Official Report 756KB pdf
Our next item of business is an evidence session with the Scottish Biometrics Commissioner’s team on its work in the past year and its plans for the future. I am pleased to be joined by Dr Brian Plastow, commissioner, and Ross MacDonald, director. I refer members to paper 4. I intend to allow up to 60 minutes for the session. I invite the commissioner to make a short opening statement to highlight the main points in his annual report, before we move to questions.
It is always a pleasure to appear before the Criminal Justice Committee to discuss how biometrics are used for policing and criminal justice purposes in Scotland. As the convener said, I am joined by Ross MacDonald. In the real world, he is an experienced detective chief inspector with Police Scotland, but he joined me recently on a two-year temporary secondment, with the approval of the Scottish Parliamentary Corporate Body and the chief constable, in order to help us to build some capacity and capability during what will be a particularly busy period.
With the committee’s permission, I will briefly cover three broad areas. First, I will say a bit about my most recent annual report and accounts laid before the Parliament. Secondly, I will say something about the recent joint review of the laws of retention of biometric data that was laid in the Parliament in October and, thirdly, I will give the committee a brief flavour of some of our current and planned activity for the year ahead. I am very aware that the committee will wish to discuss other issues, so I will be brief so that we can cover as much ground as possible.
Turning to the first theme, our “Annual Report and Accounts 2023/24” is the third annual report and accounts that I have laid before the Parliament; the report was laid about a month ago. It includes the audit of the financial performance statements by Audit Scotland. To highlight some key points, the report indicates that, last year, we delivered our third assurance review. Members will remember that we have previously looked at how the police acquire biometric data from children and vulnerable adults. In March this year, the report that we laid before the Parliament looked at how the police use images and recordings.
We continue to operate a low-cost function through a shared services arrangement with the Scottish Public Sector Ombudsman, about which I have given evidence to the Finance and Public Administration Committee.
We conducted three compliance assessments on the code of practice. Members will remember that the code was approved by the Parliament in November 2022. Last winter, we conducted compliance assessments with Police Scotland, the Scottish Police Authority and the Police Investigations and Review Commissioner. In January 2024, we found each organisation to be compliant. We have also published easy read versions of the code and the code of practice.
In June this year, we hosted the first ever biometrics and criminal justice conference in Scotland. I am grateful to the cabinet secretary, who has just left the committee meeting, for attending and opening the event.
In our earlier reviews that related to children and vulnerable adults, we made four recommendations to Police Scotland for improvement. Two of those recommendations were about honouring the information rights of data subjects. One was about having distinct policies for children and the other was about improving the quality of management information to improve Police Scotland’s governance in that area.
The committee will be pleased to learn that, in July this year, subsequent to the period of my annual report, Police Scotland managed to discharge all four of those recommendations. For example, Police Scotland now gives this leaflet, “Your photograph, fingerprints and DNA: what we do with them”, to every person arrested. It goes into the prisoner property bag. That little leaflet explains to anybody who has been arrested and had their biometrics taken why they have been taken, what they will be used for and who they will be shared with, as well as information on the functions of the UK Information Commissioner and of the Scottish Biometrics Commissioner. That means that, in around 90,000 custody episodes each year, people are now receiving their information rights.
In relation to children, Police Scotland has introduced a new policy whereby it captures biometric data from children who are arrested in Scotland only if the arrest is in connection with a violent or sexual offence, or otherwise by exception. To give the committee a flavour of what the new policy means, at least half of around 4,000 children who are arrested by the police in Scotland each year will no longer have their biometric data captured.
Police Scotland is now also producing better management information. If you search your browser for “Police Scotland biometrics”, it will take you to a dedicated Police Scotland biometrics page with better management information in relation to things such as the data volumes that Police Scotland holds, which is important for transparency and accountability.
The reason for sharing all that information with the committee is that, now that the impact of our work is starting to materialise, I can advise the committee that we will update our existing strategic plan around February and we will transition away from reporting the output-based key performance indicators that were necessary for a new organisation set up mid-pandemic, towards reporting on the impact and outcomes of our work. That deals with the annual report.
I will talk very quickly about the review of the laws of retention of biometric data. In October, in partnership with the Scottish Government, we published a joint review report that, ostensibly, looked at the provisions in sections 18 and 19 of the Criminal Procedure (Scotland) Act 1995, which deal with the power that the police have to take biometrics from people who have been arrested. The report concluded that there was an insufficient evidence base on which to determine the need for any legislative change, but in the course of doing the review, we directed four recommendations at Police Scotland.
