Biometrics and Surveillance Camera Commissioner's annual report 2022 to 2023 (accessible)
Published 24 January 2024
The Rt. Hon. Suella Braverman, KC MP
Secretary of State for the Home Department
Home Office
2 Marsham Street
London
30 October 2023
Dear Home Secretary
Biometrics and Surveillance Camera Commissioner Annual Report – 2022/2023
As Commissioner for the Retention and Use of Biometric Material, I am required under s21(1) of the Protection of Freedoms Act 2012 (PoFA) to make a report to you about the carrying out of the Commissioner’s functions. Additionally, as the Surveillance Camera Commissioner, I am enjoined under s35(1) of PoFA to prepare a report about the exercise of my functions in that role.
I am pleased to attach my report for 2022/2023 which is my final report in the combined role of Biometrics and Surveillance Camera Commissioner. The report covers the respective responsibilities of both sets of statutory functions, and also acts as a valedictory report, so contains some reflections from my time in post.
Key points in the report include:
-
The independent gap analysis commissioned by me after discussions with the Home Office. The purpose was to analyse how the oversight of public space surveillance camera systems and biometric materials will change under the Data Protection and Digital Information Bill and identify gaps likely to arise. This study found that the abolition of your Surveillance Camera Code of Practice would create vulnerabilities for users of technologies and for the rights of individuals subject to them and, in the absence of a clear plan for how the Commissioner’s functions will be replaced, risks there being more rather than less regulatory complexity.
-
The system empowering chief police officers and others to make National Security Determinations (NSD) for the retention of biometric material continues to work effectively, and legislative changes proposed to address the deletion of foreign law enforcement data demonstrates understanding of its continuing value. However, the significant IT issues reported previously by both myself and my predecessors have continued, resulting in occasions where the NSD itself is known by all parties to be inaccurate from its creation and others where it does not accurately reflect the legislative basis on which the biometric material has been gathered and retained, or the period for which the chief officer has approved retention. While I understand that some changes to the system are now being explored, this has, in my opinion, persisted for far too long and does nothing to secure public trust and confidence in the system.
-
While this year the number of applications by chief officers under s63G of the Police and Criminal Evidence Act 1984 has increased somewhat on last year (140 applications compared with 118), my impression remains that those provisions are significantly underutilised. This is something that I have raised with Ministers and HMICFRS. My visits to forces have been hampered again this reporting year, with staff departures because of uncertainties caused by the DPDI Bill, but I maintain those we have managed to undertake have been critical to identifying and sharing good practice, and I would encourage others to consider this when determining the future arrangements for biometrics casework.
-
My work on confronting security and ethical issues in the use of surveillance camera technology has reaped dividends in the shape of positive action to cease deployment of equipment subject to the National Intelligence Law of the People’s Republic of China, and an ethical procurement position on the part of the National Police Chiefs’ Council when considering the trading history of surveillance partners.
-
My office has carried out three major surveys: two with the police and some other law enforcement bodies and local authorities on the use of surveillance camera technologies, and one on uncrewed aerial vehicles (drones). These were to gain an understanding of the extent to which such technology is deployed, and compliance with statutory responsibilities under the Protection of Freedoms Act and your Surveillance Camera Code of Practice. Response rates were disappointingly lower than those surveys carried out in previous years, and findings were that there is a general lack of awareness of what technology is held and its capabilities.
I have completed my tenure as I began: a firm advocate for the appropriate use of facial matching and other emerging biometrics by the police and for an overarching accountability framework that keeps pace with that technology, in each case meeting the legitimate expectations of the public. What seems to be a narrow and disconnected focus within the Home Office is jeopardising both and my annual report provides detail as to why.
As with previous reports, I do not believe that this annual report contains any material which might need to be excised in the public interest or for reasons of national security.
Yours sincerely
Fraser Sampson
Commissioner for the Retention and Use of Biometric Material and Surveillance Camera Commissioner
Forward
My tenure as the first Biometrics and Surveillance Camera Commissioner ends on 31 October 2023[footnote 1]. I have taken the opportunity, in this my last report, to reflect on my time in post and have included some events and issues outside the reporting period.
I believe that the abolition of the recently combined roles of Biometrics Commissioner and Surveillance Camera Commissioner as proposed by the Data Protection and Digital Information (No.2) Bill (“the Bill”) is a missed opportunity to rationalise and strengthen regulation and oversight in closely aligned sectors about which there are acute public and sectoral concerns. But I do not dwell on the arguments here; my views are set out in detail in the response to the DCMS consultation[footnote 2]. Moreover, having commissioned an independent analysis of the work of the office, the findings of which follow below, my views on abolition have not changed and, if anything, have been corroborated. It will be for others to consider those findings and decide what disparate resources will be required to plug the gaps that have been identified. At a time when many other jurisdictions value increasing oversight in the biometrics and surveillance camera arenas, it is peculiar that we appear to be moving in the opposite direction.
The gap analysis has highlighted many areas of concern amongst which are: that the rationale of simplification is not fulfilled, abolition of the government’s Surveillance Camera Code of Practice with the attendant assumption that the relevant standards and functions can be swept up as data issues, potentially within the purview of the Information Commissioner, is demonstrably false, and moving biometric casework to the Investigatory Powers Commissioner leaves functions for public space surveillance and also biometrics unaccounted for.
I have not reported on some of the statistics that have previously featured in the Annual Report as they can be found elsewhere. For example, many of the DNA and fingerprint statistics form part of the Forensic Information Database Strategy Board (FIND-SB) annual report. But there are a number of areas, which I highlight, where the statistics I report are not reported elsewhere. My office has been in discussion with FIND-SB to ensure this transparency continues when the requirements for the Biometrics Commissioner to report annually cease.
My time as the Biometrics and Surveillance Camera Commissioner has been interesting, challenging, and at times frustrating, in part because of a lack of engagement across Whitehall and often an absence of support in obtaining the resources needed to fulfil my functions: at no time have I had a full complement of staff. This frustration has also been exacerbated by the uncertainty surrounding the future of the office. I touch on some of these matters in the conclusion of this report.
Engagement has not been without success, but often that success has only been achieved through sheer persistence. In the almost three years I have been in this role I have been at the forefront of the effort to confront security and ethical issues in the use of surveillance camera technology. Highlighting of the use of surveillance camera technology linked either to human rights abuses or fundamental questions about the security of the technology has reaped dividends. For example, in November 2022 the Cabinet Office minister made a statement to Parliament instructing departments to cease deployment of surveillance systems that have been produced by companies subject to the National Intelligence Law of the People’s Republic of China. In contrast to a lack of Whitehall engagement, these particular successes have not been achieved in isolation, but largely through working with Ministers, chief police officers, police and crime commissioners, local authorities, civil society groups, academics, and not least the international news media. There has of course been other work taking place in parallel, encompassing matters beyond surveillance cameras, such as reform in the shape of the National Security and Investment Act 2021 and the Public Procurement Bill.
I leave my post at a point where there is so much more that could be done to enable the police and other agencies to harness the extraordinary technological advances in biometrics and surveillance, and to embed accountability for their use and for the proper application of the already ubiquitous Artificial Intelligence (AI). I am not confident, following my interactions with the Home Office over many months, that the benefits of bringing the two offices together and the multiplicity of work that the single office covers will be readily addressed elsewhere. That will be for others to judge over the coming months and years as biometrics and the expansion of surveillance camera technology increase against the backdrop of leaden paced legislative change.
Fraser Sampson
Commissioner for the Retention and Use of Biometric Material and Surveillance Camera Commissioner
Executive summary
This is the annual report for the Biometrics and Surveillance Camera Commissioners’ functions, reflecting connected but legally discrete responsibilities. This report fulfils the Commissioner’s statutory responsibility to provide a report to the Home Secretary in respect of the retention and use of biometrics, and to Parliament in respect of the Surveillance Camera Code of Practice.
Part 1 – Mind the Gap
The Commissioner requested an independent gap analysis following discussions with the Home Office. This analysis will help inform the Home Office about what areas might need to be filled after the abolition of the Commissioner’s role and shape his exit. The purpose was to analyse how the oversight of surveillance cameras and biometrics materials will change under the Bill’s provisions and identify gaps likely to arise.
- The Bill’s aim with reference to the Biometrics and Surveillance Camera Commissioner was to simplify, bring clarity, and future proof the oversight of surveillance cameras and biometrics materials.
- The Bill would remove the need to publish the Surveillance Camera Code of Practice, which offers governance coverage beyond data related issues. Abolition of the guidance – a touchstone document for users – would create vulnerabilities for users of technologies and for the rights of individuals subjected to them.
- The duty to report annually to Parliament would diminish transparency over how public surveillance tools are used and how biometrics are overseen while potentially undermining public confidence in these activities against the backdrop of burgeoning technology.
-
Effective deletion of the Code would affect the non-statutory functions of the Commissioner. Delivering the Commissioner’s statutory obligations is contingent on following non-statutory activities, which are held in high regard by practitioners and which have proved effective in driving up standards of procurement, and the use and legitimacy of public surveillance cameras.
- The Commissioner has become a single point of contact for users, installers, and the general public. Yet no provision has been made to replace these activities. It is unrealistic to expect other public bodies to attend to these activities in the absence of statutory obligation.
- Without a clear plan for how the Commissioner’s functions will be replaced, there is a risk that there will be more rather than less regulatory complexity.
- The argument that surveillance camera oversight is duplicated bears little scrutiny.
- Retention of the Code, given its compliance-related activities are heavily embedded in the work of local authorities, police, and other public bodies, is essential. It is unrealistic to consider that activities aimed at raising standards can be replicated without a clear designation of responsibilities and resources.
- Weakening regulatory oversight raises the prospect of cherry-picking convenient parts of a growing library of guidance and legally unenforceable digital principles.
- In the absence of the Commissioner’s role and associated functions, IPCO would appear to be well placed to absorb some of those functions.
Part 2 – Commissioner for the Retention and Use of Biometrics
Chapter 1 – Retention and Use of Biometrics for National Security purposes
- The ability for chief officers to make National Security Determinations in order to retain the biometrics of individuals assessed to present a real risk to national security remains a vital tool in policing’s arsenal. The Home Office plans to bring forward changes to legislation to address deletion of foreign law enforcement data demonstrates understanding of its continuing value.
- But there are significant issues with the IT used to record and keep under review NSDs. Updates required following legislative change from several years ago have still to be made, and in some circumstances the NSD itself cannot be amended to record the revised lawful retention period. Further, the limited functionality means that the Commissioner has been unable to fulfil his statutory obligation of keeping under review the use to which material retained under a national security determination is being put. The Commissioner has made many pleas for upgrades and these are now being addressed.
