Oversight, scrutiny and review workstream report

Part One – Oversight, scrutiny and review

Introduction

Technology now touches every corner of our lives. Policing is no different, with police services across the globe increasingly looking to technology to support them in their role to keep people and communities safe. However, the adoption of technology is not always straightforward, and may pose ethical dilemmas that need to be taken into account in decision making.

In June 2019 the then Cabinet Secretary for Justice announced the formation of an Independent Advisory Group (IAG) to scope the possible legal and ethical issues arising from emerging technological developments in policing. The purpose of the IAG is to ensure Police Scotland and the policing system's use of emerging technologies in relation to their role to keep people and communities safe through operational policing is compatible with equality and human right legislation and best practice.

Work stream 4 is focused on the Oversight, Scrutiny and Review of projects and initiatives that look to achieve benefits to communities through the implementation of new and emerging technology in Policing.

The Policing of Scotland gains its legitimacy through the principle of policing by consent. That consent is based on the decisions of the Chief Constable and the Police Service of Scotland being legal, explainable, justifiable, and proportionate whilst being subject to the oversight of the Scottish Police Authority who do so with a focus on the public interest.

It is understood that ambiguity and uncertainty will feature regularly when considering novel policing technology and deployments. When faced with this ambiguity, assessing the available evidence, identified risk and associated mitigation and ensuring transparency will contribute to an informed assessment of the benefits and potential dis-benefits with the potential implementation of any new technology.

In justifying decisions and making them explainable, the policing system must be able to demonstrate that it has taken into account legal, ethical and human rights considerations in arriving at those decisions, balancing the rights of the individual with the need to protect all citizens in their communities. It is this balance that must be judged in taking forward proposals for the adoption of new technologies that assist policing in its primary function of ensuring safety and wellbeing.

Given this balance of the rights of the individual with the need to protect citizens in their communities there must be avoidance of an overemphasis on the 'precautionary principle' as the basis for decisions in the face of uncertainty. Some may interpret the principle as having a default position of change only when there is persuasive evidence that the introduction of a novel policing technology process or deployment has no risk of causing future harm. That means favouring a presumption against innovation on the grounds of uncertain evidence and potential however small, for causing future harm. Decision makers should have regard to the precautionary principle but should not rely on a narrow interpretation for their final assessments. If this was the dominant principle it is unlikely there would be any positive decisions to support the introductions new technologies.

Instead the introduction of new and emerging technology in policing should be guided by the 'proportionality principle' in approaching the challenge of uncertainty when considering a public interest assessment of a proposed new technology or deployment. The 'proportionality principle' is based on what is legal, legitimate and democratic, but take cognisance that many operational policing scenarios involve the need to carefully balance the rights of individuals to address threat, risk and harm. Decision makers should have particular regard for the following:

1. Intended purpose and benefits realised under the policing purposes as defined under section 32 of the Police and Fire Reform (Scotland) Act 2012 regarding the duty to improve the safety and wellbeing of individuals and communities.

2. Lawfulness and regulatory compliance with particular regard to intrusion into citizens privacy and private lives such as surveillance techniques. The introduction of novel technologies by police services will regularly be the subject of challenge in the media and the courts. Open and transparent debate is a crucial aspect of public confidence.

3. Balance of evidence of future benefits offered and/or harm prevented with potential future dis-benefit or harm caused. Decision makers should exercise a 'public interest' approach with great care and with a clear view to protecting citizens safety and wellbeing and preventing harm while preserving all individual civil and human rights.

4. Affordability and best value.

5. Mitigating actions to reduce potential harms. This aspect is critical and in the hands of the Policing System in Scotland to ensure appropriate planning is in place.

Considered innovation is an essential component of the 'proportionality principle', allowing Police Scotland to continually improve its ability to address threat, risk and harm.

Police Scotland and the Scottish Police Authority, through the personal commitments of the Chief Constable and Chair, have published a memorandum of understanding that outlines the principles through which decision making and engagement will be conducted to ensure the principles of policing by consent are safeguarded, this includes any decisions on the introduction of new and emerging technology.

There has been a great deal of progress since 2019 to establish robust processes and mechanisms to underpin this ethos. Her Majesty's Inspectorate of Constabulary (HMICS), the inspection body for Policing and the Scottish Police Authority (SPA) have stated:

"HMICS considers the governance arrangements, which the Scottish Police Authority (SPA) and Police have in place, are continuing to mature and evolve to meet the ongoing needs of both organisations."^[1]

"HMICS found evidence of genuine progress at the Scottish Police Authority over the previous 18 - 24 months. The appointment of experienced and talented individuals to both the Police Scotland senior leadership team and to the SPA Board, was a significant achievement. A new governance framework with a focus on transparency and accountability was put in place in May 2018 and is now being reviewed to address a number of areas for improvement and reflect the ever-changing policing landscape."^[2]

The following document provides an overview of the existing decision making, oversight and scrutiny framework that is in place to support the assessment of the potential adoption of new technology across the Policing System in Scotland.

