Use of biometric data: report of the independent advisory group

2 Current Landscape – Scotland

2.1 This Chapter explains the current legislative framework, policy and operational practice relevant to the acquisition, retention, use and disposal of biometric data by Police Scotland and the Scottish Police Authority as part of the criminal justice process in Scotland.

2.2 In doing so, the Chapter draws on key findings from the 2016 HMICS Audit and Assurance Review of the facial search functionality within the UK Police National Database ( PND), and the recommendations from that report to Scottish Government which in turn formed the basis for the terms of reference for the IAG on Biometric Data ^[16] .

2.3 Those terms of reference have a specific focus on biometric data used for the investigation and prevention of crime; public protection; and maintaining public confidence in the use of such data. Accordingly, this Chapter primarily explores the current landscape in the most commonly used forms of biometric data collected for law enforcement purposes ( DNA, fingerprints and photographic images taken as part of the criminal justice and custody process). This includes current information on the number of biometric data records of varying types held by Police Scotland and the SPA.

2.4 Reflection on the current landscape highlights various human rights and ethical considerations in the use of biometric data for law enforcement purposes and, in turn, emphasises the need for strengthened governance and independent oversight. This includes opportunities, as highlighted by HMICS, to close a specific legislative gap in Scotland relating to the acquisition of custody images by the police, and to introduce background context on matters that will be discussed later in this report, such as questions about the proportionality, effectiveness and efficiency of current biometric data retention regimes.

2.5 Although the IAG terms of reference called for a primary focus on law enforcement in Scotland, there is also a range of other public agencies in Scotland that collect biometric data from citizens in varying circumstances and for differing purposes. Additionally, biometric image capture technologies are increasingly sourced from the private sector. This results in a gap in scope for independent evaluation of the effectiveness of technologies whose biometric identification algorithms ^[17] are protected by issues of commercial confidentiality. These issues were also highlighted by HMICS which noted, for example, that there had been no operational evaluation of the effectiveness of the facial search functionality within the Home Office UK Police National Database ( PND) ^[18] . Accordingly, these other areas are introduced briefly in the current Chapter, solely to assist in identifying opportunities to strengthen governance and oversight over biometric data collection and use in Scotland.

2.6 The Chapter also engages throughout with the issue of interoperability requirements for biometric databases used in sector-specific contexts, and particularly in relation to law enforcement. Such connectivity and exchange between biometric databases is a particularly important area for policing as Scottish data are aggregated to UK biometric databases maintained by the Home Office, which in turn gives Scottish policing access to biometric data from other jurisdictions. This national and international interoperability is vital in the wider interests of UK national security. Properly regulated interoperability will ensure that human rights considerations are not overlooked. We have also considered, as far as possible, potential alignment to the anticipated policy objectives of the Home Office Biometrics Strategy currently under development as part of the Home Office Biometrics ( HOB) Programme.

Statutory Framework for Criminal Justice biometric samples in Scotland

2.7 The Criminal Procedure (Scotland) Act 1995 (‘the 1995 Act’) is the primary Scottish legislation allowing the retention of fingerprints and other biometric samples from a person arrested by the police. Sections 18 to 19C stipulate the conditions under which samples may be taken by the police, as well as rules for retention and specification of the purposes of use of samples ^[19] .

2.8 Section 18 (2) states: ‘A Constable may take from the person, or require the person to provide him with, such relevant physical data as the Constable may, having regard to the circumstances of the suspected offence in respect of which the person has been arrested, reasonably consider it appropriate to take from him or require him to provide, and the person so required shall comply with that requirement’.

2.9 The 1995 Act does not refer to facial images. It defines ‘relevant physical data’ as ‘a fingerprint, palm print, print or impression of an external part of the body or record of a person’s skin on an external part of the body created by a device approved by the Secretary of State’ ^[20] . However, the term biometric data is usually thought to include facial images ^[21] . The absence of legislation in Scotland giving explicit authority to the police to take custody episode photographs is at variance with specific legislative authority in other parts of the UK. This was identified in the HMICS Audit and Assurance Review in 2016 and led to a specific recommendation for the Scottish Government to consider legislative provision in relation to the retention and use of photographic images by the police ^[22] .