The first recommendation is for Police Scotland to review its existing biometric data retention policies, which we have recommended that it must do by October 2025. It must also build in periodic review, which in any case is a requirement under the Data Protection Act 2018.
The second recommendation is for Police Scotland to accelerate its review of the retention of volunteer data in the same time period.
In the third, we have encouraged Police Scotland to improve its management information in relation to biometrics, to support better decision making around retention periods.
The fourth recommendation is for it to improve its management information more generally, to see whether there is any evidence to support the case for extension of the current one-month period that is allowed for post-conviction sampling, as we heard some anecdotal evidence during the review that that might be a problem. I am pleased to advise the committee that Police Scotland has accepted those recommendations and will look to conclude that work by October next year.
On the last theme, of current and planned activity, the committee might be interested to know that we are doing two assurance reviews in parallel. We are having a look at how Police Scotland and the Scottish Police Authority’s forensic services use DNA. We are doing that work in partnership with the Scottish Police Authority corporate and the Leverhulme research centre for forensic science.
At the same time, we are having a look at how Police Scotland uses the retrospective image search capability in the police national database, which is a UK-wide intelligence system, and the child abuse image database, which is a UK-wide database that seeks to protect children and disrupt those who would harm them. In both cases, the objective is to provide assurance to the Parliament that Police Scotland is using the data and technologies lawfully, effectively and ethically. We hope to bring the DNA report before the Parliament in late February and the retrospective image search report probably in late March.
Over the winter, we will rerun a survey that we ran back in 2021 to measure public attitudes to the use of biometric data. This time, we will do it as part of the SPA’s public confidence survey, so the sample size will be far bigger. Back in 2021, public confidence in the police use of biometric data was actually very high, so it will be interesting to see whether anything has changed. We will have the results of that survey in March.
We are obliged by the legislation to conduct the first three-year review of the code of practice that was approved by the Parliament in 2022, so we will have that done by the autumn of 2025. At that point, we will have achieved everything that we set out to do in our first strategic plan.
My final point, convener, is to reassure the Parliament that, as I approach my fourth year in office, the way in which biometric data is used for policing and criminal justice purposes in Scotland is generally in a very good place by comparison with other jurisdictions. There are always issues around the periphery but my key message is that it really is in a good place.
That was a really interesting update. I commend the annual report, which has a lot of interesting detail that reflects the breadth and detail of the work that has been undertaken this past year.
You have spoken a lot about Police Scotland in the context of the assurance review work and the recommendations that have come out of it, and some of the compliance work that you have done, which is really interesting.
I am very interested, however, in a letter that you sent to Police Scotland in October 2023, with regard to the DESC pilot. The level of detail in the letter is to be commended. Essentially, you set out some concerns that you have with regard to—I will not even attempt to sound as though I have a technical brain—an aspect of Police Scotland’s cloud storage. I am sure that other members will want to come in on that point but I am interested in any update that you have with regard to the specific issue that has been flagged. The fact that you are able to pick up something such as that and take it forward really reflects the value of your commissioner role.
Thank you, convener. I will simplify the matter to two issues. Let us rewind time: the police conventionally used to store data on a secure server inside a police building. If somebody wanted to access that data for malicious purposes, they would basically need to break into the police station. The world has moved on and everything nowadays moves on to the cloud. As members will be aware, the digital evidence sharing capability, or DESC, which I strongly support as a concept because it is about a more effective and efficient justice system, is hosted on the public cloud infrastructure.
11:30I highlighted two concerns in my letter to Police Scotland. The first was about the reach of the United States Clarifying Lawful Overseas Use of Data Act—the CLOUD Act. It was passed by the Obama administration in 2018, for good reasons—it is about fighting international criminality—but its reach is such that it gives authority to US federal authorities to access data anywhere in the world if that data is hosted by US-headquartered companies. My question at that juncture was whether that was a risky thing to do. My second concern related to security, which is important because, as we all know, the internet gets hacked all the time, sometimes by malicious actors and sometimes by kids in their pyjamas who have nothing else to do. I raised those two issues with Police Scotland to make a point about due diligence.
On the question of data sovereignty, the Scottish Police Authority and Police Scotland have done everything within their power, including having clauses inserted into contracts and so on, to mitigate those risks as far as possible, but it is an inescapable truth that the Federal Bureau of Investigation could access that data if it wanted to. Should that concern us? Probably not.
