Scottish Biometrics Commissioner – Response to Justice Committee call for evidence

Open Rights Group’s response to the call for evidence from Scottish Parliament’s Justice Committee on the Scottish Biometrics Commissioner Bill.

Open Rights Group are a UK-wide grassroots campaigning organisation working to protect and enhance the right to privacy and free speech online. As digital technology continues to transform the way we live and opens up new ways to communicate and connect, it has also created new threats to our rights. Open Rights Group exists to foster and support those positive developments and challenge the threats, through public campaigns, media commentary, policy interventions and technological projects. 

Open Rights Group’s Scotland office has been involved in the legislative debate regarding the establishment of modern, effective institutions to safeguard rights in Scotland. The call to create a Biometrics Commissioner is one of the central pieces of this work towards modern, effective institutions in Scotland. We are grateful for the opportunity to respond to the Justice Committee’s call for evidence.

What are your views on the establishment of a Scottish Biometrics Commissioner as a new body to scrutinise the police?

Open Rights Group welcomes the proposed establishment of a Scottish Biometrics Commissioner. We supported this in our submission to the Independent Advisory Group on the use of Biometrics and again in the Scottish Government’s public consultation.

However we do have concerns about the scope of the Scottish Biometrics Commissioner Bill, the powers available to them, and the wider governance of biometrics in Scotland. Unfortunately, the proposed Bill does not satisfy these concerns. For that reason this call for evidence has a number of recommendations within it that we would be happy to discuss further with the Committee:

Open Rights Group recommends a change to the Bill to make the Commissioner’s function extend to the use of biometrics by public authorities and private actors when it is being used on the general public.

Open Rights Group recommends making the Code of Practice binding on bodies to which the Code applies, who “must follow” the code of practice.

Open Rights Group recommends the Bill is amended to allow for some form of public individual complaints mechanismto the Commissioner to support its already proposed general functions.

Open Rights Group recommends the Biometrics Commissioner bill carries a reform of the Criminal (Procedure) Scotland Act 1995 to place facial images in the same framework as DNA and fingerprints.

What are your views on the proposed role, responsibilities and enforcement powers of the Scottish Biometrics Commissioner?

The need for oversight of the collection, use, retention and deletion of biometrics in policing circumstances is well established. The case of S v. Marper created the need for England and Wales to change their rules and governance of the use, collection, retention, and deletion of DNA. Since 2012, The Commissioner for the Retention and Use of Biometrics Material (CRUBM) for England and Wales has been in operation. 

The role of the Commissioner in England and Wales remains on the use, collection, retention, and deletion of DNA, fingerprints and foot impressions, while the issue of biometrics has moved on. The proposal in the Bill for the Commissioner to oversee biometrics as it is defined in the General Data Protection Regulation which encapsulates a much wider definition at section 23(1):

information about an individual’s physical, biological, physiological or behavioural characteristics which is capable of being used, on its own or in combination with other information (whether or not biometric data), to establish the identity of an individual.

Scotland has been rightly praised, including by CRUBM, for its effort to establish the role to regulate biometrics with a wide and flexible definition which can incorporate new generations and applications of biometric data. Open Rights Group supports this definitional scope for the Commissioner’s work as it relates to the definition of biometrics.

We are also supportive of the Commissioner’s information gathering powers. One of the vital tasks of any regulator is to hold those they regulate to account, and the primary method of doing this is the gathering of information. The Bill provides strong gathering powers, including punishment when an individual does not comply. These information-gathering powers should remain in the Bill as it progresses.

Concerns

Functions and coverage of the Commissioner and the Code of Practice

While the reviews leading up to this Bill have focused on the use of biometrics by law enforcement, the issue of the use of biometrics has gone beyond law enforcement. There are applications of the use of biometrics by public authorities, and private actors that merit considering whether the Biometrics Commissioner scope is limited at a time when the public’s concern about the use of biometrics in all areas of public life is growing.

The recent controversy surrounding the use of facial recognition by the developer Argent at the King’s Cross Coal Drop Yard is not an outlier, we have seen Swedish schools install facial recognition on students, and shops use it for tracking customers for feedback and payments. Neither is this issue just confined to London, Glasgow Council has a CCTV system which has 70 cameras allowing for the matching of any person of interest with an uploaded photo, which then maps the location of that individual in real time. Finally, the European Union recognises this problem is broader than law enforcement in their recent commitment in August to bring forward legislation covering facial recognition by companies and public authorities. 

