Justice Committee 24 September 2019
The agenda for the day:
Scottish Biometrics Commissioner Bill: Stage 1, European Union (Withdrawal) Act 2018, Subordinate Legislation.
Scottish Biometrics Commissioner Bill: Stage 1
Scottish Biometrics Commissioner Bill: Stage 1
Good morning and welcome to the 23rd meeting of the Justice Committee in 2019. We have received apologies from Margaret Mitchell. I am pleased to welcome to the meeting Maurice Corry, as the Conservative Party substitute.
Agenda item 1 is an evidence session on the Scottish Biometrics Commissioner Bill, in which we will hear from two panels of witnesses. I refer members to paper 1, which is a paper by the clerk, and paper 2, which is a private paper.
I welcome the witnesses for our first panel: Professor Paul Wiles is the Commissioner for the Retention and Use of Biometric Material, and Lucy Bradshaw-Murrow is head of office at the Office of the Commissioner for the Retention and Use of Biometric Material. I thank the witnesses for their submissions, which are most helpful.
We will move straight to questions: I will ask the opening questions. Commissioner, will you give the committee an overview of the powers and functions of your role and how it currently applies in Scotland? What are the main differences between your role and the role that is proposed for the Scottish biometrics commissioner?
Professor Paul Wiles (Commissioner for the Retention and Use of Biometric Material)
Thank you for inviting us to talk to the committee.
My role is defined under the Protection of Freedoms Act 2012, and the remit that I have follows the current extent to which powers are devolved, or not devolved, across the United Kingdom. My role in national security is a UK-wide responsibility because security is currently a non-devolved matter. Therefore, I cover national security matters in England and Wales, in Northern Ireland and in Scotland.
As I am sure members are aware, my basic function in that regard is for when the police have no other legal power by which they would be able to take or retain biometrics, and so keep biometrics if a chief officer of police makes a national security determination. The grounds for such determinations are laid out in legislation. I have to look at all such national security determinations and, if for any reason I think that they have not been properly made, I have the power to order deletion of the biometric material.
There have been, comparatively, very few national security determinations from Scotland. Since the 2012 act came into force, there have been 21 NSDs from Scotland, which is really quite a small number compared with the number from England and Wales. Therefore, the power has not been used to any great extent in Scotland—although of course that could change, depending on what happens.
For police use of biometrics for reasons other than national security, my remit is limited to England and Wales, because such reasons are a devolved matter. Therefore, Police Scotland’s use of biometrics for any reason other than national security is a matter for the Scottish Parliament, and not Westminster. The same is true for Northern Ireland. My remit in that regard only covers England and Wales.
The difference between my role and what is proposed in the bill is quite significant. Under the 2012 act, my role covers only DNA, fingerprints and shoe impressions—although I am not clear why, because shoe impressions are not biometric. My role does not explicitly cover what I call second-generation biometrics. Through the bill, the Scottish Government is seeking to find a way of providing governance for police use of second-generation biometrics. The Scottish Government should be congratulated because Scotland is, as far as I know, the first country in the world that is trying to do that.
Many other countries are quite interested in what Scotland is doing, because they are all aware that they have similar issues. In particular, they are interested because the Scottish Government has come up with a form of legislation that the proposers at least believe will be flexible enough to cope with the fact that the technology in this area is moving very rapidly indeed.
I have no remit in respect of the new biometrics. I commented on second-generation biometrics in my annual report simply because I am constantly asked about them and the police constantly come to me and discuss them. My having no remit on them has not stopped people assuming that I do. That is why they are covered, to some extent, in my annual reports.
The proposed Scottish commissioner will, of course, have an active role—which I do not have—in determining the way in which governance operates in the future, because they will have the responsibility for drawing up codes of practice. I have no such proactive role in England and Wales.
Thank you. That is really helpful. For clarification, am I right that, from what you have said, you will not have much interaction with the Scottish commissioner other than on matters of national security?
Yes. Broadly, it is correct to say that the Scottish commissioner will deal with the police on matters that are not matters of national security.
People who have submitted written evidence to the committee have rightly drawn attention to two things. First, Police Scotland uploads biometrics to the UK-wide databases, so there are issues to do with the extent to which retention of that material will follow Scots or English law. I think that the answer to that question is that, if the biometric samples or biometric profiles in the case of DNA are Scottish, Scots law ought to apply. Technically, there is no reason why that should not be done.
There are potential problems simply because the databases on which the biometrics are held at UK level are elderly. They are in the process of being replaced, but there has been a delay in that, so there might be some problems because of that. However, with the new databases, I can see no reason why Scottish samples should not be held according to Scottish legislation and English samples held according to English legislation. That would mean that, if the bill is passed and a commissioner appointed, he or she should become a member of the strategy board that oversees use of national UK databases, just as I am. That should deal with that matter—although I can imagine one or two issues, at the moment.
Secondly, there are, of course, law enforcement bodies—for example, the British Transport Police and the Ministry of Defence Police—that operate UK-wide, in both England and Scotland. I cannot remember whether anybody has drawn attention to that. When the British Transport Police in Scotland arrests someone and takes biometrics, it uses Police Scotland to take them, but then ships the biometrics down to London. That is an issue, because those biometrics are currently kept according to England and Wales legislation. If a commissioner is appointed, that is perhaps something that they will need to take up. Samples that have been taken in Scotland should, in my view, be subject to the legislation that is in place here.
Thank you. John Finnie has a supplementary question.
That is very interesting, Professor Wiles. I had hoped to discuss that issue, so that was timely.
The example of the British Transport Police is a very good one. One might reasonably imagine that the legislation should apply to Scotland, within the confines of the territorial boundaries. Should similar provisions apply to the National Crime Agency?
Yes. You referred to territorial boundaries. I was suggesting that it is not just a matter of territorial boundaries, but that the approach should depend on where and by whom the samples were taken. It seems to me that if biometric samples are taken in Scotland, they ought to be subject to Scots law, even if they are taken by an agency that operates in England and Wales as well as in Scotland.
I concur fully.
You said that you have a specific role relating to national security. Should the bill also apply to the Security Service operating in Scotland?
First of all, the Security Service is outside my remit, as it clearly reminds me whenever I try to get involved. As far as I know, national security is not a devolved matter. Therefore, it is for the UK Parliament to provide that oversight. Of course, that is on the basis—
Is that notwithstanding the fact that a sample might have been obtained in Scotland?
