Scottish review calls for clearer standards for police in biometric data retention

The Scottish government, in partnership with the Scottish Biometrics Commissioner, has published a detailed review of biometric data retention practices as outlined under sections 18 to 19C of the Criminal Procedure (Scotland) Act 1995. The report examines current policies surrounding the collection, retention, and destruction of biometric data such as fingerprints, DNA profiles, and custody images by Police Scotland, aiming to ensure these practices align with legal and ethical standards.

The report highlights that Police Scotland lacks a dedicated biometric data retention policy, relying instead on broader criminal record retention rules. This follows calls for Police Scotland recently being under scrutiny for its practices over the deployment of live facial recognition technology.

Speaking about the review, Scottish biometrics commissioner Brian Plastow, says: “Police Scotland does not have a bespoke policy in relation to the retention of biometric data such as DNA, fingerprints, images and recordings taken for policing and criminal justice purposes in Scotland. Instead such data is retained under a separate policy relating to the retention of entire criminal records.

“This means that, in some cases, biometric data is being retained for longer than necessary and that it is not being subjected to periodic reviews to ensure that ongoing retention in any individual case is both proportionate and strictly necessary. Biometric data is invaluable in the detection of crime – bringing perpetrators to justice and exonerating the innocent. But society is increasingly concerned about how this data is managed and seeks assurance that the police follow lawful, ethical, effective and proportionate methods.”

Biometric data, including DNA, fingerprints, and images, is stored under the Criminal History System, with data weeding procedures outlined for convicted cases. However, concerns arise due to vague retention rules for non-criminal data like volunteer and witness information, potentially leading to excessive data storage. The report also implies that there is a need for more comprehensive management and policy frameworks to ensure compliance with ethical standards and public trust.

Emphasizing evidence-based decisions, the review sourced extensive research, with over 100 reports scrutinized for global trends, particularly in Europe and the UK. Scotland’s biometric databases have grown, with about three million images held and substantial DNA profiles collected.

Additionally, he report outlines differing retention policies across countries, spotlighting Germany, Netherlands, and Portugal, each balancing security and privacy. The EU’s mandatory ID cards impact data storage, hinting at future shifts in biometric data retention standards.

In 2020, Scotland enacted the Scottish Biometrics Commissioner Act, establishing an accountability framework for biometric data in policing and criminal justice. The framework includes independent oversight, a statutory code of practice backed by compliance powers, and a complaints mechanism for data subjects.

Furthermore, the UK Information Commissioner’s Office (ICO) monitors adherence to data protection laws across Scotland, while other agencies, such as the Biometrics and Surveillance Camera Commissioner for England and Wales, oversee retention of biometrics collected under counter-terrorism legislation. The Investigatory Powers Commissioner’s Office (IPCO) supervises biometric data used in covert operations.

The framework addresses privacy and transparency concerns, noting that unethical data retention, such as indefinite holding of deceased individuals’ biometrics, can lead to harm. Emphasis is placed on ensuring individuals understand how their data is managed, especially in cases affecting personal rights, with protocols to prevent privacy violations and discriminatory outcomes.

Balancing security and human rights

Scotland’s approach is grounded in compliance with human rights laws, with frameworks like the Human Rights Act 1998 and the European Convention on Human Rights (ECHR), ensuring biometrics are retained lawfully, proportionately, and with strong justifications.

International and national courts, such as the European Court of Human Rights (ECtHR), have often ruled that blanket retention of biometric data infringes on the right to privacy. Notably, the ECtHR supports long-term retention for legitimate criminal justice purposes, yet stresses that robust safeguards and clear legal timeframes are essential.

Scotland’s SBC Code of Practice mirrors these principles, enforcing human rights compliance to protect individuals’ privacy and ensure transparency in data handling within the criminal justice system.

Background and legislative context

The review builds upon the recommendations of a 2018 report by the Independent Advisory Group (IAG) on biometric data use in Scotland. The Criminal Procedure (Scotland) Act 1995 permits police to collect and retain certain biometric samples, but does not cover the retention of facial images – though the IAG report included them for consideration.

Since 2018, several legislative and regulatory changes have influenced Scotland’s biometric data practices. The report’s findings aim to inform future policies of the Scottish government, the SBC, and Police Scotland, with a focus on ensuring that biometric retention practices are ethical, proportionate, and transparent.

Article Topics

biometric data  |  biometric identifiers  |  data collection  |  data storage  |  police  |  regulation  |  Scotland  |  Scottish Biometrics Commissioner