The document is structured so as to follow the consideration and decision making pathway of technology adoption from initial idea/concept to business as usual adoption of the technology.

Overview of existing governance and assurance framework

The following diagram details the current process that any new and emerging technology project would now adhere to.

Although this diagram describes the process for a proposal originating and being developed by Police Scotland and that example is carried through this document for illustrative purposes, a similar process would be followed for any proposal being originated and developed through SPA Forensics Services. It should be noted that this process is able to be scaled depending on the size of the project.

It should also be noted that the consideration of new and emerging technology often commences prior to the formal governance route that is detailed below. An example of this would include during the development of strategies which will often involve complimentary research to identify a direction of travel and ambition for policing. These considerations can begin ahead of project initiation however will need to progress through the governance process detailed below.

Figure 1. Programme and Project Lifecycle Process

SPA Programme and Project Lifecycle Process

Initial Consent Assessment

Internal PS Development

• Project potential assessment
• Project Board
• Programme Board
• Portfolio management group

Joint and SPA Evidence Review

• SPA/PS Joint Evidence and Research Forum
• SIPR
• Wider Academia
• Policy Advisors in SG
• College of Policing
• Police Foundation
• PIRC Insight
• HMICS Insight

External Agency Partner and Public Input

• PS Regional and National Ethics panels
• Impacted Citizen Focus Groups
• Public Survey and Polling
• Impact Assessment
• External advice / representative organisations / reference groups

Case for Change Development

Internal PS Development

• SG Police Divisions
• Previous Evaluations
• Test of Change or Pilot
• PS Futures Programme
• Design Approach
• EQHRIA DPIA
• Data Ethics Framework

Joint and SPA Activity

• SPA/PS Joint Evidence and Research ForumOpinion
• SPA/Legal SIPR & Wider Academia
• College of Policing
• Police Foundation
• PIRC Insight
• HMICS Insight

External Agency Partner and Public Input

• PS Independent Ethics Panel
• Local Authority Engagement
• Human Rights Commissioner
• Biometrics Commissioner
• ICO
• Audit Scotland
• Children and YP Commissioner
• Third Sector Groups

Informed Decision Making

Internal PS Development

• Initial business case
• Project Board
• Programme Board
• Police Scotland internal quality assurance
• Portfolio Management Group
• Change Board
• Strategic Leadership Board

Joint and SPA Activity

• SPA Board Seminar/Briefing
• SPA Resources Committee (IBC)

External Agency Public and Partner Input

• SPF ASPS
• Trade Unions
• PS Futures Programme
• Human Rights Commissioner
• Biometrics Commissioner
• ICO
• Audit Scotland
• Children and YP Commissioner
• Third Sector Groups

Governance Approvals

Internal PS Development

• Full business case
• Impact Assessments
• Benefits Realisation
• Project/Programme Board
• Portfolio Management Group
• PS Internal QA
• Change Board/SLB

Joint and SPA Activity

• SPA Resources Committee (FBC)
• SPA Board (FBC)
• SG if required

External Agency Public and Partner Input

• SPA Resources Committee and SPA Board seek assurance at this stage that external agencies, public sector organisations and partners have had input and advised Police Scotland and where this advice has lead to changes or otherwise.

All above is underpinned by joint MoU

Project Delivery

Internal PS Development

• Change Control Processes
• Project/Programme Board
• Portfolio Management Group
• Change Board/SLB

Joint and SPA Activity

• SPA ARAC
• SPA Resources Committee
• SPA Policing Performance Committee
• HMICS Insight
• Internal Audit

External Agency Public and Partner Input

• External Reference Groups
• SG Gateway/ Technology Assurance Framework

Transition into Business as Usual

PS Performance Management

• Performance Reporting
• Local Policing Board
• Crime and Operations Board
• People and Professionalism Board
• Corporate Management Board
• Operational Delivery Board
• Strategic Leadership board

SPA Oversight

• SPA Internal Audit
• SPA ARAC
• SPA Policing Performance Committee
• SPA Oversight Groups
• SPA Board

External Agency Public and Partner Input

• HMICS Inspection
• Local Scrutiny Convenors
• Public Survey and Polling
• Justice Committee

Memorandum of understanding

Underpinned by Joint MoU

The Authority's approach to the oversight of new and emerging technology is focused across the widest possible interpretation of change and continues to mature in partnership with Police Scotland and SPA Forensic Services. This partnership approach has benefited from early engagement between the Authority and the Policing System in a number of key areas.