2.10 Section 83 of the Police, Public Order and Criminal Justice (Scotland) Act 2006 inserted Section 18A into the 1995 Act and contains provisions to allow retention of DNA samples and profiles of persons who have been arrested but not convicted of certain sexual or violent crimes. The list of relevant sexual and violent offences is in section 19A(6) of the Act ^[23] .

2.11 In 2010, as part of the response to the Fraser Report, the Scottish Government also introduced sections 77 to 82 of the Criminal Justice and Licensing (Scotland) Act 2010 which included provisions to develop the law in relation to the retention and use of DNA, fingerprints and other physical data. This was done by amendment to the 1995 Act.

2.12 In brief terms, the statutory framework in Scotland for the retention of fingerprints and DNA biometrics is as follows:

• Fingerprints and DNA data from convicted individuals can be retained indefinitely ^[24] . This policy applies to adults and children ^[25] on the basis of a single criminal conviction for any type of offence, regardless of gravity;
• Data from children dealt with at the Children’s Hearings system may be retained only where grounds of referral are established (whether through acceptance by the child at such a hearing or a finding at court) in relation to a prescribed sexual or violent offence. Such data can only be retained for three years unless the police apply for, and are granted, an extension by a Sheriff. For less serious offences, and where grounds are not established, there is no retention in relation to children;
• Data from individuals who accept a Fiscal Offer ^[26] may be retained for three years in relation to a prescribed sexual or violent offence, with the Chief Constable able to apply to the Sheriff Court for further two year extensions (there is no limit on the number of two year extensions that can be granted in respect of a particular person’s data); and data may be retained for two years in relation to non-sexual or non-violent offences which are the subject of a Fiscal offer or fixed penalty notice from the police;
• Data from individuals prosecuted for certain sexual and violent offences may be retained for three years (whether or not they are convicted), with the Chief Constable able to apply to the Sheriff Court for further two year extensions (there is no limit on the number of two year extensions that can be granted in respect of a particular person’s data) ^[27] ; and
• Subject to the exception just stated, data from individuals arrested for any offences (and who have no previous convictions) must be destroyed immediately if they are not convicted or if they are given an absolute discharge.

2.13 Whilst it has been custom and practice in Scotland for over 100 years for the police to take photographic custody images of persons who have been arrested or detained, there is no specific legislation, Scottish or UK, which gives powers to Police Scotland to take such images. There is no legislation which specifically regulates the retention periods for such images, or indeed the way in which such images may be used. This means the Scottish legislation around biometric data retention by the police centres primarily on fingerprints and DNA data and not on data from photographic images ^[28] .

2.14 Before examining retention periods in more detail, it is useful to summarise briefly the main biometric data record types held by the police and other law enforcement agencies, and to reflect on the purposes for which such data are used.

DNA in the Criminal Justice Process

2.15 DNA is Deoxyribonucleic Acid. This is the genetic material which can be found, although not exclusively, in the nucleus ^[29] (centre) of most cells in the body. It contains a person’s genetic information – it is a genetic ‘code' unique to each of us. We inherit 50% of this DNA from our mother and 50% from our father. Our DNA determines the colour of our eyes, our hair colour and many other physical characteristics. The DNA in a person's body is the same regardless of which body fluid or cell type it comes from. It is therefore possible to create a DNA profile from samples such as blood, saliva, semen, hair roots, etc.

2.16 In forensic science, the process of analysing DNA is referred to as DNA profiling and involves targeting specific parts within the DNA known as Short Tandem Repeats ( STRs). DNA profiling in Scotland looks at 24 areas of a person’s DNA – a significant step up from the 11 areas that made up previous DNA profiling technology and an advance on the 17 areas which is the European standard ^[30] . These 24 areas do not code for any known characteristic like eye colour. This technology makes it possible to compare a DNA profile from a person, known as a reference sample, with a DNA profile from a ‘crime’ sample, for example, from the scene of a known crime. If there is a match between the DNA profile from the person and that of the crime sample, it can be stated in terms of probability. For example, if a good quality DNA sample is found, a probability of 1 in more than 1 billion of such a match if the DNA came from a male unrelated to this person. This is why DNA has become so important in criminal investigations as it can be used to exclude an individual as a source of DNA or to contribute to proving guilt.

