Biometric data retention: review report
A report by the Scottish Government and the Scottish Biometrics Commissioner of a review of the retention of biometric data provided for under sections 18 to 19C of the Criminal Procedure (Scotland) Act 1995.
Legal Analysis
18. The review team undertook a desk-based exercise to consider the available legislative provision around the retention of biometric data for policing purposes.
Strategic Gap Analysis
19. The review team conducted an analysis of the current legislative provision and relevant court judgements relating to the retention of biometric data in Scotland. This covered provision in place pre and post the 2018 IAG review. This was in order to assess whether the current provision was sufficient in terms of ethical and human rights considerations and the need for proportionality. Further details of this analysis are provided below:
Scottish Biometrics Commissioner 2020 Act: Code of Practice
20. The SBC's statutory Code on the acquisition, use, retention and disposal of biometric data took effect from 16 November 2022 following parliamentary approval. Police Scotland, the SPA and the PIRC are required by the 2020 Act to comply with the Code.
21. The Code provides information and guidance regarding the responsibilities of Police Scotland, the SPA and the PIRC, and recognised standards in relation to biometric data. It also states that in all cases, the retention of biometric data should be justified and only kept for as long as necessary for the purposes for which it was processed.
22. In accordance with the legal requirement in section 7(2) of the 2020 Act, the Code states that if a biometric data type has no retention period prescribed in law, Police Scotland, the SPA, and the PIRC should apply the same retention period as for other types of biometric data, such as DNA and fingerprints in the corresponding case in question.
Data Protection Act 2018
23. It is important to note that there are also elements outside of Scots law that pertain to biometric data and its possible retention.
24. Part 3, Chapter 2 of the 2018 Act[9] sets out six data protection principles. The fifth data protection principle at Section 39 provides that personal data processed for law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is being processed. This section also requires that appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for law enforcement purposes.
25. The 2018 Act applies UK wide and came into force after the Gaughran judgement was brought before the courts and so the 2018 Act was not factored into the judgement. Regardless, it is still the case that Police Scotland must ensure that their retention policies take the proportionate approach which section 39 requires.
Section 18 of the 1995 Act
26. Section 18 of the 1995 Act provides that a police constable can take from or require a person who has been arrested and is in custody to provide relevant physical data[10] (fingerprints etc.). It also provides that a saliva swab and certain samples (hair, nails etc.) may be taken. Subsection (3) provides that all physical data, samples and information derived from such samples must be destroyed as soon as possible following a decision not to institute criminal proceedings against the person or on the conclusion of such proceedings otherwise than with a conviction or order under section 246(3) of the 1995 Act (absolute discharge) subject to subsections (3A) or (4) and sections 18A to 18G.
27. It was noted that Section 18 is silent on retention requirements for convicted people. However, the review team noted that there may be some benefit in the flexibility which the current provision allows. This was discussed alongside the wider research that was undertaken and it was clear that there is no consistent approach to retention within the EU. The research available indicates that national requirements vary significantly in the data available – this is discussed more fully later in the report. Therefore, there is no compelling reason for Scotland to try to emulate any other EU country's retention period regime.
28. For people who are not convicted, the 1995 Act makes provision as set out in the paragraphs below. Taking the provisions together, the review team ultimately agreed that the relevant periods set out in Section 18A through to Section 18H of the 1995 Act, could be seen as arbitrary to an extent, but the same could be said of any length of time that was selected. An important point is that retention under these provisions does at least have an initial time limit, and further extensions are subject to judicial control. The review team would also note that factually, no legal actions have been raised to date in Scotland regarding the retention of biometric data, which is also a relevant factor.
29. Section 18A of the 1995 Act provides that, for criminal proceedings in respect of a relevant sexual or violent offence that conclude other than with a conviction, the destruction date for any relevant data taken under section 18(2) or any sample or any information derived from the sample is the date of expiry of the period of 3 years following the conclusion of the proceedings; or such later date as an order under subsection (5) may specify. Subsection (5) provides that the Chief Constable of the Police Service of Scotland can apply to the Sheriff Court within the period of 3 months before the destruction date to have the destruction date amended. As the process is subject to judicial oversight, this affords a degree of transparency and accountability to the decision-making, and therefore the review team considered this approach to be sufficient.