Yes. I do not think that the proposals would put in place legislation to control retention and use of biometric samples that have been taken by the Security Service. The bill specifies that it relates to samples that are taken by Police Scotland and other such bodies. As I understand matters, national security is not within devolved powers.
You mentioned the British Transport Police. It is my view that there is a dearth of accountability in that respect. If we want an open, transparent and accountable process, surely the principle should apply to all public bodies.
That is a political matter for members, sir. As far as national security determinations are concerned, there is transparency, and it is provided by me and my office. The annual report gives the number of national security determinations, the number that I have challenged and the number for which I have ordered deletion. That information is publicly available, as regards biometrics that are being kept on the ground of national security, rather than any other grounds. However, as far as I know, the Security Service does not, itself, take biometrics—the police take the biometrics. In other words, that is covered by the NSD process.
Of the 21 applications from Scotland, how many did you refuse?
From memory, I do not think that I refused any of the 21 applications. Perhaps it would help if I explain the process. When I look at national security determinations, I have a two-stage process, not just because the legislation specifies that but because of what we have put in place. If, for any reason, I have concerns about why the NSD was awarded—basically, if I do not think that it meets the legal requirements of necessity and proportionality—I will challenge that. If the answer that I get back does not deal with my concerns, I order deletion of the samples.
You said that the Scottish Government should be commended for being the first in the world to propose specific legislation about how new biometrics are used for policing and criminal justice and how that should be governed. I have a couple of questions on that.
First, does it surprise you that such legislation has not been introduced before? Secondly, is there a reason for that? You talked about how quickly things move in the area, so is that speed one of the reasons? Do you think that other jurisdictions, in particular England and Wales, will introduce similar legislation on the back of what is happening in Scotland?
It is interesting to note that the Protection of Freedoms Act 2012, which is the current legislation in England and Wales, is relatively recent, but covers only DNA and fingerprints. That is because at that time people were not expecting the second-generation biometrics to become more usable at the speed at which that has happened. Essentially, we have three technologies coming together—biometrics, big data and artificial intelligence. The use of artificial intelligence on large data sets has driven the utility of the new biometrics—face and voice recognition, and so on. The matching capabilities of those technologies has improved exponentially in the past two or three years: it has been very rapid.
I think that all Governments have been faced with a situation that has been caused by the speed and extent to which the new biometrics are becoming available and, potentially, used. That process has been very rapid, compared with the normal processes of legislation.
Secondly, the number of new biometrics that are emerging is increasing all the time. More to the point, perhaps, is the fact that the number of cases of use of the new biometrics is multiplying. Members have probably noticed that, in England, there has been significant debate recently about use of facial recognition technology not just by the police, but by the private sector.10:15
The process has been very rapid, and I think that all Governments have realised that trying to legislate and put down rules for each biometric and each use case simply would not work, because they would always be behind the technological change. The difficulty has been in finding a way of providing legal governance for use of the new biometrics—by the police, in particular—that can respond to change.
In Scotland, an expert group looked at that problem and came up with some proposals that include a legal architecture that lays down principles, and the appointment of a commissioner to produce codes of practice that can respond to the rapid technological changes. There might be other ways, but I cannot think of one. At least that is an attempt to deal with the problem. I think that Scotland is the first country that has tried to do that. It is interesting that the legal architecture that is being used is very similar to the legal architecture that is used for data protection legislation.
I want to follow up on the issue of how quickly the technology is moving and the ability of legislation to keep up with that. You have said that the codes of practice will be the main tool that will be available to the new commissioner. Bearing it in mind that the main challenge is that the technology is continually changing, what do you think should be the main points of a robust code of practice?
The bill proposes the principles on which codes of practice should be drawn up, which include human rights, data protection legislation and principles from the current legislative framework for DNA and fingerprints. The commissioner must operate within those broad principles—they will not be free simply to do what they want. Furthermore, the bill provides that the commissioner, having drawn up the code, should report that to the Scottish Parliament, so Parliament will continue to have oversight of the process. That is the general framework, as I understand it.
When it comes to what the issues are, there are a number of steps. First, there is the question of whether a particular use of biometrics is in the public interest. I think that we would regard police use of biometrics as probably being in the public interest. At the moment, there is a question in England about whether use of facial recognition technology for public surveillance is in the public interest. That is a slightly different question from the question on which a court in south Wales recently decided, which was whether there is a lawful basis for its use.
If use of biometrics is in the public interest, it is inevitable that it will involve intrusion into individual privacy and liberty. That raises the question of proportionality and how the public benefit that is being claimed can be balanced against intrusion into privacy and limitation of individuals’ liberty. It seems to me that the first question that needs to be addressed is whether the public-interest case outweighs the invasion of privacy and the reduction of liberty.
There are also questions about who should be allowed to take biometrics and under what conditions, when and with what authority. Examples are whether the police would have the right to take facial images or do voice analysis; when they would do it—at arrest or some other point; and whether they would be entitled to take those by force if necessary, or only by consent.
There are issues about retention of biometric data and the form in which it can be retained. As members know, in the early days of police use of DNA, there were concerns about the police being allowed to keep DNA profiles but not samples, which would have allowed them to learn a lot more about individuals than was necessary for policing purposes.
The code of practice will have to address those questions and propose answers.
Good morning, panel. You have talked a wee bit about the bill creating a requirement for law enforcement bodies to be compliant with the code, but the bill does not give the Scottish commissioner any enforcement powers. Drawing on your experience, can you provide examples of where monitoring and public reporting by themselves have ensured compliance?
At the moment, the bill is limited to police use of biometrics, which is interesting. I am drawing attention to that because a common way by which commissioners or regulators are given enforcement powers is to give them powers to levy fines, as is the case for the information commissioner. The problem with trying to achieve compliance from public bodies by using fines is who suffers from the sanction, because the people who suffer the consequences are those who receive the services of that public body.
My experience of policing in England and Wales is that the police—like all public bodies, but particularly so—are very concerned about continuing to carry public trust in what they do. They know very well that it is much more difficult to police without public trust and without public belief in the legitimacy of what they do. The police are sensitive about carrying the public with them. That means that, when we visit, they are always extremely open with us; we always have open discussions and they are always amenable to our suggestions about their compliance, and the basic reason is that they want to continue to hold public trust.
