Legal frameworks and ethical standards workstream report: Final Report

3. Processes and ethical considerations

3.1 In this section we further consider the processes and ethical issues in police use of technology. We focus again on processes for establishing legal basis and other tools such as impact assessments. We look more broadly at the notion of 'ethics' in Scottish policing, including the role of ethics boards.

Policing practices, processes and legal bases: A view from Police Scotland

Police Scotland (PS) primarily uses the established frameworks of a Data Protection Impact Assessment (DPIA) and Equality and Human Rights Assessment (EQHRIA), under the Data Protection Act 2018 and the Equality Act 2010 respectively, to establish, define and document the legal basis it relies on for the use of new technology.

Police Scotland assert that for them, a DPIA is not simply a 'checklist document' to be completed by a project ahead of implementation. Rather, it is treated as a framework of questions that when fully answered will allow projects introducing new technologies (as well as a wider range of new or alternative processing) to fully consider the legal basis for that new technology as well as designing the necessary legislative and regulatory compliance into it.

The legal basis for new technology is at the heart of a DPIA, addressing the legislative requirement that processing must be both legal and fair. Police Scotland have learned that an indicative legal basis can be established early in the assessment process, generally based on a particular piece of legislation that either obliges or permits an action/task/service. According to Police Scotland, legislation and regulation are however rarely explicit in defining how an action/task/service is undertaken which allows for the evolution of service provision though new technology among other things.

Police Scotland must test an indicative legal basis, such as those defined in the Police and Fire Reform (Scotland) Act 2012, ethical, equality and public opinion considerations. These elements are necessary to make an assessment of 'fairness' and proportionality and as a consequence more work is now undertaken at a granular level to ensure that the legal basis can be both understood and explained in detail internally and externally.

For Police Scotland to come to a decision about a legal basis, this can involve a range of specialisms including but not limited to Operational SMEs, Chief Data Office (CDO), DPO, Legal Services, external consultation groups, SPA and Ethics panels before a final recommendation is made to, and decision taken by, a member of the Force Executive acting as Strategic Information Asset Owner. This is done in the formal DPIA document. As an example, the collaborative work undertaken with the Advisory Groups for Cyber Kiosks and engagement with the ICO on that technology set the base standard within PS that we now expect in relation to understanding and explaining the legal basis underpinning complex new technologies or innovative processing.

In Police Scotland assessing the legal basis for emerging technologies, it is important to separate decisions about the purpose and the manner of processing. This may appear counter-intuitive because technology may be facilitating a change, however if focus is lost on the purpose and outcome that PS is seeking and is concentrated on the proposed technology, we run the risk of becoming a technology-driven organisation, rather than one that has a policing purpose and outcome at its core.

Realistically, this can mean that the purpose of processing – the 'why/what' - may have a legal basis, however a proposed emerging technology – the 'how' - may not, or it may need development and amendment to be compliant with both primary and secondary legislation and ethically valid. The development or amendment that is required to technology may not however always be a technical one as highlighted in the earlier paper; procedural and behavioural controls can be options for consideration.

The objective legal basis for any processing (and technology) must first have a basis in operational policing/business and the legislation that underpins it. Technology should be facilitative, providing a method of delivering an outcome, but is not an end in itself. Therefore, when a proposal for new technology arises, PS must be able to determine and define the legal basis for the operational purpose and outcome sought that it wishes to apply the technology to. The learning experience from the Cyber Kiosks showed that PS needs to be able to express the fundamental legal basis for its purpose, outcome and operational activity more clearly in order to then best use technology to deliver those purposes, outcomes and operational activities.

The legislative provisions that Police Scotland relies upon as legal bases are many and lengthy and will be based on each purpose, operational activity and outcome. Many of the legislative provisions that underpin operational activities are embedded in Force Standard Operating Procedures (SOPs), Guidance and Training products but are not always bespoke or aligned to a particular technology. Whilst the Police and Fire (Reform) Scotland Act 2012 forms a backbone to many police activities, it is only one element in a much wider legislative remit of tasks either required of the Force, or which it is permitted to undertake. These are not limited to 'policing' activities, but also include the 'corporate' management of the organisation. In addition, there are a range of common law powers that officers will rely on to carry out their duties.