The second question is, for me, more important. It is about the issue of security and I included specific examples in the letter that I wrote to Police Scotland in October 2023 to show that, even at Government level, as we have seen in the United States in recent years, a number of agencies have been hacked and important data has been stolen. We are where we are with that. Since I wrote that letter, the UK Information Commissioner has confirmed that it is lawful to host on the cloud law enforcement data that is covered by part 3 of the Data Protection Act 2018, providing that appropriate safeguards are in place.
I am in a more comfortable position now than I was when I wrote the letter, but my substantive point is that we cannot eliminate all risks.
That is really helpful.
I cannot remember whether it was in your letter or elsewhere, but I picked up on the fact that you are having to grapple with reserved and devolved legislation on biometrics. In the context of that particular concern, I am interested in hearing your thoughts. Can that be difficult, or are Governments working well together to allow you to do your job?
There is quite a complicated layer of independent oversight because biometric data is used for a number of different things, both overt and covert, in the world of policing.
At a basic level, the UK Information Commissioner is a whole-economy regulator in relation to data protection law. Separately from that, the function that I perform in Scotland is about ensuring that the police, the SPA and the PIRC acquire, use, retain and destroy biometric data in a way that is lawful, effective and ethical under domestic criminal procedure law. The Data Protection Act 2018 does not concern itself with questions of effectiveness or ethics.
In England and Wales, we have a Biometrics and Surveillance Camera Commissioner. That postholder’s functions are similar but, at the same time, very different to mine because, under the Protection of Freedoms Act 2012, biometric data is fingerprints and DNA, but it is not images. That seems bizarre because images are the type of data that is used most often.
On the covert side of policing, we have the Investigatory Powers Commissioner, as the police can and do acquire biometric data from people under surveillance legislation. There is also the terrorism dimension, which means that the commissioner for England and Wales, who is often wrongly described as the UK commissioner, has UK-wide jurisdiction whereby biometric data is retained as part of our national security determination. What that means is that someone has come to the attention of the police, they have not been charged or convicted of anything but the police think that they could be involved in terrorist activity.
The landscape is quite complicated but it works really well in the sense that there have now been four biometrics commissioners in England and Wales. The post is not currently filled—that is probably the best way to describe it. I have enjoyed excellent working relationships with those commissioners, and I enjoy an excellent working relationship with the UK Information Commissioner. It all seems to work well. We are all interested in different things but it is ultimately all about the same thing.
Thank you for that. I am going to bring in members, so I will hand straight over to Liam Kerr and then Sharon Dowey.
I have two questions. First, Dr Plastow, just last week, the Parliament had an interesting debate on artificial intelligence. What do you see as the opportunities and challenges from the increasing use of AI in your field of biometrics?
I suppose the first thing to say is that AI is already used in biometrics in policing. I will give you two quick examples. The first is in relation to the child abuse image database that I said we are looking at. There is non-autonomous decision-making AI software in that system that does a number of things such as removing harmful content from the web. It saves police officers or police staff from having to view thousands of horrible images, and so on.
The other example of non-generative AI that is already used in policing is in the UK fingerprint system, IDENT1. It has something called non-verified live identification. When the police arrest somebody, they take fingerprints in a custody suite using what is basically a big photocopier that scans the fingerprints. Within about 20 minutes, if someone has been arrested and has been in custody, and they have provided false particulars to the police, the non-verified live identification AI software will very quickly result in a phone call to the custody centre to say something like, “See that guy that you’ve got in cell 3 that says he’s Ross MacDonald? He’s not. He’s Brian Plastow.”
Those are two types of AI that are already in use. The important point to make is that AI is not used in any evidential capacity. To use the same example as the non-verified fingerprint identification, if the case were to go to court, it would require a forensic scientist—a human being—to compare the two sets of fingerprints and say yes or no.
More broadly, to lead on from that, there is a big place for non-generative AI in policing. For example, applying weeding regimes to massive biometric data sets is complicated. The UK holds 7 million DNA profiles, 8 million fingerprint records and way more than 20 million biometric image templates that are derived from faces. All of that becomes very difficult to weed. However, with the application of good governance and rules-based systems, non-generative AI could help.
The flipside to that is generative AI. For me, autonomous decision-making technology has no place in this space at this time. Biometrics is done to people by people and should be for the good of the people. Does that answer your question?
