Biometric data retention: review report

Evidence Analysis

88. The report of the IAG in 2018 had recommended that evidence should be gathered from which continuing assessment could be made about appropriate periods of retention of biometric data. A clear focus for this latest review therefore placed particular emphasis on the importance of ensuring that its findings were shaped by the available evidence.

89. At the outset, it should be noted that capacity to undertake an analysis of the available evidence was managed within the existing resources of the SG and SBC.

90. For the purposes of considering the available evidence around the retention of biometric data for policing purposes, the review's methodology was primarily to undertake a desk based research exercise. The review team accessed an extensive reading list, sourced from the SG Library and through other online records. The content of over 100 articles/reports/findings were fully considered and are detailed in the bibliography to this report. These sources of information covered Scotland, the UK, the EU and the wider global community. It should be noted that some of these sources were not entirely relevant to the specific issue of retention of biometric data.

91. The review team also considered reconviction data in Scotland as a proxy for re-offending data which was not available.

92. The review team also considered the available data around the number of complaints made by the public around the retention of their biometric data.

93. The review team also organised a discussion with expert academics which provided an opportunity for the review team to consider their views on the current evidence base available around the specific subject of biometric retention.

94. A summary of the evidence found by the review team is set out in the paragraphs below.

Biometric data volumes

95. Forensic databases have become an important tool in the fight against crime in many jurisdictions around the world. In Scotland, forensic databases contain the data of convicted people; people who have been charged but not convicted of specific serious crimes; people who have not been charged, such as those who are "Not Officially Accused"; and to some extent, arrestees.

96. A summary of Scottish Biometric Volumes held for law enforcement purposes is set out below – for fingerprints, only the UK level position is known:

• Scottish DNA Database (as of 3 November 2023)^[24]
  • 378,615 individual profiles held
• UK National DNA Database (as of 31 March 2024)^[25]
  • 6,031,139 = Estimated total number of individual profiles held
• UK IDENT1 (as of 31 March 2024)^[26]
  • 28,374,312 fingerprint forms relating to 8,775,386 individuals held
• Scottish Criminal History System
  • 646,935 custody images (relating to 382,052 people) held^[27]
  • As highlighted in the SBC's "Assurance Review of the acquisition, use and retention of images and photographs for criminal justice and police purposes"^[28], the total data volumes of images are unknown and not easily accessible or possible to determine.
  • The SBC estimated that across the Scottish databases there could be in excess of 3 million images currently being held.

97. There has been an overall rise in biometric data collected for authentication and identification purposes around the globe and the SBC's recent assurance reviews demonstrate similar patterns in Scotland. Table 1 below shows that Scottish biometric databases continued to grow in 2023 compared to figures for 2021 (except for DNA).

98. UK law enforcement databases for DNA are the largest in Europe. A 2016 DNA database comparative study ^[29]shows the volumes of individual profiles held are equivalent to 8.8% of the population of England and Wales, the number for Scotland is equivalent to 5.6% of the population which makes it the largest DNA database in Europe. This compares with for example, 0.09% of the population in Portugal. In certain EU countries, the comparatively lower number of the DNA profiles held on law enforcement databases compared to the overall population, could be linked to the use and requirement of national ID cards. This topic is further explored later in this section of the report.

99. For 2022/23 there were 96,821 custody episodes at Police Scotland custody facilities throughout Scotland^[30]. A clear majority (75%) of all biometric data records held in Scotland for policing and criminal justice purposes relate to males. However, this is to be expected as males are more likely than females to be investigated/prosecuted for offending, with for example males accounting for 83% of all criminal convictions in 2021/22^[31].

