Meeting date: Tuesday, October 1, 2019
Justice Committee 01 October 2019
Agenda: Decision on Taking Business in Private, Scottish Biometrics Commissioner Bill: Stage 1, Contingency Planning (Brexit), Delegated Powers and Law Reform Committee Consultation (Referral Criteria for Scottish Law Commission Bills)
Scottish Biometrics Commissioner Bill: Stage 1
Agenda item 2 is an evidence session on the Scottish Biometrics Commissioner Bill. I refer members to paper 1, which is a paper by the clerk, and paper 2, which is a private paper.
I welcome our panel of witnesses: Dr Ken Macdonald, head of ICO regions, Information Commissioner’s Office; Al Duff, professor of information policy at Edinburgh Napier University and member of NO2ID Edinburgh; Matthew Rice, Scotland director, Open Rights Group; and, last but not least, Judith Robertson, chair of the Scottish Human Rights Commission.
I thank the witnesses for going to the trouble of making written submissions. I cannot tell you how invaluable it is for the committee to see written submissions before we take formal evidence.
I will ask the first question. Are members of the panel in broad agreement that the proposal to introduce a Scottish biometrics commissioner is a timely one, and do they think that the Government has got it right? Who would like to start? That is a fairly easy question to start with.
Judith Robertson (Scottish Human Rights Commission)
I would be happy to start.
I am the chair of the Scottish Human Rights Commission, which generally supports the direction of travel of the bill. We have worked alongside John Scott QC and the independent advisory group to consider the issue. We have been involved for a couple of years, but we know that a huge amount of important work was done prior to that process that recognised the need for clarity around regulation in relation to biometrics in Scotland and for human rights to be engaged—particularly article 8 of the European convention on human rights, which is on the right to private and family life. That recognition is clear and explicit in the proposed legislation, and we welcome that process.
We have some concerns. We would like the legislation to be strengthened in various ways—obviously, the evidence session will explore that in more detail—but we think that it is a start in the process.
That is helpful. The question was about timing. Is this the right time for the proposal, or could it have been later?
Matthew Rice (Open Rights Group)
Since 2017, the Open Rights Group has been involved in the policy debates on the creation of a biometrics commissioner in Scotland, and throughout, we have been consistent in supporting the creation of such a commissioner. To answer the question specifically, we are in broad agreement with the direction of travel and think that the bill is a timely addition to the landscape in Scotland, but we think that there are specific areas that can be improved on.
Al Duff (Edinburgh Napier University and NO2ID Edinburgh)
I represent NO2ID, which is an organisation that is opposed to identity cards in any form and to the growth of the database state. We support the bill, which is a step in the right direction, but we are looking for something rather different from what the bill has in mind. We are looking for a fully fledged information protector for Scotland.
Are you content on the timing specifically?
The timing is absolutely right.
Dr Ken Macdonald (Information Commissioner’s Office)
As members will be aware, I served on the independent advisory group whose report led to the bill. Obviously, I am content that the bill is going through. I represent the United Kingdom Information Commissioner, and I see the bill as complementary to our work. Concerns have been raised that there might be overlap. However, we have experience of working with the UK biometrics commissioner, from whom the committee heard last week, and anything that helps to clarify the way in which biometric information, which can be quite intrusive information, is held and used in Scotland has to be welcomed.
Thank you for that. To drill down a bit further, the Scottish biometrics commissioner’s general function, according to the bill,
“is to support and promote the adoption of lawful, effective and ethical practices in relation to the acquisition, retention, use and destruction of biometric data”
by Police Scotland and the Scottish Police Authority. It is good just to get that on the record at the beginning. Are the witnesses satisfied that that general function is sufficiently fit for purpose? If not, what changes should be made to ensure that it is?
We think that we need a lot more than someone who covers just police use of facial recognition and biometric data. We want to see a fully fledged rather than part-time information champion who would be a privacy champion for Scotland to supplement the role of the Scottish Information Commissioner, whose remit should be freedom of information. The information polity requires someone to champion the other side of the coin, which is privacy and data protection. We therefore have in mind a fully fledged privacy commissioner who would look at not just facial recognition data but any kind of cameras or data, whether that comes from the police, the secret services, the public sector or the private sector. The commissioner would be an ombudsman, a port of resort for inquiries, and someone who would engage in and commission research on privacy and would be a champion for privacy in the Scottish public sphere.
The issue goes well beyond that of facial recognition. We think that the bill is far too narrow. It is a part-time position, and that never really works. We are looking for someone who can take the bull by the horns and cover privacy in every respect. For example, cameras in school toilets and classrooms are not at the facial recognition level; they are closed-circuit television cameras, and we think that that is a problem. Police filming of innocent football crowds on a routine basis is not necessarily about facial recognition, but we think that it is wrong. We need something much bigger than what is proposed in the bill that would show that the Scottish Government and the Scottish Parliament are ahead of the curve as we head into the global information society.
What you propose would clearly involve a huge piece of work. Rather than have no legislation at this time, is not the bill a step in the right direction?
I do not see why the bill cannot be redrafted. That would not be a lot of extra work, and the person would not have to be tied to any particular law. The person we have in mind would deal with not just data protection law but other laws relating to privacy, so they would have a freewheeling role and would not be tied to any particular act. I do not see why you cannot go back to the drawing board a little. You have done a lot of good work, and facial recognition is the top issue at the moment, but you are in grave danger of producing an anomaly and something that does not address all the issues. There is an opportunity now for the Scottish Parliament to do something new. It would be reported all around the world if you funded a privacy commissioner. I know of only one country in the world that has both an information commissioner and a privacy commissioner: Canada, which has led the way. In many respects, we should be emulating Canada on the issue.
