Justice Committee

Meeting date: Tuesday, October 29, 2019

Official Report 618KB pdf

---

Scottish Biometrics Commissioner Bill: Stage 1

Agenda item 2 is an evidence session on the Scottish Biometrics Commissioner Bill. I refer members to paper 1, which is a note by the clerks, and paper 2, which is a private paper.

I welcome to the meeting our witnesses, who are Detective Chief Superintendent Sean Scott, Police Scotland, and Tom Nelson, director of forensic services at the Scottish Police Authority. I thank the witnesses for their written submissions, which, as ever, are extremely helpful to the committee in advance of taking formal evidence.

We move to questions. Will you explain the process for collecting, storing, using and retaining biometric data? We know that the process is complex, but it would be good if you would explain how it works in practice.

I am grateful for the opportunity to provide oral evidence this morning. In the criminal justice process, the acquisition, retention, use and disposal of biometric data starts with people being brought into custody as suspects or arrestees. We have the power to take DNA, fingerprints and photographs as part of the custody process. The biometric samples are processed and, thereafter, the criminal justice outcome of the inquiry—that is, whether or not a person is convicted—dictates the retention or weeding out of the samples.

The DNA and fingerprints go through a data process in which they are loaded on to databases, whether that is the Scottish DNA database, the national DNA database or the IDENT1 Home Office fingerprint live scan system. That is more Tom Nelson’s area.

In crime scene investigations, we have ways and means of picking up samples. The samples are processed through the same kind of system, whereby they are profiled, loaded on to databases and recorded appropriately. Thereafter, we go through weeding protocols.

In terms of the who, is custody evidence collected by the police initially?

Sorry—could you say that again, please?

Who initially collects samples when someone is in custody? Is it the police?

Yes. The officers or the custody staff in custody areas carry out the collection process.

Do you want to add anything, Mr Nelson?

Yes. We have a Scottish DNA database, which is based in Dundee, and load samples on to the national DNA database, which is obviously a United Kingdom database.

Fingerprints are slightly different from DNA, in that we do not have our own database and we load our samples on to the national IDENT1 fingerprint database. That historical issue goes back many years and DNA is a fairly new science. When it came into the forensic service environment, we brought in the Scottish DNA database. Other than that, the process is very similar.

Is that an area in which there might be an overlap?

We initially search on the Scottish DNA database and, if we get a hit, there is obviously no need to load the sample on to the national database.

Are there any other areas in which there might be an overlap in the process?

Not that I am aware of.

Not that I can think of.

You have talked about the process of collecting data in its various forms. I want to know about the control of the data at each stage. Who takes ownership of it? How is it shared with the Crown Office and Procurator Fiscal Service, the courts, defence solicitors and so on?

The sample is a physical thing; the data is not. The data is processed and then, as Tom Nelson said, it is recorded on the fingerprint database or on the DNA database. We retain the physical samples, but the data is kept on a database and thereafter alluded to in police reports to the Crown Office. The Crown Office receives the information but does not have control of the databases. We report what we have, and any analysis of the fingerprints or DNA is part of that report. We get the results of the fingerprint or DNA analysis from Tom Nelson’s staff and that is reported to the Crown Office. In other words, the data is retained in the database, and any physical samples are retained by us, or by the SPA in the lab.

If I understand you correctly, you share the data, but it remains your responsibility.

Effectively, yes. Do you agree, Tom?

Yes, that is correct.

It would be helpful to tease that out a bit more. Will you explain the governance of the process involved in collecting and using the biometric data? In effect, who has oversight of those processes in Police Scotland and the SPA, and who in those two organisations retains overall responsibility for the data collected?

The chief constable and I are effectively joint data controllers—we are responsible for the data. As I said, the data is stored on the national DNA database and the Scottish DNA database, and fingerprints are stored on the national IDENT1 database. It is through our working relationship with Police Scotland and the national system support unit that those samples are managed.

What about governance, which may be a little different?

Overall, governance sits with the Scottish Police Authority, which oversees the whole process.

The SPA’s written evidence says that

“There is evidence of strong existing governance and practice within ... Police Scotland and the SPA with regard to the use of biometrics data.”

Will you elaborate on that and, most important, explain how the establishment of a commissioner would further strengthen that area? What would the main difference be?

