Current and future uses of biometric data and technologies - Science and Technology


4  Legislation and standards

88. The evidence we received on function creep, the re-purposing of data and unsupervised biometric systems raised broader questions about whether current legislation governing the ownership of biometric data, and who can collect, store and use it, remains effective. This chapter addresses these questions and pays particular attention to the use of facial recognition software by the police on photographs that were taken in custody. This matter was highlighted to us by both the Biometrics Commissioner and the Information Commissioner's Office.

Fit for purpose?

89. Witnesses disagreed about the effectiveness of the legislation governing the use of biometric data, including the Data Protection Act (DPA). As the Information Commissioner's Office (ICO) explained, the "DPA governs the use of 'personal data'", namely "data which relates to a living individual who can be identified from that data, either directly or indirectly". Since biometric data is "a measure of a biological property" that "can often be used to generate unique identifiers" the ICO noted that "it will often be classed as personal data" with its use "governed by the Data Protection Act".[144]

90. Dr Richard Guest, University of Kent, stated that, in light of many of the challenges posed by developments in biometrics, "current legislation" was "not fit for purpose".[145] Some witnesses suggested that this could be resolved through revisions to the DPA. For example, Professor Louise Amoore, Durham University, commented that a "revised Data Protection Act capable of keeping pace with the capacities of contemporary data analytics" was required. As a change that she wished to see, she proposed treating all biometric data as "sensitive personal data", since "it can reveal things relating to race, ethnicity, sexual orientation", on the grounds that "different rules apply to processing, storage and so on".[146]

91. Others, however, felt that it was time to start again. Professor Sue Black, University of Dundee, did not think that the DPA could be changed or amended in order to cope with advances in biometrics. Instead she stated that a "whole new outlook" was required since biometrics was "running ahead of our capability to manage it".[147] 3M went further and questioned whether legislation could ever keep pace with advances in technology.[148] It anticipated that as biometric technologies "diffuse down" to smaller, non-government entities, the Government's influence in this sphere would "disappear" to the extent that it would "prove almost impossible to enforce legislation introduced to deal with the situation".[149]

92. The Government disagreed, arguing that since the DPA was "a principle-based framework of statutory requirements" it should "remain relevant and applicable in the face of rapid technological advance".[150] The ICO concurred, stating that the DPA was "technology-neutral and adequately flexible to ensure that biometric data can be processed in compliance with the essential legal obligations and safeguards".[151] While recognising Professor Amoore's concern that biometric data might reveal so-called "sensitive personal data", such as an "individual's race, ethnic origin or health condition", the ICO considered it to be "debatable […] whether information with the mere potential to reveal somebody's race, for example, is in itself sensitive personal data".[152] The Minister, therefore, did not believe that a "general review" of the DPA was currently necessary, though he remained "open to it".[153]

93. We agree with the Government and the Information Commissioner's Office that, as a principle-based framework, the Data Protection Act 1998 should provide adequate regulation in the face of developments in biometric technologies. However, we are mindful of the concerns raised by experts in the field, such as Professor Sue Black, and therefore recommend that the Government keeps this matter under review.

FACIAL RECOGNITION AND THE RETENTION OF PHOTOGRAPHS BY THE POLICE

94. Facial recognition systems can be used for verification (confirming a person is who they claim to be) or identification purposes (discovering who an otherwise unknown person is). In theory, the use of facial recognition for identification could assist the police in their investigations. However, there was a persistent lack of clarity about whether facial recognition was currently used by the police in this mode and particularly if it was being applied to photographs taken in custody.

