Contents
- Attendance
- Decision on Taking Business in Private
- “Independent Review of Complaints Handling, Investigations and Misconduct Issues in Relation to Policing: Preliminary Report”
- Scottish Biometrics Commissioner Bill: Stage 1
- Justice Sub-Committee on Policing (Report Back)
Scottish Biometrics Commissioner Bill: Stage 1
Our next item of business is to take evidence at stage 1 of the newly introduced Scottish Biometrics Commissioner Bill. I welcome to the committee the Scottish Government’s bill team. This is an opportunity for us to find out more about the purposes of the bill, which we will scrutinise in more detail. We have with us from the Scottish Government Elaine Hamilton, who is the bill team leader; Euan Dick, who is deputy director of the police division; and Louise Miller, who is from the directorate of legal services. I refer members to paper 2, which is a note by the clerk. I ask Elaine Hamilton to make some opening remarks on the bill. We will then move to questions.
The purpose of the bill is to put in place new oversight arrangements for collection, use, retention and disposal of biometric data in the context of policing and criminal justice. By “biometric data”, I mean fingerprints, DNA, other data that are currently being developed, such as facial recognition software, and any other forms of data that might emerge in the future that we cannot even imagine just now.
The oversight arrangements will focus on the creation of a new biometrics commissioner, who will have a range of functions. The oversight arrangements will apply to Police Scotland and the Scottish Police Authority. The bill allows a power for Scottish ministers to insert additional bodies, if that should be required in the future.
To ensure the impartiality of the postholder, the commissioner will be appointed by the Crown on the recommendation of Parliament. The commissioner will be accountable to Parliament for the performance of his or her functions and expenditure.
The need for independent oversight arises from the ethical, legal and human rights considerations that are associated with the use of biometric data. It is vital that the public have confidence in police use of biometric data. Given that biometric data and samples that are captured by Police Scotland may be taken without an individual’s consent, it is all the more important to ensure that there is adequate protection of rights and independent oversight of the police’s powers in that respect. The need for independent oversight has been identified in a number of independent reports—most recently, in the 2018 report, “Use of biometric data: report of the independent advisory group”. The Scottish Government consultation that followed the group’s report also indicated broad support for those arrangements.
I turn first to the commissioner’s general function, which is to support and promote the adoption of lawful, ethical and effective practices in relation to collection, use, retention and disposal of biometric data. That means that the commissioner will keep under review the law, policy and practice relating to biometric data in the context of policing and criminal justice.
The commissioner will also promote public awareness and understanding of biometric data, and of how police powers and duties are exercised, as well as how the powers and duties can be monitored and challenged.
The commissioner will prepare and promote a code of practice. In addition, his or her functions will include carrying out research and making recommendations in relation to any matter relevant to the Commissioner’s function.
In carrying out those functions, the commissioner will be required to promote in particular the interests of children, young people and vulnerable adults.
I will say a bit more about the code of practice. The commissioner is to prepare a code of practice in consultation with a list of prescribed stakeholders including Police Scotland, the Scottish Police Authority, the Police Investigations and Review Commissioner, HM inspectorate of constabulary in Scotland and anyone else whom the commissioner considers to be appropriate. The code must then be approved by Scottish ministers and laid before Parliament. The content of the code can be reviewed at any time, but there must be a report on it every four years.
The bill requires that there be a code, but it does not specify what its content should be. That is important, because it will allow the commissioner to use his or her own judgment and the input of stakeholders to shape the code. We anticipate that the code will provide information and guidance that sets out the standards and responsibilities of Police Scotland and the SPA, with the aims of ensuring good practice, driving continuous improvement and enhancing accountability. The SPA and Police Scotland will be legally obliged to have regard to the code.
To enable the commissioner to perform his or her functions, the commissioner will have the power to request information. Should that information be refused, concealed or destroyed, the commissioner has a remedy to the Court of Session, which would consider the matter. If an order were to be made by the court, it would be contempt of court to ignore it.
Having considered information about collection, use, retention and disposal of biometric data, the commissioner may wish to make a recommendation. Should no response to the recommendation be forthcoming, the commissioner would reference that in a report to Parliament, which would be made public. Therefore, the sanction is to name and shame, so to speak.
In conclusion, we will have a commissioner who will encourage and support the fulfilment by Police Scotland and the SPA of their functions in a manner that respects fundamental rights, the law and ethics. That support will include promoting good practice, identifying systemic deficiencies and providing a measure of transparency, which together will promote public confidence in policing and in the criminal justice system.
Thank you for those helpful opening remarks. Before I bring in John Finnie, I want to ask a question about behavioural characteristics. Can you give an example of what those would include?
