Justice Committee

Scottish Biometrics Commissioner Bill Stage 1 Report

INTRODUCTION

  1. The Scottish Biometrics Commissioner Bill (“the Bill”) was introduced in the Parliament, by the Cabinet Secretary for Justice, Humza Yousaf MSP, on 30 May 2019. The Parliament designated the Justice Committee as the lead committee for Stage 1 consideration of the Bill.

  1. Under the Parliament’s Standing Orders Rule 9.6.3(a), it is for the lead committee to report to the Parliament on the general principles of the Bill. In doing so, it must take account of views submitted to it by any other committee. The lead committee is also required to report on the Financial Memorandum and Policy Memorandum, which accompany the Bill.


Policy objectives of the Bill

  1. In the Policy Memorandum, the Scottish Government states that it recognises that biometrics is a rapidly evolving area which “offers great potential in the detection, prevention and prosecution of crime”. The Scottish Government’s overarching policy objective for the Bill is to address a range of ethical and human rights considerations in Scotland relating to the collection, use, retention and disposal of biometric data in the context of policing and criminal justice. The Bill aims to ensure this is done in a lawful, effective and ethical manner.i

  1. The Bill seeks to achieve this by establishing the post of a Scottish Biometrics Commissioner (‘the Commissioner’). The primary role of the Commissioner will be to oversee the use of biometric material in the Scottish criminal justice system by drawing up and promoting the use of a Code of Practice.

  1. The Code of Practice is intended to set out how biometric data should be collected, used, retained and disposed of in the policing and criminal justice system in Scotland. The Bill confers certain powers on the Commissioner to promote compliance with the provisions of the Code of Practice.

  1. Another policy purpose of the Bill is to underpin public trust in the way in which biometric material is used by the police, by establishing a Commissioner independent of Scottish Ministers, the police and the criminal justice system. The Commissioner is to provide oversight and promote a transparent and accountable approach for the use of biometrics.

  1. The Bill proposes that this oversight is to be achieved by the Commissioner reviewing law, policy and practice in relation to biometric data; promoting public awareness of the powers and duties of police bodies as regards biometric data; and preparing and promoting the use of a Code of Practice.

  1. The Bill, as introduced, provides that the Commissioner’s oversight functions will apply to Police Scotland and the Scottish Police Authority (SPA), as the SPA is responsible for the provision of forensic services to the police in Scotland.

  1. The policy content of the Bill had been shaped by the work of the Independent Advisory Group on the Use of Biometric Data in Scotland (‘IAG’). The IAG was established by the Scottish Government in May 2017, and tasked to consider the taking, use and retention of biometric data in policing in Scotland. The IAG reported its findings and recommendations in March 2018.ii The work of the IAG is covered in more detail later in this report.


Structure of the Bill

  1. The Bill is split into 29 sections and 2 Schedules. Sections 1 to 5 deal with the establishment of the Commissioner and set out the powers and functions of the role. Sections 6 to 10 deal with the Code of Practice on the acquisition, use, retention and disposal of biometric material.

  1. Sections 11 to 14 set out the powers of the Commissioner to gather information on compliance with the Code of Practice, while sections 15 to 22 deal with the reporting powers of the Commissioner and include provisions on accountability, annual reports, audit and budgeting functions. Sections 23 to 29 deal with interpretation, commencement and ancillary procedures.

  1. Schedules 1 and 2 respectively set out further provisions around the appointment of the Commissioner and their support staff, and the application of public authorities’ legislation under the Bill.


Justice Committee consideration

  1. The Justice Committee was designated as lead committee for Stage 1 consideration of the Bill. The Committee issued a call for evidencei on 3 July 2019, with a closing date of 30 August 2019. The Committee received 14 written responsesii to its call for evidence. Responses are published on the Committee's webpage.

  1. The Committee took formal oral evidence on the Bill at five meetings (see further Annex A)-

    • On 25 June, the Committee heard from Elaine Hamilton, Bill Team Leader, Scottish Government;

    • On 24 September, the Committee heard from Professor Paul Wiles, Commissioner for the Retention and Use of Biometric Material and Lucy Bradshaw-Murrow, Head of the Commissioner’s Office. The Committee also heard from Dr Christopher Lawless, Associate Professor at the Department of Sociology at Durham University; Dr Hannah Graham, Senior Lecturer in Criminology at the Scottish Centre for Crime and Justice Research (SCCJR) at the University of Stirling, and Dr Karen Richmond of the University of Strathclyde;

    • On 1 October, the Committee heard from Dr Ken Macdonald, Head of ICO Regions at the Information Commissioner’s Office; Al Duff, Professor of Information Policy at Edinburgh Napier University and a Member of NO2ID Edinburgh; Matthew Rice, Scotland Director at the Open Rights Group, and Judith Robertson, Chair of the Scottish Human Rights Commission;

    • On 29 October, the Committee heard from Detective Chief Superintendent Sean Scott of Police Scotland and Tom Nelson, Director of Forensic Services at the Scottish Police Authority;

    • Finally, on 12 November, the Committee concluded its oral evidence taking by hearing from the Cabinet Secretary for Justice, Humza Yousaf MSP.


Consideration by other committees

  1. The Finance and Constitution Committee issued a call for viewsi on the Financial Memorandum for the Bill, between 31 May and 30 August 2019. Only one submission was received in response. This was from Police Scotland.ii As a result, the Finance and Constitution Committee did not make any comments to the Justice Committee on the financial provisions for the Bill.

  1. The Justice Committee considered the financial provisions of the Bill as part of its wider consideration of the general principles. The Committee’s views on the Financial Memorandum are set out later in this report.

  1. The Bill contains a number of delegated powers provisions. The Delegated Powers and Law Reform (DPLR) Committee published its reportiii on the Delegated Powers Memorandum on the Bill on 3 October 2019. The findings of the DPLR Committee are covered later in this report.


Membership changes

  1. During the Committee's consideration of the Bill at Stage 1 the membership of the Committee changed. Daniel Johnson MSP left the Committee and was replaced by James Kelly MSP.


BACKGROUND

The history of biometrics and policing in Scotland

  1. The use of biometric identification by police is not a new phenomenon. In Scotland, police services have been using criminal history photographs and fingerprints for over 100 years. They have also developed a variety of systems and procedures for the collection, storage and use of such data, such as the Criminal History System (‘CHS’). The background to the CHS is set out in the report of the IAG.i

  1. The Criminal Procedure (Scotland) Act 1995 (‘the 1995 Act’) is the primary Scottish legislation allowing the retention of fingerprints and other biometric samples from a person arrested by the police in Scotland. Section 18(2) states-

    “A Constable may take from the person, or require the person to provide him with, such relevant physical data as the Constable may, having regard to the circumstances of the suspected offence in respect of which the person has been arrested, reasonably consider it appropriate to take from him or require him to provide, and the person so required shall comply with that requirement."ii

  1. Section 83 of the Police, Public Order and Criminal Justice (Scotland) Act 2006, which inserted Section 18A into the 1995 Act, allows for the retention of DNA samples and profiles of persons who have been arrested but not convicted of certain sexual or violent crimes.

  1. Over the last 30 years the use of human DNA testing has become a central tool in detecting and prosecuting crime.iii Recently, these existing forms of biometrics have come to be referred to as first-generation biometrics.

  1. Scientific developments such as DNA testing have played a fundamental role in solving serious crimes such as murder and serious sexual offences.

  1. The first two decades of the 21st Century have seen an exponential increase in the use of ever more advanced wireless technology capable of collecting, storing and using large volumes of biometric and personal data. These include laptops, mobile phones, tablets and other smart devices. Combined with the growth of wireless internet connectivity, this presents a challenge to policing in the 21st Century.

  1. This new digital environment has also seen a growth in CCTV/security camera monitoring in public spaces by public and private organisations, and the introduction of the use of facial recognition and facial search technology. Other technologies, such as gait and movement recognition technology, eye/retinal identification, voice recognition software as well as data from social media, provide new biometric sources for the police. These new forms of biometric data are often referred to as second-generation biometrics.

  1. New technology combined with new software development provides opportunities for a range of new investigative police tools. Police Scotland has indicated that it wishes to utilise a number of these,iv such as systems which allow the rapid interrogation of large volumes of data through artificial intelligence software and machine learning programmes.v

  1. The introduction and use of new, intrusive technologies by the police present challenges for legislation in meeting human rights and data protection requirements. The Commissioner for the Retention and Use of Biometric Material summed up these challenges in his 2018 annual report-

    "…we are seeing the rapid exploration and deployment by the police of new biometric technologies and new data analytics. Some of these will improve the quality of policing and will do so in a way that is in the public interest. However, some could be used in ways that risks damaging the public interest, for example by re-enforcing biases of which reinforcement is not in the public interest. If the benefits of these new technologies are to be achieved there needs to be a process that provides assurance that the balance between benefits and risks and between benefits and loss of privacy are being properly managed".vi


Background to the Bill

  1. The question of how the police and criminal justice system in Scotland collects, uses, retains and disposes of biometrics has been a matter of public and policy debate since the establishment of a single national police force in Scotland.


Her Majesty’s Inspector of Constabulary in Scotland’s consideration

  1. In January 2016, Her Majesty’s Inspector of Constabulary in Scotland (HMICS) published an audit and assurance review of the use of the facial search functionality within the UK Police National Databasei (PND) by Police Scotland,ii following a request from Scottish Ministers. The aim of the review was to consider the state, effectiveness and efficiency of the arrangements surrounding the use by Police Scotland of the facial search technology capabilities contained within the UK PND, and the statutory framework that underpins police use of biometric data in Scotland.

  1. The report made a number of key recommendations. These included the establishment of an independent Scottish Biometrics Commissioner to address the issues of ethical and independent oversight over biometric databases and records held in Scotland. This Commissioner, it was recommended, should have sufficient flexibility to embrace future technologies and relevant codes of practice; and the potential to develop a statutory Code of Practice for the use of biometric data in Scotland.


Independent Advisory Group on the use of biometric data in Scotland

  1. In response to the HMICS report, in May 2017 the Scottish Government established an Independent Advisory Group (IAG) on the use of biometric data in Scotland.i This was chaired by solicitor advocate John Scott QC.

  1. An expert advisory group was established to advise the IAG in the consideration of its recommendations. It comprised a broad range of subject experts and included both strategic representation and technical input from HMICS. The IAG published its reporti in March 2018, setting out nine recommendations for the Scottish Government. The recommendationsiii of the IAG endorsed the four recommendations in HMICS’s 2016 review. They included the creation of an independent Scottish Biometrics Commissioner and an ethics advisory group, and the introduction of a statutory code of practice. The Scottish Government accepted all of the recommendations.

  1. In its report, the IAG outlined the difficulties currently faced by the lack of clear definitions around biometrics in the criminal justice system, stating that-

    “The term ‘biometric data’ is not defined in existing criminal justice legislation in Scotland. The terms ‘biometrics’ and ‘forensics’ are sometimes (wrongly) used interchangeably."iv

  1. The Committee considered the general principles of the Bill and whether they meet the recommendations of HMICS and the IAG.


THE BILL

Section 1: Establishment of the Scottish Biometrics Commissioner

  1. Section 1 of the Bill establishes the post of the Scottish Biometrics Commissioner. The Policy Memorandum indicates that the Commissioner will play a central role in setting and promoting working standards surrounding the use of biometrics in a policing and criminal justice context. The Commissioner will also play an important part in informing the views of policy and law makers responsible for making the law within which Police Scotland and the SPA operate.

