Final Business and Regulatory Impact Assessment
Title of Proposal
Scottish Biometrics Commissioner Bill
Purpose and intended effect
The Scottish Government's vision for a just, safe and resilient Scotland identifies the need to live in safe, cohesive and resilient communities as a priority outcome. The biometrics field is evolving rapidly and offers great potential in the detection, prevention and prosecution of crime and, thereby, the delivery of community safety. However, the use of biometric data and technologies raises a range of ethical and human rights considerations. Therefore, Scottish Ministers want to ensure that the approach to the collection, use, retention and disposal of biometric data in the context of policing and criminal justice is lawful, effective and ethical. Their ultimate goal is to keep communities safe while respecting the rights of the individual and improving the accountability of the police.
'Biometric data' is a relatively broad and evolving concept. It encompasses what is often referred to as 'first-generation biometrics' such as fingerprints, DNA and custody photographs which have been commonly used for identifying individuals in policing for many years. It also includes new and emerging technologies (or 'second-generation biometrics') such as facial recognition software, remote iris recognition and other behavioural biometrics such as voice pattern analysis.
While there is currently evidence of strong governance and practice within both Police Scotland and the Scottish Police Authority (SPA) with regard to the use and management of biometric data and techniques, there is currently no independent governance or oversight of the use of biometric data in policing in Scotland.
This gap was highlighted in the Fraser Report of 2008; a report by Her Majesty's Inspectorate of Constabulary in Scotland (HMICS) in 2016; and a report by the Independent Advisory Group on the use of biometric data in Scotland (IAG) in 2018.
The Scottish Biometrics Commissioner Bill (the Bill) will establish the office of Scottish Biometrics Commissioner (the Commissioner) whose general function will be to support and promote the adoption of lawful, effective and ethical practices in relation to the acquisition, retention, use and destruction of biometric data by Police Scotland and the SPA for policing and criminal justice purposes. The Commissioner will also produce a statutory code of practice which Police Scotland and the SPA must have regard to when exercising functions to which the code relates. To ensure that the Commissioner commands the confidence of the public and professionals, it is important for the role to be seen to be free of any undue influence. Therefore, the Bill proposes that the Commissioner be appointed by Parliament - and accountable to Parliament.
In making these provisions, the Bill responds positively to two of the recommendations made by the IAG which had called for legislation to create an independent Scottish Biometrics Commissioner; and legislation to establish a Code of Practice. The IAG presented its report in March 2018. The IAG was chaired by John Scott QC and drew its membership from Police Scotland, the SPA, HMICS, the Crown Office and Procurator Fiscal Service, the Scottish Human Rights Commission and the UK Information Commissioner's Office, with relevant academic and research expertise also in place. The Bill was also informed by responses to a Scottish Government consultation in 2018 which sought views on the proposals regarding a Commissioner for Biometrics and an associated code of practice.
To ensure that the approach to the collection, use, retention and disposal of biometric data in the context of policing and criminal justice is lawful, effective and ethical, the Bill proposes to:
- establish a new Commissioner accountable to the Scottish Parliament, to keep under review the law, policy and practice relating to the acquisition, retention, use and destruction of biometric data for policing and criminal justice purposes; and
- require the Commissioner to prepare, promote and monitor the impact of a new Code of Practice that is expected to provide information and guidance about the responsibilities of specified bodies and recognised standards in relation to biometric data.
The Scottish Government considers these measures will support the effective, proportionate and ethical use of biometric data, ultimately leading to better outcomes and maximising the value offered by biometric technologies in a policing and criminal justice context.
Fit with Scottish, UK and EU policy
The proposals in the Bill are designed to support the delivery of effective and ethical policing activity in Scotland. Such activity falls within the devolved competence of the Scottish Parliament.