Okay. Ken Macdonald is next. Members may ask supplementary questions once we have heard from all the panellists.
I must clarify the legal situation. As I said, I represent the UK Information Commissioner’s Office. Although the ICO is headquartered in Wilmslow, just south of Manchester, we have a small office here, in Melville Street, and we also have offices in Belfast and Cardiff, which I head up.
Data protection is a reserved matter. Although I can understand the concerns of Professor Duff, at present it is not within the legislative competence of the Scottish Parliament to legislate on the data protection side of things. Therefore, there is no opportunity to have a privacy commissioner of the sort that he suggests.
Thank you. That is helpful. I will bring Professor Duff back in once other members of the panel have had a shot and we have had some supplementaries. There might be some questions for him.
I would like to answer your specific question about the role of the commissioner in general. We have some concerns about that, in that the bill does not principally define the commissioner as a body with powers to scrutinise the police in relation to their use of biometrics; rather, it defines the commissioner as having a
“general function ... to support and promote the adoption of lawful ... and ethical practices”.
From our perspective, that is problematic, because it detracts from what we consider should be the primary role of promoting and investigating compliance with a code of practice in relation to the collection, use, retention and disposal of biometric data. We think that making that very explicit in the bill would afford the strongest protection against intrusion into people’s rights. We must make sure that that is the purpose of the commissioner.
In other words, the bill lacks teeth when it comes to enforcement.
At the moment, it does.
We have some concerns about the scope of the commissioner’s role. Although we would not go as far as Professor Duff, we think that the use of biometrics is an issue of high public concern, but the matter does not end with law enforcement—it is clear that there are applications of biometrics in private sector and other public sector bodies that the public are concerned about. We feel that it is unhelpful that the bill is slightly narrow in that respect.
I agree with Judith Robertson and the Scottish Human Rights Commission on the need to put the commissioner on a stronger footing with regard to investigating and maintaining compliance with the statutory code.
Liam Kerr has a supplementary question.
Professor Duff mentioned the fact that the commissioner will be a part-time role—0.6 full-time equivalent, I think. When the committee raised that concern previously, it was given assurances that the strength of the team that will back up the commissioner will ensure that the part-time status of the role will not be a problem. Do you disagree with that?
Yes, I strongly disagree with that. We envisage the individual having a wider and much greater role. It would have to be a full-time position. If that does not happen, that would suggest that the Scottish Government and the Scottish Parliament are not taking privacy seriously.
As we move on, there will be other opportunities for people to speak more fully about any issues that they think have not been covered.
Good morning. I want to raise an issue that we covered at last week’s meeting. We were given assurances by the Commissioner for the Retention and Use of Biometric Material, who covers England and Wales, that the proposed role is broad ranging enough and that the proposed powers are extensive enough. However, we have heard concerns about the extent of the role from the witnesses and from others who have supplied written evidence. For example, even in the criminal justice system, the Scottish Prison Service will not be covered by the bill’s provisions.
Although initially the commissioner might be a part-time role, are there ways in which the powers that the bill provides could be extended almost incrementally? I would like us to establish where the areas of priority are and how we might move forward to a more all-encompassing role in due course.
One way in which the bill could be strengthened that would enable that process to take place incrementally over time would be to establish the code of practice that was developed by the independent advisory group on a statutory basis. That would involve putting the code of practice in the bill and making it an explicit statement.
The code of practice could be reviewed. The bill allows for that, but it gives the authority to do so to the commissioner.
We think that the code of practice should be included in the bill, because that would provide absolute clarity for the commissioner, the police and the authorities that will be bound by the proposed legislation. That would also provide a model of good practice. The general principles and parameters on how biometrics should be dealt with generally would be made very clear, and that would provide an opportunity for the model to be applied on a more general basis to the other spheres and areas of concern.
We, too, recognise that the bill is a step in the right direction, but it does not cover everything that potentially needs to be covered by biometrics legislation.
10:15
Would it need to explicitly refer to the Scottish Prison Service or private companies gathering biometrics on behalf of the police or the Scottish Police Authority? Would that need to be explicitly set out in the legislation, or would putting the code of practice on a statutory footing, as you suggest, allow the commissioner oversight in those areas?
We would probably need to extend which authorities the legislation was intended to cover. The code of practice, as written by the independent advisory group, was developed with Police Scotland and the SPA in mind. It was heavily consulted on, and evidence was taken from across the different sectors. If you were to extend the scope of the legislation, you might have to extend the scope of the consultation to ensure that the code of practice was broad enough to cover those other authorities. The code of practice was not developed for that purpose, as far as I understand it.
I do not want to create any false choices, and there does not necessarily need to be an either/or choice but, in the order of priorities, is putting the code of practice on a statutory footing more imperative for you at this stage than expanding the reach of the provisions?
I think that you have just created a false choice. [Laughter.] It is really important to put the code of practice on a statutory footing. I would also argue that it is important to extend the scope of the legislation. I do not think that those are alternatives.
Specifically on whether you can amend and add to the code, section 7(4) of the bill, which is on the effect of the code, allows for the Scottish ministers
“to add a person or description of person”
to the persons that the code has an effect upon. Currently, the code has an effect on
“constables and police staff of the Police Service of Scotland”
and the Scottish Police Authority. You could conceivably see an opportunity to add the Scottish Prison Service to those persons.
However, I go back to the problem with adding a private body, for example. The general functions of the commissioner would still relate to criminal justice and policing purposes; there may be other purposes for which biometrics would be used that would not necessarily be covered or deemed legitimate to add to the bill.
You would need to return to the functions to see whether you could add biometric data in the field of public bodies and its use by private bodies in relation to the general public. At that point, section 7(4) of the bill would allow ministers a little bit more flexibility.
