Only a few days to go: We’re raising £25,000 to keep TheyWorkForYou running and make sure people across the UK can hold their elected representatives to account.Donate to our crowdfunder
I am delighted to open this stage 1 debate on the general principles of the Scottish Biometrics Commissioner Bill. I thank Margaret Mitchell, the convener, and the Justice Committee for its scrutiny and its stage 1 report on the bill. I also thank the Finance and Constitution Committee and the Delegated Powers and Law Reform Committee for their consideration of the bill. I commend the Justice Committee for taking evidence from a very wide range of stakeholders and individuals. I am grateful to those stakeholders for the considered views that they offered to the committee.
I welcome the committee’s view that the establishment of an independent Scottish biometrics commissioner is both timely and necessary; I also welcome the committee’s recommendation that the general principles of the bill be agreed to. In its stage 1 report, the committee made a number of detailed recommendations and comments, and called on the Government to consider and respond to them. The Government is still reflecting on some of those points, but I hope that the interim response, which I provided to the committee earlier this week, provides a useful indication of the Scottish Government’s position. I will issue my final response next week.
In this afternoon’s debate, I will focus on the principles of the bill and what we want to achieve through it, although I will, of course, try to address some of the more significant points that the committee raised.
By introducing the bill, the Scottish Government recognised the need for transparency and accountability in how biometric data is used in the context of policing and criminal justice, and the importance of those issues to building and maintaining public trust. We live in times of rapid technological change, in which new biometric techniques continue to develop and evolve. Scientific innovation in policing has the capacity to make us safer, but it also raises pertinent questions about ethics, lawfulness and privacy. Therefore, we should recognise that public confidence requires that fundamental rights and the rule of law are not only respected but, importantly, seen to be respected. With that in mind, the bill creates an independent commissioner to ensure that the approach to biometric data is effective, lawful and ethical, and to ensure that an appropriate balance is struck between keeping communities safe, respecting the rights of the individual and improving the accountability of the police.
I cannot stress enough how important it is that we equip our police officers with the necessary technology to ensure that they can keep us safe. However, it is equally important for the public to have absolute confidence in those technological advances and in how their data will be collected or retained. The legislation, the commissioner and the code of practice will help to provide those reassurances.
The new commissioner’s general function is to support and promote the adoption of lawful, ethical and effective practices in relation to the collection, use, retention and, of course, disposal of biometric data in the context of policing and criminal justice. That function will be carried out by keeping under review relevant law, policy and practice, by promoting public awareness and by promoting and monitoring the impact of a code of practice.
I turn first to the scope of the oversight arrangements that are contained in the bill. They apply currently to Police Scotland and the Scottish Police Authority, but I intend to broaden the scope by lodging amendments at stage 2 to include the Police Investigations and Review Commissioner, in recognition of the fact that the PIRC manages biometric data in the course of its investigations. The Justice Committee will be pleased to hear that I am also actively considering the inclusion of cross-border policing bodies such as the British Transport Police, the Ministry of Defence Police and the National Crime Agency.
I want to speak now about the commissioner’s public awareness-raising function. Given the explosion in biometric data technologies in recent years, it is all the more important that we have an independent commissioner who will lead a national conversation about rights, responsibilities and standards. The Justice Committee asked how that conversation can be progressed. I see that we have a golden opportunity for the new biometrics commissioner to link up with others, such as the Information Commissioner and the Scottish Human Rights Commission, to perhaps take forward a national campaign.
The Justice Committee raised a number of questions and recommendations on the code of practice and the associated functions and powers of the commissioner, and I will address some of those now. I welcome the committee’s support in principle for the requirement to have a code, which the commissioner will prepare and promote. I envisage that the code will set out the standards and responsibilities of Police Scotland and the SPA, with the aims of ensuring good practice, driving continuous improvement and enhancing accountability. The code will be subject to consultation, and to the approval of Scottish ministers and, crucially, the Parliament.
I want to clear up a misunderstanding. The code is already being put on a statutory footing. The bill includes a number of statutory provisions about the code—for example, it requires the commissioner to prepare and review a code, it requires there to be consultation on the content of the code and it requires specified policing bodies to have regard to the code. The bill therefore already delivers on the committee’s recommendation that the bill should
“establish a statutory basis for the existence and application of the Code”.
It is the content of the code that is not specified in the bill. That is to allow for flexibility and future proofing and to ensure that the commissioner may act in a way that is impartial and allows them to use their own judgment.
The committee’s recommendation around using the independent advisory group’s code as an interim code was well intentioned, but I feel that the specification of the code by anyone other than the new commissioner would undermine the key principles of impartiality and statutory consultation. I believe that the better solution will be to let the commissioner undertake the process of preparing the code in the way that the bill specifies, which includes consultation, so that we have a code that is fully formed and up to date, and which has been informed by the views of the relevant parties.
I accept that, Mr McArthur. There is nothing preventing the new commissioner from having regard to the IAG’s code of practice and consulting the IAG members, but I would not want to pin them into that corner. The new commissioner should have flexibility and, for them to be genuinely independent, it is important that they be allowed to develop the code in the way that they see fit. The member is right to mention that the IAG consulted a number of the relevant parties.
Let me return to the commissioner’s powers. To enable the commissioner to effectively perform his or her functions, they will have the power to require police bodies to provide information. A failure to provide information to the commissioner can be referred to the Court of Session for enforcement.
The information that is gathered by the commissioner will allow him or her to prepare and publish reports that will be laid before Parliament, containing recommendations that will be directed to the police bodies that are listed in the bill. Those bodies can be required to respond publicly to a recommendation and, if they fail to do so, the commissioner could publicise such a failure. The ability to draw Parliament’s, and the public’s, attention to the activities of police bodies should not be—and, I am certain, is not—underestimated.
I am grateful to the cabinet secretary for taking an intervention on that point. I had planned to mention this in my speech. You could instead just have a requirement that had to be adhered to, and there would be no need for any of this. We know that judicial review is not a simple process. Surely, with any piece of legislation, discretion can be afforded to the decision making within it, but the requirement can be compulsory.
That was a punishable offence by Mr Finnie.
On his substantial point, I think that that approach would be the wrong one. I think that I said in a meeting with the member that I will continue to keep an open mind, but I am not persuaded yet.
“The police are sensitive about carrying the public with them. That means that, when we visit, they are always extremely open with us; we always have open discussions and they are always amenable to our suggestions about their compliance, and the basic reason is that they want to continue to hold public trust.”—[Official Report, Justice Committee, 24 September 2019; c 7-8.]
The commissioner went on to talk about the different dynamic that would exist, should there be a requirement as opposed to a duty to “have regard to”. He thought that that change in dynamic would be extremely unhelpful. I am also of that view.
All of us understand that the police are under a great deal of scrutiny—as they rightly should be. I completely agree with that, and the police agree with that as well. They have scrutiny from Her Majesty’s Inspectorate of Constabulary in Scotland, from the Justice Sub-Committee on Policing, from the Justice Committee and, more broadly, they are accountable to the SPA, the Police Investigations and Review Commissioner, Audit Scotland and so on. They are very aware of that public scrutiny and attention, and they put importance on taking the public with them. That is an important dynamic, which I would not want to change. I will listen to what the member says, and to what the Justice Committee says, on that.
It is important to be firm that there will be consequences if a recommendation that is made by the commissioner is ignored. A number of consequences might occur. First, the situation can be reported to Parliament. That not only makes it public and incurs reputational damage, but the body in question may also be called to account for itself to Parliament; indeed—dare I say it?—to the sub-committee convened by John Finnie.
Also, the commissioner may decide that the lack of co-operation has highlighted the need for a full review or for legislative change. If the commissioner made such a recommendation, we would, of course, be open to that suggestion. Therefore, lack of regard to the code or to a recommendation from the commissioner might have far-reaching consequences and I hope that the Justice Committee will be reassured by that. However, I suspect that this will continue to be a matter for debate as we progress to stages 2 and 3 of the bill.
As the committee recognised,
“the role of biometrics is fast becoming a central element of the way in which Scotland is policed and crime is investigated and prosecuted” and, as the Commissioner for the Retention and Use of Biometric Material observed, many countries are looking at what Scotland is doing through the bill. I want to put Scotland at the forefront of driving forward transparency, accountability and improvement in relation to biometric data for policing and criminal justice purposes. That is why the architecture of the bill allows flexibility, why the definition of biometric data is broadly drawn and why the commissioner’s powers and functions are focused on rights and responsibilities.
The bill creates a biometrics commissioner for modern times who will operate in a fast-changing world but always with a focus on our rights, our safety and our expectation of transparency in policing and the criminal justice system. I look forward to working with members of all parties to secure those objectives as we continue to take the bill through Parliament.
That the Parliament agrees to the general principles of the Scottish Biometrics Commissioner Bill.
As the convener of the Justice Committee, I am pleased to speak on the Scottish Biometrics Commissioner Bill. I express my thanks to the Justice Committee’s members and clerks for their hard work and to all the witnesses who provided evidence as part of our scrutiny of the bill.
