“Biometric data” is a relatively broad and evolving concept. It encompasses what is often referred to as “first-generation biometrics” such as fingerprints, DNA and custody photographs which have been commonly used in policing for many years. It also includes new and emerging technologies (or “second-generation biometrics”) such as facial recognition software, remote iris recognition and other behavioural biometrics such as voice pattern analysis.

The term “biometric data” has never previously been used in criminal justice legislation in Scotland. Accordingly, the Bill and its accompanying documents make clear that “biometric data” means information about an individual’s physical, biological, physiological or behavioural characteristics which is capable of being used on its own or in combination with other information (whether or not biometric data) to establish the identity of an individual.

To that end, “biometric data” may include:

• physical data comprising or derived from a print or impression of or taken from an individual’s body

• a photograph or other recording of an individual’s body

• samples of or taken from any part of an individual’s body from which information can be derived

• information derived from such samples.

The Criminal Procedure (Scotland) Act 1995 ("the 1995 Act”) is the primary Scottish legislation allowing the retention of fingerprints and other biometric samples from a person arrested by the police.

Sections 18 to 19C stipulate the conditions under which samples may be taken by the police, as well as rules for retention and specification of the purposes of use of samples. It should also be noted that Section 18G of the 1995 Act permits biometric data to be retained for reserved matters, notably under national security determinations. The existing law can be summarised as follows:

• fingerprint and DNA data from convicted persons can be retained indefinitely. This legal entitlement applies on the basis of a single criminal conviction for any type of offence, regardless of gravity

• data from children dealt with through the Children’s Hearings System may be retained only where the grounds for referral are established (whether through acceptance by the child at such a hearing or a finding in court) in relation to a prescribed sexual or violent offence. Such data can only be retained for three years unless the police apply for, and are granted, an extension by a Sheriff. For less serious offences, and where grounds are not established, there is no retention in relation to children

• data from individuals who accept an offer from the procurator fiscal may be retained for three years in relation to a prescribed sexual or violent offence, with the Chief Constable able to apply to the Sheriff Court for further two-year extensions (there is no limit on the number of two-year extensions that can be granted in respect of a particular person’s data); data may be retained for two years in relation to non-sexual or non-violent offences which are the subject of a ‘Fiscal Offer’ or fixed penalty notice from the police

• data from individuals prosecuted for certain sexual and violent offences may be retained for three years (whether or not they are convicted), with the Chief Constable able to apply to the Sheriff Court for further two-year extensions (there is no limit on the number of two-year extensions that can be granted in respect of a person’s data)

• subject to the exception above, data from individuals arrested for any offences (and who have no previous convictions) must be destroyed immediately if they are not convicted or if they are given an absolute discharge.

Whilst the data obtained under those sections will account for a significant proportion of the biometric data held and used for justice and community safety purposes, biometric data is also captured by the police in other circumstances.

For example, there are situations where victims and witnesses agree to their biometric data being held in order to support investigative activity. In addition, police officers share their biometric data in order that they can be eliminated from investigations in circumstances where, for example, their fingerprints are found at the scene of an incident following their attendance in the course of their duties. Finally, there will be occasions where Police Scotland hold and use biometric data which has been provided by another agency, for example CCTV provided by a local council or data provided by an NHS Scotland Health Board.

A significant amount of work has previously been undertaken to explore the benefits of enhanced independent oversight in relation to biometrics.

In 2007, Professor Jim Fraser was asked by the Scottish Ministers to review and report on the operation and effectiveness of the statutory regime governing fingerprint and DNA data. This work led to a number of amendments to the 1995 Act. Professor Fraser’s report also highlighted the need for the establishment of independent oversight arrangements in this area.

In January 2016, Her Majesty’s Inspectorate of Constabulary in Scotland (HMICS) published its Audit and Assurance Review of the Use of Facial Search functionality within the UK Police National Database (PND) by Police Scotland.¹Her Majesty's Inspectorate of Constabulary in Scotland. (2016, January 26). Audit and assurance review of the use of the Facial search functionality within the UK Police National Database by Police Scotland. Retrieved from <a href="https://www.hmics.scot/publications/audit-and-assurance-review-use-facial-search-functionality-within-uk-police-national" target="_blank">https://www.hmics.scot/publications/audit-and-assurance-review-use-facial-search-functionality-within-uk-police-national</a> [accessed 10 September 2019] Through that report, HMICS recommended that the Scottish Government consider the establishment of a Scottish Biometrics Commissioner to provide independent oversight of biometric databases and records held in Scotland.

In June 2017, the then Cabinet Secretary for Justice, Michael Matheson MSP, established an Independent Advisory Group (“the IAG”), chaired by Solicitor Advocate John Scott QC, to consider the taking, use and retention of biometric data in policing.

The Independent Advisory Group (IAG) published its final report ¹Independent Advisory Group on the use of biometric data in Scotland. (2018, March 22). Final Report. Retrieved from <a href="https://www.gov.scot/publications/report-independent-advisory-group-use-biometric-data-scotland/pages/4/" target="_blank">https://www.gov.scot/publications/report-independent-advisory-group-use-biometric-data-scotland/pages/4/</a> [accessed 10 September 2019] on 22 March 2018. In all, the IAG made nine recommendations all of which were accepted by the Scottish Government.

Specifically, the IAG called for:

• the establishment of a Scottish Biometrics Commissioner to provide independent oversight of the use of biometric data for justice and community safety purposes in Scotland; and

• a statutory code of practice covering biometric data and technologies.

In its report, the IAG highlighted previous issues raised by Professor Fraser and Her Majesty's Inspectorate of Constabulry in Scotland in relation to biometric governance. The following paragraphs provide a summary of some of the main issues raised.