The proposals in the Bill mirror in some respects the current arrangements operating elsewhere in the UK. The Protection of Freedoms Act 2012 places a duty on the Secretary of State to appoint a Commissioner for the Retention and Use of Biometric Material in England and Wales (E&W Commissioner). It confers on the E&W Commissioner a general function of keeping under review the retention and use by the police of fingerprints and DNA profiles in specified circumstances. Separately, it confers on the E&W Commissioner the specific function on a UK-wide basis, of keeping under review determinations made by chief officers of police and others that the fingerprints and DNA profiles of a person are required to be retained for national security purposes, and the use to which fingerprints and DNA profiles so retained are being put.
The Scottish Government recognises that biometric data would be personal data in the context of the data protection regime which is a matter reserved to the UK Parliament. It is expected that any Code of Practice prepared by the Scottish Biometrics Commissioner will highlight the importance of full compliance with that regime. Similarly, it will be important to ensure that any advice, guidance and support offered by the Commissioner takes full account of that regime as well as the role and remit of the UK Information Commissioner.
The Bill's provisions are also compatible with rights under the European Convention on Human Rights (ECHR). The creation of both the Code of Practice and greater independent oversight of the collection, use and retention of biometric data will improve the protection of a number of rights under the Convention, including articles 5 (right to liberty and security); 6 (right to a fair trial); 8 (right to respect for private and family life); and 14 (prohibition of discrimination).
Rationale for Government intervention
In creating independent oversight of the acquisition, retention, use and disposal of biometric data for policing and criminal justice purposes, the Bill will facilitate an effective, proportionate and ethical approach to the use of biometric data. The Bill will therefore contribute towards the realisation of the Scottish Government's vision for justice of "a just, safe and resilient Scotland". The Bill also links to the Scottish Government's justice outcome, "we live in safe, cohesive and resilient communities", and to the National Performance Framework Values to respect the rule of law and to act in an open and transparent way.
In the context of seeking to strengthen the oversight of the approach taken to the use of biometric data and technologies, the most relevant national outcomes are:
- We live in communities that are inclusive, empowered, resilient and safe;
- We respect, protect and fulfil human rights and live free from discrimination;
- We grow up loved, safe and respected so that we realise our full potential.
The Scottish Government considers that the effective utilisation of biometric data and techniques can play a critical role in deterring and responding to criminal activity, improving the wellbeing of communities and supporting interventions which can in turn prevent repeat offending. The Commissioner is expected to play an important role in maximising the benefits of biometric technologies in this context. It is worth noting that while existing practice by both Police Scotland and the SPA is generally considered to be of a high standard, the establishment of an impartial Commissioner to advise on and monitor the effective use of biometric data will help drive improvement and enhance accountability in this area. It is also known that our most disadvantaged communities are disproportionately impacted by criminal activity. The Scottish Government therefore considers that the establishment of a Commissioner to improve standards and enhance performance has the potential to aid the government's wider efforts to address the inequalities experienced across Scottish society.
Scottish Ministers have also set a clear vision of Scotland as the best place in the world to grow up, with the Getting It Right For Every Child approach placing particular focus on improving life chances for children and young people.
The Commissioner is required to have regard to the interests of children and young people, when carrying out his functions. Accordingly, in carrying out his/her functions, it may be the case that the Commissioner would, for example, oversee Police Scotland's policy to minimise the number of children who have biometric data captured. This would help to reduce stigmatisation and minimise children's interaction with the justice system, supporting implementation of the UN Convention on the Rights of the Child.
Furthermore, the Human Rights Act, which incorporates the ECHR into UK law, sets out the fundamental rights and freedoms that everyone in the UK is entitled to, and makes it unlawful for a public authority to act in a way which is incompatible with Convention rights.
Through the proposed statutory Code of Practice, the Commissioner is expected to deliver greater transparency around performance, while their role in advising on working practices is likely to have a positive impact on the standard of service delivered on behalf of the public. The Commissioner's expertise in relation to biometric data and techniques will also support innovation and Scotland's engagement and reputation on an international level.
All Government portfolios have been consulted on the proposals.
Discussions focused on:
- The scope of the Commissioner's role and the nature of biometric data to be covered by our proposals;
- Consideration of the impact that the proposals will have on the promotion of human rights, including specifically the rights of children and young people;
- Alignment with the Scottish Government's public service reform priorities;
- Alignment with the UK data protection regime; and
- Affordability of proposals for a Scottish Biometrics Commissioner.
