Oversight, scrutiny and review workstream report

Part Two - Ensuring that ethical considerations are central to decision making in Scotland's policing system

As described in the previous section, Police Scotland and SPA Forensics Services operates in a highly complex and rapidly evolving environment. The demand for police services continues to increase, resource pressures grow, criminals continue to deploy new methods and exploit our most vulnerable and cybercrime continues to accelerate at unprecedented pace. In order to keep pace with these changes, Police Scotland require to adopt new ways of working, deploy resources flexibly and exploit new technological advancements to ensure that they remain on the front foot.

For these reasons, the need for Policing Scotland and SPA to innovate and make informed decisions about the need to adopt new technologies has never been greater. However, unlike many organisations these decisions cannot be based solely on value for money, rather these decisions must be made with the highest possible regard to ethical standards, ensuring that Police Scotland and the SPA's commitment to policing by consent is continually reinforced.

Police Scotland and the SPA already have a robust decision making process in place, however following the work of the Independent Advisory Group work stream it is recognised that there is an opportunity to formalise this process to ensure that ethical considerations are placed at the heart of the decision making process. Any future approach should be flexible and scalable and make use of a range of existing tools that can be applied proportionately to provide clarity in the decision support process. It should also provide a clear audit trail for purposes of public accountability.

What are ethics?

At its simplest, ethics is a system of moral principles. They affect how people make decisions, lead their lives and carry out their work. Ethics is concerned with what is good for individuals and is also described as moral philosophy.

Police Scotland's Code of Ethics sets out the standards expected for all those who contribute to policing in Scotland. The Code is a practical set of measures, which reflect the values of the Police Service of Scotland. This Code sets out both what the public can expect from Police Scotland and also what staff and officers should expect from each other.

The Code of Ethics is focussed on four key values. These are: (i) integrity; (ii) fairness; (iii) respect and (iv) human rights. For the purposes of this document some examples of the standards set out in the Code of Ethics are provided below. These ethical standards apply to all officers and staff as well as organisational decision making.

Integrity

• Recognition that policing is a symbol of public faith and trust and the obligation this places upon Police Scotland to act with integrity, fairness and respect
• Act as a positive role model in delivering a professional, impartial service, placing service to communities before personal aims
• Behave in a way which reflects the values of policing in Scotland

Fairness

• Ensure that people have fair and equal access to police services according to their needs
• Ensure policing is guided by the principles of impartiality, non-discrimination
• Maintain an open attitude and continue to improve understanding and awareness of cultural, social and community issues

Respect

• Respect and uphold the law in order to maintain public confidence
• Show respect for all people and their beliefs, values, cultures and individual needs

Human rights

• Ensure that policing respects the human rights of all people and officers

The five case model

As described in Part one of this report, Police Scotland and the SPA employ the Five Case Model to appraise business cases. This is recognised as best practice across the UK public sector. The Five case model is not only applied to business cases relating to new and emerging technology, but is instead used when considering the full suite of policies, strategies, programmes and projects. The Framework enables a thorough assessment of business cases to ensure proposals demonstrate an appropriate utilisation of public funding. The following dimensions are considered in the framework:

• The Strategic Case
• The Economic Case
• The Commercial Case
• The Financial Case
• The Management Case

The Strategic Case requires demonstration of how the business case provides strategic fit with existing projects and programmes, as well as the organisation as a whole.

The Economic Case considers whether the business case provides best public value to society, including wider social and environmental effects.

The Commercial Case requires demonstration as to how the preferred option will result in viable procurement between service providers and the public sector.

The Financial Case assesses whether the business case is affordable and able to be funded.

Finally, the Management Case considers whether there are suitable arrangements in place to ensure the delivery, monitoring and evaluation of the scheme.

The Framework details the contents of each individual case as well as guidance on developing the business case appropriately to cover the individual criteria.

Whilst the current Framework is comprehensive and considers wide-reaching implications of business cases, there is currently limited opportunity within it to assess the ethical implications of a project business case.

It is therefore recommended that the present framework be enhanced to enable it to assist in determining, evaluating and balancing the ethical impacts of a business case. This presents an opportunity for the sixth case: the Ethical Case. This would consider the impact of change on a variety of aspects of ethics, including human rights, the impact on individuals, society and on public confidence. A 'sixth case' approach must be proportionate and make best use of resource. It is therefore suggested that an independent triage process is introduced to understand whether there are ethical implications that need to be discussed and addressed. A specific proposal has been developed to triage issues regarding data ethics across the policing system which is presented in detail in a following section on the Data Ethics Framework. The benefit of a triage approach is that it will focus effort on the areas of high risk, rather than every project needing to complete a sixth case. If the initial triage determined that there was low risk at IBC stage then no other work would be required but this assessment would inform the final decision.

