Policy paper

Scottish Biometrics Commissioner review of functions consultation response (accessible)

Published 3 June 2026

I am grateful for the opportunity to comment on this consultation looking at the role of the Scottish Biometrics Commissioner. My thoughts are set out in the following narrative:

Main points

• I recognise the Scottish Biometrics Commissioner (SBC) and his office as an important and relatively new oversight body which has delivered the Statutory Code of Practice, Assurance Reviews, a Strategic Plan and a statutory Advisory Board.
• The SBC’s role must remain clearly independent from the bodies it regulates and question whether the duty to “promote” biometrics could undermine that independence.
• The SBC has limited capacity and resources, which may restrict effective oversight. This could be enhanced with stronger powers for inspection, compliance and public engagement.
• I believe there is a case for expanding the SBC’s remit to cover other bodies and technologies.
• I believe changes to the UK regulatory landscape proposed by the UK Government and cross-border issues make the SBC’s future role increasingly important.

Detailed argument

Overview of My Role

I was appointed Biometrics and Surveillance Camera Commissioner (BSCC) for England and Wales, in November 2025, and this is my considered response to the consultation in an independent capacity. My role and functions are set out in the Protection of Freedoms Act 2012 (PoFA) and include oversight of the police collection, retention and use of DNA and fingerprints, as well as monitoring compliance with the Home Secretary’s Surveillance Camera Code of Practice (Surveillance Camera Code of Practice). My geographical remit is primarily England and Wales, with biometrics functions extending to Scotland and Northern Ireland in matters relating to national security. In this capacity, I also sit on the Scottish Biometrics Commissioner’s Advisory Board.

Prior to appointment, I served on the Advisory Board as an academic specialising in the governance of surveillance and biometrics. In addition, as Director of CRISP, I initiated public engagement activity that occasionally involved the SBC and have previously contributed to events organised by his office. I am therefore familiar with Dr Brian Plastow, and his team.

The Office of the Scottish Biometrics Commissioner (SBC)

I am aware that the Scottish Biometrics Commissioner Act 2020 established the office of Scottish Biometrics Commissioner and provides for its functions. My understanding is that the Commissioner’s general function is to support and promote the adoption of lawful, effective and ethical practices in relation to the acquisition, retention, use and destruction of biometric data for criminal justice and police purposes by Police Scotland, the Scottish Police Authority (SPA) and the Police Investigations and Review Commissioner (PIRC).

The SBC’s primary function is to prepare and revise a Code of Practice on the acquisition, retention, use and destruction of biometric data for criminal justice and police purposes, publish a report on the Commissioner’s findings and lay a copy of this report before the Scottish Parliament. The SBC can also investigate complaints about non-compliance with the Code, and has the power to issue compliance notices, and where compliance is not demonstrated report the matter to the Court of Session. To support these functions the Commissioner has a Strategic Plan, conducts Assurance Reviews and has a statutory Advisory Board. The role of the SBC is relatively new, and I am aware that considerable effort has gone into appointing a Commissioner, preparing and publishing the Statutory Code, recruiting staff, creating a Strategic Plan and Advisory Board, and that 2026 is a good point to review progress and the functionality of the office.

The Regulatory Landscape for Biometrics

It is important to note that the functions associated with my role as BSCC for England and Wales are significantly different to those of the SBC. This relates to different functionality and differences in the way that biometrics are defined.

Section 34(1) of the Scottish Biometrics Commissioner Act 2020 defines biometrics in the following terms: “biometric data” means information about an individual’s physical, biological, physiological, or behavioural characteristics which is capable of being used, on its own or in combination with other information (whether or not biometric data), to establish the identity of an individual. “Biometric data” may include: “Physical data comprising or derived from a print or impression of or taken from an individual’s body, a photograph or other recording of an individual’s body or any part of an individual’s body, samples of or taken from any part of an individual’s body from which information can be derived, and information derived from such samples.”

In relation to my regulatory role, biometrics has a much narrower definition and is defined in PoFA as fingerprints, DNA Samples and DNA profiles, and impressions of footwear. I also have primacy over biometric data in relation to national security reserved powers under section 20 of the Protection of Freedoms Act 2012, and specifically in relation to Scotland, National Security Determinations (NSDs) made under section 18G of the Criminal Procedure (Scotland) Act 1995. This is where the Chief Constable has made a determination to retain the fingerprints and/or DNA profile of a person who has not been convicted because they are viewed as posing a significant threat to UK national security.

Other UK agencies have primacy in relation to other biometrics matters, notably the Information Commissioners Office (ICO) for matter relating to data protection, and the Investigatory Powers Commissioner’s Office (IPCO) which provides oversight of how public bodies use covert investigatory powers. Combined the UK regulatory landscape for biometrics, including Scotland, is complex.