2.17 DNA was first used in criminal investigation in the UK in the 1980s following a double rape and murder in Leicestershire. This led to the production of the first DNA profile which showed that both murders had been carried out by the same individual, who was not the prime suspect. Leicestershire Constabulary then carried out the world's first DNA intelligence-led screening. All adult males in three villages – a total of 5,000 men – were asked to volunteer and provide blood or saliva samples. A local baker, Colin Pitchfork, was arrested, and his DNA profile matched with the semen from both murders. In 1988 he was sentenced to life imprisonment for the two murders.

2.18 The Scottish DNA Database is held in Dundee. When a suspect is arrested, the police have the right to take a DNA sample, usually a mouth swab. This is known as a criminal justice sample. All samples are analysed by the SPA, and the profiles are stored on the Scottish database as well as being sent to the National DNA Database, set up in 1995 and based in Birmingham. The Scottish DNA Database is administered by the National Systems Support department of Police Scotland. DNA profiling from samples taken from subjects and crime scenes is undertaken by the SPA Forensic Services. All profiles on the Scottish DNA Database are exported to the National DNA Database which gives all police forces throughout the UK the ability to search for profile and crime scene matches. The exception to this is profiles taken from volunteers for the purpose of intelligence led screens. These samples are only compared against the crime scene profile in question and destroyed on conclusion of the investigation or, subject to any evidential requirement, if the volunteer withdraws their consent to retention.

2.19 The DNA sections of the SPA provide four key services to Police Scotland and other law enforcement agencies. Those are:

• Casework – These are cases where there is a known accused and comparisons can be made between reference samples and a crime sample.
• Undetected cases – These are where the police do not have a suspect and where the Scottish DNA database and UK National DNA Database are used to try to identify matches between a crime sample DNA profile and the profile of a person held on the database.
• Criminal paternity testing – in cases of rapes and incest etc.
• Identification of individuals – missing persons, bodies and body parts.

2.20 The SPA publishes monthly DNA Database statistics on its website, including the number of profiles held, added or removed. This data includes information on crime scene matches and information on data held by age and gender. As at the end of December 2017, there were 332,213 criminal justice samples (not including crime scene samples) retained on the Scottish DNA Database ^[31] . A process map showing the Scottish DNA Database process from crime scene to conviction is attached to this report ( Appendix 6).

Fingerprints in the Criminal Justice Process

2.21 The system of identification using fingerprints rests upon three fundamentals – the formation, uniqueness and persistence of the highly distinctive ridge patterns found on fingers (and some other parts of the body). Fingerprints develop early in foetal life before birth. Pads (bumps) form on fingers between weeks six and thirteen. Where these pads occur, how the baby moves around inside the womb and how fast and big the baby grows all affect how the fingerprint patterns and ridges form and ensure the apparently unique properties of fingerprints are never duplicated. The details of a person's prints are considered unique to them. Identical twins do not have identical fingerprints. This is why fingerprints are a generally reliable means of identification at all stages of a person's life.

2.22 The impression left by the owner of the fingerprints at a crime is referred to as a ‘mark' or fingermark. A ‘print’ is the sample taken from an individual by the police for identification purposes. This is normally a set from the five digits on each hand, referred to as ‘tenprints'. Tenprints are the rolled impressions made on a fingerprint form taken under controlled conditions, normally at a police office. Tenprint forms are initially searched against other tenprint forms held on the national fingerprint database to establish if the individual already has a criminal record for previous offences or is new to the system. The searching of the tenprint form against other tenprint forms allows for confirmation of identity and accuracy of information supplied by the arrestee along with the accurate alignment of offences to an individual’s criminal record or the generation of a new criminal record when required. These searches are completed in real time with a result returned to the relevant custody location within two hours from time of electronic submission of a set of tenprints. When marks are submitted from a crime scene these are assessed by fingerprint examiners for suitability for further examination. The mark is then compared against specific individuals whose names have been submitted by the investigating officer/Procurator Fiscal and can be speculatively searched against the national fingerprint database to establish if the mark has been left at the crime scene by an individual already on record with previous convictions.

