Legal frameworks and ethical standards workstream report: Final Report

Final Report of the Legal frameworks and ethical standards workstream of the Independent advisory group on emerging technologies in policing.


5. Lessons learned and good practices

5.1 This section looks at the lessons that can be learned from previous attempts by Police Scotland to adopt new technologies from a legal and ethical standpoint to inform future decision-making and operational use of technology.

5.2 From an organisational perspective, knowledge is typically generated before technology is deployed in the form of Business Cases, Appraisals and Impact Assessments (all of which are assumed to be written, engaged upon and reviewed prior to procurement and deployment). Throughout live change processes or trials, documentation is written and retained to contribute to a post-implementation approach to knowledge production – where the 'lessons learned' can often be found. Once a project has reached completion and becomes part of Business As Usual, many documents are often produced to review and assess the implementation of the change.

5.3 Four case studies from a Scottish perspective are considered: cyber kiosks, mobile working, body worn video, and drones. Through the corroboration of multiple pieces of documentation associated with past implementation of technologies, this section culminates in a discussion about lessons learned from an ethical and legal perspective, taking account of international and comparative developments in this area which may be useful to inform the Scottish perspective.

Cyber kiosks

5.4 In 2016, Police Scotland conducted a trial utilising a digital forensic technology product known as Digital Triage Devices, also referred to as Cyber Kiosks. Cellebrite's Cyber Kiosk technology allows frontline investigating officers to bypass security protections and passwords in order to access data held on an individual's mobile device (like a mobile phone or tablet) seized under a warrant. Cyber kiosks are able to search through SMS and internet messages, images and other forms of media, SIM contacts, and other data held on a personal device, allowing lines of enquiry to be progressed more quickly. No data is held or stored on the cyber kiosk systems – they are only able to 'triage' or visibly search through devices. Police Scotland have a process in place whereby only trained officers are able to use the devices after a 2-step approval process. It must again be emphasised that no data is retained on the kiosks; instead, they are used to scope contents to determine if any data is held which is of evidential value.

5.5 Prior to Police Scotland procuring the kiosks, a formal business case was not written. As a result, impact assessments were not carried out, stakeholder engagement or public consultation was not conducted, and assurance or oversight mechanisms had not been organised. The primary driver for change identified from the outset was the opportunity for the police to be able to quickly return devices to victims in order to encourage victim and witness engagement.

5.6 It had been previously identified that there were issues associated with long term denial of access to personal devices during investigations which consequently discouraged co-operation from witnesses and victims.

5.7 Further benefits to using the cyber kiosks were also acknowledged, ranging from:

a) reduced intrusion of individual privacy,

b) early identification of evidence,

c) fewer devices being submitted to Cybercrime Units (improved efficiency),

d) Criminal Justice partners receive a faster and improved quality of service with regard to evidential requests (increased effectiveness),

e) Furthermore, they are understood to be resource saving (since less data processing and storage is required, resulting in less transfer implications and associated costs).

5.8 These benefits can be understood and appreciated to be acting in the public interest. However, without relevant legal frameworks which have been consulted upon and ethical issues associated with the technology's introduction having been rigorously accounted for, any initiative which reshapes the dynamic of police work and police powers (such as the cyber kiosk project) may be perceived as problematic by stakeholders and the wider public.

5.9 Whilst the implementation of the Cyber Kiosk project was in a state of limbo from 2018-2020, the Scottish Parliament's Justice Sub-Committee on Policing held an inquiry in order to determine the legal basis for this technology. Open Rights Group, Privacy International, and the Scottish Human Rights Commission were among many stakeholders who believed there was a lack of a clear legal basis for the use of cyber kiosks by Police Scotland. The Scottish Human Rights Commission noted that cyber kiosks have "the potential to be highly intrusive of [the right to privacy, and therefore wanted] to see clear rules and safeguards in place to regulate the use of this technology, and to guarantee robust and independent oversight" (SHRC, 2019).

5.10 Although data retention issues can be understood to be mitigated with the above processes, when thinking about scoping and viewing the contents of an individual's mobile device, there are many ethical and legal contentions that arise. From an ethical standpoint, there is the potential for collateral intrusion to occur (defined as intrusion into private life of friends, family, and other people situated in the social network of the individual). Additionally, there is the potential for police overreach (if not targeted, searches of personal data may be viewed and invasive levels of privacy interference may occur).

5.11 In the ICO's investigation report Mobile phone data extraction by police in Scotland, Police Scotland's level of compliance was assessed in relation to the data processing principles outlined in Part 3 of the DPA 2018 which apply to the processing of personal data for law enforcement purposes. The findings of the report found some inconsistencies in relation to meeting the six principles that apply to personal data processing for law enforcement purposes, and more generally made recommendations when considering mobile phone extraction in Scotland.

5.12 The report includes a number of recommendations for Police Scotland including: the reviewing and updating of Data Protection Impact Assessments (DPIA); consultation with the ICO when any new, high risk processing of data is proposed; implementation and maintenance of the ISO/IEC 17025 certification standards; the revision of privacy information documents supplied to the public, and the revision of internal policy data management respectively.