As outlined above, in 2007, the Scottish Government asked Professor Jim Fraser to review the operation and effectiveness of the legislative regime governing police powers in relation to the acquisition, retention, use and disposal of fingerprint and DNA data. He was directed to consider additional powers insofar as they related to the retention of forensic data.

In 2008, his report was published and made eight recommendations, many of which were implemented in the Criminal Justice and Licensing (Scotland) Act 2010. Two recommendations which were not taken forward into statute were:

1. The current governance arrangements for DNA and fingerprint databases in Scotland should be reviewed as a matter of urgency. Future arrangements should take into account good practice in scientific and ethical standards, efficient and effective management and independent oversight.

2. Sufficient information regarding the governance and management of forensic databases should be in the public domain to maintain transparency, accountability and public confidence in their use.

The IAG pointed out that recommendation a) remains outstanding and that recommendation b) was addressed to some extent through implementation work following the Fraser report. For example, Scottish Government web pages were developed to provide information to the public and support transparency.

In 2016, HMICS considered the current governance arrangements in place in Scotland with regard to the use of biometric data by Police Scotland and the SPA. HMICS concluded that whilst it was clear that effective internal governance arrangements were in place between key partners, those arrangements did not deliver the necessary levels of independent oversight as called for in the Fraser Report.

Endorsing the findings in the Fraser Report, HMICS recommended the creation of a Scottish Biometrics Commissioner so that public confidence in the police use of biometrics could be maintained through an independent office reporting to the Scottish Parliament. In making this recommendation, HMICS noted the absence of biometric and forensic regulators in the Scottish context by contrast with other parts of the UK where there is a Biometrics Commissioner, a CCTV Surveillance Camera Commissioner, and a Forensic Science Regulator for England and Wales.

HMICS concluded that a Scottish Biometrics Commissioner offered the potential to build capacity and resilience in Scotland, and to explore emerging human rights and ethical considerations around the use of biometric data. This could apply not only for policing purposes, but also by other public agencies involved in the collection and use of biometric data from citizens. In particular, HMICS highlighted public space CCTV systems, Road Camera Enforcement Systems and Automatic Number Plate Recognition Systems (ANPR).

HMICS also noted the exponential growth of biometric technologies in contemporary society which escalate the value and possibilities around the use of biometric data. It was argued that, when combined with the development of an underpinning Code of Practice, the creation of a Scottish Biometrics Commissioner could both safeguard and future-proof what will undoubtedly continue to be a fast evolving landscape.

Although the question of independent oversight remains outstanding, the IAG report pointed out that in the summer of 2017, the SPA Board took steps to improve scrutiny and governance of forensic services and address some of the recommendations made by the HMICS Inspection of Forensic Services published in June 2017. The Director of Forensic Services, IAG member Tom Nelson, reports directly to the SPA Board and a Forensic Services Committee, (currently chaired by SPA Board Member, Tom Halpin ), was established. This committee meets regularly in public.

The IAG’s final report is extensive and includes detailed information on the current landscape in Scotland with regard to the most commonly used forms of biometric data for law enforcement purposes (i.e. DNA, fingerprints and photographic images taken as part of the criminal justice and custody process). The report also looked specifically at issues concerning children; human rights and data protection; retention periods; and general principles and ethical considerations.

The following paragraphs provide an overview of some of the Group’s key findings.

Facial images

As outlined above, the Criminal Procedure (Scotland) Act 1995 (‘the 1995 Act’) is the primary Scottish legislation allowing the retention of fingerprints and other biometric samples from a person arrested by the police. Sections 18 to 19C of the 1995 Act stipulate the conditions under which samples may be taken by the police, as well as rules for retention and specification of the purposes of use of samples.

Section 18 (2) states:

A Constable may take from the person, or require the person to provide him with, such relevant physical data as the Constable may, having regard to the circumstances of the suspected offence in respect of which the person has been arrested, reasonably consider it appropriate to take from him or require him to provide, and the person so required shall comply with that requirement.

The IAG report pointed out that the 1995 Act does not refer to facial images. It defines ‘relevant physical data’ as ‘a fingerprint, palm print, print or impression of an external part of the body or record of a person’s skin on an external part of the body created by a device approved by the Secretary of State’. However, the term biometric data is usually thought to include facial images.

The IAG stated that the absence of legislation in Scotland giving explicit authority to the police to take custody episode photographs is at variance with specific legislative authority in other parts of the UK. This was identified in the HMICS Audit and Assurance Review in 2016 and led to a specific recommendation for the Scottish Government to consider legislative provision in relation to the retention and use of photographic images by the police.

The IAG report states:

Whilst it has been custom and practice in Scotland for over 100 years for the police to take photographic custody images of persons who have been arrested or detained, there is no specific legislation, Scottish or UK, which gives powers to Police Scotland to take such images. There is no legislation which specifically regulates the retention periods for such images, or indeed the way in which such images may be used. This means the Scottish legislation around biometric data retention by the police centres primarily on fingerprints and DNA data and not on data from photographic images.

Scottish Government. (2018, March 1). Independent Advisory Group on the Use of Biometric Data in Scotland Final Report. Retrieved from file:///C:/Users/s800802/AppData/Local/Packages/Microsoft.MicrosoftEdge_8wekyb3d8bbwe/TempState/Downloads/00533063.pdf [accessed 8 September 2019]

In relation to the power to take photographs, there is a power for a police custody and security officer (PCSO), at a constable’s discretion, to take photographs of a person held in custody. That power can be found in paragraph 1(j) of schedule 2 to the Police and Fire Reform (Scotland) Act 2012.

The IAG also points out that it should be noted that Section 87(4) of the Sexual Offences Act 2003, which relates to the sex offender registration process, gives the power to the police take photographs and fingerprints of the subject for this specific purpose.

