Legal frameworks and ethical standards workstream report: Final Report

7. Recommendations

7.1 At a discursive level, observing the above examples of technologies and the subsequent lessons learned, there is a clear notion which challenges the rhetoric of techno-optimism which is found around the world in numerous sectors. Police Scotland have shown in their own 'lessons learned' that examples of emerging technology in itself do not offer a solution to social problems such as crime prevention, and public and officer safety – rather there is the mature and more energising comprehension drawn out from past implementations that technology should be thought of as 'an enabler' and a system of tools to assist in police work to gain new insights or overcome ineffective shortcomings inherited by analogue technologies. Drawing on the previous sections, we present our recommendations here:

1. The continued implementation and reinforcement of a human rights-based approach to policing in Scotland

Police Scotland should continue to embrace and implement a human-rights based, ethical and proportionate model for police use of technologies, in accordance with international best practices and with community input and engagement.

These international best practices include European Convention on Human Rights and their interpretation by the European Court of Human Rights and should be adhered to by Police Scotland regardless of whether the UK decides to repeal the Human Rights Act and/or leave the European Convention on Human Rights. In such a case, action by the Scottish Government may be required e.g. to incorporate these provisions into Scots law if possible.

This approach should include Police Scotland providing more analysis and engagement of human rights and equalities with technology use; specific references to Police Scotland's duty to assess and review relevant equality impacts of policies on technologies when at a developmental stage. The enhanced human rights-based and ethical approach should take place across the following domains: Policy and strategic decision making; Operational planning and deployment; Training and guidance; Use and control; and Investigation, monitoring and scrutiny. We recommend Police Scotland formally commit to adopting this approach which would ideally be accomplished through further internalising human rights knowledge and capacity. For example Police Scotland could employ equality and human rights experts in order to assist in policy design, analysis and assessment.

2. Further consideration of impacts on new technologies on human rights and equalities needed

The impacts of new technologies specifically on human rights and equalities need to be further considered. A multi-level analysis of rights and equalities impacts should be taken into account to embed and enhance Police Scotland practice, I.e. looking at the impact at the individual, community and societal levels. There are existing requirements under data protection law (Data Protection by Design and Default, Data Protection Impact Assessment) that place an obligation on controllers to ensure that the data protection principles are adhered to and that any impact on individual rights and freedoms are identified, assessed and mitigated. There are also existing relevant obligations under equalities law and human rights legislation. In this recommendation we seek to aid compliance and raise the bar. In terms of raising the bar from a data protection point of view, specific actions could ensure that: Data Protection Impact Assessments (DPIAs) are developed alongside Equality and Human Rights Impact Assessments (EqHRIAs) and Children's Rights and Wellbeing Impact Assessments (CRWIAs), that Police Scotland refer to the ICO's Overview of Data Protection Harms when considering risks associated with processing and ensure that risks to individual's rights and freedoms are fully considered, assessed and mitigated in DPIAs. Further that these risks should continue to be identified, assessed and mitigated throughout the lifecycle of a new technology (i.e. not only at the 'developmental stage'). From an equalities and human rights perspective, Police Scotland need to assure themselves when undertaking Equality and Human Rights Impact Assessments (EqHRIAs) that any proposals are compliant with the Human Rights Act 1998 and the Equality Act 2010, and also satisfy the requirements of the Equality Act 2010 (Specific Duties) (Scotland) Regulations 2012, including the duty to assess the impact of applying new or revised policy or practice and publishing the results of these assessments in a manner that is accessible.

3. Strong democratic engagement and consultation processes should be used to gain insights from the communities that a police service works for

These communities should include engagement with the protected groups defined in Equality Act 2010. In Scotland, if policing is to be done with public acceptance and agreement, then the public should be involved in changes to the policing system which could change the fabric of society, effect social relations, or impact democratic values. Complaints processes involving police use of technology must be accessible to all members of the public including those with disabilities.

4. Legal basis for using policing powers vis-a-vis technologies must be clearly specified and shared with key stakeholders

Police Scotland need to be able to demonstrate that the application of the policing power as set out in law must be clear and foreseeable and refer to and use proportionality and necessity testing; accurate and reliable/scientific standards, EqHRIA and community impact assessments. Although Police Scotland do specify the legal basis in DPIAs, given the potential for differing interpretations, legal basis (and opinions being drawn on) should be shared with key stakeholders as a matter of course in order that they may be questioned and tested and this must be reviewed in light of further developments (such as change in use case or additional information coming to light). Police Scotland need to be able to understand and articulate to diverse stakeholders the power which comes from the specific law which sanctions the use of a technology and refer to and use proportionality and necessity testing; accurate and reliable/scientific standards, EqHRIA and community impact assessments. There should be more transparency with regards to the legal basis of police use of technologies and awareness raising with the public.

5. Further clarifications of legal basis via legislation or code of practice may be desirable

Further clarifications of legal basis for police use of technologies may be desirable, such as through legislation or a code of practice as we see for biometrics. Government should consider whether additional statutory codes of practice may be required to provide greater clarity and safeguards on the application of new technologies. Such new technologies might include AI for which a binding code for policing use may be desirable.

6. Special regard for the interests of children and vulnerable persons

When using new technologies in this context, law enforcement actors must have special regard to the interests of children and vulnerable persons and how the technologies may impact upon them. We recommend that Police Scotland conduct, embed and enhance Children's Rights and Wellbeing Impact Assessments (CRWIAs) alongside DPIAs and EqHIAs.