As noted earlier, the proposals in the Bill have been developed following a Scottish Government public consultation in 2018. The consultation drew on two of the recommendations from the Report of the IAG, chaired by Solicitor Advocate John Scott QC. The IAG consulted widely in the course of producing their report, and their findings endorse recommendations previously made in both the Fraser and HMICS reviews in calling for the introduction of a Biometrics Commissioner.
The Scottish Government's public consultation on an outline code of practice and concept of the Commissioner's operations ran from 13 July to 1 October 2018. Alongside this consultation, the Scottish Government also arranged meetings with four groups of stakeholders (a stakeholder symposium; equalities groups; police workforce; and the Scottish Youth Parliament Justice Committee) to promote a national debate on the matters raised in the consultation. The consultation generated 89 written responses. The largest number (88%) were from individuals, with a small number from public sector organisations (7%); third sector organisations (4%) and a professional body (1%).
Respondents were broadly supportive of the proposals (with 83% of respondents supporting the need for a Code of Practice and 89% being in favour of the establishment of a Scottish Biometrics Commissioner).
The provisions of the Bill therefore seek to respond positively to the views expressed in the recent consultation. In developing the Scottish Government's proposals in this area, officials have continued to engage with John Scott QC and IAG members. The Scottish Government will also ensure that the views of group members continue to be considered as the Bill progresses through Parliament.
The Bill is not expected to have significant impact on businesses as the scope of the Bill is limited to biometric data used in the context of policing and criminal justice, and will not apply directly to private sector organisations. It might be possible for private sector organisations to choose to adopt any Code of Practice published by the Commissioner on a voluntary basis. Where a private sector business is collecting, using or retaining biometric data on behalf of one of the bodies to whom the Bill applies, the Commissioner may consider the manner in which the business is providing a service as part of his wider review role. However, it would be for the body to whom the Bill applies (i.e. Police Scotland or the SPA) to agree the terms of that service, and the business in question would not be compelled to respond directly to any requirements from the Commissioner. No private sector firms responded to the consultation, however any issues raised by the business or third sector as the Bill progresses through Parliament will be considered.
In developing proposals for the Bill, the Scottish Government undertook an Options Appraisal which considered the following options for delivery of enhanced oversight. These included:
1. Extending the functions of an existing policing body;
2. Extending the functions of a Parliamentary Commissioner;
3. Establishing a standalone Commissioner appointed by Ministers;
4. Establishing a standalone Parliamentary Commissioner; and
5. Do nothing.
The options were appraised through an assessment of their ability to deliver the benefits associated with a Biometrics Commissioner:
- the ability to provide greater support to Ministers in realising national outcomes;
- strengthened oversight and accountability of public services;
- alignment with Scottish Government Economic Policy;
- impact on working practices and organisational standards;
- robust governance;
- ability to scrutinise the biometrics regulatory framework;
- enhanced public awareness and confidence around the use of biometric data; and
- the strategic risks associated with any change (i.e. lack of available funding; lack of specialist knowledge to realise the benefits; lack of coherence in police scrutiny activity.
Sectors and groups affected
Options 1 to 4 have impacts for the following bodies:
- Police Scotland;
- Scottish Police Authority;
- regulatory bodies and office holders in Scotland, whose functions might be indirectly linked to the functions of the Commissioner: for example the Lord Advocate, HMICS, the Police Investigations and Review Commissioner, the UK Information Commissioner, the Scottish Human Rights Commission, the Commissioner for Children and Young People in Scotland; and
- the public at large.
In addition, option 4 will impact on the following body:
- The Scottish Parliamentary Corporate Body (SPCB) will have a role in the appointment of the Commissioner and set up of the Commissioner's office.
Options 1 to 4 may have an indirect impact for the following sectors:
- Local Government: the statutory requirement to comply with the Code of Practice will not apply to local government or any other community bodies. However, it might be possible for local authorities to choose to adopt any Code of Practice published by the Commissioner.