5.13 These recommendations should also be considered as opportunities for lessons to be learned as a result of the Cyber Kiosks project – but these recommendations can also be extrapolated when thinking about any future implementation of new and emerging technology. Had the ICO been consulted or a DPIA been conducted prior to the Cyber Kiosks deployment, legal issues may have been identified and mitigated against prior to parliamentary action taking place.

5.14 Police Scotland produced an End of Project Report (EPR) for Cyber Kiosks in April 2021. The report recognised that there was not full consideration or consultation towards relevant stakeholders' concerns in relation to the use of cyber kiosks. The force note that the technology was already being used in different areas of the service (i.e. cybercrime hubs); however, Police Scotland subsequently recognise they did not anticipate or spend enough time considering public concern or perceptions regarding the new use of the technology.

5.15 Within this commendable self-recognised misjudgement, it can be observed that there is a lesson to be learned in that public consent and public concern were not identified or anticipated adequately enough. An effective risk management approach attuned to external publics and affected groups may have mapped and spotted this issue. Ultimately, public discontent with police use of technology can become an ethical risk due to communities who are alarmed or apprehensive about the potential misuse or intrusive processing of data and/or unnecessary retention (which contributes to a legal data protection implication also). Negative sentiment or perceptions may potentially lead to loss of confidence in policing and the exacerbation of misunderstandings about police policies or practices. Furthermore, the lack of a formal business case being produced meant other mitigation assurances (such as impact assessments or governance/assurance structures) and lack of engagement (or consultation) can all be considered areas where there are lessons to be learned. Going forward, any proposed technology procurement project must follow the HM Treasury Green Book's business case framework.

5.16 Reasonable consideration was not paid to the notion that there was a reshaping of police powers by virtue of the cyber kiosk technology's adoption. Previously the kind of forensic technological capability cyber kiosks enabled was only in use in Cyber Crime hubs in Scotland, with accredited digital forensic practitioners able to utilise such technology. This gave rise to critical consideration towards the legality of the cyber kiosks' use and legal basis for their deployment being questioned. Furthermore, the cyber kiosk initiative highlighted the need for police organisations to be able to communicate to the public what a technology or novel practice entails, informing the communities that a force serves with objective information detailing any new capabilities.

5.17 The Justice Sub-Committee on Policing inquiry found that Police Scotland used the cyber kiosks to "search the mobile phones of suspects, witnesses and victims of crimes […] without undertaking the required governance, scrutiny, and impact assessments" (SPJSoP, 2019: 12). From a legal perspective, Police Scotland had been treating mobile devices as they would physical property in terms of their seizure and examination procedures – however, laws relating to physical property fail to account for the unprecedented scope and granular quality of potentially intimate personal data and information which can exist on an individual's personal device.

5.18 In the Conclusion of the Scottish Parliament Justice Sub-Committee on Policing Report Police Scotland's use of remote piloted aircraft systems and body worn cameras, the following is found:

The previous inquiries undertaken by the Sub-Committee into Police Scotland's plans to introduce digital device triage systems and facial recognition technology, demonstrates the risks involved in introducing new technologies to policing. It confirmed the need for necessary assessments to be undertaken, the legal basis for the use of such technologies to be confirmed, and relevant stakeholders to be consulted prior to a decision being made.

5.19 While Cyber Kiosks are an example of such measures not being well implemented and followed, Police Scotland assert that it has learned lessons from the Cyber Kiosks scenario in how to go about implementing policing technologies in appropriate ways from a societal perspective. Various tools are used by Police Scotland to achieve this, including post implementation reviews and external evaluations.

Lessons learned & good practices: A view from Police Scotland

Post implementation reviews

Police Scotland utilise a Post Implementation Review (PIR) process. A PIR is a formal review of a project and part of Police Scotland's project assurance framework. It is used to answer the question, "did we [Police Scotland] achieve what we set out to do in business terms and if not, what should be done?" In relation to Police Scotland's roll out of Cyber Kiosks in 2021, it issued an Update paper in June 2021 which identified some of the key findings (similar to the External Debrief). The themes identified in the update paper as part of the PIR were: Governance, Teamwork, and External Consultation.

Governance

The lack of governance at the outset resulted in many key challenges and obstacles that required to be addressed before the project could progress. It is understood within Police Scotland that, had a Business Case, Equality and Human Rights Impact Assessment (EqHRIA) and a Data Protection Impact Assessment (DPIA) been completed in advance, the project would have had a greater understanding and would have been more fully equipped to address the challenges that subsequently ensued. The procurement exercise was carried out by Operational Policing; however, the required consultation did not commence until after the purchase of the Kiosks. This is now something that would be managed within the Transformation Portfolio and forms part of project governance guidelines.

Teamwork

The review team noted that working relationships between the external stakeholders and the project team were challenging to begin with. This was due to a number of misconceptions surrounding the proposed use of Kiosks. The team worked hard to build confidence and relationships, improving rapport between the internal and external focus groups over time, which did not come without its challenges.

External consultation

The review team also noted that failure to consult with a wide range of external stakeholders and reference groups from the outset led to a lengthy engagement and debate process including an investigation into the use of Kiosks by the Scottish Parliament Justice Sub Committee. During this time a wide range of concerned bodies were heard on issues relating to introduction of Kiosks and a total of five evidence sessions were held. This lack of consultation resulted in a lengthy delay in the rollout of Kiosks. These key learnings relating to police use of technology and data, and the key requirement for consultation have been captured in the Lessons Learned exercise undertaken by the project team and documented within the EPR.

