Contents
- Attendance
- Decision on Taking Business in Private
- Scottish Biometrics Commissioner Bill: Stage 1
- Justice Sub-Committee on Policing (Report Back)
Scottish Biometrics Commissioner Bill: Stage 1
Agenda item 2 is an evidence session on the Scottish Biometrics Commissioner Bill. I refer members to paper 1, which is a note by the clerks, and paper 2, which is a private paper.
I welcome to the meeting our witnesses. They are Humza Yousaf, who is the Cabinet Secretary for Justice; Angela Davidson, who is the head of the police powers unit; Elaine Hamilton, who is the head of forensics policy; and David Murdoch, who is from the Scottish Government legal directorate.
I invite the cabinet secretary to make a short opening statement.
I apologise for running late and thereby interfering with the committee’s business.
I thank the Justice Committee for its scrutiny of the bill to date, and I thank the stakeholders who have contributed to developing this important bill.
The Scottish Biometrics Commissioner Bill speaks to key societal issues of our time—it touches on human rights and ethics as they relate to police use of personal information.
I want to ensure that our approach to biometric data—including from new technologies such as facial recognition software—is effective, proportionate and ethical. The bill will create an independent commissioner to advise on such issues and to oversee police policy and practice. My goals are to keep communities safe while respecting the rights of individuals, and to improve the accountability of the police.
The oversight arrangements in the bill will apply to Police Scotland and the Scottish Police Authority. The commissioner’s general function will be to support and promote adoption of lawful, ethical and effective practices in relation to collection, use, retention, and disposal of biometric data in the context of policing and criminal justice.
Another important function of the commissioner will be to promote public awareness of biometric data and of how police powers are exercised and may be challenged.
The commissioner will also prepare and promote a code of practice that may set out the standards and responsibilities of Police Scotland and the SPA, with the aims of ensuring good practice, driving continuous improvement and enhancing accountability. The code will be subject to consultation and the approval of Scottish ministers and the Parliament.
To enable the commissioner to perform his or her functions, the commissioner will have the power to request information. Having considered the information, the commissioner can make a recommendation with a requirement to respond. If no response is forthcoming, the commissioner could publicise that fact, so there will be the sanction of naming and shaming.
Through the bill, Scotland will have a commissioner who will encourage and support fulfilment by Police Scotland and the SPA of their functions in a manner that respects fundamental human rights, the law and ethics. That support will include promoting good practice, identifying systemic deficiencies and providing a measure of transparency, which will promote public confidence in policing and in the criminal justice system.
I am happy to respond to members’ questions, and I look forward to considering the committee’s stage 1 report and any recommendations that it might make.
In their evidence, several stakeholders mentioned that the bill does not principally define the commissioner as a body with powers to scrutinise police use of biometrics. Instead, the bill refers to the general function, which you mentioned,
“to support and promote the adoption of lawful, effective and ethical practices”.
Should the commissioner’s powers be strengthened to include such a scrutiny and investigative role?
That is an important matter, which I know has been a common thread in the committee’s evidence sessions. I was particularly taken by the evidence that was given by Paul Wiles, who is the Commissioner for the Retention and Use of Biometric Material, for England and Wales, in which the idea that the sanction of naming and shaming should not be seen as a light-touch option came through clearly. You asked about strengthening the commissioner’s role, convener: I caution against thinking that naming and shaming is a weak sanction.
Careful consideration was given to the scope, functions and powers of the commissioner. We had to be mindful not to duplicate or step over into the roles of other regulators—in particular, the UK Information Commissioner. Professor Wiles said in evidence that his role—the equivalent of the Scottish biometrics commissioner—does not need specific enforcement powers and that the police and other authorities are, in his experience, open to discussion.
Failure to have regard to the code of practice could result in notification to Scottish ministers and the Scottish Parliament. That public sanction of naming and shaming could have a significant effect on the police; I am certain that the police would not want to be in that position. We have given the matter careful consideration and I think that we have struck the right balance. The dynamic of the relationship between the commissioner, Police Scotland and the Scottish Police Authority will be very important.
Given that it is important that the public have confidence in the legislation and the power of the police to collect personal data, the Information Commissioner’s Office is quite supportive of the biometrics commissioner having a stronger role, and suggested that they could work together, which would mean that your fear of duplication could be overcome. Would you be prepared to consider that, as the bill progresses?
