UK pitches less oversight for Surveillance, who-knows-what for Biometrics Commissioner role
Tucked away on page 141 of 146, questions number 409 and 410 of the UK government’s data reform consultation document on data protection is a suggestion of potentially great consequence for the use of biometrics in Britain. The suggestion is to eliminate the positions of the Biometrics Commissioner and Surveillance Camera Commissioner.
“The government will explore the potential for further simplifying the oversight framework by absorbing the functions of those commissioner roles into the ICO [Information Commissioner’s Office], which should bring benefits to data controllers and the public with a single route for advice, guidance and redress,” question number 410 of the document concludes.
Biometrics and Surveillance Camera Commissioner Fraser Sampson tells Biometric Update in an interview this is not a good idea.
Tony Porter, who held the Surveillance Camera Commissioner role from 2014 to 2020, prior to its integration with the Biometrics Commissioner’s role, calls the idea “illogical” in an email.
Many of the functions of the Surveillance Camera and Biometrics Commissioner roles, which Sampson notes are both significantly different from each other and significantly overlapping, are not matters of data protection, or even regulation.
What the Surveillance Camera and Biometrics Commissioners roles are
The primary job of the Surveillance Camera Commissioner, Sampson explains, is to uphold the Surveillance Camera Code of Practice. He notes, with a wry grin, that the code was written when Edward Snowden was doing work for the NSA.
At that point, citizens had not taken the position Sampson says is now common, that facial photographs which could be used as biometric data should be treated the same way as fingerprints.
This creates major overlap with the Biometrics Commissioner’s role.
That role, however, is not regulatory. It is, Sampson says, “quasi-judicial,” with responsibilities like approving the storage of personal data by police of people deemed national security threats, but without having been convicted of a crime, and without their knowledge.
Sampson considers his roles to be determined by three domains. One is what is technologically possible, another is what is legally permissible, and the third is what is socially acceptable.
“For me it’s really clear that the future of this area is being developed in the third. People are increasingly saying, ‘I know you can do it technologically, and you might be able to get it past a judge, but I don’t want you doing it in my name or my neighborhood.”
People seeking reasonable answers to questions about their biometric data in the past were often told “we don’t know” and “we’re not telling you,” resulting in successful legal challenges.
That has resulted in a policy landscape not derived from a “eureka” moment, but rather a haphazard-seeming hybrid of litigation and legislation.
The idea of simplification and expansion may have appeal, Sampson acknowledges, but he says the question is how far safeguards and assurances present at beginning are there at the end.
Even if the ICO were to be expanded and given new resources, some functions would have to go somewhere else, according to Sampson. The quasi-judicial ones would have to go somewhere like the Investigatory Powers Commissioner. Porter agrees that the IPC could play a role, and points out that he said as much while holding the dual-Commissioner’s role, suggesting it could support the role with regulatory powers under the DPA 2018.
In Scotland, law enforcement seeking to retain biometric records for national security purposes make their case to a judge.
“The Biometrics Commissioner is not a regulator,” Sampson points out. “To move statutory functions that are quasi-judicial to a regulator is a very odd solution to improving and simplifying regulation, because it isn’t about regulation in the first place. So what you’d have to do is split them again.”
“In the first instance I see a significant advantage in keeping oversight of surveillance by police and those private organisations working in conjunction with police under the auspices of the Home Office,” states Porter. “The ICO operates under the Department of Culture Media and Sports — therein lies a disconnect. It is not helpful to consider the totality of surveillance through the prism of data protection and Data Protection Act.”
The implicit suggestion that oversight and regulation of surveillance cameras and biometrics should be deprioritized is significantly consequential, relative to the rest of the proposal, and yet is not mentioned or pointed to before the end of the document, suggesting at the very least a failure to effectively communicate the plan. That lack of transparency, however, is only the beginning.
Sampson is yet to receive a stakeholder letter regarding the consultation, and worse, he reports he was aware that plans had been taken to transfer the roles to the ICO last year, even before he took the position.
The proposal to “absorb” the positions was published while Sampson was on holiday, and appears to have gone largely unnoticed by a public increasingly concerned with the power of biometrics and surveillance technology.
A departure from the EU’s GDPR seems clear. The reason for less oversight of biometrics is not clear, beyond references to simplifying “the regulatory landscape,” “duplication, overlaps, and lack of clarity.”
“For example, the oversight arrangements for the police’s use of biometrics and overt surveillance are crowded and confusing,” the government argues. A quick search through Biometric Update’s story archive belies this claim, and indicates a complementary, distinct role.
Is this a data issue?
The means for police to protect citizens (as is their obligation) from all sorts of terrible things always is closer to their grasp, Sampson points out. They are ever “more affordable and more scalable, possibly more reliable.” But at what cost?
Policy-makers who prevent police from using a tool are responsible for harms that come from that lack, like police are responsible for harms that happen if they do use it, Sampson says. He advocates for a “layered accountability approach and governance”
The Biometrics Commissioner works towards legal and ethical use of the technology, encouraging biometrics use where appropriate, while also limiting it.
A company like Marks & Spencer, which recently adopted the Surveillance Camera Code, is such a part of the fabric of the nation, according to Sampson, that it appears to be broadly afforded special trust.
“Where I’m kind of struggling in this discussion – and it was highlighted by our secretary of state who was caught on camera earlier in the year – is that the government doesn’t adopt its own code,” Sampson says.
Asked if a second code is needed, he answers “the principles should be the same.”
He compares biometrics’ relation to data protection to the relation between his old job in nuclear security and general policing.
He draws another analogy to databases, which could be combined for enhanced utility, but are not due to a menu of risks topped by mission creep.
“There is a whole host of work that I’m involved in where the issues coming from people are not about information rights, they are about: ‘I don’t feel able to go and protest in Parliament Square because I think my conversation is being listened to, or someone is looking at my number plate.’”
This is plainly a surveillance issue, not a data protection one. It is about a chilling effect on constitutional entitlements.
Does any public service not use data, Sampson asks. Should every public service be regulated by one body? The government’s position, as currently presented, would appear to be vulnerable to an obvious reductio ad absurdum.
Bias is another issue that does not traditionally align with the responsibilities of the Information Commissioner. There has been a lot of discussion, says Sampson, about how mobile biometric machines were being used over the past year, and the proportionality of the numbers the practice produced.
The government’s role in guiding use or rejection of Hikvision technology is another example that the ICO seems ill-equipped to deal with.
“It is wrong to consider surveillance through such a narrow prism,” former Surveillance Camera Commissioner Tony Porter argues in his email. “It is important that regulation is streamlined and fit for purpose. However, in absence of any consultation or evidence to support the proposal, it is difficult to see the argument that has been constructed to support it.”
The benefits of CCTV and biometric surveillance technology continue to be regularly demonstrated, meanwhile, Sampson says. Police Officer Wayne Couzens’ recent conviction for the murder of Sarah Everard, a case which shocked the nation, was drawn largely from CCTV evidence.
But without a specific Commissioner providing oversight, will society accept the use of such tools to keep people safe? Should it? If the British government has answers to those questions, it is guarding the information closely.
This post was updated at 12:47pm Eastern on October 11, 2021 to include links to news items mentioned and correct the spelling of Wayne Couzens’ name.