Scottish watchdog urges wider biometric oversight

Oversight of biometric data in Scotland should be extended to cover the entire criminal justice landscape and not just policing, says Scottish biometrics commissioner in annual report.

Despite the extensive use of biometric data throughout the Scottish criminal justice system – including, for example, criminal prosecutions, prisons and the management of violent and sexual offenders by various agencies – commissioner Brian Plastow said the current biometric oversight arrangements are “piecemeal” as they only apply to policing bodies rather than the entire law enforcement ecosystem.

“My concern is that all these areas do not benefit from independent oversight nor the protection provided by our Code of Practice,” he said, referring to a statutory code which took effect in Scotland on 16 November 2022 following approval by the Scottish government.

The code itself contains 12 principles – including accountability, privacy, necessity and proportionality – to ensure the Scottish police use biometric data in a lawful and ethical manner.

“Biometrics are shared between criminal justice partners, between prisons and criminal justice social work to name a few. These agencies, and policing, all work closely together and sit within the same ministerial portfolio, so it is my view that the goal should be for them all to be the subject of independent oversight,” said Plastow.

“I would encourage Scottish ministers to give more serious consideration to opportunities to extend the independent oversight of my office and the safeguards of the statutory Code of Practice in Scotland to that whole ecosystem.”

If such changes are made, Plastow said that biometric data within multi-agency sharing initiatives such as the Scottish Government Digital Evidence Sharing Capability (DESC) would become subject to independent oversight.

He added while there have been no major public controversies involving the handling of biometric information by criminal justice bodies in Scotland over the past year covered by his report, the DESC system in particular has prompted concerns and media coverage from a data protection perspective.

At the start of April 2023, Computer Weekly first revealed that DESC service – contracted to body-worn video provider Axon for delivery and hosted on Microsoft Azure – is currently being piloted despite major data protection concerns raised by watchdogs about how the use of Azure “would not be legal”.

This prompted Plastow to issue a formal information notice to Police Scotland as the lead data controller for the system, which required the force to demonstrate that its use of the system is compliant with Part Three of the Data Protection Act 2018 (DPA 18), which contains the UK’s law enforcement-specific data protection rules.

While Police Scotland’s response is yet to be publicly disclosed, Plastow confirmed in correspondence with Computer Weekly that the force “uploaded significant image volumes to DESC during this pilot”, which specifically included stills and CCTV images.

Writing in his annual report, Plastow said: “The central question for the organisations running this project is whether the use of hyperscale cloud infrastructure provided by US companies – which may involve biometric or genetic data – is compliant with UK data protection law.

“While the key issue is data protection and therefore a matter for the ICO – in line with the act and reserved matters – we are currently engaging with Police Scotland, SPA and ICO, particularly on aspects related to compliance with our Code of Practice: which requires that biometric data must be protected from unauthorised access.”

In the coming months, Plastow’s office will carry out a review of images and photographs held on various databases, including DESC, which will be laid before the Scottish Parliament in March 2024.

Plastow added there is also a “compelling” case to be made for the expansion of his office’s remit to also cover the acquisition, possession, use and destruction of biometric data from Scotland by police in bodies in England and Wales, such as the National Crime Agency, British Transport Police and Ministry of Defence Police.

“In contributing biometric or forensic data to UK policing systems, Police Scotland and the [Scottish Police Authority] SPA should ensure they have the functionality to administer and maintain that Scottish data in compliance with Scottish legislation and any Codes of Practice in terms of its use,” he wrote in his recommendations.

He added that the massive proliferation of biometric capabilities, which make it easier to collect and compare increasing amounts of biometric data, means there is a greater need for democratic accountability over that data to instil public trust and confidence.

“Looking to the future of law and policy, there is an opportunity for Scottish ministers to ensure that an interconnected criminal justice ecosystem, where biometric data is used by a range of other actors including prisons and DESC, has a proper legislative framework and democratic oversight,” he said.

“There are opportunities also to provide independent oversight over public space CCTV surveillance cameras and other public space biometrics capture technologies that operate independently of policing in Scotland.”

Taking into account the wider societal context in which the vast majority of biometric capability is privately owned and access under contractual arrangements between public and private sector bodies, Plastow further added the current partnerships are failing to recognise ethical values and ensure that the technology is fully functional, accountable and backed by science from inception.

As a result, he said that that public-private partnerships are an area that needs monitoring, as they are “critical to the lawful, proportionate, and accountable use of biometrics” in Scotland.

However, he also said there are “grounds to be confident about the security of biometric data used for policing purposes in Scotland”, as there have been no complaints made under the Code of Practice to date.

He added: “A public attitudes survey we carried out to assess people’s opinions on biometrics and inform future work of the organisation suggested high levels of public confidence and trust in the way it is used.”

In England and Wales, Parliament and civil society have repeatedly called for new legal frameworks to govern law enforcement’s use of biometrics – including a House of Lords inquiry into police use of advanced algorithmic technologies; the former biometrics commissioner for England and Wales, Paul Wiles; an independent legal review by Matthew Ryder QC; the UK’s Equalities and Human Rights Commission; and the House of Commons Science and Technology Committee, which called for a moratorium on live facial recognition as far back as July 2019.

The current biometrics commissioner for England and Wales, Fraser Sampson, also said in February 2023 that clear, comprehensive and coherent frameworks are needed to regulate police use of artificial intelligence (AI) and biometrics in the UK.

However, the UK government maintains there is “already a comprehensive framework” in place.