Independence of the Commissioner

In my firm view, it is paramount that the SBC is independent of those bodies they are appointed to regulate. This provides the public with reassurance that the police are using biometrics appropriately, ethically and lawfully. My personal opinion, is that the primary function of the commissioner - ‘to support and promote the adoption of lawful, effective and ethical (biometrics) practices’ mean that their oversight purpose is too closely aligned to the bodies being regulated. Whilst the office should be expected to support the lawful, effective and ethical use of biometrics, it’s questionable whether it should also be charged with promoting the use of biometrics more generally. A case in point, would be the recent ‘national conversation’ around the potential use of Live Facial Recognition technology (LFR) in Scotland and whether the Commissioner’s role is to promote the use of the technology or the oversight and regulation of such use. There is a risk here that the SBC’s independence is compromised if their primary function is perceived to be supporting initiatives led by Police Scotland.

Capacity and Effectiveness

The ability to regulate biometrics effectively is often determined by the capacity of the office to conduct inspections/audits/reviews and to demand compliance. I note that the SBC has a relatively small office and that to date not many compliance notices have been issued. Any extensions to the scope of the office will place further strain on scarce resources.

The Changing Regulatory Landscape in the UK

The Westminster Government is planning, in the proposed Police Reform Bill set out in His Majesty’s Most Gracious Speech^{[footnote 1]}, to change the way biometrics are regulated in England and Wales and to create a new regulatory oversight body. Whilst the intentions are set out in the Police Reform White Paper^{[footnote 2]} and the consultation^{[footnote 3]} the outcome of the Parliamentary process is still to be determined. Nevertheless, the intention and direction of travel is clear. As biometric technologies, such as LFR, clash directly with fundamental rights, the Westminster Government has decided to introduce primary legislation to make it clear how and when such emerging technologies can be used for law enforcement, public safety and safeguarding purposes. This will provide legal certainly and confidence for police forces and the public alike. The Bill is likely to create a new regulatory oversight body, combining my office and that of the Forensic Science Regulator, and with legislative powers of audit, inspection and compliance. The proposed new legislative framework for biometric surveillance technologies like LFR is likely to have legal primacy in England and Wales and should be designed to cater for future technological developments. My response to the Home Office consultation sets out a ‘light touch blueprint’ for meaningful oversight in this area^{[footnote 4]}.

Whilst the proposed new legislative framework will provide legal certainty for England and Wales, it further complicates the regulatory landscape for Scotland. The use by Police Scotland of LFR and other biometric surveillance technologies would not fall under the scope of this legislation and would consequently be governed differently. There is a scenario here where these sensitive, intrusive and often contentious technologies are governed to different standards in different parts of the UK, with citizens afforded different protections and rights. This situation would be further exacerbated if the legal framework for England and Wales extended to other public bodies, such as local authorities, and the commercial sector. For Scotland, the Scottish Government and SBC, the issue here is whether the use of such technologies should be regulated through existing mechanisms and Codes of Practice, or whether new primary legislation is required. A further consideration should be the extent to which the SBC has the power to insist on the independent periodic testing of emerging biometric surveillance technologies, like LFR.

Regulating Across Boundaries

An additional aspect of the complex regulatory landscape for biometrics relates to how biometrics are handled and regulated by different partner bodies across the UK policing ecosystem. This complexity arises where different partners, who may share biometric data with Scottish bodies, are required to adhere to different standards and rules. This, for example, could relate to different standards for custody images, for records on the Police National Database, for DNA retention periods for juveniles, or for review periods for DNA retention. Different retention and use requirements in different geographical jurisdictions may have complications for the legality of information sharing across the Scottish Border. Policing in Scotland does not exist in isolation and such information sharing is essential at both the UK level and internationally. The risk here, is that Scottish policing bodies can’t interact with UK national databases, because standards and rules elsewhere are not complementary with those in Scotland, or where practices diverge to the point that biometric data can’t be integrated. There is an argument, that the SBC should play a role, on a statutory footing, in highlighting issues and ensuring compliance across regulatory geographical boundaries.

Scope of the SBC

Under current legal provision the SBC regulates the Police Service of Scotland, the Scottish Police Authority and the Police Investigations and Review Commissioner, and their acquisition, retention, use and destruction of biometric data for criminal justice and police purposes. There is a strong argument that the scope of this remit should be extended to other bodies in the criminal justice ecosystem, and particularly the Scottish Prison Service. There is a further discussion to be had around whether the remit of the Commissioner should extend to all bodies using biometric data for law enforcement, public safety and safeguarding purposes. This is especially pertinent to the use of biometrics technologies in non-policing scenarios where they generate intelligence or evidence used for policing or in prosecutions.