We visited just over half the forces in England and Wales last year and we will visit the rest this year. When we visit, I always say to forces that I do not name individual forces in my annual reports, unless we are publishing data that is broken down by force, such as the number of samples held. On the other hand, I also say that I will publish if I ever get into a situation in which a force deliberately misleads me or is knowingly non-compliant with legislation. However, there would be several stages before that, such as writing to the force’s chief constable and the Home Secretary. I would question how far what the force was doing was compliant.
I hear what you say about not mentioning individual police forces in England and Wales, which seems sensible enough. Are there are good examples of individual police forces with regard to the particular point that I made?
Recently, for the first time, I visited a police force in England and Wales, and I asked whether it was making any use of facial image matching. I was told that it was not. About two weeks after that visit, I read in the press that that force had been involved in some facial imaging at a shopping mall. I wrote to the chief constable and said that I was concerned because I had asked that question and been given an answer that I now understood was not full or correct. The chief constable wrote back to me to apologise but also to say that, if I had been misled, it was completely inadvertent, because the officers I was talking to and, indeed, the senior command team in that force were not aware that that had been happening. In other words, there had been sharing of information at a fairly junior level in the force. I have looked at that, and I entirely accept what the chief officer was saying. As far as I am concerned, I think that that deals with it.
However, what that case shows is the kind of risks that exist in the absence of clear and specific legislation to deal with the second-generation biometrics such as face recognition. Although senior officers in England and Wales are sensitive to the risks that they would run in terms of public trust by using the new technologies, inevitably, that might not work through all the way down the command chain. Officers lower down who are used to working co-operatively—quite properly—with bodies that run shopping malls, local universities and so on might inadvertently start sharing stuff that, in my view, they probably should not. As I say, I have seen an example of that but, on inspection, nobody was trying to mislead me deliberately or be knowingly non-compliant.
Listening to that exchange, it occurred to me that, in England and Wales, there is a plethora of forces, which means that the information is coming in from different places, and the sanctions that you have described will probably be applied in a different way from the way in which they would be applied in Scotland, where there is a single national force, which means that any data that comes forward will inevitably come from Police Scotland. Can you make any observations about the way in which this legislation and the sanctions would apply in that context?
Of course, Scotland has a single police force and, in that sense, there is—well, the equivalent will be one inspection. However, I tell you what: I will make a bet with you that the different bits of Police Scotland are not totally uniform. That is not based on what I know about Police Scotland; it is based on what I know about police forces. If I were the new commissioner, I would be interested in testing whether Glasgow operates in exactly the same way as Aberdeen or Inverness—that would be worth looking into. That is not a disparaging comment about Police Scotland at all; it is just that, although there is a single force, it covers a wide area and there will inevitably be some local variations. When you appoint the new commissioner, I would think that he or she might want to investigate that issue and find out whether there is uniform compliance or variation. In a sense, what I have just described in a single police force in England and Wales was about variation within the rank structure, and that force is a fairly compact one, geographically. Police Scotland is geographically widely spread and is quite a recent creation, so I would want to check the extent to which local cultures still apply.
You spoke earlier about the new Scottish commissioner having a proactive role. However, the bill envisages the role as being a part-time one. What is your view on that suggestion? Could the job be done part time? Is that a reasonable ask?10:30
I think that the role will be part time due to a combination of the amount of time that the commissioner is envisaged as providing and the extent to which his or her office can help in that process.
I am sure that you will want to ask Lucy Bradshaw-Murrow some questions in a moment. She and I work quite closely together, as do the rest of my team. It is a team effort rather than just that of a single person. Of course, you are right that it is the commissioner who will have to take responsibility for the decisions and be answerable for them.
If the bill becomes law and you appoint a commissioner, they will, particularly initially, be involved in significant consultation about the codes of practice. The workload will probably get a bit easier once the codes are established, but I imagine that they will require a lot of work. That is partly because the legislation would require consultation with certain people. I am sure that whoever you appoint will want to consult with all sorts of stakeholders, too.
There will initially be quite a process of consultation and quite a process of giving the principles that are in the legislation practical import in the way in which they feed into the codes. I imagine that that will be a lot of work. I think that that means that in the first year the commissioner will be focusing almost exclusively on that task, and other aspects of the role will probably have to wait until the first codes are in place. The bill allows for that, because the first report on the codes is not expected quickly—there is an assumption that it will take time to get to that point. That is quite sensible.
The other thing is that it depends on what previous experience the person whom you appoint has. To some extent, that says something about what kind of person you want to appoint as commissioner, particularly initially.
What is Lucy Bradshaw-Murrow’s view on the role being part time? Is the workload too heavy for that?
Lucy Bradshaw-Murrow (Office of the Commissioner for the Retention and Use of Biometric Material)
The Commissioner for the Retention and Use of Biometric Material covers England and Wales and UK national security cases on a part-time basis—the role is 0.6 of a full-time equivalent. That works for us. As Paul Wiles said, we have in place a team that can represent him in his absence or continue the work when he is not there. I will give a very simple example of how that relates to my role. If we had a strategy board meeting on a day when the commissioner was not working, I would represent his views on his behalf. The rest of the team continue the commissioner’s work in his absence, essentially. It is important that he is there for certain elements of the role and to provide a figurehead for the office, but he does not always need to be there.
It is probably perverse in the context of what we have been discussing about the role’s part-time nature to bring up this issue, but other witnesses that we will hear from in our second session today, such as Dr Hannah Graham, have pointed to the wider use of biometrics in other countries. Biometrics are even being used in the criminal justice system more broadly. We have seen that in relation to electronic monitoring, probation, parole and prisons. Notwithstanding the priority that is attached to the police and the Scottish Police Authority, is there a case for broadening out the role and remit of the commissioner into the broader criminal justice sphere?
I fully understand why the Government has started off focusing on the police’s use of biometrics, although the expert group suggested a slightly broader remit. The case for that is simply to do with the powers that police forces hold and the fact that they have a right to interfere in the lives of individuals in a way that no other organisation in law has.
There are issues with the criminal justice system, in particular, because the police are part of that overall system. In England, as in Scotland, there are links between the way in which the police use biometrics and the way in which the courts and prisons use them, because the same people are going through the system. There are links between the police use of biometrics to authenticate identity and the potential use of biometrics by the courts to check whether the person before them is the same one who was arrested by the police and by the prisons to check that they have received the person whom the courts sentenced and the police arrested. An individual is going through a process.