- The Commissioner’s support for the formation of a national cadre of chief officers to take responsibility for all NSDs across the UK has been proposed to seniors in CTP. If adopted, this will help reduce the number of challenges that are made by the Commissioner and his office (201 in this reporting period) and raise standards.
- In November 2022, the Commissioner wrote to the Home Secretary on a matter concerning NSDs and issues of public trust and confidence. The Commissioner pressed the Home Office to publish this report, the Home Secretary’s response (from March 2023), and a follow up letter, in line with the requirements of Protection of Freedoms Act 2012 s21(4) (PoFA), as the Commissioner does not believe that risks around publication relate to national security. The Home Office continues to consider its position on publication and, at the time of writing, we await notification of that decision.
- Provisions in the National Security Act 2023 will lead to an increase in the number of NSDs being made and requiring the approval of the Biometrics Commissioner, putting more pressure on the already failing PoFA IT application.
- The relevant legislation surrounding the making of NSDs does not require a Determination to be cancelled where retention under the NSD is no longer necessary. Operational colleagues have raised this with the office as a risk of legal challenge and will be taking this forward with policy officials in the Home Office to understand how greater certainty can be achieved.
- During this reporting period, from 515 applications made to chief officers for an NSD, 447 were made (retention agreed) by chief officers, and the Commissioner agreed with 438 of those decisions. The number of occasions where the chief officer declined an NSD has increased this year (87 compared with 57 in the last reporting period), which may reflect the amount of supporting intelligence made available to the chief officer to inform their decision. It also demonstrates that those charged with making these decisions are appropriately considering the necessity and proportionality of retention against the information they have available to them.
- But the small number of instances where the Commissioner ordered the destruction of biometric material retained under an NSD is not available this year, demonstrating another example where essential management information cannot be extracted from the NSD software.
- During this reporting period, Metropolitan Police Service (MPS) Secure Operations - Forensic Services undertook a data cleansing exercise, which identified several issues including where retention review dates had not been calculated correctly. This led to a number of records being identified that had not been sent to the National Digital Exploitation Service (NDES) within the PoFA retention period and cases not being uploaded in time, resulting in an increase in losses.
Chapter 2 – Section 63Gs
- Additional case working resource has had a positive impact on the casework backlog, which has been all but eradicated. But this progress will be undone without rapid appointment of a new Commissioner.
- In this reporting period, 140 applications were made under s63G, compared with 118 last year. The MPS have again submitted 50% of all applications. It is troubling that not all forces have made applications in the last three years, and some never have. OBSCC recently made contact again with forces who have never or not recently submitted any applications to understand the reasons for this and continue to offer assistance in upskilling. The Commissioner raised concerns about this issue with Ministers and HMICFRS.
- The subject of s63G applications can submit representations within 28 days to challenge the application that has been made. Although a voluntary option, it continues to be of concern that very few representations are submitted - only four representations in this reporting period. It remains to be seen whether this changes should the application process become more overtly ‘judicial’ under the IPC as proposed by the DPDI Bill.
Chapter 3 – International Exchange
- Resource limitations and uncertainty around the future of the office have affected the ability to undertake the dip samples anticipated in last year’s report. Similarly, owing to OBSCC resourcing constraints the Forensic Science Regulator and the Prüm Board agreed that his office could take responsibility for the Prüm audit.
- The limited statistics on international exchange and Prüm exchanges, all of which data is supplied by third parties to OBSCC, do not appear to be reported elsewhere, and the Prüm Board and FIND Strategy Board should identify where future publication best sits. As the DPDI Bill is silent on future oversight responsibility of international biometrics exchange, this is an impending gap in oversight.
Chapter 4 – Compliance, Retention, Use and Destruction
- Owing to resource constraints only four visits were undertaken to forces. Reducing the number of visits affects the ability to evidence compliance with statutory provisions.
- There have been lost opportunities for capturing biometrics in voluntary attendance (VA) cases. But NPCC now intends to publish VA guidance which will standardise processes across forces.
- The issue of the deletion of foreign law enforcement data has been highlighted in previous reports. MPS have been asked to monitor the conditions under which these records were being retained, to avoid the unlawful holdings of previous years. MPS confirms that this remains an ongoing issue which they continue to work to mitigate, whilst they await changes to legislation which will help them better manage the retention and deletion of those holdings. Some forces have implemented their own local management systems and protocols.
- In November 2022, one Forensic Service Provider (FSP) notified a quality incident which identified incorrect retention of DNA samples ranging from 54 days to 413 past the legislative retention limits. FINDS and the relevant FSP identified that the root cause was the introduction of an automated system that did not identify a change in FSP. An alternative way of generating the reports that prompt deletion has now been put in place. This is another example of oversight that is not specified in the DPDI Bill.
- Sampling errors have not reduced. Failure to seal bags correctly again features highly amongst errors, rising from 953 occasions in the last reporting year to 1214 this year. If the mitigation of changing the colour of the bag seals has been implemented in full, the results suggest it is not the solution.
- Lost samples remain an issue not helped by different interpretations between forces and FINDS of ‘lost’. Some of these issues could have been tackled through more force visits. Overall, the total number of lost samples is similar to previous years: 2081 compared to 2292 last year, but still compares well to total samples taken.
Part 3 – Public Space Surveillance
- The Commissioner’s work on confronting security and ethical issues in the use of surveillance camera technology has reaped dividends in the shape of positive action to cease deployment of equipment subject to the National Intelligence Law of the People’s Republic of China on sensitive sites; the encouragement of police and local authorities to recognise the ethical issues around procurement and deployment of surveillance technology; and recognition of the need for a review of public space surveillance. These remain works in progress.
- Given that the Bill will remove the requirement for the Secretary of State to publish a code of practice, thus effectively abolishing it, work has been paused on the National Surveillance Camera Strategy, particularly as the industry experts that devote time to the strategy do so on a voluntary basis.
- The office carried out three major surveys: two with the police (and some other law enforcement bodies) and local authorities on the use of camera surveillance technologies, and one with the police on the use of uncrewed aerial vehicles (UAV, or ‘drones’).
- Response rates compared to previous surveys were disappointing: 91% in the police survey against 100% in previous years. This survey identified the need for further guidance around the use of existing technology where there are security and/or ethical concerns; that the full capability of some of the technology was not fully understood at purchase or further down the line, reinforcing the need for due diligence as part of the procurement process; and that there is very little evidence of penetration testing when considering the cyber security of equipment.
- The survey of local authorities was to gain a better understanding of the extent to which they are complying with their statutory responsibilities arising from the PoFA and the Surveillance Camera Code of Practice. The response rate was lower than that achieved in 2020 (50%). The key finding was that a more robust policy around procurement must be in place and that collaboration between local authorities and other organisations is low, even with the police.
- The response rate to the UAV survey was 77%. Of the respondents only three forces stated that they do not use UAVs but there is a lack of awareness around security risks and how to mitigate such. As with the findings of the other two surveys the need for guidance on procurement was clear. Further, forces need a single, overarching approach from elected local bodies to ensure best practice and accountability.
- Owing to a lack of clarity from the Home Office about where non-statutory activity within the Commissioner’s responsibilities for surveillance cameras will lie after the DPDI Bill/Act commences, it was decided to close the Secure by Default certification scheme in June 2022. Similarly, third-party certification, in the absence of a commitment by any body to take on the scheme, was closed to new applicants on 31 July 2023. This decision ensures certification bodies, their clients, and other interested parties have certainty in advance of the Bill coming into force. This decision was also taken against the backdrop of organisations wanting to become certified or become accreditors.
- This year with the help of a previous Surveillance Camera Commissioner we set up the ANPR Working Group, which met for the first time in January 2023. The aim of the group is to bring together police, academics and industry experts to highlight the gap in the governance of ANPR that will be left when the office is abolished, and leaves a space for those experts in the field to come together thereafter. In light of concerns around the use of ANPR, the Commissioner wrote to the Secretary of State for Transport in early October 2023, urging him to consider modernising the way in which vehicle registration, roads surveillance and ANPR systems are regulated generally, and highlighting the enduring risks arising from the ANPR system.
Part 4 – Reflections and Conclusion
- The work of the Commissioner’s office has been hampered by bureaucracy and a poor level of engagement. These bureaucratic challenges have centred on recruitment and commercial work. Never having a full complement of staff meant that casework built up with a consequent focus on throughput rather than quality, and an inability to undertake enough police visits.
- Whitehall engagement has been very mixed: there have been some very high quality and fruitful interactions but also a complete lack of interest elsewhere, including correspondence being ignored.
- Notwithstanding the abolition of the office, there seems to be a narrow biometrics focus within the Home Office on DNA and fingerprints, which risks legislation and oversight falling behind the technology. The Commissioner remains unconvinced that gaps highlighted in the gap analysis report will be readily filled and that bodies, such as the ICO, will have the capacity, legislative authority, or capability to fill those gaps. That will leave the public and users in the arena vulnerable.
Part 1 - Mind the Gap
1. I had intended to end my tenure as the Biometrics and Surveillance Camera Commissioner in March 2023, which would have coincided with what had been predicted as the time when the Data Protection and Digital Information Bill (DPDI Bill, ‘the Bill’) would achieve Royal Assent. However, the passage and timing of legislation can often be unpredictable, and as the introduction of the Bill slipped, I was persuaded to extend my tenure as the Biometrics and Surveillance Camera Commissioner. This had a number of consequences, one of which was resetting an exit strategy for my office. In tandem, the Home Office, as part of their exit approach, were questioning what might follow after my role and office were abolished. Following discussions with the Home Office, I commissioned an independent gap analysis, which would help answer the Home Office’s questions and shape my exit. The purpose was to analyse how the oversight of surveillance cameras and biometrics materials will change under the Bill’s provisions, and identify gaps likely to arise. 2. The full gap analysis, which was undertaken by Professor Pete Fussey and Professor William Webster, was published on my website in the final few days of October[footnote 3]. I have extracted the headline findings and observations from the executive summary of the report below: - The importance of meaningful oversight and regulation is underscored by the acceleration in the capability and reach of surveillance technologies. This need for oversight is exemplified in the government’s ambition to embed facial recognition technology in UK law enforcement. - The Bill’s aim with reference to the Biometrics and Surveillance Camera Commissioner was to simplify, bring clarity, and future proof the oversight of surveillance cameras and biometrics materials. - The key arguments for changing the current oversight arrangements are: simplification given oversight is fragmented; a belief that sufficient oversight coverage exists in the shape of the ICO, Equality and Human Rights Commission, HMICFRS, and the Home Office Forensic Information Databases Board; duplication of oversight creates difficulties for policing, local authorities, and other public agencies; and an intention to adopt a ‘principles-based approach’ to address the problem of highly specified technology focused legislation that can become outdated.