It is important to consider the ethical, social and human rights impacts of future business cases for the adoption of new technology to ensure the SPA and Police Scotland are cognisant of upholding and improving public confidence. Furthermore, by calling attention to any ethical impact, this ensures it receives appropriate consideration. This could involve leveraging positive ethical impacts, or putting in place appropriate mitigations in the instance that negative ethical implications are raised.

As such, when assessing future business cases, it is proposed that existing governance tools are utilised to ensure appropriate consideration is given to the ethical impact of future business cases.

Key Consideration 5: The SPA and PS should develop a wider framework which sets out a suitable process for all ethical considerations, this should serve to guide the creation of a sixth ethics and human rights case which would be included in Initial and Full Business Cases. (See Appendix 3 – Draft proposals for Oversight of Ethical Considerations in Policing)

Data ethics framework

Following the establishment of the IAG on new and emerging technology, Police Scotland have developed a data ethics framework which can be used across the Policing System. The framework sets out how Policing should govern its development and deployment of data driven technology. The framework proposes new checks and governance tools embedded into the existing change process and will seek both internal and independent advice to ensure that the adoption of new technologies is proportionate, ethically justifiable and aligned with Police Scotland and the SPA's commitment to policing by consent.

The Data Ethics Framework has been endorsed by Police Scotland and will be considered by the Authority for use across the Policing System in the coming months.

Key Consideration 6: The process to gain approval to adopt the Data Ethics Framework across the policing system continues and that a light touch review is undertaken 12 months after the roll out to quantify the benefits realised.

In order to provide assurance to the IAG, that the proposed data ethics framework addresses the identified gaps, the following sections of this report will summarise the proposed framework and highlight areas that are expected to significantly enhance the oversight and scrutiny of the adoption of new and emerging technology across Policing.

Purpose

Data and data-driven technology provides new opportunities and the potential for innovation, but the Scottish Policing System need to get this right by driving the responsible use of data and technology. Data ethics is not about constraining this potential, but about the responsible and trustworthy use of data.

The proposed data ethics framework will guide Scottish Policing in the responsible use of data and data-driven technology, and provide the governance required to identify and address ethical challenges posed by novel uses of data and data-driven technology. The framework has been developed in collaboration with the Centre for Data Ethics and Innovation (CDEI) and through engagement across the police service and externally, with academics, civil society and Scottish Government. Delivery of this framework will support the Scottish Policing System in meeting its ambition to become "organisations driven by effective and efficient use of data, in an ethical way."

It should be noted that although the focus of the data ethics framework is on 'data' and 'data-driven technology', the methodology can equally be applied to technologies that either have limited or no data collection element, such as conducted energy devices or TASER as part of a wider sixth case approach.

Alignment with the memorandum of understanding

Police Scotland and the Scottish Police Authority have recently formally agreed a Memorandum of Understanding (MoU) which aims to ensure early visibility and oversight of any new and emerging strategy, policy or practice under consideration by Police Scotland. The MoU will apply to all novel deployments and technologies. The Authority's main focus will be on significant equalities, human rights, privacy or ethical concerns raised, or where the issue will have a significant impact on public perceptions of, or confidence in, policing.

The aim is to provide early recognition of the public importance, a focus on understanding the public interest around it, and a shared critical pathway for assessment and anticipated outcomes. The MoU will use existing Police Scotland management controls and advisory mechanisms, and SPA governance systems, to achieve the aim.

It is proposed that the Data Ethics Framework provides a methodology and mechanism to ensure that the goals of the MoU in relation to data ethics are implemented in a consistent and repeatable way. The same methodology can be scaled to cover a wider consideration of equality and human rights issues. An outline proposal is presented at Appendix 3.

Approach to the framework

The proposed framework is principles based and considers how these principles apply in the context of the decision being made. At the heart of policing in the UK is consent and legitimacy in the eyes of the public. Practically applying these principles should ensure that the Policing System in Scotland take a trustworthy approach to the use of data-driven technology as the service looks to innovate.

Underpinning this trustworthy approach must be a commitment to asking the right questions and developing robust, evidence-based and acceptable responses to them, which are open to internal and external scrutiny and challenge.

Guidance questions have been developed, structured by key themes, which are related to the responsible development and use of data and data-driven technology, including:

• Value and impact: The use of data and data-driven technology should provide value and benefit to individuals or society that is measured and evidenced.
• Effectiveness and accuracy: Data-driven technology in policing should be reliable and improve the accuracy of existing approaches. This should be monitored, audited and for particularly sensitive projects independently evaluated. Good quality data is required to ensure the data-driven technology is reliable and effective.
• Necessity and proportionality: Any potential intrusion arising from police use of data must be necessary to achieve legitimate policing aims and proportionate in relation to the anticipated benefits.
• Transparency and explainability: The project's purpose, details of the data it uses, and notice of its deployment should be made public and open to scrutiny. Data-driven technology should be understood by relevant individuals using and affected by it.
• Reliability and security: Data-driven technology in policing should be reliable and measures should be in place to ensure data is used securely and protects privacy.