I can see the case for extending the use beyond the police to the criminal justice system and why that is a particular case. On the broader question, there is a live public debate in England and Wales, as I said earlier, because it is becoming clear that the technologies are being used by the private sector. Unlike the police use of the technologies, private sector use is not always transparent or publicly admitted to; indeed, we have had some real evasions about that use. Therefore, I can see that the use of biometrics outside the police and criminal justice system should be looked at. Politically, that case is developing at the moment in England and I am sure that that will happen.
One has to remember that data protection legislation already covers it all—not only use in the public sector but use in the private sector. The information commissioner is certainly looking at the use of facial matching technology by the private sector in that mass public space around Kings Cross and St Pancras stations, for example, which has been in the news recently. It is not without some regulation, but the question, which will be one for the Government and Parliament of Scotland later, is whether you wish to see specific governance through law of the use of those technologies by the private sector or, for that matter, by the rest of the public sector.
The bill currently provides a list of people who should be consulted before a draft code is submitted to the Scottish ministers. Does either witness have a view on the proposed list of consultees and whether any other stakeholders should be included in the bill?
My view is that the bill has named the most obvious stakeholders. At the same time, I do not see anything in the bill that limits the commissioner to consulting only those stakeholders. Obviously, I cannot speak about that being the case for ever, but let us say that the bill becomes law and you appoint a commissioner. If I was the commissioner, I would obviously consult the people whom the legislation required me to, but I would also think about whether there were others whom I should consult, and I would make public the fact that I was interested in hearing from any other parties. I think that the commissioner would be sensible to do that. The question is whether the commissioner can produce a code that not just you in the Parliament think is all right but the people of Scotland think is appropriate. The commissioner that you envisage under the bill will have a broader role of trying to carry public opinion with them.
In a sense, the commissioner would also have that problem of trust, and they would be well advised to encourage all parties who might wish to have a say on the issue to do so. I was asked a few moments ago about whether there is enough time. Getting public opinion is a difficult process. You would have to think of mechanisms to limit how far that could go, but I cannot see anything in the bill that would prevent the commissioner from bringing a group of people together and getting them to do some of that work on their behalf.
From your experience in England and Wales, can you give the Scottish Government a steer on any bodies or stakeholders that may not have been identified but which should be considered?
I am speaking from memory, so I am not sure that I am remembering the bill absolutely correctly, but one group that is not a user of biometrics but which is nevertheless influential is the providers of biometrics. As I am sure that you are aware, the technology companies—particularly the big ones—are vociferous lobbyists for the use of their technology. Therefore, if I were the commissioner, I would want to talk to them and make sure that they were part of that conversation, because, at the moment, it is difficult to keep up with the different uses for biometrics that technology companies are developing, some of which are surprising uses that one had not thought of.
Recently, I was slightly, though not entirely, surprised to discover the use of facial imaging—on the basis of a belief that I am not sure is scientifically accurate—as a proxy for people’s emotional response to things. That is very different from simply authenticating identity. The claim is that you can tell from the face something about the way people are thinking and emotionally reacting. That is a different issue, and I would want to talk to the tech companies to make sure that I understood the other things that biometrics might be used for.
That is the point that I am driving at.
On a similar topic, the bill does not provide for an ethics advisory group, but we know that the Cabinet Secretary for Justice intends to establish such a group. What might that look like? I understand that there is a biometrics and forensics ethics group in England and Wales. Might the cabinet secretary’s group look similar to that, and how might such a group contribute to the work of the Scottish biometrics commissioner?
As a precursor to my response, I should say that I do not think that the bill will prevent the commissioner from setting up an ethics group. One way or another, that can happen.
However, you are correct. The Home Office has an ethics group, which has done some very important and useful work, some of which has been published. I say “some”, because it is a Home Office group and therefore the Home Office decides whether the group’s reports are published.
I was surprised when you said that it is the justice secretary who will set up an ethics committee, as opposed to the commissioner. If there is going to be an ethics committee, it should be transparent and its findings open.
In England and Wales, there are a number of ethics committees. You referred to the Home Office one, but there is also a cross-Government ethics committee that is looking at new technology in Whitehall.
I fully understand why people should look at the ethics of the use of new technology—I assume that we are talking about public ethics here. Of course, we expect individual actors to act morally, and we have seen examples in which those who work for technology businesses have pretty well forced their companies to pull out of contracts as a result of ethical concerns. Recently, some Google employees did that.
Of course individual ethical decision making is important, but we are really talking about the public ethics of the use of biometric data. That leads on to what I said a moment ago: the first question is how you balance the public interest in the use of the data against invasion of privacy and restriction of liberty. Those things seem to go together, and they are the kinds of issues that ethics groups can advise on.10:45
I go back to the line of questioning that Maurice Corry was pursuing. Would there be value in somebody setting up such a group prior to and in order to advise on the codes of practice that he was asking about?
You have said that the justice secretary is thinking of setting up a group; if that is so, it is not for me to comment on. The justice secretary will no doubt do that, and I can understand why he might want to do so. As I say, there is a cross-Whitehall group that looks at ethics and advises ministers and Government on the ethics of all new technology, not just biometrics. I can see such a group playing that role and being extremely useful. If there is such a group, I am sure that when the commissioner draws up codes of practice, they will be interested in the issues that the ethics group raises.
If the justice secretary does not set up an ethics group, the commissioner remains free to do so—I think.
I do not know whether you are aware of the criticism that Police Scotland faced about its roll-out of digital device triage systems, which became known as cyberkiosks. That criticism was founded on the dearth of a robust legal basis for that roll-out or any engagement with relevant stakeholders. You talked about the providers’ “vociferous lobbying”—that lobbying will involve getting information to the public about how vital a product is.
You have also repeatedly talked about how important trust in the police service is and how the term “policing by consent” is often used. I do not think that anyone would dispute that there should be engagement, but how informed can that public consent be?
I have several things to say. First, that is why I said that there are three pieces of technology that go together here. The kiosks that you refer to are not necessarily biometric, but they are part of the technological family of which biometrics is a member. That is exactly why I made that point; it raises the same issues.
