Scottish government proposes immediate deletion of expired facial images in new biometrics code
The Scottish government has won praise from the Open Rights Group with a draft Code of Practice which, if implemented in its current form, will result in immediate deletion of all mugshots at the end of their legal retention period, The Register reports.
The Code of Practice “On the acquisition, use, retention, and disposal of biometric data for justice and community safety purposes in Scotland” (PDF) establishes rules and oversight conditions that Scotland will appoint a biometrics commissioner to enforce.
The draft code includes sections on human rights and data protection, general principles and ethical considerations, privacy by design and data protection impact assessments (DPIAs), transparency, a process for reviewing and appealing biometric data, vulnerable individuals, and compliance with the code. It identifies fingerprint, DNA, and custody images as biometric data, but also notes that “second-generation” biometrics like iris recognition, behavioral biometrics and voice pattern analysis would be included if they are used.
It specifies the need for a “presumption in favor of deletion” and for agencies to ensure the deletion of data from any databases it has been replicated on.
“Open Rights Group called for rules establishing an automatic deletion procedure,” writes the organization’s Scotland director, Matthew Rice in a blog post. “It is welcome to see them included in the Code of Practice for Scotland and we encourage the rest of the UK to follow Scotland’s lead.”
So far, the rest of the UK has taken a markedly different approach, with the Home Office’s continued failure to delete facial images after being instructed to do so drawing criticism from the Parliamentary Science and Technology Committee, and Big Brother Watch filing a legal challenge to the continued trials of automatic facial recognition by UK police.
Open Rights Group also expressed disappointment with some elements of the draft code. It does not approve of its limitation to law enforcement, which would set different rules for biometric use by national security agencies or private companies, and also says the biometrics commissioner should have more power to deal with organizations that violate the code, as the office would only be able to issue an “improvement notice,” rather than legal challenges.