Regulating The Use of Biometrics Across Scotland

Open Rights Group’s response to the consultation led by the Independent Advisory Group on Biometrics.

The use of biometrics has been a regular part of policing since the development of fingerprinting in the late 19th century. Policing has always looked towards new technology to aid the detection and disruption of crime. Biometrics now extends to DNA, facial search and facial recognition, and iris patterns. The next vanguard could be voice biometrics and its operation, although there is still skepticism about the accuracy of this technique.

While useful in preventing, detecting and prosecuting crime, the capturing, storing and searching of biometric identifiers intrudes on individual privacy. There is a need to ensure that biometric identifiers are used within a governance framework that strikes an acceptable and proportionate balance between public benefit and individual privacy.

It is an uncontroversial proposal, made twice in the past ten years, that Scotland should establish an Independent Scottish Commissioner to address the issues of ethical and independent oversight of biometrics records and databases held in Scotland. Equally uncontroversial is the suggestion of a statutory Code of Practice for the use of biometric data in Scotland. The establishment of a body, and a body of rules, would go some way to working on the appropriate balance between public benefit and individual privacy in Scotland.

Open Rights Group has the following recommendations:

– Supports the creation of a commissioner, though whether this is a biometrics commissioner or a wider, more general privacy commissioner should be considered.

– Calls for the commissioner’s remit, whether biometrics or wider, to apply to all public bodies.

– Calls for a wider community than just one independent commissioner, such as a National Biometrics Strategy Board.

– Calls for a standard for handling and retention of any ‘biometric’ information underpinned by primary legislation, with specific codes developed for specific categories after review by the commissioner.

– Calls for rules setting out a presumption of deletion of collected biometric information.

– Calls for rules to address the use of automatic facial recognition software in public.

THE NEED FOR A COMMISSIONER

Changes in technology happen at a pace that the legislature fails to keep up with. This is a challenge for all governments across the world, but it isn’t insurmountable. Creating independent bodies of experts that are able to track the changes in technology, how those technologies are put into practice, and whether the legislative framework continues to serve its original purpose, is a good approach to meeting the challenges of an ever-changing technological landscape.

Biometrics collection and use will have to change in Scotland whether Holyrood acts on it or not. The upcoming General Data Protection Regulation contains new categories of sensitive personal data, such as genetic data, and biometric data where processed to uniquely identify an individual. Making sure public bodies remain in compliance with the General Data Protection Regulation and advising the Scottish Government how to approach creating rules with regard to biometrics in line with the GDPR is a task well served by a body like a Biometrics Commissioner liaising with the Information Commissioner’s Office.

The Biometrics Commissioner for England and Wales was created by the Protection of Freedoms Act 2012, which was passed as a result of the European Court of Human Rights decision in S and Marper v. UK. The role of the Biometrics Commissioner in England and Wales is to:

– Keep under review the retention and use by the police of DNA samples, DNA profiles and fingerprints.

– Decide applications by the police to retain DNA profiles and fingerprints (under section 63G of the Police and Criminal Evidence Act 1984).

– Review national security determinations which are made or renewed by the police in connection with the retention of DNA profiles and fingerprints.

– Provide reports to the Home Secretary about the carrying out of his functions.

The Commissioner’s continued existence is a recognition that when it comes to biometrics, the expectations of society change as technology changes. Recent coverage of the piloting of facial recognition at Notting Hill Carnival is a good example of this. When a similar discussion occurred in Scotland with facial recognition at football matches, an independent commissioner, sensitive to issues in Scotland, knowledgeable about the current system of capturing photographs for policing purposes, capable of impartiality and objectivity, would have aided that debate. There is no reason why there shouldn’t have been one in place at that time.

There continues to be an interest in the topic of biometrics in Scotland, particularly when it comes to its use in policing, which provides further basis for a body set up to explore this area. HMICS’ report, at Recommendation 4, points to a need for more sustained focus on the use of biometrics in policing, particularly considering developing a clear framework of rules for its use: 

“Police Scotland and the Scottish Police Authority should consult with Scottish Government and other stakeholders on the potential development of a statutory Code of Practice for the use of biometric data in Scotland.”

The need for a commissioner should be apparent from the lack of joined-up thinking Scotland has had when it comes to biometrics. Biometrics covers many topics, from DNA to facial recognition and iris recognition, and in the future could include speech recognition and gait recognition. In the past Scotland has been a leader in some areas, while lagging behind in others.