However, in terms of the code of practice, the commissioner’s role would still be more the role of a champion and promoter than a regulator.
Would you have any anxieties about spreading the reach of the commissioner as well as putting the code of practice on a statutory footing? In terms of the establishment of the commissioner, you have essentially required more of the commissioner from the get-go so, in a sense, more things could go wrong or not work as effectively as they might.
One of the lessons that should be learned from the commissioner in England and Wales is that they started off with a narrow problem and they found a narrow solution but that problem was never narrow to begin with. There is now a commissioner in England and Wales who regulates the use of fingerprints, DNA and even footprints—much to his own hilarity, it seems—but whose role does not cover these second-generation biometrics although the real crux of public concern is around gait recognition and facial recognition. The anxieties are more around fixing that narrow issue. Although the issue is profound in a law enforcement context, we are not future proofing for what the public needs.
The bigger anxiety, for me, is that the public will see a commissioner and expect something of them that they may not be able to deliver, which would result in a loss of public confidence and trust in what that commissioner can be relied upon to do.
I agree. I reiterate that we need a rounded, holistic approach to privacy. Threats to privacy come from all directions. Facial recognition is just the latest iteration, and there will be things after it. We need someone who can grab the bull by the horns and run with it. To take up Dr Macdonald’s point, it is still the case that data protection is not devolved and is covered by the Information Commissioner’s Office in London. Should that be the case? Should the Scottish Government not be pushing to have data protection devolved? I would suggest that the Scottish National Party should be forcing that issue and enabling a situation in which all aspects of data, whether it is high-resolution facial recognition or grainy CCTV, come under the remit of a Scottish privacy commissioner, who would be completely future proofed.
With regard to the code of practice, we have a number of statutory codes that we find are a useful tool in our work. They give us flexibility as the landscape changes, because we can amend them—of course, we need to get such amendments approved by the Westminster Parliament. I certainly urge that, if the bill is passed, the codes of practice that the biometric commissioner has should be put on a statutory footing.
Matthew Rice made the point that it is very difficult to start narrow and go wide, but that if you start wide, there is a better opportunity to broaden the scope in due course. Do you agree with that?
That is right. The codes give you the flexibility to adjust as change takes place. As Matthew Rice also said, the Scottish biometrics commissioner’s terms are a lot more future proofed than those of Professor Wiles. We saw that under the previous data protection regime, which did not allow at all for the electronic and biological advances that have now really been taken in under the general data protection regulation. That is where there is an overlap between the work of this commissioner and my commissioner.
I would like to probe a wee bit on the earlier part of Liam McArthur’s question regarding the list of those who should be consulted about the code of practice. Judith Robertson, you said that the list could be widened a bit, and that there should maybe be a further consultation. What issues should a consultation with stakeholders cover?
The draft code that was produced by the independent advisory group has been widely consulted on. As I understand it, that consultation was on the basis of it focusing on the criminal justice system. If the scope of the legislation were to be broadened into health, education and other areas where biometrics might be in use, I would contend that the scope of the consultation would have to be broadened to ensure that the job of work that the code of practice does, as it is currently framed, is appropriate and fit for purpose for the broadened scope. That is one aspect.
The recommendation of the advisory group was that the code of practice should be in the bill, which would have meant that it would have been consulted on as the bill was going through Parliament, in the way that any other bill is consulted on during the legislative process. In addition to the consultation that took place prior to the code being drafted, the code would have been subjected to the general and robust scrutiny that is undertaken as a bill is considered. That has not happened, and therefore an opportunity has been missed to engage a wider audience and the wider public in a debate about the code of practice. Therefore, in the context of the PANEL principles—participation, accountability, non-discrimination, empowerment and legality—which the commission promotes and which underpin human rights law, an opportunity for scrutiny to be undertaken has been lost. That is not to say that the code of practice cannot be included at stage 2 of the bill, when there will be further scrutiny. That would strengthen participation.
Does that begin to answer your question? Does it get to what we are thinking about?
Yes. It sounds as though the extended remit that you talked about would require more than a part-time commissioner.
Sorry, I did not respond to that bit of the conversation. I completely agree. It might be appropriate for a part-time commissioner to fulfil the function as it is described in the bill.
There are two ways of looking at the issue, and ultimately it comes down to resources. If a part-time commissioner had a strong code in legislation, to which they were working, and a general understanding was established so that they did not have to do the promotion, which is potentially expensive, it is possible that a part-time role might be enough, because what the commissioner was monitoring and the scope of the actions of the public authorities that they were monitoring would be very clear.
As soon as that remit is broadened, the scope of the role is massively extended, so there are resource implications. I cannot say more—I am slightly stretching my mandate as human rights commissioner. From my experience, I can say that my role has an extremely broad mandate and full time is not enough.
Does anyone else want to comment?
You asked who should be consulted. Expanding the provisions to include public authorities would engage the Convention of Scottish Local Authorities and its network. We recommend that that be done.
Although the independent advisory group’s terms of reference specifically focused on law enforcement, the group acknowledged that there were questions—mostly brought up by us, I guess—about the need to consider wider application. I think that the Scottish Government said that it would explore with COSLA and other local and public bodies the potential for voluntary adoption. I do not know whether that recommendation has been followed up or how far such conversations have progressed. COSLA would be the body that one would immediately go to.
The part-time role issue is tricky. The biometrics commissioner in England and Wales is part time and regulates 40 or so police forces. What is proposed in the bill is a 0.6 FTE who regulates one central police authority. It could be argued that more bodies could be added without stretching the role into a full-time one.
We should bear in mind that behind all commissioners there are fantastic support staff, who work full time—such as Lucy Bradshaw-Murrow, who works for the biometrics commissioner in England and Wales. It is not as though making the role part time means that the office is unstaffed on Thursdays and Fridays; a team is there, although the figurehead might not be.