- The Bill would remove the need to publish the Surveillance Camera Code of Practice, which offers governance coverage beyond data related issues. Abolition of the guidance – a touchstone document for users – would create vulnerabilities for users of technologies and for the rights of individuals subjected to them. This would also have the effect of undermining ambitions for simplification of oversight.
- Some of the other key purposes of the extant legislation (PoFA) would also disappear: driving up standards, ensuring best practice, and providing reassurance to the public that cameras are being used appropriately.
- The duty to report annually to Parliament would diminish transparency over how public surveillance tools are used and how biometrics are overseen while potentially undermining public confidence in these activities against the backdrop of burgeoning technology.
- Effective deletion of the Code would affect the non-statutory functions of the Commissioner. Delivering the Commissioner’s statutory obligations is contingent on following non-statutory activities, which are held in high regard by practitioners and which have proved effective in driving up standards of procurement, and the use and legitimacy of public surveillance cameras. Consequently, the following would be lost:
- The National Surveillance Camera Strategy for England and Wales, which is the vehicle used to meet the statutory obligation to encourage compliance with the Code, and building awareness with the public, which affects public trust and confidence.
- The certification scheme and self-assessment tool to demonstrate compliance with the Code.
- The Surveillance Camera Standards Group defining minimum technical specifications and necessary standards.
- The Buyer’s toolkit setting out detailed procurement guidelines.
- Development of training modules to support those using surveillance camera systems.
- Engagement with public and practitioners which was highlighted by law enforcement bodies and other practitioners, whereby early advice could be obtained, standards met, and errors avoided. In this way oversight is seen as a means of facilitating public safety initiatives.
- Addressing issues of emerging concern illustrated by the formalisation of governance structures for ANPR, and the addressing of security risks brought by some foreign manufactured surveillance cameras on sensitive public sites.
- The Commissioner has become a single point of contact for users, installers, and the general public. Yet no provision has been made to replace these activities. It is unrealistic to expect other public bodies to attend to these activities in the absence of statutory obligation.
- Without a clear plan for how the Commissioner’s functions will be replaced, there is a risk that there will be more rather than less regulatory complexity.
- The argument that surveillance camera oversight is duplicated bears little scrutiny:
- there are significant, demonstrable differences between the Code and the ICO’s Video Surveillance Guidance;
- reducing surveillance into data protection limits recognition of potential surveillance-related harms, restricts the prospects for their migration, and denies the opportunity for remedy. And, as such, constitutes depletion of meaningful oversight;
- while there is some overlap between data protection and surveillance, disparities are significant. Moreover, acknowledgement of this difference is why other UK legislation aimed at regulating surveillance activities exists;
- surveillance practices engage a range of rights that extend beyond issues of data protection;
- oversight by other public bodies cannot be readily achieved. Those that might step in, such as the ICO, would probably need additional resource and capability suggesting there is no duplication with the Commissioner. Other named bodies have either limited or no discernible track record in the surveillance camera or biometric materials arenas;
- there is apparent confusion in government reasoning over the difference between inspectorate roles, oversight, regulatory functions, and issues of independence.
-
It is sensible to limit the specificity of technology-focused legislation by adopting a principles-based approach or effecting technologically neutral laws to avoid inevitable obsolescence. But the Bill presents issues: there are no details on what the principles are or how they would be enforced; there is no mention of guidance or compliance mechanisms save for those on data management; future proofing for biometrics seems limited to DNA and fingerprinting; there are implications for emerging technologies such as facial recognition though an entry point might be via ‘remote biometric identification’.
-
Retention of the Code, given its compliance-related activities are heavily embedded in the work of local authorities, police, and other public bodies, is essential. There is widespread support for this in the practitioner community. It is unrealistic to consider that activities aimed at raising standards can be replicated without a clear designation of responsibilities and resources. This is exacerbated by advancements in technology and issues concerning public trust and confidence.
-
Weakening regulatory oversight raises the prospect of cherry-picking convenient parts of a growing library of guidance and legally unenforceable digital principles. Strong, legally enforceable regulations bring clarity and certainty to how rapidly growing technologies could be used in accordance with the law.
-
Absent the Commissioner, it is difficult to identify where the Code, if retained, could be located, and where enforcement of such could lie.
-
In the absence of the Commissioner’s role and associated functions, IPCO would appear to be well placed to absorb some of those functions. With practices focused on authorisation of intrusive surveillance techniques, a role involving inspections and review, they could undertake some of the Commissioner’s activities relating to surveillance.
- Bringing this wider range of activities into IPCO would desegregate the oversight of biometric surveillance but also address the future challenges raised by the blurring of overt and covert surveillance.
Part 2 – Commissioner for the Retention and Use of Biometrics
3. I do not intend to rehearse the legislative backdrop to the police’s retention and use of biometrics or the decision-making powers of the Biometrics Commissioner, nor will I draw attention to the other independent oversight of police use of biometrics that exists at the time of writing. Instead, I politely direct the reader to my last annual report to find that detail[footnote 4].
Chapter 1 – Retention of biometrics for national security purposes: National Security Determinations (NSD)
Utility
4. It is clear to me that the ability for chief officers to make National Security Determinations in order to retain the biometrics of individuals assessed to present a real risk to national security remains a vital tool in policing’s arsenal. That the Home Office plans to bring forward changes to legislation to address the previously highlighted issue of deletion of foreign law enforcement data (see paragraphs 19 and 20 in my 2021/2022 annual report for background) demonstrates understanding of its continued value[footnote 5]. As ever, I extend my thanks to the various members of Police Scotland who continued to facilitate my access to the relevant IT required to consider NSDs.
5. There remains, however, significant issues with the IT used to record and keep under review NSDs, and on which I record my agreement (or otherwise) to the retention of the relevant biometrics. Updates required following legislative change from several years ago have still to be made, and this means the NSD endorsed by the chief officer is known by all parties to be inaccurate in material particulars from the time of its creation. For example, where biometrics are taken under recent legislation aimed at hostile state activity, the system has not been updated to include that, and therefore the only option is to record the NSD under the wrong legislation. Other instances include when I challenge a chief officer on the proportionality of the retention period they have approved and the chief officer subsequently revises retention to three years, the NSD itself cannot be amended to record the revised lawful retention period and will continue to show the original disproportionate period. In the same vein, the limited functionality not only afforded to my team and I, but also to NDES colleagues, means that I have been unable to fulfil my statutory obligation of keeping under review the use to which material retained under a national security determination is being put. It has proven impossible to obtain information I have requested, other than by doing a manual search of every extant NSD. I have raised this issue with CT Command, as I have done previously, and have highlighted this as an issue with the Investigatory Powers Commissioner, ahead of his taking responsibility for reviewing NSDs as and when the Bill comes into force. I think it fair to say that all those forced to use the application acknowledge its many failings, and I was dismayed to hear recently that funding previously made available to at least do some remedial work had been “de-prioritised”. At the time of writing, however, I am advised that an upgrade has been resurrected and hope that the revivified system both supports the production of basic management information and also that my successor is permitted access to it.
6. In my last annual report, I recorded my support of the formation of a national cadre of chief officers to take responsibility for all NSDs across the UK. This will assist in addressing some of the more fundamental errors I encounter when reviewing NSDs, improve consistency and consequently reduce the number of challenges that my office and I make (of which there have been 201 in this reporting period). I understand this is something that has been proposed to seniors in CTP, and encourage its formation, as well as a group of chief officers’ proxies who are often involved in the drafting stage, because of the continued variations I see in the standard of NSDs. These range from minor spelling and grammatical errors to more fundamental errors such as the inclusion of several entirely different names within the same NSD.
7. During this reporting period, my team and I have again spoken and written to a number of chief officers responsible for making NSDs and their proxies, provided advice and set out best practice around the details I expect to see in their comments. This includes:
- The subject should be expressly identified by reference to their full name by the chief officer not simply their family name.
- That the NSD is to retain the subject’s biometric data, and not a sample (sample having a specific meaning in biometrics legislation).
- Considerations should be made around the necessity and proportionality of retaining the subject’s biometric data, and reasoning around the period for which retention is approved.
8. The formation of a chief officer cadre will assist enormously in ensuring the recording of their decisions contain all the necessary information for the Investigatory Powers Commissioner to review in the future, and my office will continue to work with everyone involved in the NSD process to continue to raise standards.
Section 21 report to the Home Secretary
9. In November 2022, I wrote to the Home Secretary on a matter concerning NSDs and issues of public trust and confidence. I have pressed the Home Office to publish this report, the Home Secretary’s response (from March 2023), and a follow up letter I sent to the Home Secretary and Security Minister in July, in line with the requirements of Protection of Freedoms Act 2012 s21(4)[footnote 6] (PoFA) as I believe the risks from publication are not related to National Security. Since November, I have received two Freedom of Information Act requests for disclosure of the report and any response to it and, understanding that they were intended for future publication by the Home Office in line with s21, I did not disclose them. I now understand that the Home Office is considering its position on publication and, at the time of writing, await notification of that decision.
Legislative changes
10. The National Security Act 2023 contains provisions mirroring those in the Terrorism Prevention and Investigations Measures Act 2021, allowing chiefofficers to make National Security Determinations for offences relating to espionage, sabotage and people acting for foreign powers. Once commenced, these provisions will lead to an increase in the number of NSDs being made and requiring the approval of the Biometrics Commissioner, putting more pressure on the already failing PoFA IT application. 11. To my mind, there are questions around how an issue that is purely related to national security should be dealt with by the police. For reasons set out in paragraph 22 of last year’s Annual Report about organisations using Counter- Terrorism Act 2008 (CTA) s18B powers, it will be interesting to see the extent to which these provisions are used by law enforcement bodies other than policing. 12. In carrying out my NSD functions, it has not escaped my notice that the relevant legislation surrounding the making of NSDs does not require a Determination to be cancelled where retention under the NSD is no longer necessary. For example, where the subject has been convicted of a recordable offence. Operational colleagues have raised this with my office as a risk of legal challenge, and will be taking this forward with policy officials in the Home Office to understand whether greater certainty can be achieved through a policy decision, or whether amendments to legislation are required.