I noticed the proposal to give the Scottish commissioner a role in informing the public, which is important. Another important point is that, in carrying out that role, the commissioner will want to bring together what the tech companies say about the products and their evidence to justify what they say about the products—the scientific basis for that, any independent testing that has been carried out and so on. I hope that the commissioner will be in a position to bring that together and offer some advice on where the evidence points.
That role in encouraging and, to some extent, leading public debate will be important for the commissioner in Scotland, and will result in, I hope, a proper and informed public debate. What you are hinting at without saying it—and I agree with you—is that the current debate in England and Wales is not terribly well informed. As you are probably aware, I have been critical of Whitehall ministers for not leading that debate.
Who is leading it?
That is the problem; I do not think that anybody is leading it in England and Wales. That is exactly why I have been critical.
People have tried. The House of Commons Science and Technology Committee, on which some Scottish MPs sit, has considered the matter. I have given evidence to that committee, as has the Forensic Science Regulator and the Home Office minister responsible for biometrics. The Science and Technology Committee has published a report and, as you know, it has called for a moratorium on the use of facial imaging until some broader regulation is put in place.
There is a debate going on. At the moment, it is being led by, first, the Science and Technology Committee and, secondly, pressure groups such as Liberty and Big Brother Watch, which have successfully pushed the matter into the public realm so that the public are more aware than they were even a few months ago about the way in which some technologies are being used. The debate is still quite muted, however, and it is not as fully informed as it could be, ideally.
Would the new commissioner be able to move the debate beyond the idea that interfering politicians are trying to frustrate the efforts of the police to keep communities safe? That is how the debate is presented.
That goes back to the question that I raised some time ago about the public interest. I would have thought that we have a general interest in wishing to see justice properly existing. None of us wishes to be a victim of crime; we seek to ensure that we are protected from being victims of crime. I am sure that we think that those who commit crime—particularly serious crime—should be dealt with appropriately by the judicial system. I doubt that there are many people who do not think that that broad purpose is in the public interest. The question is how far the new technologies can aid that purpose and whether that outweighs the extent to which the use of those technologies interferes in the liberty of other people. When cases have got to court—particularly the European Court of Human Rights—that is the balance that the courts have always been concerned about: is that proportionality appropriate? That remains a very proper question, and it is a question that anybody who wishes to use the new technology should be answering.
On the other hand, I do not think that the matter should be left to those who wish to use the technology. It is a matter of public interest—it is a public matter and therefore a matter for a body such as Parliament, or Parliament through a commissioner in the way that is proposed. I find it interesting that the commissioner of the Metropolitan Police has said clearly that she thinks that new technology will improve policing and that she wishes it to be deployed in policing, while saying at the same time that she does not think that it is for the police to draw up the rules by which that technology is used.
That concludes our questions. I thank you both very much for attending.10:53 Meeting suspended.
10:56 On resuming—
I welcome our second panel of witnesses: Dr Christopher Lawless, associate professor, department of sociology, Durham University; Dr Hannah Graham, senior lecturer in criminology, Scottish centre for crime and justice research, University of Stirling; and Dr Karen Richmond, University of Strathclyde. Thank you for your submissions.
We will move straight to questions and I will ask the first one. From what we have been hearing and what we know, it would appear that the introduction of the bill is timely, given the rapid development of new biometric technologies. Will you outline why you think that establishing a Scottish biometrics commissioner at this point in time is so important?
Dr Christopher Lawless (Durham University)
In the previous session, we heard that there are many fast-moving developments in biometric technology. In terms of anticipating such developments, the first important thing is that there is a gap that needs to be filled by an agency or body that can address the technical standards around biometric technologies and critically assess the scientific basis of such technologies. For me, that is really important, because when we talk about the ethics of biometrics, the ethical issues are very closely related to—if not interdependent with—matters of reliability and validity, and they link into matters of public confidence. We see that with, for example, automated facial recognition. There have been concerns about the reliability of that technology, the potential adverse impact that it may have on individuals and, in turn, the potential for adverse views from the public.
With regard to the role of a Scottish biometrics commissioner, there is a gap to be filled. We have the Forensic Science Regulator in England and Wales, and there is a need for a separate agency in Scotland to address the various ethical and scientific challenges, which are interlinked, and how we communicate them to the public.
Dr Hannah Graham (Scottish Centre for Crime and Justice Research)
To complement what Dr Lawless said, I emphasise Professor Wiles’s comments on certain issues capturing the public imagination, but perhaps with the public having a limited or diminished understanding of what is involved. As recently as in the past few weeks, there have been headlines in London around whether some of the technology might be inaccurate in 80 per cent of cases. Such statistics can capture the public imagination quite quickly, potentially cast doubt on authorities in which we would want to maintain public trust, and raise legitimate questions about accuracy, validity, bias and discrimination, and the transparency with which data is collected. The bill focuses on the police—although it may be extended—but our biometrics are being used across our daily lives, therefore the role of commissioner needs to involve public communication and awareness raising, and to an extent provide public reassurance. It must also be independent from but have the confidence of the Parliament.
I echo what Professor Wiles said about Scotland having the opportunity to be pioneering in that way. One of the strengths of the bill is that the commissioner’s role could have an appropriate level of flexibility to deal with the rapid rate of change. Each time that I go to a tech conference, there are new uses, and your head has to try to keep up with how many human rights implications there might be. With the pace of change, an independent oversight role would be appropriate for the public.11:00
Dr Karen Richmond (University of Strathclyde)
I echo what Dr Lawless and Dr Graham have said and what Professor Wiles alluded to. We are seeing a step change in the emergence of new investigatory and broadly forensic techniques, which are quite different from the techniques that we are used to, such as the use of fingerprints or DNA, which emerged from certain forensic trade crafts or the scientific sector. Investigatory techniques are emerging that are driven by big data, and they are proliferating into areas that go beyond what the police, the investigative authorities and the Forensic Science Regulator, for instance, would be used to dealing with. The time is right to try to catch up with that development and even to try to get ahead of the curve to some degree by creating a position that is flexible and reflexive and can react to those interdisciplinary challenges.
Good morning. As we have heard, the bill provides that the commissioner’s general function will apply only to Police Scotland and the Scottish Police Authority. Should it also apply to other criminal justice organisations or other bodies that collect and use biometric data? If so, what bodies should be included?