Behavioural characteristics would include analysis of, for example, a person’s gait or pattern of speech, such as a stammer—a defining characteristic in their behaviour. For example, if the person twitches or blinks, that could be helpful.
I thank Elaine Hamilton for her summary. I have a couple of questions, in particular about the status of the code of practice. It is very hard to predict the future, but four years on, if things go as expected, what status will the code have, what requirement will there be to adhere to it and what would be the sanction for someone who does not adhere to it?
The code of practice will set out the standards and responsibilities that will be expected of Police Scotland and the SPA. The expectation is that we will have in place internal systems to ensure transparency in how they exercise their powers, and that those powers will observe human rights and ethical considerations.
If the commissioner felt that Police Scotland or the SPA were not having regard to the code, the commissioner will be able to make a recommendation that they have regard to a certain part of the code. If Police Scotland or the SPA respond, the commissioner will consider that response. If the commissioner felt that they had not responded, that could be reported to Parliament and made public. There is therefore no legal sanction for failing to observe the code, but there is the sanction of reputational damage, which is a powerful one.
I have had discussions with Professor Wiles, the Commissioner for the Retention and Use of Biometric Material for England and Wales, and know that he, too, does not have sanctions in terms of enforcement powers. However, he feels that he does not need enforcement powers and that having them would adversely affect his relationship with police forces. I understand that there might be concerns here about the commissioner not having teeth, but in practice that does not appear to be an issue. The provisions in the bill for naming and shaming appear to be adequate.
Would there be retrospective application?
No. The code of practice will come into effect on a day that will be set by regulations that the Scottish ministers will lay before Parliament under affirmative procedure.
Have you formed a view of what the public might think about the likelihood of compliance, given the Scottish Information Commissioner’s and many other people’s views of the legitimacy of Police Scotland’s proposed deployment of cyberkiosks, and the fact that Police Scotland nonetheless considers it appropriate to go ahead with that deployment?
The cabinet secretary was clear when he appeared before the committee on 13 June that the legality of cyberkiosks is a matter for Police Scotland and the SPA. The bill’s proposed remit for the commissioner includes looking at developing technologies and ensuring proper validation of them before they are deployed, and ensuring that human rights and ethical considerations are taken into account.
Okay. I will not push further on that. Thank you.
Liam Kerr has a supplementary question.
What is driving the process? Have there been breaches—for want of a better word—with regard to what is mandated just now? If so, is how we move forward time critical?
There have not been such breaches. The Scottish Government’s position is that Police Scotland and the SPA work to very high standards, and that there is no suggestion that the commissioner is required because of deficiencies in their performance.
As I mentioned in my introductory comments, there have been a few independent reports in recent years, including the independent advisory group’s report in 2018 and a report by HMICS in 2016, both of which called for independent oversight arrangements. There have been independent oversight arrangements in England and Wales for a number of years now, so it is felt that there is a gap in Scotland.
If we consider the times in which we live, so many processes are now propelled by technology, particularly biometric technology, and the Scottish Government understands that the public will naturally be concerned about issues including privacy and the security of data. There has, therefore, been alignment of a number of factors here that make creation of the post of commissioner all the more appropriate.
11:15
I would like to ask a supplementary before moving on to my substantive question. It follows on from the convener’s question about behavioural characteristics. My question is about the definition of “biometric data” in the bill. I accept that the list of types of data that is provided in section 23(2) is a “may include” list, but it does not include behavioural characteristics.
A more important concern stems from the fact that much machine learning does not codify behavioural characteristics in terms of information, as such. There is a system that can identify such behaviours, but it cannot articulate what information is being held by people. I am concerned that the definition might not capture all the means by which people are identified by their behavioural characteristics. To what extent has the bill team looked into and covered off that issue? Are you confident that the definition is comprehensive?
The definition of “biometric data” was considered very carefully by the bill team. We wanted to offer a very broad and comprehensive definition that would allow future proofing, given the fast pace of technology. Ultimately, the definition that is provided in the bill is not meant to define biometric data generally; rather, it is provided for the purposes of the bill and for setting out the scope of the commissioner’s remit.
To be clear, in the bill,
“‘biometric data’ means information about an individual’s physical, biological, physiological or behavioural characteristics”
that may establish their identity either on its own, or when it is combined with other information. When we talk about information about a person’s physical characteristics, that would include facial recognition. Information about biological characteristics would include a DNA profile, which can be derived from blood, saliva, hair and so on. Information about physiological characteristics would include vein patterns. As I mentioned earlier, information about behavioural characteristics could include a person’s gait or speech pattern.