There is a tricky issue to do with how the nature of policing in Scotland maybe changes the regulatory landscape a little.
Given the commissioner’s proposed remit, are there glaring omissions of stakeholders who should be consulted? Police Scotland, the Lord Advocate and the Scottish Human Rights Commission are included in the bill.
Nothing jumps out at me. Paragraph (j) in section 3 most likely refers to broader civil society, and we hope that it does not need to be written in the bill that the commissioner should consult wider members of the public and interested parties. I hope that it is implied that it would be appropriate for the commissioner to go to groups such as the Open Rights Group, so I have no immediate concerns.
Thank you. Sorry—I see that Judith Robertson wants to come back in.
I was just going to say, on reflection, that if you are really thinking about people’s engagement with their article 8 rights to privacy, home and family life, the widest engagement is recommended, because the public really need to understand what is at stake here. I think that that is poorly understood at the moment.
Whether we are talking about people’s understanding of their article 8 rights, current practice on the retention of data or what consent might imply in these processes, there is a range of aspects that the draft code of practice unpicks—indeed, it is quite explicit about many of those issues.
For me, making that much more explicit in the bill would mean that the public could identify the code and go straight to it, knowing that it had a basis in law and was supported in that way.
Obviously, civil society organisations are very good benchmarks and routes into the public, but the Parliament’s having a robust debate about article 8 and the balance and protection of those rights is a really important part of the process.
10:30
The commissioner is to be appointed by the Parliament, but the code of practice is to be approved by the Scottish ministers. Do you have a comment to make on that?
You are right. That is absolutely what the bill says, and that is potentially a weakness. If the code was debated, approved and understood by the Parliament and its implications were interrogated through the parliamentary process, that would give better protections. Placing it on a statutory footing would mean that it would be an integral part of the parliamentary process.
Are there other views from the rest of the panel?
I concur with Judith Robertson’s assessment.
I certainly agree that the code should be approved by the Parliament rather than the Scottish ministers.
On the consultation on the code, there is a fairly comprehensive list of those to be consulted as the bill stands, and there is some flexibility. The commissioner can choose
“other persons as the Commissioner considers appropriate.”
The code certainly needs to go to full public consultation at some stage, as Judith Robertson said. However, in the initial drafting of the code, there is a need to ensure that the commissioner properly consults bodies that have a direct interest in it.
Does Liam McArthur want to follow up that issue?
No. I wove my question into my earlier questions.
Okay. Sorry about that.
Good morning. What are your views on how the code could address legal issues about where biometric data is held in databases outside Scotland? That issue has been touched on, but only a wee bit. It came up in the previous evidence session last week. I am trying to follow that up.
Will you expand a little on what you mean by information that is held outside Scotland?
If biometric data is held within Scotland, it will, obviously, be the responsibility of the commissioner, but what if it is held elsewhere—perhaps in England, another part of the UK or somewhere else in Europe?
Stepping into an already developed legislative environment needs to be handled discreetly. Although the commissioner in England and Wales does not have a role to play in policing in Scotland, they have a role to play in national security in Scotland and in information that would be held by the National Crime Agency specifically. How best to manage that situation is a tricky issue, and I do not have an immediate answer to that. There is the supplementary question of data held in Europe that would be transferred across to the British Transport Police, for instance, such as under the passenger name directive or under anything that might imply people travelling and crossing borders with biometrics attached to it which might be used for law enforcement purposes.
I hope that the Scottish commissioner would be welcomed into the landscape. There are plenty of advisory groups, including strategic advisory groups, that Professor Wiles and the Information Commissioner’s Office are part of. I cannot say definitively where that would be best placed in the bill, but I hope that the Scottish commissioner would be welcomed into the wider landscape.
If I recall correctly, the discussion last week was about the Scottish police putting data into the national crime database and the retention periods. In strictly legal terms, that will come down to who the data controller is. I would expect that, in most cases, it would be the Scottish organisation, where it is considering Scottish biometric data, and therefore the Scottish rules of retention ought to apply, even if those data are being held for the organisation’s use by an authority outside Scotland.
That is helpful. Does anyone else want to comment?
That is a very good point from Dr Macdonald. Changes are being undertaken in England and Wales in the retention of data in police systems in particular. The police national computer and the police national database are both currently being reviewed; the Open Rights Group is contributing to that process as part of our UK work.
It is key that Scotland has a really important voice in that process. Responsibility currently sits within the Home Office, and my contributions are as much as I can give in terms of a UK focus. Her Majesty’s Inspectorate of Constabulary in Scotland needs to get more involved in the process, with a focus on Scotland’s good reputation in the retention of biometrics versus the situation in England and Wales.
As I understand it, the changes that will be taking place are going in a positive direction, so I have fewer concerns about how the approach will transfer over. Ultimately, Police Scotland, as the data controller, would retain governance and control in respect of being able to delete the data, which is obviously an important aspect. The independent advisory group has raised the idea of a presumption in favour of deletion. The key point is that when we move to a UK system, Scottish bodies and policing bodies in particular must be able to delete that data, and it must be deleted rather than replicated on a wider UK system with a different retention period.
Good morning, panel. We are looking at legislation, and words are very important. There has already been reference to the code of practice. The bill states that Police Scotland and the SPA
“must have regard to the code of practice”,
but goes on to say that
“Failure to have regard to the code of practice does not of itself give rise to grounds for any legal action.”
Would you comment on that aspect, please?
We do not consider that wording to be strong enough. The greatest protection would be provided if those bodies had a duty to comply with the code of practice. If the code was on a statutory footing and in the text of the legislation, it would be very clear what they had a duty to comply with, and if the commissioner deemed something to be a deviation from the code, there would be some kind of sanction.