The refreshed oversight approach, focused on the content, progress, pace and impact of change, will be driven and underpinned by a recently adopted Memorandum of Understanding (MoU) – developed jointly by the Authority and Police Scotland - which aims to ensure early visibility and oversight of any new and emerging strategy, policy or practice under consideration by Police Scotland or SPA Forensic Services. It is anticipated the adoption of new and emerging technology will be an area of significant consideration. The Authority's main focus will be on significant equalities, human rights, privacy or ethical concerns raised, or where the issue will have a significant impact on public perceptions of, or confidence in, policing. It also seeks to ensure the intended benefits of any new and emerging strategy, policy or practice is clearly set out by Police Scotland and that the adoption of technology improves the ability of operational policing to address threat, risk and harm.

The MoU provides appropriate opportunities for public discussion, local engagement and formal oversight and review. It aims to ensure that potential impacts on the public's rights, for example rights to safety and privacy, are considered, and that there is sufficient engagement by Police Scotland or SPA Forensic Services with stakeholders and the public to inform the development process.

This process is further enabled by an early assessment and prioritisation approach to innovations which will deliver impactful change, ensuring new innovations, such as new and emerging technologies, are planned and trialled in an engaging and inclusive way, which considers a wide range of views and opinions in order to inform decision making based on robust and transparent impact assessments.

The establishment of the MoU represents a significant step forward in the oversight of policing. Specifically, the MOU commits to early engagement between the SPA and Police Scotland 'when Police Scotland is considering a new and emerging strategy, policy or practice to improve the safety and wellbeing of persons, localities and communities in Scotland, and which are likely to be of significant public interest'. Previously only cases for change beyond certain financial thresholds would be presented to the SPA for consideration.

Given how recently the MoU has been adopted the full impact that this new way of working will have on the oversight and scrutiny of new and emerging technology remains to be assessed. As this approach is embedded over the coming months, case studies and lessons learned will be compiled.

Key Consideration 1: The SPA and PS should continue to use and enhance the arrangements set out in the MoU to ensure any future implementation of technology has had the widest possible appropriate and early engagement and consideration.

SPA excellence framework

Underpinned by SPA Excellence Framework

Effective Scrutiny and oversight are key elements that ensure that policing retains the trust and confidence of Scotland. The SPA Excellence Framework is part of the SPA's overall Governance Framework. It provides a conceptual structure intended to serve as a guide for the building, and ongoing development, of an Audit, Risk and Assurance Programme to deliver excellence within SPA, and derive assurance around excellence within Scottish policing.

Practically, 'excellence' means ensuring that organisations have a clear understanding of their stakeholders, they develop ways to achieve or exceed expectations, they achieve excellent results today and in the future, and they communicate assurance effectively.

Recent experience has highlighted that this is particularly important when it comes to the adoption of new and emerging technology within policing.

A core component of the Excellence Framework is the 'Four Lines of Defence' model which is designed to assure effective and transparent management of control and risk by making accountabilities clear. The below diagram outlines how the four lines of defence model is applied by the SPA and other oversight functions.

SPA Board/Audit Committee

Management Boards

(Across SPA and Police Scotland)

1st Line of Defence

• Management
  • Business and usual activity, assurance coming from those responsible for delivering specific objectives or processes and having ownership and accountability
  • Divisional / Functional Management

2nd Line of Defence

• Oversight Function
  • Assurance that is provided which is separate from those responsible for delivery but independent of the overall management chain. Police Scotland's Risk, Assurance and Inspection Team provide this service to Police Scotland, and the SPA's Risk, Audit and Assurance Forum for SPA.

Internal Scrutiny

3rd Line of Defence

• Internal Audit
  • The SPA appoints independent internal auditors who, on behalf of the SPA, are responsible for reviewing the first and second lines of defence within the SPA and Police Scotland, identifying areas of improvement and recommending and encouraging best practice. The Internal Auditors report to the SPA's Audit Committee.

Internal External Scrutiny

4th Line of Defence

• External Audit, Inspection and Review
  • This is undertaken by bodies external to the SPA and Police Scotland, and includes: HMICS, Audit Scotland, the PIRC, and other regulatory/ inspectorate bodies that oversee corporate bodies, such as the Health and Safety Executive, or the Information Commissioner's Office. The external bodies provide an independent assessment of the first three lines of defence

First line of defence

Within the SPA there are many arrangements already in place that are used to derive assurance on how well objectives are being met and risks managed.