In offering the definition in the bill, we have tried to be as broad as possible. We have made the definition broader than existing definitions of biometric data, such as in the general data protection regulations, which focuses more on data that has undergone some sort of chemical process.
The area is one that I would like to examine further as scrutiny of the bill progresses. There is an important difference between data and information, particularly when it comes to machine learning.
I will move on to my substantive question. The committee has taken evidence on the preliminary report on the handling of complaints against the police. Four bodies oversee or are involved in policing; indeed, if HMICS is included, it could be argued that we have five such bodies. The bill would introduce a sixth one. I note that the policy memorandum says that consideration was given to whether the functions of the proposed commissioner could be given to another body, such as the Police Investigations and Review Commissioner.
Is there concern that we are creating a crowded landscape for police governance? What steps have been taken with the bill to avoid that? Why was the idea of giving the functions in question to the PIRC, the Scottish Police Authority or some other body rejected in favour of creating a separate commissioner?
The regulatory landscape in Scotland includes the roles of HMICS and the PIRC. It is the policy of the Scottish ministers not to create a new public body unless there is an absolute need for it and the functions cannot be carried out by an existing body. To that end, a robust options appraisal was undertaken in May of last year, which considered existing bodies such as HMICS and the PIRC.
HMICS and the PIRC are certainly well established in their respective areas of expertise, but they do not have a remit across all areas of biometrics. If we were to widen their remit, that could lead to a loss of focus for them, and it could negatively impact on their perceived authority and credibility. On that basis, using an existing body was not considered to be optimal. To have added to the remit of either of those bodies would have represented a fundamental shift in their purpose.
Undoubtedly, HMICS and the PIRC have valuable roles to play, but the options appraisal identified that they were not ideally placed to take on an additional function such as this. The need for a new parliamentary commissioner was based on having a fresh approach to supporting improvements in the setting, monitoring and enforcing of standards. The option of a new body scored the highest for benefits realisation, particularly around strengthened oversight and accountability of public services. It also offered the value of ensuring a proportionate and effective approach to biometric data and additional capacity to support world-class innovation research and development.
A new parliamentary commissioner would also function independently, with no perception of undue influence from policing-related bodies.
Those are a number of reasons why it was felt to be inappropriate to use HMICS or the PIRC, and why the optimal solution was to have a completely new parliamentary commissioner.
When will the code of practice be available, even in a draft form?
The provisions of the bill are such that the code of practice is to be prepared by the biometrics commissioner in consultation with a list of prescribed bodies. The whole point of having an impartial commissioner is they will not be under the direction of Parliament or the Scottish ministers. It is therefore difficult for me to say exactly when the code of practice will be produced. I hope that it will be the new commissioner’s top priority but, as I say, there is a requirement for the commissioner to prepare the code in conjunction with stakeholders, which always takes time. The code will then have to be approved by the Scottish ministers and laid before Parliament. There is therefore a time element to it.
There is existing material that could be drawn on to form the code. The Scottish Government prepared a concept of operations code that was part of its consultation last year, and the new commissioner could also choose to draw on the existing standards from the forensic science regulator, for example. One would therefore hope that the commissioner will not be starting off with a blank sheet, but we have to respect the postholder’s impartiality, so I would not like to estimate when the code might be produced.
It will be after the bill is passed and it will be introduced by secondary legislation.
Indeed.
You mentioned raising awareness. Could you clarify whether that is about the role of the new commissioner or about the legislation itself and say how it is intended to raise public awareness?
Yes. One of the functions of the new commissioner will be to raise public awareness of police powers and duties in respect of biometric data. Because the post is impartial, it will be for the commissioner to decide how he or she will go about that. We would expect the commissioner to liaise with parliamentarians, with various representative groups and with the media in order to raise awareness of rights and duties in respect of biometric data.
That is quite a grey area. It sounds very good, but the detail of how you raise awareness in practice is not so clear. Is there a budget for doing that?
Yes. The financial memorandum sets out the costings for the bill. That particular part of the commissioner’s role has been costed. There is a budget for publications and a budget for travel and subsistence, which will cover the costs of the commissioner travelling around the country, attending conferences or public meetings to provide information. There is a costing for that but not one specifically for public awareness raising—that is wrapped up in the travel and subsistence budget, the salaries and other administration costs.
What is the budget?
The budget for travel and subsistence is £4,000 per annum. The administrative costs are £2,000 per annum. Do you wish to know the salary or remuneration costs?
Why not?
The commissioner’s remuneration is estimated at £57,000, and the staff salaries at £167,000, based on three full-time equivalents.
Thank you—that is helpful.
That concludes our questioning. I thank the bill team for providing evidence today.
11:27 Meeting suspended.11:28 On resuming—