Scotland’s practices were alluded to in the S and Marper v UK case, where the evidence was that our processes, retention and timelines were exemplary. Her Majesty’s Inspectorate of Constabulary in Scotland inspection report in 2016 also picked up that governance was strong in Police Scotland and the SPA. However, we have always considered that we needed a biometrics commissioner. We in forensic services have wanted that for a number of years, and we are really pleased that a bill to create a commissioner has been introduced.

One way in which a commissioner would add significant value is around public awareness. It is crucial that we keep the public aware of what we are doing with data. New technologies relating to DNA are coming on board, for example. In a couple of years’ time, we could be getting more characteristics from samples, such as hair and eye colour. We believe that that needs public debate, to make sure not just that what we are doing is what the public wants, but that the public understands why we want to take the data in a particular direction. We believe that a commissioner could begin to lead the public debate on where the science is going.

You are saying that, in your opinion, the current governance and practice are sound, but that we need to consider the future and public support for areas that are unknown and where technology is developing.

Very much so. To me, it is all about keeping the public informed and engaged. That is crucial, because the last thing that we want is for the public to lose confidence in our databases. At the end of the day, we are public servants, and we want the public to be involved in the discussion. That could be one of the key roles that the biometrics commissioner has.

We also believe that codes of practice are crucial. When Detective Chief Superintendent Scott and I were members of the independent advisory group, we developed a draft code of practice, which went out for public consultation. There was very strong support for the code, because it goes into the detail of how we would deal with new sciences and technology. We live in a world in which technology changes all the time, and my view is that technology should be validated and that a full and proper process put in place around it before it is used. Through the code of practice and working with the biometrics commissioner, that approach would bring some benefit to Scotland.

On Tom Nelson’s point about public awareness, ahead of any decision about the bill, we are working in Police Scotland on giving notice to people who come into custody. You could argue that biometrics and what happens with them more directly affect those who come into custody than is the case for any other member of the public. We have composed and are about to introduce a notice for people about why we take biometric information, what powers we have, what happens to the information and what their rights are. It is a fairly simple but direct information sheet. Traditionally, we take the biometric information, but often people do not ask what we are doing with it, so they do not know what happens to it, why we are doing it and what their rights are. We are therefore about to introduce a notice—which is a bit like the notice on solicitor access rights—that clearly sets out people’s rights in relation to biometrics.

Will the notice be routinely given out?

Yes. Every person in custody who has biometrics taken from them will be provided with the information so that they know exactly what we are doing, why we are doing it and what their rights are.

As we understand it, uploading DNA and fingerprint data is done voluntarily. Will you explain the background to that and comment on why no legislation underpins that process? Is that an effective way of collecting the data?

In Scotland, we upload the data on to the UK databases on a voluntary basis. It is about interjurisdictional co-operation. There are many unsolved crimes and unsolved profiles on the system. Clearly, we want to solve crimes, so if we have a sample of data, such as DNA or a fingerprint, we will upload it. UK-wide, we want to use every opportunity to protect the public by identifying offenders. Therefore, the voluntary uploading of data on to the national databases is for the wider public good. We do not have to do that, but it seems like the right thing to do.

Yes, I think that that is right.

Just to be clear, it is not voluntary for the suspect to give a sample, but whether you upload the data to the national database is voluntary.

Yes, absolutely.

Do you think that that is the most effective way of doing it? Is it just part of your process?

Yes, it is part of the process. As Tom Nelson said, if we got a hit for DNA on the Scottish DNA database, the DNA would not be loaded on to the national one. However, if we do not get a hit, the DNA would go on to the national database in order to give us the best opportunity of identifying an offender.

It is not only about identifying offenders, but about potentially exculpating people, and I think that that aspect sometimes gets lost. Forensics and biometrics are as much about making sure that we get the right person. That is why we do it.

One of the big advantages is the value that the databases bring not only for cases that are live and on-going, but for cold cases. In the past couple of months, we had a case in which a 21-year-old murder was solved because someone was arrested, their DNA and fingerprints were taken and there was a hit in the DNA database. We were able to solve a 21-year-old crime because of the database. There is significant value in having samples on those databases.

10:15  

At the moment, the data is shared across the border, but it is also shared across Europe. Is that something that will no longer happen following Brexit?

Yes. At the moment, a process is in place where data can be shared, but member states do not have access to our databases. It is done through a police process. However, a concern for the SPA and Police Scotland is that if, as a result of leaving the European Union, we lose that ability, it would reduce the impact that those databases could have.

As you understand it, you will not be able to share that data if we leave the EU.

