Publication - Impact assessment

Enhanced oversight of biometric data consultation: partial BRIA

Published: 13 Jul 2018

Partial business and regulatory impact assessment (BRIA) on the consultation on enhanced oversight of biometric data for justice and community safety purposes.

Enhanced oversight of biometric data consultation: partial BRIA
Partial Business and Regulatory Impact Assessment

Partial Business and Regulatory Impact Assessment

Title of Proposal

Enhanced oversight of biometric data for justice and community safety purposes.

Purpose and intended effect

Background

It is widely accepted that the use of biometric data is critical to policing and community safety activity in Scotland. Fingerprints and DNA often carry significant evidential value and custody images have been used for many years. These techniques are increasingly being supplemented by new and emerging technologies (or second-generation biometrics) such as facial recognition software, remote iris recognition, and other behavioural biometrics such as voice pattern analysis. It is also accepted that the biometrics field is highly complex, with successful adoption of the use of biometric data and technologies raising a range of ethical and human rights considerations.

When we talk about ‘biometric data’ for the purpose of this proposal, we are referring to any physical, biological, physiological or behavioural data derived from human subjects, which have potential to identify a known individual and which have been used by Police Scotland, the Scottish Police Authority ( SPA) or other specified agencies in a justice and community safety context in Scotland. We have defined the term in this way because it is wide enough to cover any future technological or scientific developments in this ever-changing area. It also recognises the key role of such agencies in not only the prevention and detection of crime, but also in improving the safety and well-being of persons.

In June 2017 the Cabinet Secretary for Justice established an independent advisory group ( IAG) to provide recommendations on a policy and legislative framework for police use of biometric data and technologies. The group was chaired by John Scott QC and drew its membership from Police Scotland, the Scottish Police Authority, Her Majesty’s Inspectorate of Constabulary in Scotland ( HMICS), the Crown Office and Procurator Fiscal Service, the Scottish Human Rights Commission and the UK Information Commissioner’s Office, with relevant academic and research expertise also in place.

The Group presented its report on 22 March, making a total of 9 recommendations which sought to improve public awareness and strengthen the governance arrangements for the use of biometric data. Ministers accepted 8 of those recommendations and signalled principled support for the final recommendation which called for the establishment of an independent Scottish Biometrics Commissioner.

This proposal seeks to give effect to three of those recommendations:

  • Legislation should establish a Code of Practice covering the acquisition, retention, use and disposal of DNA, fingerprints, facial and other photographic images (including custody images) and all existing, emerging and future biometrics for Police Scotland, the Scottish Police Authority and other bodies working in the field of law enforcement. The legislation should outline matters relating to review of the Code by the Scottish Parliament.
  • The Code of Practice should be the subject of detailed consultation. It should contain relevant human rights and ethical principles, address the implications of any presumption regarding retention and specify relevant procedures for applications from private citizens for deletion of biometric data. It should contain specific reference to validation of biometric technologies.
  • There should be legislation to create an independent Scottish Biometrics Commissioner. The Commissioner should be answerable to the Scottish Parliament, and report to the Parliament. The Commissioner should keep under review the acquisition, retention, use and disposal of all biometric data by the police, SPA and other public bodies. The Commissioner should promote good practice amongst relevant public and private bodies, and monitor compliance with the Code of Practice.

Objective

The Criminal Procedure (Scotland) Act 1995 (‘the 1995 Act’) is the primary Scottish legislation allowing the retention of fingerprints and other biometric samples from a person arrested by the police. Sections 18 to 19C stipulate the conditions under which samples may be taken by the police, as well as rules for retention and specification of the purposes of use of samples.

Whilst the data obtained under those sections will account for a significant proportion of the biometric data held and used for justice and community safety purposes, biometric data is also captured by the police in other circumstances. For example, there are situations where victims and witnesses agree to their biometric data being held in order to support investigative activity. In addition, police officers share their biometric data in order that they can be eliminated from investigations in circumstances where, for example, their fingerprints are found at the scene of an incident following their attendance in the course of their duties. Finally, there will be occasions where Police Scotland hold and use biometric data which has been provided by another agency, for example CCTV provided by a local council or data provided by a NHS Scotland Health Board.

Whilst there is currently evidence of strong governance and practice within both Police Scotland and the SPA with regards to the use and management of biometric data and techniques, there is currently no independently established framework of targeted standards against which to measure the quality of systems and practices currently adopted for the management of the above data.

To address this point, we are proposing that a statutory Code of Practice be developed. The Code would set out guidance in the form of 'General Principles' which clearly outline the responsibilities of those to whom it applies. The General Principles will embody wider legal, ethical, human rights, and data protection considerations including the special considerations to be made for children, vulnerable adults and protected characteristic groups. Importantly, the Code will not impact the existing legislative framework for the retention of biometric data. Rather, it will seek to ensure that the existing framework is understood, and that the retention of biometric data is both necessary and proportionate, and in accordance with the law.

