Use of biometric data: report of the independent advisory group

This report provides recommendations on a policy and legislative framework for police use of biometric data and associated technologies.


In May 2017, I was asked by the Cabinet Secretary for Justice to chair an Independent Advisory Group to review the retention of custody images by Police Scotland. The Cabinet Secretary for Justice also asked that the Group consider the use and retention of biometric data more generally in policing to seek to establish an ethical and human rights based framework which could be applied to existing, emerging and future biometrics in what is an important and fast-moving area of technology.

The present review comes at an opportune moment as it allows the position in Scotland to continue to be developed in a principled manner which gives appropriate weight to considerations of public protection and security on the one hand, and privacy and other relevant human rights and ethical considerations on the other. Such development should proceed on the basis of as much public awareness and engagement as possible, to try to ensure that there is appropriate public confidence and trust in technology and data which will be used increasingly, and which is important to society as a whole.

From the perspective of knowledge, experience and continuity, we have been fortunate in our work to have as Advisory Group members Her Majesty’s Chief Inspector of Constabulary in Scotland, Derek Penman, and Professor Jim Fraser. Their reports in this area, described in more detail below, have been key in developing the current landscape and outlining a principled course for the future. In addition, we had the assistance of Dr Brian Plastow who worked on the report by Her Majesty’s Inspectorate of Constabulary in Scotland ( HMICS). Brian’s knowledge and enthusiasm have been invaluable.

We also had the benefit in membership of our Group of considerable knowledge, experience and expertise in the fields of policing, forensic science, criminal justice, data protection, human rights and quantitative research. I am grateful to all Advisory Group members for their contributions. This report could not have been produced in such a short period of time without considerable effort on their part.

The Group had six months to carry out its work. The final report was submitted to the Cabinet Secretary for Justice on 7 February 2018.

The Scottish Government has advised that it intends to undertake a public consultation later in 2018 which will include discussion of our recommendations. We did, however, seek views from a broad range of interested and expert parties, both individuals and groups. We identified them with the assistance of those working in the field of biometric data and through responses to previous relevant consultations. A list of those who responded and consented to being identified is attached at Appendix 3. We are extremely grateful to those who took the time to send us written submissions. Their submissions have greatly assisted us in producing our recommendations. Written responses and submissions will be published along with this report.

In addition, many individuals gave up their time to speak to us in meetings and telephone calls, as well as sending us papers and suggestions. Special mention should be made of Professor Paul Wiles, the UK Biometrics Commissioner [1] , and Dr Gill Tully, the Forensic Science Regulator (England and Wales) [2] . Both attended one of our Group meetings, along with Dr Carole McCartney of Northumbria University Law School and her PhD student, Aaron Amankwaa. Carole is an acknowledged expert in this area, having been project manager for the Nuffield Council on Bioethics report 'The Forensic Uses of Bioinformation: Ethical Issues' and the Nuffield Foundation project 'The Future of Forensic Bioinformation'. Discussions with her have been invaluable. All four also assisted with comments on a late draft of the report and recommendations.

We are also grateful to the Biometrics and Forensics Ethics Group [3] , the body which provides advice to the Home Office in this area. They provided us with a draft paper which formed the basis for much of Chapter 5. They also allowed me to participate in one of their meetings and commented on a late draft of this report.

Special mention should also be made of the contribution of Police Scotland and the Scottish Police Authority. Both organisations offered considerable assistance to our work. Both were represented on the Advisory Group by their Forensic leads. In addition, several others within these organisations assisted us with information whenever requested, especially Calum Dundas, Forensic Data Manager at National Systems Support within Police Scotland. Calum guided us through current systems and procedures, as well as assisting with thoughts about possible future developments. He also commented on late drafts of the report.

A detailed list of meetings and conference calls appears in Appendix 2. All of this assisted us in arriving at our recommendations.

Although all Group members have contributed to the final report, I should make specific mention of Brian Plastow, who produced the original draft of Chapter 2; Diego Quiroz, who drafted the paper which forms the basis for most of the Human Rights section of Chapter 4; and Ken Macdonald who drafted the Data Protection section of Chapter 4.