It depends on the withdrawal agreement. In recent times, we have successfully passed information or data 23 times to Europe through the Prüm decisions. That process is successful because it is rapid. The original Prüm decision related to DNA, fingerprints and vehicle registration, but at the moment it covers only DNA. If we withdraw without a deal, we will lose that ability. If we are part of a deal, we should retain some of that. Whether we have a deal or no deal is, like everything these days, a bit up in the air.

Okay, thank you.

What photographic images are uploaded to a national database? Although body-worn video cameras are not currently in use, when they come into use, would those images be uploaded? If so, which ones?

The legacy arrangements for custody images were a bit disparate. However, we now have a national custody system, and anyone who comes into custody has their image automatically uploaded on to the criminal history system and there will be no retention of any images on databases in Police Scotland. Independently from the criminal justice outcome, if there is no conviction, the images are automatically weeded. If there is a conviction or a process thereafter, there are retention arrangements and timescales. The new system is far more robust in respect of retention.

Video from body-worn cameras will not be uploaded to the criminal history system or any national system in place at the moment. Body-worn cameras are about recording activity by police officers on the front line. If that footage becomes evidence, it will enter the evidence chain. If it is a case of trying to identify people from those images, we have the capability either to send physical briefings around officers to ask whether they recognise those people, or we can go through retrospective facial recognition through the police national database.

You mentioned legacy and custody images. Are those straightforward, front-on photographs?

Yes.

What about the body-worn cameras? What kind of images do they produce?

Body-worn cameras would be used to video activity on the streets. That footage would record the interaction between police officers and a member of the public and so on. If it is required that that is reviewed as potential evidence of a crime or of certain conduct having taken place, it is treated as evidence, a bit like how closed-circuit television is treated. That is separate to custody images.

There would appear to be broad agreement that the proposal for the creation of the commissioner is timely—presumably, you feel that the Scottish Government has got the timing right. You have talked a bit about the public awareness role and the fact that the relationship with the public is important, but what kind of relationship do you envisage having with the commissioner?

From a forensic services perspective, we hope to have a strong relationship with the commissioner. We feel that the commissioner is there to help us to determine the best way forward in relation to, for instance, databases in Scotland. As I mentioned earlier, there is new technology coming along, and we want to ensure that public debate happens around that. The commissioner will have a significant role in that regard.

Obviously, we would like to be involved in the development of the code of practice. On the draft code that has been developed, I was impressed by the range of people who were represented on the independent advisory group—there were people who are involved in human rights, the Information Commissioner’s Office, universities and the Crown Office and Procurator Fiscal Service, as well as Sean Scott and me from Police Scotland and forensic services. A good breadth of knowledge was represented, which is why the report of the independent advisory group and the draft code of practice were so well received. We hope that the commissioner will work through the report and the code, because they contain a lot of good stuff.

Police Scotland welcomes the creation of the commissioner. As you know, our approach involves policing by consent, which is based on public confidence. We are very much bound by legislation, regulations and operating procedures, and we are used to working in that way. However, our ability to develop technologies and adapt to advances in investigation techniques requires a degree of independent rigour, and we would want to have a close working relationship with an individual who can provide that, as we do with HMICS; we would welcome input from the ethics panel, too. That will give us a platform from which we can move on with the advances in technology that the public would expect us to explore in order to keep them even safer. Criminal enterprise is getting even more ingenious—ingenuity is everywhere, and we want to keep pace with that in order to keep people safe.

I expect us to have a close relationship with the commissioner.

Given that we have just been talking about the code of practice, it might be worth asking a question that I was going to ask later. Should the code of practice be established in legislation, as the independent advisory group advised?

We agree with the code being established in legislation. However, we feel that the detail of the code should sit outside that, in order to give us flexibility, because things are changing quickly. We want to ensure that the legislation and the code of practice enable us to be fleet of foot so that we can quickly move with the times. Our recommendation is that the code be established in legislation, but that the details of the code should be worked out separately and should come back to the Parliament and be consulted on before final sign-off.

So, the code should have a statutory footing, but the detail could change over time.

It could change over time, so you would want it to be kept as live as possible. However, it is important that it remains subject to public and parliamentary scrutiny, and parliamentarians need to be aware of the code.

It is right that the bill places a requirement on the commissioner to establish a code of practice. However, there is a need to consult on the details with the organisations that are named in the bill and with other organisations, and there must be flexibility to do that. Once the commissioner is in place, they can work with those organisations, including us, to create the code of practice, which can be agreed by Parliament. At that point, we can move on.