A discussion on sanctions would be important—I do not know whether we will come on to that. With regard to giving the greatest possible protection to citizens and to the bodies that implement the code, sanctions would ensure that people were held to account appropriately if the code was not applied or if the commissioner deemed there to be problems with the way in which it was being instituted. That would give the commissioner some teeth in the process.
There are many examples of regulators having sanctions at their disposal. The Information Commissioner’s Office is a strong example, as that body has the capacity to issue a fine. A range of potential sanctions could be added to the bill to strengthen the commissioner’s capacity in that regard. At present, I regard the wording as not strong enough—it could be a lot stronger.
As I understand it, the wording in the bill is “have regard to” because that would not place a requirement to comply on a statutory footing; instead, the code will be considered under secondary legislation or in guidance. As Judith Robertson pointed out, the code of practice is not currently in the bill.
If we cannot get the code on to a statutory footing, the wording is likely to remain as “have regard to”, rather than providing for a much stronger duty to comply. That takes us back to the point about whether the code of practice can be included in the bill in some form.
If the committee accepts my premise that we need a fully fledged Scottish privacy commissioner, I think that it might be missing a golden opportunity if it does not revisit the bill to enable something much greater than what is currently in mind.
That champion of privacy in Scotland would have to have regard to many laws relating to privacy and data protection. In some cases, there would have to be a legal obligation; in other cases, there would not have to be a strict obligation, because a privacy commissioner would be able to shame malefactors—that is, those who abuse data or privacy. There would not have to be legislative machinery. The person would be in the public domain, championing privacy. They would not only be a functionary of one law and they would not just look at technicalities; they would look at the bigger picture. I am shifting the paradigm completely.
One has to have regard to rather than follow the codes of practice that are produced by the Information Commissioner. However, I think that there is a distinction between the issues that we face and those that the biometrics commissioner would face. We have to give guidance and highlight good practice on every type of processing of personal data, including biometric and electronic, across the private and public sectors. It is impossible to have a prescriptive code of practice for all situations. However, with the biometrics commissioner’s responsibilities, we are looking at a much more precise and narrow focus of processing. Therefore, I agree with Judith Robertson that the code needs to be prescriptive—it needs to go beyond people having regard to it; it needs to have a statutory basis.
Even if we accept that the secondary legislation would be strong and have good rhetorical flourish, another tricky element is that the primary legislation—the backstop on which the code of practice would rely—does not cover all biometrics. The Criminal Procedure (Scotland) Act 1995 allows for fingerprints or other relevant physical samples that it may be deemed necessary to take, but that does not cover photographic images. If we cannot put on to a primary legislative footing the strong definition of what biometrics means in relation to the commissioner’s role, we will create a strange two-tier system. There will be very strong secondary legislation setting out what biometrics means: it is the function of identifying an individual based on physical or physiological characteristics. However, when we go back to see what a body has responsibility to comply with, we will see that photographic images are not covered. There will be a strange disjunction between the two. If we put a definition in some form on a primary legislative footing, and that definition applied to the 1995 act, we would have future-proofed primary legislation.
My next question is on a subject that has been alluded to briefly. The bill specifically mentions Police Scotland and the SPA, but it does not mention the British Transport Police, the National Crime Agency, or—nervous though it makes people—the security services, which, of course, operate in Scotland in conjunction with Police Scotland and the BTP. Is there a gap in that respect?
NO2ID thinks that there is a gap: we believe that the secret services should be accountable, as far as possible.
We are calling for there to be a Scottish privacy commissioner, but we would not want that to be a stick with which to beat the press; we would want the press to be protected and supported. Indeed, it is historically proven that the press is often the greatest champion of privacy. It has exposed various wrongdoings by the secret services, including extraordinary rendition, in which Scotland was involved because Prestwick airport was used for that purpose. Let it be said that extraordinary rendition is when the US farms out people for torture at black sites, and such things must be stopped. Even if you settle for the proposed narrow role that is set out in the bill—and I suggest that you do not—any commissioner should have that under their remit.
Some of the issues that John Finnie raises come down to what is devolved and what is reserved. National security is a reserved matter; as Professor Wiles said at last week’s meeting, he has that responsibility UK-wide. It will be difficult to contain those UK-wide elements in the bill without going through other legislative mechanisms, which you are more familiar with than I am.
10:45
Does that apply to the British Transport Police?
The British Transport Police is a slightly different kettle of fish. Last week, Professor Wiles made a reference to retention if the BTP makes an arrest in Scotland. He said that the appropriate retention regime would be the Scottish one. That makes me wonder whether the BTP should at least be added to the list of consultees. We would not have any particular view on whether the BTP should come within the remit of a Scottish biometrics commissioner.
Does Mr Rice have a view on whether a Scottish citizen would have regard to jurisdiction if they were the subject of facial recognition measures, or if samples were taken from them, by one of those organisations? Should that be important to them, or would they anticipate that this Parliament would regulate how they were treated? I am genuinely not making a constitutional point; I am trying to understand the overlap that exists across the law enforcement agencies that operate in Scotland.
The British Transport Police jumps out as being unsatisfactorily covered in the bill. When it comes to biometrics, the BTP would have quite a lot of passage—a lot of activity is based on the collection and use of biometrics. We have called for an individual complaints mechanism to be put in place that would allow members of the public to raise concerns about how biometrics have been used. If there is a problem, such as a Scottish citizen being detained at Prestwick and having biometrics taken or used in some way, the pertinent point is where their complaint would flow to.