This form of assurance is produced by staff and management within or managing operations at a functional level, using business as usual activities such as good policy, performance data, risk registers, reports on routine system controls and other management information. Functional areas report into a Director, who in turns reports into the Chief Executive Officer.

Assurance in SPA Forensic Services operates through a separate Quality Management Framework that governs practices across the first two lines of defence, and reports into the SPA's Audit Committee and Forensic Services Committee.

This level of assurance provides indication that performance is being monitored, risks are being identified and addressed, and objectives linked to SPA plans such as the long term Strategic Police Plan Forensics Strategy and SPA Corporate Strategy are being achieved, however it may lack independence and objectivity. It does ensure that functional teams have ownership, responsibility and accountability for controlling and mitigating risks through their processes and day to day activities.

Second line of defence

The second line of defence is a within-organisation oversight function. It is a step away from those who are responsible for delivery, but still not independent of the SPA. The SPA's Risk, Audit and Assurance function falls into this level of defence responsible for conducting compliance assessments and reviews to determine that policies and procedures are being met in line with the expectations obligations. This line of defence assures, monitors and facilitates the effective implementation of the first line of defence activity. In Police Scotland, a Risk, Assurance & Inspection team carries out assurance activity at the second line of defence stage.

Third line of defence

This is objective and independent assurance, with the SPA's internal auditor forming SPA's third line of defence. An independent internal audit function will, through a risk-based approach to its work, provide assurance to the SPA, senior management, and our stakeholders. This assurance will cover how effectively the organisation assesses and manages its risks and will include assurance on the effectiveness of the first and second lines of defence.

Importantly, in the context of SPA's role and its relationship with Police Scotland, the Third Line of Defence (Internal Auditors) extends and acts as a Third Line of Defence for Police Scotland.

Fourth line of defence

Assurance from external independent bodies, such as the external auditors Audit Scotland and other external scrutiny bodies form the fourth line of defence.

External bodies may not have the existing familiarity with the organisation that an internal audit function has, but they can bring a new and valuable perspective. Additionally, their outsider status is clearly visible to third parties, so that they can be independent, and also seen as being independent, for example HMICS, Audit Scotland, the Health and Safety Executive and the Information Commissioner's Office. The below figure summarises the key organisations that provide external assurance of Police Scotland activity. Some of these bodies such as the ICO will have greater involvement in activities related to new and emerging technology.

Figure 2. Scottish Policing Scrutiny Landscape

Primary

Her Majesty's Inspectorate of Constabulary in Scotland (HMICS)

• Provides independent scrutiny of both Police Scotland and the SPA
• Published an annual scrutiny plan and conducts various different types of 'reviews' with a focus towards operational matters. Also alongside Audit Scotland has a Best Value inspection role

Police Investigations and Review Commissioner (PIRC)

• Undertakes independent investigations into the most serious incidents involving the police
• Provides independent scrutiny of the way police bodies operating in Scotland respond to complaints from the public

Information Commissioner's Office (ICO)

• Independent authority that upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals

Audit Scotland

• Statutory external auditor of the SPA
• Also provides independent assurance on value for money/ Best Value in addition to further wider scope responsibilities

Investigatory Powers Commissioner's Office (IPCO)

• Independent oversight of the use of investigatory powers by intelligence agencies, police forces and other public authorities

Local Authorities

• Each of Scotland's local authorities have scrutiny arrangements in place to allow them to influence policing at a local level

Secondary

Scottish Parliament

• Justice committee & justice sub-committee on policing
• Remit includes all matters within responsibility for Cabinet Secretary for Justice
• PAPALS committee consider accounts, auditor general reports and post-legislative scrutiny

Judicial Commissioners

• Judicial Commissioners provide functions relating to the Investigatory Powers Act 2016
• Maintains a programme of retrospective inspection and audit by Judicial Commissioners and IPCO's inspectors

Scottish Human Rights Commission

• Promotes and protects human rights

Scottish Information Commission

• Promotes and enforces Freedom of Information

Health and Safety Executive

• UK government agency responsible for the encouragement, regulation and enforcement of workplace health, safety and welfare

Forensic Science Regulator

• Issues codes of practice and provides guidance

United Kingdom Accreditation Service (UKAS)

• UK accreditation body of certification and testing (Forensics)

Decision making governance, oversight and scrutiny

The MoU described above is an addition, and does not replace any component, of the existing governance system that is in place across Police Scotland and the SPA.