The past 25 years have seen a digital revolution, with technology now central to the way we live. That impacts on how the police investigate crime. The bill establishes a Scottish biometrics commissioner and a statutory code of practice to provide oversight for the collection, use, retention and disposal of biometric data in the context of policing and criminal justice. The committee welcomes the bill, but, as ever, the devil is in the detail.
The oversight system created by the bill sets the blueprint for Scotland’s response to the growing influence of biometrics. The committee agreed that the bill must set out clearly the principles that should underpin that oversight and that the promotion and protection of human rights, privacy, public confidence and community safety are crucial. Therefore, it is disappointing that the Government’s response to our report does not support the specific inclusion of those principles in the bill.
The committee believes that the bill must provide the commissioner with the necessary powers to hold the police service to account for its use of biometrics and to ensure compliance with the code of practice. That is absolutely vital to ensure public confidence and trust in the use of biometrics by the police and the criminal justice system.
The committee agrees that the Scottish biometrics commissioner should be independent of the Government, appointed by the Scottish Parliamentary Corporate Body and should be able to scrutinise biometric processes adopted by all who provide policing within Scotland and who share biometric data with Police Scotland including the British Transport Police and the National Crime Agency.
At present, other public and private sector bodies are collecting and sharing biometric data without regulation. There is a lack of transparency that requires to be addressed urgently. The bill proposes that the commissioner has oversight only of Police Scotland and the SPA, at a time when public concern over the use of biometrics is growing. Witnesses suggested that a wide-ranging debate on the issue should be led by the new commissioner. The committee urges the Government to fully meet its policy intention of providing confidence to the public by extending the debate to apply to all those who collect biometric data in Scotland. I welcome the cabinet secretary’s recognition of that need and call on him to support the commissioner in leading that debate.
Members unanimously support a code of practice, to be established by the commissioner, and believe that the code should be considered and approved by the Parliament. Given the far-reaching human rights, ethical and privacy issues relating to the use of biometrics for criminal justice and policing purposes, the commissioner’s lack of powers to ensure compliance with the code raises concerns. Although name and shame is a key approach in the oversight of the 43 police forces in England and Wales, there is only one police force in Scotland, so the committee considers that that approach is not a viable option for the new commissioner under the code of practice. The committee considers that the commissioner must have the powers to enforce any compliance that may be needed.
We recognise that there may be exceptional circumstances in which the police are not able to comply with the code. The committee therefore recommends—there was lengthy discussion of this—that the ‘have regard to’ approach be reviewed in the light of experience and that the commissioner reports to Parliament on its effectiveness.
I note the Government’s view that the commissioner could “explore” procedural changes with Police Scotland, or recommend new legislation to strengthen observance of the code, but those options are far from ideal.
Another key concern raised in evidence was the lack of a complaints mechanism in the bill. It is essential that people are able to complain about their biometric data being taken or used without their consent. The committee recommends that the bill provides for a complaints mechanism to allow the commissioner to deal with complaints from the public. It is disappointing that the cabinet secretary is opposed to that recommendation.
Does the convener recognise that it is important for us to not stray into the reserved functions of the Information Commissioner and that, as things stand, if anybody in Scotland has a complaint about how their data is being used or that their data is being misused, they can go to the Information Commissioner to ask for that complaint to be investigated?
The bill is all about transparency and the collection of more biometric data, which is very personal information. If we are to have trust and the bill is to be successful, the public must have a mechanism through which to complain, and I urge the cabinet secretary to reconsider that when we come to stage 2.
The use of technology that impacts on the rights of individuals must always be justified and proportionate. Committee members stress that the bill must ensure that the police always adopt an ethics-centred approach to the use of new invasive technologies. The commissioner will have a key role in exploring whether the use of new technologies is necessary and justified, and in ensuring that technology is used according to the principles that underpin the oversight mechanism.
The committee recommends that the bill provide for an ethics advisory group to assist the commissioner, and that that group be appointed by the commissioner and be independent of the Government. I am sorry to see that the cabinet secretary rejects a statutory basis for such a group. The cabinet secretary recently announced plans to establish an independently chaired ethics group to advise the Government. It would be helpful if he could be clear that an ethics group for the commissioner would be separate from any ethics group appointed by him.
Serious concerns were expressed about private companies that collect and share biometric data with the police, and public sector use of biometrics, such as in parole e-monitoring and local government closed-circuit television systems. Here, the bill provides very few, if any, reassurances. The committee therefore recommends that the Scottish Government reviews provisions on the scope of the commissioner’s remit and powers after a suitable period, that the commissioner reports to the Parliament annually on the adequacy of the resources provided to their office, and that the Scottish Government reviews the commissioner’s funding, in cooperation with the SPCB. I note the Government’s comments on a review of funding and post-legislative scrutiny. However, we should not rely on post-legislative scrutiny; we should aim to get this legislation right the first time.
The committee considers that the bill will need to be strengthened at stages two and three. I ask the cabinet secretary to rethink some of his objections to our recommendations. In the meantime, the committee welcomes the bill and recommends that the Parliament agrees to its general principles.
I am very pleased to open this stage 1 debate on the Scottish Biometrics Commissioner Bill on behalf of the Scottish Conservative and Unionist party. For the avoidance of doubt, my colleagues and I, like the committee, support the bill’s principles and will vote accordingly at decision time.
At the outset, I echo the convener’s thanks to the clerks for pulling together a great deal of information on a complex area into a comprehensive, clear and accessible report. The principles of the bill are sound: to address ethical and human rights considerations in Scotland relating to the collection, use, retention and disposal of biometric data in the context of policing and criminal justice. The bill seeks to do that by establishing the post of a Scottish biometrics commissioner who will oversee the use of biometric material and will draw up, and promote the use of, a code of practice that will govern how biometric material should be used and gathered. It also seeks to underpin public trust in the way that the police use biometric data; a key point that I shall return to shortly.
I have set out the bill’s general principles in that way because the scope of the bill raises a number of considerations that have been highlighted in the Justice Committee’s stage 1 report and that bear further examination as the bill progresses.
First, and perhaps most important, is that the resourcing of the bill will determine its success, both in the immediate and longer term. The committee’s report is clear that one of the key concerns raised by witnesses centres around the level of resources required to allow the commissioner to operate effectively. The report states clearly that
“Other SPCB supported officeholders have faced resourcing issues as a result of changes or expansion to their role and powers over time or as a result of growing demand for activity.”
By its very nature, this is a rapidly developing and changing environment that is likely to see an increase in activity. The report’s conclusion was stark:
“the Committee is concerned that the Financial Memorandum may not sufficiently estimate the resources which may be needed to support the delivery of the Commissioner’s functions”.
In the same vein, the Law Society of Scotland has made a useful and important submission to the debate and specifically highlights that not only should the role be
“appropriately funded” but that
“such funding must also continue at an acceptable level to allow for” the inevitable mission creep. The Law Society goes on to say:
“Only in that way can the Scottish Commissioner be able to ensure that they can properly fulfil their functions and be appropriately accountable”.
That is why the cabinet secretary’s response to the committee’s report is somewhat concerning when he says:
“The provision of further resources will be subject to wider public spending pressures and will be considered as part of the annual budget setting process”.
Of course. But that is not a cast iron commitment to ensure either appropriate or continuing funding as the role inevitably enlarges.
On another matter, the committee is right to highlight at paragraph 86 of its report that biometrics use goes far beyond police Scotland and the SPA; for example and especially, it goes into education and the NHS.
There is a public need and a public good in seeking to regulate biometrics in that way, and there is a pressing need for transparency. What do we do about that? The committee called for a public debate but, at the very least, the code of practice ought to address how the commissioner will interact with private sector users of biometrics. Again, I note the Scottish Government’s response, which is encouraging, but a great deal of responsibility would be loaded on to the commissioner, which takes us back to resourcing, both initially and going forward.
Of course, all that leads to concerns about enforcement. I recall the committee being concerned about whether there should be a duty to comply with the code as opposed to a duty to “have regard to” it. The convener highlighted that the committee felt that the enforcement powers were insufficient, which could undermine public confidence. That merits further consideration, although I recall the cabinet secretary arguing his case persuasively in committee, and I note his letter of 7 January. In my view, it seems sensible to have the review that the convener talked about.
If public confidence is a key aspect of the bill, the absence of a complaints mechanism to enable the public to refer issues to the commissioner—for example, for lack of compliance with the code—is regrettable. In committee, many witnesses brought up that issue, and the committee’s report says:
“there is a risk to public confidence and transparency if a complaint mechanism is not included in the Bill.”
I find that view persuasive.
I hear the point about the Information Commissioner’s Office, but the new biometrics commissioner will want to engage with the public and be available. One can imagine a situation in which the new commissioner, in seeking to fulfil the public engagement or awareness role, is approached by a member of the public about an apparent breach, but is required to send them away to the ICO. I suggest that that would not lend itself to providing public trust and confidence. I accept the requirement in the cabinet secretary’s response to develop a comprehensive communications strategy to understand the role, but I am less persuaded that there is no merit in including a direct complaints mechanism, as the committee unanimously recommended.