As always, convener, I will be open minded about any suggestions. I have a very positive relationship with the Justice Committee in respect of the recommendations that it makes on legislation. As things stand, my resolute belief is that we have struck the right balance. We want to ensure that the dynamic of the relationship between the commissioner, Police Scotland and the SPA is positive and open, but we also want to ensure that the commissioner feels that he or she has enough powers—should it ever be the case that Police Scotland and the SPA are not complying—to get them to have regard to the code. We have got that balance just about right.
I will wait to see the recommendations in the committee’s stage 1 report, but at this point I do not envisage making many changes to the commissioner’s role in relation to sanctions. As I said in my previous answer, I see the roles of the UK Information Commissioner and the Scottish biometrics commissioner as being complementary, and I do not want overlap. Your points on that are on record, convener, and I will give consideration to whatever the committee’s stage 1 report recommends.
Good morning, cabinet secretary. In your opening remarks you mentioned building public confidence in the activities of the SPA and Police Scotland, so it would be helpful if you could give further details on how you see the functions of the commissioner giving rise to that confidence across all the biometrics technologies that Police Scotland and the SPA will use. In particular, you noted the public debate around facial recognition technology. Would you expect assessment of use of live facial recognition to be a priority for the commissioner?
I know that Liam McArthur has a long-standing interest in that matter. I thank you for the question, which I will answer in two parts.
Public confidence is hugely important. I think that there is a high degree of public confidence in Police Scotland—we see that through criminal justice surveys and so on. It is absolutely correct that, whenever new technologies are being used, especially those that have a biometric data element, it is really important that the public be given as much reassurance as possible. How will that be done? First, the biometrics commissioner’s role should not be seen in isolation, so a number of other structures are being put in place to complement it. Liam McArthur will know about the independent advisory group’s recommendation that an ethics advisory group sit alongside the commissioner to provide expert advice and opinion.
I have been at the Justice Sub-Committee on Policing, on which Liam McArthur sits, where I talked about the group that I want to set up that will look at technologies that are coming down the line, and how we will ensure that the ethical frameworks around those technologies are positive. My officials are working on that: the work will largely relate to the sub-committee’s work on what are known as cyberkiosks, or digital triage devices. We have the UK Information Commissioner plus a suite of other measures.
When it comes to developing the code of practice, it will be very important that consultation be part of that. The bill prescribes the organisations that the commissioner should consult, but there is also a catch-all provision to the effect that other relevant stakeholders must also be consulted. I do not want to prejudge, of course, but the commissioner might well think it a good idea to consult the wider public on a code of practice: I think that doing so would be a positive step. Therefore, there are a number of ways in which we can build public confidence.
The second part of Liam McArthur’s question is about facial recognition technology, which has two elements. The element that is most relevant to the question is live facial recognition technologies, such as those that we see being piloted by the Metropolitan Police and South Wales Police. At a concert, for example, faces can be matched to images that the police have on their database. That is exactly the sort of technology that will fall within the scope of the biometrics commissioner’s role and, I would think, the code of practice. It is also exactly the sort of technology that should be rigorously assessed in relation to human rights and ethics. Liam McArthur is right to raise that as one of the most important issues for biometrics, moving forward.
That is very helpful. I take it from what you are saying that you see the matter as being a priority, in the sense that there will be a lot of work to be done in the early stages. Given some of the discussion around use of live facial recognition technology, do you expect that it will be a priority for the commissioner?
I suspect that it will. My only caveat is that it is my understanding—it is an operational matter, of course—that live facial recognition is not used by Police Scotland, although no doubt it is looking at the pilots that are being carried out by the Met and South Wales Police. It might well be that the priority is existing technology that is being used, with a view to looking at emerging technologies in the future. Either way, live facial recognition will certainly be one of the priority areas that will be looked at.
It has been suggested that the commissioner’s responsibilities be extended to include other criminal justice users, such as the Scottish Prison Service and the British Transport Police. Why is the bill limited to the Scottish Police Authority and Police Scotland?
The bill is narrow in its scope and specifically covers Police Scotland and the SPA because, although biometrics can be used by other public bodies and agencies, including the national health service, the way that biometrics are used in policing is unique. For example, there will be occasions when the biometric information is, for important operational reasons, taken without the individual’s consent.