  1. Elaine Hamilton, Head of the Scottish Government Bill Team, told the Committee that it “is the policy of the Scottish ministers not to create a new public body unless there is an absolute need for it and the functions cannot be carried out by an existing body".i

  1. Ms Hamilton confirmed that the Scottish Government had considered whether another body, such as HMICS or the Police Investigations and Review Commissioner (PIRC), would be suitable to carry out the functions set out in the Bill. However, the Government concluded that “the option of a new body” would be the most effective way of achieving “strengthened oversight and accountability” and would offer “a proportionate and effective approach to biometric data.” Furthermore, a “parliamentary commissioner would also function independently, with no perception of undue influence from policing-related bodies."i

  1. The written and oral evidence that the Committee received showed broad support for the establishment of a Scottish Biometrics Commissioner. The Commissioner for the Retention and Use of Biometric Material (CRUBM), Professor Paul Wiles, told the Committee that the primary requirement for a legislative framework is to have a process to decide which biometric uses by the police are in the public interest, and to consider the balance between any such public benefit and the intrusion into the privacy and liberty of individual citizens.iii

  1. Professor Wiles stated that the Bill places Scotland at the forefront of legislating for the oversight of biometric data in the field of criminal justice, saying-

    Many other countries are quite interested in what Scotland is doing, because they are all aware that they have similar issues. In particular, they are interested because the Scottish Government has come up with a form of legislation that the proposers at least believe will be flexible enough to cope with the fact that the technology in this area is moving very rapidly indeed.i

  1. In his written evidence, Dr Christopher Lawless of Durham University indicated that there was an urgent need for independent oversight of the use of biometrics, highlighting the potential for straining the bounds of the current criminal justice legislative framework. He told the Committee-

    …the first important thing is that there is a gap that needs to be filled by an agency or body that can address the technical standards around biometric technologies and critically assess the scientific basis of such technologies.i

  1. Dr Lawless added that it will be important for the Scottish Biometrics Commissioner to adopt an extensive overview of the use of biometric data, involving different stakeholders who use a range of processes in criminal investigations. This covers many biometric processes from a crime scene to the courtroom and beyond, with crime scene examiners, forensic scientists, police officers, lawyers, jurors etc. all potentially having very different experiences and understandings of biometric data.

  1. Dr Hannah Graham of the Scottish Centre for Crime and Justice Research (SCCJR) also supported the overall principles of the Bill and stated that there is a clear need for such a Commissioner in Scotland. Speaking of some of the concerns a Commissioner could address, she said-

    As recently as in the past few weeks, there have been headlines in London around whether some of the [biometric] technology might be inaccurate in 80 per cent of cases. Such statistics can capture the public imagination quite quickly, potentially cast doubt on authorities in which we would want to maintain public trust, and raise legitimate questions about accuracy, validity, bias and discrimination, and the transparency with which data is collected.i

  1. Both Police Scotland and the SPA support the establishment of a Commissioner and were members of the IAG. In their written submission, SPA Forensic Services state that “there is evidence of strong existing governance and practice within both Police Scotland and the SPA with regard to the use of biometrics data. The establishment of a Biometric Commissioner office is likely to strengthen this further."vii

  1. The Cabinet Secretary for Justice told the Committee that the establishment of a Commissioner would help to keep communities safe, whilst also respecting the rights of individuals and improving the accountability of the police service, saying that-

    Through the bill, Scotland will have a commissioner who will encourage and support fulfilment by Police Scotland and the SPA of their functions in a manner that respects fundamental human rights, the law and ethics.i


Conclusions

  1. The Committee views the establishment of an independent Scottish Biometrics Commissioner as both timely and necessary. The Bill should have enough flexibility to enable the Commissioner to provide oversight of new and developing technologies and processes which there is a desire to introduce for criminal justice and policing purposes in Scotland.


Sections 2 to 5: Functions and powers of the Commissioner

  1. Sections 2 to 5 of the Bill set out the functions and powers of the Commissioner. A primary function of the Commissioner will be to draft and promote a Code of Practice for the use of biometrics by Police Scotland and the SPA. The functions also include duties to support and promote the adoption of lawful, effective and ethical practices on biometric data, review the law and policy in this area, promote public awareness of the oversight of biometrics, and carry out, commission or support research in this area.

  1. The Commissioner also has a duty to work jointly with, assist or consult the Scottish Parliament; the Scottish Ministers; the Lord Advocate; the Chief Constable of Police Scotland, HM Inspector of Constabulary in Scotland; the SPA; the Police Investigations and Review Commissioner; the Information Commissioner; the Scottish Human Rights Commission, and such other persons as the Commissioner considers appropriate.


Independent oversight role

  1. The Bill proposes that the Commissioner provides independent oversight of biometric data to ensure public confidence in its current and future uses in the context of policing and criminal justice.i

  1. Schedule 1 of the Bill provides that the Commissioner will be appointed by HM The Queen on the nomination of the Scottish Parliament.ii The Scottish Parliamentary Corporate Body (SPCB) will be responsible for recruiting the Commissioner and providing the resources for the staff and operations of the Commissioner’s office. The SPCB will also determine the length of the term of office of the Commissioner, up to a maximum of eight years. The Bill prevents a serving or past Commissioner from being reappointed to the office.iii

  1. The Commissioner will be responsible to the Parliament, both in terms of reporting on the discharge of their powers and functions and the operations of the Code of Practice, as well as for the administrative operation of their office and use of resources.iv

  1. The need for a Commissioner, independent of Government, the police and the criminal justice system, was a key recommendation in both the 2016 HMICS review and the 2018 IAG report.

  1. The Scottish Government states that the establishment of an independent Commissioner, as set out in the Bill, provides a positive response “to the recommendations made in three independent reports from recent years".v

  1. The HMICS report indicated that public confidence in the police service’s use of biometrics could be maintained through the role of an independent Commissioner reporting to the Scottish Parliament, providing an opportunity to-

    “…build capacity and resilience in Scotland, and to explore emerging human rights and ethical considerations around the use of biometric data, not only for policing purposes but also by other public agencies involved in the collection and use of biometric data from citizens."vi

  1. HMICS highlighted public space CCTV systems, Road Camera Enforcement Systems and Automatic Number Plate Recognition Systems (ANPR) as areas where independent oversight is required.vi

  1. The IAG suggested that a Commissioner could play a vital role in helping to shape the approach taken to the ever-growing number and type of biometric data collection methods which are available. A Commissioner could also help shape how the police service may seek to use these into the future.

  1. Judith Robertson of the Scottish Human Rights Commission (SHRC) expressed concern that the independent oversight structure in the Bill does not meet the principle of placing human rights, privacy and ethical practices at the centre of biometric use. Ms Robertson said that-

    …the draft bill does not principally define the Commissioner as a body with powers to scrutinise the police but rather with the general function to support and promote the adoption of lawful, effective and ethical practices with regard to biometric data. This is problematic as it detracts from the primary role of promoting and investigating compliance against a Code of Practice for the collection, use, retention and disposal of biometric data in the policing and criminal justice system in Scotland.viii

  1. Both Police Scotland and the SPA stressed the important role that the Commissioner could play in overseeing the use of biometrics in Scotland, especially in underpinning public knowledge and confidence in the criminal justice system's use of biometrics.ix

  1. In evidence to the Committee, Detective Chief Superintendent (DCS) Sean Scott of Police Scotland welcomed “the creation of the commissioner” as an underpinning to the approach of policing by consent and retaining public confidence.ix

  1. Tom Nelson, the Head of Forensic Services for the SPA, also supported the establishment of the Commissioner. Speaking of the value a Commissioner would add, he said-

    …[where] a commissioner would add significant value is around public awareness. It is crucial that we keep the public aware of what we are doing with data. New technologies relating to DNA are coming on board, for example. In a couple of years’ time, we could be getting more characteristics from samples, such as hair and eye colour. We believe that that needs public debate, to make sure not just that what we are doing is what the public wants, but that the public understands why we want to take the data in a particular direction. We believe that a commissioner could begin to lead the public debate on where the science is going.ix

  1. The Cabinet Secretary and his officials recognised the importance of the oversight mechanism the Bill seeks to put in place for biometrics. Elaine Hamilton of the Scottish Government Bill Team told the Committee that “Scotland will have a commissioner who will encourage and support fulfilment” of Police Scotland and the SPA’s functions “in a manner that respects fundamental human rights, the law and ethics”. She emphasised that the focus of the Commissioner’s role will be to promote good practice, “identifying systemic deficiencies and providing a measure of transparency”, with the aim of promoting public confidence in policing and in the criminal justice system.ix


Conclusions

  1. The need for public confidence and trust in the use of biometrics by the police and criminal justice system is essential. The Committee agrees that the Scottish Biometrics Commissioner should be independent and endorses the proposal that the Commissioner be appointed by the Scottish Parliamentary Corporate Body.


Oversight of Police Scotland and the SPA

  1. The Bill proposes that the Commissioner has oversight of the collection, retention and use of biometric data by Police Scotland and the SPA. However, the Committee heard evidence that such biometric data use is much wider in policing and criminal justice in Scotland, and beyond.


Other police forces operating in Scotland

  1. Professor Paul Wiles told the Committee that further consideration is needed as to whether the oversight functions of the Scottish Commissioner ought to apply to police forces that operate both inside Scotland and across the UK, such as the British Transport Police (BTP) and the National Crime Agency (NCA), because-

    When the British Transport Police in Scotland arrests someone and takes biometrics, it uses Police Scotland to take them, but then ships the biometrics down to London. That is an issue, because those biometrics are currently kept according to England and Wales legislation. If a commissioner is appointed, that is perhaps something that they will need to take up. Samples that have been taken in Scotland should, in my view, be subject to the legislation that is in place here.i

  1. Matthew Rice of Open Rights Group spoke of biometric material collected under the EU's Passenger Name Record Directive, where such material is shared across borders-

    There is the supplementary question of data held in Europe that would be transferred across to the British Transport Police, for instance, such as under the passenger name directive or under anything that might imply people travelling and crossing borders with biometrics attached to it which might be used for law enforcement purposes.iii

  1. Dr Ken Macdonald of the Information Commissioner's Office also suggested to the Committee that the BTP should be added to the list of consultees set out in the Bill, in relation to the Code of Practice.i

  1. The Committee sought the views of the BTP and the NCA on the provisions of the Bill and the issues raised by witnesses in relation to their functions.

  1. In response, the Director General of the NCA, Lynne Owens, told the Committee that the NCA “relies upon paragraph 6, Schedule 1 of the Crime and Courts Act 2013 (‘the 2013 Act’) to operate in Scotland, subject to the agreement of the Lord Advocate”. Director Owens stated that the NCA operates “fully within the Scottish framework and report all of its cases to the COPFS, in accordance with paragraph 6(3) of Schedule 1 of the 2013 Act".v

  1. Commenting on the views of Professor Paul Wiles, the Director General replied that the “NCA takes no issue with the position of Professor Wiles” and “operates within the Organised Crime Partnership in Scotland and thus follows the relevant protocols of Police Scotland”, while “the Scottish Police Authority undertakes forensics” on the NCA’s behalf.v

  1. Paul Crowther, Chief Constable of the BTP, agreed with the proposition that biometric materials collected in Scotland, and their retention, use, storage or disposal, should be dealt with in accordance with the provisions of this Bill and Scots law, stating that-

    “In line with current practice, the determining factor should be the geographical boundary within which the sample has been taken."vii

  1. Describing the expected relationship between the BTP and the Commissioner, Chief Constable Crowther stated that the BTP will have regard to the legislation, and indicated that he would like the BTP to be included in the list of consultees for the Code of Practice, as well as offering to assist in the development of the Code.

  1. On governance arrangements for oversight of the use of second-generation biometrics by the BTP, Chief Constable Crowther stated that-

    “...the BTP do not currently use facial or voice recognition, we are keen to develop such technologies in a proportionate, legal, transparent and ethical manner. Therefore, oversight by the Scottish Biometrics Commissioner would provide clarity and guidance to the development of police practice in this area, supporting the Force in our ambition to exploit this data to more effectively reduce harm to the public."vii

  1. Responding to views that the Commissioner should also have oversight of other policing bodies, who share biometric data with the police service, such as the NCA and the BTP, the Cabinet Secretary for Justice said-

    I will reflect carefully, and the committee might well signal this in its report, on whether we can give more consideration to where there are cross jurisdictional issues—the British Transport Police and the National Crime Agency being obvious examples. I think that we have to give a little more consideration to bodies whose work has a policing implication.i


Conclusions

  1. The Committee considers that the Scottish Biometrics Commissioner should scrutinise biometric processes adopted by all of those who provide a policing service within Scotland, especially those who share biometric data with Police Scotland.