There are lessons learned to be observed surrounding:

  • Legal assessment
  • DPIA
  • EqHRIA
  • Engagement with stakeholders
  • Consultation
  • The need for clear safeguards being a requirement.

Mobile working devices

5.20 Starting in summer 2019, a roll out of Mobile Devices to community and response officers was initiated as part of the Mobile Working Project (Phase 1). This project saw the deployment of 10,809 mobile devices and a suite of associated policing applications to operational officers. The Mobile Working Project is a part of the larger 'Digitally Enabled Policing Programme' (DEPP), and aimed to equip officers with a digital mobile policing device to replace the outdated paper notebook system. Increasing efficiency, it was also slated to provide remote, live access to key policing information systems.

5.21 A research team from Robert Gordon University (RGU) and Abertay University were appointed to evaluate the implementation and impact of the national roll-out, and to inform the final stages of roll-out to 10,000 police officers across Scotland. The findings of the research were largely positive. The research team were able to identify long-term potential benefits in five main areas with a number of sub-themes as highlighted below:

  • Productivity - Efficiency, Increased capacity, Proactive policing, Time management, Time saving.
  • Information - Access to information, Information accuracy, Immediacy of information, Additional information sources, Information sharing, Security of information.
  • Connectivity and Communication – Connectivity, Real time communication, Team Communication, External communication, Increased visibility.
  • Officer wellbeing and safety – Officer wellbeing, officer morale, officer safety, autonomy, Covid-19.
  • Technology and Culture change – Officers attitudes to technology, Members of public attitude to technology, Culture change, Logistics, New working practices, Collaboration, Improved relationships.

5.22 There were also a number of recommendations reached as a result of the research, to complement the realisation of the benefits identified. These recommendations can act as an indicator of areas for future learning as an example of a largely positive and frictionless attempt to implement new technology.

5.23 Recommendations

Training - Generally positive comments about practical training session, less positive about Moodle training: a blended approach was identified to be ideal in the future;

Engagement with officers in device development - Officers are interested in identifying ways to improve the device, and have been using the 'feedback function' to do so (user feedback);

Timeline for requested additional functions communicated – User suggestions for functions that would be helpful, e.g. VPD. Keeping officers informed of developments may encourage continued engagement;

Need for a strategy for maintenance and replacement of devices with financial and organisational backing. There was concern expressed about the sustainability of the devices as technology improved;

Interoperability of systems - While many interviewed highlighted the collaboration and better information sharing that the devices allowed, some commented that this needs to be increased;

All processes and governance with the new ways of working be reviewed regularly to create timely new systems - There was a realisation that the existing procedures based on the traditional notebook system might need some review and that might need to be ongoing.

5.24 In comparison to the Cyber Kiosk project, the Mobile Working project suffered relatively low levels of contention and resistance. This could be attributed to the fact that the technologies are relatively non-intrusive and do not directly interfere with the rights or impact upon citizens directly. A formal business case was written for both phases of the project, and subsequent impact assessments and engagement had been carried out. The mobile working devices' main benefits relate to their ability to expedite outmoded processes – i.e. to increase efficiency and effectiveness. As such, there were limited legal or ethical concerns in which lessons could be learned apart from the aspects of the project related to data security (covered in Police Scotland's data protection impact assessment); or the proficiencies offered to frontline officers (e.g. which saw increased communication benefits). However, both of these legal and ethical concerns associated with the mobile working technologies can be understood to contribute to positive legal and ethical impacts: e.g. owing to the strengthening of data security, increased access to information and more efficient communication which contributes to a more effective delivery of justice.

Drones (RPAS)

5.25 The use of remote pilot aircraft systems (RPAS), otherwise known as drones, by police, commercial organisations and individuals has increased hugely over the course of the last decade. NESTA reported that in 2010, there were five commercial permissions for drone operation and, by 2018, there were 4,530. Drone registration was extended in 2019 to all drones above 250g in weight or equipped with a video camera, whether operated by commercial or individual users, with around 200,000 registrations as of March 2021. Despite this huge increase, research suggests that there is some public concern around the use of drones, not just for policing but more generally.

5.26 Drones are now used by police forces across the UK, including in Scotland, and in a range of different types of activity, from surveillance to assisting in finding missing persons or road traffic incidents. The technological capability of drones raises legal and ethical issues that need to be considered in their deployment. As an emerging technology, drones are capable of viewing people from vantage points in which there might otherwise be an expectation of privacy, at distances where there may be limited appreciation that drones are in operation, with infrared or low light capability, and potentially using automatic number plate recognition or facial recognition technologies.

5.27 Drones engage some specific issues as an emerging technology and also share issues in common with other emerging technologies, such as facial recognition; though it is noted that the Police Scotland fleet does not currently have facial recognition capacity, nor is there any current intention to include this. In considering deployment of drones in a policing context, it is important to recognise the different contexts in which drones may be deployed. Legal issues, such as the right to privacy may engage to very different degrees depending on the deployment context, for instance, between supporting a search for a missing person in a rural area to surveillance at a large scale public event.