NSD decisions
2018 | 2019 | 2020 | 2021/2022* | 2022/2023** | |
---|---|---|---|---|---|
Total possible NSD applications processed | 1480 | 1374 | 1719 | 892 | 515 |
Renewal NSDs considered | 448 | 262 | 154 | 415 | 90 |
New NSDs considered | 1032 | 1112 | 1565 | 477 | 425 |
NSDs made by Chief Officer | 497 | 398 | 406 | 835 | 447 |
Renewals | 228 | 117 | 209 | 392 | 76 |
New NSDs | 269 | 281 | 197 | 443 | 371 |
NSDs declined by Chief Officer | 32 | 25 | 11 | 57 | 87 |
Renewals | 15 | 7 | 5 | 22 | 14 |
New NSDs | 17 | 18 | 6 | 35 | 73 |
NSDs supported by the Commissioner | 468 | 367 | 155 | 927 | 438 |
NSDs challenged or further information sought | 55 | 26 | 85 | 226 | 201 |
Destruction ordered by Commissioner | 11 | 6 | 0 | 3 | Not available |
Source: SO15
NB: some NSDs considered in a year may have been submitted the previous year
*01 January 2021 to 31 March 2021
**01 April 2022 to 31 March 2023
13. During this reporting period, from an overall 515 applications made to chief officers for an NSD, 447 were made (retention agreed) by chief officers, and I agreed with 438 of those decisions. Of the nine other cases, some will inevitably be carried over to this reporting year, and where I have requested further information, or have challenged the chief officer’s rationale for retention, a response was outstanding at the end of March.
14. The number of occasions where the chief officer declined an NSD has again increased this year (87, compared with 57 in the last reporting period). A possible reason for this has been put forward by National Digital Exploitation Services (NDES) colleagues about the amount of supporting intelligence made available to the chief officer to inform their decision, and reasons for refusal include limited information being made available, or not meeting the criteria to support retention. This demonstrates that those charged with making these decisions are appropriately considering the necessity and proportionality of retention against the information they have available to them.
15. The small number of instances where I have ordered the destruction of biometric material retained under an NSD is not available this year: this is another example where essential management information cannot be extracted from the NSD software, and a miscommunication between my office and colleagues in NDES means it has not been manually recorded. There have also been issues in obtaining data around matches between DNA profiles retained under an NSD and the national policing databases, and I have been provided with no data for this reporting period (see table below).
Matches with NSD retained material
Source: SOFS
Type of biometric match | 2019 | 2020 | 01 Jan 2021 to 31 March 2022 | 01 April 2022 to 31 March 2023 |
---|---|---|---|---|
Fingerprint crime stain to tenprints | 4 | 4 | 2 | 2 |
Tenprints (arrestee/Sch 7, etc) to tenprints | 106 | 48 | 112 | 142 |
DNA crime scene stain to DNA reference profile | 1 | 0 | 2 | Not available |
DNA reference profile to DNA reference profile | 20 | 11 | 87 | Not available |
DNA arrestee to DNA reference profile | 8 | 6 | 24 | Not available |
Losses of biometric material of potential CT interest
Source: SO15
Reason for loss of biometric data | 2019 | 2020 | 01 Jan ‘21 to 31 Mar ‘22 | 01 Apr ‘22 to 31 Mar ‘23 |
---|---|---|---|---|
Administrative error by SO15/SOFS | 4 | 1 | 1 | 11 |
Case not reviewed by Chief Officer within statutory time limit | 0 | 0 | 0 | 1 |
Case not progressed within statutory time limit | 0 | 0 | 0 | 5 |
Taking of material not notified to SOFS | 0 | 0 | 0 | 0 |
16. During this reporting period, MPS Secure Operations - Forensic Services (SOFS) undertook a data cleansing exercise ahead of moving onto a new IT system in 2023, which will allow computerised control of the data and prevent future loses. During this process, a number of issues were identified with the current system, where retention review dates had not been calculated correctly. This in turn led to a number of records being identified that had not been sent to NDES within the PoFA retention period and cases not being uploaded in time, resulting in an increase in losses. Other process issues around receiving biometrics in a timely manner, thus creating a delay in receipt by NDES for PoFA review, have also been identified as a national issue for CT policing, and have been raised by them at corporate level.
Holdings of biometric material on the CT databases
Source: SOFS
2020 | 2021/22* | 2022/2023 | |
---|---|---|---|
DNA | 9747 | 10301 | 11206 |
Of which unconvicted | 2143 (22%) | 2220 (21.6%) | 2566 (22.9%) |
Fingerprints | 11833 | 12839 | 13268 |
Of which unconvicted | 1939 (16%) | 2309 (17.9%) | 2388 (18%) |
Total holdings of material | 21580 | 23140 | 24474 |
Of which unconvicted | 4082 (19%) | 4524 (19.6%) | 4697 (19.2%) |
Individuals on databases | 12676 | 13537 | 13968 |
Of which unconvicted | 2099 (17%) | 2442 (18%) | 2521 (18%) |
*Fingerprint data covers period 01 January 2021 to 31 March 2022, and DNA 01 January 2021 to 01 August 2022.
Chapter 2 - Section 63Gs
Applications to retain DNA and fingerprints
17. Where there are compelling reasons to justify it, a chief officer may consider making an application to the Biometrics Commissioner for the extended retention of the biometric material of a subject, with no previous convictions, who has been arrested for a qualifying offence but is not charged. Such applications may only be made where the chief officer believes that retention is both necessary for the prevention or detection of crime, and proportionate in all the circumstances of the case. The process and considerations are explained in more detail in appendix C of my previous annual report, and detail on the core principles and approach to assessing s63G applications is set out in the guidance document issued by FIND-SB[footnote 7].
18. My office continues to have good working relationships with forces, with a consistent focus on ensuring that the content and quality of applications submitted by forces are to the standard required. Forces receive a quarterly update from my office which highlights how applications can be improved. Forces are also encouraged to get in to touch with my office should they require support on the application process, and where necessary, they can be directed to another force for support. It should be acknowledged that the Metropolitan Police Service has been most forthcoming in its assistance to other forces with the s63G application process, including recently agreeing to share some of their applications with other forces as examples of best practice.
19. The successful recruitment of additional case working resource has had an encouraging impact on the casework backlog, which had built up for a number of reasons, such as only having one of my allocated caseworkers. The backlog has been all but eradicated, allowing me to review cases in a far more timely manner, and I extend my thanks to my team for this achievement. But I am concerned that this good work will be for nought, if the Home Office is unable rapidly to identify and appoint a Biometrics Commissioner on my departure to continue to fulfil the statutory requirements around National Security Determinations and retention under s63G of the Police and Criminal Evidence Act 1984.
20. In this reporting period (April 2022 to March 2023), 140 applications were made under s63G, compared with 118 during the previous year (April 2021 to March 2022). As noted in my last report, the MPS have again submitted 50% of all applications. It remains of concern that not all forces have made applications in the last three years, and some never have. The table below shows the numbers of applications made by forces this year and compares that figure with the number made since the provisions came into force in October 2013. My office has recently made contact again with all those forces who have never or not recently submitted any applications under s63G, to understand the reasons for this (force priorities, lack of understanding, lack of resource, etc), and continue to offer assistance in upskilling.
Number of applications to the Commissioner by force
Force | April 2022-March 2023 | Total since 31 October 2013 |
---|---|---|
Avon & Somerset | 3 | 10 |
Bedfordshire | 1 | 9 |
Cambridgeshire | 0 | 16 |
Cheshire | 0 | 0 |
City of London | 0 | 0 |
Cleveland | 1 | 12 |
Cumbria | 0 | 2 |
Derbyshire | 0 | 1 |
Devon & Cornwall | 7 | 37 |
Dorset | 0 | 9 |
Durham | 1 | 5 |
Dyfed-Powys | 0 | 0 |
Essex | 9 | 49 |
Gloucestershire | 2 | 5 |
Greater Manchester | 0 | 3 |
Gwent | 0 | 5 |
Hampshire | 1 | 10 |
Hertfordshire | 2 | 13 |
Humberside | 2 | 25 |
Kent | 1 | 31 |
Lancashire | 0 | 0 |
Leicestershire | 2 | 2 |
Lincolnshire | 0 | 1 |
Merseyside | 0 | 0 |
MPS | 71 | 558 |
Norfolk | 0 | 1 |
North Wales | 0 | 4 |
North Yorkshire | 1 | 5 |
Northamptonshire | 0 | 2 |
Northumbria | 1 | 24 |
Nottinghamshire | 2 | 2 |
Staffordshire | 0 | 0 |
South Wales | 2 | 33 |
South Yorkshire | 6 | 19 |
Suffolk | 0 | 0 |
Surrey | 0 | 0 |
Sussex | 0 | 0 |
Thames Valley | 1 | 34 |
Warwickshire | 3 | 7 |
West Mercia | 0 | 6 |
West Midlands | 0 | 0 |
West Yorkshire | 21 | 94 |
Wiltshire | 0 | 3 |
Total | 140 | 1037 |
21. The majority (40%) of all applications this year have been made in relation to allegations of sexual offences, the majority of which were approved. The number of applications submitted in 2023 shows that applications continue to rise. As of 28 September 2023, 129 had been submitted. If similar numbers continue, we may receive around 170 applications by the end of 2023.
22. As highlighted in my last report, I am of the view that s63G provisions are underutilised. Whilst more applications are being made, these are predominantly produced by two forces, who submitted 66% of applications between them. There were 14 forces that only made 1 or 2 applications each. In March, I raised these concerns with the then Lord Chancellor and Secretary of State for Justice, the Rt Hon Dominic Raab MP. Following his departure, the concerns were then forwarded to the Rt Hon Alex Chalk KC MP in April 2023 but at the time of writing this report, I have not received a reply. In my last weeks in post, I have also raised these concerns in a letter to Andy Cooke, Chief Inspector at HM Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS)[footnote 8]. Given HMICFRS has the role of independently assessing the effectiveness and efficiency of police forces in the public interest, I have suggested this might be an area they wish to consider, particularly in the absence of any other body able to undertake such a review.
23. The Police and Criminal Evidence Act 1984 (PACE) provides that s63G applications may be made on two statutory bases: that one or more victim criteria are met (i.e. the victim was under 18 at the time of the alleged offence, that the victim was vulnerable, or that the victim was associated with the subject of the application at the time of the alleged incident) or, where the victim criteria does not apply, the retention of the biometric material is necessary to assist in the prevention or detection of crime. Between 31 October 2013 and 31 March 2023, 647 applications were made in relation to victim characteristics and 411 were made for the purpose of preventing or detecting crime. In some cases, more than one of the ‘victim criteria’ was satisfied.