95. The Association of Chief Police Officers (ACPO) described facial recognition as "a less well developed area of biometrics", though it noted that police have taken photographs of suspects during the custody process "for many years". ACPO stated that these images had recently "been held digitally" and were "capable of being used within the emerging science of facial recognition".[154] However, ACPO did not state in its written evidence if this "capability" was operational. Speaking to the Committee, Chief Constable Chris Sims, ACPO, clarified that he was:

    not aware of forces using facial image software at the moment. There are certainly lots of discussions and there has been some piloting, but from my perspective the technology is not yet at the maturity where it could be deployed, so issues as to how it is used sit as a future debate rather than a current one.[155]

96. Mr Alastair MacGregor, Biometrics Commissioner, told us that he was "slightly surprised by some of what [Chief Constable Sims] has said": it was his "understanding that 12 million-plus custody photographs" had been "uploaded to the PND [Police National Database] and that facial recognition software [was] being applied to them".[156] When asked to respond to Mr MacGregor's comments, Chief Constable Sims replied that he too was "surprised" by what he had heard, adding that he "certainly did not think it was an operational reality" before stressing that facial recognition was not his "area of specialty".[157]

97. Compounding this confusion was an apparent 'gap' in the legislation regarding the retention of images, and the use of facial recognition software, by the police. The Information Commissioner's Office (ICO) stated that the Protection of Freedoms Act 2012 "does not cover photographs" and that there was "no specific legislation covering their retention or their use".[158] The Biometrics Commissioner echoed the ICO's point and questioned how "appropriate" it was for the police to put "a searchable database of custody photographs" into "operational use" in the absence of any "proper and effective regulatory regime […] beyond that provided for in the Data Protection Act 1998".[159] He added that the custody photographs loaded on to the PND included "those of hundreds of thousands of individuals who have never been charged with, let alone convicted of, an offence".[160]

98. The deficiencies of current legislation and policy relating to the retention of images by the police were clearly highlighted to the Government in 2012 in R (RMC and FJ) v MPS (Metropolitan Police Service). The two claimants, RMC and FJ, were arrested but subsequently not convicted of an offence and sought the destruction of their custody photographs, fingerprints and DNA samples. The Court ruled that the "defendant's existing policy concerning the retention of custody photographs (namely, to apply the MoPI Code of Practice and the MoPI guidance)" was "unlawful".[161] Rather than require "the immediate destruction of the claimants' photographs", the Court allowed "the defendant a reasonable further period within which to revise the existing policy" while clarifying that a "reasonable further period" was to be "measured in months, not years".[162] Over two and a half years later, no revised policy has been published. However, when giving evidence, the Minister announced a new "policy review of the statutory basis for the retention of facial images" on the grounds that "the chief constable, the police and the Home Office" all accepted that "the current governance of the data being held is not sufficiently covered" by existing policy and legislation.[163]

99. We are concerned that it has taken over two and a half years for the Government to respond to the High Court ruling that the existing policy concerning the retention of custody photographs was "unlawful". Furthermore, we were dismayed to learn that, in the known absence of an appropriate governance framework, the police have persisted in uploading custody photographs to the Police National Database, to which, subsequently, facial recognition software has been applied.

100. We fully appreciate the positive impact that facial recognition software could have on the detection and prevention of crime. However, it is troubling that the governance arrangements were not fully considered and implemented prior to the software being 'switched on'. This appears to be a further example of a lack of oversight by the Government where biometrics is concerned; a situation that could have been avoided had a comprehensive biometrics strategy been developed and published. While we welcome the Minister's announcement of a review of the statutory basis for the retention of facial images, we are concerned that similar issues could arise in the years ahead relating to voice and gait recognition, and possibly other biometric traits.

101. To avoid a biometric application once again being put into operational use in the absence of a robust governance regime, we recommend that:

a)  the forensics and biometric policy group is reconstituted with a clearer mandate to analyse how developments in biometrics may compromise the effectiveness of current policy and legislation;

b)  as recommended in paragraphs 35 and 36, the reconstituted group should operate in a transparent manner, be open to receiving inputs from external bodies and publish its outputs;

c)  the Government, police and the Biometrics Commissioner should use these outputs to identify gaps in the legislation to be addressed ahead of any new biometric application going live.

