There can be no doubt that technology using biometric data is progressing at a rapid pace. Clearly, the use of such technologies can be intrusive to privacy and raises other human rights considerations. However, it can also provide significant opportunities for law enforcement agencies to improve the prevention and investigation of serious crime and the prosecution of some very dangerous individuals, helping safeguard other fundamental rights such as the right to life and freedom from degrading treatment. Finding the right balance between the privacy concerns and entitlements of the individual while harnessing new technology responsibly, accountably and proportionately is proving to be a significant challenge for policing today; tomorrow’s technology will make it even more so. Which is why there needs to be an informed and realistic response to the government’s idea of soaking up the Biometrics and Surveillance Camera Commissioner functions within a data regulator’s role which is buried at the end of the DCMS’ ongoing broad consultation called Data: A new direction.
When we talk about ‘biometrics’ in this setting of course we talk about DNA and fingerprints but we also talk increasingly about new capabilities like Live Facial Recognition and inferential algorithms and other remote surveillance tools, and about gaps in the law that does, or rather more to the point, does not, govern such technology. We talk about the fact that we have an act of Parliament telling the police what they must do if they want to take a suspect’s boot print but which is silent on the mass capture of facial images, leaving the police frustrated and the public nonplussed. Or the fact that the same legislation creates unintended policing biometrics problems because of the increasing trend towards using ‘voluntary attendance’ at police stations instead of arrest. When we talk about biometrics we talk about the pressing need for reform in the taking and matching of samples by the police, the confusion from recent changes to bail legislation and the chaos / uncertainty caused when people are ‘released under investigation’.
In the words of a very experienced police biometrics manager during a recent visit, the result is that the current situation is “doing a disservice to our victims and our officers”.
At a time when the police must make some tough calls in their deployment of biometrics and surveillance, the government’s consultation offers a rare opportunity for an educated public debate. But none of these pivotal biometrics issues that we talk about are addressed by the consultation. Relegated to its closing questions that read almost like an afterthought, the proposal simply invites views about ‘absorption’ of the biometrics and surveillance functions under the Information Commissioner’s Office and offers no alternatives as found elsewhere in the consultation document which may reflect the extent to which this very specific die has already been cast. The anticipated impact of absorption does not make it into the accompanying Analysis of Expected Impact document even under the section on ‘delivering better public services’ or ‘impacts on privacy and trust’.
The Office of the Biometrics Commissioner (OBC) is not a regulator and the Commissioner has quasi-judicial functions entrusted to a public appointee making decisions about whether or not the police are empowered to keep an individual’s DNA profile and\or fingerprints when, ordinarily, legislation would require that they be destroyed. In reviewing all National Security Determinations (NSDs) the Commissioner must consider whether the police can retain the biometric data of individuals believed to present a significant threat to national security where they have not been convicted of an offence. NSDs are made by chief police officers and empower the police to keep an individual’s biometrics for up to 5 years in the first instance; thereafter they can be renewed for as many times as deemed necessary. Therefore an NSD represents a substantial and enduring interference with an individual’s rights, particularly as the subject of the NSD is not informed of its existence and has no opportunity to make representations against it. If the Commissioner is not satisfied that an NSD has been properly made, or concludes that the continued retention of the biometric data is not necessary and proportionate, they have the statutory power to order destruction of the biometrics.
During 2018 and 2019 the Biometrics Commissioner reviewed more than 800 NSDs; he challenged for more information in 10% of those and in 2% ordered the destruction of the material held. Since taking up the role in March 2021, I have already reviewed almost 500 NSDs.
The Commissioner’s quasi-judicial functions also include decisions as to whether or not the police should be granted exceptional and limited permission to retain the biometrics of someone who has been arrested for a serious offence such as sexual abuse, indecent exposure, assault, burglary and robbery where the victim was vulnerable by reason of their relationship with the suspect or is very young. In other words, in some of the most challenging and important crimes in our communities.