Body Worn Video (BWV) devices can provide prosecutors with high quality evidence to support investigations and prosecutions. Furthermore, they support investigations by Police Scotland and the Police Investigations and Review Commissioner (PIRC) in respect of investigations concerning the policing response to a particular matter. There are recognised privacy, data and policy concerns. To anticipate and mitigate against potential privacy and third-party concerns, Police Scotland completed a full Equalities and Human Rights Impact Assessment (EqHRIA), and Data Protection Impact Assessment (DPIA). Impact assessments are treated as live documents and therefore reviewed or updated annually to reflect changes in legislation, policy and technology. Police Scotland have also developed and published a detailed Code of Practice which outlines how BWV will be used by armed policing.

Legal bases and processes – Wider views

3.2 While Police Scotland have outlined the approach they take to establishing a legal basis for their technology-related activities above, others consider that there is a lack of clarity or even insufficient legislation in Scotland to facilitate and justify police use of technologies, especially ones which are currently emerging.

3.3 There has been significant controversy and disagreement among stakeholders in Scotland about whether there is an appropriate basis for Police Scotland to use cyber kiosks: Police Scotland has claimed that the legal basis exists, but others such as the Scottish Human Rights Commission were of the view that there is an insufficiently clear legal basis for this. The extraction of data from devices remains a live issue, and is the subject of a new draft code of practice from the UK Government. Although Police Scotland do specify the legal basis in DPIAs, given the potential for differing interpretations, legal basis (and opinions being drawn on) should be shared with key stakeholders as a matter of course in order that they may be questioned and tested and this must be reviewed in light of further developments (such as change in use case or additional information coming to light).

3.4 Further controversies may arise given the lack of clear and explicit legal framework and policy guidance for other technologies such as: facial recognition technologies; unmanned aerial systems/vehicles (drone); body worn cameras; data driven analysis, AI systems and the use of the personal data collected and processed by these technologies. The ICO has produced guidance on a number of these issues including live facial recognition use by law enforcement and more generally in public places, the use of video surveillance, and on AI and data protection. The June 2022 Independent Review of the governance of biometric data in England and Wales ('the Ryder Review') has recommended that a legally binding code of practice for live facial recognition use should be formulated, with a specific code for police use and another code which regulates other uses of live facial recognition. Until those are in place, the use of live facial recognition should be suspended.

3.5 Data-sharing by the police with other agencies may also give rise to concern, which may impact negatively on human rights. There is insufficient knowledge of the extent of such data sharing in Scotland, but in England there have been reports of disabled people who were allegedly photographed by English police forces at an Extinction Rebellion protest and their details passed to the Department of Work and Pensions. Human rights standards prohibit collection of personal data to intimidate participants in a protest.

3.6 The police play a key role in the task of investigating allegations of criminal behaviour. This includes a number of activities with technological implications such as carrying out searches, undertaking surveillance (e.g. collecting facial images), interrogating suspects and witnesses, and generally securing evidence (e.g. collecting DNA and fingerprints) – triggering the application of Articles 5, 6 and 8 of the ECHR, and which may result in unlawful discrimination under the EA 2010. National and international courts have found violation of human rights in the blanket retention of biometric data: DNA profiles (cellular samples and fingerprints and custody photographs) and bulk surveillance of the public.