ETHICAL AND HUMAN RIGHTS CONSIDERATION

The leading European case law regarding the retention of biometrics for policing purposes can be summarised simply: the retention of fingerprints or DNA of individuals no longer suspected of a crime is a violation of the Article 8 right to privacy in the European Convention on Human Rights. A similar summary can be taken for photographs, with judgements in the High Court in England and Wales pointing in that direction. Scotland should immediately consider why it continues to operate systems containing photographs of those not convicted of any offence, for over 10 years.

S and Marper v. UK is often cited in Scotland to reflect Scotland’s good standard on DNA at the time, but it is worth revisiting the judgement for the broader human rights considerations.

In the court’s assessment, the blanket and indiscriminate retention of fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences was a violation of the right to privacy (para. 125). It is also important to note that the court clearly places a special obligation on those States looking to operate as pioneers in the development and use of new technologies to strike the right balance when interfering with the right to privacy (para. 112). If Scotland were to look to set standards in this area, that status comes with a need to also be a leader in oversight, safeguards, and standards.

Marper was a landmark judgement, but then England and Wales were also an outlier among European states in having a policy of indefinite retention for those arrested but acquitted of crime or who had criminal procedures discontinued (para. 47). However, recent decisions have found systems with defined but extensive retention limits to be a disproportionate interference. Scotland’s system, which has no explicit limit on renewals for retaining DNA and fingerprints, risks falling outside those standards set by European Court of Human Rights case law.

Finally, while there is no European case law relating specifically to custody photographs, the Marper judgement says photos should have similar rules to fingerprints in terms of approach to be followed (para. 84). Additionally, rulings of the High Court in England and Wales are of relevance. In the case R v. Metropolitan Police Commissioner, the High Court found that the retention of custody photographs of individuals either not charged or acquitted was an unjustified interference with the right to privacy. Heavily reflecting the judgement in Marper, the court found against the Police for, among other things:

–  Failing to distinguish between categories of crime, the convicted and those not charged, risking stigmatisation.

–  Retention for a long period of time, 6 years minimum, and in practice much longer.

The relevant human rights considerations point to the need for a framework governing all types of biometric material, not just specifically fingerprints or DNA, in a similar legislative framework. The framework should be limited in its scope and retention, clearly distinguishing between the innocent and the convicted, and come with meaningful frameworks for deletion and accountability.

GENERAL DATA PROTECTION REGULATION

Aside from the case law, there is a change coming with the General Data Protection Regulation, which makes a deliberate effort to include biometric information as a category of information that has data protection standards attached to it.

This means that the processing of biometric information needs to have a purpose in law. There are many such purposes, particularly those relating to the investigation and detection of crime. Other public bodies, to which Open Rights Group thinks the Commissioner’s remit should extend, need to clearly present a legitimate processing standard or seek explicit and freely given consent, or risk falling foul of the regulation.

This change also creates opportunity for work alongside the Information Commissioner. Open Rights Group considers it important that the Information Commissioner’s Office and whatever Commissioner may be created from this should be in close alignment, and work to reinforce the authority of one another, not undermine it. Open Rights Group considers that an achievable working practice that would also prove mutually beneficial. Incorporating relevant data protection principles into a statutory framework would help to achieve the mutually beneficial working environment.

ETHICS 

Much has been made of recent developments in facial recognition analysis, and the use of facial recognition in policing scenarios. In July, the Metropolitan Police announced a pilot initiative to use facial recognition technology at Notting Hill Carnival. They may have anticipated some scrutiny but a much larger discussion started about the merits of the technique in identifying offenders, the effect specifically on predominantly black communities, and continued use of photography databases that should have had their policies, and thus their contents, changed years ago.

Recent studies from Stanford have also begun to generate ethical debates. A study suggesting the sexual orientation of individuals could be derived from already available software hit the headlines in early September. Setting aside the ethical standards involved in its approval, the study suggests that technological developments are not waiting for society to approve, if it ever would, of the cutting edge of biometric analysis. Nevertheless, the study speaks for itself.

The pilot project at Notting Hill received the scrutiny of the Biometrics Commissioner, who released a statement in the lead-up to the Carnival. This helped to manage the debate and provide some objectivity to the concerns.