- The Private Sector: although the statutory requirement to comply with the Code of Practice will not apply to private organisations, it might be possible for private sector organisations to choose to adopt (on a voluntary basis) any Code of Practice published by the Commissioner. It should be noted that where a private sector business is collecting, using or retaining biometric data on behalf of Police Scotland and/or the SPA, the Commissioner may seek information or views from that business as part of his function to keep under review law, policy and practice - however, the business does not have to respond.
Option 1 - Extending the functions of an existing policing body
HMICS and the Police Investigations & Review Commissioner (PIRC) as existing policing bodies were considered. While both HMICS and PIRC are well established in their respective areas of expertise, they do not currently have a remit across all areas of biometrics.
The required widening of their focus could lead to a loss of focus, negatively impacting on their perceived authority and so their credibility to advise not only on biometrics, but also on those issues for which they currently have responsibility.
In addition, any decision to extend the remits of HMICS or PIRC to provide oversight of biometrics use across the wider justice system would represent a fundamental shift in their purpose.
A broadening of focus and increasingly complex structures could impact on their effectiveness in terms of their current scrutiny role. In this context it is also worth noting the IAG's conclusion that such a change could negatively impact HMICS's perceived level of authority and competence, delivering the opposite effect to that which is intended. These arguments apply equally to the PIRC and other parliamentary commissioners who, while having a valuable role to play in informing the debate around biometrics, do not currently possess the requisite skills and expertise to deliver the functions that are being proposed in respect of the Biometrics Commissioner.
Option 2 - Extending the functions of a Parliamentary Commissioner
The findings around extending the remit of an existing parliamentary commissioner were that it would support enhanced delivery of outcomes and improvements in setting, monitoring and enforcing standards adopted by bodies involved in the delivery of criminal justice. In addition, it offered added value in ensuring a proportionate and effective approach to biometric data and additional capacity to support world class innovation, research and development.
While it also offered the means to improve working practices and organisational standards and capacity to enhance public awareness, it would, however, be unlikely to realise overall benefits as it did not have the remit or expertise to effectively advise on and scrutinise all aspects of the regulatory framework surrounding biometrics.
Option 3 - Establishing a standalone Commissioner appointed by Ministers
This option raised similar benefits to option 4 however was not taken forward for the reasons set out at option 4.
Option 4 - Establishing a standalone Parliamentary Commissioner
The findings around a new parliamentary commissioner were that it would support improvements in setting, monitoring and enforcing standards adopted by bodies involved in the delivery of criminal justice. This option scored highest for benefits realisation, particularly around strengthened oversight and accountability of public services. It also offered added value in ensuring a proportionate and effective approach to biometric data and additional capacity to support world class innovation, research and development.
While offering the means to improve working practices and organisational standards, it also offered capacity to enhance public awareness. Importantly, a new parliamentary commissioner would function independently, without any perception of undue influence from policing-related bodies. The advantage of a parliamentary appointment over a Ministerial appointment is that the parliamentary appointment would provide the most independent oversight arrangement and is therefore the option most likely to inspire greatest public confidence due to its governance falling to Parliament rather than to Scottish Ministers.
In addition, where a public body is being tasked with safeguarding rights and, in pursuing this objective, commenting on the role and behaviour of other public bodies including the Scottish Government, the decision will often be taken to establish that role through a parliamentary appointment. Therefore, this approach would most closely align with the requirements of the proposed Biometrics Commissioner. The recent public consultation indicated broad support for the Biometrics Commissioner to be appointed by and accountable to Parliament.
Option 5 - Do nothing
The main findings around the status quo were that it scored the lowest in terms of overall benefit realisation and did not support further public services reform. In addition, it did not offer any added value in ensuring a proportionate and effective approach to biometric data or any additional capacity to support world class innovation, research and development. Finally, it did not offer the means to improve working practices and organisational standards or the capacity to enhance public awareness.
The conclusion was to progress option 4 and that a new Commissioner appointed by Parliament offered the most benefit and posed the least risk. Most notably, this option provided for the specific expertise required to realise the full range of benefits. It also provided the highest level of perceived openness and transparency through full independence from Government, both in terms of the Commissioner's appointment and in the officeholder's reporting processes and structures.