  1. The Committee recommends that the National Crime Agency and the British Transport Police be included in the bodies set out in Section 7(1) of the Bill, in respect of their functions in Scotland. The Scottish Government should bring forward the necessary amendment at Stage 2.

  1. The Committee also recommends that the Bill should be amended so that both the National Crime Agency and the British Transport Police be added to the bodies set out in Section 3 of the Bill in terms of the power of the Commissioner to work with others.


Other organisations collecting biometric data in Scotland

  1. Evidence received by the Committee highlighted the issue of the use of biometrics across other areas of public life such as the health service, education and local government functions. Questions were raised as to whether there is a need to ensure that the Bill is flexible enough to enable the Commissioner’s remit to be widened in future.

  1. The Policy Memorandum acknowledges the debate about the scope of the Bill and its possible future application to other organisations. It cites the recommendation of the IAG that the “Commissioner should keep under review the acquisition, retention, use and disposal of all biometric data by the police, SPA and other public bodies.”i On the issue of the police acquiring biometric data from others, the Memorandum cites the NHS as an example, saying-

    “The code will not apply to other bodies who collect, use, retain or dispose of biometric data more generally, such as the National Health Service (NHS), unless and until that data is passed to Police Scotland or the SPA.…However, were the police to ask NHS staff to act on their behalf in dealing with biometric data, then the police are bound by the code of practice and it will be for them to ensure that proper regard is being had to the code".ii

  1. The IAG report refers to the routine use of biometric data across various parts of the Scottish public sector. Its report said, for example-

    “In a non-policing context, there are public space CCTV systems, Road Camera Enforcement Systems and ANPR, all of which can capture the facial images of citizens engaged in routine lawful activity."iii

  1. The IAG went on to say that “in education, some schools operate biometric identification systems where the fingerprints of children are captured and used with parental consent.” And in a health context, a Scottish Government report in 2014 “explored the ethical, legal, human rights and social issues surrounding the existence, continued storage, and future uses of the new-born screening collection held in Scotland (known as the Guthrie Card collection)".iv

  1. As early as 2010, the Scottish Government issued guidancev designed to assist schools with the use of biometrics for student access to various services and facilities such as automated systems for recording student attendance, cashless catering systems for school meals and automation of school library systems. These are just some examples where various non-criminal justice parts of the public sector in Scotland currently use biometrics.

  1. Professor Paul Wiles told the Committee that the debate about biometrics in England and Wales has now extended beyond use by the police of new biometric technologies to a consideration of their use by private companies in large private spaces that are open to members of the public, often on an unrestricted basis. He suggests that the Scottish Government might wish to consider whether the proposed legislation would facilitate discussion of how such issues should be addressed in Scotland.vi

  1. Dr Hannah Graham told the Committee that the Bill provided an opportunity to future proof the statutory framework within which the Commissioner and the Code will operate. For example, by considering whether the “Scottish Prison Service, electronic monitoring providers or local authority providers of public space closed circuit television combined with facial recognition technologies should be encompassed within the commissioner’s remit and the code of practice now or in the future."vi

  1. Open Rights Group stated that while the reviews leading up to the introduction of the Bill had focussed on the use of biometrics by law enforcement, the issue of the use of biometrics has gone beyond law enforcement. Private actors and public authorities are now using biometric technologies, and Open Rights Group stated that the Bill creates a Commissioner with limited scope at a time when the public’s concern about the use of biometrics is growing.viii

  1. The SHRC also raised concerns about the scope of the Commissioner’s remit as set out in the Bill. The SHRC points out that the IAG’s report and the HMICS review are clear that it is not solely the police who require regulation and scrutiny on the issue of biometrics, stating-

    “There are third party agencies whose activities engage duties in relation to biometric data. Their practicing frameworks are usually enshrined in commercial contracts. The Commissioner should be able to scrutinise any person or body who deals with biometric information on any basis."vi

  1. Commenting on the use of biometrics more widely across Scottish public life, and the possible future expansion of the role of the Commissioner to encompass these circumstances, the Cabinet Secretary said-

    Once the position and code of practice are embedded, there might well be good reasons for the role [of the Commissioner] to be extended to other public bodies outside policing, such as the NHS and so on.vi


Conclusions

  1. The Committee notes the evidence that the collection, use and retention of biometrics data goes much wider than Police Scotland and the SPA, especially in areas such as education and the NHS. This data is shared with the police by other public sector bodies, and with UK police forces by private companies. Use of biometrics in this way will impact on human rights and data protection requirements. There is, therefore, a pressing need for a public debate on such use, the transparency which surrounds these practices and whether oversight and scrutiny in the Bill should be extended to cover them.

  1. The Committee asks the Scottish Government to consider how the lack of debate and transparency on the use of biometrics across Scotland might be addressed, and what role the Scottish Biometrics Commissioner could play in this, as part of its response to this Stage 1 Report.


Enforcement powers

  1. Section 7(1) of the Bill states that constables and police staff of Police Scotland and the SPA must have regard to the Code of Practice when exercising functions to which the Code relates. The Explanatory Notes which accompany the Bill state that-

    “It should be noted that the duty is to “have regard” to the code. This recognises that there may be particular times when the specific circumstances of a case mean that compliance with the code is not practicable or prudent".i

  1. The Code of Practice is the primary vehicle by which the Commissioner will deliver on the general function set out in Section 2(1) of the Bill to “support and promote the lawful, effective and ethical practices in relation to the acquisition, retention, use and destruction of biometric data for criminal justice and police purposes by the Police Service of Scotland, and the Scottish Police Authority."

  1. The Committee considered the implications of a duty for Police Scotland to “have regard” to the Code of Practice, and whether this will provide the Commissioner with sufficient enforcement powers.

  1. The Bill provides the Commissioner with two powers: the power to request information on the use of biometrics, and the power to make recommendations in terms of the Code.

  1. A key concern of witnesses was the lack of enforcement powers or sanctions within the Bill to enable the Commissioner to ensure compliance with the proposed Code of Practice. Principally, witnesses questioned whether the Commissioner’s duty to promote the Code of Practice and monitor compliance provides enough reassurance to the public that the principles in the Code would be adhered to.

  1. Professor Paul Wiles pointed out that the Bill creates a requirement for law enforcement bodies to be compliant with the Code, but it does not give the Commissioner enforcement powers. Prof Wiles explained that his experience in relation to the Protection of Freedoms Act 2012 is that monitoring and public reporting has been enough to ensure compliance, and deal with any non-compliance.ii Unlike the powers of Professor Wiles under the 2012 Act as UK Commissioner, the Bill does give the Scottish Biometrics Commissioner an enforceable power to require the provision of information.

  1. The SHRC believes that the Commissioner’s powers are not enough to provide an independent sanction regime, and that the Code should be complied with. Judith Robertson told the Committee that the SHRC-

    …do not consider that wording to be strong enough. The greatest protection would be provided if those bodies had a duty to comply with the code of practice. If the code was on a statutory footing and in the text of the legislation, it would be very clear what they had a duty to comply with, and if the commissioner deemed something to be a deviation from the code, there would be some kind of sanction.iii

  1. In his written evidence on the Bill, Matthew Rice expressed a concern that the effect of the Code of Practice is “too minimal to generate proper regulatory oversight”, as a failure “to have regard” to the Code by Police Scotland and the SPA does not give rise to grounds for legal action. The inclusion of the “have regard to” provision in the Bill risks undermining the regulatory force of the Code, and he recommended-

    “While the content of the Code is still to be determined it should clearly embed within it human rights standards and Open Rights Group sees no reason why the Code should not exist as binding, requiring those bodies to whom the Code applies to follow, not just “have regard to” the Code of Practice."iv

  1. Dr Ken Macdonald spoke of the flexibility which statutory codes of practice provide the ICO in the discharge of its duties. He urged that-

    …if the bill is passed, the codes of practice that the biometric commissioner has should be put on a statutory footing.iii

  1. Detective Chief Superintendent Scott responded to the discussion on the requirement for Police Scotland ‘to have regard’ to the Code, and not a duty to comply with it. DCS Scott explained that he sees the relationship with the Commissioner being similar to the one between Police Scotland and HMICS, where Police Scotland “generally work to implement its recommendations”. DCS Scott explained-

    If there is an area in which we have an opposing view, we have discussions and come up with a resolution. In working with a commissioner, I do not think that we would ever get to a point at which we would refuse to comply. If we had issues with a recommendation or a direction of travel, we would have dialogue with the commissioner far in advance of getting to that stage, and I would like to think that we would be able to work it through.iii

  1. Tom Nelson of the SPA stated that, as the director of forensic services “if the commissioner came up with a proposal that we should follow, it would be hard for me not to follow it. My board would certainly hold me to account for why we did not follow it.”iii Expanding on his view of the relationship with the Commissioner, he said-

    From a forensic services perspective, we hope to have a strong relationship with the commissioner. We feel that the commissioner is there to help us to determine the best way forward in relation to, for instance, databases in Scotland.iii

  1. In response to a question on whether the SPA would have any concern if the Bill was amended to ensure that there was a requirement to comply with the Code, Mr Nelson responded-

    If that was the feeling of Parliament, that would be the way to go. From my perspective, I know that I could not stand before my board and say why I had not followed a recommendation from the commissioner.iii

  1. DCS Scott responded that he would reserve judgment on this question, as he “would be more comfortable running that terminology past” Police Scotland’s legal services. In supplementary written evidence, Police Scotland stated that, following consultation with their legal services team, they’ve “concluded that, as this is a Code of Practice, the correct term which should remain within the Bill is ‘have regard to’ and [the Bill] therefore should not be amended to read ‘comply with’."x

  1. Responding to the debate on whether the Bill should place a duty on Police Scotland and the SPA to comply with the Code, as opposed to a requirement to ‘have regard’ to it, the Cabinet Secretary indicated that he felt that the power of the Commissioner to ‘name and shame’ was sufficient. He said-

    “Failure to have regard to the code of practice could result in notification to Scottish ministers and the Scottish Parliament. That public sanction of naming and shaming could have a significant effect on the police…we have given the matter careful consideration and I think that we have struck the right balance."iii

  1. Pressed further on the matter the Cabinet Secretary stated it is his “resolute belief” that the Bill achieved the right balance, adding that he would be “open minded about any suggestions” from the Committee. Mr Yousaf said that he wanted “to ensure that the commissioner feels that he or she has enough powers—should it ever be the case that Police Scotland and the SPA are not complying—to get them to have regard to the code."iii


Conclusions

  1. In light of the evidence received, the Committee believes that the enforcement powers provided to the Commissioner in the Bill are insufficient as currently drafted. The use of biometrics for criminal justice and policing purposes in Scotland will have far-reaching human rights, ethical and privacy impacts.

  1. The Committee considers that the power of Professor Wiles as UK Commissioner to ‘name and shame’ any of the 43 police forces in England and Wales seems more appropriate, as those forces can, in effect, be benchmarked against each other on good practice or poor practice by the UK Commissioner. As there is only one police force in Scotland, this will not be an option open to the Scottish Biometrics Commissioner under the Code of Practice.

  1. The Commissioner should have the powers to enforce any compliance which may be needed, as circumstances dictate. Lack of these powers may serve to undermine public confidence in the proper and proportionate use of biometrics for criminal justice and policing purposes in Scotland.

