A detailed review by Scottish Biometrics Commissioner of biometric data retention practices under sections 18 to 19C of the Criminal Procedure (Scotland) Act 1995 considers the collection, retention, and destruction of biometric data such as fingerprints, DNA profiles, and custody images by Police Scotland, assessed as relying on broader criminal record retention rules rather than a specific biometric data retention policy.
The report states
1. Following the 2018 report of the Independent Advisory Group (IAG) on the use of biometric data in Scotland[1], the Scottish Government (SG) committed to reviewing the retention of biometric data provided for under sections 18 to 19C of the Criminal Procedure (Scotland) Act 1995 ("the 1995 Act") as recommended by the IAG. The 1995 Act is the primary Scottish legislation allowing the collection and retention of fingerprints and other biometric samples (including hair samples and nail clippings) from a person arrested by the police. Although the 1995 Act does not include reference to facial images, the IAG did include these in its review.
2. Since 2018, it is recognised that many of the IAG's findings relevant to the laws of retention have been at least partly addressed or mitigated by subsequent developments in the intervening period such as the: commencement of United Kingdom (UK) -wide Data Protection Act 2018 ("the 2018 Act") and in particular the provision for data controllers to ensure that retention is subject to periodical review; the European Court of Human Rights' judgement on 'Gaughran v UK ("the Gaughran judgement) in 2020; commencement of the Scottish Biometrics Commissioner (SBC) Act 2020 ("the 2020 Act") and the appointment of the SBC in 2021 which provides oversight of the collection, use, retention and destruction of biometric data by Police Scotland, the Scottish Police Authority (SPA) and the Police Investigations and Review Commissioner (PIRC); implementation of the SBC's Code of Practice ("the Code") and public complaints mechanism in 2022; planned rolling programme of annual compliance assessments with the Code undertaken by the SBC which began from late 2022; annual thematic assurance reviews already undertaken/proposed by the SBC on particular subject themes; establishment of the Police Scotland Biometrics Oversight Board (which meets every 6 months and has the following areas of business: Biometric Data; Forensic Biometrics; Biometrics Technology; Ethics).
3. In the course of 2023, the SG and the SBC (the review team) therefore considered whether a review of retention periods as recommended by the IAG was still required. Such considerations also included consultation with the SBC's own independent advisory group. The review team concluded that such a review could still be beneficial.
4. The purpose of this review is therefore to generate findings in respect of the retention of biometric data for policing purposes at this current time. The review makes recommendations as considered necessary – with a view to ensuring that the approach taken to the retention of biometric data is lawful, ethical, effective and proportionate. ....
5. It is recognised that biometric retention in Scotland is informed by a combination of legislative requirements and police retention policies. The review therefore considers three distinct areas - the legal provision concerning the retention of biometric data; the current policy and procedures adopted by Police Scotland; and the current available evidence base in order to support its findings. The review also recognises the importance of ethical and human rights considerations on such matters. It is expected that the findings from this review may inform the policies and procedures of the SG, the SBC and policing partners going forward.
6. For the avoidance of doubt, the scope of biometric data considered in this report are fingerprints, deoxyribonucleic acid (DNA) profiles and custody images. Although images do not feature in the 1995 Act, the review team have included them in the course of their work for completeness. This reflects their longstanding use by police in the detection and prevention of crime and their inclusion in the 2018 IAG report, from which this review originates.
7. The review team also wish to highlight that they were unable to ascertain a legal definition of what constitutes indefinite retention of data. As such, the review team interpreted it as meaning of long duration with no end date specified.
Further
11. Biometric data is important to the detection of crime - bringing perpetrators to justice and exonerating the innocent. How biometric data is managed following acquisition continues to raise questions for society as a whole in ensuring that this is undertaken by the police in a lawful, effective, ethical and proportionate way.
12. This review has therefore focused on the current legislative landscape around retention; the retention policies and procedures currently adopted by Police Scotland; and the current research and evidence base available on biometric retention in the UK, European Union (EU) and beyond.
Key Findings and Recommendations
13. The review finds that the current research and evidence base on biometric retention in the UK, EU, and wider is not sufficiently developed to enable a robust proposal to be made around alternatives to current Scottish law and operational rules. It is considered, at this time, that there is not a gold standard of retention that Scotland should seek to follow, as a variety of approaches are being taken by different countries in regard to the retention of biometric data.
14. The review finds that the law on the retention of biometric data as set out under Section 18 of the 1995 Act complies with human rights and recent legal judgments, based on the available evidence. In terms of future-proofing the legislation, the review found that a more robust evidence base was required in order to determine whether and how Scotland should change its existing legislation for biometric retention. The review does however acknowledge that (although not included in the scope of the review), issues around the acquisition and use of biometric data - particularly images - would benefit from further exploration going forward.
15. The review finds that Police Scotland does not currently have a bespoke policy on the retention of biometric data taken for policing purposes. The retention of biometrics is instead aligned to a separate retention policy for retaining a person's criminal record and retaining productions as part of evidence in criminal proceedings.
16. The review finds that Police Scotland and the SPA do not hold sufficient management information on biometric data to determine a suitably overarching policy on retention. However, the review team acknowledges that as a result of self-assessment activity relating to the SBC's Code of Practice, Police Scotland and the SPA Forensic Services are currently developing distinct biometric strategies as part of strengthening their internal governance.
17. The review finds, in principle that the one-month timeframe for the taking of samples and prints under section 19 of the 1995 Act (where previous acquisition proved unsuitable/inadequate) could benefit from further review – subject to further evidence being provided by Police Scotland to support a case for change to that timeframe.
The following recommendations aim to assist these findings:
1. The existing retention periods for the biometric data of non-convicted persons should remain as set out in the 1995 Act.
2. For now, the current legislative silence in the 1995 Act should be retained with regard to the retention period for the biometric data of convicted persons, subject to the outcome of Police Scotland reviewing its retention policies. the findings of a robust evidence base once this has been assembled by Police Scotland.
3. Police Scotland to set up a Short Life Working Group to develop an options appraisal for their retention policies for the biometric data of convicted persons, which is evidence-based; observes the need for proportionality and necessity; and complies with the law and relevant legal rulings of the European Court of Human Rights (ECtHR), particularly Article 8 ECHR. The options must expressly prohibit indefinite retention without periodic review. The options should be consulted on, and new policies should be put in place by 31 October 2025.
4. Police Scotland should, as matter of routine, collect and retain accurate and robust management information in respect of the retention of biometric data going forward. This information should provide a solid and transparent evidence base to support future assurances that such retention policies are lawful, ethical, effective and proportionate.
5. Police Scotland should accelerate their current review of retention periods for volunteer data and put changes into place by 31 October 2025.
6. Police Scotland should collect management information to ascertain whether the one-month timeframe under Section 19 has caused any operational difficulty. If such evidence exists to support the need for change, the SG should consider bringing forward primary legislation, subject to consultation.
