Police biometrics, surveillance ‘too complex’ to treat as data processing: UK commissioners
A letter from the UK’s biometrics and surveillance camera commissioners which lodges their warnings that police use of biometrics is far more than simply a data processing and protection issue has been published.
The authors state biometrics and surveillance matters are vastly complex and that reforms to data regulation with a body that combines statutory and regulatory functions could be incompatible with the different political system in Scotland and the proposals for dealing with materials kept by police in relation to the Troubles in Northern Ireland.
While the situation may seem peculiar to the jurisdictional makeup of the United Kingdom, the public discourse over what biometric data, forensics and biological samples are and how they are handled, could inform decision-making elsewhere.
The background of the authors is indicative of some of the issues raised: Fraser Sampson is the Biometrics Commissioner for all of the UK and the Surveillance Camera Commissioner for England and Wales – appointed after the two roles were merged earlier in the year. Brian Plastow is the Scottish Biometrics Commissioner, a role created this year.
Policing is a devolved to different extents across the four nations of the UK. In September 2021 the UK government published a consultation on its proposals for data reform and creating a new UK data protection authority – a reformed Information Commissioner’s Office (ICO), with the view of bolstering the country’s position for innovation with secure data handling and flow. The move is also proposed to absorb Sampson’s dual biometrics and surveillance role into the reconstituted ICO.
“Debates about biometrics and surveillance in policing are intrinsically complicated and linked to broader considerations of legitimacy, effectiveness and efficiency,” write Sampson and Plastow.
“Above all, this area is about public confidence, trust, and public acceptability – the debate must be far broader than one of ensuring compliance with any prevailing UK data protection regime.”
Sampson and Plastow argue that even if one were to accept that police use of biometrics is a matter of data processing, adding statutory functions to a new regulator would still face jurisdictional problems.
The Scottish Parliament has already determined that it does not view police use of biometrics as a matter of data protection. The commissioners quote Scottish Justice Secretary Humza Yousaf who said that Scotland appointed an independent Biometrics Commissioner to “complement the work of others, including the Information Commissioner, and help maintain public confidence in how new technologies and data are being used to help keep crime down and communities safe.”
Scotland does not have a Forensic Science Regulator and so expanded the definition of “biometric data” to ensure its Biometric Commissioner has statutory oversight of forensic samples and biological materials from which biometric data can be derived. The authors argue that this shows the role – in Scotland – is not just about data.
Forensics development in Australia could result in fingerprints and facial characteristics being deduced from DNA samples and is already deducing ages to within four years.
Northern Ireland poses an entirely different set of issues. Police there have amassed DNA and biometrics of people in relation to the Troubles. It has never brought into effect the passed Criminal Justice Act (Northern Ireland) 2013 because a large volume of DNA and fingerprints of non-convicted people would have to be deleted by the police.
“In order to mitigate any risk that the deletion of this material could undermine the investigation of unsolved Troubles-related deaths in Northern Ireland, a form of statutory provision will be required to provide a lawful basis for deleted material to be retained and used for the purpose of legacy investigations,” write the commissioners.
A new Information Recovery Body has been proposed for the region.
Ultimately, Sampson and Plastow argue the issues are too complex and jurisdictional variation too great for an overall “super regulator” that attempts to offer both statutory and regulatory functions.
Meanwhile Welsh police trial facial recognition via phone app for faster arrests
The South Wales Police are pioneering with biometrics again, this time alongside their colleagues at Gwent Police. Seventy officers will use a system called Operator Initiated Facial Recognition to confirm the identity of a wanted suspect without the need to go back to a police station, reports Police Professional.
A mobile phone app allows the officer to photograph a person to compare it to the police database.
“When dealing with a person of interest during their patrols in our communities, officers will be able to access instant information allowing them to identify whether the person stopped is, or is not, the person they need to speak to, without having to return to a police station,” Assistant Chief Constable Ian Roberts of Gwent Police is quoted as saying.
Consent is not necessary, reminds South Wales police and crime commissioner, Alun Michael: “It’s important to remember that police officers have always been able to spot a person who is wanted for a crime and stop them in the street. The difference with the use of this technology is simply the speed and accuracy with which the individual can be identified and arrested and the speed with which a person who is not wanted by the police can be allowed to go on their way.”
Also: “This tool can also provide identification of someone who is unconscious or seriously injured and unable to communicate who they are,” said Roberts.
The system’s name ‘Operator Initiated’ could have been chosen to calm concerns that the force is embarking once again in unlawful automated facial recognition. South Wales Police were heavily criticized for deploying facial recognition at a football match, capturing facial images without consent for automatic public identification. The UK Court of Appeal found such uses to have been unlawful.