We are proposing that a Scottish Biometrics Commissioner be established with a function to review the acquisition, use, retention and disposal of biometric data by Police Scotland, the SPA and other specified bodies. In fulfilling this function, the Commissioner will have regard to the Code of Practice.

We consider these measures will support the effective, proportionate and ethical use of biometric data, ultimately leading to better outcomes and maximising the value offered by biometric technologies in a justice and community safety context.

Fit with Scottish, UK and EU policy

The changes we are proposing are designed to support the delivery of effective and ethical policing activity in Scotland. Such activity falls within the devolved competence of the Scottish Parliament.

The proposal replicates, to a degree, current arrangements operating elsewhere in the UK. The Protection of Freedoms Act 2012 places a duty on the Secretary of State to appoint a Commissioner for the Retention and Use of Biometric Material in England and Wales. It confers on the Commissioner a general function of keeping under review the retention and use by the police of fingerprints and DNA profiles in specified circumstances. Separately, it confers on the Commissioner the specific function of keeping under review determinations made by chief officers of police and others that the fingerprints and DNA profiles of a person are required to be retained for national security purposes, and the use to which fingerprints and DNA profiles so retained are being put.

Similar to the above, in Scotland we are proposing that a Commissioner be established to review the acquisition, use, retention and disposal of biometric data for justice and community safety purposes. Generally, the Commissioner would review the practice, processes and standards adopted by Police Scotland, the Scottish Police Authority (which delivers forensic services and manages some biometric databases on behalf of policing in Scotland), and any other individuals exercising the powers of arrest for devolved purposes in Scotland.

It is recognised that biometric data (and, indeed, all other forms of such data pertaining to living individuals) would be personal data in the context of the data protection regime which is a matter reserved to the UK Parliament. It will therefore be important to ensure that the Code of Practice highlights the importance of full compliance with that regime. Similarly, it will be important to ensure that any advice, guidance and support offered by the Scottish Biometrics Commissioner takes full account of that regime as well as the role and remit of the UK Information Commissioner.

Rationale for Government intervention

In the context of seeking to strengthen our approach to the use of biometric data and technologies, the most relevant national outcomes are:

  • We live in communities that are inclusive, empowered, resilient and safe
  • We are open, connected and make a positive contribution internationally
  • We respect, protect and fulfil human rights and live free from discrimination
  • We grow up loved, safe and respected so that we realise our full potential

We know that the effective utilisation of biometric data and techniques can play a critical role in responding to criminal activity, improving the wellbeing of communities and supporting interventions which can in turn prevent repeat offending. The Commissioner would play an important role in maximising the benefits of biometric technologies in this context. The establishment of a centre of expertise to advise on and monitor the effective use of biometric data would undoubtedly aid the work already undertaken by Police Scotland and the SPA to drive improvement in this area. It is worth noting that existing practice is generally considered to be of a high standard.

We also know that our most disadvantaged communities are disproportionately impacted by criminal activity. The establishment of a Commissioner to improve standards and enhance performance therefore has the potential to aid our wider efforts to address the inequalities experienced across society.

Ministers have set a clear vision of Scotland as the best place in the world to grow up, with the Getting It Right For Every Child approach placing particular focus on improving life chances for children and young people. The Commissioner would oversee new Police Scotland policy to minimise the number of children who have biometric data captured. This will reduce stigmatisation and minimise children’s interaction with the justice system, supporting implementation of the UN Convention on the Rights of the Child.

Furthermore, the Human Rights Act, which incorporates the European Convention on Human Rights ( ECHR) into UK law, sets out the fundamental rights and freedoms that everyone in the UK is entitled to, and makes it unlawful for a public authority to act in a way which is incompatible with Convention rights.

Because biometric data retention is an interference with the right to privacy, the proposed Code of Practice therefore establishes a presumption of deletion for biometric data (in circumstances where the subject has no previous convictions) following the expiry of the relevant retention periods as prescribed or permitted in law. This will be monitored by the Scottish Biometrics Commissioner.

Through effective enforcement of a proposed statutory Code of Practice for biometrics the Commissioner would also deliver greater transparency around performance, whilst their role in advising on working practices is likely to have a positive impact on the standard of service delivered on behalf of the public. The Commissioner’s expertise in relation to the adoption of biometric techniques will also support innovation and Scotland’s engagement and reputation on an international level.

Consultation

Within Government

All Government portfolios have been consulted on the proposals.