The remit of a strong commissioner would cover, say, any policing activity that occurred in Scotland—rather than activity related to the security services or national security, which might be best reserved for the time being. That is based on there being, as we suggest, some public-facing front door for the public to come to in order to raise concerns. If we start to make distinctions, particularly around policing—say between British Transport Police and Police Scotland—we will leave the public confused about what they can rely on the commissioner to do.
Good morning, panel. We have touched on the technologies before—Matthew Rice in particular got into some of this earlier. It is accepted that biometric technologies are evolving at a rapid rate and it is hard to predict what they will look like in five, 10, 15 or 20 years’ time.
Does the bill represent a reasonable attempt to keep up with developments in that area? Is the code of practice all that will be required to deal with the increasing use and changing nature of biometric technologies, or will further legislation be required in future? Matthew Rice touched on whether primary legislation is adequate, but would future technologies require further legislation—either primary or secondary—or can we rely on the code of practice being swift and light enough on its feet to cover changing technologies?
In the Open Rights Group’s assessment, three things can change the dynamics: the technology, which can change hugely; bodies, which can change how it is used; and case law, which can change the way in which something is framed.
On the technology, the definition of “biometric data” in the bill serves quite well as a future-proofing measure, because it does not necessarily refer to a specific biometric attribute that might not be in use; it refers to any biometric attribute that may come into use. For instance, if gait recognition and speech recognition became part of general policing practice, they would still be caught under the definition. However, the definition would apply under a code of practice that has come in through secondary legislation. Therefore, there is still the need to attend to the Criminal Procedure (Scotland) Act 1995 and subsequent acts to ensure that, where those are engaged, there is reference to a more generic definition of biometrics.
On case law, although there was a judgment in south Wales that said that the use of automated facial recognition is in accordance with the law as it is currently understood, that judgment had a lot to do with the facts that were involved. Litigation led by Big Brother Watch is in train, but other litigation is still pending, such as Gaughran v Chief Constable of the Police Service of Northern Ireland, which has moved past the Supreme Court and may change the nature of what data can be retained for.
The commissioner needs to be able to respond to changes in case law. As we are part of a common-law jurisdiction, we will have to be able to react to those. Having codes of practice in secondary legislation that ministers bring forward is good, but that is not the best way to start off, because we still need things on a strong primary legislative footing.
Finally, there are the bodies. The bill binds the commissioner to looking at policing, and it is quite clear that there are practices that go beyond policing and that public concern goes beyond policing. Over the summer, the Ada Lovelace Institute did some very good survey work in a report called “Beyond face value: public attitudes to facial recognition technology”. I recommend that members of the committee pick that up and perhaps contact the Ada Lovelace Institute about it. The institute showed quite clearly that the public’s concern is not just about law enforcement; in fact, the public have a heightened concern about the use of the technology by private bodies and other public bodies.
We have done okay with the technology, but we have not necessarily figured out with the bill how to react to case law and to the changing nature of who adopts the technology.
I would like to put my point again. It makes no sense to me to have a facial recognition commissioner who does not cover CCTV. Images are on a continuum. Facial recognition data is simply more high-resolution picture data than a CCTV image has. Therefore, it makes no sense to have someone solely dedicated to facial recognition technology. We need a commissioner who covers all imagery and all intrusive camera work by whatever agency, including the police, the secret services, the public sector and schools, which are abusing the technology—there is research on that, and pupils do not like being spied on.
There is a disproportionate use of CCTV. We are not against CCTV or, indeed, facial recognition in some contexts, but we are against the growth of the database society and state.
We think that that crying need, which the public have expressed many times, needs to be properly met with a proper Scottish privacy commissioner. Canada has such a commissioner, who works alongside—sometimes in tension with, and sometimes co-operating with—the Information Commissioner of Canada.
On Professor Duff’s characterisation of the commissioner as being just a facial recognition commissioner, that is clearly not what we are talking about; we are talking about biometric data, which has a much wider generic definition that touches on other forms of identification. Therefore, we are not talking about a facial recognition commissioner, despite the fact that facial recognition is a topic that probably sits at the front of people’s concerns. We understand the issue to be a bit wider than that.
I agree, but it does not go down the scale to CCTV, so there is a disconnect. That makes no sense. CCTV issues are the slippery slope that leads to facial recognition issues.
We have already heard that point, which you made very well.
Thank you. I will not mention it again. [Laughter.]
Okay; thank you.
To some degree, Shona Robison’s question highlights the gap resulting from not having the text of the code of practice in the legislation, and it allows us to have a conversation about that issue. Does the code of practice, as covered in the legislation, give us the required protection? We are not in a position to have a detailed discussion about whether the code does that, because it is not in the bill.
The purpose of the code is to enable clarity on the protection of people’s rights. The code, as drafted, is robust and has been heavily consulted on. It provides clear principles that allow us to look at a range of interventions, among which biometrics are key. It is a principled analysis that allows us to ask whether people’s rights are or are not being breached.
An issue that has not been highlighted in this evidence session but which may have been highlighted elsewhere is the presumption of non-retention. That crucial protection is not in the bill, because the code is not in the bill.
If we are going to legislate, we have to be very clear about why we are doing that; the principles in that regard also have to be explicit, and they have to be referred to. Without that—if that clarity is not explicit—we get into all sorts of grey areas and mush. That is fundamental.
It is a chicken-and-egg situation. If the code was in the bill, we could comment robustly on whether it would be strong enough to give protections for the future. I think that it is recognised in the draft version of the code that things will change. Ensuring that there is that capacity to review and re-lay the code is really important, because it needs to be fit for purpose, and its purpose is to protect people’s rights. That is another argument for including the code in the bill.
It is worth bearing in mind that the most significant judgments in this field, whether that be S and Marper v United Kingdom or R (RMC and FMJ) v Commissioner of Police of the Metropolis, came down not to the use of biometric data but to the retention of that data. Often, cases have really turned on the nature of retention and how long something is retained for.