Children

The IAG report included a section on children stating that this is an area deserving of special attention given that there is currently no separate set of policies or practices as regards biometric data obtained from children and young people. To that end, the IAG established a Sub-Group to look specifically at whether special provisions should be introduced for children. The group also consulted with young people and those working with children and young people, as well as police officers specialising in this area.

The report points out that the number of children who come into contact with the police is relatively small in comparison to adults and, over the last decade in particular, it has reduced significantly (at least partially as a result of changes to the way in which children and young people involved in offending are dealt with by diversionary measures). The vast majority of children will be dealt with through the Children’s Hearings system.

The IAG stated that this provides reasonable justification for taking an appropriately distinct approach to the capture of children’s biometric data. Such an approach is also required by relevant legislation and human rights considerations. It is recognised that biometric data are not required in every case involving a child. In some areas of policing, individual decisions are based on an individualised risk assessment on a case by case basis and it was the view of the IAG that a similar approach would be suitable for the acquisition, retention, use and disposal of biometric data as it relates to children.

The IAG noted that for children aged 12 to 17 years, Police Scotland accept that, in each case, consideration should be given by the relevant officer as to whether it is proportionate and necessary to obtain biometric data for the purposes of recording on the biometric databases, with the best interests of the child specifically taken into account in the decision-making process. The IAG stated that in doing this they should consider the wider context of the child’s offending behaviour, including their previous offences, their likelihood of reoffending and the nature and seriousness of their offending behaviour. Where the decision is to obtain and retain biometric data, the relevant officer should record the reasons. These reasons should be subject to review and scrutiny within a reasonable timeframe, both internally by supervising officers and by the Scottish Biometrics Commissioner.

The IAG recommended that distinct policies should be formulated for the acquisition, retention, use and disposal of the biometric data of children aged between 12 and 17.

In each case involving a child, consideration should be given to the proportionality and necessity of obtaining biometric data for the purposes of recording on the biometric databases, ensuring that the best interests of the individual child are taken into account in the decision making process. Where the decision is to obtain and retain biometric data, the reasons should be recorded and subject to review and scrutiny. Appropriate consideration should be given, and adaptation made, in the treatment of the data of those (children and adults) with specific vulnerabilities.

Retention periods

The current retention periods for biometric data are set out above. The IAG report stated:

On present evidence, which is extremely limited, there seems to us to be no justification for different retention periods across different types of biometric data. That raises the question of what is an appropriate retention period. The best answer is probably a period specific to the various factors relating to the particular individual and any offending or alleged offending, taking account of prior criminal history, outstanding allegations and risk assessments.

Currently, retention periods vary between two or three years (subject to extension on review) to indefinite retention. The IAG stated that attempts to refine rules on data retention, particularly those which permit indefinite retention, are appropriate, not only on a human rights basis but also because over time, limitless retention of records would inevitably lead to databases being overloaded with biometrics of no further utility at increasing expense to the tax-payer.

The IAG suggested that current retention periods, although contained in primary legislation, should be reviewed and, thereafter, kept under review along with the Code of Practice. This should be done based on consideration of such evidence as is, or becomes, available, in Scotland and elsewhere. It may not be possible to specify a particular period for ongoing review, as it should relate to the availability of suitable evidence. Specifically, the IAG had in mind evidence about the value of biometrics in the investigation of certain offences, re-offending rates relating to different crimes, the escalation of offending, and the value that biometric retention has in the investigation of this escalation. In assessing the value of biometrics in the investigation of certain offences, the experience of police officers, prosecutors and others will be of assistance.

The IAG went on to say that there was no evidence which would allow them to make a recommendation about the appropriateness or otherwise of current retention periods and suggested a number of areas for review:

• Indefinite retention – the IAG felt that it was questionable whether such a blanket policy was proportionate and that consideration should be given to amending the current approach. The IAG said that there should at least be a review of the current indefinite retention rules based on a single conviction, taking account of any emerging changes in jurisprudence, whether in Scotland, England and Wales, or at the European Court of Human Rights.

• Children – the IAG stated that a review of retention periods should also extend to those applicable to children’s data. If, however, an individualised approach is adopted for the retention of each child’s data, regardless of whether proceedings are taken at court or through the Children’s Hearings system, (as suggested in Chapter 7 of the report), this may not arise. Otherwise, there should be a review of retention periods as they relate specifically to children, including the three-year retention period where grounds of referral are established (whether through acceptance by the child at such a hearing or a finding at court) in relation to a prescribed sexual or violent offence and the possibility of indefinite retention if a child is convicted of any offence at court.

• Fiscal offer/Fixed penalty - there should also be consideration of differentiation in the length of data retention when someone has chosen to accept a disposal e.g. fiscal offer or police fixed penalty, as opposed to those who do not and who are then not convicted. It is important to recognise that such offers/penalties do not operate on the basis of a requirement for formal acceptance. They operate by way of presumption that they are accepted unless challenged. If disputed, the individual must therefore take formal steps to challenge the penalty. The IAG states that there is a disparity here, and it is unlikely that all of those who ‘choose’ to accept such an offer or penalty are aware that they are doing so, or of the full implications of inaction. Retention of biometric data in such circumstances should be reviewed, and public awareness raised around the issue. To whatever extent possible, this review should also be research led and consider the matters referred to above in relation to indefinite retention.

The IAG report also contains extensive information on the law with regard to human rights considerations.

The Human Rights Act 1998 (“HRA”) which incorporates the European Convention on Human Rights (ECHR) into UK law, sets out the fundamental rights and freedoms that everyone in the UK is entitled to, and makes it unlawful for a public authority to act in a way which is incompatible with Convention rights.