Discussions focused on:

  • The scope of the Commissioner’s role and the nature of biometric data to be covered by our proposals.
  • Consideration of the impact that the proposals will have on the promotion of human rights, including specifically the rights of children and young people.
  • Alignment with the Scottish Government’s public service reform priorities.
  • Alignment with the UK data protection regime.
  • Affordability of proposals for a Scottish Biometrics Commissioner.
  • Alignment of proposals for remuneration of the Scottish Biometrics Commissioner with public sector pay policy.

Public Consultation

As noted earlier, proposals have been developed following the Report of the IAG, chaired by Solicitor Advocate John Scott QC. The IAG drew its membership from Police Scotland, the Scottish Police Authority, HMICS, the Crown Office and Procurator Fiscal Service, the Scottish Human Rights Commission and the UK Information Commissioner’s Office, with relevant academic and research expertise also in place. The IAG consulted widely in the course of producing their report, and their findings endorse recommendations previously made in both the Fraser and HMICS reviews in calling for the introduction of a Biometrics Commissioner.

In developing the Government’s proposals in this area, officials have continued to engage with John Scott QC and the IAG. Officials have also sought further views from other key bodies including, most notably, HMICS, PIRC and the UK Information Commissioner’s Office.

Moving forward, the Independent Advisory Group, with expanded membership, will continue to meet at key milestones. Scottish Government officials will also take forward a programme of bilateral engagement to ensure key stakeholder views are sought as proposals are developed.

Public consultation will commence in July 2018, running to October 2018. A series of engagement events is planned as part of that exercise, including with children and young people, and under-represented groups.

Business

It is recognised that a number of commercial products are used for the purposes of obtaining, storing and utilising biometric data. With this in mind, officials will seek to engage with key business stakeholders during the consultation period. Details of potential engagement will be further developed in conjunction with Police Scotland and the SPA who will be the primary clients for these commercial providers.

Options

In developing proposals, officials undertook an Options Appraisal which considered the following options for delivery of enhanced oversight. These included:

  • Extending the functions of an existing policing body.
  • Extending the functions of a Parliamentary Commissioner.
  • Establishing a standalone Commissioner appointed by Ministers.
  • Establishing a standalone Parliamentary Commissioner.
  • Maintaining the status quo.

Sectors and groups affected

  • Policing and Law Enforcement: Police Scotland and the SPA will be required to comply with the Code of Practice on a statutory basis. The Code of Practice would also apply to any other bodies who may collect biometric data whilst exercising powers of arrest for devolved purposes. The Scottish Biometrics Commissioner will have a role in supporting, advising and reviewing activity taken forward by those bodies.
  • Other public bodies who collect biometric data from citizens engaged in routine activity: Although the primary purpose of the Code of Practice is to ensure statutory regulation in relation to the above mentioned bodies, there are many other public bodies who collect biometric data from citizens engaged in routine activity. These include, for example, local authorities and others operating public space CCTV surveillance systems. In addition, biometric data is also collected and retained with consent in various health and education contexts. We believe that many of the principles and practices set out in the Code will also be of interest to those organisations and for that reason we would encourage, as appropriate, their adoption on a voluntary basis.
  • Regulatory bodies and office holders in Scotland, whose regulatory function might offer insights into biometric data use: for example the Lord Advocate, HMICS, the Police Investigations and Review Commissioner, the UK Information Commissioner and the Scottish Human Rights Commission.
  • The Private Sector: the statutory requirement to comply with the Code of Practice will not apply directly to private sector organisations. However, where such an organisation is collecting, using or retaining biometric data on behalf of one of the bodies to whom the Code applies on a statutory basis, there should be a requirement made by the commissioning body to ensure the private sector organisation complies with the Code.

Benefits

The option to maintain the status quo was not considered viable as it could not effectively address the deficiencies in current oversight arrangements which were documented by the IAG and in previous independent reports conducted by HMICS (2016) and Professor Jim Fraser (2008).

Our initial Options Appraisal highlighted six key benefits to be delivered through enhanced oversight:

1. Clear alignment with: Scottish Government National Outcomes, Scotland’s Justice Vision and Priorities and Scottish Ministers approach to public service reform.

2. Clear alignment with Scottish Government Economic Policy.

3. A positive impact on business, policy, environmental and privacy legislation.

4. Robust governance.

5. An ability to effectively scrutinise all aspects of the regulatory framework surrounding the use of biometrics for policing and community safety purposes.

6. Enhanced public/stakeholder awareness and confidence around the use of biometric data.

Overall, there is a robust basis for the establishment of a new officeholder and strong strategic drivers, in line with Scottish Government priorities, in support of this option. Whilst the financial implications associated with the Commissioner’s office are not insignificant, the investment is considered to represent good value for money given the wide-ranging benefits which we expect to see realised.