Therefore, the context within which biometric data is taken in policing and the SPA is different from how it is done any other context. I will reflect carefully, and the committee might well signal this in its report, on whether we can give more consideration to where there are cross-jurisdictional issues—the British Transport Police and the National Crime Agency being obvious examples. I think that we have to give a little more consideration to bodies whose work has a policing implication. I have not made a decision on whether oversight should be extended to other policing bodies; I keep an open mind on that.
I also keep an open mind about broadening the commissioner’s remit in the future. It will be important that, from the moment when the commissioner begins to develop the code of practice, it is specific and narrowly focused on policing. If, once the code of practice is embedded and the commissioner is embedded in the role, a suggestion that the code be widened to include the Scottish Prison Service, for example, should not be off the table. However, from the moment the commissioner is appointed, he or she should be very focused on the SPA and Police Scotland, in my view.
10:30
Thank you. I am pleased that you mentioned the BTP and the National Crime Agency; colleagues have questions on them. Is there a danger in the general principle of their not being included at this stage? Might we find that double standards emerge regarding collection and use of biometric data?
I do not think that the comparisons are necessarily being made between apples and oranges here, because biometric data is used in a very different and specific way by Police Scotland and the SPA—particularly in forensics, obviously—from how it is used in any other scenario in which biometrics are retained. The policing context in which data is preserved, retained, collected and disposed of is unique: it does not compare with other contexts, and the rules that apply to policing do not necessarily apply to other public bodies. There might be good guiding principles on good practice that other bodies should consider, but some circumstances are very specific to the police, as John Finnie knows very well from numerous roles that he has had. The context of policing is very specific and very different from that of any other public body.
I know that you will pick up on this, but I note that of course the bill will not cover all the police that operate in Scotland. It will cover only Police Scotland, so I am pleased that you have undertaken to consider that.
I also suggest that other public authorities and private actors that utilise biometric technology should come within the commissioner’s ambit. The example that many people will be aware of is public-space closed-circuit television that is used by councils. Is there any reason why it should not be considered for the same level of scrutiny?
If criminality has taken place in a public space, or there is a suggestion of criminality, such CCTV footage would be passed to the police. If a pub brawl, for example, was captured by CCTV cameras in a public place, one would think that that would, in the course of things, be passed to Police Scotland, which would have to make sure that it abided by, and had regard to, the code of practice, with oversight by the commissioner. Criminality, or even potential criminality, would be captured by the code and oversight of the commissioner.
I will not labour the point that I made earlier too much, but the context within which data is captured for policing purposes is unique. That is the priority of the effort, for very good and understandable reasons.
There cannot be a bigger effect on an individual’s human rights than through restricting their liberty—for example, if they end up in prison. The powers of our criminal justice system are unique and can have lasting and significant impacts on people’s lives. For that reason, the focus is on policing. We should not dismiss a possible broadening of that remit, or take it off the table, but the initial phase should be focused on policing, in my view.
Thank you very much.
If we are to refer to the new post as the commissioner for biometrics, is there a possibility that the public will expect the commissioner to be able to look at biometrics in the wider sense, and that he or she might have to spend a lot of time explaining that they are just looking at biometrics in the context of policing and the SPA?
That is a fair point, and I remember raising it at a meeting with my officials and other colleagues when we were drafting the bill, at which I asked whether there could be a misunderstanding of the role of commissioner. I wrestled with that a fair bit. It goes back to the points that Mr Finnie and Mr McArthur made that, if the commissioner was called the Scottish biometrics commissioner for policing, broadening that role in the future would be extremely difficult.
Once the position and code of practice are embedded, there might well be good reasons for the role to be extended to other public bodies outside policing, such as the NHS and so on. We could change the commissioner’s role, but if they had a different title we would need to decide whether to carry out a whole rebranding exercise. There are pros and cons, but I will keep a relatively open mind.
If we look at the role’s counterparts in England and Wales, I think that there is a good argument for both options, but ultimately we thought that, if the role was extended, we would have to change the title and that would be more challenging.