3.7 The recent investigation by the House of Lords Justice and Home Affairs Committee into how advanced technologies are used in the justice system in England and Wales led the Committee to be, 'taken aback by the proliferation of Artificial Intelligence (AI) tools potentially being used without proper oversight, particularly by police forces.' The Committee acknowledged that AI offers a huge opportunity to better prevent crime but stressed there is also a risk it could exacerbate discrimination. In the Committee's view, 'without sufficient safeguards, supervision and caution, advanced technologies may have a chilling effect on a range of human rights, undermine the fairness of trials, weaken the rule of law, further exacerbate existing inequalities and fail to produce the promised effectiveness and efficiency gains.' In July 2022 the UK Government released a policy paper, Establishing a pro-innovation approach to regulating AI, in which it considers that any regulatory activity should be directed towards AI presenting 'real, identifiable, unacceptable levels of risk', but for now it does not consider legislation to be necessary; instead it plans to introduce a set of non-statutory cross-sectoral principles on AI.

3.8 The Scottish Government launched its own AI Strategy in March 2021, in which it set out its vision to become 'a leader in the development and use of trustworthy, ethical and inclusive AI'. There is no mention of police use of AI in the paper. The Scottish Government has also set out its vision to be an 'Ethical Digital Nation' and behave in ways which generate trust among the public in the use of data and technology. Again, policing/law enforcement are not mentioned in this strategy.

ETIAG public consultation

3.9 A Call for Evidence was issued as part of the IAG's activities. Some responses received discussed ethical and legal dimensions in which two mechanisms were offered to address complex challenges relating to ethical standards. A breadth of responses discussed the utility of both an 'Ethical and legal assessment framework' and an 'Ethics panel' to inform a nuanced and multifaceted discussion surrounding police use of emerging technologies on a case-by-case basis.

3.10 Many responses identified that introducing technology into operational domains without proper ethical and legal frameworks to engage critical assessment or external consultation, will likely result in negative outcomes for all stakeholders. These potential risks were noted to include: eroding public trust; fostering feelings of oppression and surveillance; increasing more marginal forms of discrimination and violence (including non-violent discrimination and bias motivated violence). These assessments are also understood to allow analysis into equality and human rights impacts of proposed technology. Furthermore, it was emphasised that the legislative framework in which a technology is operating must be well-defined and have exact parameters before technology is introduced. A strong ethical and legal assessment framework would likely mitigate legal, jurisdictional, and operational challenges from transpiring.

3.11 Another mechanism which was frequently noted was an 'Ethics panel'. These forums can allow subject matter experts from a range of disciplines to independently grapple with the ethical and legal issues associated with emergent policing technologies. Practitioner, professional, community and academic voices were recommended to be included on such forums. It was strongly suggested by one response that ethics panels should include people who understand the power asymmetries in the use of technologies.

3.12 Ethics panels were also assumed to be a space which did not include individuals or groups with financial interests, as this was thought to influence decision making which would inform public policy.

3.13 Both the assessment frameworks and ethics panels, it was suggested, should embrace an equality and human rights-based approach to understand impacts on individuals (including witnesses, victims, suspects, members of the public and protected characteristic groups). Outcomes of both of these assurance mechanisms should provide strong and unbiased evidence, prior to its real world implementation, that the proposed technology is non-discriminatory and will not further entrench existing inequalities and explain why it is necessary and proportionate.

Ethics advisory panels: A view from Police Scotland

In addition to the formal governance channels outlined above, Police Scotland have introduced Ethics Advisory Panels (EAPs) to provide an opportunity for staff, officers and external participants to come together and discuss ethical dilemmas within Police Scotland.

Police Scotland's operating model includes a four tier structure of panels. Ethics panels are not decision making bodies, but are instead advisory in nature and provide advice and support to the decision maker. The decision maker (or dilemma holder) remains responsible for taking the decision with due consideration of the panel's views within their rationale.

Ethics panels have a number of objectives. These include: (i) improve service delivery; (ii) support police officers and staff; (iii) support police leaders; (iv) develop and enhance visible ethics culture and (v) support organisational learning.

It should be noted that Ethics Advisory Panels will consider a whole range of ethical dilemmas, not just those posed by the adoption of new and emerging technology.