Establishing a Commissioner who is accountable to Parliament may create a more transparent relationship with Government, including specific protection for the independence of some functions. This could help to ensure that confidence in the integrity of Ministers and the organisation is maintained and enhanced.

Costs

In order to analyse the financial implications of the Commissioner, we have drawn evidence from a number of sources including the office of the Biometrics Commissioner for England and Wales and the Scottish Parliamentary Corporate Body. Work will continue throughout the consultation to further refine these cost estimates associated with the establishment of a Commissioner.

In England and Wales the Protection of Freedoms Act 2012 introduced a new biometrics regime including the appointment of an independent Biometrics Commissioner. The Biometrics Commissioner has jurisdiction over England and Wales only, but also has a broader UK role on reserved matters of UK National security. The Commissioner is contracted for 0.6 Full Time Equivalent ( FTE) against an FTE net salary of £125,000 (his salary does not attract a pension).

Given the differing scale of Scotland, with a single primary police service, smaller population, and significantly smaller volumes of biometric data on retention, it is reasonable to assume a simplified landscape and narrower remit for a Scottish Commissioner.

Remuneration will also have to reflect those terms and conditions afforded to comparable Commissioners appointed by and accountable to the Scottish Parliament. Our assessment is that the Scottish Information Commissioner and Scotland’s Commissioner for Children and Young People offer perhaps the best indication of likely cost.

In light of this, it is reasonable to envisage a Scottish Biometrics Commissioner would be contracted for a maximum of 0.6 FTE against an FTE net salary of £75,000. They would therefore attract an actual salary in the region of £45,000.

The Commissioner will have to be supported by a small staff complement (estimated at 2.5 FTE staff members) and is likely to incur at least some accommodation and wider running costs. Taking this into account, an early indicative estimate of costs associated with the sponsorship of a Commissioner would therefore be:

Area Annual cost
Commissioner Remuneration £45,000
Support staff costs £118,200
Accommodation and other incidental costs £65,000
TOTAL £228,200

Scottish Firms Impact Test

Competition Assessment

While not involved in direct regulation of private sector bodies, the Scottish Biometrics Commissioner should have indirect oversight of their work on biometric data where it is done at the request of, or feeds into work by, Police Scotland, the SPA or any other body to whom the Code of Practice applies. In such cases, the relevant body should specify a requirement on the part of the private body to comply with relevant legislation, and to comply with the General Principles of the Code of Practice.

The Code of Practice will require that bodies to whom the Code applies should have internal validation systems, processes and procedures in place in respect of each biometric technology or technique that they operate as part of internal governance regimes. While this may reduce the number of suppliers available for selection to only those who can demonstrate the required standards of quality, this will assist with demonstrating the integrity and value of the underlying technology.

Contracts for biometric data handling systems should not be provided to private sector companies who do not agree to comply with the Code of Practice, particularly where private sector biometric identification software uses algorithms that cannot be independently validated due to issues of commercial confidence.

Enforcement, sanctions and monitoring

It will be a key role of the Scottish Biometrics Commissioner to advise, guide and oversee the practice of those bodies covered by these proposals (that is Police Scotland, the SPA and any other individuals exercising powers of arrest for devolved purposes in Scotland). Where a systemic breach of the Code of Practice is identified, the Scottish Biometrics Commissioner will have the power to serve an improvement notice. Whilst there will be no formal sanction associated with an improvement notice, details of such will be included in the Commissioner’s annual report to Scottish Parliament.

Implementation and delivery plan

Subject to the views expressed through the planned public consultation, Scottish Ministers will seek to bring forward legislation to establish a Scottish Biometrics Commissioner and associated statutory Code of Practice in the current parliamentary session.

Summary and recommendation

The case for the establishment of an enhanced regulatory framework for the use of biometric data for justice and community safety purposes is well established and supported by a range of partners. We consider that the proposals set out will support the delivery of a number of national outcomes and are consistent with the Scottish Government’s wider priorities for public service reform. Whilst the costs associated with the proposals are not insignificant, we consider that they represent good value given the wide-ranging benefits which we expect to see realised.

Declaration and publication

I have read the Business and Regulatory Impact Assessment and I am satisfied that, given the available evidence, it represents a reasonable view of the likely costs, benefits and impact of the leading options. I am satisfied that business impact is being assessed with the support of businesses in Scotland.

Signed:

Date:

Humza Yousaf
Cabinet Secretary for Justice

Scottish Government contact point:

Ruth Winkler
Police Powers and Workforce Unit
Scottish Government

Tel: 0131 244 8024

Email: Ruth.winkler@gov.scot


Contact