The IAG report states that it is paramount that the relevant public authorities put in place an effective human rights framework when biometrics are used by law enforcement agencies. This framework should also reflect ethical considerations.

The IAG was also of the view that human rights should continue to be mainstreamed into the strategies, policies and operational processes of policing. As such, the IAG advocated a human rights based approach to the use of biometric data. The key principles of this approach should be: legality, accountability, effective participation, non-discrimination and empowerment.

The IAG report states that a human rights framework for biometric data should have an effective, accessible and independent mechanism of review for the individuals concerned. For example, there should be provision for independent review of the justification for the retention of biometric data according to defined criteria, including such factors as:

• the seriousness of the offence

• previous arrests

• utility of the retention and period of retention

• the strength of the suspicion against the person

• any other special circumstances.

Individuals should also be provided with an effective remedy to challenge the storage of biometric data and its use. A formal scheme for destruction would ensure accountability and community trust in the system. It is pointed out that complaint mechanisms play an important role in protecting against potential abuses and arbitrariness.

Sufficient information regarding the governance and management of biometric data should also be in the public domain to maintain transparency, accountability and public confidence in their use.

These are all matters which a new Commissioner would be likely to consider when drawing up a code of practice for the acquisition, use, retention and disposal of biometrics in Scotland.

Taking all of these issues into account, the IAG also specifically looked at the need for independent oversight and whether there was a need for a biometrics commissioner in Scotland.

The IAG’s report pointed out that there is currently no independent governance or oversight of the use of biometric data in policing in Scotland – something also pointed out by Professor Jim Fraser in 2008 and HMICS in 2016. As mentioned above, HMICS specifically recommended the creation of a Scottish Biometrics Commisioner.

In examining the need for a commisioner in Scotland, the IAG set out the position in England and Wales where independent oversight involves a number of distinct, but connected bodies.

• the National DNA Database Strategy Board

• the UK Biometrics Commissioner

• the Forensic Science Regulator (England and Wales)

• the Biometrics and Forensics Ethics Group.

The IAG points out that the UK Information Commissioner’s Office (ICO) also has a role to play in overseeing personal data usage.

The UK Biometrics Commissioner liaises regularly with the ICO. It is understood that arrangements work well generally without the need for a formal Memorandum of Understanding. The Commissioner for the Retention and Use of Biometric Material (CRUBM) provides oversight of biometric data gathered and used by police forces in England and Wales. The CRUBM was created by the Protection of Freedoms Act 2012 (“The 2012 Act”). The 2012 Act is a piece of UK legislation which includes provisions to regulate and oversee a variety of security and criminal justice powers introduced by the UK Parliament since the late 1990s.

The 2012 Act covers areas such as biometric data, public surveillance (CCTV, number plate recognition, etc.), counter-terrorism powers, access and use of criminal records, and the extension of freedom of information and data protection laws. The CRUBM was established to oversee and report on the operation of the legislation in relation to biometrics by reporting to the Home Secretary and the UK Parliament. In terms of the oversight of the retention and use of biometrics in matters related to national security, the CRUBM’s remit is UK-wide.

The Forensic Science Regulator (England and Wales) has oversight of the scientific quality of forensic evidence . The UK Biometrics Commissioner liaises regularly with the Regulator and they work together on the limited areas where there is a shared interest. The Surveillance Camera Commissioner has responsibility for drawing up a voluntary Code of Practice for the use by relevant authorities of public camera systems. The relevant authorities are set out in section 33 of the Protection of Freedoms Act 2012.

In deciding whether an independent biometrics commissioner would be necessary, the IAG took into account the general presumption against the creation of new public bodies in Scotland. Having examined various options, the IAG considered that there was no body within the competence of the Scottish Parliament to which oversight in this area could be given. The IAG also pointed out that as can be seen from England and Wales, there is some overlap of responsibility with the ICO which is a UK body. Data protection is a reserved matter and therefore the ICO exercises these powers in Scotland as well as the rest of the UK, albeit with a Scottish presence.

The IAG stated that the existence of the ICO in England and Wales did not preclude the need to establish a separate Biometrics Commissioner and, although there is some overlap, each oversees distinct areas which are widely recognised as requiring separate scrutiny. The reports and other work of the UK Biometrics Commissioner, generally accepted and welcomed by the UK Parliament, have highlighted the need for specific oversight in this complex and developing field. Finally, a majority of the responses and submissions the IAG received supported the creation of a new body to provide independent oversight in this area.

During its work, the IAG received a number of submissions which suggested a number of possible aspects to a Commissioner’s role. These included that:

• the Commissioner should be able to develop codes of practice relating to the handling of biometric data and hold bodies to account for following the rules set out

• the Commissioner should be able to begin investigations from their own mandate

• the Commissioner should have an independent complaints mechanism

• the Commissioner should report to Parliament and publish findings each year of the reviews they undertake and the oiutcome of any investigations.

It was also felt that the Commissioner should have a role to play in public education and public engagement. It was felt that one of the areas where the public is continually let down is on the delivery of clear, jargon-free information to allow them to understand the powers which authorities have, the powers which the public have to hold those authorities to account, and how to exercise those powers.

The IAG stated that oversight by the Commissioner should extend to all aspects of policing and law enforcement subject to the competence of the Scottish Parliament. Specifically, this would include Police Scotland and the SPA, as well as any other related public bodies. The Commissioner should be able to issue guidance to public bodies in the criminal justice field, as well as offering support in their ethical use of biometric data – existing, emerging and future.

The IAG pointed out that there were other areas of Government where biometric data features (e.g. health and education) and while these were not within the Group’s Terms of Reference, consideration could be given as to whether the role of the Commissioner could be extended to cover them.