100. The following biometric data volume table was prepared for the SBC annual report 2023:

*Criminal History Images, SBC estimates that Police Scotland has at least 3 million images held over all its systems

International DNA Volumes

101. It has not been possible to ascertain the volume of fingerprint or image data at the international level, but a comparative table is set out below of the number of DNA profiles held by jurisdictions (at 2020) across the world for law enforcement purposes and the year their databases were established:

Source: Forensic Genetics Policy Initiative (2020)^[33], Interpol (2019)^[34], The Impact of DNA Databases on the Investigation of Crimes (2024)^[35]

Reconviction rates in Scotland 2008 to 2019

102. In the absence of re-offending data, the review team considered the reconviction rates in Scotland between 2008 to 2019^[36] to assess whether there were any implications for biometric retention periods. After all, expectations around the likelihood to re-offend do play some part in the setting of retention periods. However, caution should be applied as reconviction is not the same as re-offending. It should also be noted that although data for 2020-21 is available, this is impacted by covid and as such is not indicative of long term trends – the review team therefore decided not to use this data.

103. It was established that the reconviction rate and average number of reconvictions per offender have generally decreased over the ten years between 2009-10 and 2018-19 by 2.3 percentage points from 30.6% to 28.3%. The data showed that under 21s have the highest reconviction rate and the over 40s have the lowest. The review team noted that this finding could have implications for the length of time required for retention periods. In particular, for the Twenty/Forty Thirty/Seventy (TFTS) rule in Police Scotland's Recording, Weeding and Retention of Information on Criminal History System (CHS)^[37]policy document – where fixed retention periods of either 20 or 30 years apply, depending on the length of time which has elapsed since the conviction; the severity of the sentence; and the convicted person's current age.

Key Findings

International Examples of retention policies

104. In Europe, very few countries have indefinite retention periods – some countries have fixed retention periods and others vary depending on the type of crime. Some countries have in-built review periods and others have none. These variations may be due to countries having differing socio-political histories in recent times which in turn affect public confidence in the retention of biometric data which is of course very personal data. Therefore, there is no consistent approach being taken. It is important to note, however, that the ECtHR has shown itself to be sensitive to the retention of biometric data and its automated processing for policing purposes, as reflected in judgments such as Gaughran v. UK previously referred to in this report.

105. Below are some examples of EU countries and their approach to retention of biometric data to give further context:

Germany

• Germany's DNA database was established in 1998 and has grown into one of the mid-sized databases in Europe. Germany's situation regarding genetics stands out because of its historical and cultural particularities.
• Germany follows the ruling in S and Marper v United Kingdom[2008] in relation to DNA profiles and fingerprint evidence and deletes an individual's data 'if they are found not guilty, charges are dropped or where after an arrest and investigation no further evidence is found'.
• According to German legislation^[38] the retention regime regulations require that profiles of adults and of crime stains will be reviewed after ten years and profiles of minors after five years, which could then lead to profiles being deleted.

Netherlands

• Dutch Forensic DNA legislation is expansive in several aspects, such as the retention regime and the consent for obtaining a DNA sample from a criminal suspect.
• Samples from convicted offenders are retained indefinitely and samples of suspects who are acquitted must be destroyed as soon as is reasonably practicable.
• When suspects are acquitted, their DNA profiles are deleted once the public prosecution office has confirmed that the individual is no longer considered a suspect.
• Profiles of convicted persons are kept for 20, 30, 50 or 80 years, depending on the seriousness of the offence and the conviction.

Poland

• In comparison to the other countries in the EU, the Polish DNA database is small.
• Every ten years, police bodies are required to verify all collected and stored information and remove obsolete data.
• The retention periods for DNA data are 20 years or 35 years for data related to suspects and those prosecuted or sentenced in connection with a crime.

Portugal

• The Portuguese DNA database was established in 2008 and is one of the smallest DNA databases in the EU. Portugal has arguably one of the most restrictive regulatory frameworks in the EU in relation to the criteria for the entry and deletion of DNA profiles.
• All data, including both the DNA sample and the DNA profile, has deadlines by which it must be eliminated and/or destroyed. More particularly, non-identified profiles must be deleted 20 years after they were inserted.
• The data of convicted individuals is removed from the database five, seven or ten years after they have served their sentence, according to whether the sentence was less than five years, between five and eight years or more than eight years, respectively.

106. When it comes to individuals who have been acquitted or had their criminal proceedings suspended, the view of the European Court of Human Rights is that the state should not be able to indefinitely retain DNA profiles of individuals who were not ultimately convicted.

