Legal frameworks and ethical standards workstream report: Final Report

4. Procedures and evidence gathering

4.1 Policing procedures and evidence gathering present legal and ethical issues, which we explore here. In particular, we consider issues surrounding digital evidence, looking at the procedures which should be followed in order to ensure that best digital evidence is gathered and fed into the criminal justice process right through to trial.

4.2 Some commentators consider that there are gaps in the case law of Scottish and English courts in dealing with the expanded scale and scope of interference with Article 8 of the ECHR (respect for private and family life, home and correspondence). Smartphones, the devices being examined by police, are incomparable to paper documents and more basic computers. They store, transmit, communicate and identify data in large amounts, often without the users' control or informed consent. They also often contain jointly owned data or data belonging to others that can be obtained without their consent. For example, a device that identifies locations often cross-references location information with other users in order to determine directions or details about the location. This information may be collected from people who do not and/or cannot consent to its use. Such a conundrum would behave been impossible prior to the advent of smartphones; now it is routine. The information found on a device may provide profound insights into an individual's behaviour, beliefs, and emotional state. Evidence extracted from a digital device may be critical to a criminal investigation, however, not all devices require to be reviewed and they should not be seized and examined as a matter of routine.

4.3 In relation to a criminal investigation, a device should only be reviewed, and information extracted, where it represents a reasonable line of enquiry. What constitutes a reasonable line of enquiry will depend on the facts and circumstances of each case and the changing context of an ongoing investigation. What is also an issue is the technology used to extract this information including bypassing security protocols and analysing metadata. In the Fearon case in Canada, where the prosecutor refused to disclose their methodology to overcome encryption software, and made an application for public interest immunity. When considering these applications, the court must apply a balancing exercise to determine the interests of the defendant in receiving all the information relevant to their defence with the interest of the state in protecting sensitive information. The court in that instance deemed there to be a high level of public interest in allowing the prosecutor to withhold their methodology, as doing so did not preclude a fair trial taking place. This was a case in which the position of the accused was one of disowning the e-mails entirely. The prosecutor accepted that there had been a risk of corruption or destruction of the data in their exercise and there was a discrepancy in their analysis of the numbers of e-mails. Had the defence been of a different nature then there was a possibility that a fair trial would not have been possible. This would have had a considerable impact on the interests of relevant victims. There is a real danger of this sort of capability continuing to exist without scrutiny where a piecemeal approach to regulation is taken.

4.4 When a technology such as cyber kiosks is looked at through the lens of the rationale in the Marper case, it is apparent why there is widespread concern. In Marper the court remarked about the abundant unique and personal data within a DNA sample that police considered themselves entitled to retain and interrogate without limitation. The fair balance of private and public interest was not achieved by the UK policy given its indefinite nature and the lack of scrutiny applicable to the decision-making process to retain the data. The parallels with cyber kiosks are plainly evident. The finding of the High Court in the aforementioned Bridges case on facial recognition that the question of legality was simple and binary contrasts sharply with the holistic approach taken by the Court of Appeal in Marper. The court clarified that clear guidance on the use of the technology and who could be targeted were issues of legality and, in the absence of such guidance, a finding that the interference was in accordance with the law was not sound. Further the DPIA was inadequate because it assumed legality without recognising that it was required to assess the rights and freedoms of data subjects and address them accordingly. The Court also agreed that the PSED had been breached because the police did not investigate the possibility of bias on the grounds of ethnicity (race) or gender.

4.5 As mentioned earlier, Scotland is set to become a forerunner in the regulation of biometric data use by police. The SBC draft Code of Practice, once assented by the Scottish Parliament, will become the first of its kind and Scotland will become the first UK country to have detailed legislation, and a statutory Code of Practice on the acquisition, retention, use and destruction of biometric data for criminal justice and police purposes.

Summary of section

4.6 Digital evidence gathering via and from new technologies remains a challenging subject, especially as regards compliance with human rights and equalities objectives. The implementation of the biometrics code of practice in Scotland is a positive step, and this implementation and its evaluation should inform further how procedures and evidence gathering can be improved further to reflect best practice in human rights, equalities and data protection.