The IAG stated that the Commissioner should also have powers to investigate compliance with any Code of Practice by the bodies to which it applies, making recommendations, and following up those recommendations, as well as reporting publicly on the outcomes.

In Scotland there is no Surveillance Camera Commissioner. One respondent to the IAG suggested a commissioner whose oversight covered biometrics and CCTV where biometric data can be captured without knowledge or consent. Again, this area extended beyond the IAG’s Terms of Reference, and the Group made no recommendation, but stated that it was a matter which could be considered in due course.

The IAG also stated that the Commissioner should report to the Parliament on an annual basis. It also suggested that the Parliament should carry out a periodic review of the Commissioner’s work at regular intervals, perhaps every three to five years.

As pointed out above, the IAG called for:

• Legislation to create an independent Scottish Biometrics Commissioner. That the Commissioner should be answerable to the Scottish Parliament, and report to the Parliament. The Commissioner should keep under review the acquisition, retention, use and disposal of all biometric data by the police, Scottish Police Authority and other public bodies. The Commissioner should also promote good practice amongst relevant public and private bodies, and monitor compliance with the code of practice.

• Legislation to establish a code of practice covering the acquisition, retention, use and disposal of DNA, fingerprints, facial and other photographic images (including custody images) and all existing, emerging and future biometrics for Police Scotland, the Scottish Police Authority and other bodies working in the field of law enforcement.

The IAG pointed out that biometrics and biometric data in policing are areas with significant ethical issues, challenges and concerns. To that end, the IAG was impressed by the contribution made in England and Wales by the Biometrics and Forensics Ethics Group (“the BFEG”). The BFEG is an advisory, non-departmental public body, sponsored by the Home Office.

The BFEG has 13 members. Although it has only four plenary meetings annually, much of its work is done through sub-groups. The BEFG has reported on a number of issues in the past including:

• a pilot project on the international exchange of DNA

• the development of a set of high-level ethical principles for stakeholders

• the retention and use of custody images

• the role of forensics in achieving criminal justice outcomes.

The IAG also recommended that there should be an Ethics Advisory Group on Biometrics in Scotland. It suggested that the Group could support, test and challenge the Commissioner and other relevant bodies. Liaising with others working in relevant areas of ethics, the Group could also offer advice on options as to how, or whether, to proceed with proposed developments in technology. The IAG stated that there would be considerable scope for liaison with the BFEG, possibly to include observers from each Group attending meetings of the other.

It seems to us that there are individuals in Scotland, especially in our universities, who would be ideal to perform such a role. We received considerable assistance from them and, whether or not directly involved in such a Group, we are confident that they would have a useful role to play in the oversight landscape, especially when we are recommending greater transparency and evidence-gathering. (IAG Report)

Although the Bill as introduced does not provide for such a group, the Cabinet Secretary for Justice, Humza Yousaf MSP when giving evidence to the Parliament’s Justice-Sub Committee on Policing on 13 June 2019 stated:

Because of my commitment to the legal, ethical and proportionate use of new technologies, which I believe is shared by the sub-committee, I plan to form an independently chaired reference group to scope the possible legal and ethical issues arising from emerging technological developments. The overall aim is to ensure that Police Scotland can continue to have not only the power to keep our communities safe but, crucially, the right safeguards to protect the rights of the individual. I believe that the use of independent expertise has delivered a real improvement in Scottish policing in areas such as stop and search and biometrics. Because this is, at present, simply a policy intention, I am unable to go into much detail about the group’s full remit and membership, but I am, of course, keen to hear the sub-committee’s thoughts on the matter.

Following publication of the IAG’s final report, the Scottish Government ran a consultation ¹Scottish Government. (2018, July 1). Consultation on enhanced oversight of biometric data for justice and community safety purposes. Retrieved from <a href="https://www2.gov.scot/Resource/0053/00538313.pdf" target="_blank">https://www2.gov.scot/Resource/0053/00538313.pdf</a> [accessed 10 September 2019]on proposals for the Bill from July to October 2018. The consultation aked for views on two proposals intended to create independent oversight of the acquisition, retention, use and disposal of biometric data for criminal justice purposes:

• the establishment of a new independent Scottish Biometrics Commissioner

• the creation of a draft Code of Practice for the collection, use and disposal of biometric data.

The Scottish Government also held four consultation stakeholder events with the Scottish Youth Parliament; equalities groups; police workforce; and a mixed event including academics.

The consultation received 89 written responses. Forty respondents gave consent for their submissions to be published and the Scottish Government also published an independent analysis of responses²Scottish Government. (2018, October 26). Consultation on enhanced oversight of biometric data for justice and community safety purposes analysis of responses. Retrieved from <a href="https://consult.gov.scot/safer-communities/use-of-biometric-data/results/biometricsdata-finalconsultationanalysis.pdf" target="_blank">https://consult.gov.scot/safer-communities/use-of-biometric-data/results/biometricsdata-finalconsultationanalysis.pdf</a>. Respondents were broadly supportive of the two key legislative proposals included in the consultation with 89 per cent being in favour of the establishment of a Scottish Biometrics Commissioner; and 83 per cent supporting the need for a Code of Practice.

The consultation also included a draft Code of Practice which respondents were asked to provide comment on.

The following paragraphs provide brief information on some of the key issues raised by respondents to the consultation.

Meaning of biometrics

In its submission, the Law Society of Scotland stated that it would be essential for the term “biometric data” to be carefully defined. The Law Society said that this may prove to be challenging but without a clear statutory definition, the scope of the proposed Bill “will be uncertain and open to challenge”. The Law Society also pointed out that developments around biometric data are fast-moving and as such, the definition of biometric data must take account of advice from appropriate experts to produce a definition that is relevant today but will also encompass future advances in these relevant technologies. The legislation must be wide enough to ensure all relevant data is caught and subject to the Code of Practice and the remit of the Scottish Biometrics Commissioner.