2.23 Scottish fingerprints are uploaded to IDENT1 which is the UK central national database for holding, searching and comparing biometric data on those who come into contact with the police as detainees after being arrested. Information held includes fingerprints, palm prints and scenes of crime marks. IDENT1 currently contains the fingerprints of more than 7 million people and makes 85,000 matches with data recovered from crime scenes each year.

2.24 The SPA does not publish fingerprint data on its website due to the Scottish information being hosted directly on the UK Home Office System. However, in August 2017 it is known that the SPA and Police Scotland held fingerprint records for 432,888 people ^[32] . This number reflects current long-term retention policies and includes records for non-residents.

Criminal History System ( CHS) photographs in the Criminal Justice Process

2.25 Police Scotland maintains a Criminal History System ( CHS), where all records and images of charged and convicted persons are stored. The criminal history images within these records are derived from photographic images relating to a particular custody episode when an arrested ^[33] person is brought into police custody.

2.26 As indicated in the 2016 HMICS Audit and Assurance review, the criminal history records and images of persons charged with, or convicted of, a common law crime or statutory offence in Scotland on CHS are uploaded automatically to a UK policing intelligence sharing system known as the Police National Database ( PND), so that other UK forces can search the PND to help identify and prosecute criminals. In the event of acquittal, the Scottish records and images are removed from CHS and PND by Police Scotland once notified of non-conviction or absolute discharge by the Crown Office and Procurator Fiscal Service ( COPFS). If a child is referred to the Children’s Hearings system, images are destroyed.

2.27 Although the 1995 Act does not provide specific legal authority in relation to photographic images, Police Scotland voluntarily applies a similar policy to the retention and weeding of photographs on CHS as exists in primary Scottish legislation for fingerprints and DNA. This means that images of persons not subsequently convicted (and who have no previous conviction) are removed from CHS and PND by Police Scotland in no proceedings/non-conviction scenarios, subject of course to the three year retention periods permitted for certain sexual and violent offences as defined in Section 48 of the Crime and Punishment (Scotland) Act 1997. This was acknowledged as effective practice by HMICS in 2016 and contrasted favourably with the position in other parts of the UK where many forces in England and Wales have been criticised by the UK Biometrics Commissioner for retaining custody images of innocent people on the Police National Database ( PND) despite the 2012 ruling by the High Court in England that this was unlawful ^[34] .

2.28 In August 2017, Police Scotland held 633,747 CHS photographs of 362,348 different people. This number reflects current long-term retention policies and includes records for non-residents. Unlike DNA and fingerprints, the physical appearance of a person will change over time, through ageing, injury or otherwise, and indeed is sometimes changed intentionally in an attempt to evade identification and detection. This is why the police will often hold multiple images of offenders who have multiple criminal convictions. A process map showing the Police Scotland and SPA biometric retention process is attached to this report (). It should be noted that this Police Scotland process map is intended as a guide only. It does not illust Appendix 7 rate the process for custody images and does not fully illustrate indefinite retention on the basis of a single conviction.

Custody episode images

2.29 Whenever a person is detained or arrested by the police and is brought into the custody environment, a computerised record is created. Included within each record is at least one digital image/photograph of the subject. A CHS image is only created after a person has been cautioned and charged with a relevant offence. It is also at this point that other criminal justice samples such as DNA and fingerprints are taken.

2.30 Police custody images in Scotland are only uploaded to CHS and PND if the subject has been charged with a crime or offence. This differs from the position in England and Wales where most forces upload all custody images directly to PND due to the absence of images on the Police National Computer ( PNC) (the PNC holds a reference to the image held locally within each force) or any statutory controls or guidance to the contrary.