This approach to governance is designed to help the Policing System in Scotland identify potential harms, risks, and challenges and weigh these up with potential benefits and opportunities. Ultimately, being able to answer these questions should help Police Scotland deliver on their ambition to use data ethically.

Data ethics governance framework

The Framework sets out how the Policing System in Scotland should govern its use of data and data-driven technology. It outlines mechanisms for internal input and challenge along with ways to inform decision making with independent advice. It also sets out practical guidance and repeatable processes for identifying the key ethical considerations when developing a data-driven project.

The Framework recommends the governance required to identify and address ethical challenges posed by novel uses of data and data-driven technology. It is an enabling Framework, designed to ensure a consistent approach to making decisions and is not intended to constrain responsible innovation.

The Framework suggests an approach to ensure that clear, robust governance supports decision making for any data and data-driven technology associated projects. Such governance arrangements should be established before Police Scotland makes significant steps to invest in new technologies so as not to risk undermining public confidence.

In the context of a responsible approach to the use of data and technology in Scottish Policing, good governance means:

• Establishing robust mechanisms for internal input and challenge, and external advice, on decision-making. This should include ensuring that risks and harms are properly understood and weighed up.
• Establishing clear responsibility and accountability for new uses of data and data-driven technology. This should include identifying the key decision-makers and decision points along the project lifecycle, within the existing policing chain of command.
• Putting in place repeatable processes to identify, address and test ethical considerations and ensure consistency of approach and auditability.

The approach to good governance in the Framework will also drive other benefits which will overall contribute to building confidence in the Policing System in Scotland as a trusted steward of data. Embedding the Framework will help Scottish Policing raise the bar in the following ways:

• Being transparent and open about its use of data and data-driven technologies, communicating such uses clearly, accessibly and, where possible, proactively.
• Engaging with diverse views and collecting input on its uses of data and data-driven technologies and, where appropriate, demonstrating the path to impact such engagement has.
• Drawing, and building on, specialist and multi-disciplinary expertise to ensure the use of data and data-driven technology is robust, evidence-based and effective.
• Clearly articulating the purpose and value of the use of data and data-driven technologies and ensuring these are measured and met. This should include identifying the trade-offs and considering what is publicly acceptable.
• Identifying and mitigating potential harms that may arise from novel uses of data.
• Creating an environment for responsible innovation, whereby new approaches can be explored within frameworks of rigorous oversight, evaluation and transparency.

The below diagram summarises the proposed ethics governance framework and details how it will work in line with the project and programme methodology employed by Police Scotland and the SPA:

• The Ethics Advisory Panels discuss whether Scottish Policing should use data in a particular way or develop a new data-driven technology at the Problem Identification stage. They should also be identifying the ethical challenges and sorts of mitigations needed if the Police or Forensics Service was to go ahead with the project.
• The Data-driven Technology Oversight Group provides internal input and oversight through the project lifecycle.
• At this stage it is proposed within the data ethics framework that projects that fit the criteria set out in the Introduction will be reviewed and scrutinised externally by the Independent Data Ethics Group from the Design stage through to deployment (it is proposed this group is facilitated by the SPA).
• The Technical Design Authority will provide input specifically at the Design stage.

Ethical questions or challenges associated with a project may be raised by the Policing System or by these bodies as a project progresses. Should a new and sensitive ethical challenge emerge midway through the project lifecycle, it may be necessary to refer it back to a National Ethics Advisory Panel or Independent Ethics Advisory Panel.

A detailed description of the role and remit of each governance body/group has been provided in Appendix 1.

1. Date Ethics Assessment

• Embedded into IBC/FBC process

Project completes data ethics assessment at planning stage

2. Data Ethics Triage

Data ethics triage determines whether additional internal and external scrutiny is required

• CDO to lead with triage

3. Internal Scrutiny

• New internal data scrutiny group required

For "high risk" projects during delivery stage

Use data ethics toolkit to identify and mitigate risks

4. Independent Scrutiny

For "high risk" projects during delivery stage

Use data ethics toolkit to identify and mitigate risks

• New independent data ethics scrutiny group required

5. Ongoing Review

Post-deployment monitoring

Triage of risk – Data ethics risk assessment

As the use of data and technology become more common, it can be challenging to determine the level of risk associated with a given project and the subsequent levels of governance and oversight that should be invested.