The Power of Inspection

A key part of the functionality of a regulator is to have the power of independent investigation of those bodies being regulated. The SBC, under current statute, has the power under Section 16 of the Scottish Biometrics Commissioner Act 2020 to ‘gather information’. This power has been well utilised in conducting a serious of detailed ‘Assurance Reviews’, conducted with key partners, and often presented as ‘Joint Assurance Reviews’. The SBC’s Strategic Plan 4-Year Strategic Plan 2025/29 sets out a programme of thematic Assurance Reviews for the next few years, covering a number of different topics, including fingerprint biometrics, forensic imaging, biometric data from digital forensics and open-source methods, and body-worn camera data.

Whilst these reviews offer a detailed analysis of discreet topic areas, they do not provide a substitute for the periodic inspection and review of basic biometric acquisition, retention, use and destruction by the regulated bodies. There is a case that the SBC should undertake regular ‘inspections’ to ensure compliance with the Code of Practice. I note that such activity has resource implications.

Promoting Public Awareness

Section 2 (8) of the Scottish Biometrics Act 2020 states that “The Commissioner is to promote public awareness and understanding of the powers and duties of those bodies in relation to biometric data”. Whilst considerable progress has been made in fulfilling the requirements of the Act, promoting public awareness is one area where concerted effort is required. The future use of emerging biometric technologies in policing may to expand to include facial, noise, gait, smell, iris, and object recognition. Such technologies raise ethical, social and legal issues and public acceptance cannot be assumed. Attitudes towards biometric surveillance vary, depending on the purpose of the technology, its deployment and reliability. They are intrusive and intimate by definition and will always generate some resistance. This is further complicated by the opaque nature of technologically mediated surveillance practices. This means that there is an important role for the SBC to help gauge (or determine) what is seen as socially acceptable, as well as proportionate and necessary. This can best be achieved through promoting public awareness and an informed citizenry, and can be, and is, delivered through a range of mechanisms. The issue here is whether there should be a stronger statutory requirement for the SBC to consult with the public and undertake specific public awareness and engagement activities.

Public Surveillance Systems

Scotland governs public space surveillance camera systems differently to England and Wales. As the BSCC I advise on and provide oversight in relation to adherence with the Home Secretary’s Surveillance Camera Code of Practice for England and Wales. This ensures that these systems have a clear purpose, have agreed specifications and are used legally and proportionally. In Scotland, such systems are regulated by the ICO solely under data protection provisions and governed by the National Strategy for Public Space CCTV in Scotland (2011)^{[footnote 5]}. The latter is now quite old and there is a lack of governance around the biometric images generated by public surveillance systems in Scotland. It has been argued elsewhere^{[footnote 6]} that the SBC remit should be expanded to include public space surveillance camera systems, included those operated by local authorities. There is no doubt that such systems incorporate biometrics, so there is some merit in this argument. As biometric technologies, like LFR, are integrated into these systems the logic behind this argument becomes stronger. This would be a considerable undertaking and would have resource implications. One solution is that the SBC is tasked with developing a surveillance camera code of practice for Scotland.

Statutory Advisory Board

The SBC has a statutory Advisory Board which I have been part of for a number of years, most recently in my capacity of BSCC. I have observed that this Board has operated as an effective ‘critical friend’ and has provided insight and guidance around draft documents in development. Key partners and relevant regulators have been nominated to this Board. The statutory status of this Board should not be changed, and it provides an effective ‘sounding board’ for different key voices. Arguably, the Board would benefit from having representation from the commercial sector and/or a foresight function. This would provide insight into emerging technologies with a biometric element that may be used in policing in the future.

Concluding Comments

Since its inception the inaugural SBC has delivered a range of achievements, including a statutory Code of Practice, thematic Assurance Reviews, a statutory Advisory Board, as well as giving evidence to Scottish Parliamentary Committees and advice to Scottish Ministers. There is abundant evidence of the considerable work completed by the SBC and his office. This has created, for the first time in Scotland, a dedicated specialist oversight body for biometrics and is a significant achievement. However, the future landscape of biometrics in policing and beyond is evolving and it is important that the office of the SBC evolves to match this ecosystem. This requires careful consideration of the legislative powers of the office, changes in technological capability and deployment, and the necessary interaction with other policing and regulatory bodies in Scotland and the UK. Reflecting and revisiting the scope and powers of the SBC is crucial to delivering the effective, lawful, proportionate and ethical use of biometric data which was envisaged in the creation of the Commission.

Professor William Webster
Biometrics and Surveillance Camera Commissioner for England and Wales
May 2026

1. The King’s Speech 2026 ↩

2. White paper: From local to national: a new model for policing ↩

3. Consultation on a new legal framework for law enforcement use of biometrics, facial recognition and similar technologies ↩

4. Consultation response: A new legal framework for law enforcement use of biometrics, facial recognition and similar technologies. ↩

5. A National Strategy for Public Space CCTV in Scotland ↩

6. Statement on the public space surveillance infrastructure in Scotland, 20 February 2023 ↩