Yes; I am very grateful. It is very interesting.
My second question might be a little more awkward, but I feel that I need to ask it, to get the issue out in public. Your role is to scrutinise the police, at least in part, or to have oversight of the police. Earlier, you talked about public awareness and public perception. You are joined today by Ross MacDonald, who has joined you on secondment from Police Scotland. Now, there is no question about Mr MacDonald’s expertise; I can see that from the committee papers. However, Mr MacDonald is seconded and is therefore still an office-holder of Police Scotland. Given that the public perception of such a secondment might involve a question about independence, why was that route chosen, and is there merit in future in looking beyond the police and perhaps beyond the public sector?
That is a good question. Thank you for asking it, because it allows me to explain.
Part of the reason for seconding someone from Police Scotland is because the role is highly specialised. To do the job properly, a person needs a detailed understanding of how the police use biometric data and technologies, from not just a criminal justice perspective—in terms of people who have been arrested by the police—but an investigative perspective, a forensic perspective and a multi-agency public protection arrangement perspective. You cannot easily bottle that and teach it. That is why organisations such as the Police Investigations and Review Commissioner and His Majesty’s Inspectorate of Constabulary in Scotland rely heavily on people coming to their world with investigative backgrounds and a certain level of lived experience of how the police do things. It is about bringing expertise into the organisation.
For the avoidance of doubt, I am the accountable officer. I am not allowed by the Parliament to discharge that duty to anyone. I am the ultimate decision maker. However, Ross MacDonald brings to the role an incredible wealth of experience that is just not out there on tap.
I absolutely understand the premise of your question, but the situation is not unique—and it was necessary for me to seek the prior consent of the Scottish Parliamentary Corporate Body. I hope that that provides the reassurance that you are looking for.
I understand. That is clear. Thank you.
Good morning. I want to go back to your opening remarks. You mentioned that the biometrics of children are taken only in the case of a violent or sexual offence, or by exception. Will you expand on that a wee bit, and will you tell me the age classification for “children”?
Last night, some of my colleagues and I took part in a debate in the chamber about the huge rise in antisocial behaviour. A lot of it is caused by youths—children and young people under the age of 24. What age would you class as that of a young person? If you are not taking those details, how are you monitoring whether someone is a repeat offender before the problem escalates and the person commits a violent or sexual offence, perhaps because we have not taken action earlier?
11:45
Thank you, Sharon—that is a good question, to which I will give a two-part answer.
In our work, we class anybody under the age of 18 as a child. Obviously, a child in Scotland is defined differently under different legislation.
That is confusing.
Yes, it is confusing. However, from the work that we have done previously, such as the assurance review around children who are arrested by the police, and looking at the United Nations Convention on the Rights of the Child, we work on the basis that a child is anybody who is under 18. However, as you rightly point out, in other legislation, people can be regarded as an adult at 16.
To reassure you, the substantive point is that, even if the police do not take biometric data from children who have not committed a serious sexual or violent offence, they still record their details as part of the management of an incident. If a young person comes to the attention of the police for the sorts of things that you described, the fact that their biometric data is not taken does not change the fact that there is still a record of that engagement with the police. If they come to the attention of the police on a second or subsequent occasion, that record is available to the individual inquiry officer.
The point about not taking DNA and fingerprints when you do not need to goes back to the point about weak management of information. For example, when we did the assurance review in relation to children, we asked Police Scotland how many children it had arrested in the past 12 months, and it could easily tell us. We then asked how many children it had taken DNA from, and it could easily tell us. However, when we said, “Okay—in taking DNA from those 4,000 children, how many times did the DNA that you took in custody match to an unsolved crime scene?”, Police Scotland could not tell us. It is important that it should know, because, otherwise, why is it doing so?
Does that answer your question at all?
Partly—I might have more questions on that. At what stage would you take biometric data?
The new Police Scotland policy is that, if a child is arrested in connection with violent or sexual offending, the police will capture their biometric data.
That probably leads to more questions because we have lower police numbers and, for some crimes, they say that there is no evidence that they can follow, so the crimes are not getting investigated. That might mean that there is no DNA to follow, because the police have not taken fingerprints for a minor crime. That would perhaps open up more questions for me.
You are welcome to send them to us, and we will be happy to answer.
I will make a quick point. Most people out there, who are not involved in the policing world and who perhaps watch programmes such as “Silent Witness” or “CSI”, wrongly assume that biometric or forensic data is a feature of all crime. It actually is not.