If Police Scotland were to adopt similar pilot projects, who would be in a position to externally scrutinise the ethics? Who would have the mandate, and the authority, to make statements about the framework that is being developed? Most importantly, who would follow up to find out about the results of the project and assess its worth against the friction it created with some of the attendees? Scotland would be at a loss for ethical guidance in that instance, which is a disappointment.

The adoption of biometric analysis needs to be considered against the wider principles of society. It was obvious that people were concerned about the use of facial recognition at Notting Hill Carnival, likely because of the predominantly black community attending, and the record the technology has in misidentifying members of that community, risking the arrest of innocent individuals and further stigmatisation of a community that has concerns about the way they are policed in comparison to other communities. Ethically, this was unsound.

Further, the bleeding edge of research and analytics in biometrics appears insensitive to the ethics of the wider world. What part of society’s needs is being met by the ability to detect the sexual orientation of an individual based on their facial features? What saves some people an awkward conversation at a bar creates, for others, a despotic tool for sorting those breaking the law.

Scotland as a society and its institutions are broadly accepting of all people, but having a Commissioner that is sensitive to the effect these technologies can have on marginalised communities is incredibly important in the wider discussion of adoption and use of technologies, and appropriate frameworks to govern a set of systems and analysis techniques that is capable of revealing the most intimate information, just from the shape of our nose or jaw.

A consistent line of reasoning in court decisions has been on the intimate details DNA could reveal in the future (Marper para. 71), sometimes drawing a distinction against fingerprints. However, in other cases, photography and fingerprints are also recognised as having an intimate nature to them, as in Baroness Hale’s speech in Campbell v. MGN Ltd.

This line of concern is important to note. It means that it is not the specific biometric data collected alone that has alarmed courts and the public, it is the insight to be gained from analysing the information. As a result, the regulation of the use of biometrics should be considered a moving target ethically. Increasingly sophisticated biometric analysis is now using something like a fingerprint, or a face, categories of information that were not as revealing as DNA in the past, to generate intimate insights.

The legislative framework should reflect society’s concerns, as should the operations of the Commissioner. It would be unwise for a framework to be created that tries to tie down categories of information as revealing and not revealing, or intimate and not intimate. That approach has proven to age quickly and result in the need for reforms, such as custody photographs in England and Wales.

A flexible framework should provide Scotland the opportunity to balance society’s concerns against technologies developed, and the practice of institutions adopting biometrics. This goes from border forces to transport police, to council programmes, to health providers.

POLICY AND LEGISLATIVE FRAMEWORK 

Summary:

– A presumption of deletion of biometric information, with the burden on police to justify retention.

– There should be general rules for all ‘biometric’ information collected, passed via primary legislation, with additional rules created for specific categories of information based on their level of intrusiveness and potential for revealing of intimate information.

– There should be a strict limit to the retention of biometric data, with no opportunity for indefinite retention.

– Automated facial recognition search needs to be underpinned by primary legislation.

The European Court of Human Rights judgement in the case of S and Marper from December 2008 found that the blanket and indiscriminate retention of DNA and fingerprints of innocent people by police forces in England and Wales was a breach of Article 8 of the European Convention on Human Rights. The judgement singled out the Scottish system for praise while it came down against the English and Welsh system:

“The current position of Scotland….is notably consistent with Committee of Minister’s Recommendation…which stresses the need for an approach which discriminates between different kinds of cases and for the application of strictly defined storage periods for data, even in more serious cases…England, Wales and Northern Ireland appear to be the only jurisdictions within the Council of Europe to allow the indefinite retention of fingerprint and DNA material of any person of any age suspected of any recordable offence.” para. 109 – 10.

Scotland was a standard setter when it comes to DNA and fingerprint retention. The Scots system was of such laudable standard that in passing the Protection of Freedoms Act, which responded directly to the S and Marper judgement, the Home Office produced a fact sheet comparing the new rules for retention of Biometric data against the Scottish model.

On the same day Scotland was being placed as leading the way in DNA and fingerprints in 2008, it was taking custody photographs of individuals detained. Some of those individuals had no charges brought against them. However, those photographs remain retained and on computer systems today, almost 10 years later, even though no action was to be taken with those individuals in custody.

This lack of joined-up thinking is something a commissioner, with a wide enough remit to review biometrics use across policing in Scotland, would have likely spotted and marked for change; instead it remains a policy gap to this day.

