Biometric data retention: review report
A report by the Scottish Government and the Scottish Biometrics Commissioner of a review of the retention of biometric data provided for under sections 18 to 19C of the Criminal Procedure (Scotland) Act 1995.
Procedural Analysis
70. The review team assessed the existing policing procedures in relation to the retention of biometric data.
71. Police Scotland does not have a bespoke policy on the retention of biometric data; instead, retention follows the retention policy for the entire criminal record or production evidence schedules.[20] For custody data, Police Scotland primarily apply retention based on the rules of the 1995 Act and are only required to apply internal policy where there are gaps in the Act, or the Act is silent.
72. Police Scotland policy and guidance on biometric retention can be found in internal Standard Operating Procedures (SOPs) and Codes of Practice.
73. There are two of these which are particularly relevant for data retention. Firstly, the Record Retention SOP, which defines specific retention rules for records and production evidence held by Police Scotland. These outline, for example, retention periods for custody images loaded to the Criminal History System (CHS) – and then subsequently the Police National Database (PND). Secondly, the Recording, Weeding and Retention of Information on CHS Guidance, which supports the records management policy, data protection policy and records retention SOP.
74. Biometric retention and weeding practices vary according to the rules of the criminal record data policy for convicted case data. In addition, current retention policy is silent on biometric data of victims and witnesses and volunteer biometric data.[21] In the event that a deceased subject's biometric data is held (fingerprint, image, and DNA), it is weeded 3 years from the date of death recorded on CHS, as this will trigger a full weed of the CHS record.
75. The current Police Scotland policy can be summarised as follows:
- DNA data is retained and reviewed at subject's 100th birthday or weeded 3 years from date of death (whichever is sooner).
- Fingerprint data is retained in alignment with the Criminal Record Data Policy for convictions; or weeded 3 years from date of death (whichever is sooner).
76. The CHS and Criminal Record Data Policy for Convicted Case Data is:
- The 40/20 rule means that the subject to whom the data applies must be 40 years old (or over) and the information has been on record for at least 20 years (i.e., both conditions must be met before the record would be weeded/deleted).
- The 70/30 rule means that the subject to whom the conviction applies must be 70 years old (or over) and the information has been on record for at least 30 years (i.e., both conditions must be met before the record would be weeded/deleted). The 70/30 rule applies where any of the following apply:
  - Conviction on indictment – Solemn Procedure.
  - The antecedent is a ruling under Mental Health Acts; or
  - Conviction is custodial (imprisonment).
- The 100/30 rule means that the subject to whom the conviction applies must be 100 years old and the information has been on record for at least 30 years (i.e., both conditions must be met before the record would be weeded/deleted). This rule applies when:
  - Penalty of Life Imprisonment is imposed.
  - Subject is detained during His Majesty's Pleasure.
  - Subject is detained without limit of time; or
  - The antecedent is a sexual or sexually aggravated offence.
77. Image data is retained for the duration that a subject has a criminal conviction for the case, or for any case prior to the image being taken.
78. The current policy and practice point to a general approach to biometric data retention which relies on criminal record data policy. Lack of specific policy on retention and deletion of biometric data brings legal and ethical risks, including excessive retention periods, as the current retention and weeding practice follows and varies according to the convicted case data or the production evidence schedule. This creates concerns around the lawfulness, and both the proportionality and necessity, of the prevailing biometric retention policies.
79. The governance landscape is complex as Police Scotland stores biometric data on other policing systems (such as fingerprints on the UK IDENT 1 system) with data managed in accordance with the rules applied to that system. This can be illustrated for retention periods. For example, Police Scotland retain images in accordance with their Criminal Record Data Policy, or they are weeded 3 years from date of death (whichever is sooner).
80. On the other hand, the UK missing persons database weeds images 6 years after the last missing episode, and the video identification parades electronic recording weeds biometric data at 7 years. This also could mean that one type of biometric can be deleted while another will remain. Both Police Scotland and SPA are determining steps to ensure they comply with the law including the statutory SBC Code of Practice. It should be noted that the definition of what constitutes 'biometric data' in UK Data Protection law is different from the definition under the SBC Act 2020. Data Protection law also distinguishes between 'biometric data' (fingerprints and biometric templates derived from photographs) and 'genetic data' (DNA).
81. The deletion of biometric data from policing databases likely involves a combination of manual and automated procedures. For example, when biometric data is no longer required for investigative purposes or when individuals request the deletion of their data in accordance with data protection law, Police Scotland may initiate manual procedures to identify and remove relevant records from databases. Some records need to be weeded manually such as fingerprint forms done on ink, acetate fingerprint lifts and DNA mouth swabs. This may involve accessing database systems, reviewing records, and executing deletion commands or protocols. Additionally, automated processes may also play a role in data deletion, especially for routine data management tasks or when large volumes of data need to be deleted as in the case of a full CHS records weed.
82. In 2022, the SBC Code established a presumption of deletion for biometric data (in non-conviction and no-proceedings scenarios) following the expiry of the relevant retention periods as prescribed or permitted in law. The Code states that if a biometric data type has no retention period prescribed in law, Police Scotland, the SPA, and the PIRC should apply the same retention period as for other types of biometric data, such as DNA and fingerprints in the corresponding case in question.
83. There is also a lack of overarching biometric strategy or policy across both Police Scotland and the SPA Forensic Services which jointly administer the arrangements for managing Scottish DNA and fingerprint records and in certain circumstances images. This issue was also raised in the SBC's Images assurance review and report to the Scottish Parliament in March 2024.[22]
84. Police Scotland, the SPA and the PIRC do not hold enough management information on all biometric data types that points to their effectiveness, particularly in relation to retention. This was the subject of a previous recommendation to Police Scotland in the SBC's assurance reviews relating to children and vulnerable adults in March 2023.[23] Retention and review periods should be informed by evidence and the principles of necessity and proportionality.
85. The paucity of management information on biometric data mirrors the position in the rest of UK policing where data is mostly only published at a macro level. Improving the collection of management information around biometric data will not only better inform strategic decision-making but help to demonstrate the effectiveness of that data within the criminal justice system. This would inform better public understanding and maintain confidence and trust in its use and in the police.
Procedural – Conclusion
86. Present practices for data retention concerning convicted individuals typically adhere to convicted case data retention policies or production evidence schedules. Nevertheless, there exists a notable absence of specific policies concerning the retention and deletion of biometric data. To address this gap, it is recommended that Police Scotland formulate a retention policy directly addressing biometric data to ensure compliance with the law (necessary and not excessive for the purpose). The retention policy should expressly prohibit indefinite retention without periodic review, and periods of retention which form part of the policy should be informed by evidence of effectiveness with proportionality and necessity demonstrated.
87. Additionally, the review team is aware that Police Scotland and the SPA plan to develop specific biometrics strategies to set out medium and longer term goals in relation to biometric data and biometric enabled technologies. Improving strategy will then enable policies and procedures to be aligned more coherently.
Contact
Email: louise.robertson@gov.scot