As you will be aware, it is anticipated that the commissioner’s role will be carried out on a part-time basis. You will be aware from some of our earlier evidence sessions that there has been a bit of debate around that subject. What is the rationale for the part-time role and is it something that you might consider revisiting in the future?
Again, I noticed that that was discussed in a number of your evidence sessions, and I refer to the evidence given by Professor Wiles and a number of other interested parties. I will use the comparator example of Paul Wiles in England and Wales. Professor Wiles works part-time—0.6 full-time equivalent—in his role as commissioner. His remit covers 43 police forces but covers only fingerprints and DNA. His office is resourced to a maximum with four FTE officials who obviously do a good job of supporting him and his functions.
Those functions do not include the development and monitoring of a code of practice as is proposed for our commissioner, but they include considering applications from police forces to retain biometric data under certain circumstances, which is not proposed for the Scottish commissioner.
In all of that, having paid due regard to the differences between the commissioner in England and Wales and our proposals for the Scottish biometrics commissioner, we think that 0.6 FTE to cover the oversight of a wider group of biometric data—not just fingerprints and DNA—that is managed by one police force, albeit the second largest in the United Kingdom, and the Scottish Police Authority, is the right call. Also, our commissioner will be supported by three full-time members of staff in comparison to England and Wales, where there are four FTE staff.
Considering the comparators was the best way to do this. It will be quite an undertaking in the first year. The main focus will be on developing that code of practice with stakeholders and potentially with the public. Should we keep an open mind on that? Yes, absolutely. If the demands on the commissioner mean that they come back to us to say that they should go from 0.6 FTE to full time, we should keep an open mind on that. As we would always do, we will keep an open mind on the committee’s recommendation in that regard, because you have taken evidence from quite a number of sources.
That is helpful. The financial memorandum to the bill shows that the first year’s costs will be met by the Scottish Government and thereafter they will fall to the Scottish Parliament. It does not give any resources for research or public engagement that might be carried out by the commissioner. Is the assumption that those costs would be met by the Scottish Parliamentary Corporate Body, or would the Government meet them?
There was maybe an issue about how the financial memorandum was presented. Perhaps we can be more explicit in future stages of the bill.
The public engagement budget is made up partly of the travel and subsistence budget of £4,000 per annum and partly of the website maintenance budget of £15,000 per annum, because there would obviously be a strong online element to the engagement. Both those sums are pretty generous estimates in the context of comparator public engagement bodies. Engagement with the public will be key, with both face-to-face engagement and an online presence. Any running costs relating to research will be sourced from the professional fees budget of £20,000 per annum, as set out by the financial memorandum.
Good morning, cabinet secretary. You mentioned the code of practice earlier, and I would like some detail on that, given its importance. You will be aware of the evidence from the independent advisory group on the use of biometric data, which recommended that a code of practice should be established in legislation and should come into force at the same time as the commissioner takes office. You will also be aware that other witnesses have said something similar to that. So far, that recommendation has not been accepted by the Government. In the light of the evidence that has been given, though, will you consider putting the code of practice on a statutory footing?
For a couple of reasons, I would strongly prefer not to do that. First and foremost, I want the commissioner to develop the code of practice through his or her engagement with the public, stakeholders and whoever else. If the Government introduced the code of practice, it would obviously be heavily influenced and driven by the Scottish ministers and would therefore not be independent. The point about the code’s independence is hugely important. If we put the code of practice on a statutory footing at the same time as the commissioner took office, we would have to develop it. It is better that the independent commissioner develops it.
Secondly, the approach in which ministers give the date on which a code of practice would come into effect is done by the affirmative procedure and involves introducing the code of practice to Parliament, which means that there will be parliamentary scrutiny. Of course, we would not want to avoid parliamentary scrutiny of the code of practice, and there will be no suggestion of that, because scrutiny will be undertaken by a committee—I suspect by this committee. We have the right priorities of ensuring that a code of practice is independent and that it receives parliamentary scrutiny.
A third important point, which is often made about legislation, harks back to what Liam McArthur and John Finnie said. If the code of practice was put on a statutory footing, it would have a degree of inflexibility. However, we are talking about emerging technologies in this context. We might be focused just now on live facial recognition, DNA or fingerprints, but technologies will emerge in five to 10 years that are probably beyond our comprehension at the moment. There must therefore be a degree of flexibility about the code of practice. If we put it on a statutory footing, we would not have that flexibility.
