chalabala - Fotolia

UK police have ‘culture of retention’ around biometric data

A culture of retention around biometric data in UK policing is damaging public trust, says UK biometrics commissioner, who is calling for clear regulation to govern police use of biometric technologies

The UK’s biometrics commissioner, Fraser Sampson, has told MPs and Lords there is a “non-deletion culture” in policing with regards to the retention of people’s biometric information, even when they are not convicted of a crime.

Addressing Parliament’s Joint Committee on Human Rights (JCHR) on 22 February 2023, Sampson said the default in UK policing was to hang onto biometric information, regardless of whether it was legally allowed. “It’s really clear, and I think it’s occurred on every visit we did to every police force,” he said.

When asked to define biometric information, Sampson said that while there is “a drift towards excluding lots of things” from the definition of biometrics by certain groups, notably the UK government, it should include “any unique manifestation … that can be accurately measured, recorded and compared with other records” for the purposes of identifying an individual. This would include any data related to a person’s gait, voice, face, DNA or prints.

He added that the proliferation of biometric surveillance tools – many of which use artificial intelligence (AI) in some capacity – brings up a number of human rights concerns around, for example, bias and discrimination against groups or individuals, privacy, freedom of movement, and freedom of assembly or speech.

Less discussed, said Sampson, was the positive obligation of the state to prevent citizens from suffering inhumane or degrading treatment, which he contends biometrics could help with.

However, he said, even in instances where a person is never convicted after an arrest, police will still retain biometric information in the form of custody images (which can then be used to populate facial recognition watch lists, for example), DNA and fingerprints.

“This was challenged back in 2012 … and the trial judge in that said ‘you need to get rid of that – you can’t retain them if people have done nothing wrong or are of no further interest’,” said Sampson.

Read more about biometric technologies

The 2012 High Court ruling specifically found the retention of custody images by the Metropolitan Police to be unlawful on the basis that information about unconvicted people was being treated in the same way as information about people who were ultimately convicted, and that the six-year retention period was disproportionate.

However, despite the ruling being handed down in 2012, the same problems are persisting, which is ultimately damaging public trust.

“I’m here today saying there are probably several million of those records still,” he said, adding that the response from policing bodies and the Home Office (which owns most of the biometric database used by UK police) is to point out the information is held on a database with no bulk deletion capability.

“I’m not sure that works for public trust and confidence, but even if it did … you can’t [legally] rely on a flaw in a database you built for unlawfully retaining stuff … that’s a technical problem that’s of the country’s and the police’s making rather than the people whose images you’ve kept.”

The same issue was brought up by Sampson’s predecessor, Paul Wiles, in March 2019, when he highlighted the retention of custody images as a major problem to the Science and Technology Committee. Wiles later called on Parliament to explicitly legislate on the use of biometric technologies to provide greater clarity on how police could use people’s sensitive information.

Sampson said that while some forces have now started issuing “discharge information” to people being released from custody that outlines how they can have their facial images deleted, the onus to pursue deletion is still on the individual rather than the police.

He added that when deletion is pursued by an individual, there also needs to be confidence that it will actually happen. “As well as having the wherewithal, capability and understanding to make the application, you also need to have confidence that will make any difference and that it will be done,” said Sampson. “It may be that some groups [in society] have less confidence in it making any difference and being heeded than others.”

Exponential information recording

The proliferation of digital technologies also means the information police can now know and record about a person “have magnified exponentially”, which Sampson said is happening “without any real rules or legislation beyond the internal guidelines for retention of data generally, which I’m not sure goes far enough to assuage the concerns”.

From the police perspective, he added that there is “a great and probably growing anxiety” that, in the retained biometric information, there may be something critical to a case the public expects to be pursued; meaning there could be a backlash (at a time when public confidence in policing has been rocked) if a relevant biometric record was deleted.

However, he also noted that UK police are “operating in a completely uncircumscribed world where we wouldn’t know until someone says they got it wrong”.

In a report that was sent to the Home Office in November 2022 and published on February 2023, Sampson called for clear, comprehensive and coherent frameworks to regulate police use of AI and biometrics in the UK, noting there has been an “explosion of capability in AI-driven biometric surveillance”.

Both Parliament and civil society have repeatedly called for new legal frameworks to govern law enforcement’s use of biometrics – including a House of Lords inquiry into police use of advanced algorithmic technologies; an independent legal review by Matthew Ryder QC; the UK’s Equalities and Human Rights Commission; and the House of Commons Science and Technology Committee, which called for a moratorium on live facial recognition as far back as July 2019.

However, the government maintains that there is “already a comprehensive framework” in place.

While the UK government is yet to publish its AI whitepaper, which will formalise its approach to regulating the technology, Sampson told MPs and Lords it needs to “understand very clearly all the risks associated” with its deployment, and that human rights should be the “highest priority”.

Read more on Artificial intelligence, automation and robotics

Data Center
Data Management