Statutory basis for s63G applications to the Commissioner (31 October 2013 to 31 March 2023)
Victim criteria | Applications received | Approved | Refused |
---|---|---|---|
Under 18 | 442 | 297 | 134 |
Vulnerable | 63 | 47 | 12 |
Associated with subject of the application | 142 | 82 | 59 |
Prevention/detention of crime | 411 | 295 | 97 |
(The figures above include applications that may have been withdrawn or were invalid. Also, applications were previously counted more than once when more than one category applied.)
24. As of 30 April 2023, I have reviewed 285 biometric retention applications made by the police under s63G PACE. Of these, I approved 259 applications and refused 26 applications. The table below shows how many s63G applications have been made each year since the provision came into force and the outcome of those applications.
S63G applications to the Commissioner since provisions came into force
Year | Number of s63G applications submitted | Approved | Refused | Withdrawn |
---|---|---|---|---|
2013 | 1 | 0 | 0 | 1 |
2014 | 126 | 91 | 18 | 17 |
2015 | 123 | 78 | 29 | 16 |
2016 | 136 | 77 | 48 | 11 |
2017 | 108 | 71 | 23 | 14 |
2018 | 76 | 53 | 18 | 5 |
2019 | 65 | 52 | 10 | 3 |
2020 | 113 | 78 | 29 | 6 |
2021 | 117 | 95 | 18 | 4 |
2022 | 127 | 112 | 6 | 9 |
Outcome of applications to the Commissioner to retain biometrics for qualifying offences under section 63G PACE (31 October 2013 to 31 March 2023)
Offence Group | Total applications | Approved | Refused | Withdrawn |
---|---|---|---|---|
Murder, Attempts and Threats to Kill | 18 | 10 | 8 | 1 |
Sexual Crimes | 549 | 353 | 144 | 44 |
Assaults | 207 | 168 | 18 | 18 |
Robbery | 152 | 124 | 15 | 11 |
Burglary | 88 | 70 | 14 | 4 |
Other | 23 | 17 | 1 | 5 |
Total | 1037 | 742 | 200 | 83 |
NB: In previous years, some applications were double counted, where the application was reliant on more than one offence.)
Subject challenges to police applications
25. The subject of s63G applications (or their appropriate adult if applicable) can submit representations to challenge the s63G application that has been made. They are informed about this process at the time when the police submit the application to my office, and they have 28 days to make a representation. This is voluntary, but it continues to be of concern that very few representations are submitted. For this reporting period only four representations were made. As stated in my last report, it will be interesting to see whether this changes should the application process become more overtly ‘judicial’ under the IPC as proposed by the DPDI Bill.
Representations by subjects and outcomes
01 Jan 2018 to 31Dec 2018 | 01 Jan 2019 to 31 Dec 2019 | 01 Jan 2020 to 31 Dec 2020 | 01 Jan 2021 to 31 Mar 2022 | 01 Apr 2022 to 31 March 2023 | |
---|---|---|---|---|---|
Total applications received | 76 | 65 | 113 | 150 | 140 |
Representations from subjects | 8 (10.5%) | 4 (6%) | 9 (8%) | 6 (4%) | 4 (3%) |
Preliminary applications
26. A preliminary application can be made if a chief officer has concerns about disclosing certain information to the subject of the application, for example intelligence about live criminal activity or sensitive witness statements. The force can discuss with my office whether the information can be withheld from the subject before they formally submit the application. As of 30 June, I have considered five such applications, all of which I approved the withholding of certain information from the subject. Prior to my tenure, 17 preliminary applications were submitted to the office.
Applications to a District Judge
27. In cases where I approve a s63G biometric retention application, the biometrics can be held for three years from the date they were taken. If the police wish to retain them for a further period of two years, they can apply to a district judge. There is no requirement for forces to inform my office about such applications. ACRO Criminal Records Office (ACRO) reporting in July showed that at the time, there were no subjects that had extended retention periods applied against them.
UZ Marker reviews
28. Police forces are able to place a ‘marker’ (UZ marker) on the Police National Computer (PNC) profile of an arrestee if they intend to make a section 63G application to the OBSCC for the retention of their biometrics. If no UZ marker is added to the PNC, the DNA profile and fingerprints are automatically deleted 14 days after the No Further Action (NFA) date. The UZ marker prevents the automatic deletion of the relevant arrestee’s biometric records and allows the force to prepare and submit a section 63G application for my consideration. This should be submitted to my office within 28 days of the NFA date.
29. Once an application has been received, the UZ maker remains live on the PNC until a decision has been reached. If the application is approved, the marker remains in place for three years from the date the biometrics were taken. It must however be removed immediately if the application is refused, triggering an immediate deletion of the arrestee’s biometric data.
30. I am provided by ACRO with a monthly report which gives brief details of every UZ marker that appears on the PNC. This enables me to monitor the number of UZ markers in use and to check the data provided against my own records of applications made to me. These reports are reviewed quarterly.
31. Analysis for this reporting period shows that forces have mostly been applying the UZ marker correctly and have been removing the marker carefully when the 3-year retention period expires or when an application for retention is refused. However, there have been some instances of a continued inappropriate use of the UZ marker, for example where it has simply been erroneously applied, or applied and then no formal application for retention under section 63G PACE has been made. If such a marker remains in place incorrectly, this can easily lead to biometrics being unlawfully retained. My office reviews the markers on a quarterly basis and, where such incidences exist, forces are asked to remove the UZ marker and confirm when this has been done. There have been a few instances where a force has submitted an application but have failed to apply the correct UZ marker to the PNC. In those instances, the application has had to be withdrawn as there is no biometric data to retain.
32. My office will continue to keep the use of UZ markers under review, and are working to identify whether this monitoring will continue to sit alongside the biometrics casework function moving across to IPCO which, given how it relates to the s63G process, seems to me the most logical step, or where else it may rest.
Chapter 3 – International Exchange
33. Resource limitations and uncertainty around the future of the office have affected my ability to undertake the dip samples I endeavoured to undertake in my last annual report. Whether this activity is taken forward by others is now a matter for the FIND Strategy Board and others to decide.
34. Similarly, the Prüm audit was activity I identified early during the reporting year as something that my office would not be resourced to undertake. Discussions with the Forensic Science Regulator and the Prüm Board led to agreement that his office could take responsibility for the audit. My office stands by to provide what limited assistance they can, should this take place before the proposed abolition.
35. I report here limited statistics on international exchange and Prüm exchanges, all of which data is supplied by third parties to my office for the purpose of my annual report. I am not aware that they are reported elsewhere, therefore in the interests of continued transparency once my office is abolished, I would encourage the Prüm Board and the FIND Strategy Board to identify where future publication best sits.
36. More broadly, given that the DPDI Bill is silent on future oversight responsibility of international biometrics exchange, I also highlight this impending gap in oversight, particularly around the existing requirement that my office is notified of any concurrent international exchanges of DNA profile and demographic data. Whilst my office has received no such notifications again this year, this notification requirement remains part of the Home Office’s International DNA and Fingerprint Exchange policy document for the UK[footnote 9], and so requires some consideration.
Prüm
37. Paragraphs 48 to 52 of my annual report for 2020 to 2021 provide detail on what the Prüm Council Decision of 2008 is and what it allows for around DNA and fingerprint searching within the EU, and the conditions around the UK’s participation. These exchanges between the UK and EU Member States are not provided for under the UK-EU Trade and Cooperation Agreement.
Prüm DNA
38. Prüm DNA exchange is administered by the MPS through a decentralised copy of the National DNA database. At the time of writing, the UK is now connected to 22 Member States[footnote 10] for the purpose of Prüm DNA exchanges, representing more than 90% of European DNA holdings. There has been a further fall in the number of legacy hits in this reporting period compared to last, for both UK crime stain hits and, more significantly, UK subject hits. The fall in legacy hits is to be expected, as these are hits generated at the point of connection to another country.
Prüm Step 1 DNA exchanges – UK matches
Source: MPS
Legacy hits (2020) | Legacy hits (01 Jan 2021 to 31 Mar 2022) | Legacy hits (01 Apr 2022 to 31 Mar 2023) | Business as usual hits (2020) | Business as usual hits (01 Jan 2021 to 31 Mar 2022) | Business as usual hits (01 Apr 2022 to 31 Mar 2023) | |
---|---|---|---|---|---|---|
UK crime stain hits | 1347 | 451 | 337 | 3141 | 2513 | 2189 |
UK subject hits | 4345 | 388 | 1091 | 46249 | 59521 | 29107 |
39. Following scientific verification that a match is a true one, the UK can request further information, which is Step 2. Step 2 is the point at which demographic data and crime investigation details may be exchanged: prior to this, the data is anonymised.
40. Step 2 requests may be outbound (request made by the UK where there has been a match of UK data against a Member State’s systems and that match has been verified) or inbound (where there is a verified match against UK systems for a Member State, and that State carried out a request to the NCA for the associated demographic information).
Prüm Step 2 DNA exchanges
Source: NCA
Outbound from the UK | *Total: 1764 | Intelligence packages received |
---|---|---|
Step 2 hit with a person profile | 1233 | 1233 |
Step 2 hit with a crime scene | 444 | 444 |
Inbound from the UK | *Total: 1190 | Intelligence packages disseminated |
---|---|---|
Step 2 hit with a person profile | 803 | 803 |
Step 2 hit with a crime scene | 334 | 334 |
*Totals include cases which were ongoing, no match, or no further action. Breakdown on the statistics below these totals exclude these three categories.
Prüm fingerprints
41. The UK is now (at the time of writing) connected to 20 Member States for Prüm fingerprints purposes[footnote 11]. An automated feed permits the comparison of fingerprints (Step 1), and once a hit occurs, the requestor verifies the hit and makes the Step 2 request for the intelligence linked to the tenprints or crime mark. In contrast to Prüm DNA, where DNA profiles are checked against a Member State’s holding at the point of collection, Prüm fingerprints continue to operate on a quota basis, which are designed to limit the manual resource required to verify matches, and are mutually agreed. The figures in the tables below are, therefore, much smaller than those for DNA exchanges, reflecting both the limiting quota, and the fact that fingerprint data is not constantly compared but is compared at a moment in time.