5.28 The use of drones is subject to a number of legal requirements, including compliance with human rights and data protection requirements, equality requirements, and Civil Aviation Authority regulations. The need for robust impact assessments is critical. As drones will likely capture sensitive personal data – likely to be gender and race at least – there is a requirement to demonstrate that no less intrusive means are suitable. For drones, the risk of 'collateral intrusion' may be more extensive than for other means and demonstrating this necessity will be an important element of any impact assessment process. One of the categories that constitute sensitive personal data is political belief, so deployment, for instance, at a public protest would require detailed justification.

5.29 There is detailed guidance from the ICO on the use of drones. Measures required may include the prohibition of continuous recording, restriction of recording at lower altitudes, restricted field of vision or other means. One particular challenge may be the requirement to provide notification of drone operation in an area. It may be easier to deploy signage for a drone deployment to assist with a traffic incident than for a missing persons search over a wide geographic area. Privacy by design is required, and this will include the development of specifications for police drones and their procurement. For example, any data stored locally on a drone should be encrypted, in the event that the drone should crash and be retrieved by a third party.

5.30 Though the use of drones has not seen significant challenge in courts in Scotland, because of the commonality of the legal framework across the UK, court decisions elsewhere have considered similar issues. For instance, in the aforementioned Bridges case in England and Wales, the legality of drone deployment at public events was considered, although the case was about live facial recognition use.

5.31 Internationally, the use of drones in a policing context is still at an early stage. Some jurisdictions have considered the legality of the use of drones under prior legal frameworks, testing the legality of drones on the basis of prior frameworks around police helicopter surveillance, intentional interception of oral communications, or the 'extra-human' capability of police canine deployments. A number of states in the US have prohibited the use of drones for police or other surveillance on constitutional grounds, including Florida and Texas, though in the latter a judgment upheld the legality of drone surveillance by investigative journalists as a protection of the First Amendment right to freedom of speech.

Body worn video

5.32 The Lady Elish Angiolini Independent Review into complaints handling, investigation and misconduct issues, published on 11 November 2020, recommended that Police Scotland should accelerate its plans to expand the use of body worn video (BWV) technology. Furthermore, in January 2021, Chief Constable Iain Livingstone stated that there was a "pressing, critical, ethical and operational imperative" to ensure armed officers were equipped with the devices in time for COP26 in November 2021. Armed policing is an area of high risk and understandably high public scrutiny, therefore the business case outlining the requirement to invest in BWV technology was presented to the Board of the Scottish Police Authority during the June 2021 Authority meeting.

5.33 BWV is understood to provide several benefits for armed police officers given the specialist and potentially life-critical nature of their work. BWV increases the transparency of policing as any footage recorded can be subsequently reviewed, scrutinised and submitted as evidence, making officers as well as offenders, more accountable. A major advantage of BWV is the provision of increased evidential quality. Traditionally, a police officer will make a written record of an incident (including language and gestures that were used) as soon as possible after the incident occurs. When BWV is used, the incident is recorded in real time, limited by the field of view and audio range of the device. This evidence is deemed to be more accurate and detailed than was previously possible.

5.34 BWV footage has similarly been used to resolve complaints made against police officers by members of the public. This reduces investigative time and provides an accurate record of the situation. There is also evidence to suggest that the conduct and behaviour of both the public and officers is improved when BWV is in use. When all parties are aware that they are being surveilled, evidence suggests anti-social behaviour is reduced and the subjects involved internalise an external value system – signalling that they may consider the perception of their actions and conduct more closely.

5.35 Whilst there are many potential benefits which could provide positive ethical impacts, there are also associated risks with police use of BWV if the technology is not subject to sufficient governance, oversight, or ethical consideration. For example, the non-profit international digital rights group Electronic Frontier Foundation outlines potential threats such as:

  • The capturing of audio and visual data/footage of victims of domestic violence or sexual assault; of children or people suffering trauma-related distress;
  • The requirement to safeguard vulnerable individuals from being recorded without their informed consent;
  • The potential systematic surveillance of people engaging in the right to freedom of assembly or freedom of association - with subsequent chilling effect on those communities;
  • Issues associated with editing or deletion of footage; or with officer discretion deciding when and what to record.

5.36 BWV has been used to a limited extent by Police Scotland, primarily in the North East of the country, since June 2010. This began with a pilot for the use of BWV in a designated area within legacy Grampian Police. The pilot showed that BWV offered significant organisational benefits ranging from evidence gathering, enhanced prosecution evidence, and for use in the event of a complaint against the police. This resulted in greater uptake of BWV device use across the region.

5.37 Police Scotland rolled out BWV to armed police officers prior to the COP26 conference in Glasgow in November 2021. Armed policing is a particularly high risk area of policing; scrutiny and the roll out of BWV is thought to help improve transparency and accountability.

5.38 From a legal perspective, BWV devices have the potential to provide the Crown Office and Procurator Fiscal Service with high quality evidence to support investigations and prosecutions. Furthermore, they support investigations by Police Scotland and the Police Investigations and Review Commissioner (PIRC) in respect of investigations concerning the policing response to a particular matter.