2.31 At the time of the HMICS report in 2016, there was no national custody software solution in place in Scotland and Police Scotland were retaining custody images on the different legacy custody applications of the eight former police forces. It was also noted by HMICS that Police Scotland did not have weeding policies in place to cater for the timely disposal of the photographic images of persons not subsequently charged or convicted. Instead, such images were, and are, retained by Police Scotland under general data retention policies for a minimum period of one (current year) + six years. This means that photographs of people are routinely retained by Police Scotland for a period of up to seven years, even where they have not been convicted of any offence. This practice contrasts with the approach taken in Scotland for fingerprints, DNA data and the CHS images/photographs which are all destroyed if no proceedings are taken against the person to whom those various biometric records relate, providing that they have no existing criminal convictions.

2.32 Since the publication of the HMICS report in 2016, Police Scotland has rolled out a new national custody solution (completed January 2017) to manage custody episodes in a single and consistent way across Scotland. This solution will result in the records within various legacy custody applications becoming of less relevance. Legacy applications do not afford the same functionality or flexibility to identify and remove custody images of people who are not convicted/not proceeded against. Access to these legacy applications, and therefore the images retained, is limited to geographical areas and certain staff, predominantly dedicated custody staff. A legislatively mandated weeding regime based on the disposal of the associated case would require Police Scotland to consider a policy, process and technical response to ensure compliance within an acceptable timeframe in relation to the legacy custody applications. Although Police Scotland has not yet changed its policies on custody image retention, it has indicated that weeding conventions are capable of being programmed into the new custody software. This means that Police Scotland should have the technical capability to remove and dispose of the photographs of people who are not convicted/not proceeded against from the new system in a timelier manner, and in a way that is consistent with the existing legal framework in relation to DNA and fingerprints and Police Scotland’s own policy relative to the corresponding CHS image derived from the same custody episode. It also offers a greater capacity for compliance with any changes to biometric retention regimes arising from this IAG report.

2.33 Based on a one + six year retention policy, Police Scotland currently holds or retains more than 1 million custody images ^[35] . Police Scotland has no technical means of understanding how many people these records relate to and has no automated means of establishing how many custody images it holds of people who have not been convicted of any offence.

2.34 For ease of presentation, the data from the foregoing paragraphs is summarised in Table 1, below:

Table 1: Summary of biometric data records retained by Police Scotland and the SPA

Biometric Data Type	Number of records held	Comments
DNA Profiles	332,213
Fingerprints	432,888
CHS photographs	633,747	These relate to 362,348 individuals.
Custody photographs	1,000,000 +	It is unknown how many of these images relate to persons not charged or convicted of any offence.

2.35 These reflections on the current landscape are intended to introduce questions about the proportionality, effectiveness and efficiency of current biometric data retention regimes in Scotland. Whilst these will be discussed in some detail later in this report, it is apparent from initial review that the absence of specific legislative authority for the police to capture custody episode images raises important human rights concerns. The non-statutory status of some of the biometric retention regimes described above also raises concerns about the lack of sufficient differentiation for the special position of children and vulnerable individuals in our society.

2.36 In relation to children, the numbers entering the criminal justice system in Scotland is small by comparison to adults, with Scottish Government data showing around 2,200 criminal proceedings being initiated against persons aged between 12 and under 18 in 2017, the vast majority of whom were aged 16 or 17 ^[36] . This means that biometric data are rarely captured from younger children, and they are likely to be taken from those in their mid-teenage years only in circumstances where the gravity of their offending or other circumstances are likely to result in criminal proceedings.

2.37 In the case of children, such small numbers raise questions about value and utility, as well as allowing for the possibility of introducing a more nuanced and individualised risk-based decision-making model in relation to biometrics acquisition and retention that better balances the needs of law enforcement with the best interests, needs, rights, and life chances of the small numbers of children whose offending brings them into contact with the criminal justice system in Scotland. It also calls into question the proportionality of a ‘one size fits all’ policy which sanctions indefinite retention of biometrics on the basis of a single criminal conviction for any offence, regardless of seriousness (albeit the number of children involved is very small as most are dealt with by the Children’s Hearings system).