I agree with what Tom Nelson said about the necessity for flexibility. You do not want to have to alter primary legislation all the time, so it is better to have a flexible instrument that sits below that. In the near future, there is the potential for us to be able to engage in gait analysis, vein-pattern analysis and the analysis of a host of other biometrics, so we need something that is flexible and agile.

It has been suggested that the commissioner’s responsibility should extend further than Police Scotland and the SPA. For example, it has been said that it should include those who share images with Police Scotland, such as the British Transport Police, councils, the National Crime Agency and private entities. Is that reasonable?

We need to start somewhere. The bill and the code of practice should be flexible enough to bring others into the mechanism. The British Transport Police currently uses our facilities. If it has a suspect or an arrestee whom it plans to put to court, it will use Police Scotland facilities for fingerprints and DNA biometrics, which are loaded on from there. There is already co-operation in that sense.

I do not think that having Police Scotland and the SPA is the prescriptive end of it, but I do not have a strong view either way on whether there should be an extension now.

Obviously, we try to cover the majority of the casework that we get in Scotland. We and Police Scotland would do that. We recognise that there might be occasions when the British Transport Police would take samples but, as Sean Scott said, that would mostly be in police custody suites and would therefore come under our DNA and fingerprint regime. There might be occasions when that is not the case, so it would be useful to have the British Transport Police involved, as well. The independent advisory group certainly recommended that it and maybe others could adopt the codes for how they practise. That could widen the value that the codes bring to the public in Scotland.

Would that include the National Crime Agency, for instance?

Yes, it could, but I will let Sean Scott speak about that.

If we went down south to pick up an arrestee in England, we would bring them back up under cross-border powers, take their biometrics in Scotland and load them. Tom Nelson has described that. Conversely, if English or Welsh officers came to Scotland, they would have the same ability to do that.

The NCA sometimes employs us to help it. We deal with the custodies and the biometrics in Scotland, or the person goes back down south under the cross-border powers. Jurisdictionally, the agreement is sound.

CCTV has been referred to. Local authorities and, indeed, private enterprises rely on it. Would there be a frailty in the system if they were not subject to the same level of control that you, who ultimately receive the information, are? Would there not be the potential for some reputational damage at the very least for Police Scotland and the SPA?

Do you mean reputational damage for Police Scotland if local authorities were not subject to that control?

Yes—or anyone from whom you receive information from which to process data images, for instance.

On evidence capture, we can, in effect, get CCTV images from anywhere. If somebody in a private house or a local authority has recorded something and there is the potential for evidence, we will acquire that and process it according to the law. Maybe I am not quite picking up where you think that that might—

Do you see no challenges to the SPA or Police Scotland from the source of that information? You know about the concerns that there have been about open space that the public presume is public but is private, for instance. There have often been concerns about the jurisdiction of that.

Are you talking about simple recording by CCTV cameras or facial recognition by local authorities?

I presume that you sometimes use your facial recognition techniques on CCTV footage.

If there is a suspect whom we cannot identify from a CCTV image, there is the facility to upload that image on to the police national database for retrospective facial recognition to see whether we can get intelligence. When we have done that, there might be five, six or seven suggestions with a varying degree of probability. That has to be worked around. It is just intelligence; it is not a facility to go and arrest someone. Other evidence corroboration has to be thought about. Some suggestions might be way left field. As I said, it is just intelligence, so it does not necessarily impinge on anyone’s immediate rights, because we need to work around it to create corroborative evidence, if there is any. If there is not any, we destroy that.

Okay. Thank you.

My line of questioning follows on from John Finnie’s questions. The bill as it stands suggests that the commissioner’s role should be part time. That has been the subject of debate by previous panels. Do you agree that the position should be part time?

10:30  

I think that they will be busy, so they might need to be full time. I do not have a strong view on the matter, because it depends on the decision about what the bill says the person should do and how many support staff would be at their disposal. It will be an extremely busy role; it is a burgeoning area of business and there is so much to do.

It has probably been touched on previously that the issues are more about private databases and what happens outwith the police and the SPA. We are very heavily regulated and legislated for and are pretty good at what we do, but so much is sitting out there in private databases in private companies and other areas—that is the area that is unregulated and ungoverned. Extending the code of practice into other areas will be a huge task, so full time might be the best option. Tom Nelson might have a view on that.