Prüm Step 1 fingerprint exchanges
Source: NFO
Outbound | |
---|---|
Searches requested | 1780 |
Prüm Step 2 fingerprint exchanges
Source: NCA
Outbound from the UK | Total | Intelligence received |
---|---|---|
Step 2 hit with a person | 128 | 128 |
Step 2 hit with a crime scene | 0 | 0 |
Inbound to the UK | Total | Intelligence disseminated |
---|---|---|
Step 2 hit with a person | 137 | 137 |
Step 2 hit with a crime scene | 2 | 2 |
Chapter 4 – Compliance, Retention, Use and Destruction
Compliance visits
42. In my last annual report, I noted the volume of preparatory work required, both in force as well as by my office, ahead of my visits to police forces as part of my oversight of their retention and use of biometrics. Owing to staff departures and the inability to recruit replacements (an issue that I cover in more detail elsewhere in this report), I have only been able to visit Dorset in April, and virtual visits with Surrey and Sussex in July, with an online visit taking place with Nottinghamshire Police in the final weeks of my period of reappointment. This is frustrating for all involved, as it means I have been unable to visit those forces which featured in earlier plans for visits and follow up on recommendations made as a consequence of previous visits, as I had intended. The knock-on effect is the difficulty this presents in evidencing compliance with the statutory provisions, and the identification of good practice to be shared between forces.
43. Nevertheless, I was as ever grateful for the time and effort forces put into these visits, not only on the day but also in supporting my office to prepare for the visit, and have been pleased to hear of the ongoing support my office has been able to provide them in their consideration of my post-visit recommendations.
44. Whilst falling outside of this reporting period, I mention here that I had hoped to conduct a similar visit to NCA in the first part of 2023. As it became increasingly clear that would not be possible for my office, I instead wrote to the NCA’s Director General in June 2023, seeking an update on the recommendations made by my predecessor following his visit in 2020. At the time of writing, I had yet to receive a response from NCA, although understand that it is being worked on.
Voluntary attendance
45. Having highlighted the lost opportunities for capturing biometrics in cases of voluntary attendance (VA)[footnote 12], I am pleased to hear that NPCC intend to publish national VA guidance, which will standardise the process across all forces. This is welcome news, and my office has reached out to those tasked with drafting this guidance to pass on valuable lessons we have learned from our force visits.
Deletions
46. In previous annual reports, I have highlighted an issue with the deletion of foreign law enforcement data (see paragraph 85 onwards in last year’s report), where records received were retained out of time, and note the legislative changes proposed by the Home Office to rectify the issue. I had asked the MPS for an update on these holdings, to ensure they were keeping on top of the situation by monitoring the conditions under which these records were being retained, to avoid the unlawful holdings of previous years. Whilst I await a formal response to this request, I understand from conversations I have had with MPS colleagues responsible for these retentions that this is an ongoing issue which they continue to work to mitigate, whilst they await changes to legislation which will help them better manage the retention and deletion of those holdings of biometric material received from international law enforcement bodies. In the meantime, individual police forces such as Nottinghamshire Police have implemented their own local management systems and protocols.
47. In November 2022, my office was notified of a quality incident by one of the Forensic Service Providers (FSPs) which related to the disposal of DNA samples, meaning a number of samples were incorrectly retained past their required disposal under the Protection of Freedoms Act. Retention ranged from 54 to 413 days past the legislative retention limits. FINDS and the relevant FSP identified that the root cause was the introduction of an automated system that did not identify a change in FSP, and I understand that an alternative way of generating the reports that prompt deletion has now been put in place. This is another example of oversight that is not specified in the DPDI Bill, and which I believe should fall to FINDS and the Forensic Science Regulator once the Bill receives Royal Assent.
Governance of national databases
48. Previous reports detail how the Forensic Information Databases Strategy Board (FIND-SB) provides governance of the national databases for both DNA (the national DNA database – NDNAD) and fingerprints (IDENT1). The DPDI Bill contains some proposed changes to the FIND-SB, including increasing the scope of the Board to also provide oversight of the IDENT1, in line with the Board’s published governance rules. Many of the statistics I and my predecessors have reported on national holdings are also published in the FIND-SB annual report.
Total holdings on IDENT1 by classification
Source: FINDS National Fingerprint and PNC Office, in consultation with IDENT1 supplier
Tenprint sets from arrestees | Number of individuals with prints on IDENT1 | Unmatched crime scene marks | Number of cases with unidentified crime scene marks | |
---|---|---|---|---|
England and Wales | 26,354502 | Data not available | 1,666975 | Data not available |
Rest of UK | 1,268773 | Data not available | 308836 | Data not available |
Foreign convictions | Data not available | Data not available | Data not available | Data not available |
Total | 27,623275 | 8,665793 | 1,975811 | 827799 |
Additions to IDENT1 (01 April 2022 to 31 March 2023)
Source: FINDS National Fingerprint and PNC Office, in consultation with IDENT1 supplier
Tenprint sets from arrestees | New individuals | Unmatched crime scene marks | Cases created with unidentified crime scene marks |
---|---|---|---|
807881 | 314455 | 119122 | 19899 |
Deletions from IDENT1
Source: FINDS National Fingerprint and PNC Office, in consultation with IDENT1 supplier
Tenprint sets from arrestees | Individual subjects | Unmatched crime scene marks | Cases with unidentified crime scene marks | |
---|---|---|---|---|
01 Jan to 31 Dec 2020 | 38731 | 140384 | 166344 | Data not available |
01 Jan 2021 to 31 March 2022 | 75345 | 168963 | 196392 | Data not available |
01 April 2022 to 31 March 2023 | 35830 | 143030 | 135045 | Data not available |
Fingerprint matches in this reporting period
Source: FINDS National Fingerprint and PNC Office, in consultation with IDENT1 supplier
Scene of crime palm mark to palm print | Scene of crime fingermark to tenprint | Tenprint to scene of crime mark | |
---|---|---|---|
Total searches | 69260 | 413997 | Data not available |
Number of matches | 3383 | 14110 | Data not available |
Match rate | 1:20.47 | 1:29.34 | 1:119.68 |
Sampling errors
49. Once a DNA sample has been taken from an arrestee in custody, that sample will be collected and taken to the scientific or forensic service used by the force. Here, checks will be conducted to determine whether the bag has been properly sealed, the barcode correctly applied, or the swab placed in the tube correctly. The sample will then be submitted to a Forensic Service Provider (FSP), which will also have a number of safeguards in place to prevent and identify any errors in processing DNA samples. Furthermore, daily integrity checks are carried out by FINDS on the DNA profile records that are loaded onto the NDNAD.
50. Failure to seal the bag correctly again features highly as an issue, rising from 953 occasions in the last reporting year to 1214 to this year, which is frustrating to see. I am not aware that the mitigating action of changing the colour of the bag seals set out in last year’s report has been fully implemented, but if it has, the figures suggest it is not the solution. Unlike the issues addressed in the following paragraphs, this is not a case of the science failing us; it is a case of us failing the science.
Force sample errors
Source: FINDS DNA
Force sample errors | Total for reporting period |
---|---|
Sample failure | 1515 |
Bag not sealed correctly | 1214 |
Sampling error | 970 |
DNA attached to incorrect PNC ID | 731 |
POFA issue | 431 |
Custody software issue | 260 |
51. By way of explanation, sample failures are a scientific fail, where the FSPs have failed the sample due to insufficient DNA or poor quality DNA. Sampling errors are general errors, such as there being a foreign body in the swab, a missing swab, or the swab placed the wrong way in the receptacle, and these can be identified by either the force or the FSP. PoFA issues relate to the submission of samples outside the legislative six-month window.
52. The custody software issue is a new category introduced in the last quarter of the reporting period, as a result of the issues that have arisen from the introduction of the MPS’s new custody system. This includes lost samples, as well as some administrative issues within force. This has displayed as an initial reporting of a large number of sample losses, but then the figure does reduce when FINDS check the lost sample against the NDNAD, and some will have been loaded. Frustratingly, this is something that I would usually pick up in my force visits, and be able to probe the force further, but I must leave this to FINDS colleagues to monitor and report on going forward.
53. I also note that Surrey and Sussex still remain unable to report how many lost samples they have, which I understand is the consequence of a difference in opinion between them and the FINDS requirements around the definition of ‘lost’. I understand that FINDS are currently reviewing the ‘lost’ samples category definition to ensure it is clearer and can be captured by all forces, and my office stand by to provide any assistance they can on the matter. All that said, the total number of lost samples remains on a par with previous years (2081, compared to 2292 last year), and compares well against the total number of samples taken.
CPIA Exception
54. In some exceptional cases, retention of DNA samples is required until a criminal investigation and allied disclosure arrangements are concluded, and a force may retain it under the ‘CPIA exception’[footnote 13]. The number of such samples for this reporting period are provided in the table below, and are broken down into two categories: those held by forces, and those held on behalf of forces by FSPs. Figures for the previous reporting period are included for comparison purposes and show an overall increase in both arrestee/PACE samples and elimination samples retained under the CPIA exception: the total number of arrestee/PACE samples has increased by 9903 to 12226, and elimination samples by 5588 to 7209. Forces are holding more arrestee/PACE samples (557, compared with 382 in 2022), as are FSPs (11669, compared with 9521 in 2022).
DNA samples held under CPIA by England and Wales forces (as of 31 March 2023)
Source: FINDS DNA
Total | 2022 | 2023 |
---|---|---|
Arrestee/ PACE samples | 9,903 | 12,226 |
Elimination samples | 5,588 | 7,209 |
Held in Force | 2022 | 2023 |
---|---|---|
Arrestee/ PACE samples | 382 | 557 |
Elimination samples | 4,480 | 5,841 |
Held by FSPs | 2022 | 2023 |
---|---|---|
Arrestee/ PACE samples | 9,521 | 11,669 |
Elimination samples | 1,108 | 1,368 |
Deletion of police records
55. The ACRO Information Management Team remains responsible for coordinating requests by individuals whose biometrics are lawfully retained by the police, and who apply for ‘early’ deletion of their records from PNC, NDNAD and IDENT1. The team there will review the deletion request and PNC to determine an applicant’s eligibility in accordance with the national guidance. All eligible applications will then be referred to the owning police force by ACRO. The chief officer of the relevant force will then decide whether the record is retained or deleted, having first taken account of the national guidance issued to support the process.
56. There was a small fall in the number of such requests received by ACRO during this reporting period, but which is on a par with previous years, and so can mostly be explained by the slightly extended reporting period of my previous annual report. As I have previously commented, this is a small percentage of records potentially eligible for destruction.
Records Deletion Process
Source: ACRO
Total applications received* by ACRO Deletion Unit | Approved by Force | Rejected by Force | Rejected as ineligible by ACRO Records Deletion Unit | Pending with Force | Pending with applicant | |
---|---|---|---|---|---|---|
01 Apr 2022 to 31 Mar 2023 | 2336 | 596 | 667 | 516 | 557 | 0 |
01 Jan 2021 to 31 Mar 2022 | 2722 | 894 | 777 | 358 | 388 | 2 |
2020 | 2233 | 671 | 566 | 454 | 497 | 20 |
2019 | 2230 | 923 | 803 | 436 | 27 | 0 |
*Breakdown does not include applications partially approved by force.