One of the independent advisory group’s great victories was the promotion of a presumption in favour of deletion. That is key, particularly for anyone who might be concerned about the growth of a database state. This is about whether the system is one in which certain data will be retained. In fact, the database state will shrink at a certain point, because the retention periods would lapse. That is a huge issue. Of course, as I have said, the courts are alive to that when deciding on interference in relation to article 8 of the European convention on human rights.
The bill does not provide for an ethics advisory group, but the Cabinet Secretary for Justice has indicated his intention to establish such a group. My understanding is that the bill would not prevent the commissioner from setting up a group, should they want to. Should an ethics group be set up? If so, who would be best to do that?
There should be an ethics advisory group. The territory is evolving, and it is difficult for one individual to hold all the knowledge that they require to do their job. The group should be set up on a statutory basis. It could sit in the biometrics commissioner’s office, but it would have to be independent. It would advise the commissioner and, I presume, the people who use biometrics to deliver their functions.
If possible, convener, I would like to comment on the specific powers that the bill grants, or does not grant, to the commissioner. I do not know when you are due to finish and I am concerned about whether I will have the time to do that.
There needs to be an ethics committee; no commissioner could work without one. The issues are difficult and it is very hard to balance all the rights—despite everything that I have said, I believe that the police, and the security services and secret services, have rights. There is no way that all the wisdom can reside in the head of any one individual. I imagine that not having an ethics committee would be an impossibility, or else the system would be autocratic.
11:00
In the evidence that we heard last week, Professor Wiles said that he was surprised that the Cabinet Secretary for Justice, rather than the commissioner, is going to set up a committee. He said that there should be an ethics committee, and it should be transparent and open in its findings. I suppose the point that was being made was about the separation from Government and what is seen as independent.
I am not fully sure that the cabinet secretary, in his appearance before the Justice Sub-Committee on Policing, was announcing the creation of a permanent ethics group. It seemed to me that he was referring to something closer to the independent advisory group, which was formed for a temporary period to look at an issue and produce recommendations. We have not heard anything since then about what the terms of reference for such a group would be.
When I read the Official Report of the meeting, I did not think that an ethics advisory group was being formed then and there by the cabinet secretary. A sensible commissioner, when they come into post, would see that there is a wealth of knowledge across academia and civil society in Scotland that could be drawn on to help with those tricky discussions.
I suppose that it is for us to drill down into that with the cabinet secretary. Does anyone have anything to add?
The subject of data ethics is becoming increasingly important, given the growth in personal information and the way that it is collected. We would certainly support an independent ethics panel that the commissioner—it would be the commissioner, rather than the minister—can speak to and debate issues with.
One of the commissioner’s jobs is to raise awareness in relation to biometrics and the roles and powers of Police Scotland and the SPA. How can that best be achieved so that the public have confidence in the system?
To be perfectly honest, if you want the public to have confidence in the system, the commissioner needs powers in more areas than simply awareness raising. Awareness raising is useful and important, and it enables people to understand the terms of the debate and what is at stake. It would raise awareness of the discussions that an independent ethics advisory committee would have, which is important.
However, in my view, that is not sufficient. In order for the public to have confidence in the system, the commissioner would need more powers than a simple awareness-raising power. They would need the power to compel evidence; to enter specific places; to investigate and inquire; and potentially to inspect in a similar way to HMICS. A range of other powers could be explored. We need to ask what will give people confidence that the commissioner has the teeth to be able to ensure that the authorities in question are fulfilling their duty to comply with the code of practice. That would be my first answer to your question.
As a commission itself, the Scottish Human Rights Commission has a duty to raise awareness. It does a huge amount to raise awareness of human rights, and it is clear that a whole range of tactics come into play in that respect. Awareness raising is important, but it is not sufficient. I would absolutely include it in the commissioner’s mandate but I would strengthen the powers of the commissioner considerably.
It would be an important part of either the reduced role for the commissioner that you have in mind or the expanded role that I have in mind.
Raising public awareness of privacy issues is absolutely vital. The Scottish Information Commissioner has shown good practice in that regard. Indeed, as we sit here, Paul Mutch from the Scottish Information Commissioner’s office is lecturing to my 50 undergraduate journalism students, because I am missing the lecture to appear before the committee. He kindly agreed to speak about freedom of information to them, as he has done over several years.
The Scottish Information Commissioner’s office has done tremendous work to raise awareness of FOI. We need a comparable level of commitment to raising the standard for privacy in Scotland. The biometrics commissioner should definitely have a budget for that.
We can look at another commissioner and how their role is formed. The UK Information Commissioner’s Office runs campaigns such as the your data matters campaign, which is a fantastic way to raise awareness and has shown real returns in terms of the public’s understanding. I feel as if I am speaking on behalf of Dr Macdonald in talking about the ICO, but it is merely as an illustration.
As part of the ICO’s strategic role, it considers individual complaints mechanisms as an aspect of raising public confidence. Enabling public access to the ICO has been key to its success in raising awareness and confidence. We maintain that having a front door—some kind of way by which an individual can approach the commissioner to raise a concern, with a way to enable the commissioner to address, look at and respond to those concerns—is one of the key functions that gives the public real confidence that they have a commissioner who is not just on their side but on the side of rights and enforceability.
I welcome what Matthew Rice said—it is good to hear a stakeholder speak up for what the ICO has been doing.
With regard to our responsibilities on data protection, it is key for individuals to know how their data is being handled, to whom it might be passed on and for how long it might be retained. It is a message that all data controllers, and all organisations that collect data, should give to the data subjects: the people involved. Anything that improves their understanding of what is happening to their information has to be welcomed. What we are discussing is just another element of that.