England and Wales has a biometrics commissioner, Paul Wiles, who covers the 43 forces and all the forensic practitioners down south, so 0.6 of a full-time equivalent is probably reasonable. However, a lot depends on the number of staff that the person would have to support them. In the early days, there might be a requirement to be full time to get the ball rolling—to get things in place and begin public engagement and debate—but 0.6 FTE may be a reasonable amount of time, given the size of Scotland compared with England and Wales.

I will follow on from the point about the position being part time. Do you think that the commissioner’s general function carries enough weight, given that it is to

“support and promote the adoption of lawful, effective and ethical practices in relation to the acquisition, retention, use and destruction of biometric data”?

Are you asking whether we think—

Does that general function carry enough weight? When you answer, perhaps you could tell us a little more about retention—how long data is retained and for which crimes—and provide assurance about the immediate destruction of data that is no longer required.

I am sorry, but can you give us the first question again?

Yes—there was a lot in my question. Does the general function carry enough weight? There is a lot in it about lawful, effective retention and destruction.

With regard to the general process, that is correct. There was discussion previously about whether there should be enforcement or penalties. In the policing world, naming and shaming is probably the worst thing that can be done, so there is a lot of strength in that approach. Paul Wiles mentioned in his evidence that, when he does that, police forces and others respond.

There is a lot of regulation around all that we do; forensic services are accredited by the United Kingdom Accreditation Service, or UKAS, to a 17025 standard, so our business is covered by that assessment organisation, which comes into our organisation and spends between 60 and 70 days a year going through all our processes and practices. In effect, it gives me the licence to operate; if it does not sign off our work, we cannot load samples on to the national DNA database, for example. A lot of assessment and review of our practices and processes is done externally by UKAS and other bodies such as HMICS.

Is that review reactive rather than proactive? If the commissioner’s general function had more weight—if it had more enforcement powers—might it be more proactive?

If the commissioner came up with recommendations that we should do something, I think that we would adopt them.

Your point is well made, convener. The commissioner is to

“promote, and monitor the impact of, the code of practice”,

and we need to consider the general principles for how the police and the SPA will act. We know that the new technologies are coming in, and I think that it is implicit that we will work closely with the commissioner and the ethics panel and be proactive about what is coming up and what is now, potentially, a valuable tool in keeping the public safe. I do not know whether the word “proactive” should be included. Greater minds than mine might think that it should be, but I think that it is implicit. It is a bit like what we do with HMICS—we work with it to consider where we can improve areas of business, and I think that the same will apply in this case.

On the retention of biometric data, one of the IAG’s nine recommendations was about the retention periods and a presumption of deletion, and that is absolutely right. The choreography of the IAG’s recommendations, which the Government accepted as legitimate, is that we start with a commissioner and a code of practice and we then start to work on and develop the other recommendations. As I said, we are proactively doing some work on some of the recommendations within Police Scotland—we are not waiting for any legislation—because that is the right thing to do. It concerns people’s awareness of their rights and proportionality.

On whether we should take biometric data from children aged 12 to 17, we are implementing a process whereby we consider the matter case by case. The fact that we can take it does not mean that it is the right thing to do, as there is a question of proportionality.

Others might think that the bill needs to be more explicit but, based on what is in it, I think that the commissioner will be proactive in their role.

What is the retention policy? I know that there is three-year retention for certain offences and there is immediate deletion for others.

Yes. It is a mixed bag. If you like, I can provide the committee with a written chart of all the retention times depending on whether the data is fingerprints, photographs or DNA, because we have that.

Is there three-year retention for certain offences such as sexual and violent offences?

Yes, and the chief constable can apply for an extension of two years if it is required. That is already in legislation. However, there are other retention periods based on other levels of criminality.

Does it end at five years or can the extension be repeated time and time again?

There is no limit to how many two-year extensions can be applied for, but that has not happened. We have not had to do that, but the power exists if there is an exceptional circumstance in which we want to do that.

In the interest of reassuring the public, will you confirm that, if data is collected from an individual who has not previously committed an offence but is arrested, and they are not convicted, it is destroyed immediately afterwards?

That is correct.

Mr Nelson, in an answer to Shona Robison, you discussed the code of practice, and you said that you have done some work on a draft code of practice. That is helpful. Will you outline the main factors that you believe the code of practice should encompass in order to ensure that it is robust?