If the police are unable to charge the suspect, for example, because the victim fears reprisals or is a lone voice against their suspected attacker, the suspect would normally be entitled to have their biometric data deleted but if the chief police officer can make a compelling argument, the Commissioner can consent to the retention for 3 years. The suspect is told of the application and has the legal right to make representations to the OBC.
These functions in some jurisdictions such as Scotland are made to a judge but, unlike a judge, the Commissioner must report annually to Parliament and provides comment on the use and outcomes of this statutory police power. Over the past 6 months I have made many such directions. I was also required to provide an assessment of whether temporary measures suspending legal protections on police use of biometrics during the COVID 19 pandemic had been used only as intended and also whether any biometric material had been lost.
These executive functions are not ‘regulatory’ and may even conflict with the role of the national data protection regulator (the ICO) under whose remit the consultation proposes to put them.
When we talk about oversight of police surveillance we talk about the Automated Number Plate Recognition (ANPR) system, a phenomenally powerful policing tool that registers some 60 million hits per day and its accountable use to support effective policing at neighbourhood, regional, UK and international level; we talk about working with the surveillance camera industry to explore the accountable, responsible and ethical use of new technology such as facial recognition and to enable the police and other law enforcement partners to harness new tools and techniques, visiting police forces to meet with their officers, staff and elected local policing bodies to understand how collectively to enable the responsible, proportionate and accountable exploitation of emerging tactical options in line with expectations of local communities. And we talk about supporting the private sector in their voluntary adoption of the exacting standards set out in the Surveillance Camera Code of Practice (which is itself in the process of consultation and revision), from high street retailers like Marks & Spencer to operators of small drone businesses and why it makes no sense for the government not to adopt those standards too.
What we talk about when we talk about biometrics and surveillance includes evidence presented to Parliament. When the House of Commons Select Committee on Science and Technology heard from the Biometrics Commissioner and the ICO in 2015 it recommended that governance would be improved by extending the statutory responsibilities of the Biometrics Commissioner “to cover, at a minimum, the police use and retention of facial images” and “fully exploring the implications of widening the Commissioner’s role beyond facial images” with all relevant findings and costs being published. This is what Scotland went on to do and this is what everyone talks about when they talk about better regulation of police biometrics, yet neither the questions nor the consultation make reference to this clear recommendation.
What we talk about when we talk about accountable surveillance includes the global challenges to police use of AI and automated decision-making technology in mobile phone tracking via cell-site simulators (‘Stingrays”), Toll Payment Readers, Shot Spotters, X-Ray Vans and “Surveillance-Capable Lightbulbs” and the use of Open Source Intelligence where the data protection rules are not always engaged but where the citizen’s protestation tells their government it may be legal, but people do not want the police using it, in their name or in their neighbourhood; we talk about the importance of transparency, the lack of which serves further to undermine public trust at a time when public trust is everything; we talk about the ethical practices of camera operators and how even technophile societies such as Singaporeans are becoming alarmed at the police use of surveillance technology and stopped their law enforcement bodies using the country’s COVID 19 track-and-trace capabilities and how MEPs just passed a resolution supporting a ban on the police using facial recognition in public spaces and preventing their use of predictive algorithms.
This consultation ought to have provided a rare opportunity to pause and consider the real issues that we talk about when we talk about accountable police use of biometrics and surveillance, a chance to design a legal framework that is a planned response to identified requirements rather than a retrospective reaction to highlighted shortcomings, but it is an opportunity missed.
What we talk about in the end, is how people will need to be able to have trust and confidence in the whole ecosystem of biometrics and surveillance, which is why singling out one technological application is unhelpful and the titration of one statutory post is unimaginative. The narrow and singular proposal of absorption by the ICO is, in my view, ill-conceived; it is the wrong answer to the wrong question and, for the many reasons cited above, is unlikely to produce simpler, stronger governance. It is more likely to result in dilution and further complexity while at the same time squandering a once-in-this-generation opportunity to reform the police use of biometrics and surveillance.
A quarter of the way into my 2-year appointment I can say that this is what we talk about when we talk about biometrics: we don’t talk about functional absorption by the data regulator.
* with all due admiration and acknowledgement to Raymond Carver