Blog: One more step towards a Scottish Biometrics Commissioner
Matthew Rice writes on the need for reform of Scotland’s biometric data regime.
Scotland, unlike England, Wales and Northern Ireland, does not have an independent body overseeing the use of biometric data such as DNA, fingerprints, facial images. Neither does it have specific rules relating to the deletion of custody photographs - images of those detained or arrested but not necessarily charged with a crime. The latter could be a breach of human rights law. These two facts while surprising, are not new.
They have been raised in the past, first in 2008 and again in 2016. A report, released this month by the Independent Advisory Group on the Use of Biometric Data in Scotland, brought up these problems again - making nine recommendations, including creating an independent Biometrics Commissioner for Scotland.
The Open Rights Group made a submission to the group and welcome the work they’ve done to nudge the argument further down the road. In particular the group’s report has received almost complete backing from the Scottish government, who have accepted the majority of recommendations.
These reforms, when they arrive, will be welcome. The sooner this work begins, the better. This is about more than biometrics, this is a question of whether the Scottish government are willing to build strong, effective institutions empowered to hold public bodies to account and help to create meaningful debates in Scotland about the direction this country should travel in.
Scotland’s patchy biometrics record
The blanket retention of individuals’ biometric data is a breach of their fundamental right to privacy according to international and national courts. Scotland’s record of meeting this standard is patchy.
In the leading European case in this area S and Marper v UKfrom 2008, the court praised Scotland’s system for collection, retention, and deletion of DNA and fingerprints. In Scotland they must be destroyed immediately if taken and the person is not convicted of a crime or given an absolute discharge, save for exceptions for specific sexual and violent crimes.
When it comes to photographs however, it is a different story. There is no legislation which specifically regulates the retention periods for images, or indeed the way in which the images may be used. This has lead to the collection of over 1,000,000+ custody images by Police Scotland, with no policy for the disposal of these images. On that day in 2008 while the judges in the Marpercase were praising Scotland’s record on DNA and fingerprints, custody images were being taken that to this day are still retained.
The court in Marperwas clear: indefinite retention of biometric data is unlawful. Yet with custody photographs that is precisely what Police Scotland have found themselves doing. The Independent Advisory Group agreed with ORG’s recommendation, which in turn echoed the calls from the Biometrics Commissioner in England and Wales, that a presumption of deletion should apply for biometrics data and legislation should be passed covering DNA, fingerprints, photographs and all existing and emerging biometrics.
It is time Scotland’s record across biometric data stopped being patchy, and started following human rights law.
The need for a Commissioner
The remit of any Commissioner in Scotland seems tied to the use of biometrics in policing, but as the Open Rights Group and the Independent Advisory Group report point out, biometrics pervades much more of public life, such as the health service, and increasingly the private sector. The government should not close off the possibility of a Commissioner exercising a remit wider than policing, doing so would give provide more work for the Commissioner, justifying a full time body.
Currently, the CCTV Commissioner and Biometrics Commissioner in England and Wales are sharing an awkward moment when it comes to who oversees the use of facial recognition technology. Scotland can avoid this unhelpful distraction by establishing a modern Commissioner for all types of biometric data and technology used to capture it. This is helpful too considering there is no CCTV Commissioner in Scotland either.
The evidence for the need is piling up: a patchy record for Scotland depending on the type of biometric data you look at, which the Commissioner could have spotted and brought to the attention of the Scottish government. Debates about the use of technology are already here: consider the proposal for facial recognition at football matches in Scotland and the role a Commissioner could have played there. The only step left to be taken is for the Scottish government to recognise the solution to the problem is in front of them and set out repeatedly across three independent reports.
Scotland is missing institutions. The effect of the lack of these institutions is a practice potentially in breach of human rights. There may be more consultations to come, asking for the views of the public on creating such a body, but this should be a formality. The time to start building institutions fit for a modern Scotland is here.
- Matthew Rice is Scotland director of the Open Rights Group