30. Under Section 18B of the 1995 Act, if a person accepts an offer under sections 302 to 303ZA of the 1995 Act (conditional offer, compensation offer, combined offer, work offer), then any relevant physical data or sample that they have provided, or information derived from such a sample, must be destroyed within either 2 or 3 years beginning on the date on which the offer was issued (depending on whether a relevant sexual or violent offence was involved) or (in the case of a relevant sexual or violent offence only) any later date as an order may specify. Such an order may be sought by summary application by the Chief Constable under section 18C. Acknowledging that there is no obvious rationale as to why these time periods have been selected, but noting also their short duration, the review team considered this approach to be sufficient.
31. Section 18D of the 1995 Act provides that, when a person is arrested in relation to a fixed penalty offence and the matter is dealt with by fixed penalty notice, any relevant physical data taken in connection with that offence must be destroyed within 2 years of the day on which the fixed penalty notice was given to the person. Again, acknowledging that there is no obvious rationale as to why these time periods have been selected, but noting also their short duration, the review team considered this approach to be sufficient.
32. Sections 18B and 18D of the 1995 Act were specifically considered, given the difference in nature of the retention periods outlined. It was established that the difference stemmed from the nature of the offence to which each provision relates – Fixed Penalty Notices (FPN) (issued by Police Scotland) are for relatively minor public nuisance offences, whereas Fiscal Offers (issued by COPFS) are for a higher degree of offending but not for serious (public safety) offences.
33. It was also noted that biometric data retention is very unlikely to be the key factor when a person decides whether to go to court or to accept a FPN / Fiscal Offer. It was also highlighted that, when the 1995 Act came into being, there needed to be a diversion from prosecution route and this is still the case today. The review team attempted to find the rationale behind the periods specified in the 1995 Act (2 and 3 years respectively) but were unable to locate any documentation to evidence this. Nevertheless, the review team considered this approach to be sufficient.
34. In reviewing these provisions, the review team were also mindful that the default position should not simply be to retain the data for the maximum time period; and that the necessity of reviewing the continuing need for retention should be observed. This would demonstrate that the retention periods applied in practice are proportionate, necessary and compliant with the data protection principles for its lifetime.
35. Section 18G of the 1995 Act provides that any relevant data or sample or information derived from a sample can be retained for so long as a national security determination made by the Chief Constable has effect in relation to this. A national security determination has effect for a maximum of five years beginning with the date on which the determination is made but this may be renewed. Any relevant physical data, sample or information from a sample which is retained in pursuance of a national security determination must be destroyed as soon as possible after the determination ceases to have effect. The review team noted that this element is a reserved matter under the Scotland Act 1998 and therefore outwith the scope of the review.
36. Section 18H of the 1995 Act provides that when a person is arrested under an extradition arrest power and relevant physical data is taken or provided, all record of any relevant physical data, all samples and all information derived from such samples must be destroyed as soon as possible following the determination of extradition proceedings. The review team considered this approach to be sufficient.
Section 19 of the 1995 Act
37. Section 19 of the 1995 Act applies where the person has not, since the conviction, had a sample, print or impression taken, or where the person has previously been required to provide relevant physical data (fingerprints etc.) or any sample and this has turned out to be unsuitable/inadequate. Where section 19 applies, the person may be required by the police to provide a sample/relevant physical data within the permitted period, which is either one month from the date of conviction/date, or one month from when written intimation is received that the previous relevant physical data/sample provided was inadequate.
38. The review team considered whether the one-month time limit was a practical and feasible requirement. The review considered that the one-month timescale would have been practical for the police when this legislation originally came into force. However, it is recognised that in current times, the police face significant operational challenges which can prevent resources being deployed to collect such samples before the time limit expires. The review also recognised that a one-month time limit had potential to increase the possibility for a convicted person to ignore or evade police efforts to trace and collect such samples for such purposes.
39. The review team also recognised the finding of the IAG in 2018 which had suggested that such a timeframe be increased to three months[11].
40. The review team therefore considered, in principle, that the timeframe should be extended. However, further evidence is required to support a definitive view on what such a timeframe should be. At this time, the review team have heard arguments to extend which are based on operational and practical considerations. However, any extension in the timeframe will need to be supported by management information collated by the police which should provide more robust data on the incidences of missed timescales and the prevalence of sampling failures. Although the review team was provided with a snapshot relating to sampling failures in 2023, we considered that there were opportunities for the police to improve the monitoring of sampling under Section 19 for policies and processes and for improved management information to be compiled.
41. The review team considered that such evidence is critical to supporting any proposal for change and should also be informed by an analysis of human rights considerations, given that an increased timescale would effectively allow the police to have more time to collect samples. The review team acknowledges the context that such collection would only apply to those convicted of an offence and therefore the consequential risks of infringing human rights may be low but nonetheless this aspect needs to be fully explored. The review considered that this supporting evidence would provide the basis for a public consultation, with the intention that primary legislation could be considered more fully at an appropriate opportunity to extend the one-month timeframe – subject to the findings of the public consultation.