Establishment of a Biometrics Commissioner

The Scottish Police Authority welcomed the proposal to create an independent Scottish Biometrics Commissioner to support the effective, proportionate, legal and ethical use of biometric data. The SPA noted that the consultation paper recognised that there was strong existing governance and practice within both Police Scotland and the SPA regarding the use of biometrics data, and that the establishment of a source of independent advice and support is likely to strengthen the law in this area.

Responding in an individual capacity, Laura Martin stated that a Biometrics Commissioner for England and Wales had been established since June 2016, however, Scotland has not yet taken steps to ensure adequate regulation of biometric data for criminal justice and community safety reasons. Ms Martin stated that it is crucial that Scotland establish a similar public body and that an independent expert must track the development of biometric technologies and how they are put into practice in Scotland. Ms Martin also stated that a Biometrics Commissioner can identify challenges and gaps in regulation in order to ensure fundamental rights and interests are adequately protected whilst promoting police accountability and transparency.

Code of Practice

The Law Society of Scotland stated that there were several reasons why a statutory code of practice should be put in place. The Law Society pointed out that the Criminal Procedure (Scotland) Act 1995 already sets out the procedures governing the obtaining of biometric samples such as fingerprints as well as the rules for its retention and use. It went on to say that it is important that any Code of Practice should not seek to change the existing law but should consolidate the current law as changes are made to take account of new procedures and techniques as set out in a future Bill.

A Code of Practice provides an opportunity to set out:

• the scope of its application to safeguard the public interest;

• the extent of the biometric data it covers; and

• the organisations affected and required to comply.

The Coalition for Racial Equality and Rights (CRER) was generally supportive of the Scottish Government’s proposals to establish a Code of Practice relating to biometrics data and an independent commissioner to provide external oversight. CREC stated that an effective Code of Practice will allow all parties, particularly those whose biometric data is being collected and stored, to better understand the proper procedures and rights involved relating to biometric data. However, CREC felt that the proposals for a Code of Practice do not include an appropriate focus on underlying inequalities faced by non-white communities in Scotland.

CRER pointed out that the Scottish Government, Police Scotland, and the Scottish Police Authority are bound by the Public Sector Equality Duties, which require not only that public bodies eliminate unlawful discrimination, harassment and victimisation, but also advance equality of opportunity between different groups.

Paragraph 43 of the draft Code of Practice lists several “General Principles” that should be adopted to govern the use of biometric technologies – however, none of these principles say anything about either eliminating discrimination or advancing equality. CRER strongly believes that the statutory Code of Practice should explicitly include such statements.

In its response, Open Rights Group stated that a statutory Code of Practice is needed to regulate biometrics currently used in the criminal justice sector in Scotland, but also for biometrics which are still to emerge. The Group stated that the current Scottish landscape regulating biometrics in the criminal justice is fragmented in that it does not provide a general framework to regulate biometric data currently used in the criminal justice process. The Group reiterated the point that the Criminal Procedure (Scotland) Act 1995 governs the acquisition of DNA and fingerprints but says nothing of photographic images.

The Scottish Biometrics Commissioner Bill (“the Bill”), along with accompanying documents, was introduced in the Scottish Parliament by the Cabinet Secretary for Justice, Humza Yousaf MSP on 30 May 2019. The Parliament has designated the Justice Committee as the lead committee for stage 1 consideration of the Bill.

The following paragraphs provide an overview of the provisions in the Bill.

The overarching policy objective of the Bill is to support and promote the adoption of lawful, effective and ethical practices in Scotland in relation to the collection, use, retention and disposal of biometric data in the context of policing and criminal justice.

The Bill seeks to achieve this by establishing the post of Scottish Biometrics Commissioner (“the Commissioner”).

The primary role of the Commissioner will be to provide independent oversight in relation to the collection, retention, use and disposal of biometric data by police bodies.

The oversight will comprise of the Commissioner:

• reviewing law, policy and practice in relation to biometric data

• promoting public awareness of the powers and duties of police bodies as regards biometric data

• preparing and promoting the use of a Code of Practice for the collection, use, retention and disposal of biometric data.

The Policy Memorandum to the Bil¹Scottish Parliament. (2019, May 30). Scottish Biometrics Commissioner Bill Policy Memorandum. Retrieved from <a href="https://www.parliament.scot/S5_Bills/Scottish%20Biometrics%20Commissioners%20Bill/SPBill48PMS052019.pdf" target="_blank">https://www.parliament.scot/S5_Bills/Scottish%20Biometrics%20Commissioners%20Bill/SPBill48PMS052019.pdf</a> [accessed 10 September 2019]l states that in creating a new Scottish Biometrics Commissioner, the Scottish Ministers are responding positively to the recommendations made in three independent reports (see above).

The Bill is a relatively short one, comprising 29 sections and two schedules. The following paragraphs outline the main provisions within the Bill.

Establishment and appointment of the Commissioner

Section 1 establishes the office of Scottish Biometrics Commissioner (“the Commissioner”), while Schedule 1 provides further detail on the appointment and status of the Commissioner.

The Commissioner is to be independent of Scottish Ministers and report directly to the Parliament. The Commissioner will be recruited by the Scottish Parliamentary Corporate Body (SPCB) and appointed by HM the Queen on the nomination of the Scottish Parliament. This is a similar procedure used for other commissioners or appointees who are required to be independent of the Scotish Government, such as the Auditor General for Scotland.

The Commissioner may be appointed for a single term up to a maximum of eight years (a shorter period may be set by the SPCB) and a serving Commissioner or a previous Commissioner may not be re-appointed to the post.