To address this, the Data Ethics Governance Framework contains a set of eleven common triage questions to be used when considering a new project. Those projects which have been identified as carrying particularly high risk (as an outcome of the triage), will go through the detailed Framework process, thereby ensuring effort is focused only on those with the highest risk.

The triage questions consider a number of dimensions, including the scale and breadth of project, the data being used, the outcome/effects, and potential disproportionality. The detailed questions have been provided in Appendix 2.

While the Triage questions have been designed to carry out a risk assessment on projects, they could easily be applied to non-project initiatives and/or standalone decisions.

Recognised best practice and benchmarking

The proposed roll-out of a Data Ethics Governance Framework is aligned with current recognised best practice in UK policing. Most notably, work by West Midlands Police to establish an Ethics Committee has been recognised by the NPCC and numerous international policing bodies as cutting edge and public sector best practice. The West Midlands Police (WMP) Ethics Committee functions to advise the Police and Crime Commissioner and Chief Constable on data science projects being proposed by the West Midland Police Data Analytics Lab.

The Data Analytics Lab is led by specially recruited data scientists and will develop programmes of work that use data more intelligently to help WMP prevent crime, allocate resources more efficiently and help it to do its job of keeping the public safe. The Ethics Committee has now been operating since April 2019 and helps ensure that ethics and people's rights are put at the heart of the Lab's work. Using the Committee' expertise, it is regarded that West Midlands Police are in a better position to help people avoid crime and support the communities of the West Midlands.

Although broader in scope, the Data Ethics Governance Framework has ensured that the experiences and learning from West Midlands Police are reflected in the Framework. In particular the establishment of an independent external consideration and advisory mechanism, aligns closely with the Ethics Committee that is now tried and tested in the West Midlands. Going forward, it is recommended that Scottish Policing continues to share experiences with partner agencies, both nationally and internationally and within the network of the NPCC to continually share lessons learned and refine approaches.

Main considerations - Data ethics framework

The Policing System in Scotland recognises that there is significant opportunity for data and technology to support progressive policing, however it is also recognised that the adoption of such technology can present significant organisational and ethical risks. This calls for greater levels of scrutiny, oversight and transparency of particular uses of data and data-driven technology.

As such, it is recommended that Police Scotland continue to seek approval to adopt this approach and implement key aspects of their Data Ethics Framework across the Policing System in Scotland:

1. Data/technology Ethics Triage – Set up a policing system Data/technology Ethics Triage process, which would provide a data ethics risk assessment for all new project submissions, and also be used for relevant standalone operational initiatives/decisions.

2. Internal Scrutiny – Set up an internal Data-Driven Technology Oversight Group, which would provide internal support and challenge for high-risk data-driven technology projects (as identified by the Triage process) throughout the project lifecycle.

3. External Scrutiny – Set up an external scrutiny mechanism, jointly with the Scottish Police Authority, to provide external review and advice to the SPA and Police Scotland and Forensics Services senior leadership teams on data-driven /technology projects being proposed.

4. Design Authority – Accelerate the development of the internal Digital & Data Design Authority, with Data Design embedded in the scope. This would support, review and provide challenge at the 'Design' phase of a data-driven project.

5. Alignment to Change process – The guidance and controls laid out in the Data Ethics Governance Framework should be embedded into the Policing System BAU Change Governance process, and align with the existing PMO Stage Gates.

6. Transparency – Maximum transparency and engagement is encouraged and should be foundational to the Scottish Policing System's use of data and data-driven technologies, both internally and externally. Whilst transparency in practice will necessarily look different across different use cases and the confines of the specific policing context need to be understood, in principle it should involve clear, comprehensive and accessible communications, tailored to the needs of different audiences. Where possible, transparency should be a proactive rather than a reactive process

7. Future extension – Although beyond the scope of the IAG work stream, it is also recommended that the SPA considers the implementation of the MoU principles with the further enhancement of how ethical dilemmas across all policing policy and practice are addressed. This consideration should seek to learn form and build on the Data Ethics Framework. The independent data ethics group proposed by the Data Ethics Framework could in time be broader in scope and use external expertise to advise Scottish Policing's development of changes to police, practice or strategy and provide assurance and advice to Authority members to support their decision making through thorough consideration of human rights and ethical issues presented by new initiatives.

Initial outline considerations of a wider ethical assessment of new strategies policies and practices aligned to the principles of the MoU are detailed at Appendix 3.

Workstream membership

• Scott Ross, Scottish Police Authority
• Elaine Galbraith, Her Majesty's Inspectorate of Constabulary in Scotland
• Naomi McAuliffe, Amnesty International
• Diego Quiroz, Scottish Human Rights Commission
• Dr Genevieve Lennon, University of Strathclyde
• Dennis Hamill, Police Scotland Chief Data Officer
• Sam Curran, Scottish Police Authority