That is almost entirely what my submission focused on. I deliberately chose language such as “consider” and “discuss” because future proofing of the bill might be considered. I am not strongly advocating that certain justice authorities must be included, but it would be worth considering whether the Scottish Prison Service, electronic monitoring providers or local authority providers of public space closed-circuit television combined with facial recognition technologies should be encompassed within the commissioner’s remit and the code of practice now or in the future.
I want to draw attention to the fact that the Scottish Prison Service and the provision of electronic monitoring currently involve both public and private companies, and that might continue to be the case in the future. In addition, electronic monitoring does not have a dedicated inspectorate. Inspectorates have roles that are separate from what is proposed in the bill, and electronic monitoring would span three inspectorates with changes that are coming in with the Management of Offenders (Scotland) Act 2019.
I am not involved with and am not able to comment on the live electronic monitoring procurement exercise that is under way, but most of the international providers of electronic monitoring and reporting technologies, such as tagging, boxes and kiosks, have increased interconnectivity with other technologies. Therefore, we might see biometrics connecting with the global positioning system and with other things that we could know about people who are monitored. Increasingly, nearly anyone who bids for the Scottish contract will have biometrics as part of what they are suggesting, because they will need to be able to verify or identify a person remotely for their home detention curfew or alcohol monitoring, and to verify that a breath sample that has been given is indeed theirs. That will be a feature.
With the Scottish Prison Service, we can have a bricks and mortar understanding of what happens in prisons but, as recently as at your evidence session last week with Her Majesty’s inspectorate of prisons for Scotland, you heard the deputy chief inspector advocating further use of technology in Scottish prisons as a priority, and that might use biometrics.
Another area that I am unclear about and that has captured the public imagination is the involvement of biometric data in cases involving violence in custody as well as the profoundly serious and sad cases where there is a death in custody. The committee should check and discuss with the relevant people how the bill relates to that. If the bill goes ahead largely unamended, I would want the committee to check that you are confident that the Police Scotland and SPA remit within that is fine. A fatal accident inquiry is not about criminal or civil liability or the investigation of a crime; it is about establishing the circumstances of a death, yet biometric data has been the subject of questions at First Minister’s question time and public headlines, particularly in relation to CCTV footage in recent high-profile cases. I do not advocate that you should arrange everything around statistically rare but high-profile exceptional cases but, given the seriousness of what can sometimes happen in our prisons or with monitored people, it is worth discussing that further.
I largely agree with that and I have just a small point to add. Incidents and offences can occur in prisons and they need to be investigated, too. Some thought needs to be given to that, even if it is just a small amount of thought, to consider who collects biometrics, when they do it and by what means.
The use of biometrics in prisons is beyond my area of expertise, but I would be concerned if we focused entirely on the use of biometrics by investigative authorities and overlooked the use of biometrics in SPA forensics. There is a tendency to focus on the use of biometrics in investigations in the public sphere and then to assume that anything that happens beyond that is a matter for the courts. However, members of SPA forensics talk about using forensic techniques from the crime scene to the court—they understand it more as an evidential trajectory. It is important to bear in mind that virtually all the techniques that have ever been used just for forensic intelligence or investigative purposes have then developed and evolved and become evidential techniques—at least, there have been attempts to walk them into the courtroom. There is a forensic and scientific element to all the biometric techniques, and we should not lose sight of that when we concentrate on their use for investigation.
Just to follow up on that, I think that you have picked up Professor Wiles’s point about the journey through the criminal justice system. He made the point—he has left the public gallery, so I can probably now confidently paraphrase him—that the controls around data protection and the involvement of the information commissioner provide some safeguard across the public and private realms. Does that give you confidence about the way in which biometric data is potentially being used?
I still think that there is a gap to be addressed. We need to think about how we define biometrics. Are we talking just about the final data that comes out? For example, to go back to the distinction between a data profile—the data that is stored—and the material, do we need to think more broadly in terms of the processes that are at play in the production of a piece of biometric data?
A whole host of processes—from recovering a piece of evidence at the crime scene to turning it into a piece of biometric data that might be comprehensible in the course of an investigation—potentially need to be monitored to ensure that scientific standards are being properly applied, as well as in relation to other kinds of issues.
I am not sure whether that falls under the remit of the information commissioner, which is an argument for a biometrics commissioner to oversee the wider process.
Witnesses talked about the extent of the pace at which technological change is opening up a raft of complex issues. Does the way in which the bill is drafted allow sufficient flexibility and responsiveness to keep pace with that change?
Is it important to amend the bill to provide a greater degree of reassurance that it is future proofed and that the commissioner will be able to respond to, and anticipate, changes in the way in which technology is developing?
I do not have major concerns in that area. Although I do not wholly specialise in the area, there is a sense that—despite the need for more discussions—there are no significant surprises or unexpected things in the way that the bill is drafted.
I emphasise that what sounds like a distinction between what is happening in Scotland and what happens in England and Wales is the proactive nature of the commissioner. I would celebrate that element of flexibility being recognised and cemented in the bill. The committee will be well aware of the inherent difficulties and sensitivities in making law and policy around a controversy with more heat than light. The commissioner’s role and their need to be flexible may grow and may need to be re-evaluated in line with more use of technology and more cases coming to their desk. I see biometric technologies and other forms of data practices only growing in the future.
In your written evidence, Dr Richmond, you suggested that the bill might be open to challenge with regard to the Scottish commissioner’s functions. Will you explain in a little bit more detail what you mean by that, and whether you have any suggestions as to how the bill might be amended in order to address that concern?
Certainly. In my submission, I was concerned that there might be a slight lacuna in the bill between the function of the Scottish biometrics commissioner and Professor Wiles’s function in England and Wales.
As he stated in his evidence, when Police Scotland and the SPA collect samples of DNA and what are called “ten prints”—fingerprints—and load them on to Scottish databases, they are also loaded on to the UK national DNA database and to IDENT1, which is a national UK fingerprint database. From the way in which the proposed legislation is drafted, it seems as though the samples that are copied on to UK databases might fall between two pieces of legislation.
Professor Wiles alluded to one or two solutions. First, he stated that new databases are coming in, through which the problem might be resolved. Although I do not know anything about that—I could try to find out and send you a written submission—I hope that the new databases that are to replace the existing ones do not replicate their architecture, as that will not resolve the problem.
His other suggested solution was that the commissioner should sit on the strategy board. That is certainly a good way forward, and it seems to exemplify the flexible and communicative role that is envisaged for the commissioner.