I have an interesting statistic for you. We can look at the number of DNA recoveries in the UK where the DNA that is recovered at a crime scene matches a profile that is already held by the police, which means that it matches someone who has already been arrested. Bearing in mind that most—or a lot of—crime is not reported, when we express that number as a percentage of all reported crime, it is 0.3 per cent. That will probably surprise you, but that is what it is: 0.3 per cent of all recorded crime. However, it has a high qualitative value, particularly in crimes such as murders.
I have one final question. In your evidence to the committee last year, you mentioned your concerns about funding in relation to the use of new technologies, particularly body-worn cameras, for Police Scotland.
Another year has passed, and they have still not been rolled out. How disappointed are you about the current situation, and do you have confidence that it will be resolved soon?
I absolutely support the need for Police Scotland to deploy body-worn video. I have said that on a number of occasions, and I am grateful to the Parliament for supporting the funding of that.
My understanding is that the delays are associated with technical issues, such as making sure that individual police stations have the correct plumbing—for want of a better word—so that the docking stations work.
It is a bit disappointing, but I guess that there were always going to be technical issues associated with the scale of the national roll-out for so many police officers.
Are you confident that it will be rolled out within a year?
Am I confident? I could not express a view on that one way or the other.
Good morning, commissioner. From your opening statement, it sounds like you have made great progress. I am really pleased about the children and vulnerable people initiatives that you have worked on with Police Scotland. That is a really positive move.
I want to ask you about Police Scotland’s plans to bring in facial recognition and how that would impact on your role. It has been talked about for some time, and concerns have been raised about accuracy. Will you talk me through that?
The first thing to say is that, as far as I am aware, Police Scotland has no plans to bring in live facial recognition technology. It plans to have a tripartite conversation around looking at its feasibility, initially with me and the Scottish Police Authority. That journey is yet to happen.
I have said before that there are certain, limited circumstances in which the technology—if it works, is affordable and is used in a proportionate and necessary way—could add value.
To get to the heart of the question that Ms Mackay asked, it would depend on how Police Scotland deployed it. For example, if Police Scotland were to go down the route of deploying the technology in a mobile van, as happens in the Metropolitan Police, there would be no jurisdictional issues for me.
However, if, on the other hand, Police Scotland chose to deploy it by applying software such as BriefCam, which it had bought, through a local authority public space safety camera network, that would give me jurisdictional issues, because I do not have any authority over local authorities. If Police Scotland chose to go down that route—I am not sure whether it will—what would the delivery mechanism be?
There are other big questions, one of which is that the quality of the images that are currently held is probably not good enough to support the technology at this time.
A lot of people think, “Well, we can do this at a passport gate.” Yes, you can, but that is because you have given your passport image in a controlled condition, it has a biometric chip and you are standing three feet away from a really expensive camera. That is one issue.
The other issue is about return on investment. Whatever solution Police Scotland might or might not choose to look at in the future, it would have to be satisfied that it got a return on investment. Even the Metropolitan Police, which does this in quite a limited number of deployments, spends well over £500,000, so it would not be cheap. A whole lot of things are in the mix, but, to go back to my original point, there is no secret plan to do that. It is an area that needs to be discussed.
That is really helpful.
Part of your role involves engaging with international partners at conferences and other events, which are really important opportunities to hear and find out about practice, policy developments and the direction of travel in other jurisdictions. What have you learned? Has any particular practice come to your notice that you feel might be relevant to the Scottish biometrics landscape?
That is another interesting question and there is often no right or wrong answer in that territory.
I try to limit engagement outwith Scotland due to the small scale of my budget. I go to London twice a year—although Ross MacDonald will do that next year—to attend the UK forensic information databases strategy board, which is the oversight board that looks after the running of the UK’s DNA and fingerprint databases and is an exchange mechanism with the European Union and Interpol.
For the past two years, I have been invited to speak at the Biometrics Institute congress in London, which is the world’s biggest global gathering of biometrics policy makers and subject experts. This year, I spoke about the importance of independent oversight; last year, I spoke about the value of biometrics in solving what might seem to be impossible crimes, which goes back to my point about the high qualitative value of DNA.