5.39 There are recognised privacy, data and policy concerns. To anticipate and mitigate against potential privacy and third-party concerns, Police Scotland completed a full Equalities and Human Rights Impact Assessment (EqHRIA), and Data Protection Impact Assessment (DPIA). These impact assessments are treated as live documents and therefore reviewed or updated annually to reflect changes in legislation, policy and technology. Police Scotland have also developed and published a detailed Code of Practice which outlines how BWV will be used by armed policing.

5.40 Furthermore, on 3 February 2021 Police Scotland launched a survey engaging with the public to obtain their views on the Use of BWV. The purpose of the 3 week survey was to help inform the deployment of BWV for armed response officers across Scotland, capturing the views of 8,835 respondents. Overall, Police Scotland report that there is widespread support for the use of BWV (90% of respondents felt that Body Worn Video should be worn "often" or "always"); with BWV having the potential to increase trust and confidence in Police Scotland (78% of respondents reported that BWV would increase their trust in Police Scotland, and 72% of respondents reported that BWV would make them feel "much safer").

Body worn cameras pilot – A view from Police Scotland

In June 2010 legacy Grampian Police, now North East (NE) Division, Police Scotland carried out a pilot programme using body worn video cameras. The following information is drawn from the trial of the BWV technology. The evaluation work was overseen by a Project Board, made up of senior staff from legacy Strathclyde Police, Grampian Police and the Crown Office and Procurator Fiscal Service. A Project Team, including operational staff from each of these organisations and from Renfrewshire Council, led in the evidence gathering to support the evaluation.

A Data Protection Impact Assessment (DPIA) was completed and approved for the use of BWV within NE Division. It acknowledged that BWV would capture personal data in visual and audio formats and identified how that data would be stored and managed. The BWV devices and back office systems have end-to-end encryption and footage is automatically deleted from the devices upon docking and being successfully uploaded to the main server. Recorded footage is the responsibility of all trained users as designated through Role Based Access Control (RBAC). Footage that is not required for evidential purposes is automatically deleted after a specified period of time, currently set at 31 days. Evidential footage is marked by the officer for retention and then stored on a secure server. The retention of this footage is then subject to the Police Scotland data retention policy.

NE Division completed an Equality and Human Rights Impact assessment (EqHRIA) and included reference in the Guidance Document that officers should be cognisant at all times of the impact that the use of BWV could have on an individual's Human Rights.

As part of the North-East evaluation, a number of lessons are identified from a public interest perspective. This research noted:

Lessons learned

  • Vulnerable individuals may already have negative experiences of the Police or other public services. How can we ensure that BWV builds the trust of these individuals?
  • How do we communicate how BWV will be used and reduce the public's concerns about privacy and GDPR?
  • How should BWV be used in sensitive situations or with vulnerable individuals, if at all?
  • How do we balance an individual's right to privacy and permission with officer and public safety?

In terms of the lessons learned from the trial implementation of BWV technology, most of the ethical and legal considerations arise from concerns associated with citizens' rights and communication endeavours to promote trust. Scrutiny of proposed procedures and engagement with relevant stakeholders would attribute itself to consolidating many of the identified ethical and legal issues. Transparently publishing documentation including Standard Operating Procedure (SOP), Code of Practice (CoP), Data Protection Impact Assessment (DPIA) and Equality and Human Rights Impact Assessment (EqHRIA) would probably be beneficial. Furthermore, this would generate democratic discussion and engagement in order to ascertain social acceptability of proposed future implementations of new technologies.

Insights from other jurisdictions

5.41 The Call for Evidence responses generally compared Scotland to England and Wales in terms of policing, technology and legal frameworks. There were examples of highly localised initiatives within justice from areas of the United States and Canada. The Fractals submission contained a number of links to literature relating to global practices. Ethics review panels were highlighted as a feature of NZ and England and Wales frameworks. The UK processes for data sharing are of particular importance as they incorporate and interact with Scottish databases in a number of areas albeit within different ethical and legal frameworks.

Canada

5.42 Equivalence has been drawn in this context between Art 8 ECHR and, in Canadian domestic law, section 8 of the Charter of Rights and Freedoms, which provides that everyone has the right to be secure against unreasonable search and seizure.

5.43 The Canadian Supreme Court has developed a growing body of jurisprudence distinguishing between traditional searches of physical spaces and searches of devices and cyber space. The case of R v Vu was cited in the legal advice to Police Scotland on the legal basis for Cyber kiosks including the following paragraph (R v Vu 2013 SCC 32 at 45):

'These numerous and striking differences between computers and traditional "receptacles" call for distinctive treatment under s. 8 of the Charter. The animating assumption of the traditional rule — that if the search of a place is justified, so is the search of receptacles found within it — simply cannot apply with respect to computer searches…'

5.44 The superior case of Fearon determined that a search of a mobile phone was not "inevitably a breach of privacy". Fearon is a useful discussion point as it was decided on a 4-3 majority with a strong dissenting opinion provided. Both opinions agreed on the basis set out in Vu that searches of digital devices were distinguished from searches on premises and engaged a potential for far greater intrusion. Both agreed that the potential value for law enforcement of a search of a digital device was very useful. Where Judge Cromwell led was in determining that privacy safeguards could be arrived at that would preserve the human rights of the target of the search.