I owe my final point to my learned friend Gordon Lindhurst, who I expect will, in closing, develop the argument on what I am increasingly of the view is a key issue. The cabinet secretary rightly raised the issue of enforcement, which is worth exploring further. Section 12(3)(b) of the bill allows the Court of Session to treat a failure to provide information to the commissioner under section 11 as a contempt of court. The drafting seems somewhat draconian, given the lack of similar provisions elsewhere. In addition, given the drafting, an individual will not know in advance whether an action will be in contempt of court, unlike a situation in which someone does know whether they are ignoring a direct order of the court. Furthermore, the interplay between that section and section 11(3), under which
“A person is not obliged ... to provide information which that person would be entitled to refuse to provide in proceedings in a court in Scotland”,
is, I gently suggest, challenging. I will leave that point there for consideration by my colleague later and, perhaps, for review at stage 2.
Suffice it to say, I confirm that we will support the general principles of the bill at stage 1, and I look forward to cross-party collaborative working to drive improvements into the Scottish Biometrics Commissioner Bill.
I am delighted to open the debate for Scottish Labour, and I confirm that Scottish Labour will support the general principles of the bill at decision time. As other members have done, I place on record my appreciation of the work of the Justice Committee—particularly that of the clerks in compiling the report. I also thank the witnesses who appeared before the committee.
The bill that is before us is important. If we look at the background to biometric data and data in general, we can see its importance and that, over 100 years, it has played a central role in policing and criminal justice. Police and law enforcement agencies have used data very effectively to prosecute crimes and to bring those who have committed crimes to justice.
Data collection and the extent of the data that is collected have increased significantly over the past 25 years, as Margaret Mitchell said, particularly with the vast improvements in technology that we have seen. That is welcome in helping the police to do their job. We have seen numerous examples of cold-case reviews having allowed the police to go back and investigate crimes from 30 or 40 years ago and secure successful prosecutions as a result of improvements in biometric data techniques.
At the same time, given the breadth of the collection of data, the number of people that it covers, how that data is stored and how long it is stored for, there are central issues around respecting people’s human rights while enabling the police and the prosecution authorities to carry out their job effectively. It is essential, therefore, that we establish an independent biometrics commissioner.
Three issues that are addressed in the committee’s report have already begun to play out in the debate: the scope of the commissioner’s role, the powers that the commissioner will have and access to the commissioner for complaints. The scope is currently limited to Police Scotland and the SPA, so I welcome the cabinet secretary’s announcement this afternoon that it will be extended. However, we should examine whether it should go further, including public bodies such as the NHS and covering the way in which some private bodies collect and store data. The Justice Committee heard in evidence concerns about the breadth of the organisations that are collecting biometric data, using it and passing it to the police. There is no doubt that that will continue to grow, so it is clearly an area that needs to be examined further.
The powers will be established through the code of practice that the commissioner will move forward with, and a lot of the debate this afternoon has been around whether the provisions that are currently in the bill are adequate. There has been much discussion about whether the phrase “have regard to” is legally adequate to ensure that people comply with the code of practice. I am not persuaded that it is strong enough; I think that we need to require more legal compliance. Although we agree on the bill, the cabinet secretary and I have had numerous political disagreements over the years. I can “have regard to” the cabinet secretary’s views on, say, the matter of the constitution, but that does not mean that I have to follow them or implement them in the speeches that I make in the chamber. We need something stronger if we are to give the commissioner the powers that he needs to ensure that the code of practice does not become toothless.
On access, it is important that the public have a mechanism to bring forward complaints properly. I listened carefully as the cabinet secretary made a number of representations on that, but I still feel that the bill, as it is currently drafted, needs more on public awareness and that more needs to be done to allow people to bring complaints if they feel that their human rights are being compromised in any way. As I said, that is becoming a central issue.
The other area that will be crucial is how the bill caters for future developments. Although the bill, as it is currently drafted, is reasonably balanced, that area will expand greatly in the coming years, and the code of practice and the commissioner need to be able to take account of developments in technology.
I welcome the principles of the bill. It is important that we have an independent biometrics commissioner, although issues have arisen in the Justice Committee’s report about the scope of the commissioner’s role, the powers that he will have and access to the commissioner. I hope that the cabinet secretary takes on board some of the views that have been expressed this afternoon. I am sure that, if appropriate changes are not indicated ahead of stage 2, members from all parties will lodge amendments that seek to strengthen the bill, to make it more effective and robust.
I advise members that the Scottish Green Party will support the general principles of the bill at decision time. I, too, thank all those who have been involved in the process—particularly the clerks who compiled the report. The examination of the legislation has been thorough. I also thank all those who have provided briefings, including Amnesty International—I refer members to my register of interests, as I am a member of Amnesty International.
Paragraph 87 of the Justice Committee’s report, to which the convener alluded, states:
“The Committee asks the Scottish Government to consider how the lack of debate and transparency on the use of biometrics across Scotland might be addressed, and what role the Scottish Biometrics Commissioner could play in this”.
The Scottish Government’s response of 7 January says that the biometrics commissioner would
“be best placed to lead any debate on the level of transparency”.
I do not agree. I think that it would be inappropriate to leave all of that to the biometrics commissioner. As the convener and others have said, this is a fast-moving area. It may seem strange to say that we need to debate the topic when we are actually doing so, but we need a lot more debate on this issue for the very reasons to do with technology that members have outlined.
The Scottish public is under heavy surveillance. I will not dwell on the issue, but we have seen that with the digital triage devices—the cyberkiosks—which were deployed without assessment, lacked a robust legal basis and received little, if any, oversight from the SPA. Public rights could have been eroded, but Police Scotland has responded extremely positively and has engaged with others.
Things have moved on, and the Justice Sub-Committee on Policing is looking at issues to do with facial recognition, which would clearly fall within the remit of the biometrics commissioner. A live challenge on that issue is going on elsewhere in these islands.
I welcome the contributions from the Scottish Human Rights Commission, Open Rights Group, Big Brother Watch, the Scottish Information Commissioner and various academics. I commend the independent advisory group for the role that it has played throughout and for recommending that an ethics advisory group should be established if the bill is passed. I consider that that recommendation should form part of the bill.
The committee’s stage 1 report alludes to facial recognition, facial search technology, gait and movement recognition technology, eye/iris/retinal identification, voice recognition software and data from social media that is capable of providing biometric sources to the police—which, I am told, is second-generation biometrics. Consequently, we need robust oversight.
I recall the trialling of CCTV in Airdrie in the 1990s, when I was working in a different capacity, and the issues remain largely the same. Who will undertake the role? What role should the police and the private sector have and for what purpose? Who will have oversight? Who will have access to the material? How long should it be retained for? Parliament must lead that debate, along with our country’s justice system. I am sure that Police Scotland and the Crown Office and Procurator Fiscal Service would welcome discussions on that area. It is key that we all protect citizens’ rights, because, if we do not, who will?
The code of practice, which has been alluded to, is intended to deal with some of the issues. In its written submission, the Scottish Human Rights Commission highlighted that a detailed analysis of the deletion of biometric data was part of the independent assessment group’s initial report but that the issue has not been picked up. We also know, from our deliberations, that data that is already in the protection of Police Scotland and the SPA is not all legitimately held. We allude to that as a “legislative gap” in paragraph 132 of the committee’s report.
In its response to the report, the Scottish Government said:
“Since the publication of the 2016 HMICS review of the use of the Facial Search functionality within the UK Police National Database ... Police Scotland has successfully delivered a new national custody episode management system which enables custody images to be automatically weeded from that system when the corresponding image is similarly deleted from the Criminal History System.”
It is unclear to me what that is supposed to mean. It was my understanding that, for technical reasons, photographic details of people who had been acquitted remained on the system. If that has been corrected since 2016, that is very good, but perhaps the cabinet secretary could outline to us whether that is the case.
The bill covers Police Scotland and the Scottish Police Authority. However, I have been frustrated by the fact that a number of police services that operate in Scotland are not accountable to this Parliament. Those include the British Transport Police and the National Crime Agency, never mind some of the other UK agencies that it will be more challenging to deal with. I welcome the fact that the cabinet secretary wants the British Transport Police and the National Crime Agency to be covered by the bill, and I wish him luck in getting the UK Government to agree to the Ministry of Defence Police being covered by it. I hope that it agrees to that and that people will support the use of section 104 orders. However, if the UK Government’s agreement to that is not secured, not all of policing will be covered by the bill—only the principal police force and the principal holders of the information will be.
We are in a situation in which it is not just public bodies that hold information. Public space CCTV systems, road camera enforcement systems and automatic number plate recognition systems can all capture facial images of citizens who are engaged in routine lawful activity. In its briefing, the Open Rights Group refers us to the case in which the European Court of Human Rights said:
“any state that claims a pioneer role in the development of new technologies bears special responsibility for striking the right balance”.