42. Section 19A of the 1995 Act allows for a sample to be taken, if the original is lost or destroyed, but only if a person is imprisoned for sexual or violent offences as specified under the 1995 Act. The review team considered the specified offences and it is not, at this time, of a view that there is enough evidence available to support a case for change. The review gave particular consideration to the omission of terrorism related offences but acknowledges that this subject matter strays into territory which could be deemed beyond devolved competence.
43. The review team did however identify the offence of 'robbery' as a possible omission to the specified list, although it was noted that such behaviour could already be covered in practice in law if it involved the use of a firearm or offensive weapon or some form of assault for example. The review team therefore considered that an evidence base would need to be established by the police in the first instance to support any proposed change to the specified offences at this time.
44. The review team also gave consideration as to whether it would be beneficial if powers were available to replace lost or destroyed samples for all serious offending convictions, and not just limited to imprisonment. There is however no supporting evidence for the review team to form a definitive view on such matters and in the context that this would significantly widen the scope of the existing powers.
45. The review team however considered that this could be a potential area for the police to review as part of developing its own wider policy on biometric retention – with the construction of an evidence base being required to support any proposed change to the scope of the power at this time.
46. Section 19AA of the 1995 Act makes provision around the taking of relevant physical data or samples from sex offenders subject to notification requirements under the Sexual Offences Act 2003 or an order under section 27 of the Abusive Behaviour and Sexual Harm (Scotland) Act 2016.
47. Section 19AB of the 1995 Act makes supplementary provision to section 19AA – principally around the provision of an offence where a person fails, without reasonable excuse, to attend a police station to provide a sample or whilst in custody at a police station fails to allow a sample to be taken.
48. Section 19B makes provision in relation to the powers of a constable to take relevant physical data or to secure a person's compliance to take such data.
49. Section 19C makes provision around how relevant physical data, samples or information derived from a sample may be used, including for sharing material with others and checking it against other data and samples for permitted purposes.
50. Having considered the existing provisions under sections 19AA to 19C, the review team notes that there is no legislative provision under section 19AA which specifically sets how long the police should retain relevant physical data and samples from sex offenders subject to notification requirements. The review team therefore considers that such matters should be further explored as part of any wider work by Police Scotland and partners to progress recommendation 3 of this report. The review team also proposes that no change be made to the provisions under section 19AB to section 19C.
Section 56 of the Criminal Justice (Scotland) Act 2003
51. Section 56 of the Criminal Justice (Scotland) Act 2003[12] ("the 2003 Act") allowed for the establishment of a database of DNA profiles developed from persons who have supplied their written consent to have their DNA profiles retained for specific purposes, namely the investigation and prosecution of a single offence or more general retention which allows the volunteer's DNA profile to be examined for any other offences which may be investigated in future.
52. Section 56 also provides for the withdrawal of consent in this case. However, in the absence of consent withdrawal, technically the data could be held indefinitely without review.
53. Although the provision has been in force for a number of years, the review team notes that there have been no legal concerns raised, as there is an existing mechanism to withdraw consent. Research showed that no complaints have been made regarding the retention of volunteer data to date. Nevertheless, indefinite retention does raise questions of proportionality and necessity. This matter therefore requires further consideration by Police Scotland.
54. It should be noted that Police Scotland are currently undertaking a review of volunteer data and their consent forms to ensure they continue to meet any and all legal and accessibility requirements. Nevertheless, the review team consider that a periodic review is required as to the continuing need for retaining this data once the original case is closed. A written note should then be recorded explaining any decision made to continue to retain this data.
S & Marper and Gaughran Judgments
55. There was an important principle established in the S & Marper[13] and the Gaughran judgments where it was determined that Article 8 (right to respect for private and family life) had been contravened[14]. These judgments found against indefinite retention of data in respect of non-convicted persons in the case of the former – and in respect of convicted persons where there are no review periods specified, in the case of the latter.
56. The 1995 Act does not contravene these judgments because it is silent about retention of data for convicted persons, and it sets specific destruction periods for the data of non-convicted persons. However, Section 56 of the 2003 Act may yet be argued to contravene because retention until consent is withdrawn could be seen as indefinite unless there is a period of review for the data of innocent people. As indicated earlier in the report, volunteer data is a complex issue where both the donor of the data and the authorities have the ability to decide to destroy the data.