"In his view, three such modifications would do this:

The scope of the search must be tailored for the purpose for which it may be lawfully conducted. That is, the "nature and extent" of the search must be truly incidental to the particular arrest for the particular offence. In practice, this will mean that, generally, only recently sent or drafted emails, texts, and photos, and the call log may be searched. However, this is not a hard and fast rule – the test is whether the nature and extent of the search are tailored to the search's purpose.

The discovery of evidence purpose for a search incidental to arrest must be treated restrictively. That is, a warrantless search can only be performed for the discovery of evidence when the "investigation will be stymied or significantly hampered" if the cell phone cannot be promptly searched.

Officers must make detailed notes of what they have examined on the phone. Justice Cromwell frames this as a "constitutional imperative," and writes that record keeping will facilitate after-the-fact judicial review and have the officers focus on the question of whether their conduct falls within their common law powers."

5.45 There are compelling parallels here. The decision to search a digital device here is to some degree subjective. Officers would require precise and detailed legal training in order to balance the necessity of performing a search against the rights of the individual in a proportionate manner. Following the logic of Bridges, the legality does not simply arise out of the fact of being an officer making an arrest. The officer deciding to search must be capable of comprehensively appreciating the human rights being engaged at the time. This includes an appreciation of the criteria of the person being targeted by the search. Any issues affecting accessibility of the law in this instance may reduce the legal certainty that is required under the rule of law.

5.46 There is some controversy about the clarity and ambiguity, or lack thereof, in the legal opinion obtained by Police Scotland which discussed these Canadian cases. Its author cited these Canadian cases, explaining the complexity of the decisions to be made, but the opinion contained limited analysis of Article 8. The author points out that the common law authority on this in Scotland is dated, possibly only because it has not been challenged by an appropriate case that might revise it in a modern context. It should be borne in mind that Fearon is a 2014 Canadian case and the advance of technology has greatly increased the capabilities of both digital devices and those who would intrude upon them since then. The author made several recommendations and identified legislation and a code of practice as best practice. Asserting that the opinion was clear and unambiguous was to obscure the context of the advice and interpret it in as narrow a way as possible. It is concerning that Police Scotland considered the issue to be satisfactorily resolved without attending to these recommendations.

5.47 Considerable discussion in Canada has also taken place regarding emerging technologies and policing, revolving around the use of algorithmic policing and its engagement with Section 9 of the Canadian Charter, the right not to be arbitrarily detained or imprisoned. This has been tested in the courts, which found that where police detain persons based on aggregated data analysed by artificial intelligence, Section 9 is breached as suspicion based on this sort of evidence is not held to be reasonable.

5.48 The Canadian jurisprudence has acknowledged that the profiling of suspects on the basis of their ethnicity is unlawful. In modern terms this extends to any sort of technology that relies on a data set as there is always potential within the data set to reflect bias(es).

5.49 While Canada has had some of these issues litigated, it is clear that there does not yet exist a comprehensive framework covering all aspects of emerging technologies.

New Zealand

5.50 The Privacy Commissioner of New Zealand (a role similar to the UK's Information Commissioner) considers their legal framework to be adequate to address the field of biometric deployments. The principal legal instrument here is the Privacy Act 2020 which recognises the potential harms to individuals caused by breaches of privacy. They consider use of technologies such as facial recognition to fall into this context, although on the limited basis of technology for identification purposes. This can be contrasted with EU GDPR which offers protections for a variety of data use categories. NZ Authorities are considering whether the statute can be supplemented by a code of practice to give this type of effect. The Privacy Act applies to both public and private bodies, an insightful intervention given the interdependent nature of technological advance.

5.51 A feature of NZ immigration legislation is a limit on the use of artificial intelligence in decision-making and a requirement to prescribe personal responsibility to such decisions. Although limited to Immigration, the jurisprudence developed therewith may be persuasively applied across the board. As it happens, the Immigration legislation is the statutory basis for privacy impact assessments recognising the vulnerability of individuals and immigrants.

5.52 Many NZ Government agencies have voluntarily subscribed to an Algorithm Charter for Aotearoa New Zealand that provides a legal framework for artificial intelligence related products and services. This shows that even where the law is reticent, NZ agencies actively seek consensus and a framework that provides accountability and transparency. The Privacy Commissioner also has the ability to establish legally binding codes of practice in a manner similar to that of the new Scottish Biometrics Commissioner. There is more of a centralisation of regulatory powers in this area in New Zealand, with the Privacy Commissioner having two other statutory mechanisms under their supervision in relation to electronic identification, namely the Electronic Identity Verification Act 2012 and the Identity Information Confirmation Act 2012.

International

5.53 There are well established international norms and international law in play when it comes to law enforcement. A respect for fundamental human rights derived from the ratification of UN treaties incorporates, at an advisory level, the work of the UN Committees and the text and commentary on United Nations Treaties. In relation to the police approach to modern technology we can adapt the approach of distilling key principles from international law sources such as Article 17 ICCPR. This declares a right to privacy and freedom from arbitrary, unnecessary, disproportionate intrusion. Police searches should not be more intrusive than absolutely necessary to achieve their purpose and should not be disproportionate in scope, with certain types of intrusion such as phone tapping reserved for the most serious crimes.