We are talking about the scrutiny of who has what, who has access to it and all the rest of it. Schools hold biometric information, and the national health service holds information that I understand is referred to as the gold card collection. Amnesty says that the regulation of biometrics outside policing, including its use by the private sector, is “challenging but vital” and that the Government should consider how best to achieve that. As it is presently configured, the bill will not do that.
I will return briefly to the “have regard to” provision. Like James Kelly, I have regard to a lot of things. I have had regard to dietary advice, but I will have to endure the reputational damage of not having adhered to it. We should get it right the first time. There should no problem whatever with our policing services accepting that, if the person who is engaged by this Parliament to deliberate on decisions in this area says they should do something, they should do it. There should be no issue whatever with that.
The reality is that there is flexibility within any system of law enforcement. Day in and day out, the police make judgments about whether to take actions; day in and day out, the Crown Office and Procurator Fiscal Service considers representations that are made. It should not be punitive for the police to adhere to the decisions of the commissioner, but I feel that “have regard to” is a very unsatisfactory phrase to use.
Future proofing is an issue, and the technology is far ranging. We must watch out for the snake-oil salespersons who are very happy to sell us technology that has a 2 per cent success rate—I am referring to facial recognition technology. Police Scotland has no plans to introduce it at this time, but that is in the 2026 plan. As has been said in some of the representations that have been made to us, scrutiny of the technology should be an important function of the biometrics commissioner.
I will leave it there.
We have some time in hand, but I cannot be overgenerous, interesting though Mr Finnie’s contribution was.
Mr McArthur, if you want to use up a wee bit of extra time, dinna fash yersel—you will get it.
Thank you, Presiding Officer. I will not abuse that invitation.
Like others, Scottish Liberal Democrats strongly support the general principles of this focused but important bill. As others have done, I pay tribute and offer thanks to those who helped the Justice Committee during our stage 1 scrutiny.
I also want to acknowledge the contribution of John Scott QC and his colleagues on the independent advisory group, who have done so much to lay the foundations for the bill. Mr Scott barely had time to draw breath, after digging the Government out of a hole over unregulated stop and search, before being invited to help to shape the regulatory framework for use of biometric data. He and his IAG colleagues certainly rose to that task; it is important that Parliament now passes legislation that stays true to their recommendations. As I will shortly come on to explain, I do not yet believe that the bill does that well enough. First, however, I will take a moment to put the bill in context.
The term “biometrics” is the umbrella term for our most valuable personal data, so we are considering how to govern how accessible it is to others. In 2015, it emerged that pictures of 330,000 Scots who had been taken into custody had been made available to users of the police national database. The pictures could be accessed nationwide and included pictures of many people who had never done anything wrong. The pictures were analysed and consulted in criminal identification processes.
That revelation kick-started a Liberal Democrat campaign that was spearheaded by my former colleague Alison McInnes, to protect people effectively from unregulated use of biometrics. She wrote to the First Minister at the time, demanding a review of facial recognition technology, which prompted the announcement of a review by Her Majesty's Inspectorate of Constabulary in Scotland.
During the passage of the Criminal Justice (Scotland) Bill, which became the Criminal Justice (Scotland) Act 2016, Alison McInnes lodged amendments that would have subjected collection of biometric information to the same rules as DNA and fingerprints. That would have required information to be
“destroyed as soon as possible following a decision not to institute criminal proceedings against the person or on the conclusion of such proceedings”.
Two independent expert reports, from HMICS and the independent advisory group, then agreed that fresh legislation and oversight were required. Although it has taken time for the Government to introduce the bill, the Scottish Liberal Democrats clearly welcome it, as we do the creation of a biometrics commissioner to oversee the collection, use, retention and deletion of biometrics.
To restrict the commissioner’s remit to policing, however, is problematic. As the Justice Committee heard repeatedly during its evidence sessions, biometrics are increasingly used across a range of areas—public and private. There is obviously a significant challenge in ensuring that a regulatory framework keeps pace with technologies that are evolving at a bewildering pace, but I believe that the Open Rights Group, Amnesty International and others are right to call for the scope of the commissioner’s role to be extended. Let us not forget that the IAG recommended that the commissioner should have oversight of biometrics that are used
“by the police, SPA and other public bodies.”
The cabinet secretary has informed us that he plans to extend that to cover the PIRC—I very much welcome that confirmation—and he suggests that he is prepared to keep an open mind on wider extension, but the bill needs to be more specific about how that could be made to happen. As various witnesses told the committee, it is not unreasonable to aim for the commissioner’s role to cover use of biometrics by public authorities and private actors, where biometrics are being used on the general public. That may be the case in other parts of the justice system, or in areas including education and health, where biometrics are being used increasingly. That extension would reflect the public mood and expectation.
Of course, there is a balance to be struck between, on the one hand, public safety and giving the police the tools that they need in order to do the job that we require of them and, on the other, individual rights—not least, the right to privacy.
I will address the substantial point about potentially broadening the role in the future. Does Liam McArthur recognise that biometrics data that is collected and retained by the police and the SPA for policing and criminal justice purposes is unique in its own right? Often, such data is taken without the consent of the individual, if it is needed for crime investigation purposes. Therefore, the focus on policing and criminal justice is the right place to start because of the unique nature of the data that is collected.
I absolutely do not dispute that, nor would I dispute that that is perhaps the area of priority. However, we should not lose sight of the fact that the technology is increasingly being used and deployed in other areas of the public realm.
There is already public concern about live facial recognition technology, which was referred to by John Finnie and others. Such technologies are increasingly being trialled and used by the police to monitor public spaces. We must be very wary of what can amount to indiscriminate mass surveillance—not least given the inaccuracy of the technology. In its briefing, Amnesty refers to analysis that shows that the technologies generate false positives in about two thirds of cases. The Metropolitan Police suggests that the figure is as high as 80 per cent, with there being particular problems in matching images of people from the black and minority ethnic community. Clearly, that is no basis for roll-out of the technology, at this point.
The lack of a legislative framework and transparency, the potential for discrimination, the absence of public information and rights of review or appeal, all point to use of such technologies and retention of images being potentially unlawful. The issue of review or appeal was picked up by the Law Society of Scotland, which argues that, for public confidence, a complaint mechanism to enable the public to refer issues to the commissioner on use of biometrics, and for when there has been lack of compliance with the code of practice, should be included in the bill.
As for the code of practice, a draft of which was drawn up by the IAG, the committee concluded that it should be on a statutory footing and should come into force at the same time as the commissioner takes office. The Law Society of Scotland suggested that that would avoid the need for speculation about what the code might or will include. Disappointingly, the cabinet secretary has rejected those calls, which is something that I am sure the committee will return to at stage 2.
The cabinet secretary also appears to be determined to do his own thing when it comes to the proposed ethics advisory group. John Scott and his colleagues recommended the establishment of such a group
“as part of the oversight arrangements.”
The remit would be to
“work with the Commissioner and others to promote ethical considerations in acquisition, retention, use and disposal of biometric technologies and data.”
The Government accepted the recommendation but has failed to put it in the bill. Again, that is disappointing and needs to be addressed.
On enforcement powers, the Government has argued that the threat of naming and shaming is sufficient. The committee was not convinced, nor indeed were many people from whom we took evidence. Again, that is something to which, I am sure, we will return at stage 2.
More encouragingly, I note the cabinet secretary’s willingness to consider amending the bill to include regulating powers so that biometric data can be defined and subsequently updated. That is very welcome.
Scottish Liberal Democrats have led the way over the past five years in campaigning for proper regulation of use and retention of biometric data, including the establishment of a biometrics commissioner. On that basis, we warmly welcome the bill, but believe that there is more work to be done to ensure that it is up to the formidable task that is required of it.
Technology in biometrics is advancing at breakneck speed, so we must be prepared for it by introducing a sensible framework of legislation to enable the police to detect, prevent and prosecute crime. That is why I am pleased to support the general principles of the Scottish Biometric Commissioner Bill today.
I thank the clerks and bill team for their hard work in collating the evidence that we heard from a variety of excellent witnesses, and I thank the witnesses for helping us with their expertise in the field.
The written and oral evidence that the committee received showed broad support for the establishment of a Scottish biometrics commissioner. Of course, it is important that we have the public’s support for and confidence in the use of the new technology. A new independent and expert commissioner is pivotal to achieving that, and to helping us to ensure that use of biometric data in criminal justice and policing is effective, lawful and ethical.
The bill covers acquisition, use, retention and disposal of biometric data, including fingerprints, DNA and currently emerging techniques such as iris recognition, which are all necessary to keep communities safe and to help police in their fight against crime. In my view, it is an example of using technology for the best purposes—although, of course, human rights and data protection requirements pose challenges and must be strongly considered. Again, that is why the post of biometrics commissioner is so necessary.
The UK Government’s Commissioner for the Retention and Use of Biometric Material, Professor Paul Wiles, is on record as saying that the bill will place Scotland at the forefront of legislating for oversight of biometric data in criminal justice. He said,
“Many other countries are quite interested in what Scotland is doing, because they are all aware that they have similar issues”.—[Official Report, Justice Committee, 24 September 2019; c 2.]