To build on Mr Rice’s specific point about raising public awareness and the ability of the public to raise concerns, the bill does not currently contain any mechanism for raising complaints. Should that be examined as the bill goes through the amendment process? That question is also for the other panel members.
Yes. That is one of the means by which you could increase engagement with the commissioner and reinforce their ability to perform what we feel should be their function, which is to monitor and regulate the use of biometric data by Police Scotland and the SPA. That would depend on the purpose of the commissioner’s role being strengthened as well.
There is potential for misunderstanding between the role of the biometrics commissioner and the role of the Information Commissioner’s Office. We would be the body to which people would come if their information rights had been violated in any way or if they had any concerns that there had been a breach of their rights, whereas the biometrics commissioner would have other responsibilities in reviewing policy and practice. People need to know which is the correct place to go to.
It is more than 10 years since the Scottish Information Commissioner’s office was set up—it was in 2005, which is 14 years ago, so time is passing—but there is still confusion among people who really should know better. I am talking about civil servants, senior public authority officials and so on confusing the roles of the Scottish Information Commissioner and the UK Information Commissioner’s Office.
We have covered that pretty well. Liam McArthur wants to come in briefly. We will finish at a quarter past 11 at the very latest.
Excellent. I thank Dr Macdonald for not including MSPs in his list of people who may have confused the two roles, as I am sure he was keen to do.
I could not reveal any personal information about members around the table. [Laughter.]
Living the dream.
I appreciate that the ICO perhaps provides an example of how individual engagements can help to raise public awareness, although I am sure that you are aware that the previous Children and Young People’s Commissioner got into a lot of difficulty regarding the expansion of that commissioner’s role by advocating a move in that direction, but with very little detail on the implications for resources and staffing. Is there a clear understanding of what such a proposal would be likely to entail for the biometrics commissioner regarding individual engagements and the resulting impact on resources?
The act governing the Children and Young People’s Commissioner was quite vague as to the areas that the commissioner was to cover—basically, it was anything that had been excluded from anywhere else. That led to debate, and I remember that we raised a number of concerns about that during the passage of the Commissioner for Children and Young People (Scotland) Bill.
The Scottish Biometrics Commissioner Bill is clearer. There is still potential for dispute between a Scottish biometrics commissioner and ourselves, but you can consider the experience that Professor Wiles related to you last week regarding his engagement with my commissioner. We have a good working relationship. The commissioners meet at senior level and they meet informally at less senior levels on a regular basis.
To date, there has been no need for any form of memorandum of understanding or anything like that, although we are aware of a couple of issues coming up because of Brexit and exchange between the UK and the other European Union countries that may involve some agreement between us as to where the exact roles differ.
I was just about to commend you for getting to the end of the evidence session without mentioning Brexit. You almost managed it—although you actually mentioned it before the meeting started—but now you have blotted your copybook. That response was helpful, however.
There are a range of ways in which the commissioner’s powers could be strengthened. An individual complaint mechanism is one way. For the commissioner to fulfil the duty of investigating, monitoring or ensuring compliance with a code of practice, they would require more powers than the bill currently gives them. It is a matter of adopting that strengthening perspective and acknowledging the resource implications. To be honest, there are resource implications from any power that is attributed to an authority such as ours, as we know.
The important thing for the Scottish Human Rights Commission is that the commissioner has a range of tools in his or her toolbox, depending on the circumstances. Over time, we would be able to see which tools have had the most impact, which ones have been most effective and which ones the commissioner has been able to employ to hold authorities to account and to enable monitoring, data gathering, understanding, the facilitation of an independent advisory group and so on. All of that has resource implications.
I agree with you about the individual mechanism, but there are a range of ways in which it could be strengthened, and it would be good to see some of those in the eventual legislation.
Concerns have been raised about the accuracy of biometric technologies, in particular facial recognition. How valid are those concerns, in your view? What steps would you envisage the commissioner taking to ensure that the biometric technologies that are used are fit for purpose?
That is a well-documented issue. The systems are trained on data sets, so there is a question about what data we are putting in to make the decisions before the technology is even released for use with the wider public. Accuracy issues should be dealt with in the development of the systems, rather than improvements being made when they are being used with the general public. Fantastic work has been done by those focusing on the Metropolitan Police roll-out, which has many false positive rate issues.
11:15
As for what the bill might address, the independent advisory group looked at accuracy as a principle that needs to be embedded in the code of practice. That could be done in a specific way, through what we might call a technological kitemark that would say that a system could not go out unless it had been trained on a data set that had, say, a particular level of diversity. For the independent advisory group, the important point was that it would carry a principled view in relation to determining accuracy.
At the moment, assessments in England and Wales are less about the accuracy of a measure than they are about its proportionality. Therefore, that principle has not been embedded in the use of facial recognition by South Wales Police and the Metropolitan Police. Accuracy has not been a determinative factor there, because it is not actually in play. The fix there is that accuracy is a principle for the commissioner to address.
It is not long since facial recognition software determined that 20 members of the US Congress were criminals—although those were all false positives, I hasten to add. However, the level of accuracy is changing. We must be aware that, sooner or later, all cameras will be fully accurate. There might be difficulties now, but we are moving towards a position in which there will be complete accuracy. Therefore I do not think that we can currently frame any legislation on the basis of accuracy.
We must assume that, sooner or later, there will be complete recognition and we will be completely exposed. We must envisage that destination when we set up laws and codes of practice now. It is only a matter of time before all such technicalities will be resolved.
As members have no further comments, that concludes our questioning. I thank the panel for a very worthwhile evidence session.
I suspend the meeting for a change of witnesses and a comfort break.
11:17 Meeting suspended.
11:21 On resuming—