7. More communication with the public and other stakeholders about police technology

Communication with the public and other stakeholders is needed about police technology capabilities and substantial changes to the dynamic of police work mediated by technology. This communication must be clear, publicly facing and speak equitably to a broad range of publics. Doing this is important both in terms of understanding and mitigating potential risks and harms but also ensuring fairness. The use of new technologies should not unjustly adversely impact an individual or group of individuals (which may potentially be discriminatory under the Equality Act 2010) and the processing should be within the reasonable expectations of the public.

8. Unacceptably risky technologies

Police Scotland should consider that in some cases a technology may be too controversial and pose unacceptably high risks to use even if there may be a legal basis for using it. A current example may be live facial recognition. Not using certain technologies and applications must be an option. Police and other actors in government should seek to understand why such technologies are considered controversial and risky and draw on lessons learned. Further work needs to be done on how unacceptability of risk may be assessed. Regard could be paid to the EU's proposed AI Act framework for risk in doing this. A category of 'unacceptable risk' could be added to Police Scotland's data ethics process to add to the current low, medium and high risk categories. In addition or as an alternative, the Scottish Government and Parliament could enact legislation defining what unacceptable risk means and designating technologies or application which pose such risks, e.g. those systems whose use is intrinsically incompatible with human dignity (similar to the categorical prohibition of torture).

9. Ongoing evaluations and reflections on police use of technology

Police Scotland should continue to evaluate and reflect on its uses of technologies, recognising lessons learnt and the implementation of measures such as ethics panels, improved internal processes, engagement, transparency and external evaluations.

10. Drone awareness and impact

Police Scotland should raise awareness of its use of drones among the general public, clearly communicate to the general public how and when drones are deployed and how personal data is processed and should publish its draft Code of Practice on the use of drones and impact assessments, including the technical capacity of drone platforms to ensure privacy and data protection by design. Future Scottish Government Crime and Justice Surveys could include questions to benchmark awareness and attitudes of drones. The necessity of drone deployment rather than other means of investigation must be explained and justified by Police Scotland given the likelihood drones will capture sensitive personal data and have a high risk of collateral intrusion. Police Scotland should ensure that drone footage secured in criminal investigations from other parties, whether other public bodies, commercial organisations or others complies with the relevant legal and ethical safeguards.

11. Cross-border dialogues

Police Scotland should look across borders to access and share learning about best practice and acceptable use of new technologies. Evidence collected in trials, risk assessment and ethical studies elsewhere in the UK and further afield may be particularly helpful.

12. Lessons learned forum for police within the UK

A 'lessons learned' forum/knowledge exchange event could be established for police in Scotland, along with police in other parts of the UK, to share, showcase and discuss organisational knowledge from previous endeavours. This would mitigate continual institutional failures or mistakes relating to ethical and legal concerns, and allow best practice to be communicated in a transparent and open manner.

13. Continued enhanced risk management

Police Scotland should continue to enhance its approach to ensure effective and mature risk management processes (note link to workstream 4) to scope, map, identify and address any risk, opportunity or issue which may become associated with the adoption of a new technology, and continue to reassess and evaluate risks throughout the lifecycle of any new technology. With this risk-based approach to understanding contexts and stakeholders, there should be greater emphasis placed on considering future impacts of technology and ways to understand how communities will respond to proposals. Evaluating risks throughout the lifecycle of the technology will also allow Police Scotland to act on risks which only become evident after the technology is deployed.

14. Technology procurement and provenance

More attention should be paid to the procurement and provenance of the technologies used by Police Scotland. In order to ensure enhanced cyber- and data security, the police and public sector more widely may need to consider developing technology solutions in-house rather than outsourcing them to private companies. Police Scotland should ensure that there are robust procurement processes in place to ensure that procured technologies are compliant with existing data protection, human rights and equalities obligations. National standards or a national Code of Conduct setting out these standards may be helpful here. Any proposed technology procurement project should follow the HM Treasury Green Book's business case framework, and make public an abridged version which includes an account of ethical issues. Where the police and public sector are developing technology solutions in-house rather than outsourcing to private companies robust design guidance that facilitates a data protection by design and default approach should be in place. A system of independent quality checking of such technologies may be desirable.

15. Police data sharing

More attention should be paid to the sharing of personal data generated by technologies used by police. Further safeguards may be needed for data sharing with other agencies and retention periods. There should be a review of the rules on retention considering questions of utility, lawfulness, proportionality and necessity. Rules around data sharing for the police should be legislated. A separate regime for children's data compared to that of adults may be advisable too. More research and discussion is needed on this topic, with the possible outcomes of further guidance, legislation and/or policy from relevant bodies such as the Scottish Government, Scottish Biometrics Commissioner and the ICO.

16. Biometrics transparency

More information could be published by Police Scotland publicly about biometrics they hold, for instance how many images they hold. The minutes of the Biometrics Oversight Board should also be published.

17. Evaluation of new Biometrics Commissioner

The establishment and effectiveness of the new Biometrics Commissioner in safeguarding human rights and upholding high ethical standards should be evaluated. There is already a reporting mechanism in the Scottish Biometrics Commissioner Act (SBCA) 20202 (section 6). We reiterate the need for this reporting to be done in a way which involves wide consultation with relevant stakeholder groups and the public. We also consider that there should be a review of areas of police technology usage not currently covered by the SBCA, for the consideration of further policy, legislative and guidance reform.