I would hope that that would be made concrete through some form of protocol, so that if a member of the public was concerned about the retention of their fingerprints or DNA, there would be some fairly robust mechanism to ensure that, if the retention was unlawful, that information could be removed from the databases.11:15
Thank you—that is very helpful.
One of the main tasks in implementing the bill would be for the Scottish biometrics commissioner to draw up a code of practice for the use of data by the police and the SPA. What main factors should be considered in order to ensure that the code is robust enough?
Following on from what Professor Wiles said, it is important that a code of practice is driven by clear principles. I have been thinking a lot about the process of drawing together such a code. I emphasise the importance of the consultation process—that has been discussed previously, but it is worth revisiting. The bill lists some obvious consultees, but it gives the commissioner quite a lot of scope to consult other stakeholders, too.
It is important for the commissioner to consult as wide a variety of stakeholders as possible. I emphasise the need to have a conversation with suppliers and industry, which should have their own board, but it is also important to consult others, such as civil society groups. We have heard about the role of organisations such as Big Brother Watch in England and Wales; such groups very much need to be included. The public should possibly be consulted, too, as the code of practice needs to be clearly communicable and clear to the public. Consulting a suitably varied and diverse array of people might help to protect the code from any accusations of vested interests or other such criticisms.
I have one final thought. The bill talks about the need to consult. Perhaps there needs to be some real reflection as to what consultation actually means in this case. Would the commissioner draft a code and send it out to stakeholders, or are those stakeholders to be included in the process from the outset? That is maybe something to think about.
I agree with Dr Lawless. I underscored in my written submission the need to consider diversity, equalities and protected characteristics in that regard. From the independent academic and scientific research that is going on around some of these technologies, we have an awareness of issues around data justice, algorithmic bias and the disproportionate impact on particular groups, some of whom, although not all, are minority groups. For example, women are not a minority group but a fair proportion of the population.
The process would depend on the data, technology and practice involved, but I echo the need to consult widely and listen to people. One of my suggestions was to consult the Mental Welfare Commission for Scotland, because the commissioner has to have due regard to children and vulnerable people. In addition, I celebrate the fact that the Scottish Human Rights Commission is one of the named groups in the bill. However, as I originally come from Australia, I point out that, in an Australian jurisdiction, there would be quite a lot of consultation with an anti-discrimination commissioner if there was the potential for people of colour, ethnic minorities, young people or people with other protected characteristics to be impacted and for issues of equality and diversity to arise. The public would—quite rightly—be interested in those aspects, and we have seen some practices that have been experienced disproportionately by certain groups.
If you extended the remit of the commissioner and the code of practice to include other criminal justice agencies, you would need to add their inspectorates to the list of those to be consulted, as well as HM inspectorate of prisons for Scotland and the Care Inspectorate if it involved local authorities and community justice.
As well as the code of practice being robust, I recommend that a degree of flexibility is built in. Given the nature of many of the challenges, which are arising at an increasing pace, a degree of flexibility would allow the biometrics commissioner to respond in an agile way.
Dr Graham touched on the point that one of the concerns about the fast pace of development of biometrics technology is that people’s human rights might be compromised. How can the code of practice protect people’s human rights?
That is a good question. Some of the answers might depend on the extent to which the code can be enforced and what the commissioner’s powers are. Scotland prides itself on being progressive and a rights-respecting nation and so I would hope that everyone would speak about human rights, but we also need to have a pragmatic conversation about enforcement or processes of communication to expect public and private bodies to comply with the code of practice.
I am not a human rights lawyer and I know that the Scottish Human Rights Commission has some excellent and vibrant views on that. I commend the amazing and excellent report of the independent advisory group on biometric data, which had human rights running right the way through it. However, I cannot easily answer the question without talking about the power or authority to enforce.
I will come to the other witnesses in a minute, but on that specific point about enforcement, do you think that it is a concern that the bill does not give the commissioner the power to enforce the code of practice?
There are probably different views on that. If my understanding is correct, the ability to require people to provide information is good and I would support it. As you heard from Professor Wiles earlier, it sounds as though there is quite a diplomatic ramping up of communication—it reminds me of how we train probation officers—in that if an organisation does not comply, the commissioner might release the name of the police force, agency or whatever. I imagine that that would clarify decision making.
Unfortunately, on rare occasions, there might be a serious case in which enforcement would be needed. I hope that the committee and the Parliament are either satisfied with the bill as it is or amend it to provide for some of those enforcement powers. Personally, I would tend towards giving the commissioner the enforcement powers, but with the recognition that they may not be used regularly.
There is a potential question about resourcing. If we are talking about human rights, we are going back to some of the questions that were discussed earlier, such as who should be allowed to take biometrics and under what circumstances. We need to think carefully about how such practices might occur on the front line. To go back to what was said earlier, we must ask whether we need to think about potential local differences in practice or whether we need to ensure that good practice takes place across Scotland. That gets me thinking about whether the commissioner would have time to visit various parts of the policing service to compare and contrast, check and establish that the code is being followed and to ask such questions across the board. Potentially, it comes down to being a matter of having enough time.
I return to the issue of a statutory power of enforcement. The way in which the bill is drafted—without such a statutory power—sits quite well with the way in which the regulator’s role has been envisaged in this case.
I have done some research on the Forensic Science Regulator, who has a slightly different function, and there has been a lot of impetus from that office to get a statutory power of enforcement. That fits well with the FSR’s role, as it is to police the boundaries of science and ensure that everyone meets a certain basic quality standard with a stable set of scientific techniques.
What is envisaged for the new commissioner is more evolved and slightly different, involving much more flexible communication and engagement with a number of stakeholders. Perhaps that is the way to move forward, rather than having a statutory enforcement role.
I return briefly to an issue that came up earlier. Dr Lawless brought up resourcing and Jenny Gilruth quite rightly asked the earlier panel about the commissioner’s role being part-time. Professor Wiles said that, because they would have a team, it would fundamentally be okay. However, in his written evidence, Dr Lawless disagreed and expressed a concern that a part-time role might not be sufficient. Will you elaborate on that, Dr Lawless?
Afterwards, will you give us your thoughts, Dr Graham, because you talked in your evidence about the remit being extended to other agencies such as the Prison Service? Presumably, that would load responsibility on to what is currently intended to be a part-time role.
