6 Statutory Code of Practice
6.1 We recommend that a Code of Practice be established in legislation. The detail of the Code need not appear in legislation. Using the Code for aspects of oversight should allow greater flexibility when it comes to regular review by the Scottish Parliament than would be the case if relying solely on primary legislation.
6.2 Responses to our requests for submissions demonstrated support for a Code of Practice. See, in particular, the Justice Scotland submission to the IAG (paragraphs 31 to 37) and the submission from the Open Rights Group.
6.3 We suggest that the Code should be developed and finalised to come into force at the same time as the Commissioner takes office. This can be done following public consultation, as well as further discussion with relevant bodies and individuals. A more detailed outline of possible contents of the Code should be prepared ahead of public consultation on our recommendations. The Commissioner can take responsibility for matters relating to enforcement of the Code, subject to review by the Parliament.
6.4 In our discussions of a Code of Practice, we wondered about the audience for the Code. It appeared to us that a Code may have different possible audiences – the public, police, forensic practitioners, private bodies. This led to a question as to whether there should be one Code or several. A single Code might necessarily be lengthy and therefore off-putting for public consumption. To appeal to the public, however, it might have to be expressed in simpler terms than would seem useful to practitioners. Our recommendation is for a single Code of Practice, but we suggest that decisions on whether to create different versions for different audiences might usefully be made by the Commissioner. In looking at this question, the Commissioner can consider not only the different audiences but also any differences in use of different types of biometric data. In any event, there should be an easy read version of the Code.
6.5 We suggest that consideration is given to a separate section in the Code to address specific issues relating to children and others with vulnerability.
6.6 Public consultation should take place on the general principles likely to feature in the Code, which might usefully be taken from Chapters 4 and 5 of this report. It should also cover the scope of the Code, in particular, whether it should be restricted to public bodies in the criminal justice sphere, or apply to public bodies more widely, and whether it should apply also to the private sector.
6.7 The relationship between the Commissioner and private bodies should be consulted upon. Private bodies are responsible for a large and increasing amount of biometric data. It is arguable that they should come under public regulation and not merely be allowed to rely on contractual arrangements with their customers/clients. One suggestion was that public contracts should only be awarded to private bodies that were ‘accredited’, i.e. that adhered to the Code of Practice. The consultation can address this point.
6.8 Transparency and accountability are vital to ensure ongoing public trust and to adhere to basic democratic and rule of law principles. The Commissioner should be required to make information publicly available about biometric data acquisition, retention, use and deletion. This should include quantitative and qualitative information, including any relevant Key Performance Indicators. There should be an obligation on bodies to publish and explain data on their biometric data retention and use. We discussed whether this obligation should be restricted to all, or specific, public bodies or include private bodies. This can be the subject of consultation, but our view is that the obligation should extend also to private bodies.
6.9 The Code could specify any other implications of non-compliance (for example in relation to internal disciplinary procedures). That too should be the subject of consultation.
6.10 If, contrary to our recommendation, there is a presumption for retention of biometric data on the expiry of retention periods, the Code should specify procedures for application for deletion. This should include issues of accessibility, including easy read material, fees, advice and assistance. Even with a presumption for deletion, similar provision would be needed for individuals whose data was retained for a specific reason despite the presumption.
6.11 It seems likely that there may be more proactive management of cases by the judiciary. This could include an earlier and more interventionist role in assessment of the reliability of biometric technologies and science, as part of the Court’s task in determining the admissibility of evidence. This would help to keep a balance, allowing innovative but unvalidated science to be used as an investigative tool, but maintaining a harder line when it comes to assessing what is admissible evidence.
6.12 Breaches of the Code will not be conclusive for the purposes of admissibility but can be taken into account by the Court in determining admissibility.
6.13 Breaches of the Code should not of themselves constitute a civil or criminal offence.
Legislation should establish a Code of Practice covering the acquisition, retention, use and disposal of DNA, fingerprints, facial and other photographic images (including custody images) and all existing, emerging and future biometrics for Police Scotland, the Scottish Police Authority and other bodies working in the field of law enforcement. The legislation should outline matters relating to review of the Code by the Scottish Parliament.
The Code of Practice should be the subject of detailed consultation. It should contain relevant human rights and ethical principles, address the implications of any presumption regarding retention and specify relevant procedures for applications from private citizens for deletion of biometric data. It should contain specific reference to validation of biometric technologies.