2.38 Notwithstanding the broader question of whether there is a need to keep biometric data from children out of aggregated adult biometric databases completely, the available data confirms trends of decreasing criminalisation of children, and correspondingly increasing trends in alternative social policy solutions as part of the Scottish Government Whole System Approach to dealing with children involved in offending ^[37] .

Biometric governance issues previously highlighted in Scotland

2.39 In 2007, the Scottish Government asked Professor Jim Fraser to review the operation and effectiveness of the legislative regime governing police powers in relation to the acquisition, retention, use and disposal of fingerprint and DNA data. He was directed to consider additional powers insofar as they related to the retention of forensic data.

2.40 In 2008, his report was published and made eight recommendations, many of which were implemented in the Criminal Justice and Licensing (Scotland) Act 2010. Two recommendations which were not taken forward into statute were:

a) The current governance arrangements for DNA and fingerprint databases in Scotland should be reviewed as a matter of urgency. Future arrangements should take into account good practice in scientific and ethical standards, efficient and effective management and independent oversight.

b) Sufficient information regarding the governance and management of forensic databases should be in the public domain to maintain transparency, accountability and public confidence in their use.

2.41 Recommendation a) remains outstanding. Recommendation b) was addressed to some extent through implementation work following the Fraser report. Scottish Government web pages were developed to provide information to the public and support transparency. As mentioned above, there is also monthly publication of statistics by the SPA. Such information gives the public access to information on how DNA is used in connection with law enforcement in Scotland and gives an indication of its effectiveness in the investigation of crime.

2.42 In 2016, HMICS considered the current governance arrangements in place in Scotland with regard to the use of biometric data by Police Scotland and the SPA. HMICS concluded that whilst it was clear that effective internal governance arrangements were in place between key partners, those arrangements did not deliver the necessary levels of independent oversight as called for in the Fraser Report ^[38] .

2.43 Endorsing the findings in the Fraser Report, HMICS recommended the creation of a Scottish Biometrics Commissioner so that public confidence in the police use of biometrics could be maintained through an independent office reporting to the Scottish Parliament ^[39] . In making this recommendation, HMICS noted the absence of biometric and forensic regulators in the Scottish context by contrast with other parts of the UK where there is a Biometrics Commissioner, a CCTV Surveillance Camera Commissioner, and a Forensic Science Regulator for England and Wales.

2.44 HMICS concluded that a Scottish Biometrics Commissioner offered the potential to build capacity and resilience in Scotland, and to explore emerging human rights and ethical considerations around the use of biometric data, not only for policing purposes but also by other public agencies involved in the collection and use of biometric data from citizens. In particular, HMICS highlighted public space CCTV systems, Road Camera Enforcement Systems and Automatic Number Plate Recognition Systems ( ANPR) ^[40] .

2.45 HMICS also noted the exponential growth of biometric technologies in contemporary society which escalate the value and possibilities around the use of biometric data. It was argued that, when combined with the development of an underpinning Codes of Practice, the creation of a Scottish Biometrics Commissioner could both safeguard and future-proof what will undoubtedly continue to be a fast evolving landscape ^[41] .

2.46 Although the question of independent oversight remains outstanding, it should be noted that in the summer of 2017, the SPA Board took steps to improve scrutiny and governance of forensic services and address some of the recommendations made by the HMICS Inspection of Forensic Services published in June 2017 ^[42] . The Director of Forensic Services, IAG member Tom Nelson, reports directly to the SPA Board and a new Forensic Services Committee ^[43] , chaired by SPA Board Member, Iain Whyte, was established. This committee meets regularly in public.

Biometrics in other public sector contexts

2.47 Whilst this Chapter has focussed primarily on the current biometrics landscape as it relates to the criminal justice context, biometrics capture technologies are in use in a range of other policing and non-policing contexts. In policing, images of citizens can be captured through body worn video cameras or by Public Order Surveillance Teams at demonstrations and events, or through air-based technologies such as helicopters or drones.