Sure. It is quite a lengthy document—it is about 20 pages long—but I will outline the content. It defines biometric data, it goes through the purpose of the code of practice and it looks at the human rights aspect of retention and how we should review that. It goes through some general principles, one of which is on the introduction of new technology, and it considers the process that we should follow in introducing new technology or new evidence types into, for example, forensic services.

In England and Wales, there is a Forensic Science Regulator, who is currently Dr Gill Tully. I sit on her Forensic Science Advisory Council. The advisory council and Dr Tully have generated some guidelines on how new technologies can be validated to show that they are fit for purpose and that instruments that are used give the expected results. A process is built around that, and it is also included in the code of practice, as are the ways in which people can get information on how data is used and how successful it has been.

The code of practice covers all that. The document, which went out for consultation about 12 months ago, was positively received. There were some recommendations from that process, but the code of practice is in draft form.

That is helpful. In particular, the comments on new technology are helpful because it is important that the code of practice is able to deal with changes in technology as it evolves. Does the code of practice need separate sections for different technologies?

Most technologies will probably follow the same principles. Providing that we get the validation principles correct, they could be applied to any technology. For example, we have just brought in the equipment for the drink driving legislation. We had to spend almost a year preparing for that, by ensuring that the instrumentation was giving the desired result. The people who supply the equipment tell us that it will give us the results, but we have to put the equipment into its working environment to make sure that the desired result is produced every time. That is part of the validation process. That then goes through for accreditation. We ask UKAS to go through all the work that we have done and to give us the validation stamp to show that it has been accredited.

As the bill stands, Police Scotland and the SPA will only be required to “have regard to” the code of practice and failure to do so will not in itself give rise to grounds for legal action. Do you have a view on that approach? During this evidence session, much has been said about public confidence. Is there a contradiction in Police Scotland and the SPA just being required to “have regard to” the code of practice and there being no legal sanction for failure to do that?

It is a bit like how we work with HMICS. We work with it and we generally work to implement its recommendations. If there is an area in which we have an opposing view, we have discussions and come up with a resolution. In working with a commissioner, I do not think that we would ever get to a point at which we would refuse to comply. If we had issues with a recommendation or a direction of travel, we would have dialogue with the commissioner far in advance of getting to that stage, and I would like to think that we would be able to work it through. Tom Nelson probably feels the same.

As director of forensic services, I think that, if the commissioner came up with a proposal that we should follow, it would be hard for me not to follow it. My board would certainly hold me to account for why we did not follow it.

So you do not see the provision as a frailty. You used the term “opposing view”, Mr Scott.

By the point at which recommendations are made, we will have worked closely with the commissioner and the ethics panel, and we will then implement them. It is highly unlikely that we would ever get to an impasse.

To clarify, would either of you have any concern if the bill was amended to ensure that there was a requirement to comply rather than just a requirement to “have regard to” the code?

If that was the feeling of Parliament, that would be the way to go. From my perspective, I know that I could not stand before my board and say why I had not followed a recommendation from the commissioner.

I would be more comfortable running that terminology past our legal services, so I will reserve judgment on that.

Okay. Thank you.

Good morning, panel. You have both talked about the fact that biometric technologies are evolving at a rate of knots—I think that we all accept that—and the associated issues. Is the bill a reasonable attempt to keep up with developments in the area? Will the code of practice be enough for us to adapt to new issues and technologies as they arise?

10:45  

Tom Nelson mentioned the general principles that are included in the draft code of practice, but it also mentions how the general principles are to be implemented, so there is a clear direction on that, and there are directions to help us with how we process data. I think that the principles and the directions on how they are to be implemented and what we must consider when collecting, processing and retaining data are sufficiently broad to cover any eventuality in how biometric data might be used in the future and advances in technology.

I am comfortable with the draft code as a starter for 10, but the commissioner and others will refine the work to get to the final product. The code will definitely help.

The independent advisory group did a lot of work in drafting the code. A lot of people were involved, including those with a human rights perspective, practitioners, academics and the Crown Office, and a lot of thought went into developing it. I think that it is very much fit for purpose. It addresses some of the new technologies that are coming in. In England and Wales, Mr Wiles was concerned that he does not have that control over new technologies. The bill certainly gives us that control.

The draft code is definitely fit for purpose, but that does not mean that it will not evolve. When the commissioner is in post, he or she could carry out another phase of consultation before taking the code to Parliament to get it signed off. Thereafter, there should be a process for regularly reviewing the code.