I can give you a practical example. While I was at the congress this year, I had a side meeting with staff from the US Department of Homeland Security to exchange knowledge and ideas. I shared my thoughts on the future use of biometrics in UK policing and they shared some of the emerging technologies that they are using. They want to move away completely from having electronic passport gates to having walking passport gates. If you go to the United States of America, you have to scan your passport in advance and fill out a form, but they are now trialling a system at Dulles airport in Washington DC where people do not even present their passport at a gate but just walk through and are stopped by a border official only if the technology does not recognise them.
I also have lots of side conversations with people from the Home Office. In my previous annual report I mentioned how, at the invitation of the Scottish Government, we went to Scotland house in Brussels and engaged with European colleagues, which allowed us to be sighted on things such as the EU Artificial Intelligence Act.
We try to cast our net as widely as possible and to deploy environmental scanning to understand what is happening in other areas in order to assess what might or might not be appropriate for Scotland. The answer is always that the approach in Scotland must be right for Scotland.
That was fascinating.
To come back to Scotland, as it were, I will pick up on a point that we discussed during your previous session with us. You suggested that there might be potential to expand your remit to include the prison estate because of the extensive biometric data that exists in that part of the justice sector. Will you give us an update on that work? Have you been able to move that forward?
No, I have not been able to move any of that forward. I will give you my rationale. I argue consistently that biometric data is used extensively throughout the entire criminal justice ecosystem, and I understand why the commissioner’s functions might be restricted to three policing bodies, because the police, whether it is Police Scotland or the PIRC, have the power of arrest and can take biometric data from people without their consent. However, that also happens in prisons. Every prisoner in Scotland has their fingerprints taken. Many prisons have biometric kiosks to save people from having difficulty in carrying money and so on in prisons. There is at least one prison in Scotland where even visitors will not be allowed in unless they surrender their biometric data as a condition of entry.
12:00At around the time that I was last before the committee, I had a discussion with the then chief inspector of prisons, who was quite happy to say that they did not understand much about biometric data but that they would welcome some support in that area. Subsequently, I had a conversation with the chief executive officer of the Scottish Prison Service and I also appeared before the Scottish Government criminal justice board to say a bit about that.
Ultimately, any decision on the expansion of remit is a matter for ministers. I am mindful of the office-holder landscape review and the call for no expansion of remit before June next year. However, it is a bit of a no-brainer, especially when we start to look at things such as DESC, where criminal offence data, including biometric data, is shared extensively between partners. I cannot exercise independent oversight of the whole of DESC, only the bit that Police Scotland does.
There are opportunities there, as well as in the surveillance space, as it is often wrongly referred to. We should be talking about public space safety cameras, because that is why local authorities have CCTV systems. It is all about public safety. Increasingly, those systems are piped into police control rooms or police officers in their control rooms. If, in the future, we move to police software interacting with council software, it might get a bit messy for independent oversight.
I have probably said enough about that. I have tried to hammer the point in each of my annual reports. However, there is a requirement in the Scottish Biometrics Commissioner Act 2020 that, no later than one year after the expiry of the period of the first strategic plan, ministers should review the functions of the commissioner. The first strategic plan expires on 30 November 2025, so ministers are required by the legislation to review functions no later than 30 November 2026. That could be about considering whether the function is still necessary, but the legislation also talks about that being the point at which ministers should consider whether any additional bodies should be added or removed. We are therefore coming to a natural point at which this function will need to be reviewed anyway and, as I said in my evidence to the Finance and Public Administration Committee, we look forward to engaging with that piece of work.
We are the model for existing and future bodies to follow in the sense that everything that we do uses a low-cost operating model that is built around shared services. We do not have a human resources function, for example; it is provided to us. Our finance and information and communications technology support is provided to us, too. You can therefore imagine that, if you mix that up throughout the whole environment, there are opportunities for savings.
A wee while ago, you mentioned public safety, which made me think about public awareness of all things biometric. In your annual report, you refer to the publication of easy-read versions of the code of practice and the complaints procedure. I presume that your doing that is to make sure that the public understand the implications of the use, storage and retention of biometric data.
We spoke about children and vulnerable witnesses. As a constituency MSP, I feel that I am getting more inquiries from the public about the use of cameras, say, from a bedroom window, that encroach, potentially, on someone else’s property. I know that that is not biometrics, but I am surprised at people’s limited knowledge about such practices and the legislation around them, which is really important to understand. I am interested in where you see scope to develop public awareness even further, so that we are not vulnerable to not fully understanding the implications of the use of biometric data.