The Financial Memorandum to the Bill²Scottish Parliament. (2019, May 30). Scottish Biometrics Commissioner Bill Financial Memorandum. Retrieved from <a href="https://www.parliament.scot/S5_Bills/Scottish%20Biometrics%20Commissioners%20Bill/SPBill48FMS052019.pdf" target="_blank">https://www.parliament.scot/S5_Bills/Scottish%20Biometrics%20Commissioners%20Bill/SPBill48FMS052019.pdf</a> [accessed 10 September 2019] states that the Commissioner’s post is expected to be part-time (0.6 FTE) and the staffing complement for the Commissioner’s office is expected to be three FTE members of staff. The estimated set-up cost for the Commissioner's office is £184,000. The annual running cost for the Scottish Biometric Commissioner is estimated at £333,000.

Schedule 1(9) of the Bill makes further provisions regarding the terms and conditions for the appointment of the Commissioner. This provides that the SPCB may prohibit the Commissioner from holding other offices or employment, or for the SPCB to approve the holding of other employment by the Commissioner while they are holding office.

Functions and powers

The Commisioner’s general function is set out in section 2 of the Bill. The Commissioner’s general function is to support and promote the adoption of lawful, effective and ethical practices in relation to the acquisition, retention, use and destruction of biometric data by Police Scotland and the SPA. The Bill also allows Scottish Ministers to amend by regulations, the list of persons within the Commissioner’s responsibility by adding, removing or varying a person or description of a person.

The Explanatory Notes to the Bill point out that that a “person” is defined widely in schedule 1 of the Interpretation and Legislative Reform (Scotland) Act 2010 and includes bodies as well as individuals, whether or not incorporated. However, the Commissioner’s remit is criminal justice and police purposes, so any persons with a range of functions who are added to the list in section 2(1) of the Bill would fall within the Commissioner’s responsibility in that regard only.

The Commissioner’s general function does not extend to biometric data in relation to which the Commissioner for the Retention and Use of Biometric Material (“CRUBM”) has a function under section 20 of the Protection of Freedoms Act 2012 – under which the CRUBM must keep under review national security determinations, including determinations made under section 18G of the Criminal Procedure (Scotland) Act 1995. A national security determination is made if the chief constable determines that it is necessary for biometric data to be retained for the purposes of national security. The CRUBM must keep under review the uses to which the biometric data retained pursuant to a national security determination is being put.

The Bill also requires the Commissioner to keep under review the law, policy and practice relating to acquisition, use, retention and destruction of biometric data by Police Scotland and the SPA. Promoting public awareness and understanding of these powers and duties, how they are exercised, and how they can be monitored or challenged also falls within the Commiissioner’s functions.

The Commissioner’s powers relate to biometric data which is acquired, retained, used or destroyed for criminal justice or police purposes. Although the terms “criminal justice purposes” and “police purposes” are not defined in the Bill, the latter would include any activities which the police legitimately undertake. This goes beyond just the prevention and detection of crime. It would therefore also cover, for example, work the police do to help identify a dead body (even where the death has not been categorised as suspicious). It would also cover work the police do to investigate an act carried out by a child who is below the age of criminal responsibility.

The Commissioner must also have regard to the interests of children and young people and individuals who are considered to be vulnerable. For the purposes of the Bill, children and young people means individuals under the age of 18 years. “Vulnerable” means individuals who, because of personal circumstances or characteristics, may have difficulty understanding matters relating to powers exercised by the police or the SPA relating to biometric data.

The Bill also provides that the Commissioner may work jointly with, assist or consult other persons in carrying out his/her functions. The list at section 3 of the Bill includes amongst others, the Scottish Parliament, Scottish Ministers, the chief constable of Police Scotland, the SPA, and the Scottish Human Rights Commission.

Code of practice

The Commissioner must prepare, and may periodically revise, a code of practice on the acquisition, use, retention and destruction of biometric data for criminal justice and police purposes. Once a draft code of practice has been drawn up, the Commissioner must submit it to the Scottish Ministers for approval. Before submitting a draft code of practice for approval the Commissioner is required to consult a wide range of stakeholders including, the chief constable of Police Scotland, the SPA, the Lord Advocate, the Information Commisioner and the Scottish Ministers.

Should Ministers decide not to approve the draft code, they must provide reasons to the Commissioner. If the Scottish Ministers decide that modifications to the draft code are appropriate, these must be agreed with the Commissioner.

The code of practice provided for in the Bill will provide detailed information and guidance for police bodies on the achievement of recognised standards in relation to the acquisition, retention, use and destruction of biometric data. It is anticipated that the code will reflect the need for transparency, accountability and the observance of the rule of law. The code is also likely to provide guidance in relation to good practice particularly as regards children, young people, vulnerable individuals and groups with certain protected characteristics.

The Bill provides that constables and police staff and the SPA must “have regard” to the code of practice when exercising any functions to which the code relates. The Explanatory Notes to the Bill explain that this recognises that there may be particular times when the specific circumstances of a case mean that compliance with the code is not practical or prudent. Section 7(3) of the Bill provides that failure to have regard to the code of practice does not of itself give rise to grounds for any legal action.

The Bill provides that any code of practice has no effect until the day appointed for the code by regulations made by the Scottish Ministers. The regulations will be subject to the affirmative procedure in the Parliament. While the regulations will not contain the code itself, the Scottish Ministers must lay a copy of the code before the Scottish Parliament at the same time as the regulations are laid. This is to ensure that the Parliament has the opportunity to consider the code of practice before approving the regulations that bring the code into effect.

The Commissioner will be required to keep the code of practice under review, prepare and publish a report on the findings of that review, and lay a copy of that report before the Parliament. The first report must be laid no later than 3 years after the date on which the code comes into effect.