You are satisfied that the draft code is flexible enough and that, as far as you can envisage at this stage, no further legislation will be required.

That is correct.

The fact is that the validation and the reliability of new techniques are explicitly included in the draft code. Tom Nelson mentioned validation. Technologies being fit for purpose is key, and that aspect is covered in the draft code. Whatever the technologies might be in the future, we have to bear in mind the need for them to be validated and reliable.

You have both made the case that it should be the SPA’s forensic services department that is subject to the code of practice rather than the SPA itself, and you have asked for the bill to be amended in that respect. Will you elaborate a wee bit on the thinking behind that request?

The document, which I have read, mentions the Scottish Police Authority. The SPA is the legal entity, but I think that it could be more prescriptive, because the SPA could mean many things to different people, including the public. The work and the delivery of the service is done within the SPA forensic services department, and it might be worth while to draw attention to that. It is drawn out for the constables and the police staff who work for Police Scotland. That is the only reason why I mentioned the issue.

Okay. The Scottish commissioner will work with only one police force whereas the situation in England and Wales is that the commissioner deals with multiple forces. Do you see any benefits or, alternatively, any disadvantages to that approach?

I think that working with one police force will be an advantage. Instead of things being done differently 43 times, there is potential to have one way of operating, and there will be just one group of people to engage with. That will probably make the role of the commissioner easier.

I agree.

I want to return briefly to the question of who should be subject to the code of practice. When I asked who currently takes on the governance of the process of collecting and using biometric data and who, of Police Scotland and the SPA, has oversight of such processes, Tom Nelson said that overall governance sits with the SPA. That being the case, surely it is reasonable for the SPA, as an entity, to be subject to the code of practice.

Yes, it is, totally. I was not asking for the SPA to be taken out; I was asking for forensic services to be added.

Right. The SPA, as a legal entity, will be subject to the code, but forensic services should be added. That is helpful—thank you.

The issue is that the bill is explicit about constables and police staff but not quite as explicit in relation to the Scottish Police Authority. That is why we made the same point in our submission.

A lot of ethical issues are coming through. The bill as it stands does not provide for an ethics advisory group, but we know that the cabinet secretary intends to establish such a group. Do you have a view on the merits of establishing an ethics advisory group? If you are broadly in favour of the approach, do you have thoughts on who might be on the group and how it might help the commissioner?

We are very supportive of the approach. Everything that we do in Police Scotland, in the context of new processes and how we want to do our business, is underpinned by human rights and the appropriate equality impact assessments. That is especially the case for an issue that is as sensitive as the one that we are considering. Traditionally, when the police have been looking to implement new ways of working, opportunities could probably have been enhanced and processes could have been better if there had been wider engagement on ethics, because it is about not just the police but the public—although I am not saying that things have been done in isolation.

We welcome the potential opportunity to explore areas with an ethics panel, and I think that we would be neglectful if we did not have wider consultation and input. As Tom Nelson said, the IAG’s construction was very much about that, with explicit human rights representation and input from the Information Commissioner’s Office and academics. The process worked really well, and the recommendations that came out of it are balanced and show the benefit of wider engagement, which we whole-heartedly embrace. Such engagement is necessary.

I sit on quite a few bodies down south, in England and Wales, such as the Forensic Science Advisory Council; I also sit on the Home Office biometrics strategy board, and as part of that there is also the forensic information databases strategy board. The ethics group of England and Wales reports to that group. Certainly in England and Wales there is a strong need for us all to have an ethics group, and by setting up such a group in Scotland we would be replicating what is in place in England and Wales, which brings value. Particularly in the context of DNA and some of the advances that are potentially coming down the line, it is essential that ethics are discussed, and I would have thought that the commissioner will want to bring in such an approach very soon.

The bill as drafted does not provide an opportunity for members of the public to raise concerns about the commissioner. For example, I do not think that it provides for a complaints process that individual members of the public can use. Should the bill be amended to provide for such a process, or is that unnecessary?

The public have the right to complain to the Parliament about anything they like, on any subject, and a complaint would be addressed. I am not sure that the lack of a specific public complaints mechanism means that there is no effective way of dealing with a complaint. If a complaint came in, it would be dealt with. I am not sure that the bill needs to be explicit in that regard.