Below is a brief description of the four tier structure of panels (see Figure below for illustration):

• Regional Panels - 150 staff and officers across Police Scotland are trained to sit on Regional Panels. These panels are planned to meet every three months in the East, North and West Regions. Each panel will comprise 15-20 staff and officers and are chaired from a cadre of senior officers and staff members trained for the role. Regional Panels ordinarily consider ethical dilemmas which impact upon local and/or operational decision making with Subject experts (if required), staff associations, unions and human resources represented. Recent examples of subjects discussed at a Regional Panel include Body Worn Video and Gifts, Gratuities, Hospitality and Sponsorship.
• National Panel - 50 senior officers and staff members are trained to sit on National Panels. Membership includes those who have a national remit, representatives from staff associations, unions and human resources in addition to representatives from the Regional Panels. As the last tier of panels yet to formally sit, their timetable will align with Regional Panels sitting quarterly, chaired from a cadre of senior officers and staff members trained for the role. The National Panel is intended to consider ethical dilemmas which impact upon national, strategical and tactical decision making across most, if not all of Police Scotland. National panels will also act as a governance route for potential further discussion around dilemmas discussed at Regional Panels.
• Independent Panel - Currently 30 members are drawn from a broad spectrum of society in Scotland, with development ongoing to establish a cadre of 35-50 individuals. The Independent Panel will consider dilemmas that impact public service and confidence, providing external consideration, scrutiny and advice to the decision maker. Panels can be convened with 4 weeks' notice on a demand led basis and are chaired by an Independent Member with DCC Professionalism holding the position of co-chair. Recent examples of subjects discussed at the Independent Advisory Panel include Remote Piloted Aircraft Systems (RPAS), the Domestic Abuse Scotland Bill and Body Worn Video.
• Youth Panel - Working in partnership with the Scottish Youth Parliament (SYP) the Youth panel was established in April 2021 with a trained cadre of 15-20 MSYPs engaging the voice of Scotland's young people in police decision making. The panel is scheduled to sit 3 times a year and will consider dilemmas that impact public service and confidence. The Youth Panel sits parallel to the Independent Panel, ensuring that the diverse and representative democratically elected voice of Scotland's young people is heard. Youth panels are independently chaired by the Convener of the SYP's Justice Committee with CI Ethics and Preventions holding the role of Police Scotland Delegate on the panel. The first subject discussed at the Youth Advisory Panel was the policing of COP26 with a future dilemma around the implementation of the UNCRC Bill scheduled.

Ethics advisory panels in Police Scotland: A view from Marion Oswald

It would be useful to link this framework to the administrative/committee arrangements that are being established to 'operationalise' this framework - otherwise, there will be a risk that it will principles on paper, but without any oversight processes to ensure that the framework is implemented.

This structure is quite different to the West Midlands PCC (Terms of Reference) and Police Data ethics Committee which was established to oversee technological developments, and has specific terms of reference detailing its aims, principles against which projects will be reviewed, transparency, independence etc.

I believe this structure is generally regarded as best practice in the absence of any nationally agreed model because of its semi-independence and the commitment of the force to the model. However, there are still many issues with this sort of oversight, including the relationship with legal compliance and practical issues around budget and resourcing - A Three-Pillar Approach to Achieving Trustworthy and Accountable Use of AI and Emerging Technology in Policing in England and Wales: Lessons From the West Midlands Data Ethics Model. The big question that I would have around the current Police Scotland ethics panels is whether there have the expertise and independence to influence technological developments within the force.

Data ethics in Police Scotland - A view from Police Scotland

Governance that allows reflection and research ahead of continuous service improvement is important to the decision of what technology to implement and how to achieve it in a compliant manner that adds value to the service as a whole. For that reason, CDO works closely with the PS Strategy and Innovation team to undertake early discussions on potential technologies and identify early challenges, which can include the legal basis and provides advice on the work that would be required if there was a decision to consider certain technologies.

A new Data Ethics Framework is being introduced to ensure that any 'data-driven technology' solutions are using data responsibly, and any associated data ethics risks are identified, managed, scrutinised (internally and externally) appropriately.