I guess that that would depend on the nature of the code. I do not want to pre-empt a later question, but we would like to know how detailed the code will be and how it will be segmented. I guess that the independent advisory group made its recommendation because it felt that the code is important. Do you believe that the code will be seen as important and solid whether or not it is put on a statutory basis?
My recollection of the independent advisory group’s evidence is that it recommended establishment on a statutory footing because so much of the detail of the operation will rely on the code. How do you answer that point?
10:45
I see where the IAG is coming from. I understand why people want things in statute. I have passed a number of bills in this Parliament and there has often been a desire for things to be in the bill. You are absolutely right and the IAG is correct that people sometimes view things in legislation as being more solid and having more effect.
However, it is undeniable that, when something is in primary legislation, it is far more difficult to change than when it is in a code of practice, as we have suggested here. With regard to the issue that we are talking about, it is important to have that flexibility.
It will be for the commissioner to highlight the significance or importance of the code of practice in the public awareness part of his or her job. How the stakeholders to whom it applies—in this case, Police Scotland and the SPA—act towards the commissioner and the code of practice will send an important signal about how important it is. I have spoken to the chief constable about the bill, and I have no doubt whatsoever that Police Scotland will treat it with the importance that it deserves.
Significant concern has been raised about the effect of the code of practice. As things stand, Police Scotland and the SPA will simply have to “have regard” to the code, rather than have a duty to comply with it. Do you think that that should be changed to a duty to comply?
I do not. In my answer to your opening question, I said that the dynamic is hugely important. I was quite taken by Professor Wiles’s evidence on that point, which was very strong. He felt that he had effective powers to make sure that police forces comply, which is the most important point, and that he enjoys a good dynamic and relationship with police forces, which means that he can be quite open with them and they, in turn, are quite open with him.
We should not downplay the seriousness of the power that the commissioner will have to alert ministers and the Parliament if the police do not have regard to the code of practice. I ask my officials whether there is also a power to inform the Court of Session.
There is no power to inform the court about whether the police are having regard to the code. However, the biometrics commissioner will have the power to require the production of information by the police or SPA, to determine whether those bodies are having regard to the code of practice. That is the information requirement power.
If the committee’s report were to have recommendations to strengthen that power, I would keep an open mind about it. I just do not want to get to a position in which the enforcement powers are so heavy that they affect the dynamics of that relationship. That might be something that can be considered once the commissioner and the code of practice are embedded.
When the bill was mooted, right at the very beginning, this issue was up there as one of the main concerns. We were asked whether the commissioner—the person in charge—would be toothless, or whether they would have powers to ensure compliance and to investigate and scrutinise, so that the public would have confidence in them. I am not sure, as things stand, that the public will have confidence. The commissioner will be able only to name and shame, without the power to investigate and scrutinise properly, perhaps in advance, and the police and SPA will only have to “have regard” to the code, so the powers sound a bit weak at this stage.
I take your point. We always thought that that element of the bill would come under a severe degree of scrutiny. I will keep an open mind to suggestions.
In one sense, the committee underestimates itself. Nobody likes to be hauled in front of a committee. We are happy to appear in front of a committee and answer questions, but if we are not complying with a code of practice or regulation and we get hauled in front of a committee and interrogated for an hour or two on that, it is enough to make us think twice about whether we are doing the right thing. I say that as someone who has been a Government minister for seven years, and I could say the same for my colleagues in Police Scotland and the SPA.
I would not downplay the public element. If there was a failure to have regard to the code, this committee—or any other committee in this Parliament—would not sit back and allow the police to get off the hook. I am sure that there would be intense political and media scrutiny. That public element is an important part of the commissioner’s powers.
Legislation should be strong enough and it should not rely on the committee doing that scrutiny.
Police Scotland and the SPA suggested that the bill should refer specifically to the forensic services department and not to the whole of the SPA. Is that a reasonable suggestion? There seems to have been a rolling back.
I cannot speak for the SPA, but I do not think that there was a suggestion of rolling back. The SPA was perhaps trying to focus on the part of the SPA that largely deals with biometrics, which is the forensic services department. I do not agree with the suggestion that the scope of the bill should be limited to that department. It should cover the whole of the SPA.
