Use of biometric data: report of the independent advisory group

Key Recommendations

Recommendation 1

There should be national debate to improve public understanding of, and confidence in, the retention and use of biometric data in Scotland for policing, law enforcement and other public protection purposes. Ideally, this should start before and continue during the Scottish Government’s public consultation, as well as featuring in ongoing discussion after consultation.

Recommendation 2

Legislation should establish a Code of Practice covering the acquisition, retention, use and disposal of DNA, fingerprints, facial and other photographic images (including custody images) and all existing, emerging and future biometrics for Police Scotland, the Scottish Police Authority and other bodies working in the field of law enforcement. The legislation should outline matters relating to review of the Code by the Scottish Parliament.

Recommendation 3

The Code of Practice should be the subject of detailed consultation. It should contain relevant human rights and ethical principles, address the implications of any presumption regarding retention and specify relevant procedures for applications from private citizens for deletion of biometric data. It should contain specific reference to validation of biometric technologies.

Recommendation 4

Distinct policies should be formulated for the acquisition, retention, use and disposal of the biometric data of children aged between 12 and 17. In each case involving a child, consideration should be given to the proportionality and necessity of obtaining biometric data for the purposes of recording on the biometric databases, ensuring that the best interests of the individual child are taken into account in the decision-making process. Where the decision is to obtain and retain biometric data, the reasons should be recorded and subject to review and scrutiny. Appropriate consideration should be given, and adaptation made, in the treatment of the data of those (children and adults) with specific vulnerabilities.

Recommendation 5

There should be a review of the rules on retention of biometric data in sections 18 to 19C ^[14] of the Criminal Procedure (Scotland) Act 1995, considering all questions of proportionality and necessity. The review should be research led and consider not only the gravity of the offending but also the value of biometrics in the investigation of certain offences, re-offending rates relating to different crimes, the escalation of offending, and the value that biometric retention has in the investigation of this escalation. It should be informed by any developments in the law in Scotland, England and the European Court of Human Rights.

Recommendation 6

There should be a presumption of deletion of biometric data after the expiry of prescribed minimum retention periods.

Recommendation 7

Evidence should be gathered from which continuing assessment can be made about appropriate periods of retention of biometric data. Public consultation should include specific questions on retention periods.

Recommendation 8

There should be legislation to create an independent Scottish Biometrics Commissioner. The Commissioner should be answerable to the Scottish Parliament, and report to the Parliament. The Commissioner should keep under review the acquisition, retention, use and disposal of all biometric data by the police, SPA and other public bodies. The Commissioner should promote good practice amongst relevant public and private bodies, and monitor compliance with the Code of Practice.

Recommendation 9

An ethics advisory group should be established as part of the oversight arrangements. This group should work with the Commissioner and others to promote ethical considerations in the acquisition, retention, use and disposal of biometric technologies and biometric data.