5.54 Another sphere of relevant international law and standards is the Council of Europe and its delegate bodies such as the Committee for the Prevention of Torture. These bodies have established detailed legal frameworks, some of which are binding at law, for policing and in particular the use of modern technology by policing agencies. Finally, international non-governmental organisations (NGOs) such as Amnesty International and the International Committee of the Red Cross (ICRC) have published guidance on policing based on their professional functions and research.

5.55 An examination of the international sphere tells us that Scotland is not unique in finding this area challenging. The problems and discussions have drawn the attention and efforts of an assortment of international bodies, for example the Council of Europe Convention for the Protection of Individuals related to Personal Data, paraphrased in the Biometrics IAG report:

'the introduction and use of new technologies should take full account of, and not contravene, fundamental principles as the inherent dignity of the individual and the respect for the human body, the rights of the defence and the principle of proportionality in carrying out of criminal justice'.

5.56 The UN High Commissioner for Human Rights has noted that digital technologies 'threaten to create an intrusive digital environment in which both States and business enterprises are able to conduct surveillance, analyse, predict and even manipulate people's behaviour to an unprecedented degree', and thus put the right to privacy at serious risk.

5.57 Other international standards that should be given due consideration are the jurisprudence and general comments of human rights bodies of which the UK is a member. UN independent experts have also developed relevant guiding principles concerning the use of personal and non-personal information. The UN Guiding Principles on Business and Human Rights should also be considered. There is a legitimate expectation that private actors (e.g. those developing and innovating new technologies, which then may be used by police) should comply with all applicable laws and respect human rights.

5.58 The UN Secretary General has underscored, '[w]e have a collective responsibility to give direction to these technologies so that we maximize benefits and curtail unintended consequences and malicious use'.

Facial recognition internationally

5.59 Facial recognition use by police has attracted significant controversy internationally, with discussions of prohibitions of at least some police uses of it. As mentioned earlier, Scotland has at present adopted a moratorium on police use of live facial recognition technology.

5.60 Feeding into Scotland's decision were the US states and municipalities which have implemented severe restrictions on facial recognition technology, recognising the strong evidence of discrimination associated with its use. Countries such as Morocco have followed suit. Perhaps more interesting, though, is that in June 2020, Amazon, IBM and Microsoft all stated that they would not sell any facial recognition technology to US police forces, amid increasing concerns about racial injustice in the US and the racial bias that has been found in facial recognition software. While this distancing represents a small proportion of the market in this type of technology, it shows that private actors cannot reflect societal concerns without a stringent legal framework being in place.

5.61 It is notable that the European Parliament has supported the European Commission's call for a five year ban on police use of facial recognition and predictive policing algorithms. This is part of an international campaign of concern over the levels of surveillance by states and private actors which the United Nations considers to be incompatible with fundamental human rights. Where individuals have gathered to protest for example, the use of facial recognition can serve to intimidate and deter people from protesting.

5.62 In strong contrast, England and Wales have deployed facial recognition and other technologically based policing methods for a number of years, some in partnership with private organisations. There is no specific legal framework for this type of policing, with what little regulation exists being saved for fingerprints and DNA evidence. The Bridges case highlighted the need for a legal framework in England and Wales for this type of policing beyond police common law powers, which were found to be inadequate.

AI and the European Union

5.63 While the UK, and therefore Scotland, is no longer an EU Member State or subject to EU law, developments in the EU are of interest from both a comparative and trading perspective. One such development is that of the proposed AI Act, currently making its way through the legislative process in Brussels. The proposed Act, even more so than the GDPR on whose model it is built, is a domain-neutral proposal that cuts across sectors and the private-public divide. While there are a number of exceptions, for instance uses by the military, it applies, unlike the GDPR, also to police and other law enforcement actors in the EU.

5.64 The Act lays down harmonised rules for the development, placement on the market and use of AI systems, though with a marked emphasis on the development and placement side at the expense of down-stream use.

5.65 The Act uses a risk-based approach that creates four categories of "risky" systems (and their deployment), with a scale of legal constraints from the most severe (always prohibited) to the most permissive (mere encouragement of codes of practice).

5.66 In particular, it distinguishes between systems that pose:

  a) an unacceptable risk and are therefore generally prohibited – though law enforcement enjoys a number of exceptions;
  b) high risk systems that are permitted but more heavily regulated;
  c) limited risks systems to which some regulation applies; and
  d) minimal risks systems that are not regulated, though the development of and adherence to codes of practice and similar frameworks is encouraged.

5.67 Uses of AI by the police potentially cut across all four categories, though it is explicitly referred to under the rules pertaining to a) and b). Given the wide definition of "AI" which includes statistical analysis software, some software used routinely by law enforcement agencies for some time, and without raising particular concerns (or at least not concerns framed in the language of trustworthy AI) could fall under the high-risk category, as no explicit grandfathering provision is in the Act. This may include tools such as automated number plate recognition or forensic DNA matching.

5.68 The EU's AI Act may have relevant implications even for a post-Brexit UK and Scotland. There are three types of implications:

  • direct legal issues resulting from the extraterritorial scope of the Act;
  • pragmatic, de facto regulatory pressure for UK businesses and law enforcement as a result of the Act; and
  • the question whether the Act provides a good blueprint for Scotland to follow, even if this is not a requirement.

a) Legal implications

5.69 Just like EU data protection law, the Act has (at least some) extraterritorial reach. It provides safeguards for residents within the EU also against the use of their data by providers of AI services located abroad, which would include organisations in Scotland.