Part 3 – Public Space Surveillance
Technology and trusted partnerships
57. I have been in this role for almost three years, and for that time have been at the forefront of the effort to confront security and ethical issues in the use of surveillance camera technology. This has not been universally popular nor without its difficulties. However, as I noted in my foreword, my highlighting of the use of surveillance camera technology linked either to human rights abuses or questions about the security of the technology has reaped dividends. It has been an uphill effort, but I have been helped by a selection of Ministers, chief police officers, local authorities, civil society groups, academics, and not least the media. Other work in Whitehall has also lent weight to my work, chiefly legislative reform such as the National Security and Investment Act 2021 and the Procurement Bill.
58. I believe that these efforts have led to positive action, amongst which the most pleasing has been the Written Ministerial Statement of 24 November 2022, which noted:
The Government keeps the security of our personnel, information, assets, and estate under constant review. In this context, the Government Security Group has undertaken a review of the current and future possible security risks associated with the installation of visual surveillance systems on the government estate. The review has concluded that, in light of the threat to the UK and the increasing capability and connectivity of these systems, additional controls are required.
Departments have therefore been instructed to cease deployment of such equipment onto sensitive sites, where it is produced by companies subject to the National Intelligence Law of the People’s Republic of China. Since security considerations are always paramount around these sites, we are taking action now to prevent any security risks materialising.
59. Welcome as this move undoubtedly is, I consider this as merely a first step. Significant questions remain about ‘sensitive sites’ and sensitive activity, the narrow application of this action (which currently only addresses government departments) and how what I have termed ‘digital asbestos’ can be expunged.
60. At the same time, I have tried to get the police and local authorities to recognise the obvious ethical issues in their procuring and deploying surveillance technology associated with ethnic profiling and human rights abuses elsewhere in the world. To paraphrase the Chair of the Uyghur Tribunal, for fundamental rights to mean anything, it is my duty to protect my neighbour’s rights and their duty to protect mine, even when we are on different sides of the world, particularly when we are on different sides of the world. I was very grateful to Dave Lewis (member of the Biometrics and Forensics Ethics Group) and DCC Sam de Reya for giving me an audience before the National Police Chiefs’ Council Ethics Committee, following which submission I am delighted that the Chair (the Bishop of Manchester) accepted my case for preventing the procurement and deployment of such equipment from relevant companies notwithstanding any technical compliance with procurement policies.
61. The use of public space surveillance technology by the police will continue to have a direct impact on the wider and pressing considerations of public trust and confidence for a long time to come. When one considers the range of potentially ‘sensitive areas’ (courts, prisons, schools, places of worship election halls) we have barely scratched the surface of the security considerations; when considering the ethical considerations we have to make an indelible mark, but it is pleasing that some public bodies have already acted independently to strip out the technology or have undertaken not to make further purchases.
62. In the final days of my time in post, I had an online meeting with the Parliamentary Secretary for the Cabinet Office, Alex Burghart MP, to discuss the ethical and security issues I raised earlier in 2023 with the Minister of State for Crime, Policing and Fire, and my subsequent July letter to the Paymaster General and Minister for the Cabinet Office. I set out why I, along with many responsible and experienced voices, believe there is a need for a review of public space surveillance. Without such a review we cannot understand how many publicly owned cameras we have and where they are sited, and consequently we cannot assess the effectiveness, capabilities and potential impact of our ‘system’, aggregate their product and synthesise what is currently a vast accretion of cameras and devices operating orthogonally across the country. We agreed that it would be beneficial to have a further meeting along with the Security Minister and the Minister for Crime, Policing and Fire, to explore the prospect of such a review.
The National Surveillance Camera Strategy
63. The National Surveillance Camera Strategy (NSCS) was established by my predecessor in 2017. This has been used in the past by my office to support police and local authorities to meet their legal obligations via the delivery of the strategy’s objectives. The overarching objective was to develop systems and processes to establish efficient working practices regarding the operation of surveillance cameras, to protect communities while complying with all relevant legislation, including the Surveillance Camera Code of Practice.
64. Given that the Bill will remove the requirement for the Secretary of State to publish a code of practice, thus effectively abolishing it, I made the decision to pause all work on the strategy earlier this year. The industry experts that devoted time to the strategy did so on a voluntary basis, therefore it did not seem viable to ask them to continue their efforts on projects that will not have the chance to be implemented. I greatly appreciate the time and effort they have given to the strategy, and the gap analysis that I independently commissioned has given consideration to where this work should sit once the office closes (see part one of this report for more detail).
Surveys
Police 2022
65. Following similar surveys conducted in 2017 and 2019, I wrote in June 2022 to the chief officers of all police forces in England and Wales, as well as the Ministry of Defence, British Transport Police, the National Crime Agency and the Civil Nuclear Constabulary, asking for details of their use and governance of all overt surveillance camera systems deployed in public places. This included CCTV, ANPR, body-worn video, uncrewed aerial vehicles (more commonly referred to as drones), helicopter-borne cameras, and facial recognition technology, as well as any other relevant systems.
66. The response rates for previous surveys had been 100%, so it was disappointing that there were some noticeable absences in returns this time, including some of the larger police forces such as Greater Manchester Police, Merseyside Police, and the National Crime Agency. Despite accepting returns received more than three months after the closing date, the return rate for the 2022 survey dipped to 91%.
67. After publishing an initial analysis of the survey in November 2022[footnote 14], I published more detailed findings in February[footnote 15]. The key findings were:
- For all types of surveillance technology covered by the survey, other than helicopter-borne cameras, body-worn video and facial recognition technology, at least one respondent stated that their equipment was manufactured or supplied by a surveillance company outside the UK about which there have been security or ethical concerns.
- There is a need for further guidance to be issued around the use of existing technology where there are security and/or ethical concerns around its use, including around the definition of a ‘sensitive site’.
- The full capability of some of the technology owned by some respondents is not fully understood, be that at the point of purchase or further down the line when software updates are downloaded, reinforcing the need for thorough due diligence of all aspects of the equipment as an early part of the procurement process.
- Very little was reported about the use of penetration testing when considering the cyber security of their equipment, nor of use of the National Decision Making model in the procurement process with regards ethical considerations.
Local authorities 2022
68. My remit as Biometrics and Surveillance Camera Commissioner covers those who are classed as a relevant authority, namely the police and local authorities. Therefore, as I wrote to all police forces with questions on their use of surveillance technology, I also wrote to all local authorities in England and Wales in July 2022, asking for details of their use and governance of all overt surveillance camera systems deployed in public places. The purpose of the survey was to gain a better understanding of the extent to which local authorities are complying with their statutory responsibilities arising from the Protection of Freedoms Act 2012 (PoFA) and the Surveillance Camera Code of Practice, in connection with their overt use of surveillance camera systems falling within the definition in PoFA. As with the police survey, the systems covered by the survey included CCTV, ANPR, body-worn video, uncrewed aerial vehicles, helicopter-borne cameras and facial recognition technology.
69. The percentage of local authorities who responded to my survey (40%) was considerably lower than police forces. This compares with a response rate of approximately 50% for the 2020 survey, which took place at a time when many local authorities were forced to divert resources due to the covid pandemic. It is not clear what the specific reasons for a lower response rate are for this survey, but we have speculated that this could be because of some reconfiguring of local authorities, staff movement, and changes to contact details. That there is no one clear route into local authorities undoubtedly hindered the requesting of the information.
70. The findings from this survey were published in May[footnote 16]. The key finding throughout is that a more robust policy around procurement must be in place. There is much confusion within local authorities on whether there are ethical concerns relating to the surveillance technology they are using. The survey also found that collaboration between local authorities and other organisations is surprisingly low. Only 40% of responses said they work in collaboration with the police. I am aware of ongoing work between some local authorities and police forces to improve collaboration, however, it seems there is a long way yet to go.
Police Uncrewed Aerial Vehicle (UAV) 2023
71. Following on from the 2022 police survey, in March 2023 I wrote to all chief officers in England and Wales with questions relating specifically to their use of UAVs and counter-UAV technology.
72. The findings were published in September 2023[footnote 17], and showed that, while the majority of forces are using UAVs (there was a 77% response rate – of which only 3 forces stated they do not use UAVs), there is a lack of awareness around security risks and subsequently how to mitigate these risks. Most forces did not know the answer to at least one question and referred us to an outside body, such as the National Police Chiefs‘ Council (NPCC) or the Counter Terrorism Policing Headquarters (CTPHQ).
73. As with both the 2022 police and local authorities surveys, the UAV survey findings highlighted the need for guidance on procurement. Another key recommendation is the need for forces to have a single, overarching approach from their elected local bodies to ensure best practice and accountability.
Certification schemes
Secure by Default
74. In light of the Bill and the subsequent future of the office, and a lack of clarity from the Home Office around where non-statutory activity within my responsibilities for surveillance cameras will lie, should the clauses in the Bill be agreed by both Houses and achieve Royal Assent, I made the decision to pause my Secure by Default certification scheme in August 2022, and announced its permanent closure in June. At the time of the scheme’s closure, there were 21 organisations that held the certification mark for certain of their surveillance systems[footnote 18], and I wrote to each of them to explain my rationale behind the decision, requesting they remove the certification mark from all their products, websites, and anywhere else they might display it.
Third Party Certification
75. Third Party Certification initially lasted for five years, with an annual review each year. However, with the uncertainty that the Bill brought, I initially reduced this to annual certificates. But absent any commitment from the Home Office or any other statutory body to take the scheme, or a version thereof, forward once my office closes, it did not seem viable or correct to keep issuing certificates that would expire after there is no longer a Commissioner to spearhead the scheme. I therefore took the decision to close the scheme to new applications from 31 July 2023. My aim in making this decision was to ensure that the certification bodies, their clients and other interested parties have certainty in advance of the Bill coming into force, and I notified the three bodies of this decision in June[footnote 19], ahead of discussing it with them and in advance of them writing to their own clients on the matter.
76. 117 organisations were certified against the scheme at the final count, and it is disappointing that we had to take this step, as there continued to be interest from other organisations wanting to become certified or wanting to become accreditors themselves. The organisations and accreditors alike have shown constant support to upholding standards in the surveillance industry.
77. Both certification schemes belong to the Commissioner, and are based on compliance with the Surveillance Camera Code of Practice. Consequently, if there is no Commissioner and no Code, then the specific certification schemes cannot continue. However, it is vital – now more than ever – that organisations that operate surveillance technology still endeavour to comply with the 12 principles set out in the Code, which are a positive way to demonstrate adherence to best practice.