THE BIOMETRICS COMMISSIONER

102. The role of Biometrics Commissioner was created by the Protection of Freedoms Act 2012. That Act established a new regime to govern the retention and use by the police in England and Wales of DNA samples, DNA profiles and fingerprints. Mr MacGregor was clear that his statutory responsibilities as Biometrics Commissioner related "only to DNA and fingerprints" though he acknowledged that the term 'biometric data' was "usually thought to include, among other things, facial images and voice patterns". He also noted that "no other commissioner or regulator" appeared to have a remit which specifically covered the use of facial and voice recognition by the police.[164]

103. We put it to Mr MacGregor that it appeared "a bit odd that the Office of the Biometrics Commissioner [did] not cover all potential biometrics".[165] While initially stressing that he was "keen not to empire-build",[166] Mr MacGregor later stated in correspondence with the Committee that:

    strong arguments could be advanced in favour of the proposition that the jurisdiction of the Biometrics Commissioner should be extended so as to cover the police use of custody photographs (and possibly other biometric material) and that that would be a much more sensible arrangement than the appointment of some new or separate Commissioner to provide independent oversight.[167]

When asked if the Government had considered extending the responsibilities of the Biometrics Commissioner, the Minister replied that he was "going to look at this", adding that he had "heard what the biometrics commissioner said, and we have launched the review. I can say to the Committee that the role of the biometrics commissioner in response to facial images will be a key aspect of the review".[168] In subsequent correspondence with the Committee, the Minister stated that, in the longer-term, "the future provision of biometrics capability for at least the police, immigration, borders and security needs to be more coherent and integrated". He continued that the "governance and oversight of any such integration […] will be given careful consideration, particularly in relation to the role of the Biometrics Commissioner".[169]

104. We agree with the Biometrics Commissioner that there is value in the provision of day-to-day, independent oversight of police use of biometrics and that such oversight should extend beyond fingerprints and DNA. We also agree that broadening the Commissioner's responsibilities would be a "more sensible" approach than establishing a new, separate commissioner covering other biometric traits.

105. We therefore recommend that the statutory responsibilities of the Biometrics Commissioner be extended to cover, at a minimum, the police use and retention of facial images. The implications of widening the Commissioner's role beyond facial images should also be fully explored, costed and the findings published. We further recommend that the Government clarifies where the operational boundaries lie between the Biometrics Commissioner and the Forensic Science Regulator.

National and international standards

106. We received several submissions, particularly from industry, which argued that legislation and regulation could only go so far in ensuring that biometric systems were operated in ways that were "reliable, accurate and secure", particularly when their development and use might "transcend territorial jurisdiction".[170] It was therefore suggested that 'standards' were also necessary. The British Standards Institute (BSI) describes a standard as "a document defining best practice, established by consensus" that is "voluntary and separate from legal and regulatory systems".[171] Biometrics standards currently exist at the British, European and International level and address topics such as:

·  modes of biometric system including fingerprints, facial recognition, voice, finger or palm vein and iris recognition

·  interoperability and communication of biometric data

·  methods for protecting against fraud and misrepresentation

·  usability and accessibility of biometric systems

·  society and cross-jurisdictional issues

·  privacy, security and consumer protection.[172]

107. Standards can fulfil a number of complementary functions. The Government, for example, anticipated that:

    open standards for data formatting, storage, communication and access [would] form a critical element of the infrastructure for biometric information, with benefits for interoperability across Government and internationally allowing ease of access whilst maintaining security and data assurance, and increasing the efficiency of existing systems.[173]

According to Mr Marek Rejman-Greene, Home Office, having open standards also:

    enables all the details of how those systems operate to be out in the open. It allows for innovation, so you know the constraints within which to innovate; and it means, therefore, that UK companies can bid for parts of the systems that relate to the biometric component.[174]