Biometrics in its earliest forms saw the introduction of use of criminal history photographs and fingerprinting, which has been going on for about 100 years. Those of us who are of a certain age will remember when DNA fingerprinting was introduced 30 years ago, and how it revolutionised policing and crime detection. We all marvelled at the technology that allowed more and more crimes to be solved. That scientific development has played a fundamental role in solving serious crimes, including murder and sexual offences.
We are moving on to more sophisticated and accurate biometric testing, so it is only logical for Scotland to have its own independent commissioner, who will be appointed by Parliament in order to ensure impartiality.
Due to the fast-changing nature of the technologies, the committee and the Government have sought to keep some aspects of the bill flexible enough to cope with technical advances. Due to the complexity and nature of the bill, it has been split into sections. It is impossible to discuss all aspects in a short speech, but I will highlight the main areas of discussion that came up in evidence to the committee.
Sections 2 to 5 of the bill set out the functions and powers of the commissioner. A primary function of the commissioner will be to draft and promote a code of practice on use of biometrics by Police Scotland and the SPA. The commissioner will also play an important part in informing the views of policy and law makers who are responsible for making the law within which Police Scotland and the Scottish Police Authority must operate. The code of practice will not be specified in the bill, in order to allow for flexibility and future proofing, as I said earlier.
There was discussion on whether the code should be mandatory, with sanctions to be imposed if it is broken, rather than it being something to which people should “have regard to”. John Finnie mentioned that; I know that he feels strongly about it. There is a strong argument for that. The committee has asked the Government to review the effectiveness of the term “have regard to” as a working practice. In reality, the code of practice must be taken seriously, and any failure to observe it will need to be accompanied by a good reason for that. There could also be legal consequences if the code is not adhered to, including judicial review.
Another aspect that was widely discussed during evidence was the jurisdiction and cross-border nature of some aspects. We had to consider who would be accountable for data and where ultimate responsibility would lie. The Government believes that it is for Police Scotland and the SPA to manage the data that they allow to be uploaded to United Kingdom databases, and that it is their responsibility to ensure that records are managed effectively.
The committee recommended that, in relation to their functions in Scotland, the National Crime Agency and the British Transport Police be included in the bodies that are set out in section 7, and asked that the Scottish Government lodge the necessary amendments at stage 2. The cabinet secretary spoke about that in his opening speech. I will welcome such amendments.
There is also an argument for including public and private bodies, as several members have mentioned. The Scottish Government is currently liaising with various bodies and the UK Government on that; it is, as they say, a work in progress.
The committee also recommended that the Commissioner for the Retention and Use of Biometric Material be added to the bodies that are set out in section 3, in order to enhance the power of the Scottish commissioner to work with others. It also recommended adding the Forensic Science Regulator and the Surveillance Camera Commissioner.
I believe that the Scottish Government favours a memorandum of understanding between the organisations, which would signpost a complaints mechanism that is to be available to the public. However, the Government stresses that it would be for the new Scottish biometrics commissioner and the UK commissioner to agree on that.
The committee also recommended the setting up of an ethics advisory group. The Scottish Government is also open to considering wider views on the remit and membership of that group, and to whom it should report. The Government believes that it is important that the remit is scoped to ensure relevance, and that its members have the appropriate skills and experience.
As the convener mentioned, the committee recommended that a complaints mechanism be included in the bill, but the Government believes that the commissioner’s role should be strategic oversight, rather than dealing with resolution of individual complaints. I am sure that that will be fleshed out in the later stages of the bill.
There are areas of detail that are still to be determined, which will of course be addressed at stage 2. However, it is essentially a good bill that will greatly enhance crime prevention and detection. I whole-heartedly support its general principles.
I am pleased to speak in the debate, and I support the general principles of the bill. Like others, I thank the clerks and the bill team for all their work so far.
It has been an interesting experience for the Justice Committee to look at the bill, which has expanded my knowledge of all matters biometric. The key point is that we must recognise that technological advances have brought huge benefits to the police in detecting, preventing and prosecuting crime. The aim here is to ensure the effective use of biometrics technology by the police in a manner that is ethical and respects fundamental rights and freedoms. It is a balancing act.
The roles of the commissioner and the code of practice will help to maintain public confidence in how biometric technologies and data are used by the police in crime detection.
As other members have mentioned as background, the bill emanates from the independent advisory group’s report on the use of biometric data in Scotland. The report pointed out that there is currently no independent governance or oversight of use of such data in policing in Scotland. In deciding whether an independent biometrics commissioner would be necessary, the group had regard to the presumption against establishing new public bodies in Scotland, but it considered that there was no body within the competence of the Scottish Parliament to which oversight of biometric data could be given.
During its work, the IAG received several submissions that suggested possible aspects to the commissioner’s role, which we have heard about in the debate. A key aspect was the development of a code of practice that relates to the handling of biometric data and holding bodies to account for following the rules that are set out. There were also recommendations that the commissioner should have a mandate to begin investigations and have an independent complaints mechanism, and that they should report to Parliament and publish regular reports on their work.
An important element that the IAG mentioned was that the commissioner should have a role to play in public education and engagement. It was felt that the public is sometimes frustrated about the lack of clear jargon-free information to allow people to understand the powers that authorities hold, as well as the powers that the public have to hold authorities to account and how to exercise those powers. I hope that engagement with the public will be a key role of the commissioner.
I welcome some of the cabinet secretary’s commitments. On the recommendation that there should be an ethics advisory group on biometrics in Scotland, I welcome the cabinet secretary’s commitment to form an independently chaired reference group to scope the possible legal and ethical issues that arise from emerging technological developments.
I move on to the conclusions of the committee’s stage 1 report. There has been a bit of a debate about the scope of the bill, and the committee heard a good deal of evidence about that. Some have called for a wide extension of the bill and others have called for a smaller extension to other parts of the justice system, such as CCTV systems in the Scottish Prison Service. Some have called for it to be extended to include private sector users of biometrics and private sector technology developers, whose work drives the use of new biometric data.
Although I have sympathy with that position, a phased approach and making sure that we get it right for the justice system—initially, for policing, in particular—is important. I welcome the fact that the cabinet secretary has agreed to extend the scope to the PIRC.
As I understand it, the Scottish Government has said that it might be appropriate in the future to extend the commissioner’s oversight role to cover other criminal justice related matters, and the bill includes a power to amend the resulting act in that regard. I also understand that the Government will consider consultation in due course about including in the scope of the Scottish biometrics commissioner further persons or bodies with criminal justice related functions. That strikes the right balance at the moment. On whether it goes further than that in the future, we need to enable the commissioner to get themselves and their office up and running, then perhaps revisit their scope in due course.
There has been a debate about a statutory footing for the code of conduct. I hear what the cabinet secretary is saying: the code of conduct itself has statutory underpinning, but its detail should be left flexible for the commissioner to develop in consultation with bodies and—importantly—the public. Again, that probably strikes the right balance.
As others have said, the work that is being done here in Scotland is of interest to other jurisdictions that are also wrestling with these issues as technology develops apace. I look forward, hopefully, to Scotland leading the way in the area—as I am sure that it will.
I welcome this afternoon’s stage 1 debate on the Scottish Biometrics Commissioner Bill. I acknowledge the scrutiny work of the Justice Committee, with the support of its clerks, and thank them all for that. The committee’s report raised most helpful recommendations, which I hope will be properly considered today.
With the increasing use of biometric data, particularly the rise of second-generation biometrics, the need for a biometrics commissioner in Scotland is absolutely clear. We have a situation where biometric data has evolved and expanded and is now about not just the collection of DNA, fingerprints and photographs but enhanced facial recognition software, social media information and voice pattern systems, among other things. Legislation must reflect those changes, taking into account the sensitive nature of data collection, which is what the bill seeks to do.
New biometric data opens up more opportunities for our police force. It can target the gaps in criminal proceedings with new ways of detecting criminal behaviour through, for example, personal traits and advanced movement technologies. For victims of violent crime or sexual assault, such scientific developments can, in many cases, ensure that their cases reach a just close. Of course, I am in favour of any advances that equip our police force in Scotland to prevent crime to the best of its ability.
However, although biometrics may pave the way for solving serious crime in the future, it is incredibly important that any new legislation considers the ethics of using such data and technology. Indeed, the protection of human rights, personal security and privacy when gathering and storing data can present potentially serious obstacles that should not be ignored. With that in mind, the creation of a Scottish biometrics commissioner is a positive and necessary step forward. It is vital that such a position will allow for any biometric data policy and practice by Police Scotland and the Scottish Police Authority to be kept under close review. In particular, I welcome the decision that the role will be especially mindful of how young people and those who are most vulnerable might be impacted by the data-gathering process. That oversight would encourage a greater level of protection and accountability for those who need it most. l am supportive of the flexible and independent nature of the commissioner’s role, particularly in relation to how they might consider new technologies and incorporate those into the criminal justice system as appropriate.
