Publication - Report

Use of biometric data: report of the independent advisory group

Published: 22 Mar 2018
Directorate: Safer Communities Directorate
Part of: Law and order
ISBN: 9781788516006

This report provides recommendations on a policy and legislative framework for police use of biometric data and associated technologies.

92 page PDF

2.3 MB

5 General Principles and Ethical Considerations

5.1 This Chapter overlaps with Chapter 4, with the various human rights and data protection principles often similar and equally relevant in addressing ethical considerations. It is important to ensure a proper grasp of ethical considerations at all stages of the biometrics data process – acquisition, use, retention and disposal – given the highly sensitive and personal nature of the data involved. It is important to ensure that what is done is informed by considerations of what should be done, as opposed to merely considerations of what can be done. Or, as it was put in the medConfidential submission to the IAG, ‘Just because something can be done somewhere, does not mean it should always be done everywhere.’

5.2 Much work has been done by others to identify relevant human rights and other ethical principles relevant to biometric data. We have not needed to innovate, instead pulling together some of these from elsewhere, borrowing especially from a helpful paper produced by the Biometrics and Forensics Ethics Group (‘BFEG’), the body that provides advice to the Home Office in this area. We are grateful to them for sharing this paper, which had not yet been published. We have, however, adapted it with regard to our work and the Scottish context, insofar as this involves any different considerations. Appendix 4 includes related questions from the same BFEG paper which assist in focussing the principles.

5.3 We consider that these principles might usefully feature in the Code of Practice and could therefore form part of the public consultation. They should apply to all public bodies operating in this area. Private bodies should also apply them. Public bodies dealing with private bodies should ensure that their partners in the private sector operate in accordance with these principles.

5.4 The principles take into account the particular context of the relevant science, with validation a key and distinct concept to offer assurance around reliability, efficiency and effectiveness.

5.5 Acceptance of these principles should not stifle progress but may help to ensure that there is always sufficient pause for thought and review before proceeding. As this area relates to existing, emerging and future technologies, it is important that issues of quality are addressed in each. Validation is one key means of addressing issues about the quality of the underlying biometric technologies.

General principles

5.6 The use of biometric technologies and forensic procedures should comply with the following governing principles:

  • enhance public safety and the public good;
  • advance the interests of justice;
  • respect for human rights of individuals and groups;
  • respect the dignity of all individuals;
  • take particular account of the rights of children;
  • take particular account of the rights of other vulnerable groups and individuals;
  • protect the right to respect for private and family life;
  • scientific and technological developments should be harnessed to promote the swift exoneration of the innocent, afford protection and resolution for victims, and assist the criminal justice process;
  • based on validated evidence. (See below regarding validation).

Implementation of the General Principles

5.7 The general principles should be implemented with due regard to the following:

  • impartiality – procedures should be applied without bias or unfair discrimination;
  • proportionality – balancing individual rights, public safety and the public good;
  • effectiveness;
  • openness and transparency;
  • minimal intrusion needed to achieve outcome;
  • the need for systems to be validated to show that they are fit for the specific purpose intended i.e. the results can be relied on irrespective of use (for example, intelligence or evidential purposes);
  • the need for assurance in relation to the quality of the system;
  • the need for public accountability;
  • the need for independent oversight where appropriate;
  • the need to provide adequate information and, where appropriate, to obtain consent from those from whom data or samples are sought or retained, or from some other appropriate individual where the individual cannot consent.

Considerations Specific to the Collection and Processing of Data

5.8 In relation specifically to the collection and processing of data the governing principles should be applied as follows:

  • data should be collected, stored, used and retained only for specified and lawful purposes;
  • data collection, storage, and use must adhere to legal requirements;
  • steps should be taken to ensure the accuracy, security and integrity of data collected, stored and used;
  • steps should be taken to ensure transparency around error rates and uncertainties inherent in the procedures;
  • processes should be robust and conform to any relevant standards and be applied by professionally trained staff whose work can be audited;
  • intrusion into private lives should be minimised – this may be of particular significance in relation to issues of data linkage;
  • account should be taken of the interests of secondary data subjects (i.e. people potentially affected by data collected from others, e.g. family members);
  • policies should be in place around the weeding and disposal of these data, including a presumption in favour of deletion.

Validation

5.9 To comply with the governing principles set out above it is important that the effectiveness and reliability of any biometric technologies is established by those who use them. The key issue is that all technologies should be fit for purpose i.e. capable of achieving the outcome that they are designed to achieve. Further considerations are the efficiency and cost effectiveness of any technologies. An important consideration is that the user should not simply rely uncritically on third party assertion regarding the performance of technology without an understanding of how the technology performs as it is applied by the particular user and for the particular purpose of that user. Biometric technologies that are perfectly adequate for individual users to protect their data or privacy may not be adequate for use at the level of an organisation or in a criminal justice context.

5.10 One means of establishing fitness for purpose is formal validation. This assists with demonstrating the integrity and value of the underlying technology.

5.11 Validation is ‘The process of providing objective evidence that a method, process or device is fit for the specific purpose intended’ [101]. It involves demonstrating that a method used for any form of analysis is fit for the specific purpose intended i.e. the results can be relied on. It is the expectation of the Forensic Science Regulator (England and Wales) that all methods routinely employed within the criminal justice system will be validated prior to their use on live casework material.

5.12 Once a method has been validated in another organisation, there is a requirement for the organisation wishing to use this new method to review the validation records to ensure that it has been done correctly. Once satisfied, the new user need only undertake verification for the method to demonstrate that the organisation is competent to perform the test/examination, i.e. demonstrating that it works in their hands. This could be important because, in many areas, the technology is being employed by non-scientists/non-experts with no detailed understanding of the underpinning science.

5.13 The validation approach will vary depending on the nature of the method/system, the manner in which it is used and the risks to the criminal justice system. A full validation process could include the following:

1. Determination of the end-user requirements and specification
2. Risk assessment
3. Review of end-user requirements and specification
4. Set the acceptance criteria
5. Validation plan
6. The outcomes of the validation exercise
7. Assessment of acceptance criteria compliance
8. Validation report
9. Statement of validation completion
10. Implementation plan