The Data Ethics Framework has been developed in conjunction with the Centre for Data Ethics & Innovations (CDEI). Internal Police Scotland approval has been gained, and we are currently in early stages of the implementation plan, which includes wider socialisation initially with the Scottish Police Authority, and the Scottish Government, thereafter.

A new Digital and Data Design Authority proposal is also current in development, which will ensure that solution designs receive the appropriate level of initial direction setting and guidance from subject matter experts, and also provide a technical review process to formally assess a solution design against agreed architecture standards.

Police Scotland acknowledges that with such a new post of Data Ethics, there is more work to be undertaken to align and integrate the Ethics assessments effectively and with value into the overall decision on determining the legal basis and compliance with legislation. Data cannot be used responsibly or fairly if it is used without a legal basis and vice-versa.

The Data Ethics framework is at an early stage of its development, and from the review comments, it looks like there is some confusion over the difference between the existing Independent Ethics Advisory Panels, and the new proposed Data Ethics governance framework. The new Data Ethics proposals include an additional Independent Data Ethics Group, which follows a similar pattern established by West Midlands Police.

In simplistic terms, the existing Independent Ethics Advisory Panels address the "should we …" type of individual ethical dilemmas.

The proposed Independent Data Ethics Group will focus on the 'how do we …..' implement new data-driven technologies, typically reviewing project proposals.

So, both should be complementary to each other.

Data ethics governance framework proposal by Police Scotland: A view from Marion Oswald

Much thought has clearly gone into this document and I can see that a version of the guidance/triage process developed alongside the CDEI is included. A triage process in order to identify the most high risk applications is certainly a good idea in order to focus effort.

While data is certainly an 'asset', this phraseology may seem odd in a policing document, as it tends to reflect the corporate/commercial way of looking at data. It might be better rather to consider data as one of the fundamentals of fulfilling the policing task – i.e. without accurate data, it is not possible to make legitimate decisions and opportunities to protect the public might be missed.

The document should not only talk about bias etc, but highlight that data and outputs of data-driven technology must not be wrong or misleading, and must not lead to detrimental unintended consequences i.e. these tools must work in the policing context. This means that evaluation methods must be long-term and robust, and that outputs of data analytics should often be regarded as 'intelligence' i.e. with a level of uncertainty attached.

I see also that no decision has yet been made on the structure of any independent oversight committee, and a number of factors for consideration are laid out. While I appreciate the concerns around full transparency, I think these are rather overstated in the document. Not publishing the papers, minutes and advice of such a group is likely to have more significant reputational issues for Police Scotland than publishing minutes with appropriate redactions for any sensitive matters. In addition, the need for appropriate secretariat support for such a body should not be underestimated, and this will have some budget implications.

Summary of section

3.14 The general notion of ethics is challenging to operationalise – and in the domain of policing it can be particularly difficult or contentious. However, the ethics associated with emerging technology in policing can be found to be brought into practical terms through the use of impact assessments (understood to be 'live documents' able to adapt to new knowledge), as already implemented by Police Scotland, and through advisory engagement or debate on proposed initiatives through the organisational practise of consultation and panels/forums. Taking more ethical approaches reflects Police Scotland's lessons learned from past experience, and may improve social acceptance of their technology- relevant practices.

Force policies, guidance, and training are also able to inform officers and staff about ethical standards and the methods in which behaviour is compliant with bias mitigating efforts. Ethical considerations around emergent technology in police work can relate to ensuring and communicating the legal basis for police use of a technology, but also typically consider how technology reifies or augments power relations. Examples of this could include technology enabled mass surveillance or social sorting, expansion of use cases of technology (i.e. function creep), potential chilling effect on populations, collateral intrusion, and insufficient safeguards surrounding analytical capabilities. Police Scotland has many governance processes in place to address the ethical issues discussed in this section, in order to best serve and protect the communities of Scotland from harm. It will be crucial that independent oversight of these ethics processes and due transparency over them are guaranteed and implemented in order to ensure ethical outcomes.