107. However, when it comes to individuals who have been legally declared guilty as seen in the Gaughran judgementandTrajkovski and Chipovski^[39], longer retention periods are generally permissible. This does not mean however, that the state has unlimited power to retain DNA material indefinitely. Rather, the state must adhere to the principle of proportionality, which seeks to prevent a blanket and indiscriminate restriction of the right to privacy. This involves a number of safeguards including, judicial control of data retention, periodic checks, and expert opinions on the validity of data retention.

108. The EU Court of Justice issued a press release in 2024^[40] on the right of erasure and it supports the view that "police authorities may not store biometric and genetic data concerning all persons who have been convicted by final judgment of an intentional offence, without any time limit other than the death of the person concerned."

EU National ID Cards

109. The review team also considered that many EU states have mandatory identity cards and this may explain why the UK (which does not) hosts the largest law enforcement databases for biometric data. National identity cards are issued to their citizens by the governments of most EU states, the exceptions are Denmark and Ireland.

110. Regulation - 2019/1157^[41], which has applied in the EU since August 2021, states that all valid EU ID cards should contain a facial image of the holder and two fingerprints in interoperable digital formats. ID cards which do not meet the requirements set out will cease to be valid at their expiry or by 3 August 2031, whichever is earlier.

111. The Regulation does not provide a legal basis for setting up or maintaining databases at national level for the storage of biometric data in by individual EU States. This is a matter for each individual EU country and as such there is no EU wide biometric database. It is also important to highlight that the Regulation does not contain any mention of possible police use of any database at either local, national or international level.

112. Hypothetically, there could be instances where local police could access their own national ID card database to initiate a search for a missing person or for criminal purposes. The review team was unable to find detailed legislation/guidance in this regard due to searching and language limitations.

113. However, it was noted that there had been a recent issue around the possible granting of access to French police^[42]. If access were granted, then there would be little need to retain biometric data for lengthy periods on bespoke law enforcement databases. It should also be noted that each ID card is only valid for a period of time, after which a new image is required for each new card and this would be a recurring requirement until the person is deceased. Therefore, an up to date facial image would be available on a regular basis.

Availability of research

114. The review team found that there was a lack of evaluations of retention periods for biometric data across jurisdictions. This conclusion was supported by a discussion held with academic interests which suggested that the use of biometrics and supporting technologies was currently a more prevalent topic for academic research than matters of retention. The level of public understanding on such matters is yet to be fully established but it was suggested that awareness levels could be low based on the low number of complaints received by regulatory bodies.

115. Some of the key areas that were highlighted as lacking recent and robust research were as follows:

• Recent available research on public perception on retention periods overall in the UK and out with
• Research on how effective different retention periods/policies are in relation to public/private safeguards in the UK and out with
• Research on retention periods comparing views of criminal justice professionals versus other members of the public
• Up to date quantitative data on how much biometric data is held by policing authorities internationally. The table above (DNA databases in 2020) is the most up to date material that was available on any biometric data type
• Absence of published data on re-offending rates
• Police Scotland had little evidence or management information to support its current retention policies
• Lack of information about the legislative basis for retention in other countries

Evidential - Conclusion

116. The review team has established that there is not a gold standard of retention that Scotland should seek to emulate. Given the variety of approaches being taken in regard to the retention of biometric data across the world, current cross-jurisdictional comparisons taken in isolation do not present a convincing argument for Scotland to change its approach to biometric retention, without a more robust evidence base. It was also noted that there is a gap in the evidence base due to lack of Police Scotland management information on re-offending.

117. There is a case however for changing the approach to DNA retention in light of the recent EU judgment^[43] that retention until death or beyond is indefinite retention. Indefinite retention without meaningful review is contrary to Human Rights and to the 2018 Act.

118. This being the case, Police Scotland should review its general approach to DNA data retention given that its policy of destruction of DNA is based on the person's 100^th birthday/ date of death +3 years. It should also review its approach to other forms of biometric data held until the person's 100^th birthday such as fingerprints and Images for those convicted of serious sexual and violent offences.