There is a legal reason for that. Forensic services is a department, not a legal entity in its own right. When legislating, we must be aware that the name of the department could change. Legally, it would not be right to specify that department. In future proofing the legislation, we must be aware that we do not know what other responsibilities the SPA might subsume in the future—although I am not prejudging that or suggesting that it will have any other responsibilities. For the legislation to be future proofed, it should apply to Police Scotland and the SPA. There should not be any narrowing of the focus.
Legislation should always be as precise as it can be and there should be no room for misinterpretation. To “have regard” might say that there is manoeuvrability and wiggle room, whereas a “duty to comply” is quite different. However, I welcome your view that the bill should apply to the whole of the SPA for the reasons that you outlined.
How would you respond to those who say that, if there is no legal remedy for an instance in which someone pays no regard to the code of practice, the code is ineffective?
I will defer to David Murdoch and other colleagues on the legal implications. Section 7 of the bill covers actions in which the code might be a relevant consideration; for example, if an action were taken against the police or the SPA—regarding the unlawful retention of data, let us say—the code could be a relevant consideration in any such action. A failure to “have regard to” the code is not in itself a matter to go to court about. However, if someone was concerned about, for example, unlawful retention or collection of data, section 7(2) allows failure to take into account the code of practice to be part of any action that is taken to court. There could be a point at which the bill could be relevant to that. As the legal head here, David Murdoch might have more to add.
What the cabinet secretary said is correct. The code can be taken into account in relation to any action against the police. The duty to have regard to the code means that the SPA can depart from the code only if there is a good, case-specific reason for doing so—it cannot simply depart from the code because it disagrees with the general tenor of the code.
There is probably a public law remedy in relation to not having regard to the code, which would be a judicial review of the actions of the police or the SPA. There is a form of judicial oversight in relation to the police having regard to the code. There are some consequences for not having regard to the code. The police and the SPA have a public duty to have regard to the code, and there are administrative law consequences if they do not. There is always the possibility of judicial review.
Is the point about judicial review explicitly referred to in the bill?
No, it is not explicitly referred to in the bill, because that is not necessary. The courts have supervisory jurisdiction over public bodies and their actions. The courts would have supervisory jurisdiction over the police and the SPA and the exercise of their functions in relation to the code, so there is no need for the bill to make specific reference to that.
I am sure that you will agree, cabinet secretary, that it is important that the public have confidence in the bill. Do you think that the bill would be strengthened if it explicitly stated that there was a mechanism for making complaints to the commissioner?
At the moment, specific complaints about the handling of data can be made to the UK Information Commissioner. In answer to the convener’s opening question, I said that we have given a fair amount of consideration to the non-duplication of roles, to ensure that the Scottish biometrics commissioner complements the role of the Information Commissioner. There is currently an avenue to make a complaint about the handling of data, which can be investigated. The role of the biometrics commissioner is designed not to duplicate that.
However, I take the point that Mr Kelly is making about public confidence and perhaps being explicit about what the commissioner can and cannot do.
If an individual had concerns about the collection and processing of biometric data, where would they take them?
That would come under the remit of the Information Commissioner. At the moment—even before the bill is enacted—there is nothing that would preclude an individual from going to the Information Commissioner if they felt that their biometric data was being unlawfully collected, retained or disposed of.
What would be the logic behind going to the Information Commissioner rather than the biometrics commissioner?
The biometrics commissioner will develop the code of practice and be the oversight mechanism for the police and the SPA in relation to that code of practice. His or her job will be to have that oversight function and to make sure that the duty to have regard to the code of practice is complied with. We would expect the carrying out of the role to involve wide consultation. It would be at the discretion of the commissioner whether that consultation included the public.
I can see the attraction of giving the public a range of options of places to go with concerns, but given that there is already an avenue for an individual to make a complaint about the way in which their data is held, I am not sure that having another avenue for the individual to go down would be helpful—it might just muddy the water.
The Information Commissioner’s work is driven by complaints from individual members of the public, but the Scottish biometrics commissioner’s remit will be driven by identifying systemic deficiencies. There has been a lot of discussion with the UK ICO about the complementarity of the roles. The ICO very much welcomes the creation of the new Scottish biometrics commissioner and views that role as complementary to its role.
