In context: Use of biometric data and the Scottish Biometrics Commissioner Bill

What’s it all about?

The Scottish Biometrics Commissioner Bill will create a new commissioner to oversee the use of biometric data such as fingerprints, facial images, voice recordings and DNA samples by police in Scotland. The commissioner will also prepare a code of practice on the management and use of biometric data for criminal justice purposes.

The proposal to create this new role follows concerns that have been raised over a number of years about a lack of oversight and guidance around how police use new technologies that make use of personal data, including data on people who have not been convicted of any crime.

In January 2016, HM Inspectorate of Constabulary in Scotland (HMICS) called on ministers to create the post of biometrics commissioner to deliver “truly independent oversight” following a review it carried out in 2015 of police use of facial recognition technology in Scotland.

While the watchdog concluded that all uses of the technology had been “lawful, proportionate and necessary”, it noted that legislation around retention of data only covered fingerprints and DNA and it was being voluntarily applied to photographic images by Police Scotland. HMICS recommended the creation of a statutory code of practice on the everyday use of biometric data in Scotland as well as a commissioner to oversee it.

In response to the HMICS report, the Scottish Government set up an independent advisory group on the use of biometric data in Scotland in 2017. The group’s recommendations, delivered in March 2018, stated that a legislative framework for the use of biometric data was needed and that rules on the retention of biometric data in the Criminal Procedure (Scotland) Act 1995 should be reviewed.

The group also recommended that a code of practice should be created to cover “existing, emerging and future biometrics”, with specific rules regarding data about young people, and that as well as a commissioner, an ethics advisory group should be set up as part of the oversight arrangements.

A consultation on proposed changes was held between July and October 2018, with 89 per cent of respondents in favour of the establishment of a Scottish biometrics commissioner and 83 per cent supporting the need for a code of practice.

The Scottish Biometrics Commissioner Bill was introduced to the Scottish Parliament on 30 May 2019 and is currently being considered at stage one by the Justice Committee. The parliament has set 20 December 2019 as the deadline for the end of stage one scrutiny.

What’s been going on in committees?

The Justice Committee began taking evidence on the Scottish Biometrics Commissioner Bill in June 2019 and has heard from the Scottish Government team that created the bill, the UK biometrics commissioner, the Information Commissioner’s Office and criminology and human rights experts.

Earlier this month, the Justice Sub-Committee on Policing launched an inquiry into police use of facial recognition technology from CCTV, body-worn cameras and phones to find out what Police Scotland, British Transport Police and the National Crime Agency are doing now and what they plan for the future.

Balancing rights and responsibilities is always difficult, particularly when looking at questions around protecting the public from harm versus protecting the public from state intrusion. The rapid development of technology that can identify individuals by using highly personal data, and the huge risks associated with this sort of data being used improperly, means that these are interesting and timely proposals from the Scottish Government – Justice Committee convener Margaret Mitchell

Controversy

Concerns have been raised in recent months about the increased use of facial recognition technology in Britain. Campaign group Big Brother Watch warned of an “epidemic of facial recognition in the UK”, with the technology now being used in public spaces such as shopping centres, casinos, betting shops and museums.

In May, a report from the Council of Europe’s Commissioner for Human Rights recommended that European countries should regulate the use of facial recognition technology and put in place legislative frameworks for AI systems processing biometric data to “protect the effective exercise of the right to freedom of assembly”.

In July, the House of Commons Science and Technology Committee called for police in England and Wales to halt trials of facial recognition technology until a legal framework was established. And in August, the information commissioner, Elizabeth Denham, opened an investigation into the use of facial recognition software in a new development near King’s Cross in London.

Meanwhile in Scotland, concerns were raised this year over the collection of other forms of data by Police Scotland. The force began trialling and then purchased ‘cyber kiosks’, which can rapidly process digital data from an electronic device such as a mobile phone. But MSPs and the Scottish Human Rights Commission criticised the rollout of the technology, given doubts about the legal basis for processing this data and the likelihood that it contravened human rights law on privacy.

What laws exist currently?

The EU General Data Protection Regulation (GDPR), which came into force on 25 May 2018, places biometric data under “special categories of personal data”, where processing is usually prohibited. However, certain exceptions apply, such as where consent is given, where it is necessary to fulfil obligations under employment or social security law and where there is “substantial public interest”. The UK must comply with GDPR until it leaves the EU.

In the United States, no single federal law exists on the use of biometric data, but some states have passed their own laws. Illinois was the first US state to regulate biometric data when it passed the Biometric Information Privacy Act (BIPA) in October 2008. Washington and Texas have since also passed laws on the use of biometric data, while California has an act that comes into force on 1 January 2020 and Arizona, Florida and Massachusetts are also considering legislation. There are differences between the states’ laws as to what they classify as biometric data and whether action on breaches is taken by the state’s attorney or by individuals themselves suing in a civil case.

The rest of the UK has had a biometrics commissioner since 2013. The role was created by the Protection of Freedoms Act 2012, which also covered the use and retention of fingerprints, shoe impressions and DNA samples. In Scotland, the Criminal Procedure (Scotland) Act 1995 regulates the retention of fingerprints and DNA but does not cover facial images.