Information gathering

The Bill as introduced, provides that the Commissioner can require any person, by way of an information notice, within the Police Service of Scotland and the Scottish Police Authority to provide information which the Commissioner requires in order to determine whether those bodies are having regard to the code of practice, or for the purpose of exercsing any of the Commissioner’s other functions.

If information is required, the Commissioner must specify what information is required; the form the information is to take; the date by which the information is due; the place where the person is to provide the information if necessary; and the matters to which the information relates. A person would not be obliged to provide information which that person would be entitled to refuse to provide in proceedings in a court in Scotland.

The Bill enables the Commissioner to apply to the Court of Session where any person who has been served with an information notice:

• refuses or fails to comply with the requirement specified in the notice

• refuses or fails to answer questions asked by the Commissioner

• alters, suppresses, conceals or destroys any information that they have been asked to produce.

There is an exemption where there is a “reasonable excuse” for having done any of these things. The Bill does not specify what a “reasonable excuse” might cover.

The Bill also provides the Commissioner with the power to apply to the Court if they believe a person is likely to do any of these things.

After receiving an application from the Commissioner and hearing any evidence or representations on the matter, the Court may make an enforcement order that it considers appropriate i.e. to ensure that the person provides the information required by the Commissioner; or the Court may treat the matter as a contempt of court. The Explanatory Notes state that this recourse to the courts provides a way (subject to appropriate safeguards) for the Commissioner to obtain information from those bodies to which the Commissioner’s functions and the code of practice apply.

The Bill provides that an oral or written statement made by a person who has been asked to provide information is not admissible in any criminal proceedings against that person. The effect of this is that individuals cannot incriminate themselves when responding to a requirement to provide information.

Section 14 of the Bill contains a confidentiality provision that covers: the Commissioner (including any former Commissioners); the Commissioner’s staff (or past staff); and an agent (or former agent) of the Commissioner.

Under the confidentialty provision, these persons will be guilty of an offence if they knowingly disclose information which has been obtained in the course of the Commissioner’s activities, knowing that the information is not at the time of disclosure, and has not previously been, in the public domain.

There is an exception under which disclosure is authorised where it is made with the consent of the person from whom the information was obtained, or where it is necessary for the purposes of exercising the Commissioner’s functions, or where it is made for the purposes of legal proceedings (whether criminal or civil – and including the purposes of the investigation of any offence or suspected offence).

Reporting

The Bill provides that the Commissioner may publish reports and make recommendations on any matter relevant to his/her functions, including whether relevant bodies are having regard to the code of practice. Any reports published by the Commissioner must be laid before the Parliament. The Commissioner must ensure that reports do not include any information that, in the Commissioner’s opinion, it would be inappropriate to include on the grounds that it may be unlawful; would or might prejudice the administration of justice; or would not be in the public interest.

Where a report includes recommendations to either Police Scotland or the SPA, the Commissioner must provide them with a copy of the report and may also impose a requirement to respond to that recommendation. The written response must set out the actions which the person has taken, or will take, to respond to the recommendation, or the reasons why the person has decided not to implement the recommendation (in cases where the recommendation is not being implemented either in full or in part).

The Bill requires the Commissioner to publish any response to a recommendation, and to lay the response before Parliament, unless there is a reason it would be inappropriate to do so. Again, in publishing a response, the Commissioner should have regard to the need to withhold information where to include it would be unlawful, would or might prejudice the administrtaion of justice, or would not be in the public interest. The Commissioner may also publicise any failure to respond in a way which the Commissioner considers appropriate.

Accountability

The Bill requires the Commissioner to prepare and publish a strategic plan covering a four-year period and to lay the plan before the Scottish Parliament. The first four-year period will commence on 1 April following the relevant section coming into force. The strategic plan must set out the Commissioner’s objectives and priorities for the four-year period and how they will be achieved, what the costs will be, and the timescale applicable. The Commissioner is able to review and revise a plan at any time, and any such revised plan is subect to the same rules on publication and laying.

Before publishing a plan or revised plan, the Commissioner must consult the SPCB and any one else who the Commissioner considers to be appropriate – this will depend on the proposals under consideration.

Budgets

Section 19 of the Bill requires the Commissioner to prepare a budget before the start of each financial year and to seek the approval of the SPCB. The Commissioner may, in the course of a financial year, prepare a revised budget for the remainder of the year and send it to the SPCB for approval. A budget or a revised budget must contain a statement confirming that the Commissioner has ensured that resources will be used economically, efficiently and effectively.

Accountable officer

Under the Bill, the SPCB must designate either the Commissioner or a member of the Commissioner’s staff as the accountable officer. The accountable officer will be responsible for the signing of the accounts; ensuring that finances are kept in good order; and ensuring that resources are used economically, efficiently and effectively. The Bill provides a degree of protection for an accountable officer who is not also the Commissioner should they be required to act in any way which is inconsistent with their responsibiliies. Before any such action can be taken, the accountable officer must obtain written authority from the Commissioner and send a copy of the authority to the Auditor General for Scotland as soon as possible.

Annual report

The Bill requires the Commissioner to publish an annual report on the Commissioner’s activities for each financial year, which must include:

• a review of the issues identified by the Commissioner in the financial year as being relevant to the use of biometric data for criminal justice and police purposes

• a review of the Commissioner’s activity in that year, including the steps taken to fulfil each of the Committee’s functions

• any recommendations by the Commissioner arising out of such activity.

The SPCB could (under provisions in section 5 of the Bill) direct that the annual report is to include a forward-look by the Commissioner.

The Commissioner’s annual report will be laid before the Scottish Parliament within seven months of the last day of the financial year to which the report relates i.e. by 31 October.