Currently, Scotland has no statutory framework governing the use and retention of photographic images, while DNA and fingerprints are governed by the Criminal Procedure (Scotland) Act 1995. Any statutory framework that is being considered should start from creating general regulations applying to the collection, retention, and use of ‘biometric’ data. There should then be a separate procedure, based on recommendations from a Commissioner or review, focusing on rules for the collection, retention, and use of specific categories of data, whether that be DNA, fingerprints, photographs, voice, iris, or any other emerging area of identification of individuals or groups of individuals using physical characteristics.

GENERAL RULES FOR BIOMETRIC DATA 

‘Biometric’ data should be defined generally, allowing for future developments or collection initiatives to still fall under general rules to protect Scottish citizens’ privacy, before having special rules created for a category of information, if required. The definition of ‘biometric data’ contained in the General Data Protection Regulation at Article 4(14) is suitably generic and flexible, and could be considered a working definition from which to build general rules.

COLLECTION, USE, RETENTION, DELETION

Open Rights Group supports the development of primary legislation to cover photographic images. Throughout the HMICS report, including in its Key Facts section, the gap between photographic image retention and DNA and fingerprints was pointed out. While many of the policies for DNA and fingerprints are applied voluntarily to photography, it would be clearly beneficial, given the development of new categories of information, to have clear rules for all ‘biometric’ information, with further rules applied to special categories of information (such as DNA and fingerprints v. photographic images) and categories of people (children, non-offenders, specific types of offences).

A presumption of deletion, as suggested by the Biometrics Commissioner in England, would help Scotland forge a new path for the use and retention of biometrics. Placing the burden on the police force to show that an image needs to be retained, rather than on the individual to appeal for their image to be deleted, is a better functioning system. There will likely be more deletions occurring as a result, the public’s privacy is better protected, and Police Scotland would be able to focus on maintaining the records of that small category of individuals that merit the retention of their biometric information.

AUTOMATED FACIAL RECOGNITION 

A growing area of practice, and of public concern, is the use by police of facial recognition software in public spaces, matching public faces against those of individuals on a watch list. Open Rights Group shares concerns expressed by the current and former Biometrics Commissioners in England and Wales about the invasion of public privacy and the lack of oversight of, or legislative underpinning for, the practice.

The databases used are often of custody photographs, the purpose of which is not to act as a public watch list to scan people’s faces in public places against, and yet that is precisely what is taking place. Open Rights Group considers this practice highly worrying, a disproportionate interference with many innocent individuals’ right to privacy.

Currently, this practice in the UK has no independent oversight from a Commissioner, nor any rules underpinning when it would be appropriate to deploy such systems, nothing laying out whether less intrusive means have been considered, or requiring a privacy impact assessment to be drawn up, or an independent body such as a judge or a commissioner to approve its use. It also departs from the authentication of individuals (matching one photograph to one photograph on record) to identification (matching a photograph against all records in a database), which increases the risk of false matches. In comparison to fingerprints and DNA, this space is wholly unregulated, and very public, a worrying combination of factors that Scotland should not be looking to emulate.

In other parts of the world, the use of facial recognition has grown past the use of custody photographs, and into searching against driver’s licences and ID photos, such as in America. Scotland should look to act quickly in shutting down the opportunity for mission creep similar to that of America. Studies have proposed model laws for facial recognition legislation, and consideration should be given to how they can be represented in a Scottish legal framework.

The first step should be recognising that this is necessarily a public discussion. Opening a public consultation seeking to balance the necessity and proportionality of automatic facial recognition in public places would be a strong statement of intent. Working towards a fair balance between the use of these techniques and the protection of the public’s human rights should be the goal. The current state of affairs is untenable.

STRUCTURE OF COMMISSIONER

The scope of an independent body is important for a number of reasons. One is of course the effectiveness of the body in carrying out its duties: whether it has investigation powers, can levy fines, make recommendations, or oversee all the bodies relevant to its mandate. Scope and structure can also have an effect on public trust, and on the relevance of the body in the future.

Regarding the sectors covered, Open Rights Group suggests that the commissioner cover the use of biometrics across Scottish public bodies, not just policing. The use of biometrics is more than just a crime and justice discussion but includes systems run by NHS Scotland, and Scotland’s schools, which have had discussions in the past that may return.