The estimated costs of the establishing a standalone parliamentary commissioner under option 4 are based on costs incurred by comparator bodies, and informed by advice from SPCB officials. Therefore, the set-up costs and running costs estimated in Tables A and B respectively can be predicted with a reasonable degree of certainty. VAT will not be reclaimable by the Scottish Biometrics Commissioner and is therefore added to the costs. The costs are also calculated on the basis that the Scottish Biometrics Commissioner will be a part-time post (0.6 FTE) and will employ three full time equivalent members of staff. Further details may be found in the Financial Memorandum for the Bill.
Table A - Set up costs
|Accommodation: fit out and legal fees||126,000|
|IT and website set-up||50,000|
|Marketing/Payroll and HR set-up||4,000|
Table B - Annual Running Costs
|Payroll / HR services||3,000|
|Travel & subsistence||4,000|
|Other administrative costs||2,000|
Scottish Firms Impact Test
The Scottish Government is unable to identify any specific businesses which would be detrimentally impacted by this Bill. Businesses were, however, able to contribute to the formal consultation on an outline code of practice and concept of the Commissioner's operations. It is worth noting that no firms responded to the consultation.
The statutory requirement to comply with the Code of Practice will not apply directly to private sector or third sector organisations. However, where an organisation is collecting, using or retaining biometric data on behalf of Police Scotland and/or the SPA, the Commissioner will have a role in keeping under review the law, policy and practice relating to the acquisition, retention, use and destruction of biometric data by such organisations.
(1)The Commissioner must prepare, and may from time to time revise, a code of practice on the acquisition, retention, use and destruction of biometric data for policing and criminal justice purposes. It will therefore be for the Commissioner to consider and decide whether the Code that Police Scotland and the SPA must have regard to, would set any requirements for them when contracting private organisations to provide services on their behalf. The Commissioner may therefore choose to undertake a further Business and Regulatory Impact Assessment on any draft Code published for consultation to establish whether the Code itself will impact on businesses.
Any issues raised by the business sector as the Bill progresses through Parliament will be considered.
Using the four Competition and Markets Authority competition assessment questions, the Scottish Government has concluded that the provisions in the Bill are not expected to limit the number or range of suppliers of forensic services; or to limit the ability of suppliers to compete; or to limit the choice and information available to consumers. The Commissioner may however choose to undertake a further assessment as to whether any draft Code of Practice would set any requirements for Police Scotland and the SPA when contracting private organisations to provide services on their behalf. The Commissioner may also choose to undertake a further assessment as a result of any wider requirements identified by the Commissioner in fulfilling his/her oversight functions.
The provisions in the Bill itself are not expected to affect the availability or price of any goods or services in the market for forensic services, and may have a positive impact on the quality of those services provided by SPA. The Bill does not impact on consumers in respect of storage or increased use of consumer data; or in the information available to consumers. The Commissioner may however choose to undertake a further assessment on any draft code of practice published for consultation to establish whether the Code would have unintended consequences for the market which could impact on consumers.
Test run of business forms
The Bill itself does not require new forms for businesses to complete. The Commissioner may however choose to undertake a further assessment to establish whether Police Scotland, the SPA (or private organisations operating services on their behalf) will need to complete new forms as a result of any requirements identified by the Commissioner in fulfilling his/her oversight functions, including the code of practice.
Digital Impact Test
The provisions in the Bill itself are not expected to impact on technology or become redundant as a result of technological advances. Indeed, the intention is to ensure the effective, proportionate and ethical use of biometric data in the face of technological advances. The Commissioner may however choose to undertake a further business and regulatory impact assessment on any draft Code of practice published for consultation to establish whether any requirements in the Code placed on Police Scotland and/or the SPA will have any unintended consequences from a digital/online context. This may extend to any impact on private organisations operating services on the behalf of Police Scotland and/or the SPA.