Automatic Number Plate Recognition
78. This year especially has brought more attention to the use of Automatic Number Plate Recognition (ANPR), mainly due to the expansion of the Ultra- Low Emissions Zone (ULEZ) in London and the Clean Air Zones (CAZ) in other parts of the UK. In August 2023, it was reported there were 1,900 ULEZ cameras being used across London. At the end of expansion, it is reported there will be 2750 cameras in operation across the City and Greater London[footnote 20]. These numbers highlight the need for conversations to be had around the use of ANPR and how the data from these cameras will be used.
79. My office has always worked closely with experts around the topic of ANPR. The ANPR Independent Advisory Group (IAG) has been in place since my predecessor was in post, and last met in March 2022^[21]. However, with the help of my predecessor, this year I set up the ANPR Working Group (WG). The WG met for the first time in January 2023. The aim of the group is to bring together police, academics and industry experts to highlight the gap in the governance of ANPR that will be left when my role comes to an end. Not only has this helped aid my Gap Analysis, but the WG leaves a space for those experts in the field to come together after my office is no longer here to facilitate these important conversations.
80. In light of these ongoing concerns, I wrote to the Secretary of State for Transport[footnote 22] in early October 2023 ahead of leaving the BSCC position, urging him to give consideration to modernising the way in which vehicle registration, roads surveillance and ANPR systems are regulated generally, and to addressing the enduring risks to the ANPR system in particular. In the letter, I highlighted the significant and enduring risks arising from the ANPR system, and how they threaten the efficacy of local policing and traffic enforcement initiatives and the integrity of a national system which has been so successful in supporting policing and law enforcement for decades.
Part 4 – Reflections and Conclusion
Reflections
81. Although I have spent the vast majority of my career in public service, I have never worked so closely with the Civil Service for such a period of time. Overall, I have been somewhat disappointed both with the level of engagement and the support I have received. Bluntly, there has been a lack of interest and knowledge about my work within the Home Office. This has been far from the Rolls Royce service I had expected. I would contrast that unfavourably with my relationship with external stakeholders. For example, I have been surprised by the inconsistent quality of work and the hands-off attitude of officials. My experience may not be typical, but I have found the ‘system’ to be heavily bureaucratic, evidenced by the prolonged challenges around recruitment and commercial work. At no point during my tenure have I enjoyed a full complement of staff, and this has not been entirely due to high levels of turnover nor to notice about the closure of the Office.
82. My engagement with Ministers has generally been good, but I have been surprised that correspondence to Ministerial departments is often ignored; sometimes there has been a delayed response but equally frequently no response at all. Conversely, outside government I have made valuable inroads with interested MPs and Lords, though in fairness this has also been rather hit and miss.
83. The closure of my office has lacked structure despite it being on the cards for months, and there has been no urgency in appointing a replacement. This follows the similarly haphazard reappointment of my predecessors, indicating that few lessons have been learned from those experiences.
Conclusion
84. I have previously put my thoughts on record about the future of the Office when replying to the DCMS consultation. That has been overtaken by events to an extent and I broadly agree with the findings of the gap analysis as set out in Part 1 (Mind the Gap) of this report.
85. Beyond the substance of that report, I remain concerned about the narrow focus that the Home Office applies to biometrics in concentrating almost exclusively on DNA and fingerprints. In my view, there is far too little engagement with emerging issues and new technologies. As things stand, post-Bill, this work will not be within the remit of IPCO. There is a risk that legislation and oversight of growing technology will fall further behind. This apparent lack of interest in proper regulation is borne out by the reluctance to make major changes in the last iteration of the Surveillance Camera Code or to address the need for further regulation in the Live Facial Recognition space.
86. My chief concern, however, is about the capacity of the Information Commissioner’s Office, potentially amongst others, to adequately oversee the evolving and burgeoning areas of surveillance camera technology and biometrics within the framework of data protection alone. As the gap analysis concludes, judicious allocation of responsibilities and resources will go some way to addressing the closure of the Office.
87. I am grateful for the opportunity to have been first Biometrics and Surveillance Camera Commissioner and will be watching with interest, albeit from a distance, how the regulation and oversight of both areas develop in the future.
Annex A: Biometric statistics
DNA Interpol profile enquiries (01 April 2022 to 31 March 2023)
Source: NCA
Outbound from UK
DNA Type | Total | Searches concluded | Positive/ potential match |
---|---|---|---|
DNA samples | 0 | 0 | 0 |
DNA subject profiles | 11 | *Not known | 0 |
DNA missing persons | 82 | *Not known | 0 |
DNA crime scene profiles | 71 | *Not known | 1 |
DNA unidentified bodies | 14 | *Not known | 0 |
Inbound to UK
DNA Type | Total | Searches concluded | Positive/ potential match |
---|---|---|---|
DNA samples | 0 | 0 | 0 |
DNA subject profiles | 41 | 41 | 4 |
DNA missing persons | 194 | 194 | 11 |
DNA crime scene profiles | 334 | 334 | 8 |
DNA unidentified bodies | 196 | 196 | 9 |
*For Outbound searches: Reason data not known for Outbound is that NCA are only notified if a hit occurs.
Interpol manual exchange: Inbound and outbound fingerprint requests (01 April 2022 to 31 March 2023)
Source: NCA
Outbound from UK
Fingerprint type | Total | Searches concluded | Positive/ potential match |
---|---|---|---|
Tenprint sets | 111 | 111 | 4 |
Crime scene fingerprints | 0 | 0 | 0 |
Inbound to UK
Fingerprint type | Total | Searches concluded | Positive/ potential match |
---|---|---|---|
Tenprint sets | 418 | 418 | 44 |
Crime scene fingerprints | 36 | 36 | 1 |
Conviction and fingerprint exchanges
Source: ACRO
EU exchanges with Interpol | EU exchanges with country | Non-EU with Interpol | Non-EU with country | |
---|---|---|---|---|
Requests in | 0 | 863 | 571 (NCA requests) | 7 |
Requests out | 19866 | 5229 | 10610 | 4984 |
Notifications in | 0 | 10 | 0 | 20 |
Notifications out | 0 | 9951 | 0 | 3008 |
Annex B: Acronyms
Acronym | Definition |
---|---|
ACRO | ACRO Criminal Records Office |
AI | Artificial Intelligence |
ANPR | Automatic Number Plate Recognition |
CCTV | Closed Circuit Television |
CPIA | Criminal Procedure and Investigations Act 1996 |
CTA | Counter-Terrorism Act 2008 |
DPDI Bill | Data Protection and Digital Information Bill |
FINDS | Forensic Information Databases Service |
FINDS-DNA | Forensic Information Databases Service’s DNA Unit |
FIND-SB | Forensic Information Databases Strategy Board |
FSP(s) | Forensic Service Provider(s) |
IAG | Independent Advisory Group on ANPR |
IPC | Investigatory Powers Commissioner |
IPCO | Investigatory Powers Commissioner’s Office |
ICO | Information Commissioner’s Office |
IDENT1 | The national police fingerprint database |
MPS | Metropolitan Police Service |
NCA | National Crime Agency |
NDES | National Digital Exploitation Service |
NDNAD | National DNA Database |
NFA | No Further Action |
NPCC | National Police Chiefs’ Council |
NSCS | National Surveillance Camera Strategy |
NSD | National Security Determination |
OBSCC | Office of the Biometrics and Surveillance Camera Commissioner |
PACE | Police and Criminal Evidence Act 1984 |
PNC | Police National Computer |
PND | Police National Database |
PoFA | Protection of Freedoms Act 2012 |
SOFS | MPS Secure Operations – Forensic Services |
VA | Voluntary Attendance |
-
I was offered an extension of my time in post from March 2023 because the Data Protection and Digital Information Bill did not progress within the expected timescale. ↩
-
https://www.gov.uk/government/publications/data-a-new-direction-commissioners-response ↩
-
https://www.gov.uk/government/publications/changes-to-the-functions-of-the-bscc-independent-report ↩
-
https://www.gov.uk/government/publications/biometrics-and-surveillance-camera-commissioner- report-2021-to-2022 ↩
-
Last year there were 200 cases that had been identified that had come from s18 material. They had expired due the NSD 3 year retention period that did not parallel the s18 material 5 year retention date. There are now 860 cases. JFIT are still waiting a decision from Parliament (source NDES). ↩
-
https://www.legislation.gov.uk/ukpga/2012/9/section/21/enacted ↩
-
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/76 4558/Applications_to_the_Biometrics_Commissioner_under_PACE_September_2018.pdf ↩
-
https://www.gov.uk/government/publications/retaining-the-biometrics-of-people-arrested-for-serious- offences/letter-to-hm-chief-inspector-andy-cooke-regarding-the-use-of-police-powers-to-retain- biometrics-for-those-arrested-for-serious-offences-accessible-ve ↩
-
Para 2.1.2 ↩
-
Austria, France, Spain, Poland, Germany, Netherlands, Romania, Czech Republic, Ireland, Latvia, Sweden, Belgium, Malta, Lithuania, Finland, Croatia, Slovakia, Hungary, Greece, Estonia, Luxembourg, Cyprus. ↩
-
Germany, Belgium, Austria, Czechia, Bulgaria, Hungary, Lithuania, Denmark, Sweden, Slovakia, Slovenia, Finland, Estonia, Netherlands, Poland, Croatia, Romania, Portugal, Malta, France ↩
-
Voluntary attendance (VA) is where suspects are not arrested but are asked instead to attend voluntarily at a police station, usually outside a custody suite environment, to answer questions. ↩
-
Paragraph 78 to 80 in my last annual report provide further background to this exception ↩
-
https://www.gov.uk/government/publications/police-survey-2022-initial-analysis ↩
-
https://www.gov.uk/government/publications/police-survey-2022-responses-and-key-findings ↩
-
https://www.gov.uk/government/publications/local-authority-survey-2022-responses-and-key- findings ↩
-
https://www.gov.uk/government/publications/law-enforcement-use-of-uncrewed-aerial-vehicles- 2023-survey ↩
-
https://www.gov.uk/government/publications/secure-by-default-self-certification-of-video- surveillance-systems/organisations-who-have-been-given-our-secure-by-default-self-certification-mark ↩
-
https://www.gov.uk/government/publications/letter-to-third-party-certification-bodies/letter-to-third- party-certification-bodies ↩
-
https://www.bbc.co.uk/news/uk-england-london- 66592199?at_medium=RSS&at_campaign=KARANGA ↩
-
https://www.gov.uk/government/publications/letter-to-the-secretary-of-state-for-transport/letter-to- the-secretary-of-state-for-transport-risks-to-the-anpr-system-accessible-version ↩