  1. The Committee understands that a duty to ‘have regard to’ a code of practice has been used in the past for policing purposes, to enable flexibility in the discharge of public interest functions where there are good reasons for departing from a code. However, as the Code of Practice is the cornerstone on which the oversight and scrutiny system set out in the Bill will rest, the ‘have regard to’ duty should be reviewed after experience of the scrutiny and oversight system set out in the Bill as enacted has been gained in practice.

  1. After discussion, the Committee recommends that, as part of the review recommended in paragraph 158 (on the powers of the Commissioner), the Scottish Government also review the effectiveness of the ‘have regard to’ provision in Section 7(1). The Committee also recommends that the Commissioner report on the effectiveness of the ‘have regard to’ provision in promoting its general function in Section 1, either as part of the reporting powers provided in Section 15, or as part of the Commissioner’s annual report to the Parliament under Section 22 of the Bill.


Relationship with the UK Commissioner for the Retention and Use of Biometric Materials

  1. The Committee heard that the relationship between the Commissioner and Professor Wiles as UK Commissioner will play an important part in shaping the wider UK oversight landscape for the use of biometrics. Various stakeholders commented on whether the Bill provides the necessary flexibility to support this wider role.

  1. In its written evidence to the Committee, the Law Society of Scotland states that it is not clear from the Bill or supporting documents how the Scottish Biometrics Commissioner will interact with the UK Commissioner for the Retention and Use of Biometric Material (Professor Wiles). The Law Society added that it “is slightly surprising” that CRUBM is omitted from those bodies set out in Section 3 of the Bill with which the Commissioner is empowered to work jointly. The Law Society felt this was important as “there needs to be consistency in approaches to be adopted across the UK, particularly given the international dimension to crimes, especially those in relation to terrorism and serious organised crime."i

  1. Professor Wiles also commented on the scope of the potential relationship between his office and the Commissioner. When asked whether he would not have much interaction with the Scottish Commissioner other than on matters of national security, Professor Wiles replied “Yes. Broadly, it is correct to say that the Scottish commissioner will deal with the police on matters that are not matters of national security."ii


Conclusions

  1. While it will be for the Scottish Biometrics Commissioner to consider the scope of their working relationship with the Commissioner for the Retention and Use of Biometric Material (CRUBM), the nature of that relationship should be open and transparent, so as to promote public confidence and trust. The Committee suggests that this relationship would benefit from being formalised through a memorandum of understanding. This approach could also be adopted with other relevant UK Commissioners.

  1. The Committee recommends that the Commissioner for the Retention and Use of Biometric Material be added to the bodies set out in Section 3 of the Bill in terms of the power of the Commissioner to work with others. The Scottish Government should also consider adding the Forensic Science Regulator and the Surveillance Camera Commissioner to Section 3 of the Bill.


Relationship with the UK Information Commissioner

  1. Section 3 of the Bill specifies the organisations with which the Commissioner may work jointly in the performance of their functions. The Committee considered whether there was any overlap between the functions and powers of the Commissioner and those of the ICO.

  1. Dr Ken Macdonald spoke about the potential of overlap in the role of the Commissioner in monitoring compliance with a biometrics Code of Practice, and the work of the ICO in dealing with public complaints about the mishandling of personal data. He said-

    With regard to our responsibilities on data protection, it is key for individuals to know how their data is being handled, to whom it might be passed on and for how long it might be retained. It is a message that all data controllers, and all organisations that collect data, should give to the data subjects: the people involved. Anything that improves their understanding of what is happening to their information has to be welcomed. What we are discussing is just another element of that.i

  1. Dr Macdonald added that, whilst the functions of the Commissioner were clear “there is still potential for dispute between a Scottish biometrics commissioner” and the ICO.i

  1. However, Dr Macdonald explained the good working relationship that exists between the ICO and Professor Paul Wiles, the UK Biometrics Commissioner. He told the Committee that there are regular meetings both at senior levels and informally, and that there had therefore been no need for any form of memorandum of understanding between the ICO and Professor Wiles.

  1. The Bill does not contain any complaint mechanism. In response to a question on this omission, Tom Nelson of the SPA told the Committee that the ICO might be a route for complaints, saying that “much depends on what a complaint is about. The ICO has a role to play in relation to complaints about information, so that is a potential route for people who want to complain."i

  1. The Cabinet Secretary told the Committee that he saw “the roles of the UK Information Commissioner and the Scottish biometrics commissioner as being complementary”, and that he wished to avoid any overlap in their functions.i

  1. The Committee appreciates that it will be for the Commissioner to determine their relationship with the UK Information Commissioner. Given the potential for confusion about the roles, the Committee would recommend a memorandum of understanding between the organisations, and that this clearly signposts the complaint mechanisms available to the public.


Keeping legislation, policy and practice under review

Leading the debate on the use of biometrics in policing and the criminal justice sector

  1. Sections 2(3)(b) and (c) of the Bill place a duty on the Commissioner to promote public awareness and understanding of biometrics in the criminal justice system. As part of this function the Commissioner must keep the law on biometrics under review.

  1. A consistent theme to emerge in relation to the development of a policy and legislative framework for the use of biometrics in the Scottish criminal justice system is the need for a single actor, or officeholder, to take the lead in providing information to the public. Such a role would also help lead and shape the debate on the use of biometrics and identify where action is needed, for example to address gaps in legislation. The Committee heard that a Scottish Biometrics Commissioner could fulfil this role.

  1. It was pointed out to the Committee that the 2016 HMICS review found that while the statutory framework in Scotland has specific legislation to govern and regulate the retention of biometrics such as fingerprints and DNA, there is no similar legislation which specifically governs the police retention and use of photographic images. The HMICS recommended that the Scottish Government should work with Police Scotland and the SPA to consider legislative provision in relation to the retention and use of photographic images by the police.

  1. Concerns were raised in evidence about the increasing ability of intelligent software systems to become central to police investigations by allowing quick and targeted analysis of large data sets, including biometric data. This presents both an ethical and legal challenge to the criminal justice system.

  1. Professor Wiles explained that there “is now a clear probability that the police will want to make use of some of the new biometrics and, certainly in England and Wales, they have already begun experimenting with doing so."i This included biometrics technology, big data and artificial intelligence.ii

  1. Professor Wiles told the Committee of the importance of someone leading an informed debate on these technologies, and the need for private technology companies to be included in that discussion. Prof Wiles believed that “the commissioner will want to bring together what the tech companies say about the products and their evidence to justify what they say about the products—the scientific basis for that, any independent testing that has been carried out and so on”. Professor Wiles stated that such a lead by the Commissioner would “result in a proper and informed public debate."ii

  1. Highlighting the public concern arising from recent doubts about the reliability of systems like facial recognition technology, Dr Lawless told the Committee that someone needed to undertake the role of assessing the scientific basis of the technologies being used or proposed-

    For me, that is really important, because when we talk about the ethics of biometrics, the ethical issues are very closely related to—if not interdependent with—matters of reliability and validity, and they link into matters of public confidence.ii

  1. The Committee heard that the police service will want to introduce the use of new technologies, and that it is the role of government to ensure the parameters within which those technologies can be used.

  1. Professor Wiles cited the views recently expressed by Dame Cressida Dick, Commissioner of the Metropolitan Police Service, that while police should take advantage of new technology to improve policing, she does not believe that it is for the police service to draw up the rules by which that technology is used.v

  1. Both Police Scotland and the SPA acknowledged the importance of ensuring that the debate on biometrics in Scotland is shaped by the Scottish Biometrics Commissioner. Tom Nelson of the SPA said-

    …it is all about keeping the public informed and engaged. That is crucial, because the last thing that we want is for the public to lose confidence in our databases. At the end of the day, we are public servants, and we want the public to be involved in the discussion.ii

  1. The Cabinet Secretary acknowledged the important role the Commissioner will play in public debate in Scotland, from areas such as the use of facial recognition technology, to consulting the public on the Code of Practice, and ensuring it is kept up to date. Mr Yousaf pointed out that the Commissioner will not do this in isolation, but as part of a complementary structure of developments, such as the planned ethics advisory groups, which are discussed later in the report.ii


Conclusions

  1. A key role for the Scottish Biometrics Commissioner is to lead the debate in Scotland on the use of biometrics for criminal justice and policing purposes. The Committee recognises that this debate is not restricted to policing and believes that the Scottish Biometrics Commissioner must take a lead in setting out how scrutiny and oversight in Scotland responds to the growth of biometrics.

  1. The Committee notes that the recommendation of HMICS that the Scottish Government works with Police Scotland and the Scottish Police Authority to consider legislative provision in relation to the retention and use of photographic images by the police has not been implemented. This represents a legislative gap.

  1. The Committee asks the Scottish Government to set out the areas of legislation that it would expect to be prioritised by the Commissioner for review as part of its response to this Stage 1 report.


Lawful, effective and ethical practice

Establishment of an ethics advisory group

  1. The IAG recommended that an ethics advisory group be established as part of the oversight arrangements. The remit of the group would be to work with the Commissioner and others to promote ethical considerations in the acquisition, retention, use and disposal of biometric technologies and biometric data.

  1. The Scottish Government accepted this recommendation and gave a commitment to develop proposals for its remit and membership in discussion with stakeholders, drawing on the connections and relationships that have been developed through the work of the IAG.i

  1. The Bill does not include a provision for the establishment of an ethics advisory group.

  1. In their written submission, the SHRC describe the decision by the Scottish Government not to include an ethics advisory group on the face of the Bill as “regrettable”, saying that “the IAG report rationalised the need for such a group quite clearly. They drew on evidence of the success of the Biometrics and Forensic Ethics Group in England and Wales".ii

  1. Both Dr Lawlessiii and Dr Grahamiii stated that the establishment of such a group would be a welcome development. Dr Graham recommended that an ethics advisory group should be established in time to work with the Scottish Biometrics Commissioner and other relevant stakeholders in drawing up the Code of Practice.

  1. The Cabinet Secretary for Justice, when giving evidence to the Parliament’s Justice Sub-Committee on Policing on 13 June 2019, announced his intention to establish a reference group to advise Scottish Ministers, saying-

    I plan to form an independently chaired reference group to scope the possible legal and ethical issues arising from emerging technological developments. The overall aim is to ensure that Police Scotland can continue to have not only the power to keep our communities safe but, crucially, the right safeguards to protect the rights of the individual.v

  1. While giving evidence on the Bill on 12 November, Mr Yousaf explained to the Justice Committee that Scottish Government officials were currently “scoping the remit and membership of the group”. He explained that they are in touch with the Biometrics and Forensic Ethics Group in England and Wales, to help to inform the remit and membership of the group.

  1. The Cabinet Secretary indicated that he expected that the advisory group currently being scoped “will be established at around the same time that the new biometrics commissioner” will come into office. He added that he did not envisage that group would be established on a statutory footing.iii


Conclusions

  1. The Committee agrees with the Cabinet Secretary for Justice that expert advice on ethics will be vital in helping support the work of the Commissioner in developing policy on the use of biometrics in the criminal justice system and for policing purposes. It is therefore unclear why the Scottish Government did not include the establishment of an ethics advisory group as part of the Bill.

  1. The Committee asks the Cabinet Secretary to clarify the reason for this decision and set out how he would expect an ethics advisory group established by the Commissioner to interact with any Scottish independently chaired reference group the Cabinet Secretary may establish.

  1. The Committee believes that an ethics advisory group which is established to support the Commissioner must be independent from Government, and that its membership should be a matter for the Commissioner. The Committee asks the Scottish Government to set out its views on this as part of its response to this Stage 1 report.


Futureproofing

  1. The Committee heard concerns about how the Bill’s oversight regime could respond to issues, such as Police Scotland’s proposal to introduce the use of live facial recognition technology. Many of these concerns were about how the use of this technology would meet privacy, ethical and human rights requirements.

  1. In his 2018 Annual Report, Professor Wiles stated that police deployment of facial recognition and matching technology in England and Wales, which is used to scan crowds or CCTV recordings for people of interest, was chaotic and had run ahead of laws that could prevent its misuse.i With no legal framework in place, the report found that it was left to the police to decide when the public benefit outweighed the “significant intrusion into an individual’s privacy” arising from facial recognition and other types of biometric identification.