The following section outlines the decision making governance framework that exists in Police Scotland and the Scottish Police Authority.

Although neither Police Scotland nor the SPA have a specific Board for consideration of new and emerging technology or ethics alone, many of the Boards detailed above will have a role to play in ensuring the highest standards are maintained.

For example, in the Terms of Reference (ToR) of the Corporate Management Board the 'purpose' includes:

• National consistent and equitable access to police services
• Improved outcomes for communities in Scotland

Figure 4 below outlines the most likely governance route that would be followed when considering the adoption of new technology.

The role and remit of each of these boards is laid out in the Terms of Reference. The following section highlights any aspects of the ToR that are particularly pertinent to new or emerging technologies.

Change Board

To ensure all change activity aligns to Police Scotland's long term strategy

To provide scrutiny and ensure accountability is being maintained by Senior Responsible Officers

To consider, scrutinise and where appropriate, authorise requests for transformation budget spend

Demand, Design and Resources Board

To enable Police Scotland to strategically (re)align resources & develop capabilities to address threat, risk and demand in the short, medium and long term and progress from its current operating model to its Target Operating Model (TOM)

Strategic Leadership Board

To review and consider brief updates from Primary Boards and where relevant, ratify Primary Board decisions

To discuss other relevant matters affecting the Force and approve, where appropriate, an agreed course of action

SPA Policing Performance Committee

Policing Performance Committee will not approve the adoption of new technology, however it will oversee and scrutinise the performance and implications of any adoption.

The purpose of this Committee is to provide oversight and scrutiny of continuous improvement in policing. It will do this through scrutinising policing performance against agreed strategies, plans and statutory requirements. The Committee will seek to continuously improve the way in which policing performance is measured and reported. The Committee will also consider any proposed changes to operational policing which may have particular public interest, ethical or human rights implications.

SPA Resources Committee

The Resources Committee will review and scrutinise business cases for adoption of technology and make recommendations to the SPA Board

The purpose of this Committee is to provide oversight, scrutiny and assurance to the Board on all significant resources matters, including financial planning, performance and financial stewardship, and on significant people-related matters. The Committee will provide advice and assurance to the Board on these matters and any other specific items which the SPA Board requests of it in relation to financial sustainability, employee-related and other resourcing aspects of Police Scotland and the SPA. In addition the Committee will seek to ensure that continuous improvement is embedded within financial and people-management and development processes and procedures in line with Best Value principles, and will seek evidence of Police Scotland and SPA operating as responsible employers and of progress being made towards mainstreaming of equality, diversity and human rights.

SPA Board

As described above, the SPA's Resources and Policing Performance Committee will oversee and scrutinise situations where new and emerging technology meet certain thresholds or are of significant public interest. However, certain matters which may have implications for technology adoption are reserved for the SPA Board. These include, but are not limited to:

• Recommendation the Strategic Police Plan to SG for approval
• Approval of local police plans
• Approval of the strategic performance framework
• Approval of organisational / transformational change proposals

Initial concept assessment

Internal police Scotland development

A proposal for a Project can arise from many different avenues and the organisation supports ideas from all parts of the organisation.

When a new concept or potential project is identified, including one containing a new and emerging Technology aspect, a Project Potential Assessment (PPA) is completed. This is a template and process for assessing whether or not an idea is a Programme, Project, Business as Usual, Continuous Improvement or Small Change Activity.

The PPA will ask high level questions regarding the idea on the following topics:

• Whether or not the idea has Business Change, Technology, Property, Construction
• Fit to Strategic Aims
• Benefits the idea may accrue
• Potential Risks the idea will manage
• Impact on business areas and the organisation
• Any high-level dependencies or stakeholders
• Initial/Potential timescales for delivery
• Any initial or potential costs known at this time
• Any initial or potential resources needed

The PPA is then submitted to an internal Project Board, Programme Board and ultimately the Portfolio Management Group. Portfolio Management Group is an internal forum where the Senior Responsible Owner for the Portfolio, Programme Managers, Project Managers and Change Staff give approval, challenge and appraise papers and business cases prior to them being submitted.

Evidence that may inform the PPA could come from a variety of different sources including the SPA and PS Joint Evidence and Research Forum, Scottish Institute for Policing Research, wider academia, Policy Advisors in Scottish Government, the College of Policing, Police Foundation, Police Investigation and Review Commissioner (PIRC) insight and HMICS insight. At this early stage of the project the information would already be available and it is expected that more bespoke research would form part of future phases in the project lifecycle.