Children's data
57. Given that there has been recent legislative change (Age of Criminal Responsibility (Scotland) Act 2019, Children's Care and Justice (Scotland) Act 2024, respectively), the review team decided that it was not appropriate to review legislation relating to children's biometric data, as the legislation needs time to bed down.
The Independent Commission for Reconciliation and Information Recovery (Biometric Material) Regulations 2024
58. The review team wished to highlight that on occasion, UK legislation can override both Scottish statutory destruction provisions (where they exist) and operational practice/policy in devolved policing contexts. It is also to be noted that while instances of this kind are rare, it is important that devolved administrations are meaningfully consulted beforehand, to ensure an agreed robust rationale for the over-riding.
59. These regulations[15] were laid in connection with the Northern Ireland Troubles (Legacy and Reconciliation) Act 2023, and designate collections of biometric material (DNA and fingerprints only). The regulations require that relevant material in those designated collections, which would otherwise be destroyed under certain statutory destruction provisions, is retained.
60. This is to ensure that preserved material is available for use by the Independent Commission for Reconciliation and Information Recovery (created by the Act) in conducting investigations into Troubles-related deaths and serious injuries. The territorial application of this instrument (that is, where the instrument produces a practical effect) is England and Wales (E&W), Scotland, and Northern Ireland.
Images – legislative approaches
61. In the course of this review, stakeholders have highlighted the legal provision in Scotland for the taking of police custody images. Although the taking of biometric data is not included in the scope of this review which is focussing on the retention of data, the review team wishes to recognise the points raised and to provide reassurance that these matters will be followed up beyond the conclusion of this current review.
62. While common law provides a legal basis for the taking of custody images in Scotland, stakeholders have noted that a different approach is taken in E&W where section 64A of the Police and Criminal Evidence Act 1984[16] makes specific statutory provision around various aspects of the taking and use of images. Similar statutory provision also exists in Northern Ireland under article 64A of The Police and Criminal Evidence (Northern Ireland) Order 1989[17].
63. The review team are also aware that the direction of travel for UK policing is for the creation of a single custody image database as already exists for DNA and fingerprints. This will be delivered by the Strategic Facial Matcher programme which is already in development by the Home Office[18]. In turn, this helps to prepare the UK for future participation in the Prüm II biometric exchange mechanisms which are being expanded beyond DNA and fingerprints to include facial images and police records (reference numbers of suspects and convicted criminals).
64. Given that we anticipate a possible broadening of the use of images in Scottish and UK policing in the future, the SG and SBC will work with Police Scotland and other stakeholders to take a fresh look at the legal provision around the taking of images in Scotland to ascertain whether additional provision is needed to support future technologies and anticipated changes to international exchange mechanisms. Such technologies could include the sharing of facial images over UK agency boundaries as part of the Home Office Strategic Facial Matcher Programme; with EU member states through Prüm II; and through Live Facial Recognition technology which is currently in use by certain police forces in E&W. It should be noted that the SBC Act 2020 classifies both custody photographs and digital biometric templates derived from them as biometric data.
Legal – Conclusion
65. The 1995 Act serves as the primary legislation governing the collection and retention of fingerprints and other biometric samples from individuals arrested by the police in Scotland. However, in regard to the data of convicted persons, it does not provide explicit guidelines regarding the duration and criteria for the retention of such data.
66. However, the DPA 2018 imposes strict requirements for data retention and review periods to ensure responsible data management practice, including for law enforcement purposes. In accordance with this, certain elements of the current retention policy of Police Scotland may not meet the legal requirements of UK data protection law. However, this would be a matter for the UK Information Commissioner to advise on.
67. When taken together, existing law as set out in the 1995 Act, the 2003 Act, the 2018 Act and the 2020 Act ensures that indefinite retention should only occur within the context of proportionality and necessity. The fact that the legislative provision covering this topic is spread between so many Acts is not ideal in aiding an individual's understanding of the position. This is to some extent remedied with the provision of comprehensive guidance in the SBC's Code of Practice[19] which is publicly accessible online.
68. Lack of available evidence is an undoubted obstacle to determining whether any legislative change is necessary in respect of the 1995 Act and what sort of change might be required. Further development work is therefore required in this regard.
69. As previously stated, legal provision and Police Scotland practice work together to establish the rules relating to retention. In the next section the review considers the extent to which Police Scotland policies provide additional assurance that a proportionate approach is being taken to the timely deletion of biometric data.
Contact
Email: louise.robertson@gov.scot