Continuing Open Rights Group’s analysis of the proposal for enhanced oversight of biometrics, Scotland Director Matthew Rice turns to the definition of biometric data.
Rules about how long a given piece of biometric data is held are important, as is the question of who would oversee the rules. But what would these rules apply to? What do we mean by biometrics?
Biometric technologies are discussed in terms of generations. In the first generation you have fingerprints and DNA, generally around for decades now and used in criminal investigation. The second generation involves facial images, speech recognition, and iris recognition. These are at various stages of emerging into our lives. On the horizon is the third generation of biometrics, which includes gait recognition. The challenge is creating rules and institutions that can work across these generations, and beginning to think about and question the next generation.
The proposals from Scotland go for a general definition of biometrics. This is a good thing, which Open Rights Group supports. Regulating specific attributes quickly becomes obsolete and fails to adequately deal with the problem. For proof of this, look to England and Wales, where the Protection of Freedoms Act 2012, which established the Biometrics Commissioner, now falls short of fully regulating the biometrics landscape.
However, a general definition established in law does not settle all debates. The introduction of biometrics technology needs to be carefully scrutinised and properly debated. Getting the roof on this new structure is good, but the public must be able to continue to debate the introduction of biometric identification technology going forward.
The consultation by the Scottish Government runs until 1 October. Let the consultation know how you feel about the definition of biometric data. You can use the Open Rights Group action page to help you form your response.
For the purposes of the Commissioner’s role, biometric data is defined as:
‘Any physical, biological, physiological or behavioural data, derived from human subjects, which have the potential to identify a known individual’.
The definition, similar to the one given in the General Data Protection Regulation, is a welcome one. It seeks to regulate the process of using biometric data to identify an individual, not the attributes of identification, like fingerprints or DNA. Other frameworks operate on those attributes, which creates problems further down the line when new technologies that claim to identify individuals through new attributes appear on the market.
It reflects that biometrics are no longer merely fingerprints and DNA, and it won’t just remain facial or iris recognition either. This definition provides an evolving space for the rules, and importantly the Commissioner, to apply to.
When it comes to proposals to introduce new biometric technologies in Scotland, such as iris recognition in police stations, there would be standards for the technology to be assessed against. Importantly, however, setting rules now does not mean that debates about the technology, its accuracy, and its ethics are no longer needed.
We only need to look to England and Wales to see the negative effects of being wedded to specific biometric attributes.
The Protection of Freedoms Act 2012, which established the Biometrics Commissioner of England and Wales, lists three kinds of biometric data that the Commissioner’s remit extends to: DNA, fingerprints, and footwear impressions. Setting aside the strange inclusion of footwear impressions, the Act and the Commissioner only regulate traditionally first-generation biometrics.
It is clear the drafters of the legislation were just responding directly to the judgement in S and Marper, which found the indefinite retention of DNA and fingerprints by police to be a violation of Article 8 of the European Convention on Human Rights, the right to respect for private and family life. They failed to anticipate where things were going in this field.
Now, we have South Wales Police and the Metropolitan Police trialling facial recognition. This has led to the Commissioner raising concerns about the absence of regulation and oversight in this area. In addition, you have Liberty and Big Brother Watch taking legal action against the trials for the complete lack of rules in their operation. These challenges are legitimate, and Scotland’s proposals show the lessons learned from this unnecessary gap.
Although the general definition means no biometrics technology would be introduced without some framework of rules applying to it, this does not remove the debate for the next generation of biometric technology, or the next one, or the one after that.
For instance, the introduction of iris recognition into police stations in Scotland should be evaluated against whether it would actually improve efficiency, and more importantly whether efficiency is enough to justify beginning to collect sensitive personal data from visitors to a police station.
That we have a definition, and some rules that apply to that definition, does not automatically give the green light to introducing biometrics technology to Scotland.