Biometric data retention: review report

Ethical Analysis

Why Ethics?

119. The retention of biometric data for criminal justice and policing purposes represents a unique set of opportunities and risks. In this context, the ethics around retention should stand at the forefront of the discussion in developing relevant laws and operational practice. It is however important to note that a consideration of ethics will not of itself eliminate all ethical risks. It is rather aimed at reducing the likelihood of negative impacts of those ethical challenges.

120. This section sets out the accountability framework in Scotland and explores in particular the harms to individuals and groups resulting from the failure to ethically use biometric data.

Accountability Framework for Biometric Data in Scotland

121. In 2020, the Scottish Parliament introduced the Scottish Biometrics Commissioner Act creating a new accountability framework for biometric data and technologies used for policing and criminal justice purposes in Scotland. The accountability framework in Scotland includes independent oversight, a statutory code of practice backed by powers to ensure compliance, and an associated complaint mechanism for data subjects. The Scottish Code of Practice is designed around 12 guiding principles and ethical considerations^[44]. This ensures that biometric data and technologies used for areas of policing and criminal justice within the devolved competence of the Scottish Parliament benefit from full independent oversight.

122. In addition, the UK Information Commissioner Office (ICO) provides independent oversight of adherence to UK data protection laws in respect of both biometric and genetic data used for law enforcement purposes. Where fingerprints and DNA are retained in Scotland without conviction under counter-terrorism legislation it also benefits from independent oversight through the office of the Biometrics and Surveillance Camera Commissioner for England and Wales. Finally, any biometric data acquired, retained, used, or destroyed under covert policing operations is also independently overseen by the Investigatory Powers Commissioner's Office (IPCO). Collectively, this means that biometric data used for every conceivable policing purpose in Scotland has a clear accountability framework in place.

Harms to Individuals and Groups Resulting from The Failure to Ethically Use Biometric Data

123. Actual harms to individuals and groups can result from the failure to ethically retain biometric data. These include unfair and discriminatory outcomes. As these systems and the processes produce outcomes that directly affect individuals, it is important to explain to both the individual and society how they work, including the rationale behind a possible outcome or decision which affects their fundamental rights.

124. Actual harm examples:

• Potential harm for Privacy/Autonomy: The potential transfer of biometric data to other public/private bodies without consent of the individual raises' privacy concerns. A person has the right to control access to their own body (and the data derived) and that interventions related to their body require explicit consent, or extremely strong justification. Clear protocols should be put in place out of respect for the deceased. Harm example = indefinite retention of biometric data after the death of the data subject with neither consent nor strong justification for ongoing retention.
• Potential harm for Transparency: Systems/processes/procedures used for criminal justice purposes produce outcomes that directly affect individuals. Therefore, it is important to explain to the individual how the systems/processes/procedures are expected to perform and the rationale behind a possible outcome/decision. Harm example = Person not told why their DNA has been kept on record after potential arrest/conviction etc.