Section 2 of the Bill states that the general function of the Commissioner is to support and promote the adoption of lawful, effective and ethical practices in relation to the acquisition, retention, use and destruction of biometric data for criminal justice and police purposes by Police Scotland and the Scottish Police Authority. This means that in either of the scenarios above, a private actor or a public authority using biometric data on the public, the Commissioner’s function will not extend to this area. 

Open Rights Group recommends a change to the Bill to make the Commissioner’s function extend to the use of biometrics by public authorities and private actors when it is being used on the general public.

While the Information Commissioner’s Office is the lead regulator for personal data, biometrics and the role of the Commissioner goes beyond that information governance. The Commissioner’s proposed function touches on “effective and ethical practices”. This would involve discussions about the accuracy, and discrimination risks that are carried with the use of some technologies such as facial recognition and include public issue such as the interaction between these technologies and the freedom of assembly and association. These are important discussions that the ICO’s role does not extend to and should be covered by the Scottish Biometrics Commissioner regarding law enforcement, public actors and private actors.

Code of Practice

Open Rights Group are concerned the effect of the Commissioner’s Code of Practice is too minimal to generate proper regulatory oversight.

Under section 7 of the code on those to whom it applies would be to “have regard to” the code of practice, and under 7(3) failure to have regard to the code of practice does not of itself give rise to the grounds for any legal action.

The inclusion at section 7 of “have regard to” risks undermining the regulatory force of the Code. While the content of the Code is still to be determined it should clearly embed within it human rights standards and Open Rights Group sees no reason why the Code should not exist as binding, requiring those bodies to whom the Code applies to follow, not just “have regard to” the Code of Practice.

Open Rights Group recommends making the Code of Practice binding on bodies to which the Code applies, who “must follow” the code of practice.

Open Rights Group also recommends that the Bill includes within it specific requirements of the Code of Practice, similar to that which is required for Codes of Practice under the Freedom of Information (Scotland) Act 2002 at Part 6. For the Biometrics Commissioner’s Code, provision should be made for:

• The need for quality control of a biometrics system;
• Procedures for demonstrating the robustness of the biometrics system and procedure
• The need for impartiality in the procedures to ensure that application is without bias or unfair discrimination;
• Proportionality
• Transparency and openness;
• Accuracy, security and integrity of data.

These are taken from the Independent Advisory Group on the use of Biometric Data in Scotland’s report. The Group had in turn taken some of these principles from the Biometrics and Forensic Ethic’s Group’s General Principles. These can act as a guide for the Commissioner’s code of practice.

Public access to the Commissioner

One of the key functions of the Commissioner is to promote public awareness and understanding of the duties and responsibilities of those who acquire, retain, use and delete biometric data. This includes public awareness of how those powers and duties can be monitored and challenged. Open Rights Group supports the inclusion of this function. However, as it currently stands there is no method through which a member of the public could raise concerns with the Commissioner, such as an individual complaints mechanism. This was a recommendation noted by the Independent Advisory Group on the Use of Biometrics.

The Information Commissioner’s Office, the data protection authority, has a long running information campaign called “your data matters” which exists to help the public understand how companies might be using your data to target you online and how you can control who is targeting you. This campaign involves practical, easy to understand guidance, blogs, videos and methods of entry to discuss concerns with staff at the Commissioner’s office. All of these activities should be considered options for meeting that general function of promoting public awareness.

Alongside information awareness campaigns, Individual complaints mechanisms are key for both measuring and improving public awareness. Returning to the ICO, under their strategy, Goal 1 is to increase public trust and confidence in how data is used and made available. Under this goal, the ICO includes responding to individual complaints. The ICO has recorded a year on year increase in public complaints, with a significant increase in 2018/19. The duty to receive and act on complaints operates as a metric for public awareness and also a proxy for awareness-raising campaigns such as “Your Data Matters”, including a formal “public front door” for the Scottish Biometrics Commissioner would also help to both measure the function of public awareness, and is a form of public awareness in and of itself. 