Professor Dame Sue Black provided us with helpful suggestions at the start of our work and commented on a late draft of this report. We are very grateful to her.

We also wish to record our thanks to Lindsay MacDougall and, latterly, Ruth Winkler of the Police Strategy and Performance Unit within the Scottish Government, who provided the secretariat for the IAG.

Finding a suitable legislative slot is a constant demand on Government. To this end, we suggest that further work might usefully be carried out in anticipation of legislation following on from our recommendations. We suggest that further development work should take place ahead of public consultation. This work can help to shape the terms of the public consultation, as well as developing the detail of our recommendations, specifically the role of the Commissioner and Ethics Advisory Group, as well as the terms of any legislation and draft Code of Practice.

John Scott QC Solicitor Advocate

7 February 2018

Executive Summary

Biometric data – primarily fingerprints and DNA, although with other technologies developing – are used in the criminal justice process in a number of ways.

Looking specifically at DNA evidence, in the three decades or so that DNA profiling has been in use it has revolutionised the investigation of crime. It is used daily in the investigation of a wide range of offences to identify offenders from minuscule amounts of body fluids and tissues. In sexual offences, DNA profiling can untangle complex mixtures of body fluids, typically found in such cases, to provide evidence that was previously unavailable. The introduction of DNA 24 technology and interpretation software in Scotland is thought to have proved invaluable. The creation of national DNA databases enables the linking of offences where a suspect has yet to be arrested, and the rapid identification of such individuals when they are arrested.

While it is often impossible to say what role such evidence has played in the resolution of particular criminal investigations, there seems little doubt of its significance. Reporting of a recently concluded case in Scotland involving serious organised crime suggests the possible importance of advances in such technologies [4] .

Crucially, and often overlooked, DNA evidence is routinely used to eliminate individuals suspected of being offenders.

Both of these uses of biometric data, assisting with identification and elimination, can contribute to public protection.

Finally, DNA profiling plays a critical role in the identification of body parts and tissues, for example in terrorist incidents and civil disasters.

On the other hand, there are concerns about the capture, storage, retention, use and disposal of biometric data in databases within the justice system and elsewhere. These are discussed in more detail elsewhere in the report.

Public confidence in the use of such data is important because of the potential significance of biometric data in individual cases and the justice system as a whole. Such data are a common feature in the most serious criminal investigations and contribute to the overall efficacy of our system of criminal justice, albeit in a way which is unquantifiable. The significance of what can be gleaned from such data, particularly the limitations, is not widely understood. Biometric data has implications for privacy and other fundamental human rights. It is an area which has been explored before in Scotland, but the Scottish Government considered that it should be subject to further review.

This report offers a review of evidence relating to the acquisition, retention, use and disposal of biometric data (including DNA, fingerprints and image data) by Police Scotland and the Scottish Police Authority [5] (‘ SPA’). (See Chapter 1 for an explanation of the phrase ‘biometric data’ for the purposes of this report). The report was prepared by an Independent Advisory Group (‘ IAG’), set up by the Scottish Government at the request of the Cabinet Secretary for Justice in June 2017. Membership of the IAG can be found at Appendix 1. The Terms of Reference are:

To consider the recommendations contained in the HMICS report ‘Audit and Assurance Review of the Use of the Facial Search Functionality within the UK Police National Database ( PND) by Police Scotland’ and:

  • advise Scottish Ministers on a policy and legislative framework for the use of biometric data (including facial images and other forms of emerging biometric data) for: the investigation and prevention of crime; public protection; and maintaining public confidence in the use of such data in Scotland;
  • advise Scottish Ministers on proposals to strengthen the governance and oversight of the use of biometric data and associated technologies in Scotland, including consideration of whether a Scottish Biometrics Commissioner is required;
  • advise Scottish Ministers on the need for, and potential content of, a Code of Practice for the use of biometric data in Scotland;
  • advise Scottish Ministers of human rights and ethical considerations in relation to the use of biometric data for law enforcement purposes; and
  • advise Scottish Ministers of the general principles that should apply to the use of biometric data for law enforcement purposes.