Legal Aid Impact Test
The Bill introduces an offence where the Commissioner, its staff or agent (past or present) are liable to a fine if convicted of knowingly disclosing information obtained in the course of the Commissioner's activities, which was known not to be in the public domain. The inclusion of the offence is primarily a safeguard, so that prosecution may be taken forward in the unlikely event of unauthorised disclosure of information.
The Commissioner's office is expected to comprise of one Commissioner and three members of staff. While this introduces the potential for such persons to apply for legal aid should criminal proceedings be raised against them, the estimated number of prosecutions each year is expected to be negligible.
The introduction of this offence is therefore not expected to significantly impact on Legal Aid and create significant expenditure from the Legal Aid fund.
Enforcement, sanctions and monitoring
It will be a key role of the Commissioner to advise, guide and oversee the practice of those bodies covered by the Bill. The Commissioner will have the power to report on, and make recommendations regarding, the use of biometric data by a relevant body. While the body will not be compelled to comply with a recommendation contained in a report, the Commissioner can require the body to respond to the recommendation.
A response, or a failure to respond, can be publicised by the Commissioner.
The Commissioner is also able to serve a notice on a relevant body requiring the production of information to the Commissioner, which if ignored, could result in the Commissioner referring the matter to the Court of Session. Should the Court make an order for the production of information to the Commissioner, then a failure to comply with the order would be contempt of court.
The Commissioner is accountable to Parliament and must submit an annual report of his / her activities in fulfilling his functions. The Commissioner must also submit to Parliament his / her annual accounts, an annual budget, and a strategic plan every four years.
Implementation and delivery plan
Subject to the will of Parliament and the timetabling of parliamentary scrutiny of the Bill, the Commissioner is expected to be appointed in 2020, with the office of the Commissioner being established and the associated statutory Code of Practice being prepared in the current parliamentary session.
There is also provision in the Bill for the Commissioner to revise the Code from time to time. The Bill requires the Commissioner to prepare a report on the Code no later than three years after the date the Code first comes into effect, and a further report every four years from the date each subsequent report was last laid in the Scottish Parliament.
The Scottish Government will review the legislation to ensure that it is still fit for purpose within 10 years of enactment.
Summary and recommendation
The case for creating a Scottish Biometrics Commissioner and an associated code of practice for the use of biometric data for policing and criminal justice purposes is well established and supported by a range of stakeholders. The Bill will:
- establish a new Commissioner accountable to the Scottish Parliament, to keep under review the law, policy and practice relating to the acquisition, retention, use and destruction of biometric data for policing and criminal justice purposes;
- require the Commissioner to prepare, promote and monitor the impact of a new Code of Practice that is expected to provide information and guidance about the responsibilities of specified bodies and recognised standards in relation to biometric data.
The Scottish Government considers that option 4 (creating a new Commissioner appointed by Parliament) will best support the delivery of a number of national outcomes and is consistent with the Scottish Government's wider priorities for public service reform.
Option 4 offers the most benefit and poses the least risk. Most notably, this option provides for the specific expertise required to realise the full range of benefits.
It also provides the highest level of perceived openness and transparency through full independence from Government, both in terms of the Commissioner's appointment and in the officeholder's reporting processes and structures.
Whilst the costs associated with the recommended option 4 are not insignificant, the Scottish Government consider that they represent good value given the wide-ranging benefits which it expects to see realised.
The costs associated with the Bill are estimated at £184,000 for one-off set up costs; and £333,000 for annual running costs. Detailed costings for the Bill are provided in the Financial Memorandum.
Summary costs and benefits table
Total benefit per annum - economic, environmental, social
Total cost per annum: - economic, environmental, social -policy and administrative
Extending the functions to an existing parliamentary commissioner would:
Declaration and publication
I have read the Business and Regulatory Impact Assessment and I am satisfied that (a) it represents a fair and reasonable view of the expected costs, benefits and impact of the policy, and (b) that the benefits justify the costs. I am satisfied that business impact has been assessed with the support of businesses in Scotland.
Signed: Humza Yousaf
Date: 22 May 2019
Cabinet Secretary for Justice
Scottish Government contact point:
Police Powers and Workforce Unit
Tel: 0131 244 9278