A number of external agencies, partner and public input may also be gathered at this initial stage, this information could come from: PS Regional and National Ethics Panels; Citizen Focus Groups; Public Survey and Polling; Impact Assessments; External Advice from representative organisations or reference groups. As per the above at this early stage of the project the information would already be available and it is expected that more external agency, partner and public input would come at a later stage.

Case for change development and informing decision making

The Case for Change Development and Informing Decision Making steps should be detailed together. These two stages are connected and will ultimately lead to the creation of the Initial Business Case. The purpose of the Initial Business Case it to expand on the idea and to start exploring how the idea can be delivered as well as assessing the ethical, human rights, data privacy, equalities and other impacts of the proposed idea. The Initial Business Case should still be high level and should not identify the final method by which the idea will be delivered, instead it should touch on several options for delivery.

The Initial Business Case will focus on a few main areas:

• High-level Benefit Identification
• Risks to the organisation the project will help manage
• Impact assessment and consideration
• Dependencies that BAU activity or other projects have on the project delivering and where the project would be dependent on another project or BAU activity
• Incorporating any previous lessons learned by the organisation
• An indication of any cost associated with the project and its potential options
• An indication of any resources needed to complete the next stage in the governance process: The Full Business Case.

The governance route for the Initial Business Case is Project Board, Programme Board, Police Scotland internal quality assurance, Portfolio Management Group, Change Board and Senior Leadership Board internally. The Initial Business Case is then presented the SPA Resources Committee and may also appear at a SPA Board Seminar or briefing session. At this stage the Initil Business Case is for discussion only and is an opportunity for members to express their views and seek that these are addresses as part of the Full Business Case (please see the Governance and Approvals section).

There are clear expectations that as part of the Case for Change Development and Informing Decision Making stage that PS should have undertaken several steps to assess the idea. From an internal perspective these would include where appropriate: engagement with SG Police Division; assessing previous evaluations on the same topic, potential test of Change or Pilot; Design consideration, EqHRIA and DPIAs, assessment through the Data Ethics Framework and consideration through Ethics Advisory Panels (please see section on Ethics Panels).

The new concept could be discussed/appraised through joint PS and SPA activity, for example: the joint evidence and research forum; legal opinion from the SPA legal team, Scottish Institute for policing research and wider academia, College of Policing, Police Foundation, PIRC Insight and HMICS Insight. External stakeholder engagement would also be undertaken as part of any wider strategy development activity.

The new concept could also be subject to several external agency, partner and public input, for example: Independent Ethics Panels (See Ethics Panel section); Local Authority Scrutiny Convenors; Human Rights Commissioner; Biometrics Commissioner; Information Commissioner's Office; Audit Scotland, Children and Young People Commissioner; Scottish Police Federation and the Association of Police Superintendents. Furthermore, input could also be gathered from frontline officers – this will be important in terms of demonstrating an organisationally just approach and supporting meaningful organisational change at the implementation stage.

The output from external and internal engagement should be incorporated into the Initial Business Case prior to presentation to the Scottish Police Authority.

Governance and approvals

This stage in the process requires the Scottish Police Authority to make a decision on funding the Project. It seeks assurance and evidence that the appropriate engagement has been undertaken with external agencies, public sector organisations, partners and the public as appropriate. It also seeks assurance that the previous steps have been undertaken and research and an evidence base is presented to the SPA. It is expected that the main document associated with this stage, the Full Business Case, detailed this engagement and what advice was given and what impact or substantial changes this has made to the proposed approach.

The purpose of the Full Business Case is to expand the IBC, develop further the options identified within the IBC and recommend a preferred option for the appropriate governance board to consider.

The template for the FBC is based on the key UK Government project management guidance document The Green Book (also known as The Five Case Business Model – see Part two of this report).

The Full Business Case will focus on these main areas:

• The Strategic Case – the FBC must clearly indicate how the project will align with the organisations strategy
• The Economic Case – the main purpose of the Economic Case is to demonstrate that the spending proposal optimises public value/interest
• The Financial Case – the Financial Case demonstrates that the preferred option will result in a fundable and affordable deal
• The Commercial Case – the Commercial Case demonstrates that the preferred option will result in a viable procurement and well-structured deal.
• The Management Case – the Management Case demonstrates that the preferred option is capable of being delivered successfully.

The FBC should also be accompanied by key assurance documents including:

• Impact Assessments (EqHRIA, DPIA, CRIA etc).
• Project Management Plan.
• Benefits Realisation Plan and Profiles
• Risk Register

The FBC then goes through internal PS governance, requiring approval at: Project Board, Programme Board, Portfolio Management Group, Change Board, Senior Leadership Board.