5.70 The obligations under the AI Act are independent of any adequacy findings for EU data protection law purposes. This means that at least in principle, even when data of EU citizens has been transferred lawfully for processing to a third country outside the EU under an adequacy finding of the receiving country's data protection laws under EU data protection law, processing of that data may still fall foul of the additional requirements that the AI Act creates when this processing involves automated analysis and decision making using an AI as defined by the AI Act.

5.71 This has implications for UK businesses providing AI services that also involve residents of the EU, but it could potentially also affect cross-border police cooperation and data sharing.

b) Pragmatic implications

5.72 It is clear that the EU's aspirations are that just like the GDPR in 2018, the EU AI Act will become a global standard. While it can be doubted whether the two Acts are really sufficiently similar to have similar effects in this regard, the EU proposal is already having some international impact. In late September, Brazil's Congress for instance passed a bill that creates a legal framework for artificial intelligence that closely matches the AI Act. At the same time, the US is also stepping up its efforts to regulate development and use of AI systems.

5.73 UK based developers of AI systems and providers of AI-supported services will have to be mindful of these developments and will often have to work towards compliance with these standards. Care has therefore to be taken that any UK or Scottish initiative in the same space does not needlessly multiply compliance burdens.

c) The AI Act as regulatory blueprint within the UK including Scotland?

5.74 Some of the substantial issues of the Act for the regulation of AI by law enforcement were already discussed above. Here two key structural features of the Act are noted.

5.75 The Act's ultimate aim is to minimise trade barriers for AI products and services within the EU Single Market. This means that it preempts, possibly on a significant scale, the ability of Member States to regulate in response to local conditions, and in particular to impose more demanding rules. If a similar Act were to be adopted by the UK legislature, then similar issues for the ability of the Scottish Government to regulate AI in policing might arise.

5.76 This is related to the broad subject matter of the Act. The Act is conceived as domain independent, and in particular includes policing, unlike the GDPR. However, this aspiration is not really fulfilled, as law enforcement is subject to so many special rules (some more permissive than those for the private sector, some more demanding). The advantage is that this mitigates the problem of demarcation issues between the risk categories. All use of AI by the police, be it in their "investigative" capacity or in their role as employer, is covered. Still, within the context of devolution this creates additional issues and questions – presumably a Scottish AI Act can only regulate those uses of AI that are in turn devolved matters, further diminishing the advantages of a "single" Act. For this reason alone, more domain specific approaches that trace devolved powers seem preferable.

5.77 In any event, as mentioned earlier, the current UK-wide approach to AI regulation is to issue a set of non-statutory cross-sectoral principles on AI. This approach may change, as the UK Government is currently soliciting feedback on its proposals, which may alter what happens. It would be advisable for a binding code of practice to be adopted for AI uses by police in Scotland, given the concerns which have arisen with previous technologies used by police in the absence of such a code.

Summary of section

5.78 In Scotland, the main areas in which lessons can be learned relating to the adoption of emerging technology relate to the following 6 considerations: (1) How capabilities are communicated by police (to multiple stakeholders); (2) Engagement and consultation; (3) Governance structures and oversight process; (4) Identified legal basis; (5) Effective and matured risk management processes; and (6) Horizon Scanning.

5.79 How capabilities are communicated by police (to multiple stakeholders) – it is crucial that communication regarding substantial changes to the nature of police work mediated by technology is clear, publicly facing and speaks equitably to a broad range of publics.

5.80 Engagement and consultation – a strong democratic engagement and/or consultation process must be enacted in order to gain insights from the communities that a police service works for. In Scotland, if the policing by consent model is to be adhered to, then the public should be involved in changes to the policing system which could change the fabric of society.

5.81 Governance structures and oversight process – this area has seen the most positive work in Scotland, whereby robust structures which allow governance processes to be followed and effective oversight to be attained are now frequent features of new change initiatives in Scotland. Learning from past mistakes has allowed for the Memorandum of Understanding to be built which addresses this area.

5.82 Identified legal basis – some kind of legal basis assessment must be considered before any new technology is implicated in policing, to understand which power, coming from which law, sanctions the use of the technology (then, for example, proportionality and necessity testing, accurate and reliable/scientific standards, EqHRIA and community impact assessments should follow). This must be clearly communicated to stakeholders and the public.

5.83 Effective and matured risk management processes – the continued improvement of risk management throughout an organisation will be crucial in scoping, mapping, identifying and addressing any risk, opportunity or issue which may become associated with the adoption of a new technology. With a risk-based approach to understanding contexts and stakeholders, there will be greater emphasis placed on considering social impacts of technology and ways to understand how communities will respond to proposals.

5.84 Horizon Scanning – elsewhere around the world, there are also lessons to be learned from similar jurisdictions. The methodology to gain insights in this regard is known as horizon scanning, and will continue to be crucial in knowledge exchange, information on best practice, and the consideration of high risk initiatives which may not be acceptable in Scottish society.

Contact

Email: ryan.paterson@gov.scot