2.48 In a non-policing context, there are public space CCTV systems, Road Camera Enforcement Systems and ANPR, all of which can capture the facial images of citizens engaged in routine lawful activity. In education, some schools operate biometric identification systems where the fingerprints of children are captured and used with parental consent. In a health context, a report on Guthrie Cards in Scotland explored the ethical, legal, human rights and social issues surrounding the existence, continued storage, and future uses of the new-born screening collection ^[44] held in Scotland (also known as the Guthrie Card collection) ^[45] . The report highlights how such biomedical collections inadvertently operate as a de facto DNA database and discusses the various ethical considerations that arise. The report ensured that Guthrie Cards were included in the developing governance regime for biomedical collections within Scotland.

2.49 The relevance of this medical example is that it highlights the ethical dilemmas of collecting biometric data and subsequently using aggregated metadata for purposes for which it was not originally intended. Although set in a medical context, this example highlights the need for biometric samples to be collected and used within an appropriate legal framework so that relevant human rights considerations can be addressed. It also highlights the need for sound governance and accountability mechanisms, including a framework involving independent ethical oversight.

2.50 In a policing context, there are clear parallels to be drawn from the personal biometric data collected from individuals which subsequently become part of aggregated and searchable law enforcement biometric data sets such as those for fingerprints, DNA and photographic images in the Police National Database. There is also increasing availability of open source biometrics, notably those which could be processed using facial recognition technology.

2.51 In addition, and as part of the Scottish Government's Digital Strategy for Justice in Scotland, a digital evidence sharing capability is being developed between criminal justice partners. Subject to successful prototyping, testing, and the securing of future funding, this presents opportunities to transform how evidence, including biometric data, is accessed across the justice system, allowing for more efficient sharing of evidence with consequential benefits which may accompany that development. However, it also presents ethical challenges in relation to the safeguarding of biometric data within the context of a shared multi-agency secure digital platform.

Biometrics – UK Government Strategy

2.52 There has been broad political support at Westminster for the notion of enhancing regulation, governance and independent oversight of the use of biometric technologies, and calls for the development of a Biometrics Strategy by the UK Government:

2.53 ‘In the absence of a biometrics strategy, there has been a worrying lack of Government oversight and regulation of aspects of this field. We were particularly concerned to hear that the police are uploading photographs taken in custody, including images of people not subsequently charged with, or convicted of, a crime, to the Police Database and applying facial recognition software. Although the High Court ruled in 2012 that existing policy concerning the retention of custody photograph by the police was ‘unlawful’, this gap in the legislation has persisted. At the very least, there should be day-to-day, independent oversight of the police use of all biometrics. We therefore recommend that the Biometrics Commissioner’s jurisdiction should be extended beyond DNA and fingerprints to cover, at a minimum, the police use and retention of facial images’ ^[46] .

2.54 Against the context of parliamentary concerns, the UK Government continues to develop a biometric strategy as part of the HOB Programme. It is anticipated that the strategy will be completed in 2018 and will be directed at Home Office functions and areas such as policing, immigration and the justice sector in England and Wales. The HOB Programme includes a privacy and ethics impact assessment committee so that ethical and privacy considerations can be designed in to the new strategy.

2.55 Whilst a key objective of the HOB Strategy will be to deliver greater interoperability between key UK partners, discussion with Home Office officials has also provided clarity for the IAG on matters of reserved and devolved competence. From discussion, it would appear that there is a consistency of thinking and a corresponding golden thread through the work in each jurisdiction which encompasses respect for human rights, ethical standards, compliance with the law, and improving public confidence and trust.

2.56 In concluding discussions on the current landscape, it is clear that we live in an era of ever increasing proliferation of automated biometric identity systems with associated application to law enforcement and other public functions. In this context, it is essential that sensitive personal data are collected only for specific, explicit, lawful and legitimate purposes. In seeking to achieve a careful balance between the needs of citizen and state, there is clearly a need for independent oversight, and for the development of a broad framework of consistent ethical and human rights-respecting principles against which all biometric use for policing, law enforcement and public protection purposes in Scotland can ultimately be checked.