Policy paper

Commissioner response to the OPC consultation on biometric information

Published 24 August 2023

1. The Commissioner for the Retention and Use of Biometrics Material and the Surveillance Camera Commissioner are independent appointments each made by the Home Secretary under the respective provisions of the Protection of Freedoms Act 2012. The geographical extent of the role is England and Wales, and extends to Scotland and Northern Ireland for biometrics issues relating to national security matters[footnote 1].

2. The Commissioner welcomes the invitation from OPC to provide input into its consultation on a potential biometrics code of practice, and supports the proposal to bring forward a code of practice. He makes the following specific observations:

  • The capability of biometric surveillance systems is growing ever faster. The opportunities presented by new technological capabilities are extraordinary, and their potential for improving the efficiency and effectiveness of those empowered to utilise these vital tools cannot be overstated. Many of the risks and societal concerns that accompany those opportunities – particularly in the area of facial recognition technology and artificial intelligence – sit at the interface of my two functional areas.

  • The State’s use of biometric and surveillance technology plainly engages individual data rights, but it should be noted that some of the key issues that have raised significant questions of public trust and confidence are no more ‘just’ data protection than facial recognition is ‘just’ photography or DNA profiling ‘just’ chemistry.

  • People must be able to have confidence in the relevant technology doing what it is supposed to, but that means the whole ecosystem that uses surveillance cameras and biometrics, not simply novel offshoots of it. It also means having clearly defined, publicly accessible and intelligible policies setting out the parameters, and a sensible system for reviewing those policies in light of experience.

  • My own experience in this field relates to the Surveillance Camera Code of Practice[footnote 2], which is published by the Home Secretary. My role as the Surveillance Camera Commissioner requires that I review how the code is working, and encourage compliance with the code by those relevant authorities to which it applies[footnote 3]. Whilst the code applies a legal obligation to local authorities and law enforcement to have regard to its content, its broader value also enables central government, the public and private sector to make legitimate use of available technology in a way that the public would rightly expect, and to a standard that maintains public trust and confidence.

  • As a society, we are becoming inured to biometric surveillance, while technological developments have meant that our capability to prepare for, respond to and recover from global crises has increased beyond anything our forebears might have realistically imagined. When extended into other areas such as schools and impacting upon young people’s lives, the sensitivities and risks of what has been termed omniveillance[footnote 4] are amplified. We must be able to have confidence in the whole ecosystem of surveillance, to be sure that what is technologically possible is only being done in a way that is both legally permissible and societally acceptable.

  • From a purely law enforcement perspective, and notwithstanding the need to balance security and privacy, the greater the certainty there is about identification the greater the potential benefits: ensuring the right suspect is pursued and prosecuted; saving of time and resources in the investigation and prosecution processes (particularly with regard to elimination of those who were not responsible for a reported crime); and the ability to make early interventions to prevent crime. At a very basic level the use of biometrics simply involves collating information and looking for points of congruence with a reference sample. As our capability to collect and compare more biometric information from more sources with greater speed and at scale increases, the greater becomes the need for democratically accountable governance of the deployment of those capabilities, and standardised and accredited training to help instil public confidence in these capabilities. We are moving quickly into a new era of biometrics where technological innovation has been driven largely by consumer convenience and retail solutions, the product of which is readily available to the police and other state institutions but also to the citizen who now has access to technology that only a decade ago was the preserve of state agencies.

  • The vast majority of biometric capability is privately owned and accessed under contractual arrangements between law enforcement and policing bodies and the private sector, which means we rely on trusted partnerships and must therefore be careful whose corporate company we keep[footnote 5]. In terms of regulation, I welcome the OPC’s inclusion of some ‘new biometrics’ in the proposed code, something which I have pressed for in the UK. It makes no practical sense to regulate only those established elements (fingerprints and DNA) or some of the equipment where it is operated in public spaces by a small number of public bodies. In this respect, I was somewhat surprised at OPC’s exclusion of DNA under the proposed code. I understand that alternative legislation exists setting out rules around DNA use and retention; however, my experience is that a fragmented, sometimes competing legislative framework (as exists for fingerprints and DNA - and anachronistically, footwear impressions - in the UK) can lead to confusion amongst practitioners. It is also important when considering both benefits and risk to take account of the combined effect of searchable databases which, if it permits aggregation of datasets, makes administrative separation largely cosmetic. Therefore, I would urge further thought around providing sufficient clarity around how the legislative and technical parts interact within the overall machinery of law enforcement and criminal justice.

  • Similarly, I note the intention to make the new regulatory framework for biometrics as tech-neutral as possible, to ensure it remains relevant as new technologies emerge. While I understand the rationale behind it, the balance between remaining tech-neutral and providing sufficient clarity is a delicate one. And while practitioners may initially welcome the apparent flexibility this seems to afford them, it is ultimately greater clarity and specificity that they need and eventually seek. When it comes to the proper exploitation of technological capabilities in law enforcement and the increasing contribution of Artificial Intelligence (AI), the need to demonstrate accountability and governance can only really be met by a tech-neutral approach which focuses on principles that will be applied consistently and conspicuously from pre-procurement to post-deployment review. For these reasons I have been involved in the development of an international framework of accountability principles for the use of AI in this sector[footnote 6].

  • The issue of storage of sensitive material has received some attention in the UK recently. The Scottish Biometrics Commissioner[footnote 7], for example, raised concerns over Police Scotland’s intention to move to a cloud-based system, and whether those proposals complied with the data protection elements of his code of practice. Similarly, I have queried whether cloud-based solutions are appropriate for such sensitive material, as the location of servers in third countries raises jurisdictional questions around legislation permitting third party access. More generally, the recently reported data breaches from police forces around the UK have underscored the continuing need for vigilance and scrutiny around data storage policies, practices and remedies[footnote 8].

  • If we are to get the most from biometric surveillance technology, a systemic approach to regulation is needed, focusing on integrity – of both technology and practice – along with clear standards for everything and everyone involved because, in a systemic setting, compromising part means compromising the whole. Its future regulation and oversight ought to reflect both its potential and its risk.

  • In sum, I believe that a set of clear, indefeasible principles by which agencies will be held transparently and auditably to account for their use of biometrics is required. There are many different models by which to achieve this, but the acid test for all of them will be whether they ensure that biometric technology (what is possible) is only being used for legitimate, authorised purposes (what is permissible) and in a way that the citizen is prepared to support (what is acceptable).

OBSCC

16 August 2023

  1. Scotland has its own Biometrics Commissioner established under the Scottish Biometrics Commissioner Act 2020 

  2. Update to Surveillance Camera Code of Practice 

  3. Local authorities and policing bodies 

  4. Blackman, J 2008 Omniveillance, Google, privacy in public and the right to your digital identity: a tort for recording and disseminating an individual’s image over the Internet, Santa Clara Law Review 49, 313-392.

  5. Something that is being debated within the parameters of the Public Procurement Bill at the time of writing

  6. About AP4AI 

  7. Digital Evidence Sharing Capability (DESC): Information Notice under section 16 of Scottish Biometrics Commissioner Act 2020 

  8. PSNI and UK voter breaches show data security should be taken more seriously, The Guardian; Norfolk and Suffolk police forces admit personal data breach, The Guardian (pressreader.com)