consideration of impacts on new technologies on human rights and equalities needed

The impacts of new technologies specifically on human rights and equalities need to be further considered. A multi-level analysis of rights and equalities impacts should be taken into account to embed and enhance Police Scotland practice, i.e. looking at the impact at the individual, community and societal levels. There are existing requirements under data protection law (Data Protection by Design and Default, Data Protection Impact Assessment) that place an obligation on controllers to ensure that the data protection principles are adhered to and that any impact on individual rights and freedoms are identified, assessed and mitigated. There are also existing relevant obligations under equalities law and human rights legislation. In this recommendation we seek to aid compliance and raise the bar. In terms of raising the bar from a data protection point of view, specific actions could ensure that: Data Protection Impact Assessments (DPIAs) are developed alongside Equality and Human Rights Impact Assessments (EqHRIAs) and Children's Rights and Wellbeing Impact Assessments (CRWIAs), that Police Scotland refer to the ICO's Overview of Data Protection Harms when considering risks associated with processing and ensure that risks to individual's rights and freedoms are fully considered, assessed and mitigated in DPIAs. Further that these risks should continue to be identified, assessed and mitigated throughout the lifecycle of a new technology (i.e. not only at the 'developmental stage'). From an equalities and human rights perspective, Police Scotland need to assure themselves when undertaking Equality and Human Rights Impact Assessments (EqHRIAs) that any proposals are compliant with the Human Rights Act 1998 and the Equality Act 2010, and also satisfy the requirements of the Equality Act 2010 (Specific Duties) (Scotland) Regulations 2012, including the duty to assess the impact of applying new or revised policy or practice and publishing the results of these assessments in a manner that is accessible.

3. Strong democratic engagement and consultation processes should be used to gain insights from the communities that a police service works for

These communities should include engagement with the protected groups defined in Equality Act 2010. In Scotland, if policing is to be done with public acceptance and agreement, then the public should be involved in changes to the policing system which could change the fabric of society, effect social relations, or impact democratic values. Complaints processes involving police use of technology must be accessible to all members of the public including those with disabilities.

4. Legal basis for using policing powers vis-a-vis technologies must be clearly specified and shared with key stakeholders

Police Scotland need to be able to demonstrate that the application of the policing power as set out in law must be clear and foreseeable and refer to and use proportionality and necessity testing; accurate and reliable/scientific standards, EqHRIA and community impact assessments. Although Police Scotland do specify the legal basis in DPIAs, given the potential for differing interpretations, legal basis (and opinions being drawn on) should be shared with key stakeholders as a matter of course in order that they may be questioned and tested and this must be reviewed in light of further developments (such as change in use case or additional information coming to light). Police Scotland need to be able to understand and articulate to diverse stakeholders the power which comes from the specific law which sanctions the use of a technology and refer to and use proportionality and necessity testing; accurate and reliable/scientific standards, EqHRIA and community impact assessments. There should be more transparency with regards to the legal basis of police use of technologies and awareness raising with the public.

5. Further clarifications of legal basis via legislation or code of practice may be desirable

Further clarifications of legal basis for police use of technologies may be desirable, such as through legislation or a code of practice as we see for biometrics. Government should consider whether additional statutory codes of practice may be required to provide greater clarity and safeguards on the application of new technologies. Such new technologies might include AI for which a binding code for policing use may be desirable.

6. Special regard for the interests of children and vulnerable persons

When using new technologies in this context, law enforcement actors must have special regard to the interests of children and vulnerable persons and how the technologies may impact upon them. We recommend that Police Scotland conduct, embed and enhance Children's Rights and Wellbeing Impact Assessments (CRWIAs) alongside DPIAs and EqHIAs.

7. More communication with the public and other stakeholders about police technology

Communication with the public and other stakeholders is needed about police technology capabilities and substantial changes to the dynamic of police work mediated by technology. This communication must be clear, publicly facing and speak equitably to a broad range of publics. Doing this is important both in terms of understanding and mitigating potential risks and harms but also ensuring fairness. The use of new technologies should not unjustly adversely impact an individual or group of individuals (which may potentially be discriminatory under the Equality Act 2010) and the processing should be within the reasonable expectations of the public.