The FBC is then submitted for external approval to SPA Resources Committee, SPA Authority Board and SG if required. At this stage the SPA should ensure it is content that the appropriate impact assessments have been undertaken and that the previous steps of initial concept design, case for change development and information decision making have undertaken the appropriate engagement, input and assurance from key stakeholders, subject matter experts and the public. It should ensure that appropriate consideration has been given to equalities, human rights, privacy or ethical concerns raised.

At this stage the project can be approved to proceed to implementation. SPA Officers seek to brief members on the initiative prior to consideration. These briefings where possible highlight any good practice, gaps or areas for concern that are present in the Full Business Case. This then allows members to scrutinise the FBC and ask for additional information and assurance where necessary. This approach could potentially be strengthened by having SPA committees inform their consideration of proposals by inviting subject matter experts to provide advice to the members.

Key Consideration 2: SPA Committees may consider to inform their consideration of proposals by inviting external subject matter experts or representation from professional reference or ethics advisory panels to provide evidence or advice on the impact that a specific technology may, or is, having on society.

Project delivery

During the Project Delivery phase there are still a number of checks and balances that projects require to have in place, especially if the project seeks to introduce novel or contentious technology.

The project is subject to Change Control Processes and has to report to Project Board, Programme Board, Portfolio Management Group, Change Board and Senior Leadership Board if certain thresholds are breached, for example if there were a projected 10% overspend.

Beyond this the project may be subject to an external reference group which has independent and external advisors which offer guidance to Police Scotland in delivery. The project can also be subject to Scottish Government Gateway Reviews and Scottish Government Technical Assurance Framework Reviews, both of these are conducted by individuals completely independent to Police Scotland and the Project and offer red, amber and green status on a number of categories including cost, benefit, resource, timescale, or increasing risk.

The project should still be engaging with external experts, the public and academia where appropriate in the design and implementation of the technology to ensure equalities, human rights, privacy or ethical concerns raised are being addressed in the design of the solution.

Transition into business as usual

When a project transitions into business as usual a number of boards and performance reporting mechanisms assess the impact that it is having on service delivery. The internal PS forms that could consider the impact of the project are: Local Policing Board, Crime and Operations Board, People and Professionalism Board, Corporate Management Board, Operational Delivery Board, Senior Leadership Board.

The impact on service delivery is then also monitored through external groups and agencies, including: SPA Internal Audit, Audit Risk and Assurance Committee, Policing Performance Committee, SPA Oversight Groups where appropriate, the SPA Board, HMICS inspection, local scrutiny convenors, public survey and polling and Justice Committee.

Key Consideration 3: Following the above process the SPA should continue to require assurance that external evidence and advice has been sought and considered and that engagement with partners and the public has been undertaken to inform the approach to embedding specific technologies in Policing.

Ethics panels

Many of the challenges in the adoption of new and emerging technology can be considered 'ethical'. For the purposes of this document, the term 'ethics' should be considered as the moral principles that guide decisions or activities. This will include consideration of aspects such as (i) human rights; (ii) equalities and (iii) data privacy.

In addition to the formal governance channels outlined above, Police Scotland have introduced Ethics Advisory Panels (EAPs) to provide an opportunity for staff, officers and external participants to come together and discuss ethical dilemmas within Police Scotland.

Police Scotland's operating model includes a four tier structure of panels. Ethics panels are not decision making bodies, but are instead advisory in nature and provide advice and support to the decision maker. The decision maker (or dilemma holder) remains responsible for taking the decision with due consideration of the panel's views within their rationale.

Ethics panels have a number of objectives. These include: (i) improve service delivery; (ii) support police officers and staff; (iii) support police leaders; (iv) develop and enhance visible ethics culture and (v) support organisational learning.

It should be noted that Ethics Advisory Panels will consider a whole range of ethical dilemmas, not just those posed by the adoption of new and emerging technology.

Below is a brief description of the four tier structure of panels:

• Regional Panels - 150 staff and officers across Police Scotland are trained to sit on Regional Panels. These panels are planned to meet every three months in the East, North and West Regions. Each panel will comprise 15-20 staff and officers and are chaired from a cadre of senior officers and staff members trained for the role. Regional Panels ordinarily consider ethical dilemmas which impact upon local and/or operational decision making with Subject experts (if required), staff associations, unions and human resources represented. Recent examples of subjects discussed at a Regional Panel include Body Worn Video and Gifts, Gratuities, Hospitality and Sponsorship.
• National Panel - 50 senior officers and staff members are trained to sit on National Panels. Membership includes those who have a national remit, representatives from staff associations, unions and human resources in addition to representatives from the Regional Panels. As the last tier of panels yet to formally sit, their timetable will align with Regional Panels sitting quarterly, chaired from a cadre of senior officers and staff members trained for the role. The National Panel is intended to consider ethical dilemmas which impact upon national, strategical and tactical decision making across most, if not all of Police Scotland. National panels will also act as a governance route for potential further discussion around dilemmas discussed at Regional Panels.
• Independent Panel - Currently 30 members are drawn from a broad spectrum of society in Scotland, with development ongoing to establish a cadre of 35-50 individuals. The Independent Panel will consider dilemmas that impact public service and confidence, providing external consideration, scrutiny and advice to the decision maker. Panels can be convened with 4 weeks' notice on a demand led basis and are chaired by an Independent Member with DCC Professionalism holding the position of co-chair. Recent examples of subjects discussed at the Independent Advisory Panel include Remote Piloted Aircraft Systems (RPAS), the Domestic Abuse Scotland Bill and Body Worn Video
• Youth Panel - Working in partnership with the Scottish Youth Parliament (SYP) the Youth panel was established in April 2021 with a trained cadre of 15-20 MSYP's engaging the voice of Scotland's young people in police decision making. The panel is scheduled to sit 3 times a year and will consider dilemmas that impact public service and confidence. The Youth Panel sits parallel to the Independent Panel, ensuring that the diverse and representative democratically elected voice of Scotland's young people is heard. Youth panels are independently chaired by the Convener of the SYP's Justice Committee with CI Ethics and Preventions holding the role of Police Scotland Delegate on the panel. The first subject discussed at the Youth Advisory Panel was the policing of COP26 with a future dilemma around the implementation of the UNCRC Bill scheduled.

It should be noted that the Regional and National EAPs described above have only internal Police Officers or Staff in attendance, the organisation would benefit from ensuring that externals are present at these to ensure variety of opinion and subject matter expertise.

The introduction of Ethics Advisory Panels will help Police Scotland to improve service delivery and consider the ethical implications when considering the implementation of new technology. The findings, advice and how this helped shape the solution, planned implementation, preferred option for the new technology or how these were considered should be demonstrated in the Full Business Case presented to the Authority. It is not clear where the most appropriate section within the FBC template would be for these considerations.

Key Consideration 4: The SPA and PS should continue to use, embed and continually improve the processes set out in the above sections. The SPA and PS should work to develop a sixth ethics and human rights case in Business Cases underpinned by a suitable framework which would inform decision making through consideration of data ethics and wider consideration of equality, privacy and human rights issues. (See Appendix 3 – Draft proposals for Oversight of Ethical Considerations in Policing)

Additional Oversight – Scottish Government, Parliament and HMICS

The Authority is accountable to Scottish Ministers who are in turn accountable to the Scottish Parliament for the activities of the Authority and its use of resources. The Authority must also comply with any direction (general or specific) given by the Scottish Ministers. The SPA Chief Executive, as designated Accountable Officer is answerable to the Scottish Parliament for the exercise of their functions.

The Scottish Parliament is responsible for scrutinising the policy and legislative proposals of the Scottish Government, and the Criminal Justice Committee fulfils much of the scrutiny in relation to criminal justice. The remit of the Justice Committee is to 'consider and report on matters falling within the responsibility of the Cabinet Secretary for Justice, and functions of the Lord Advocate other than as head of the systems of criminal prosecution and investigation of deaths in Scotland.'

A Justice Sub-Committee on Policing was established following the establishment of Police Scotland. The key role of the Sub-Committee was to consider and report on the operation of the Police and Fire Reform (Scotland) Act 2012 as it relates to policing. The 2012 Act established the Police Service of Scotland ("Police Scotland") and the Scottish Police Authority, which is charged with oversight of Police Scotland.

A significant focus for the Justice Sub-Committee on Policing was on new and emerging technology in policing. Subjects such as remotely piloted Aerial Vehicles (RPAS), Body Worn Video, Digital Triage devices and facial recognition technology received significant attention from members of the sub-committee.

In 2021 it was announced that the Justice sub-committee on policing would be discontinued and that matters relating to policing would be considered by the Justice Committee.

Additionally, Her Majesty's Inspectorate of Constabulary for Scotland (HMICS) has powers to look into the "state, effectiveness and efficiency" of Police Scotland. The Chief Constable must provide the inspectors of constabulary with such assistance and co-operation as they may require for the purposes of, or in connection with, the carrying out of their functions (and must, in particular, comply with any reasonable request made by the inspectors of constabulary in that regard). These powers would allow HMICS to investigate the effectiveness of the use of new and emerging technologies should it be deemed appropriate.