  1. In May 2018, the UK Information Commissioner, Elizabeth Denham, raised concerns about facial recognition technology and law enforcement, describing the use of this technology in public spaces as particularly intrusive. She stated that the current use of facial recognition to monitor law-abiding citizens as they go about their daily lives was a real “step-change",ii which could undermine public trust in its use.

  1. Another theme running throughout the evidence received on the general principles of the Bill is the acceptance that the Scottish Biometrics Commissioner will require to have an ongoing relationship with private sector entities in order to be able to carry out the functions set out in the Bill.

  1. Matthew Rice stated his belief that the use of biometrics across areas like the public and private sector “is an issue of high public concern”, which the scope of the Commissioner’s role in the Bill cannot address.iii

  1. Professor Wiles spoke of the importance of the Commissioner having a working relationship with the private sector developers of biometrics because they are-

    …influential as the providers of biometrics. As I am sure that you are aware, the technology companies—particularly the big ones—are vociferous lobbyists for the use of their technology. Therefore, if I were the commissioner, I would want to talk to them and make sure that they were part of that conversation, because, at the moment, it is difficult to keep up with the different uses for biometrics that technology companies are developing, some of which are surprising uses that one had not thought of.iii

  1. Dr Lawless also raises a number of questions with regard to the Code of Practice and adherence to it by private companies who may work in conjunction with the police and other agencies in providing biometric services. Dr Lawless believed that much more clarity will be required regarding the Scottish Biometrics Commissioner’s relationship with the private sector in the light of the potential for biometric technology to evolve quickly, which may be due in part to private sector activity.v

  1. These views were also echoed by Dr Hannah Graham when she spoke of private sector organisations which support public sector collection of biometrics. She drew the Committee’s attention to the fact that-

    …the Scottish Prison Service and the provision of electronic monitoring currently involve both public and private companies, and that might continue to be the case in the future...Most of the international providers of electronic monitoring and reporting technologies, such as tagging, boxes and kiosks, have increased interconnectivity with other technologies. Therefore, we might see biometrics connecting with the global positioning system and with other things that we could know about people who are monitored. Increasingly, nearly anyone who bids for the Scottish contract [for parole e-monitoring of prisoners] will have biometrics as part of what they are suggesting, because they will need to be able to verify or identify a person remotely for their home detention curfew or alcohol monitoring, and to verify that a breath sample that has been given is indeed theirs.iii

  1. Dr Graham also highlighted the issue of “the involvement of biometric data in cases involving violence in custody as well as the profoundly serious and sad cases where there is a death in custody.” She requested the Committee “check and discuss with the relevant people how the bill relates to" biometrics in such circumstances. She stated that "if the bill goes ahead largely unamended, I would want the committee to check that you are confident that the Police Scotland and SPA remit within that is fine."iii

  1. The Cabinet Secretary stressed the reason for the focus of the Commissioner’s role on biometrics use by the police and criminal justice was in acknowledgement of the unique powers the police hold to restrict a person’s liberty and the “lasting and significant impacts on people’s lives”. However, he stated-

    We should not dismiss a possible broadening of [the Commissioner’s] remit, or take it off the table, but the initial phase should be focused on policing.iii

  1. Similarly, in response to debate on whether other parts of the criminal justice system, such as prisons and the parole system, should come under the scope of the Bill, the Cabinet Secretary reiterated his view that for now, the initial focus of the Commissioner’s work should be on Police Scotland and the SPA. But he indicated he will “keep an open mind about broadening the commissioner’s remit in the future” to include other parts of the criminal justice system.iii


Conclusions

  1. The oversight framework and Code of Practice established by the Bill will set the blueprint by which policing and the criminal justice system develop their use of biometrics. The Committee notes that a similar blueprint will be required in due course for other parts of the public sector.

  1. The Committee is of the view that sufficient levels of consideration have yet to be given to issues such as the collection of biometric data by private sector entities who work with the police and criminal justice system, and the wider public sector, in sharing, using and retaining biometric data.

  1. The Committee recommends that the Scottish Government include a suitable period within the Bill, to review the scope of the Commissioner’s remit and powers.

  1. As part of the review, the Scottish Government should consult on whether other public sector bodies should be included within the scope of the Bill, for example the Scottish Prison Service, parole e-monitoring and local government CCTV systems.

  1. The Bill should recognise the role the Commissioner will need to undertake to interact with private sector users of biometrics, as well as private sector technology developers whose work drives the development of new biometrics data.

  1. The Committee asks the Scottish Government to set out in its response to this Stage 1 report, how it expects the Commissioner will assess the scope of biometrics being used for criminal justice and policing purposes in Scotland, which are provided by the private sector, and the oversight regime required to achieve this.


Cross-jurisdictional responsibility

  1. An area of concern which has emerged during the Committee’s scrutiny of the Bill centres around the legal basis of biometric data gathered in Scotland which is then subsequently uploaded or copied to UK-wide police databases located outside Scotland. Concerns were raised as to whether the power of the Scottish Biometrics Commissioner would extend to the gathering, use, retention and disposal of biometric data gathered in Scotland and retained on UK police databases.

  1. In his evidence to the Committee, Professor Wiles considered this issue and indicated that Scots law should determine the matter, saying that-

    Police Scotland uploads biometrics to the UK-wide databases, so there are issues to do with the extent to which retention of that material will follow Scots or English law. I think that the answer to that question is that, if the biometric samples or biometric profiles in the case of DNA are Scottish, Scots law ought to apply. Technically, there is no reason why that should not be done.i

  1. Professor Wiles highlighted the age of the UK-wide police databases and the fact they are coming to the end of their technical operational life. The UK Home Office and police forces across the UK are currently working on projects to replace the databases, to meet data protection requirements. This process, Prof Wiles observed, presents an additional challenge which may require the Scottish Biometrics Commissioner to have a seat on the strategic board overseeing the replacement databases.i

  1. Concerns over the legality of data held in UK-wide police databases, such as the UK Police National Database (PND) and IDENT1, were the focus of the evidence received from Dr Karen Richmond of the University of Strathclyde.

  1. In her written evidence to the Committee, Dr Richmond stated that Section 2(1)(2) of the Bill provides that the Scottish Biometrics Commissioner’s general function does not extend to biometric data in relation to which a national security determination has been made under section 20 of the Protection of Freedoms Act 2012. Such data comes under the remit of Professor Wiles as the UK Biometrics Commissioner. However, she went on to state that the “interactions between the two commissions are apt to be more complex” than the Bill allows.iii

  1. In evidence to the Committee, Dr Richmond agreed with Professor Wiles’ suggestion that some of her concerns could be addressed by the Scottish Biometrics Commissioner having a seat on the strategy board overseeing the development of new UK-wide police databases. Nevertheless, she told the Committee that she-

    …was concerned that there might be a slight lacuna in the bill between the function of the Scottish biometrics commissioner and Professor Wiles’s function in England and Wales. As [Professor Wiles] stated in his evidence, when Police Scotland and the SPA collect samples of DNA and what are called “ten prints”—fingerprints—and load them on to Scottish databases, they are also loaded on to the UK national DNA database and to IDENT1, which is a national UK fingerprint database. From the way in which the proposed legislation is drafted, it seems as though the samples that are copied on to UK databases might fall between two pieces of legislation.i

  1. In supplementary evidence, Dr Richmond explained that “the status and governance of - and responsibility for – DNA, and fingerprint data, deriving from samples taken in Scotland by either Police Scotland or the Scottish Police Authority, is problematic. At present, copies of DNA profiles…are routinely sent to England for loading onto the National DNA Database, and the National IDENT1 fingerprint database”. These databases, Dr Richmond pointed out, fall within the ambit of Professor Wiles as UK Commissioner. However, the UK Commissioner’s statutory powers only extend to biometric samples taken in England and Wales under Section 63D (1)(a) and (b) of the Police and Criminal Evidence Act 1984 (PACE), and a number of other counter-terrorism statutes."v

  1. Dr Richmond warned that this legal uncertainty could give rise to a situation where “a citizen of England or Wales whose biometric samples and data are collected under PACE would be afforded certain rights relating to the use and retention of their data on the national databases. Individuals whose samples and data were collected in Scotland would find themselves comparatively disadvantaged” since the functions of the Scottish Biometrics Commissioner in the Bill, “extend no further than the Scottish jurisdiction”, and the UK Commissioner “enjoys no powers over the retention and use of Scots samples copied to national databases."vi

  1. In response to a question on who would have oversight of biometric data collected in Scotland, and stored on UK databases, the Cabinet Secretary said-

    The bill does not give the Scottish biometrics commissioner direct access to UK databases, but where Police Scotland or the SPA choose to store that biometric data will be a matter that falls within the oversight functions of the commissioner under the bill. The fact that biometric data is being stored in UK databases could be the subject of reports and recommendations by the commissioner, which could inform further consideration of the matter.i


Conclusions

  1. The Committee is concerned that the powers of the Commissioner do not include oversight of biometric data collected by the police service in Scotland, that is then retained on UK-wide police databases based outwith Scotland. The Committee asks the Cabinet Secretary to provide clarity on this issue in his response to the Stage 1 report, with a view to addressing this at Stage 2 if required.

  1. The Committee recommends that the Scottish Government seek agreement with the UK Government that the Scottish Biometrics Commissioner be a member of any strategic boards overseeing the development of new UK-wide police databases.


Lack of a complaints process

  1. A concern for many witnesses was the lack of a complaints system for the public within the Bill. Open Rights Group highlighted in their written evidence that one of the key functions of the Commissioner will be to promote public awareness and understanding of the duties and responsibilities of those who acquire, retain, use and delete biometric data. This includes public awareness of how those powers and duties can be monitored and challenged.i

  1. In evidence to the Committee, Matthew Rice pointed out that the Bill does not provide a method whereby a member of the public could raise concerns with the Commissioner, such as an individual complaints mechanism.

  1. Open Rights Group pointed to work the Information Commissioner’s Office has undertaken on public engagement campaigns, such as ‘Your Data Matters’ii which exists to help the public understand how companies might be using data to target individuals online and how individuals can control who is targeting them.

  1. DCS Scott of Police Scotland acknowledged the importance of the public having a right to complain, but felt the “lack of a specific public complaints mechanism” within the Bill would not mean that there is no effective way of dealing with a public complaint on the use of biometrics or compliance with a Code of Practice.iii

  1. Tom Nelson of the SPA indicated that it would depend on the nature of the complaint, noting that the Information Commissioner’s Office “has a role to play in relation to complaints about information”, which could provide a “potential route for people who want to complain.” However, he told the Committee he thought-

    …that the commissioner would want to hear the public and understand where their concerns were coming from. That ability to engage with and speak to the public, which was the number 1 recommendation of the IAG, would certainly allow the commissioner to provide assurance to the public, and it would ensure that the public and the commissioner could identify any challenges.iii

  1. The Cabinet Secretary told the Committee that the ICO provides a route for complaints, saying-

    …specific complaints about the handling of data can be made to the UK Information Commissioner.…there is currently an avenue to make a complaint about the handling of data, which can be investigated. The role of the biometrics commissioner is designed not to duplicate that.iii

  1. However, the Cabinet Secretary went on to note the concerns being raised about “public confidence” and stated that the Government could perhaps be “explicit about what the commissioner can and cannot do…at the moment—even before the bill is enacted—there is nothing that would preclude an individual from going to the Information Commissioner if they felt that their biometric data was being unlawfully collected, retained or disposed of”.iii


Conclusions

  1. The Committee is concerned that there is a risk to public confidence and transparency if a complaint mechanism is not included in the Bill.

  1. The Committee recommends that the Scottish Government includes a complaint mechanism within the Bill, to enable the public to refer issues to the Scottish Biometrics Commissioner on the use of biometrics by Police Scotland and the SPA, or on their lack of compliance with the Code of Practice.