There has been previous relevant work in this field which has informed our review.

On 27 January 2016, HMICS published the report ‘Audit and Assurance Review of the Use of the Facial Search Functionality within the UK Police National Database ( PND) by Police Scotland’ [6] . That report followed Parliamentary consideration of the issue, especially the retention of custody images [7] of individuals who had been charged but not convicted of a crime. This is an area of particular concern because it is not currently governed by legislation and, in practice, different retention periods and policies apply to the same images when kept on different police databases. The HMICS Report made several recommendations with a view to improving consistency and addressing concerns around custody images. The IAG was established, in part, to take forward some of those recommendations.

The issue of biometric data had been considered before in Scotland. Jim Fraser, Professor of Forensic Science at Strathclyde University, reported on the topic in 2008 (‘the Fraser Report’), again at the request of the Scottish Government. His review concerned the acquisition and retention of fingerprints and DNA. The Government consulted on his report and some of his recommendations formed the basis of the legislation which now regulates the retention of fingerprints and DNA.

The Scottish statutory regime for fingerprints and DNA was the subject of judicial approval by the Grand Chamber of the European Court of Human Rights in the leading UK case of S and Marper v the UK in 2008 [8] . Matters have moved on in a number of respects since 2008, in terms of biometric technology as well as jurisprudence, and they may develop further in the next short number of years. We have sought to capture these developments and reflect them in our recommendations.

The first question in our Terms of Reference, as to whether there should be a legislative framework for the use [9] of biometric data, was the simplest to answer. All Advisory Group members agreed that this was not only desirable but necessary, in order to satisfy the obvious requirement of lawfulness for such activity. This aspect was also mentioned by the individuals and bodies who made submissions to the IAG. All who expressed a view stated that legislation is necessary. No one expressed any contrary view.

It is clear from case law in England that legislation is required to govern the retention of custody images – it should be noted that the relevant authority is a High Court decision from 2012 [10] and there is still no legislation in England. The issue has not yet been the subject of judicial consideration in Scotland, but it is certain that the English position would be considered by the courts here and there is no reason to anticipate a different approach.

Coincidentally, the period of our review saw a campaign in England and Wales by Big Brother Watch. The campaign is called ‘Face Off’ and its aim is to ‘end the retention of innocent people’s custody images.’ [11] This coincides with the main focus of concern in Scotland, namely the treatment of biometric data of those who have not been convicted of any offence. In the course of our discussions, we came also to consider wider issues of proportionality and necessity, even in relation to the retention of biometric data of those who have been convicted of criminal offences, where there is currently no minimum threshold of gravity or evidence-based justification for indefinite retention. We gave particular attention to these issues as they affect children.

In our discussions, we considered the question of independent oversight and scrutiny. This is an area which was mentioned in recommendations by Professor Fraser in his report almost 10 years ago. It was also mentioned specifically in the HMICS Report. To date, there is no independent regulator of devolved aspects in Scotland in this area. Those involved in this field in Police Scotland and the SPA appear to work to very high standards of international repute, with a good grasp of the ethical and human rights implications of their work, but that does not obviate the need for independent oversight. The wide-ranging and sensitive information about individuals which can be gleaned from biometric data requires separate and independent oversight with ethical input. The Government’s desire to address this is welcome, as it seems likely that we have not yet reached the limits of the potential of biometric technologies.

Accordingly, we recommend that there be legislation to establish a Scottish Biometrics Commissioner (‘the Commissioner’). We see the Commissioner overseeing the constantly developing area of biometrics and biometric data in relation to policing and criminal justice (the areas specifically within our Terms of Reference). This is an area which is sufficiently important to justify a Commissioner even if that was the limit of the role. There may be scope for the Commissioner overseeing aspects of biometrics and biometric data in other areas of Government where they feature, for example, health and education, and the private sector, although any such extension is beyond our Terms of Reference.