That is a really interesting question. In a non-policing context, most of us love biometric data, because it makes our life easy. You can pay for a coffee with your fingerprint on your iPhone and you can travel almost seamlessly through the e-gates at airports. People are quite happy to surrender their biometric data if it is convenient to them. They do not always realise what then happens with that data.
In a policing context, most people will go through their entire life without ever having much contact with the police. The figure that I gave earlier shows that there are around 90,000 custody episodes in Scotland each year. However, as a percentage of the population of Scotland, most people never get arrested by the police and therefore never have their biometric data taken—so why should they care?
For an organisation such as ours—I have only three members of staff—it is hard to reach out to the wider public. We rely on partnerships for that. For example, once a year, I appear before the SPA board and the SPA policing performance committee. We try to do as much external engagement as we can—for example, through supporting an academic event at the Leverhulme research centre for forensic science or speaking at conferences. We do a bit of that.
It is a niche area but, in getting the message out, the leaflet that I mentioned does more than anything. Police Scotland gives it to every person who is arrested and who has their biometrics taken. That allows those people—the data subjects—to know why their data has been taken, what it will be used for and who it will be shared with.
That never used to happen. I was in the police for about 35 years, and never once in my entire service did we do that. I would just say, “Okay, pal, you’ve been arrested. We’re going to take your fingerprints and your DNA,” and that would be it. It is important that people who have been arrested, and who might be at their most vulnerable, are nevertheless given their rights.
To your point, convener, it is also important for victims and witnesses, because people will regularly have their devices seized by the police as part of an inquiry, and, during the course of examining those devices, the police will uncover biometric data.
It is important that there are appropriate safeguards in relation to all that.
Thank you. Ben Macpherson has a supplementary question.
Commissioner, you have provoked a question that I have wondered about for some time. It is in relation to what you said about travel. Often, when people enter or exit other countries, biometric data is taken. Do constituents have any ability through your office—not in relation to a criminal justice investigation or any attachment to a crime but in relation to when their data is taken as they travel—to inquire as to whether that data is still held or can be deleted? Do you have that international connectivity?
I have the connectivity, but it is not part of our jurisdiction. Obviously, some matters, such as UK border controls, are reserved to Westminster, so we do not have a function in relation to that.
That does not stop us from giving advice to people. For some reason, the most frequent telephone call to our office is from people who want to know how to get a biometric permit for Canada. We know how to do that. Joanna Milne from my office is very good at giving people appropriate advice.
Although we have wider conversations on the use of biometrics in other contexts, my role is specifically about policing and criminal justice. People tend not to come to us for other types of inquiries; if they do, we signpost them to the appropriate organisation.
I will ask a final question then draw things to a close. Your annual report helpfully sets out some of the detail of the costs that are associated with the commissioner function, which is very helpful, and you gave helpful evidence at the recent Finance and Public Administration Committee inquiry into the commissioner landscape. That has now been debated in the Parliament, and there is agreement that there will be a review process. What we have heard today has helped in the understanding of the technical nature of the Scottish Biometrics Commissioner. I am interested in any last reflections that you might have about the importance and relevance of the role—about which, given what we have heard today, we have no doubt.
I always say to people that the distinctiveness of what I do is to provide assurance to the Scottish Parliament that, when biometric data is acquired in Scotland under domestic criminal procedure law, it is used lawfully, effectively and ethically. That is important, because our national police service, Police Scotland—the second-biggest police force in the UK—holds massive amounts of biometric data. Some people would argue that it holds too much.
As I said, that data is sometimes acquired from people—whether they are accused persons, victims or witnesses—when they are at their most vulnerable. It is therefore important that there is a level of independent oversight. In this case, that cannot be delivered by the Scottish Police Authority, because it provides forensic services to Police Scotland and jointly administers the DNA and fingerprint arrangements.
It is a good, value-for-money and low-cost public service, on which the Parliament made a good decision when it passed the Scottish Biometrics Commissioner Bill back in 2020. I suppose that it will have an opportunity in 2026 to make up its own mind about how effective or otherwise that has been.
The numbers in the annual report speak for themselves. If we strip out the salaries, our operating costs were £65,000 for the year, £19,000 of which was audit costs. If we strip out the audit costs, the cost of running the organisation, excluding salaries, was £46,000 for the year. That is pretty good value for public money.
I agree whole-heartedly.
We draw our session to a close. Thank you for attending; it has been an interesting session.
That completes our business in public.
12:15 Meeting continued in private until 12:58.