fgnopporn - stock.adobe.com

Oversight of biometrics and surveillance should not go to ICO

Biometrics and surveillance camera commissioner Fraser Sampson has panned the UK government’s proposed plan to absorb the functions of those roles under the remit of the information commissioner

Government plans to make the Information Commissioner’s Office (ICO) responsible for monitoring the use of biometric and DNA data by the police are “ill-conceived”, claims the UK’s biometrics and surveillance camera commissioner, Fraser Sampson.

As biometrics commissioner, Sampson is responsible for oversight of how police collect, retain and use a range of biometric material (including digital facial images), while as surveillance camera commissioner he is tasked with encouraging police compliance with the surveillance camera code of practice.

Sampson was appointed to the dual position in March 2021, after the Home Office announced in July 2020 that it would be amalgamating the roles to make the discrete statutory functions of each office the responsibility of a single individual.

The idea to further amalgamate the roles under the purview of the ICO is contained in a consultation opened by the Department for Digital, Culture, Media & Sport (DCMS) into the direction of data protection governance in Britain, which was launched in September 2021.

Sampson has also criticised the lack of transparency around the consultation, claiming he was never made aware of it through official channels, and that it was only brought to his attention in private conversations.  

In his official response to the consultation, Sampson said that to even propose the absorption of these functions by the ICO “is to misunderstand the realities of those functions”.

While both roles involve oversight of lawful data processing, including the retention and sharing of some highly sensitive personal data, both of their discrete functions go far beyond data protection, he said. “There is an elemental difference between general data management principles and intrusive state surveillance; there are also fundamental considerations in this area that are not data protection issues at all,” said Sampson.

Read more about UK technology regulation

These non-data areas include the need to consider the impact of biometrics and surveillance on a range of fundamental human rights, such as the “chilling effect” that “even the perceived presence of a police surveillance camera” can have on freedom of expression and assembly, and whether the tools deployed by police are reliable enough to actually be used in criminal investigations or prosecutions.

The surveillance camera role also specifically includes areas of technical standards, liaison with academia and industry, and the delivery of certification schemes.

Sampson further added that although his surveillance camera role does have a regulatory element, in that he must monitor and encourage compliance with the Home Secretary’s Surveillance Camera Code of Practice, the UK Biometrics Commissioner is by contrast not a regulator at all, meaning its absorption by the ICO would create a conflict of interest.

“The principal functions of the Biometrics Commissioner are quasi-judicial in nature and are exercised in the setting of policing, counter-terrorism and national security,” he said. “To characterise them as upholding information rights is to miss this fundamental point and their absorption would introduce a UK regulator to this area and then require that regulator to take on non-regulatory judicial functions. 

“In the setting of those functions there may also be an inherent conflict for the ICO as they will find themselves participating in decisions to authorise police retention of biometrics which are later challenged by the individual who would not then be able to turn to them as the nation’s regulator upholding their information rights at large.”

In its response to the consultation, the ICO said it had noted the intention to bring the surveillance camera and biometrics commissioner roles into its own remit, and that it recognised the benefits of this approach to stakeholders.

“We are open to this expansion of our regulatory remit, subject to appropriate funding, and await further detail on how any transfer of functions would work in practice,” it said.

Alternative suggestions

Ultimately, if the biometrics commissioner role is to be absorbed, Sampson said it would be better to incorporate its functions into an already-existing judicial body (such as the Investigatory Powers Commissioner or the Investigatory Powers Commissioner’s Office), rather than create a new, non-regulatory remit for the ICO as a data regulator.

Similarly, he added that while there is more overlap between the ICO and surveillance camera role specifically, the latter’s laser focus on policing matters on top of its non-data functions means there is a more compelling argument for it to be absorbed by the Forensic Science Regulator instead.

If absorbed by the ICO, the data-related functions of each role would also “almost certainly result in their receiving less attention”, said Sampson, adding that he believes the solutions is “a single set of clear principles by which those operating biometric and surveillance technology will be held to account, transparently and auditably”.

He said that not only would his alternative suggestions help reduce the role of litigation and legal challenges in shaping the UK’s regulatory landscape, which he described as “an expensive and unpredictable way of developing policy”, it would also help people have “trust and confidence in the whole ecosystem of biometrics and surveillance”.

“The narrow and singular proposal of absorption by the ICO is, in my view, ill-conceived; it is the wrong answer contained within the wrong question and, for the many reasons cited above, is unlikely to produce simpler, stronger governance,” said Sampson. “It is more likely to result in dilution and further complexity while at the same time squandering the chance to hear and heed what we talk about when we talk about biometrics.”

Lack of transparency

Sampson said there had been a lack of transparency around the DCMS’ consultation procedure itself, adding that he was “wholly unaware” of the DCMS’ consultation and its focus on the transfer of functions to the ICO until it was brought to his attention privately.

“At the time of writing, I have yet to receive formal notification as a statutory officeholder but, notwithstanding that formality, I have had the advantage of seeing the letter sent to other stakeholders and have met with officials and the Minister for the Lords for which opportunities I am grateful,” he said, adding that, given the process to transfer functions to the ICO started before his appointment to the dual role, “one might be forgiven for thinking the government has already answered its own questions and the consultation gives the appearance of putting the deliberative cart before the determinative horse”.

Sampson further added that he has raised these issues with officials. “I appreciate the difficult position in which they can find themselves when trying to provide accurate information while at the same time not wishing to encroach on my independence,” he said.

“Crucially, I have received a categorical assurance from ministers that the purpose of the consultation questions is to enable the proper formulation of as yet undecided policy in light of informed responses. It is on that understanding that I submit this one.”

The DCMS consultation ends on 19 November, and the responses it receives will be used to shape future reforms to the UK’s data protection and governance regime.

Read more on Artificial intelligence, automation and robotics

Data Center
Data Management