8. Unacceptably risky technologies

Police Scotland should consider that in some cases a technology may be too controversial and pose unacceptably high risks to use even if there may be a legal basis for using it. A current example may be live facial recognition. Not using certain technologies and applications must be an option. Police and other actors in government should seek to understand why such technologies are considered controversial and risky and draw on lessons learned. Further work needs to be done on how unacceptability of risk may be assessed. Regard could be paid to the EU's proposed AI Act framework for risk in doing this. A category of 'unacceptable risk' could be added to Police Scotland's data ethics process to add to the current low, medium and high risk categories. In addition or as an alternative, the Scottish Government and Parliament could enact legislation defining what unacceptable risk means and designating technologies or application which pose such risks, e.g. those systems whose use is intrinsically incompatible with human dignity (similar to the categorical prohibition of torture).

9. Ongoing evaluations and reflections on police use of technology

Police Scotland should continue to evaluate and reflect on its uses of technologies, recognising lessons learnt and the implementation of measures such as ethics panels, improved internal processes, engagement, transparency and external evaluations.

10. Drone awareness and impact

Police Scotland should raise awareness of its use of drones among the general public, clearly communicate to the general public how and when drones are deployed and how personal data is processed and should publish its draft Code of Practice on the use of drones and impact assessments, including the technical capacity of drone platforms to ensure privacy and data protection by design. Future Scottish Government Crime and Justice Surveys could include questions to benchmark awareness and attitudes of drones. The necessity of drone deployment rather than other means of investigation must be explained and justified by Police Scotland given the likelihood drones will capture sensitive personal data and have a high risk of collateral intrusion. Police Scotland should ensure that drone footage secured in criminal investigations from other parties, whether other public bodies, commercial organisations or others complies with the relevant legal and ethical safeguards.

11. Cross-border dialogues

Police Scotland should look across borders to access and share learning about best practice and acceptable use of new technologies. Evidence collected in trials, risk assessment and ethical studies elsewhere in the UK and further afield may be particularly helpful.

12. Lessons learned forum for police within the UK

A 'lessons learned' forum/knowledge exchange event could be established for police in Scotland, along with police in other parts of the UK, to share, showcase and discuss organisational knowledge from previous endeavours. This would mitigate continual institutional failures or mistakes relating to ethical and legal concerns, and allow best practice to be communicated in a transparent and open manner.

13. Continued enhanced risk management

Police Scotland should continue to enhance its approach to ensure effective and mature risk management processes (note link to workstream 4) to scope, map, identify and address any risk, opportunity or issue which may become associated with the adoption of a new technology, and continue to reassess and evaluate risks throughout the lifecycle of any new technology. With this risk-based approach to understanding contexts and stakeholders, there should be greater emphasis placed on considering future impacts of technology and ways to understand how communities will respond to proposals. Evaluating risks throughout the lifecycle of the technology will also allow Police Scotland to act on risks which only become evident after the technology is deployed.

14. Technology procurement and provenance

More attention should be paid to the procurement and provenance of the technologies used by Police Scotland. In order to ensure enhanced cyber- and data security, the police and public sector more widely may need to consider developing technology solutions in-house rather than outsourcing them to private companies. Police Scotland should ensure that there are robust procurement processes in place to ensure that procured technologies are compliant with existing data protection, human rights and equalities obligations. National standards or a national Code of Conduct setting out these standards may be helpful here. Any proposed technology procurement project should follow the HM Treasury Green Book's business case framework, and make public an abridged version which includes an account of ethical issues. Where the police and public sector are developing technology solutions in-house rather than outsourcing to private companies robust design guidance that facilitates a data protection by design and default approach should be in place. A system of independent quality checking of such technologies may be desirable.

15. Police data sharing

More attention should be paid to the sharing of personal data generated by technologies used by police. Further safeguards may be needed for data sharing with other agencies and retention periods. There should be a review of the rules on retention considering questions of utility, lawfulness, proportionality and necessity. Rules around data sharing for the police should be legislated. A separate regime for children's data compared to that of adults may be advisable too. More research and discussion is needed on this topic, with the possible outcomes of further guidance, legislation and/or policy from relevant bodies such as the Scottish Government, Scottish Biometrics Commissioner and the ICO.

16. Biometrics transparency

More information could be published by Police Scotland publicly about biometrics they hold, for instance how many images they hold. The minutes of the Biometrics Oversight Board should also be published.

17. Evaluation of new Biometrics Commissioner

The establishment and effectiveness of the new Biometrics Commissioner in safeguarding human rights and upholding high ethical standards should be evaluated. There is already a reporting mechanism in the Scottish Biometrics Commissioner Act (SBCA) 20202 (section 6). We reiterate the need for this reporting to be done in a way which involves wide consultation with relevant stakeholder groups and the public. We also consider that there should be a review of areas of police technology usage not currently covered by the SBCA, for the consideration of further policy, legislative and guidance reform.



Back to top