Importantly, the role of the biometrics commissioner would also serve to create a public dialogue about our understanding of biometric data, particularly the second-generation advances and how those might be used safely. Ultimately, the use of biometrics in Scotland needs to be made clearer and have greater transparency. A Scottish biometrics commissioner would have to encourage a public conversation about how data is collected and how those practices can be effectively utilised overall—without infringing upon human rights standards.
Linked with that, I would welcome further discussion on the possibility of widening the biometrics commissioner’s role to encompass the use of biometric data by other groups. Indeed, many of the witness contributions that are included in the Justice Committee’s report state that public bodies such as the national health service, as well as some private companies, are also in need of essential oversight of how they collect and store biometrics data. Although I accept that it may be best to start with a policing and justice remit at this stage, clarification as to whether the commissioner’s capacity might be expanded to include other groups in the future would be very much appreciated.
To gain public confidence in personal data protection, the bill would be further strengthened through the inclusion of a complaint mechanism, as the Justice Committee recommended.
We cannot expect the public to put their trust in the provision of a biometrics commissioner if the role does not allow for complaints referral. If issues are detected in Police Scotland’s or the SPA’s handling of biometrics, the public need to be assured that a level of accountability is in place. That would ensure that the role of the biometrics commissioner is independent and efficient.
Of course, at the centre of our debate today is how ethical standards can be preserved. As we know, the independent advisory group for the bill recommended that an ethics advisory group be created to work with the commissioner and other key stakeholders. Its role would be to encourage ethical decisions to be made in the use, retention and disposal of biometrics. That recommendation was in response to there being no provision for such a group in the bill. I am sure that colleagues share my opinion that that was an oversight. Although I am aware that the Scottish Government has indicated that it is working towards establishing that group in conjunction with the commissioner role, I find it concerning that that was not clarified in the bill beforehand.
I welcome this first stage of the Scottish Biometrics Commissioner Bill. The bill sets out a much-needed role alongside a code of practice that will ensure that personal data is handled in keeping with ethical standards. I hope that the upcoming stages of the bill will address some of the issues raised in the Justice Committee’s report, so that the bill can be as effective as possible.
It gives me pleasure to speak in this debate as a member of the Justice Committee, which scrutinised the bill at stage 1. Like others, I take this opportunity to pay tribute to the witnesses and to the clerks, who have undertaken so much work on the bill. I also pay tribute to the clerks for the work that they are doing on other bills, because the Justice Committee, as I am sure members will know, is a very busy committee indeed, and the clerks definitely have their work cut out.
It is great also that there has been broad cross-party consensus on the bill, with the committee agreeing to the bill’s general principles and the stage 1 report. There is no doubt that we need the bill now. As other members have said, technological advances have brought massive benefits to policing in recent times and help to keep us all safe. However, the bill and the creation of a commissioner will help to ensure that the use of biometric data is effective, lawful and ethical.
Of the areas that the committee considered in greater depth, there are three that I want to focus my remarks on today: first, increasing the scope of the commissioner; secondly, the creation of an ethics panel; and, thirdly, the flexibility of the bill to move with the times. Those areas have already been covered by other members and there is broad agreement about them, but I will perhaps come at the Government response from an angle that is slightly different from that of some of my committee colleagues.
Shona Robison talked about this issue just a couple of minutes ago and others have raised it, but one of the areas that the committee focused on was giving consideration to the scope of the commissioner. The committee recommended that the National Crime Agency and the British Transport Police be included among the bodies that are set out in section 7(1) and section 3. I note in the response from the Scottish Government that it is considering the inclusion of those bodies as well as the Ministry of Defence Police, and that discussions are on-going. The cabinet secretary stated that a section 104 order under the Scotland Act 1998 would be the most appropriate mechanism for conferring duties on such bodies and that it is not possible to introduce that as a stage 2 amendment. I welcome that Government response, because the area was one of the more debated aspects in our consideration of the bill at stage 1, and I feel that the Government response has brought clarity to it.
We also recommended that provisions for the Commissioner for the Retention and Use of Biometric Material, the Forensic Science Regulator and the Surveillance Camera Commissioner be added to section 3. I note and welcome the fact that the Government is considering that. Perhaps when the cabinet secretary sums up, he could expand on any thoughts that he and the Government might have on that ahead of stage 2, if he has time. I note also that, overall, the Scottish Government is clear that it might be appropriate in future to extend the commissioner’s oversight role to cover other criminal justice-related matters and that that will be consulted on. Again, I welcome that.
As we have already heard, there was some discussion in the committee on an ethics advisory group. The committee believes that an ethics advisory group that is established to support the commissioner must be independent of the Government and that its membership should be a matter for the commissioner. Amnesty International said in its briefing that the use of biometrics has the potential to breach human rights, such as the rights to privacy, to freedom of association and to peaceful assembly, and it referred to facial recognition, which John Finnie talked about in his speech. It is important to bring in what Amnesty International said about that, because it is an important aspect of the reason for having an ethics panel.
I note that the cabinet secretary gave a positive commitment to establish such a group, which he articulated at several committee meetings during stage 1, and I accept his detailed explanation for why that might not be best achieved through primary legislation, which includes the fact that that is not what was recommended by the IAG in 2018 and that the equivalent group in England and Wales is not on a statutory footing—I know that that group was referenced quite regularly. There are fears that such a move might be premature and lead to a lack of the flexibility that we all agree is important in this legislation. The Scottish Government would prefer to take time to consult to ensure that it has a wide range of views about the best way forward, so that the remit of the group is relevant and that the group has members with appropriate skills and experience. That is a fair enough request from the Government—if it feels that it needs more time to consult, we should take that seriously. It is also important that lessons are learned from the establishment of the emerging technologies advisory group, which will be established early this year, given that the groups will have similar remits. Those are reasons that have convinced me in relation to the committee’s recommendation.
The final area that I will address is flexibility to move with the times, which is important because of the rapid development of technology in the field of biometrics. The committee discussed that in great depth, and many witnesses brought it up, too. I welcome the fact that the Government is content to bring forward an amendment in this area at stage 2. Given the initial response that the cabinet secretary sent to the committee, I ask him to expand on his early thinking on the issue when he sums up.
I also note that, in its briefing, the Law Society calls on the Government to ensure that the role of the commissioner is appropriately funded on an on-going basis to ensure that any change in remit can be coped with. I think that we all expect that the role will need to be flexible and that it will have to change as technology changes so that we can have an ethical approach.
This is a good bill. Clearly, there are issues that will be debated at stage 2 in order to make it even better—that is the point of having this process. This has been a good and consensual debate, and I encourage Parliament to agree to support the principles of the bill at stage 1.
I start by thanking the clerks to the Justice Committee, the bill team and the witnesses from whom the committee took evidence ahead of today’s debate.
As we have heard, “biometrics” is the technical term for a strand of biology that applies statistical analysis to physical measurements. Many of us use biometrics every day, from entering this building to unlocking our mobile phones using facial recognition technology. As the stage 1 report notes, over the past 30 years, this type of technology has become key in detecting and prosecuting crime. Indeed, because biometrics are non-transferable and difficult to falsify, their growing importance in the justice system cannot be underplayed. Advances in technology have created many benefits for our modern-day justice system, and the role of the new independent commissioner has therefore become of essential importance in overseeing the use of personal information by the police, in addition to helping to maintain public trust in its ethical use. As the committee notes, the creation of that role is both timely and necessary.
As was mentioned by Shona Robison, the need for a biometrics commissioner, independent of the Government, was also a key recommendation in the 2018 independent advisory group’s report, which said:
“There should be legislation to create an independent Scottish Biometrics Commissioner. The Commissioner should be answerable to the Scottish Parliament, and report to the Parliament. The Commissioner should keep under review the acquisition, retention, use and disposal of all biometric data by the police, SPA and other public bodies.”
Although technological advances in biometrics have undoubtedly brought huge benefits to policing, they have also created challenges for Governments globally, as it can be difficult for legislation to keep pace. In its briefing ahead of today’s debate, Amnesty International says:
“effective regulation of these technologies is a significant challenge that governments across the globe are grappling with as technology evolves faster than regulatory frameworks—and we remain open minded about how best effective regulation can be achieved to ensure all biometrics technology use is in line with international human rights”.
As Rona Mackay mentioned, on the issue of human rights, HMICS asserted that the role of the commissioner creates an opportunity in Scotland to
“explore emerging human rights and ethical considerations around the use of biometric data”.
The Commissioner for the Retention and Use of Biometric Material summed up the challenges of new technological advances in his 2018 annual report. He said:
“We are seeing the rapid exploration and deployment by the police of new biometric technologies and new data analytics. Some of these will improve the quality of policing and will do so in a way that is in the public interest. However, some could be used in ways that risks damaging the public interest, for example by re-enforcing biases of which reinforcement is not in the public interest. If the benefits of these new technologies are to be achieved there needs to be a process that provides assurance that the balance between benefits and risks and between benefits and loss of privacy are being properly managed.”