THE CODE OF PRACTICE

Sections 6 to 10: Development, effect, consultation, implementation and review

Development, approval and review

  1. Sections 6 to 10 of the Bill set out the duties of the Commissioner in developing and implementing a Code of Practice on the use of biometrics by those bodies to which the Code applies.

  1. Section 6 of the Bill provides that the Scottish Biometrics Commissioner must prepare, and may periodically revise, a Code of Practice on the acquisition, use, retention and destruction of biometric data for criminal justice and police purposes. Before submitting a draft Code of Practice to Scottish Ministers for approval, the Commissioner is required to consult a prescribed list of stakeholders, including the Chief Constable of Police Scotland, the SPA, the Lord Advocate, the Information Commissioner and the Scottish Ministers, amongst others.

  1. The Policy Memorandum states that the Code of Practice provided for in the Bill will provide detailed information and guidance for police bodies on the achievement of recognised standards in relation to the acquisition, retention, use and destruction of biometric data. It is anticipated that the Code will reflect the need for transparency, accountability and the observance of the rule of law. The Code is also likely to provide guidance in relation to good practice particularly in relation to children, young people, vulnerable individuals and groups with certain protected characteristics.i


Code of Practice: purpose and statutory underpinning

  1. One of the key issues raised in evidence is the Scottish Government’s decision not to include the Code of Practice in the Bill, as recommended by the IAG. The majority of witnesses were of the view that the Bill needed to conform to the original blueprint set out in the IAG report and place the Code of Practice on a statutory footing.

  1. As one of its central recommendations the IAG drew up a draft Code of Practicei on biometrics, which was subject to public consultation, in cooperation with Police Scotland and the SPA. The Scottish Government published the outcome of this consultation in January 2019.ii

  1. Providing the Committee with an overview of that draft Code, Tom Nelson, Director of Forensic Services at the SPA stated-

    [The draft Code] defines biometric data, it goes through the purpose of the code of practice and it looks at the human rights aspect of retention and how we should review that. It goes through some general principles, one of which is on the introduction of new technology, and it considers the process that we should follow in introducing new technology or new evidence types into, for example, forensic services.iii

  1. Mr Nelson described the IAG’s draft Code of Practice as “definitely fit for purpose”,iii adding that the draft Code also addressed the processes to support the work of introducing new technologies, as well as procedures to allow the public to get information on the robustness of forensic systems in using biometric material correctly.iii

  1. The Policy Memorandum states that the Code of Practice which the Commissioner will draw up under the Bill is intended to “fill a gap in the current biometrics landscape in Scotland, which lacks a commonly recognised set of working standards".vi

  1. Speaking about the purpose of the Code of Practice, and the proposed role of the Commissioner in drawing it up, Prof Wiles told the Committee-

    The bill proposes the principles on which codes of practice should be drawn up, which include human rights, data protection legislation and principles from the current legislative framework for DNA and fingerprints. The commissioner must operate within those broad principles—they will not be free simply to do what they want.iii

  1. Elaborating on the principles which must underpin the Code, Prof Wiles said the Code must seek to answer “whether a particular use of biometrics is in the public interest, and whether the public-interest case outweighs the invasion of privacy and the reduction of liberty” as well as “who should be allowed to take biometrics and under what conditions, when and with what authority".

  1. In its written submission, the SHRC states that “a robust Code of Practice established on a statutory footing would provide the most determinative guidance to all of those operating in the field as well as those regulating it."

  1. Judith Robertson, SHRC, told the Committee that the “purpose of the code is to enable clarity on the protection of people’s rights”. She described the IAG’s draft Code as robust, providing clear principles, and allowing an assessment of whether people’s rights are being breached. She added “that this crucial protection is not in the bill, because the code is not in the bill.”iii

  1. Ms Robertson explained that there is an understanding that the Code will change over time, saying that-

    I think that it is recognised in the draft version of the code that things will change. Ensuring that there is that capacity to review and re-lay the code is really important, because it needs to be fit for purpose, and its purpose is to protect people’s rights. That is another argument for including the code in the bill.iii

  1. Tom Nelson of the SPA acknowledged the need for a statutory Code of Practice, stating-

    We agree with the code being established in legislation. However, we feel that the detail of the code should sit outside that, in order to give us flexibility, because things are changing quickly. We want to ensure that the legislation and the code of practice enable us to be fleet of foot so that we can quickly move with the times.iii

  1. Responding to questions on the IAG’s draft Code of Practice, Mr Nelson confirmed that the content is flexible enough at present so that no further legislation will be required.iii

  1. DCS Sean Scott of Police Scotland stressed the need for flexibility and agility in the process of drawing up, consulting and amending a Code, as it would need to respond to rapidly changing circumstances, such as the development of investigatory techniques based on biometrics utilising gait analysis or vein-pattern analysis. Agreeing with Tom Nelson he cautioned against a structure for a Code of Practice which might require frequent changes to primary legislation.iii


Conclusions

  1. The Committee appreciates that the detail of the Code of Practice will be subject to change, and there is a need to include the flexibility for it to be updated and reviewed without the need to amend primary legislation. The Committee also notes that a draft Code of Practice was prepared by the IAG and consulted upon, on the basis that it would come into force at the same time as the Commissioner takes up post.

  1. The Committee agrees that there should be a statutory Code of Practice. The Committee recommends that the Bill establish a statutory basis for the existence and application of the Code, and that the specific details of the Code, and any future revisions, be provided for by subordinate legislation.

  1. Furthermore, the Committee calls on the Scottish Government to re-examine the draft Code of Practice already prepared and consulted on by the IAG. If the Government is of the view that draft Code meets the principles set out for the Code in the Policy Memorandum (and which the Committee has recommended be placed on the face of the Bill) we ask the Government to consider amending the Bill to bring that draft Code into force at the same time the Commissioner takes up office. We comment further on the approval mechanism for the Code later in the report.


Drawing up of the Code of Practice

  1. The Policy Memorandum indicates that the Scottish Government’s objective for the Bill is to deliver on its “vision for a just, safe and resilient Scotland” identifying “the need to live in safe, cohesive and resilient communities as a priority outcome”. It recognises that biometrics are a rapidly evolving field which “offers great potential in the detection, prevention and prosecution of crime and, thereby, the delivery of community safety."i

  1. On the timeframe for the development of the initial Code of Practice, the IAG recommended that the “Code should be developed and finalised to come into force at the same time as the Commissioner takes office.” The Commissioner could then “take responsibility for matters relating to enforcement of the Code, subject to review by the Parliament."ii

  1. Dr Lawless reiterated the importance of the Code of Practice being driven by clear principles. Commenting on the statutory consultees for the Code set out in the Bill, Dr Lawless observes that-

    It is important for the commissioner to consult as wide a variety of stakeholders as possible. I emphasise the need to have a conversation with suppliers and industry, which should have their own board, but it is also important to consult others, such as civil society groups. We have heard about the role of organisations such as Big Brother Watch in England and Wales; such groups very much need to be included. The public should possibly be consulted, too, as the code of practice needs to be clearly communicable and clear to the public. Consulting a suitably varied and diverse array of people might help to protect the code from any accusations of vested interests or other such criticisms.iii

  1. Considering some of the principles which will be needed to underpin the Code, witnesses pointed to two recommendations set out in the work of the IAG, namely the accuracy principle and the principle of the presumption against retention of data.

  1. DCS Sean Scott of Police Scotland supported the IAG recommendation on a presumption for deletion of biometric data as a central part of the oversight system established by the Bill. He stated that “one of the IAG’s nine recommendations was about the retention periods and a presumption of deletion, and that is absolutely right”.iii

  1. The Committee recommends that the principles underpinning the Commissioner’s role and the purpose of the Code of Practice in promoting and protecting human rights, privacy and public confidence must be enshrined in the Bill. The principle of delivering community safety, as set out in the Policy Memorandum, should also be included in the Bill.

  1. As recommended by the IAG, the Code of Practice must include a presumption of deletion of biometric data after the expiry of prescribed minimum retention periods. This presumption, however, should not impede the power of the Chief Constable to apply for the retention of biometric data for a given period of time, as operational needs require.


Approving the Code of Practice

  1. Section 6 of the Bill requires the Commissioner to “prepare, and may from time to time revise, a code of practice on the acquisition, retention, use and destruction of biometric data for criminal justice and police purposes."

  1. Subsections (2) and (3) of Section 6 give the Scottish Ministers the central role in approving the Code of Practice and any amendments to it, stating-

    • 6(2): Once the Commissioner has prepared a draft code of practice, the Commissioner must submit it to the Scottish Ministers for approval;

    • 6(3): The Scottish Ministers may approve a draft code of practice— (a) without modification, or (b) with such modifications as they, with the consent of the Commissioner, consider appropriate.

  1. The other parts of Section 6 provide that where the Scottish Ministers do not approve a draft code (or any revisions to the approved code), they must give the Commissioner a statement of their reasons for not approving it.

  1. Section 9 of the Bill provides that a draft Code of Practice approved by the Scottish Ministers, shall not come into force until regulations making the Code have been laid and approved by the Scottish Parliament. Such regulations will include the text of the draft Code approved by Ministers, and those regulationsi would be subject to the affirmative procedure. This is subject to a 40-day period where the Delegated Powers and Law Reform (DPLR) Committee, and any subject committee could consider an instrument.ii

  1. In relation to certain types of codes or guidance where an enhanced level of parliamentary scrutiny is deemed appropriate, guidance from the DPLR Committee stated that regulations “which require to go through a “pre-legislative scrutiny” period involving formal consultation on a draft (or other additional requirements) followed by approval by a vote in the Chamber before they can be made are known as super-affirmative SSIs”.iii While there is no specified timescale for the consideration of an SSI under the super-affirmative procedure, a recent report from the DPLR Committee indicated an appropriate timescale of 60 to 90 days for such scrutiny.iv

  1. The Committee heard evidence that this approval mechanism is at odds with the Scottish Parliament’s role to appoint and fund the Commissioner, and the independence of the functions of the Commissioner in being responsible to the Scottish Parliament, not the Scottish Ministers.

  1. Judith Robertson of the SHRC described the proposed approval mechanism for the Code as a potential weakness, telling the Committee that “if the code was debated, approved and understood by the Parliament and its implications were interrogated through the parliamentary process, that would give better protections. Placing it on a statutory footing would mean that it would be an integral part of the parliamentary process.”v

  1. Both Matthew Rice and Dr Ken Macdonald agreed with this view. Dr Macdonald told the Committee that he “certainly agreed that the code should be approved by the Parliament rather than the Scottish Ministers."v

  1. Describing how Police Scotland would work with the Commissioner and others on the development of the Code, DCS Sean Scott said that-

    Once the commissioner is in place, they can work with those organisations, including us, to create the code of practice, which can be agreed by Parliament.v

  1. Tom Nelson highlighted his view of how a Code of Practice, established in the Bill, would be approved-

    Our recommendation is that the code be established in legislation, but that the details of the code should be worked out separately and should come back to the Parliament and be consulted on before final sign-off.v

  1. The Cabinet Secretary indicated that the Scottish Government wished to approve the code of practice on the ground of cost and to ensure it aligned with the Scottish Government’s policy, saying that the-

    …code of practice must be approved by the Scottish ministers. The reason for that is largely to ensure that there is alignment with affordability and policy coherence, which are important considerations for us. Clearly, if a code of practice was developed that was unaffordable and went in a direction that we would view as regressive rather than progressive, against our policy alignment, we would want to be able to influence that.v

  1. Addressing the role of the Parliament in approving a draft Code of Practice, the Cabinet Secretary said the Government “must lodge in the Parliament an affirmative instrument that sets the day on which the code will come into effect, and [the Scottish Ministers] must lay the code on the same day."v


Conclusions

  1. The Committee accepts that the Scottish Ministers require to be included in the process for consultation and approval of the draft Code of Practice. However, the Committee considered that the method for the approval of a draft Code of Practice is at odds with the underlying principle of the Bill. The affirmative instrument procedure for approving the draft Code by regulations will provide the Scottish Parliament with some time for scrutiny; however, that process would not allow the Parliament to make any recommendations for changes to the draft Code. Such a process is also subject to a specific, and potentially restrictive, 40-day time limit.