11:00As I said, the work of the Information Commissioner is driven by complaints from individual members of the public. The Information Commissioner has certain powers of sanction—for example, it can fine private and public sector organisations—but, in respect of the Scottish biometrics commissioner, we are talking about a day-in, day-out review of the use by the police and the SPA of biometric data.
In terms of public confidence, the biometrics commissioner role is all about driving improvement, improving transparency and raising public awareness. The bill’s provisions make those duties very clear. The bill is drafted in such a way as to allow the biometrics commissioner discretion in how he or she will carry out those functions, but the functions themselves are quite clear.
The clerks have drawn my attention to the fact that, recently, the ICO published a report on how the police use facial recognition technology, which included the comment:
“The absence of a statutory code of practice and national guidelines contributes to inconsistent practice, increases the risk of compliance failures and undermines confidence in the use of the technology.”
I thought, cabinet secretary, that it might be useful for you to be aware of that comment and the context in which it was made.
Yes, the clerks are, as always, very diligent and we will, of course, have due regard to that comment. It is an important point.
As you will be aware, cabinet secretary, the bill as introduced does not provide for an ethics advisory group to be established, but I know that you have committed to forming such a group. Is that still your view? What is the rationale for that not being on the face of the bill?
It is important that we have an ethics advisory group, and I accept the IAG’s recommendation that such a group should be established. I made a public commitment to do that, and my officials are scoping the remit and membership of the group. My expectation is that the ethics advisory group will be established at around the same time that the new biometrics commissioner role is established.
I never envisaged that the group would have a statutory footing—nor, as far as I recollect, did the IAG. I would need to be persuaded on that point. The remit of the group is very much still under consideration and my officials are in touch with the counterpart group in England and Wales, the biometrics and forensics ethics group, to help to inform the remit of the group and what its membership should be. Some members of the IAG have volunteered to assist with the scoping of that, and I would welcome their views on how we should progress.
It is absolutely still our aim to have an ethics advisory group, and I think that it will come into force at around the time that the new commissioner role is established.
I know that you are still looking at the group’s remit, but is it your intention that it will be independent of Government? Do you think that it will be established as a permanent adviser to the commissioner?
The group will not be established by statute, but some might argue that its having a statutory footing would give it a level of permanency. However, as well as the ethics advisory group, we will have the group that will look at emerging future technologies, and both those groups must have a degree of flexibility. Again, I will look at the committee’s recommendations in that regard.
I accept that the ethics advisory group should be independent. I am sure that my officials will correct me if I am wrong, but I think that the group in England and Wales is made up largely of academics. My initial view is that I would want membership of the group here to be broader than that. That is no slight on academics—there will probably be a number of academics on the new group—but I do not think that its membership should be made up largely of academics; we will probably want other practitioners and stakeholders to be part of the group as well. However, the group should be independent, and I expect that it will be a very helpful source of advice for the commissioner.
You touched on the membership of the proposed group. Have you had any early thoughts on what stakeholders, in addition to academics, might be members of the group?
I do not want to pre-empt the process by making any suggestions about that. The similar body in England and Wales is made up largely of academics, but I think that we would want to have a better or wider mix and greater diversity in terms of the people, professions and expertise that input into the group here.
The bill’s ethos is to maintain public confidence in the commissioner’s independence, and he or she will be appointed by, and responsible to, the Parliament. However, the Scottish ministers will have final approval of the code of practice. Can you explain why that approach was taken? Should the code of practice be laid before Parliament for scrutiny and debate?
The member is right that the code of practice must be approved by the Scottish ministers. The reason for that is largely to ensure that there is alignment with affordability and policy coherence, which are important considerations for us. Clearly, if a code of practice was developed that was unaffordable and went in a direction that we would view as regressive rather than progressive, against our policy alignment, we would want to be able to influence that.
In terms of parliamentary scrutiny—I might have referred to this in an earlier answer—we must lodge in the Parliament an affirmative instrument that sets the day on which the code will come into effect, and we must lay the code on the same day. Therefore, I suspect that there will be rigorous parliamentary scrutiny of the code.
If, for whatever reason, ministers do not approve a draft code of practice, they must provide the commissioner with reasons for not doing so. Would those reasons be made public? What would happen if a draft code was not approved? Would it simply be revised until ministers approved it?
