Transparency data

Fraser Sampson and Brian Plastow's joint letter to members of government regarding the DCMS Data Consultation (accessible version)

Published 6 December 2021

Keith Brown MSP
Cabinet Secretary for Justice and Veterans
Scottish Government.

Audrey Nicoll MSP
Convenor of the Criminal Justice Committee
Scottish Parliament.

Naomi Long MLA
Minister of Justice
Northern Ireland Assembly.

Brandon Lewis CBE MP
Secretary of State for Northern Ireland
Northern Ireland Office.

Robin Walker MP
Minister of State for Northern Ireland
Northern Ireland Office.

Cc: Kit Malthouse MP, Baroness Williams.

19 November 2021

Dear all,

Proposal to Absorb Oversight Arrangements for Police Use of Biometrics by new UK Data Protection Authority

We write in the capacity of our respective statutory roles: one of us as Biometrics Commissioner for the UK and the Surveillance Camera for England and Wales, the other as the Scottish Biometrics Commissioner. Both are independent appointments made under the relevant legislation, the former by the Home Secretary under the Protection of Freedoms Act 2012, the latter by way of recommendation to HM the Queen by the Scottish Parliament under the Scottish Biometrics Commissioner Act 2020.

Our respective appointments earlier this year marked two ‘firsts’. In relation to the Protection of Freedoms Act this was the first time that the roles and functions for both the Biometrics and Surveillance Camera commissioners had been combined under one officeholder while, in the case of Scotland, this was an entirely new position introduced by the Scottish Parliament following an extensive public consultation.

Independent Oversight of Police Biometrics

The issues around the appropriate regulation and oversight of the police use of biometrics and surveillance have been under consideration for several years. The case for reform has featured in the statutory annual reports to Parliament made by previous officeholders under the Protection of Freedoms Act and of course in the creation of a new position of Scottish Biometrics Commissioner.

On 10 September 2021 the UK government published a consultation on its proposals for data reform setting out an ambitious programme to create “a more pro-growth and pro-innovation data regime whilst maintaining the UK’s world-leading data protection standards” and creating a new UK data protection authority.[footnote 1]

Much of the consultation is concerned with data protection revision at large and the government’s proposals for “securing the UK’s status as a global hub for the free and responsible flow of personal data”.[footnote 2] Within that context the proposal asks specifically for views on whether the arrangements for oversight of the police use of biometrics could be simplified and whether the current functions of the Biometrics and Surveillance Camera Commissioner should be ‘absorbed’ under the reconstituted Information Commissioner’s Office (ICO). We welcome the opportunity to contribute to that consultation and have each submitted our views to the UK government. The proposal holds some specific issues for the oversight and regulation of the police use of biometrics in Scotland and Northern Ireland and it is in relation to those that we write here.

Without rehearsing our responses to the consultation, we believe it is important to highlight several key issues with you and would invite careful attention to the following aspects of what is being consulted upon.

Police Biometrics as Data Protection

The proposal invites consultees to infer that the police use of biometrics is simply another manifestation of data protection which therefore ought logically to sit with the UK’s data regulator. In our respectful submission any such inference would be entirely misplaced and holds some specific issues for Scotland and Northern Ireland.

In addition to the well-documented ethical issues arising from facial recognition technology, increasingly intrusive technological capabilities and the so-called ‘chilling effect’ on our society, there are many examples of oversight considerations in the police’s retention and use of biometrics that cannot be accurately characterised as simply data protection matters. At the same time, the conduct of an individual recently convicted of abusing deceased individuals in a hospital mortuary illustrates how even the most repellent violation of human dignity and private lives involving the use of image capture can fall outside the parameters of data compliance: the law only protects the privacy of the living.

In short, debates about biometrics and surveillance in policing are intrinsically complicated and linked to broader considerations of legitimacy, effectiveness and efficiency. Above all, this area is about public confidence, trust, and public acceptability – the debate must be far broader than one of ensuring compliance with any prevailing UK data protection regime.

UK-wide Jurisdiction

Even if one accepts (which we do not) the proposition that the police use of biometrics is, at its simplest, merely a matter of data processing, the absorption of the existing statutory functions into a new UK data regulator raises significant jurisdictional issues.