  1. In all other aspects the Commissioner is accountable to the Parliament for the discharge of their statutory functions, save in the case of the drawing up or revision of the Code of Practice.

  1. In order to deliver meaningful and transparent engagement on the Code of Practice, the final scrutiny and approval of a draft Code should rest with the Scottish Parliament, not the Scottish Ministers.

  1. The Committee recommends the Bill be amended to empower the Commissioner to lay the draft Code of Practice before the Parliament, following agreement with the Scottish Ministers, for consideration and approval. This process should allow enough time for the Parliament, and its committees, to consult on the draft Code and report back before final approval.

  1. We note the recent views of the Delegated Powers and Law Reform Committee on possible timescales for instruments considered under the super-affirmative procedure and consider that a period of 60 days would be a suitable timeframe for consideration of an initial draft Code of Practice. Subsequent modifications of the Code could be achieved via regulations subject to the affirmative instrument procedure.

  1. The Committee recommends that the Bill establish the Code of Practice, which has already been consulted on, as an interim Code which should come into force at the same time as the Commissioner takes up their role. This would ensure there is no hiatus between the Commissioner coming into post and the application of a Code of Practice on the collection, use, retention and disposal of biometrics for criminal justice and policing purposes. Furthermore, the Committee recommends that the Bill include a requirement for the Commissioner to review the interim Code as soon as possible and lay a full revised draft Code of Practice before the Parliament for consideration in the manner set out in paragraphs 223 and 224.


Sections 11 to 14: Information gathering

  1. Section 11 deals with the powers of the Commissioner to gather information in relation to the actions of Police Scotland and the SPA to which the Code of Practice applies and to the actions they have taken to comply with the Code.

  1. Section 12 provides the Commissioner with the power to report any failure by Police Scotland and the SPA to provide information sought under Section 11, to the Court of Session. The Commissioner may then seek orders to compel Police Scotland and the SPA to provide information.

  1. Sections 13 and 14 relate to court proceedings and the requirement for the Commissioner not to disclose confidential information in a manner not provided for in the Bill.

  1. The Committee is content with the powers set out in Sections 11 to 14, but as has been previously stated, notes the apparent mismatch between these powers in these sections, and the lack of powers provided to enforce the Code of Practice.


Sections 15 to 17: Reporting

  1. Section 15 of the Bill empowers the Commissioner to publish a report and make recommendations to the Parliament on the compliance with the Code by those bodies to which the Code of Practice applies under Section 7(1), namely Police Scotland and the SPA.

  1. Section 16 empowers the Commissioner to require Police Scotland and the SPA to respond to any recommendations set out in such a report to the Parliament and requires a statement to be made by the respective bodies as to how they intend to implement the Commissioner’s recommendations (in part or in full) and if not, the reasons why.

  1. Section 17 empowers the Commissioner to publish a statement in response to statements made by Police Scotland and the SPA under Section 16, and for the publication of this statement.

  1. These sections help provide for the ‘name and shame’ mechanism open to the Commissioner to promote compliance with the Code of Practice. While the Committee is content with these provisions, as previously stated these should operate as part of a wider set of enhanced powers for the Commissioner in terms of compliance with the Code by the police and SPA.


Sections 18 to 22: Accountability

  1. Sections 18 to 22 deal with the Commissioner’s accountability to the SPCB and the Parliament for the proper functions of their office, such as the development of strategic plans, budgets, accountable officer functions, accounts and audits and annual reports.

  1. In relation to Section 19 on budgets, the Committee has concerns regarding the potential scope of the role of the Commissioner, and the resources provided to underpin that role.

  1. The Committee would expect the Commissioner to make regular reference to the adequacy of the resources provided to the SPCB by the Scottish Government for the operations of their office, as well as any additional resourcing needs which may be required if the role of the Commissioner expands over time. We comment on the Financial Memorandum further in the report.


Sections 23 to 29: Other provisions

  1. Sections 23 to 29 deal with defining the meaning of biometric data, interpretations in the text of the Bill, regulation making powers, ancillary provisions, application of public authorities legislation, commencement and the short title of the Bill respectively.


Conclusions

  1. The Committee welcomes the definition of biometric data as set out in Section 23 of the Bill, as this was a key recommendation of the IAG report. However, we note the Bill does not contain any regulation making powers which would allow the definition of biometric data to be amended should circumstances require this in future.

  1. In light of the evidence taken from numerous witnesses on the need for maximum flexibility in the Bill, so as to respond to the rapid pace of change in the field of biometrics, we ask the Scottish Government to reflect on this and set out in its written response to this Stage 1 report how the definition in Section 23 could keep pace with future developments in biometrics.


Schedules 1 and 2

  1. The Committee is content with the ancillary provisions set out in Schedules 1 and 2 of the Bill.


FINANCIAL AND POLICY MEMORANDA

Role of the Parliament

  1. Schedule 1 of the Bill provides that the Commissioner will be appointed by HM The Queen on the nomination of the Scottish Parliament.i The Scottish Parliamentary Corporate Body (SPCB) will be responsible for recruiting the Commissioner and providing the resources for the Commissioner and the staff and operations of the office. The SPCB will also determine the length of the term of office of the Commissioner, up to a maximum of eight years. The Bill prevents a serving or past Commissioner from being reappointed to the office.ii

  1. The Commissioner will be responsible to the Parliament, both in terms of reporting on discharge of their powers and functions and the operations of the Code of Practice, as well as for the administrative operation of their office and use of resources. The Commissioner will be responsible for recruiting and appointing the staff of their office, subject to the terms and conditions set down by the SPCB.iii

  1. Several witnesses speculated that the potential pool of candidates available to fill the role of Commissioner may be rather limited. Dr Lawless told the Committee that he was confident there are suitable candidates available to fill the post. However, he added that the interdisciplinary nature of the role will require someone with a “scientific background” and a knowledge of “law and matters of ethics and social impact."iv


Support for setting up the Commissioner's office

  1. The Committee also received a briefing note from the SPCB Officeholder Services secretariat. This is the section of the parliamentary administration which oversees the support to office holders and commissioners who are appointed and supported by the Scottish Parliamentary Corporate Body (SPCB). There are six SPCB supported office holders at present, they are-

    • the Commissioner for Children and Young People;

    • the Commissioner for Ethical Standards in Public Life in Scotland;

    • the Scottish Human Rights Commission;

    • the Scottish Information Commissioner;

    • the Scottish Public Services Ombudsman; and

    • the Standards Commission for Scotland.

  1. Currently, four of these are Crown appointments and serve on a full-time basis. They are the Commissioner for Children and Young People, the Chair of the Scottish Human Rights Commission, the Scottish Information Commissioner and the Scottish Public Services Ombudsman.i

  1. The Commissioner for Ethical Standards in Public Life in Scotland also serves in a full-time capacity and is appointed by the SPCB, with the consent of the Scottish Parliament. However, this post is not a Crown appointment. The members of the Standards Commission for Scotland serve on a part-time basis and are appointed by the SPCB, with the consent of the Scottish Parliament. Finally, three part-time members of the Scottish Human Rights Commission are appointed solely by the SPCB (to serve alongside the full time Chair of the SHRC). None of these posts are Crown appointments.

  1. Amongst other issues, the Note from the SPCB Officeholder Services secretariat states that while SPCB staff can provide support in some of the administrative tasks of establishing a Commissioner’s office once they are in post, the primary responsibility for the recruitment of staff and for the setting up of various systems such as IT systems, human resources, payroll and pension provisions is a matter for the Commissioner. The Note goes on to say-

    "It is important that the Financial Memorandum which accompanies any Bill is as accurate as is possible with regard to the number of staff the officeholder will need to employ as this will be used by the SPCB when agreeing staff numbers... Periodic reviews to establish whether the financial and workload assumptions of the legislation remain accurate, particularly when it is a new office/additional functions, would assist the SPCB when being asked to consider a request for additional funding given the impact on its overall budget requirement."ii


Conclusions

  1. The Committee notes the comments on support for the establishment of the Commissioner as well as noting that this would be the first occasion on which a Crown appointment of an SPCB supported officeholder is being made on a part-time basis.


Resources

  1. As previously stated, the Finance and Constitution Committee did not make any comments to the Committee on the Bill. Nevertheless, one of the key concerns expressed throughout our evidence taking has been around the level of resources estimated to be required to allow the Commissioner to operate effectively.

  1. Other SPCB supported officeholders have faced resourcing issues as a result of changes or expansion to their role and powers over time, or as a result of growing demand for activity. For example, in 2016 the Session 4 Local Government and Regeneration Committee consideredi the impact on the resources of the Scottish Public Services Ombudsman from the introduction of the Scottish Welfare Fund.ii And the provisions of the Children and Young People (Scotland) Act 2014 have significant resource implications for the Office of the Children and Young People’s Commissioner in Scotland.iii

  1. The Financial Memorandum which accompanied the Bill stated that the Commissioner’s role will be a part-time one estimated to be 0.6 full time equivalent (FTE). The Commissioner would be supported by three full time staff who would operate the Commissioner’s office and be expected to carry out the bulk of the day-to-day work in developing the Code of Practice and liaising with key stakeholders.iv

  1. Table C from the Financial Memorandum sets out the estimated split of total costs for the Commissioner between financial years 2020/21 and 2021/22, (inclusive of VAT where appropriate) as follows-

    Financial Year 2020/21: includes set-up costs in italics, and part year running costs.
    Financial Year 2021/22: recurring running costs for a full financial year.

    Cost Type                                 2020/21 (£)    2021/22 (£)
    Recruitment Costs                               4,000
    Accommodation: fit out and legal fees         126,000
    IT and website set-up                          50,000
    Marketing/payroll and HR set-up                 4,000
    Commissioner’s remuneration                    28,500         57,000
    Staff salaries                                 42,000        167,000
    Accommodation                                  15,000         60,000
    IT maintenance                                                 5,000
    Website maintenance                                           15,000
    Payroll/HR services                                            3,000
    Travel & subsistence                            1,000          4,000
    Other administrative costs                        500          2,000
    Professional fees                                             20,000
    Total Costs                                  £271,000       £333,000

  1. Various witnesses expressed concerns that the role of the Commissioner as set out in the Bill would not match the potential real-world experience of the Commissioner in light of the rapidly developing field of biometrics in public life.

  1. Professor Paul Wiles commented that he has “no remit in respect of the new [second-generation] biometrics”, adding that he is “constantly asked about them”. He told the Committee that the police in England and Wales “constantly come to me and discuss them. My having no remit on them has not stopped people assuming that I do”.v He pointed to the fact the Scottish Biometrics Commissioner will have a proactive role in second-generation biometrics which he does not, and this will be an additional resource burden.

  1. Speaking of the initial work the Commissioner will, most likely, undertake, Professor Wiles noted that the Commissioner will “particularly initially, be involved in significant consultation about the codes of practice. The workload will probably get a bit easier once the codes are established, but I imagine that they will require a lot of work."v

  1. Dr Lawless also raises a concern with regard to resources given the potentially extensive range of activities the Commissioner may be expected to undertake. Considering the questions as to whether the post may need to be appointed on a full-time basis, he questioned “whether the commissioner would have time to visit various parts of the policing service to compare and contrast, check and establish that the code is being followed."v

  1. Much of the evidence the Committee has received has highlighted the interdisciplinary nature of the work the Commissioner and their staff will need to undertake. Fully recognising the resource implications of this will be vital, as the Commissioner will have to formulate a Code of Practice, engage with a wide range of public and private sector stakeholders in Scotland and further afield, and lead the public debate in Scotland on biometrics.