There is no explicit mention in the bill of making those reasons public. We are talking about biometric data, so an element of discretion might sometimes be needed. However, the Government always tries to be open minded and as transparent as possible, so we will keep an open mind about making those reasons public. There might be good reasons for our rejecting a draft code, but there would be strong pressure from parliamentarians to understand why the Government had done that. We would therefore have to explain that in public in some way, shape or form. There would perhaps have to be appropriate caveats around certain things, but I think that we should look to make those reasons public in almost every instance.
Sticking with the issue of the code of practice, before submitting a draft code for approval, the commissioner is required to consult stakeholders. Can you confirm whether that category includes the public? Will the consultation be about what should ultimately go in the code? If not, do you envisage the commissioner drafting the code and then consulting on that draft?
Those are good questions. We are trying to give the commissioner as much independence as possible to develop the code as he or she sees fit. Section 8 enables the commissioner to consult a list of prescribed stakeholders, but it also has a catch-all provision on consulting any other relevant stakeholders. The commissioner will be independent, and he or she will be appointed by Parliament. I would not want to push them into a particular position, but I think that consulting the public will be a hugely important part of that exercise.
You asked whether the consultation should take place before or after the code is drafted. We have to respect the independence of the commissioner, who, as I said, will be appointed by Parliament, but I have always found that consultation before we introduce a piece of legislation or guidelines—which is what the Government often does—is the better way to go, as opposed to trying to bolt things on at the end. I suggest that consultation before the code of practice is drafted would be a better way to do it, but ultimately I have to take a step back and allow the independent commissioner to do as he or she sees fit.
If we start from the position that biometrics are evolving fairly rapidly and, as you said, the commissioner’s responsibilities could extend over time, do you have a view on whether a single code of practice will ultimately be the best way forward, or is there scope—would it be possible and, indeed, advantageous—for there to be more than one code of practice?
I take your point. There could be numerous codes of practice, depending on the technology. It would make the most sense, where possible and pragmatic, for the stakeholders involved—Police Scotland and the SPA—to have one code of practice to refer to and have regard to. That is why it is important that it is a code of practice: if we had provisions in the bill, changing the code of practice would be difficult. I envisage one code of practice that has the flexibility to evolve, given emerging technologies. However, the commissioner could decide that the code needs subsections, or that there needs to be more than one code, in which case those things should be considered.
Given the legal and ethical issues surrounding the collection of biometric data, do you expect the code of practice to definitively outline specific data protection considerations in terms of human rights that must be taken into account?
The short answer is that I absolutely have that expectation. Pretty much the primary reason for bringing forward the IAG and then the bill, and eventually the Scottish biometrics commissioner and the code of practice, is because of human rights and ethical considerations. If those were not a consistent golden thread throughout the code of practice, I would have severe concerns. I go back to my point about why Scottish ministers should approve the code—and I suspect that this is where Parliament’s consideration will be when it comes to approve it under the affirmative procedure. If, for whatever reason, the code of practice was regressive in terms of human rights, you would want to have a say in that.
Thank you.
You touched on this in your exchange with John Finnie. You will be aware that the committee has received evidence that there are potential legal issues around biometric data that is collected in Scotland but stored in UK national databases. How do you envisage the Scottish commissioner having oversight over biometric data that is collected in Scotland but stored outwith Scotland? Who will have legal responsibility for that?
The bill does not give the Scottish biometrics commissioner direct access to UK databases, but where Police Scotland or the SPA choose to store that biometric data will be a matter that falls within the oversight functions of the commissioner under the bill. The fact that biometric data is being stored in UK databases could be the subject of reports and recommendations by the commissioner, which could inform further consideration of the matter.
Can you clarify that whether it is the UK or the Scottish commissioner is up for negotiation?
The biometrics commissioner does not have direct access to UK databases, but where Police Scotland or the SPA chooses to store that biometric data will absolutely be under the oversight function of the commissioner, so there should not be an issue around where that data is stored. Again, I look to my officials for clarification: there are nodding heads, which is generally a good sign.
That concludes our questioning. I thank you, cabinet secretary, and your officials for attending today.
11:14 Meeting suspended.11:15 On resuming—