I have reflected on that and I heard what was said earlier in the meeting. Some of my concerns would be met, provided that the commissioner is sufficiently supported by a full-time team. There is an important need for a multitier system, which has been suggested in written submissions, so that there is an advisory group to assist the commissioner.
Potentially, the part-time issue could be resolved if the commissioner has sufficient support, but we should not underestimate the scale of the challenge that they might face. There is the increasing variety of technology that might be available and would need to be considered, as well as the amount of work that might need to be done, not just in anticipating new technology but thinking about how that technology might be regulated, including through the development of technical standards. Those aspects are interlinked with matters of ethics and public confidence.
On reflection, I am open to arguments either way, but members should not underestimate the potential scale of the task that the commissioner might face. I urge members to consider, regardless of whether the role is part-time or full-time, the point that the commissioner be given sufficient support.
Forgive me, Dr Graham, but before you come in, I want to ask Dr Lawless about a concern that was raised in his written evidence—it might or might not have been in his submission—about resourcing and the financial memorandum not sufficiently taking into account the support that you have mentioned. Will you elaborate on that point?
Having looked at that again in a bit more detail, I can see the other arguments with regard to some of my concerns, but one concern remains. I think that the financial memorandum said that the cost of implementing the code would be “minimal” and, if we assume that we are just dealing with the police, I can see that the costs might be minimal. My concern is whether—and, if so, to what extent—the police are reliant on third-party suppliers for biometrics. If those technologies are being brought in by commercial firms, and if we were to allow for that in the bill and the commissioner’s remit, we might need provision to assess the technologies, think about how they are being used and check technical standards with the third-party suppliers.11:30
I, too, acknowledge what has been said and emphasise the level of interdisciplinarity that will be needed in the role. I say with respect and humility that there are not an extraordinary number of people in Scotland who could do the role, and they would need an interdisciplinary team around them. Even the panellists have different qualifications—they may have similar qualifications, too—and quite different experiences. For example, I can speak only as a criminologist to one narrow part of that topic. Thought needs to be given to what might be expected of the commissioner now and in the future, the potential growth of the role and the need to work across technology, policing, criminology, criminal justice, data science, information, law and human rights. Those are the things that the panellists have to spend many of our waking hours reading up on in order to understand what is going on, so the commissioner will have to have a team around them.
I also acknowledge and echo the recommendation of the independent advisory group on the use of biometric data in Scotland to establish an ethics advisory group. That group could be established by the Cabinet Secretary for Justice or by the commissioner. That could be done in different ways. It may or may not operate for free.
I note that the research budget would not buy much research, should the commissioner want to commission any. I mean no disrespect to my colleagues’ contributions, but there is not a lot for us to go on. The bill talks about ethical and effective practices. There can be no claims about effectiveness without evidence to back that up.
The commissioner could work more with the people who bring in larger, independent research funds, or they could work with organisations such as the Ada Lovelace institute, which, along with the Nuffield Trust, is doing amazing research. In recent weeks, it published research on recent public attitudes towards facial recognition technology.
The commissioner could choose to work in both those ways. However, I suggest that the resourcing needs to be reasonable for the remit that you end up agreeing to, if you pass the bill.
Dr Graham mentioned interdisciplinarity. I echo that that should really be brought to the fore in relation to the commissioner’s capabilities and the mixture of the support staff that are available. The challenges that a commissioner faces will entail an interdisciplinary approach, a high degree of reflexivity and an ability to work over disciplinary boundaries and understand the needs and objectives of other actors. That should also be reflected in the ethics group.
Dr Graham mentioned that there might not be such a large pool of people with the necessary experience to pull everything together. Should the person be based in Scotland? Should they have an in-depth knowledge of the Scottish system and the devolved nature of the issues?
That is a good question. I suggest that the Scottish biometrics commissioner should have a well-developed knowledge of the Scottish context. Despite there being a national policing hierarchy, localism is a feature of Scottish justice, public protection and community safety. At times, that is something that this Parliament might celebrate; at other times, it may throw up some complexities.
Whoever has the role must have good awareness, because they need to hold the confidence of the Parliament and the public. They must have a very strong awareness and sense of Scottish contextual features. I do not have a view on where they should live or where they should be from. As a dual citizen and someone with an accent, I do not mind.
I agree that this is very much an interdisciplinary role. The pool of candidates is potentially limited. However, I am confident that there are people who could fit the interdisciplinary remit. In my experience of talking about forensic and biometric issues with various stakeholders, I get the sense that many recognise that, if someone has a scientific background, for example, they must also be conversant in law, matters of ethics and social impact; likewise, they recognise what other knowledge someone with a legal or social scientific background would need. A lot of us recognise that there is a need to be conversant in those areas.
I am quietly confident that there are people who would fit the remit. Even in the short time that we have had the roles of the Commissioner for the Retention and Use of Biometric Material in England and Wales and the Forensic Science Regulator, the people doing those roles have had quite varied professional backgrounds. If some flexibility is given in relation to people’s backgrounds, it would be possible to find candidates for the role.
That is an encouraging note to end on. Thank you very much for attending. We shall have a five-minute comfort break, to allow the witnesses to leave.11:35 Meeting suspended.
11:40 On resuming—
European Union (Withdrawal) Act 2018
European Union (Withdrawal) Act 2018
Civil Jurisdiction and Judgments (Civil and Family) (Amendment) (EU Exit) Regulations 2019
Agenda item 2 is consideration of a statutory instrument relating to the UK’s decision to leave the European Union. I refer members to paper 3, which is a note from the clerk.
As members have no comments, are they content with the Scottish Government’s view that Parliament should consent to the relevant changes being made by the UK Government?
Members indicated agreement.
Police (Retention and Disposal of Motor Vehicles) (Scotland) Amendment Regulations 2019 (SSI 2019/231)
Agenda item 3 is consideration of two negative instruments. The Delegated Powers and Law Reform Committee has considered both instruments and had no comments. I refer members to paper 4, which is a note from the clerk.
As members have no comments, does the committee agree that it does not want to make any recommendations in relation to the Scottish statutory instruments?
Members indicated agreement.
Thank you. That concludes the public part of today’s meeting. Our next meeting is on Tuesday 1 October, when we will continue taking evidence on the Scottish Biometrics Commissioner Bill. We will also take evidence from Police Scotland on the policing and criminal justice implications of withdrawal from the European Union.11:42 Meeting continued in private until 12:04.