  1. As has already been highlighted, the Commissioner will need to quickly address the lack of standards in the reliability of the biometric data collected by various forms of commercially-available technology, as well as the claims of the commercial manufacturers regarding the reliability and impartiality of their products and the data they provide. The Commissioner may also be required to engage in other reviews/consultations which may commence once they are in post.viii

  1. Commenting on other potential costs, such as financial provision for research set out in the Financial Memorandum, Dr Karen Richmond said-

    I note that the research budget would not buy much research, should the commissioner want to commission any…The bill talks about ethical and effective practices. There can be no claims about effectiveness without evidence to back that up.v

  1. Both Police Scotland and the SPA also considered that the potential for a rapidly expanding workload is a realistic prospect for the Commissioner, and this may warrant a full time postholder. DCS Sean Scott said he thought the Commissioner role will be “extremely busy” given the volume of work required to oversee biometrics.v Speaking of the impact which biometrics sourced from privately held databases may have on the workload of the Commissioner, DCS Scott said-

    ...that the issues are more about private databases and what happens outwith the police and the SPA...so much is sitting out there in private databases in private companies and other areas—that is the area that is unregulated and ungoverned. Extending the code of practice into other areas will be a huge task, so [a] full time [Commissioner] might be the best option.v

  1. During oral evidence to the Committee the Cabinet Secretary conceded that “there was maybe an issue about how the financial memorandum was presented. Perhaps we can be more explicit in future stages of the bill”, he stated.v


Conclusions

  1. Given the current scope of biometric development, and a potentially rapid growth rate in the future, the Committee is concerned that the Financial Memorandum may not sufficiently estimate the resources which may be needed to support the delivery of the Commissioner’s functions. It is difficult to say with any certainty how accurate the cost estimates in the Financial Memorandum will prove to be over time.

  1. A significant portion of the Commissioner’s time immediately after appointment may be taken up with the recruitment of staff for the office and the establishment of the technical and statutory employee requirements to underpin the work. The Scottish Ministers must be mindful of this and work in close co-operation with the SPCB to ensure the smoothest possible set up period for the Commissioner’s office and staff.

  1. The budget allocation to the SPCB for the support of the Commissioner must make adequate provision for research, public consultation and marketing, and legal advice to support the Commissioner’s work, with scope for this to be increased if decisions are taken subsequently to increase the Commissioner’s workload or the scope of their office.

  1. The Committee recommends the SPCB and Scottish Government review the resourcing provision for the Office of the Commissioner at the end of Financial Year 2021/22 (the estimated first full financial year from which the Commissioner will be funded from SPCB resources). The Commissioner should also report on any resourcing pressures they faced as part of the annual reporting process to the Parliament.

  1. Furthermore, the Government must undertake to provide sufficient resources to the SPCB to support the work of the Commissioner if their role increases in response to Government policy or legislation, or the expansion of the number of organisations to which the Code of Practice applies.


DELEGATED POWERS MEMORANDUM

  1. The Delegated Powers and Law Reform Committee (DPLR Committee) considered the delegated powers in the Bill at its meeting on 1 October 2019.

  1. The DPLR Committee considered each of the delegated powers in the Bill and published its report on its consideration on 3 October 2019.i It determined that it did not need to draw the attention of the Parliament to the delegated powers set out in the Bill.


Conclusions

  1. The DPLR Committee therefore reported that it was content with the delegated powers provisions contained in the Bill. The Committee notes the conclusion of the DPLR Committee.

  1. We draw the attention of the Delegated Powers and Law Reform Committee to the recommendations made in relation to regulation making powers around the Code of Practice in Section 6 and Section 9, and on Section 23 on the meaning of biometric data.


RECOMMENDATIONS ON THE GENERAL PRINCIPLES

  1. The evidence received by the Committee clearly demonstrates that the role of biometrics is fast becoming a central element of the way in which Scotland is policed and crime is investigated and prosecuted.

  1. The Justice Committee draws its conclusions and recommendations on the Bill to the attention of the Parliament and recommends that the general principles of the Bill be agreed to.


Annex A: Oral and Written Evidence

The Committee took oral evidence on the Bill at the following committee meetings-

The Committee received written submissions on the Bill from-

  • Her Majesty's Inspectorate of Constabulary in Scotland (HMICS)

  • Karen M Richmond (Doctoral Researcher), University of Strathclyde

  • Law Society of Scotland

  • Lawless, Dr Christopher, Durham University

  • Northumbria University

  • NO2ID

  • Office of the Commissioner for the Retention and Use of Biometric Material

  • Open Rights Group

  • Petal Support

  • Police Scotland

  • Scottish Centre for Crime and Justice Research (SCCJR), University of Stirling

  • Scottish Human Rights Commission

  • Scottish Police Authority, Forensic Services

  • Scottish Youth Parliament

  • Stonewall

The Committee received supplementary written submissions on the Bill from-

  • Karen M Richmond

  • SPCB Officeholder Services on the Appointment of Scottish Parliamentary Corporate Body Supported Officeholders

  • Police Scotland on the Code of Practice

The Committee also exchanged the following correspondence on the Bill-


Annex B: Glossary of Terms

Introduction

The following glossary of terms has been included to assist the reader in understanding some of the technical terms referred to in this report. In many cases, there are no universally agreed upon definitions, or statutory definitions, for many of these terms, as their meaning can vary depending on the context within which they are used. The glossary sets out commonly held descriptions to assist the reader in understanding the content of this report.

  • Algorithm: An algorithm is a set of instructions designed to perform a specific task. This can be a simple process, such as multiplying two numbers, or a complex operation, such as playing a compressed video file. In computer programming, algorithms are often created as mathematical functions, and serve as small programs that can be referenced by a larger program when performing a specific operation. For example, internet search engines use algorithms to display the most relevant results from their search index for specific queries.

  • Artificial intelligence: The theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages.

  • Automatic Number Plate Recognition (ANPR): A technology operated by UK police forces using a network of specialist cameras designed to read the registration number plate of vehicles passing in front of the camera. This allows registration numbers to be read and instantly checked against database records of vehicles of interest to the police.

  • Biometrics: The measurement of the human body, whether biological measurements or physical characteristics, that can be used to identify individuals. Fingerprint mapping, DNA, facial recognition, and retina scans are all forms of biometrics. There are first- and second-generation biometrics, which are covered separately within this glossary of terms.

  • Biometric Data: Section 23(1) of the Bill defines Biometric data as: "information about an individual’s physical, biological, physiological or behavioural characteristics which is capable of being used, on its own or in combination with other information (whether or not biometric data), to establish the identity of an individual". It is the data generated from biometric measurements of the human body.

  • CCTV/Closed Circuit Television: Also known as video surveillance, CCTV is a TV system in which signals are not publicly distributed but are monitored, primarily for surveillance and security purposes. CCTV relies on strategic placement of cameras, and observation of the camera's input on monitors. CCTV footage can be monitored live by dedicated staff or recorded for later review and analysis. CCTV can be operated by both public and private sector organisations, and can operate in public spaces (such as city centre streets or motorways), or privately owned spaces to which the public have access (such as commercial premises like shops, or transport facilities like railway stations and airports etc.).

  • Criminal History System (CHS) in Scotland: The CHS is a computer system operated by Police Scotland where all records and images of charged and convicted persons in Scotland are stored. The criminal history images within these records are derived from photographic images relating to a particular custody episode when an arrested person is brought into police custody. These images, and the related criminal history records, are uploaded automatically to the UK Police National Database (PND). In the event of acquittal, the records and images are removed from CHS and PND.

  • Data set: A data set is a collection of data. Large data sets are sets of data that may be from large surveys or studies and contain raw data, microdata (information on individual respondents), or all variables of data, which can be exported and analysed. Examples include data extracted from the use of the internet and social media.

  • DNA (Deoxyribonucleic Acid): DNA is a self-replicating organic material which is present in nearly all living organisms as the main constituent of chromosomes. It is the carrier of genetic information. In policing, forensic DNA typing has become a widely used investigative tool to identify people.

  • Eye/Iris/Retinal recognition: This is a biometric technique that uses the unique patterns in the structure of a person's eye for person identification. This could be retinal identification - using the unique patterns of the layer of blood vessels situated at the back of the eye, to identify a person. Or, it could be iris identification, which uses the structure and pattern of the iris at the front of the eye, for identification.

  • Facial recognition technology: This is a biometric software application capable of uniquely identifying or verifying a person by comparing and analysing patterns based on the person's facial contours and features.

  • Facial search technology: This is biometric software which allows for the identification of a specific individual's face from still or moving images by matching specific features with biometric data, such as a photograph, on file for that individual.

  • Fingerprints: An impression or mark made on a surface by a person's fingertip, able to be used for identifying individuals from the unique pattern of whorls and lines on the fingertips.

  • First-generation biometrics: A name given to certain forms of biometric analysis which are widely used by the police (such as: DNA, fingerprints, photographic identification). Many of these types of biometrics have some form of statutory regulation overseeing how they are collected, retained, used and disposed of.

  • Gait recognition technology: A form of biometric technology used to systematically study and monitor human locomotion (movement). This usually involves visually-based systems that use video cameras to analyse the movements of individual body parts in order to identify someone from the way that they move.

  • IDENT1: The UK's central national database for holding, searching and comparing biometric information on those who come into contact with the police as detainees after being arrested. Information held includes fingerprints, palm prints and scene of crime marks.

  • Machine learning: This is the scientific study of algorithms and statistical models that computer systems use to perform a specific task without using explicit instructions, relying on patterns and inference instead. This allows computers to automatically learn and improve from experience without being explicitly programmed.

  • Police National Computer (PNC): First established in 1974, the PNC is a national computer system holding a record of anyone who has been arrested, convicted, cautioned, reprimanded or warned about a recordable offence. A recordable offence is any offence punishable by imprisonment of at least one year, plus a number of other minor offences including begging or drunkenness in a public place. Records relating to over 12 million people are currently held on the PNC, and information about people’s convictions, cautions, reprimands or warnings is stored for 100 years from their date of birth. The PNC is currently operated and maintained by the College of Policing in England and Wales.

  • Police National Database (PND): Introduced in 2010 the PND is a nation-wide database that includes all of the information on the PNC plus extra information and “intelligence” held by UK police forces. This includes “soft” information such as allegations made against a person that did not result in any arrest being made, and concerns passed on to the police from other public bodies (i.e. schools or social services). The PND is currently operated and maintained by the College of Policing in England and Wales.

  • Road Camera Enforcement Systems: A series of traffic enforcement cameras, such as speed cameras, intended to reduce the number of road traffic accidents and related injuries by enforcing road traffic law. This system also provides data to prosecute motorists for offences such as speeding or dangerous driving. Such cameras can be mounted at fixed positions (such as speed camera poles) or operate on a mobile basis (such as from specialist traffic camera units in vans).

  • Second-generation biometrics: A name given to newly emerging forms of biometric analysis which have not, to date, been widely used in policing (such as: facial recognition, gait recognition, eye/iris/retinal identification, and voice recognition).

  • Social media: A system of websites and applications that enable users to create and share content or to participate in social networking. Various forms of personal social media can hold large amounts of personal and biometric data on individuals.

  • Ten Prints: The fingerprints and thumb prints from both an individual's left and right hand.

  • Vein pattern analysis/matching: Also referred to as vascular technology, this is a technique of biometric identification through the analysis of the unique patterns of blood vessels visible from the surface of the skin (such as on the forearm, or the back of a person's hand).

  • Voice recognition: The computer analysis of the human voice, for the purposes of interpreting words and phrases or identifying an individual voice.

  • Wireless connectivity: This is the term used to describe any computer network where there is no physical wired connection between the sender and the receiver, but rather the network is connected by radio waves and/or microwaves to maintain communications. Many personal devices (such as smartphones) provide for the near instantaneous transfer of data between computer networks, over a system of wireless connectivity, such as wireless broadband.