Contrast the ICO situation with the individual complaints mechanism available in the specific case of law enforcement use of biometrics and you can see how important it is for an individual complaints mechanism to operate through a regulator, that has a function to promote public awareness. The process to request early deletion of a biometric record is provided for in a 49-page document from the National Police Chief’s Council that requires individual requests first to be made to local police chief officers and then to ACRO Criminal Records Office. If the individual wants to complain about that request there is no formal appeals process but they can write, eventually, to the ICO. 

This is a convoluted procedure, that is not well explained. The Biometrics Commissioner for Scotland could play a significant role in streamlining and simplifying a complaints or request procedure through an individual complaints or request mechanism that will both improve practices in those bodies to whom the code applies, but also improve the Commissioner’s visibility and meet one of its core functions to improve public awareness.

Open Rights Group recommends the Bill is amended to allow for some form of public individual complaints mechanismto the Commissioner to support its already proposed general functions.

What are your views on the provisions in the Bill for the drawing up of a Code of Practice by the Commissioner, and how compliance with the Code is monitored and reported on?

Open Rights Group does not have any specific comments on the provisions for drawing up a Code of Practice, although we would draw attention to the recommendation to make the Code binding. If the process for creating a binding legislative Code requires different provision, then that should be undertaken.

Open Rights Group would also like to raise a wider point about the development of rules that apply to all of biometrics. While the Code as it currently stands will apply to a wide array of biometrics, the legal standards elsewhere in Scotland will remain disjointed between different biometric attributes.

The Criminal Procedure (Scotland) Act 1995 at section 18 sets out the deletion procedure that was praised in the ECJ judgement S and Marper v. UK. Section 18 requires “relevant physical data” and information derived from those samples to be destroyed as soon as possible following a decision not no to institute criminal proceedings. This is a good standard, also known as presumption of deletion that is in accordance with rights standards. But the definition of “relevant physical data” does not incorporate all biometric attributes, it covers fingerprints, palm prints and samples such as hair, fingernails, or swabs (that would provide DNA). No mention is made of facial images captured. 

The retention of facial images of individuals who have not been charged with an offence was considered in the case R (RMC & FMJ) v. Commissioner of Police of The Metropolis. In the case, two individuals who were arrested but not charged with an offence had their fingerprints and custody photographs retained indefinitely by the Metropolitan Police, they applied for deletion of those records and were rejected by the police. The court held that the retention of the custody photographs amounted to an unlawful interference with the applicants’ Article 8 rights. 

The court found that the Met Commissioner’s policy on retention of custody photographs amounted to an unlawful interference because it failed to strike a fair balance between the competing public and private interests and did not draw an adequate distinction between the convicted and those who were either not charged or were charged by acquitted. This establishes custody photographs at the same level of protection as DNA and fingerprints. 

The case of R (RMC & FJ) established a shared standard across all biometrics that should now be reflected in Scots law.

In Scotland there remains a mismatch between DNA, fingerprints, and facial images. This imbalance was pointed out by the Independent Advisory Group on the use of Biometrics pointing out that at the time of writing that the biometric records retained by Police Scotland were as follows:

• 332,213 DNA profiles
• 432,888 fingerprints
• 633,747 Criminal History System photographs
• 1,000,000 + Custody photographs

One of the recommendations from that report was for legislation covering the acquisition of DNA, fingerprints, facial and other photographic images. The temptation may be to place this in the proposed Code, but because of the earlier problems of the Code’s status (not binding, just “have regard to”) this would not create a coherent legislative framework with all biometrics operating at the same level but continue to leave facial images at a lower level of protection than DNA and fingerprints.

This imbalance has lead to an over retention of custody photographs. The only correction that is worthwhile is a change in primary legislation, to add the collection and retention of facial images to the Criminal Procedure (Scotland) Act 1995 thus placing all biometric attributes at the same level of protection. Consideration should be had whether including a similar definition of “biometric data” would be a sensible, future-proofing measure. The Commissioner Bill itself could be used to make that supplementary amendment to the Criminal Procedure (Scotland) Act 1995.

Open Rights Group recommends the Biometrics Commissioner bill carries a reform of the Criminal (Procedure) Scotland Act 1995 to place facial images in the same framework as DNA and fingerprints.

What are your views on the appointment process for the Commissioner and the funding being provided to enable them to carry out their role?

No specific views.

Do you have any other comments regarding the Bill?

No other comments.