Open Rights Group supports the creation of an independent Commissioner to regulate the use of biometrics in Scotland. Topically, this scope should – at a minimum – apply to all types of biometric information, including facial images, and any type of biometric data collection that is adopted in the future. The House of Commons Science and Technology Committee had a similar recommendation for the Biometrics Commissioner in England and Wales. This acknowledged gap in oversight should not be repeated in Scotland.

However, Open Rights Group sees this as an opportunity for Scotland to build an institution that carries a mandate to improve the privacy of everyone in Scotland, working with existing bodies such as the Scotland Office of the Information Commissioner.

There are still oversight gaps in Scotland that could be solved by creating a body with a wider remit. For instance, there remains no CCTV commissioner in Scotland despite one being in place in England and Wales. This could be solved by deliberately creating a commissioner that can operate across areas of wider privacy concern in Scotland.

Open Rights Group, while supportive of a Biometrics Commissioner, encourages the Group to consider whether there is scope for a larger, independent body to be present in Scotland to work on devolved issues in line with something similar to the Privacy Commissioner in Canada.

FUNCTIONS OF THE COMMISSIONER

The commissioner should report to a Committee in the Scottish Parliament. Whether that is the Justice Sub-Committee on Policing, or a committee with a wider remit, such as the Home Affairs Committee in Westminster to which the Commissioner of England and Wales reports, should depend on what sort of remit the Commissioner is given.

The Commissioner’s mandate should involve giving expert evidence in policy deliberations that are within its remit. This helps to ensure the relevance of the Commissioner and provide opportunity for regular contact between the Commissioner, the Scottish Parliament, and the public.

The Commissioner should also play a large part in public education and public engagement. One of the areas the public is continually let down on is the delivery of clear, jargon-free information to help them understand the powers authorities have, the powers they, the public, have to hold those authorities to account, and how to exercise those powers. A commissioner with a mission statement relating to public engagement and education would go some distance to maintaining a public feedback loop for the Commissioner, noting the shifting expectations of the public, and reacting to those changes with new guidance, or public education initiatives.

ROLE AND POWERS OF THE COMMISSIONER

–  Commissioner should have an independent complaints mechanism.

–  Commissioner should be able to begin investigations from its own mandate.

–  Commissioner should be able to develop codes of practice relating to the handling of personal information, and hold bodies to account for following the rules set out.

–  Commissioner should report to Scottish Parliament and publish findings each year of the reviews it undertakes and the outcome of its investigations.

The powers of the Commissioner should be suitably wide to give freedom to operate on its own mandate, and respond to concerns raised by individuals and organisations. An independent complaints mechanism able to receive complaints from members of the public and civil society organisations should be included.

The Commissioner, as with the England and Wales Commissioner, should set codes of practice relating to the collection, retention, and deletion of biometrics information, including specific categories whether that is DNA and fingerprints, facial images, iris, or any other developing area. It should be able to investigate whether the bodies to which those codes of practice apply respect them, make recommendations, and follow up those recommendations, reporting publicly on the outcomes.

Open Rights Group encourages the Scottish Government to think about the wider environment of expert advisers that could assist the Commissioner in its mission. Groups like the National DNA Strategy Board are important in keeping an environment of information sharing between experts and practitioners. Adding the Commissioner to this board, or creating a similar devolved Board, working across issues relevant to Scotland would be of benefit to any new Commissioner trying to find its feet.

CONCLUSION

There are important differences in devolved Scottish law in comparison to England and Wales. This means, in reality, that national policing databases like the Police National Database have irregular practice attached to them. HMICS raised this as a primary concern in their report.

The answer, however, is not just to mirror the England and Wales model. The answer lies somewhere in creating the kind of institutions that can consider how to reflect the expectations and beliefs of Scottish citizens in a framework that is clear, precise, and strikes the balance protecting the right to privacy, and the public benefit of fighting crime.

Biometrics is a bigger topic than just policing; it also involves education, immigration, housing, and potentially other areas yet to be considered. That should be factored into an effective institution for overseeing biometrics in Scotland.

What’s more, this discussion is bigger than just biometrics. This is about creating strong, effective institutions in Scotland empowered to hold to account public bodies, represent the public in debates, and help to create an ecosystem where Scotland can have meaningful debates about the direction the country should travel in. Open Rights Group welcomes the opportunity to help add to this burgeoning environment.