We recognise that, as the UK’s data protection authority, the ICO’s remit already extends to Scotland and Northern Ireland for all data protection matters including those in policing, both domestically and internationally. The national security functions of the UK Biometrics Commissioner also cover Scotland and Northern Ireland and, to that extent at least, overlap with those of the ICO. We can see therefore how absorbing those functions within the new UK data protection authority might achieve at least jurisdictional ‘simplification’ of the arrangements for oversight of the police use of biometric data, creating a single ‘super regulator’ for data and privacy.

In terms of Scotland however, the Scottish Parliament has clearly determined that it does not regard the use of biometrics by the police as simply a matter of data protection. In the words of the Justice Secretary Humza Yousaf, at the time Scotland appointed an independent Biometrics Commissioner, it did so to “complement the work of others, including the Information Commissioner, and help maintain public confidence in how new technologies and data are being used to help keep crime down and communities safe.”

Moreover, unlike England and Wales, Scotland does not have a Forensic Science Regulator and, as a result, the Scottish Parliament purposively expanded the definition of ‘biometric data’[footnote 3] to ensure that the Scottish Commissioner also has statutory oversight of forensic samples/biological materials from which biometric data can be derived. The Scottish role is not just about the ‘data’.

In Northern Ireland the Assembly passed the Criminal Justice Act (Northern Ireland) 2013, Schedule 2 to which makes provision for a new regime setting out a series of rules for the retention of DNA and fingerprints taken by police based on the seriousness of the offence, the age of the person from which the material was obtained, whether the person was convicted or not convicted and the person’s criminal history. In essence this was the equivalent legislation to the UK Parliament’s Protection of Freedoms Act 2012. The Northern Ireland legislation has, however, never been brought into effect because, according to the Justice Department’s website, under the current provisions, a large volume of DNA and fingerprints related to non-convicted people would fall for deletion from police databases. It goes on to say that, in order to mitigate any risk that the deletion of this material could undermine the investigation of unsolved Troubles-related deaths in Northern Ireland, a form of statutory provision will be required to provide a lawful basis for deleted material to be retained and used for the purpose of legacy investigations.

On 18 March 2020 the Justice Minister announced a public consultation to alter the legislation covering the retention and use of fingerprints and DNA and “to widen the scope of the Northern Ireland Commissioner for the Retention of Biometric Material” and, on 14 July 2021, the Secretary of State for Northern Ireland published the UK government’s plans for new legislation to address the legacy of the Troubles which includes proposals for a new Information Recovery Body.

Again, this complex legal situation and ongoing policy development appears to be inconsistent with the proposed approach to treat police use of biometrics and surveillance in the UK as matters of data processing.

Organisational Fit

Finally, we would make the observation that a principal ambition of the government’s data reform is to design a new UK data protection authority, replacing the Information Commissioner with a board along with a chair and a chief executive officer, introducing accountability and transparency changes and revising its objectives, performance measures, duties and culture. It may be that this will result in the ‘super regulator’ for data and privacy put forward in the UK Parliament during the passage of the Protection of Freedoms Bill.[footnote 4] However, it will by definition require transformational change from the ICO as we have come to know it. Any assessment of how a yet-to-be-defined new UK regulator might absorb existing statutory functions will therefore be very speculative and perhaps the consultation questions cannot be answered until there is at least a blueprint for the UK’s new data protection authority.

Conclusion

We fully recognise the ministerial assurance from the UK government that nothing has been decided and that therefore making Scotland or Northern Ireland an ‘exception’ before the responses to the UK government’s consultation have been fully considered would be pre-determinative. We would however encourage early exploration of the important jurisdictional issues that would necessarily follow from treating police use of biometrics as data protection and absorbing oversight functions accordingly within the remit of the UK’s new data protection authority.

We stand ready to assist in the exploration of any revised regulatory and oversight framework model.

Yours sincerely

Fraser Sampson

Brian Plastow

  1. Data: A New Direction 

  2. Ibid 

  3. in s.34 (2) (c) of the Scottish Biometrics Commissioner Act 2020. 

  4. Hansard: Protection of Freedoms Bill