The Scottish Government has proposed to create a Scottish Biometrics Commissioner to provide enhanced oversight of the collection, use and deletion of biometric data. Open Rights Group reacts to the proposal.
First the good news. The Scottish Government has proposed to create a Scottish Biometrics Commissioner to provide enhanced oversight of the collection, use and deletion of biometric data, and is asking the public for their opinion on the proposals. Open Rights Group called for this last year. It means oversight of Police Scotland’s use of biometrics by a body where previously there was none.
What’s more, the Government proposed the automatic deletion of biometric records when the relevant retention periods expire. This is the Scottish Government embracing technology to realise fundamental rights, another welcome development, and a marked departure from the reluctance to do the very same in England and Wales.
But in stepping into the effort to regulate this area, the Scottish Government has to grapple with some difficult regulatory questions, namely: “Who should these rules apply to?” and “How strong should these rules be?” The proposals struggle on these questions.
Within the Code of Practice there are rules for the collection, use, retention, and deletion of DNA, fingerprints, and for the first time in Scotland, custody photographs. The key rule is that after retention periods expire, this biometric data will be automatically deleted.
The striking part of this inclusion in Scotland is how difficult it has been to establish this rule in England and Wales. While the Biometrics Commissioner in England and Wales called for this in 2017 and a judgement in 2012 required mugshots to be deleted, it would apparently be too expensive to achieve automatic deletion. This is despite the Home Office spending over £2 million encouraging the adoption of facial recognition technology in police forces.
Open Rights Group called for rules establishing an automatic deletion procedure. It is welcome to see them included in the Code of Practice for Scotland and we encourage the rest of the UK to follow Scotland’s lead.
Monitoring the presumption of deletion will be a Scottish Biometrics Commissioner. For the first time a dedicated body will oversee the use of biometrics in Scotland. This is a significant proposal and – like automatic deletion – one that ORG called for and welcomes.
The proposal for the Commissioner will have to clear a hurdle. The Scottish Government have a presumption against the creation of new public bodies, meaning that the Government want to keep the number of public bodies operating in Scotland to a low number. The argument for a Biometrics Commissioner would need to show, among other factors, a pressing need for the public body, the effect of not providing the body, and the level of demand for such a body to exist. That test emphasises the importance for everyone to take the opportunity to respond to the consultation and encourage the Scottish Government to establish a Biometrics Commissioner for Scotland.
Open Rights Group wants to be involved in creating modern, effective institutions to safeguard human rights in Scotland. Achieving that requires a body with sufficient remit and sufficient powers. The Code of Practice would appear to lack in both of these areas.
Firstly, the Code will apply directly to Police Scotland and the Scottish Police Authority. It will slightly widen the application by also applying to biometric data use for any other policing and law enforcement purpose subject to the competence of the Scottish Parliament. While stopping at reserved matters like national security, the Code generally will focus on policing matters.
This does not reflect the direction of travel for biometrics in our lives. In Scotland alone we see bodies like housing associations establishing advanced CCTV systems, schools, and private sector application in retail. While not a matter of justice and public safety, these applications will have an effect on individuals’ rights, and the Code should reflect that. At the moment, adoption in other areas such as public bodies or private bodies is on a voluntary basis. The Code should go further and apply to those bodies directly. It is the logical way to prepare for the future.
Alongside the rules and remits sits the question of how to deal with breaches of the code. Breaches do not constitute a civil or criminal offence. The Commissioner cannot refer bodies to the courts under the Code. Instead referrals for repeated breaches go to the Scottish Parliament. If the rules are to be taken seriously and the Commissioner respected, there needs to be serious repercussions for breaking them, giving meaningful power to the Commissioner to enforce the Code of Practice.
Open Rights Group will be calling on its supporters to fully engage with the consultation in the coming weeks before it closes on 1 October. Everyone that is interested should take the time to respond. We will also continue to publish analysis of the proposals and how they stack up against our recommendations.
Biometrics technology develops quickly. Scotland’s proposals take some tentative and very welcome steps towards safeguarding rights in the future. Those tentative steps should be confident strides and it will take the voices of many to encourage the Scottish Government to do just that.