Much depends on what a complaint is about. The ICO has a role to play in relation to complaints about information, so that is a potential route for people who want to complain. However, I would have thought that the commissioner would want to hear the public and understand where their concerns were coming from. That ability to engage with and speak to the public, which was the number 1 recommendation of the IAG, would certainly allow the commissioner to provide assurance to the public, and it would ensure that the public and the commissioner could identify any challenges.

The issue is one of public confidence, not just awareness. I think that we all agree that, if there is a clear way for people to be able to complain, and that is advertised, public confidence will be increased.

I want to continue to discuss the issue of public awareness and confidence. There is a suggestion that there is a role for the commissioner in that regard, and you might have some views on how the commissioner would promote public awareness and understanding.

You have both talked about public awareness, and Mr Nelson talked about critical public awareness. You will be aware that there is suspicion about police activity and that an inherent part of any liberal democracy is that people will question the powers that the police have. With regard to the intention behind the bill and the potential for any unintended consequences, collateral intrusion or whatever, will you tell us how Police Scotland and the SPA currently engage with the public to provide assurance? Have lessons been learned about the dearth of that with regard to cyberkiosks, which the public view in a similar vein to this issue?

If I pick up correctly what you mean, I would say that cyberkiosks are a separate subject to the one that we are discussing today. What is going on with cyberkiosks has been well rehearsed, and I do not have any involvement in that area of business. However, in terms of—

Sorry to interrupt, but I was asking about public confidence and engagement on the part of the police. I was wondering whether lessons have been learned from failures in that regard in the case of cyberkiosks.

Sorry—I understand you now. Of course, there are lessons to be learned anywhere. As I said, I do not have an explicit involvement in cyberkiosks, but we always try to take on board any lessons that we can learn in terms of public engagement with regard to our local and corporate communication. I do not know exactly what those lessons are with regard to cyberkiosks because I have not been involved in that area, but I am aware that there have been issues with implementation in that regard.

On the wider public engagement around biometrics, we are starting off with a focus on anyone who has their biometrics taken from them, so there will be an awareness about what happens to that information, as I explained earlier. Clearly, any work that we do around biometrics in conjunction with the commissioner would be part of a wider communication strategy for the general public, and we would look to ensure that we were explicit about our intentions and how we intended to work. If there are areas in relation to which the public needs more information, we will provide that.

From a forensic services perspective, I would say that we do not do enough communication. We could do an awful lot more. On our website, we have information in relation to DNA samples and hits, and we explain what DNA is. Quite a lot of work has gone into developing that. However, that approach needs to go wider. We hope to work with the commissioner to see how we can do more to increase that awareness on the part of the public, because it is crucial. If we lose public confidence, we lose everything.

I am sure that all the members of the committee want the police to be given all the tools that they need to protect the community. However, when we are dealing with legislation, it is important that it is robust and thoroughly scrutinised. Concerns have been raised about the use of some biometric technologies. With regard to live facial recognition technology, there are specific concerns about privacy and human rights issues, the accuracy of the technology and the potential for bias. How valid are those concerns?

They are valid, and I think that they have been borne out. We are acutely aware that any progress in relation to live facial recognition technology needs to be appropriately considered. We are about to provide you with a fairly detailed response on the issue because there has been a separate request to Police Scotland for written evidence on that technology. That response is in the pipeline and it will be with you shortly.

At the moment, we have not been involved in any kind of live testing of or involvement in live facial recognition technology. However, through the media and other police forces, we understand that there are issues with the technology, such as the algorithms that it uses, and we need to get that absolutely right before we do anything with it in Police Scotland. We will go through the necessary governance in relation to ethical considerations and so on before we make any moves in that direction.

You alluded to the fact that the public expect us to use the best type of technology to keep them safe. Clearly, live facial recognition technology is an area that we want to explore, but it will be done in a way that involves the appropriate measures and regulations.

We are looking at what has happened down south and we are learning lessons from that. As Sean Scott said, we need to understand and test the system before we would even consider using it in Scotland. Work has to be done around the validation of the technology and the algorithms that lie behind it. All of that can be tested by developing what is called a ground-truth database, which is in effect a database of known results against which a system can be tested. That is one way in which we can begin to understand how confident we can be in the system and what the limitations of the system are.

That concludes our questioning. I thank both witnesses for attending. If any further questions come up in our scrutiny of the bill, we will write to you, and I hope that you will give us further answers. In the meantime, I thank you for a worthwhile session.

I will suspend the meeting briefly to allow for a change of witnesses and a five-minute comfort break.

11:01 Meeting suspended.  

11:06 On resuming—