The committee asked the Government to consider how a perceived lack of debate and transparency in relation to the use of biometrics across Scotland might be addressed. The Government’s response accepts that the commissioner
“as an independent office-holder will, once appointed, be best placed to lead any debate on the level of transparency on the use of biometrics for criminal justice and police purposes”.
The financial memorandum states that the commissioner’s role will be part-time—estimated to be 0.6 full-time equivalent—and that the commissioner is to be supported by three full-time staff. In evidence sessions, the committee heard debate as to whether the position should be enhanced to a full-time role. Detective Chief Superintendent Sean Scott advised that
“It will be an extremely busy role; it is a burgeoning area of business and there is so much to do ... Extending the code of practice into other areas will be a huge task, so full time might be the best option.”—[Official Report, Justice Committee, 29 October 2019; c 12.]
However, Tom Nelson, the director of forensic services at the Scottish Police Authority, advised that, although a full-time role was in operation in England, that individual’s role covers 43 forces. He concluded that
“0.6 of a full-time equivalent is probably reasonable ... given the size of Scotland compared with England and Wales.”—[Official Report, Justice Committee, 29 October 2019; c 12.]
In response to my line of questioning, Mr Nelson also explained that a lot depended on the level of staffing available to the commissioner. I raised that issue with Professor Paul Wiles, who said:
“I think that the role will be part time due to a combination of the amount of time that the commissioner is envisaged as providing and the extent to which his or her office can help in that process ... It is a team effort rather than just that of a single person.”—[Official Report, Justice Committee, 24 September 2019; c 9-10.]
As Liam Kerr mentioned earlier, the need for public confidence and trust in the use of biometrics by the police and criminal justice system is essential. The committee recommended that
“the Scottish Government includes a complaint mechanism within the Bill, to enable the public to refer issues to the Scottish Biometrics on the use of biometrics by Police Scotland and the SPA, or on their lack of compliance with the Code of Practice.”
However, I note from the Government’s response its assertion that, as the commissioner’s role is
“intended to be one of strategic oversight rather than resolution of individual complaints”,
the responsibility should instead rest with the Information Commissioner’s Office. The Government also mentions the development of
“a fully comprehensive communications strategy, which would help the public understand the Commissioner’s role.”
That is welcome.
As we have heard today, the evidence that the Justice Committee received on the establishment of the biometrics commissioner has been broadly supportive. As the Commissioner for the Retention and Use of Biometric Material, Professor Wiles, stated, the bill places Scotland at the forefront of legislating for the oversight of biometric data in criminal justice.
On that positive note, I conclude my speech.
It has been an interesting debate. There is a lot of consensus around the bill and a lot of support for its general principles and the establishment of a biometrics commissioner.
In their speeches, Humza Yousaf and Liam Kerr emphasised the need for public confidence in the role of the biometrics commissioner. That is a good test for some of the arguments that played out during the debate. There has been disagreement between the committee and the cabinet secretary around the scope of the commissioner’s role. In the bill as introduced, the commissioner’s role will cover Police Scotland and the SPA. The cabinet secretary has helpfully said that that will be extended to the PIRC and the British Transport Police.
During the debate, members have argued that the scope of the role should be extended to public bodies such as the national health service and to private companies. Shona Robison argued for a staged approach, supporting the position that the cabinet secretary outlined. Maurice Corry was interested in testing that further, and John Finnie wanted to move much further down the line and take on board private companies.
Having listened to the arguments this afternoon and to the evidence at committee, I am more persuaded to move along the line to where John Finnie is. I understand Shona Robison’s point about a staged approach, but we are establishing an important role. Data collection techniques and technology—and its uses—can change quickly, and private companies are picking up on issues such as facial recognition technology. We therefore need to be more robust in the bill. I return to testing things against public confidence: we need to go further than Humza Yousaf has outlined in order to instil public confidence in the approach that we finally agree.
Similarly, in relation to powers, Margaret Mitchell made a strong case on behalf of the committee that there should be more on compliance with the code of practice. There was a lot discussion about whether the phrase “have regard to” is strong enough. If we really want public confidence, we need to go further than simply saying that people should “have regard to” the code.
On access, again, if we want public confidence, we need to have a strong complaints process with which the public are able to engage. A number of members made points about the need for amendments to include a complaints process in the bill—and we truly need such a process. Another key point on the code of practice that was brought out is that, bearing in mind the code’s far-reaching consequences of the code, approval should be for Parliament, not ministers. The committee felt strongly about that.
A number of members, including Liam McArthur, Rona Mackay and Fulton MacGregor, spoke about the ethics advisory group. Liam McArthur made a very strong point about its absence from the bill as introduced. Bearing in mind the data collection issues that we are dealing with, it is important that proper regard is given to the establishment of an ethics advisory group.
John Finnie made an important point about the potential gap in the legislation around retention of data. We heard some evidence on that at committee. Data might be held without a proper legal basis for doing so, so I hope that, separate from the bill, the Government will ensure that an appropriate legal basis is established to ensure that any data that has been collected is deleted when the end of its retention period is reached. It is crucial that people’s human rights are not compromised.
It has been an interesting debate. Some differences have been brought to the fore in a reasonable and considerate manner. I am sure that the cabinet secretary, being the reasonable and considerate person that he is, will take on board some of the changes that members have suggested ahead of stage 2 consideration of the bill.
It is perhaps not just a conservative instinct—I say “conservative” with a small c in this consensual debate—but a human instinct to stand up for the individual, to check the power of the state and to prevent Governments or their agencies from overstepping their bounds, so I welcome measures that seek to prevent unnecessary intrusion into the lives of ordinary Scots.
As was so eloquently said by my colleague Maurice Corry, legislation needs to reflect the technological progress that we have made. Legislation should, of course, support the police in carrying out their duties and in their use of new technology in all circumstances in which doing so is appropriate to their tasks. However, the public must be protected from any misuse or abuse of all technologies or techniques, new or old, and their use must submit to the rule of law and respect for individual dignity.
With that in mind, Parliament will no doubt require to revisit the issues that arise in this debate, in both the public and private fields, as we move into the future. Others have already commented on that. I cannot better James Kelly’s superb round-up of members’ contributions, which I shall not repeat.
If the legislation contributes to respect for those principles, the office of the commissioner may take a leading role in promoting a greater understanding of personal biometric data and how its use affects us, preventing overreach, and balancing what Police Scotland has termed the
“competing concerns of public benefit”.
However, as has been highlighted, key issues remain. First among those is the approach that any newly created commissioner would take to working jointly with the UK commissioner—a post that was created in 2012. In its stage 1 report, the Parliament’s Justice Committee heard evidence from the Law Society of Scotland that the bill does not specify how the Scottish commissioner should interact with his or her UK counterpart. For example, will the policy in Scotland—with its separate judicial system and police service—diverge distinctly from UK policy? How will that affect co-operation on joint competencies? Such questions have arisen.
Although I note the cabinet secretary’s comments in his opening speech on cross-border bodies, we surely need greater clarification of how information sharing, obligations and oversight involving the two offices will work, not least in light of cross-border considerations of terrorism and organised crime.
The UK commissioner, Paul Wiles, told us that his mandate to monitor and publicly report is enough to ensure compliance. The bill, of course, goes a step further by giving his Scottish counterpart the power to require the provision of information. However, it does not grant the commissioner power to sanction public bodies that are found to be in breach of any proposed policy on biometrics. My colleagues Liam Kerr and Margaret Mitchell, who is the Justice Committee’s convener, have rightly pointed to the committee’s view on the weakness of the enforcement provisions and to the lack of a complaints procedure, which will not bolster public confidence.
Against the background of Scotland having a single unitary police force, there is perhaps more potential for unintentional overreach than if we had multiple forces across the country, and there is less scope for performative comparison by benchmarking in Scotland than there is in England and Wales, with their decentralised police authorities. In England and Wales, scrutiny of standards from an enforcement perspective can be exercised by comparative means.
That supports the committee’s conclusion that a code of practice must be provided for in subordinate legislation made under the bill. Naming and shaming will hardly be adequate to ensure compliance. Serious and legitimate concerns have been raised in evidence to the committee about the lack of legal enforceability in the bill as currently drafted.
Against that background, and given the framework that is set out in the bill, I turn to section 12(3)(b), which seems both unclear and extraordinary in some ways. In general, section 11, on the commissioner’s power to gather information, appears unobjectionable—apart, perhaps, from section 11(3). Likewise, by providing a means to enforce the commissioner’s powers through recourse to the Court of Session, section 12 also appears to make sense—apart from section 12(3)(b).
The difficulty with section 11(3), as I see it, is that the definition that it contains of what information may or may not be provided is what is called in the courts a moot point. It can depend on a multiplicity of factors. That causes an immediate lack of clarity as to what information is being referred to where it says
“information which that person would be entitled to refuse to provide in proceedings in a court in Scotland.”