The question of legislation overlapped with discussions about a Code of Practice. There are, of course, different possible solutions to address the question of lawfulness – legislation alone, a suitable Code of Practice, or a combination of both. There is an attraction in the last of these, especially as we decided to recommend regular review of arrangements under the new oversight regime. As we recommend review of the Code by the Scottish Parliament and the Commissioner, it appears to us to be unnecessary to include every aspect of regulation in the legislation. Having some of the rules and procedures in a Code of Practice, which is itself kept under review, allows for the sort of flexibility which may be necessary in an area where advances in the relevant science and technology can occur quickly. We consider it crucial for rules and oversight to anticipate, or at least keep pace with, technological and other developments. Ideally, to allow this to happen, the Commissioner would work with those who are improving existing technology or developing new technology.

We have specified those aspects of governance which we think should be in legislation and made some suggestions for an outline Code of Practice. We have identified key principles and human rights considerations which might usefully feature in a Code and could be included in public consultation. Further work should be done at an early stage to produce a fuller draft Code for the purposes of public consultation. The Code can be finalised to come into force when the Commissioner takes office and can thereafter be monitored by the Commissioner and reviewed by the Parliament. In due course, the Commissioner can assess whether a single Code will suffice, or, as it may have various possible audiences – including the public, police, forensic practitioners and private bodies – whether separate Codes of Practice are required for specific and distinct purposes. In looking at this question, the Commissioner can consider not only the different audiences but also any specific requirements for the use of different types of biometric data.

In passing, it should be noted that biometric data may also be retained for reserved matters, notably under national security determinations [12] . Oversight is provided in reserved matters by the UK Biometrics Commissioner, although he has no role in devolved matters. We expect that the Commissioner would work with the UK Biometrics Commissioner in areas of mutual interest. While different legal frameworks apply in Scotland, the ethical and human rights considerations are universal.

Subject to appropriate arrangements for the independence of the Commissioner, the question of precisely where to locate the new regulator is a matter for Government, subject to considerations of public service reform. Some of the options can be included in public consultation. We discuss this later.

We see the Commissioner assisting with public awareness and confidence, although there is a role in this too for Government and others. Ultimately, the public will have a number of choices to make about the type of society in which they wish to live. There is always a balance to be struck between, on the one hand, considerations of public protection and, on the other, the right to privacy and other relevant human rights and ethical considerations. It can be difficult to have a rational debate in the aftermath of specific news stories which may emphasise only one part of the argument. There needs to be a wider debate about the various implications of the capture or surrender of biometric data, especially in terms of the implications for privacy. Privacy is not an infinite commodity. In one of the most frequently quoted statements about the right to privacy, in their influential 1890 article, Warren and Brandeis said [13] :

‘Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls the right ‘to be let alone’. Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’ For years there has been a feeling that the law must afford some remedy for the unauthorized circulation of portraits of private persons… The intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.

The principle which protects personal writings and all other personal productions, not against theft and physical appropriation, but against publication in any form, is in reality not the principle of private property, but that of an inviolate personality.’

This statement comes from the late 19 th century, since which time matters have moved on considerably, albeit the principles and threats are similar. Biometric data, with its greater potential to encroach on the ‘inviolate personality’, represents a significant challenge to those who wish to preserve ‘some retreat from the world.’ The circumstances we are discussing involve, primarily, individuals who are convicted of criminal offences, albeit some who are merely accused but not convicted. The fact of an offence, or at least an allegation proceeded with to some extent, provides the current justification for encroachment into privacy.

The principles of proportionality and necessity suggest that we should be careful about the limits of the encroachment we excuse on that basis. This suggests the need to consider and produce a Privacy (or Data Protection) Impact Assessment to support any legislative requirements. Opportunities for engagement on the development of these could be explored with the Information Commissioners Office whose responsibilities are relevant in this area. We will explore this later in the report.


Back to top