However, the major point is that section 12(3)(b) gives the Court of Session a power to deal with a failure to provide information to the commissioner
“as if it were a contempt of court.”
The words “as if it were” summarise the problem. It is not a contempt of court. Is the bill seeking to set up the commissioner as a quasi-judicial figure? If so, that is a bad thing, because to confuse roles and powers that individuals who act in public offices possess is a bad thing. In the normal course of events, contempt of court carries a penalty of up to two years’ imprisonment to deal with, for example, failures to obtemper, or carry out, orders of a court. It should not be extended lightly. In short, it should not be extended to include something that is a failure in relation not to a court, but to someone else.
It would be helpful if the cabinet secretary could explain the provision a bit more—in this debate, if he can—and point to specific examples under existing legislation in other areas where conduct that is not contempt of an actual court may be treated as if it is.
I agree that the bill can provide a useful counterpoint to the emerging threat of a biometric avalanche. On that basis I, like others who have spoken in the debate, am supportive of it.
I will do my very best, Presiding Officer.
I thank the members who contributed to this afternoon’s debate, which has been healthy and constructive. Quite rightly, it has also been challenging, and I would expect nothing less, given the subject matter. I am very familiar with some of the issues that have been raised. I will take away and give further consideration to the issues that Gordon Lindhurst and, previously, Liam Kerr raised about contempt of court, and I will either write to the members or, perhaps, address the issues at stage 2. Some of the issues that have been raised have not been in my consideration thus far, and I thank members for raising them with me.
I am encouraged that the lead committee’s endorsement of the bill has been reflected in the debate. The bill covers a broad range of fundamental questions. How do we best keep communities safe while respecting the rights of individuals? How do we best ensure that we hold the most personal of data in an effective, proportionate and ethical manner? How do we ensure that the draft legislation and associated procedures are future proofed to enable us to respond to technological advances in the digital age? How do we best ensure that the public are aware of their rights and, equally important, that they know who to turn to should they have concerns? Those are just some of the basic but fundamental questions that each of us has to ask in relation to the bill, and many of those who contributed to the debate attempted to answer them.
It would be very unusual for any bill to achieve complete consensus at stage 1. There is consensus that we should agree to the bill’s principles and move on to stage 2, but there are, of course, differences across the chamber and challenges to the Government, which I have heard loudly and clearly. I will try to address some of those issues one by one. If I have time, I will be more than happy to take interventions, so if I omit any of the fundamental matters, members can intervene and ask me about them, should they wish to do so.
First, I will address complaint handling, which was raised by almost every speaker in the debate, but first and foremost by the convener of the committee in her speech. It has been mentioned in the committee as well.
In the drafting of the bill, a fair amount of consideration was given to the non-duplication of the roles of the Scottish biometrics commissioner and the UK Information Commissioner’s Office. The Scottish biometrics commissioner’s role is very much to complement the role of the Information Commissioner’s Office. It is worth reiterating and stressing that there is currently an avenue through which a complaint about the handling of data can be made and then investigated. A member of the public in Scotland can make such a complaint right here, right now. The role of the biometrics commissioner is designed to avoid duplication.
The work of the ICO is driven by complaints from individual members of the public. That is its bread and butter and the thrust of its work. The Scottish biometrics commissioner’s remit will be driven by identifying systemic deficiencies. There has been a lot of discussion with the ICO about the complementarity of the roles, and the ICO very much welcomes the creation of the new biometrics commissioner.
I agree with Liam Kerr and many other members that we want to maintain public trust and confidence, not to lose it. Therefore, making it very clear where complaints should be directed will be hugely important. I envisage that the Scottish biometrics commissioner might wish to develop a comprehensive communication strategy to explain its role.
Above and beyond that, it would make sense for the two commissioners to agree a memorandum of understanding, in order to aid understanding of their respective roles and to confirm to members of the public who wish to complain about the handling of their biometric data that they should take a complaint to the ICO. Scottish Government officials have had a number of discussions with the ICO, which has indicated its willingness to enter into such a memorandum of understanding.
I agree that we do not want duplication. If we are setting up a biometrics commissioner with a specific code of practice that pertains specifically to the role, collection and retention of biometric data in Scotland, it seems logical that, if people were to have an issue with any of that process, they would want to go directly to the biometrics commissioner as opposed to the ICO.
I do not disagree with what James Kelly is alluding to, which is that there could be an element of confusion about who people should go to. I will give a practical example that MSPs deal with in our everyday lives. I have constituents who come into my constituency office, which I share with my MP colleague, with an issue that is on a reserved matter. First, they will speak to me at my surgery, and then, if the case is to do with the Department for Work and Pensions or immigration, I will pass on their details to the MP, and I will inform my constituent that I have done that. I have never had a constituent complain that I have passed on their details, with their permission, so that the MP can pursue the case and, I hope, get a satisfactory outcome.
There can be confusion about what an MSP deals with, what a councillor deals with and what an MP deals with. However, as long as there is a seamless transition to the right point of contact and the person who can deal with the complaint or concern, there is rarely an issue. Having the two commissioners agree a memorandum of understanding is the right approach to take.
I should have said at the start of my speech that I will be open minded about all the suggestions that have been made by members across the chamber. My other concern in relation to complaint handling is that we could be out of scope, because the ICO has a reserved function on data protection and the investigation of complaints. However, I will give what has been said careful consideration.
Members right across the chamber consistently raised issues with the phrase, “have regard to”.
I listened carefully to the point that John Finnie, James Kelly, Liam Kerr and others made that, instead of the phrase “have regard to”, we should require compliance with the code of practice from the beginning and then perhaps review the situation in future. I understand that the Parliament wishes to ensure that Police Scotland and the SPA adhere to the code of practice. However, it is important to note that any provision that would force those bodies to comply with the code would in effect create a general regulatory regime in relation to the processing of biometric data by those bodies. Given that biometric data can also be personal data, my concern is that such a regulatory regime would cut across data protection law, which is reserved, and so may be outside our legislative competence.
Having said all that, I am happy to consider the committee’s recommendation that we review the “have regard to” provision. I am mindful that the Government and Parliament could carry out post-legislative scrutiny of the commissioner’s power at any time, without further legislative provision being required. However, I hear pretty loud and clear that members from across the chamber have real and sincere concerns. Therefore, I give an absolute assurance that, before stage 2, I will reflect on the points that each of the justice spokespeople and the convener of the Justice Committee made in that regard.
Another issue that has been mentioned is whether it is possible to extend the scope of the bill beyond policing or Police Scotland. My view is that it is possible to extend the bill, within the overarching purpose of criminal justice and police purposes, to include private sector bodies or other Scottish public authorities that operate in that field. Indeed, the bill already expressly includes the power to do that by regulation once the commissioner’s office is up and running.
On resourcing, obviously, the bill is accompanied with a financial memorandum. On top of that, on the question that was raised about whether the resourcing is adequate, the view was taken that it is very similar to the resourcing for the English commissioner. Therefore, at the moment, I do not envisage a resource challenge. Clearly, if the scope was extended—I will expand on that point in a moment—there may well be a resource implication. At that point, the Government would absolutely have to look at that. We would not look to extend the scope of a commissioner if there were concerns about resourcing. Any concerns would have to be made very obvious up front in that process.
Any move to extend the commissioner’s role would require the development of a substantive case for change, supported by an appropriate evidence base and by public consultation. I will keep an open mind as to the broadening of the commissioner’s remit to include other public bodies, but I say firmly that that would be after the new commissioner has had time to bed in and after a period of consultation. That would be the appropriate approach.
Liam McArthur and a number of other members raised the issue of an ethics advisory group. I note the committee’s wish for an advisory group to be established on a statutory footing and for its members to be appointed by the Scottish biometrics commissioner for the purpose of supporting the commission. However, that is at odds with the IAG’s recommendation, which the Scottish ministers have already committed to implementing. To be clear, I fully support the formation of an ethics advisory group. I recognise that it can make a valuable contribution to our collective understanding of the key ethical, legal and technical issues arising from the use of biometric data in policing and criminal justice.
I fully intend to honour that 2018 commitment, but I remain unconvinced of the need to include the group in the bill. The committee’s report does not make clear why a statutory footing is required. I note that the IAG did not ask for the group to be statutory and that the biometrics and forensic ethics group in England and Wales, which the stage 1 report and the IAG reference, is not a statutory group. I ask members to reconsider and perhaps explain their position more fully.
I am open to wider reviews of the remit and the membership of the group and to whom it should report. The IAG called for a consultation to explore the options and that is what I want to do.
A number of other issues were raised, but I have responded to the fundamental ones. I will reflect carefully on some of the challenges that members have raised about the Scottish Biometrics Commissioner Bill. If the Parliament is content to approve the principles of the bill, I will, of course, work with the committee to amend it as appropriate and to ensure that it achieves what we want it to.
I commend the motion to Parliament.
That concludes the stage 1 debate on the Scottish Biometrics Commissioner Bill. If no one objects, I am minded to take a motion without notice to move decision time forward to now.
Motion agreed to.