108. Some concern was voiced about how difficult it would be to persuade commercial companies to adhere to open standards. Pointing to "the use of mobile platform and cloud-based systems" for biometrics, Dr Richard Guest, University of Kent, reported that "large technology manufacturers" were adopting "proprietary standards thereby preventing third-party use of data" which could limit new entrants to the market.[175] However, in the case of government biometric systems, Sir John Adye, Identity Assurance Systems, predicted that "with major international industries competing for government contracts", it would "be possible to encourage compliance with best practice".[176] Speaking as a supplier of biometric technologies, Ben Fairhead, 3M, agreed with Sir John's assessment. He stressed that 3M's systems had:

    to be [standards compliant] because Governments demand that the sorts of systems we supply are standards compliant. The systems we supply need to talk to other systems within a country, and sometimes between countries, so they have to comply with certain data standards otherwise they could not exchange information.[177]

109. Mr Rejman-Greene confirmed that, "in terms of government systems, the first direction is almost always to try to look at open standards" but noted that there were "limitations" regarding what the Government could do "in terms of trying to impose standards on the commercial sector".[178] The Information Commissioner's Office also questioned whether system interoperability should always be encouraged, noting that, in some systems, a lack of interoperability acted as "an important privacy protecting mechanism" through ensuring that an individual's biometric was "effectively meaningless outside the system for which [it was] collected".[179] A similar point was made by the Irish Council for Bioethics in its 2009 report on biometrics. It stated that enabling greater information sharing through enhancing interoperability between biometric systems could accentuate privacy concerns on the grounds that:

    the more agencies and organisations that have access to an individual's biometric information, the greater the likelihood that this information will be used for another purpose beyond that for which it was originally collected.[180]

110. Standards become increasingly useful when they are widely adopted—namely required by customers and used by vendors to build standards-compliant products. As a customer, the Government can demand that its biometric systems adhere to national and international standards. While we recognise the advantages of the Government using its procurement powers in this way, and of the benefits of interoperability between biometric systems, we are also aware that there will be instances when interoperability should be prevented in order to limit access to sensitive personal information. Once again, in the absence of a comprehensive biometrics strategy, it is not clear how the Government aims to strike this delicate balance.

111. The Government should explain, in the interests of the responsible use of data, how it intends to manage both the risks and benefits that arise from promoting open standards and the interoperability of biometric systems.


144   Information Commissioner's Office (BIO0009) paras 23 & 4

145   Super-Identity Project, University of Kent (BIO0015) para 15

146   Q16-Q17

147   Q14

148   3M (BIO0018) para 5.2; see also Church and Society Council of the Church of Scotland (BIO0016)

149   3M (BIO0018) para 5.5

150   The Government (BIO0035) para 2.4

151   Information Commissioner's Office (BIO0009) para 23

152   Information Commissioner's Office (BIO0009) para 27

153   Q172

154   Association of Chief Police Officers (BIO0036) para 2.3

155   Q90

156   Q91

157   Q92 [Chief Constable Sims]

158   Information Commissioner's Office (BIO0009) para 32

159   Biometrics Commissioner (BIO0027) para 5 & 8.2

160   Biometrics Commissioner (BIO0027) para 9

161   MoPI stands for the Management of Police Information. The Code of Practice on the Management of Police Information was issued by the Secretary of State in July 2005 under the powers of s.39A of the Police Act 1996. By s.39A(7) of that Act, chief officers are required to have regard to the Code in discharging any function to which the Code relates.

162   R (RMC and FJ) v Metropolitan Police Service [2012] EWHC 1681

163   Q152; Q160; see also Q156

164   Biometrics Commissioner (BIO0027) para 6

165   Q95

166   Q97

167   Biometrics Commissioner (BIO0037)

168   Q159

169   The Government (BIO0038)

170   3M (BIO0018) para 5.8; British Standards Institution (BIO0020) para 5.2

171   British Standards Institution (BIO0020) para 1.4 & 1.5

172   British Standards Institution (BIO0020) para 4.2

173   The Government (BIO0035) para 5.3

174   Q179

175   Super-Identity Project, University of Kent (BIO0015) para 12

176   Identity Assurance Systems (BIO0031) para 4.1

177   Q50

178   Q179

179   Information Commissioner's Office (BIO0009) para 20

180   Irish Council for Bioethics, Biometrics: Enhancing Security or Invading Privacy? (October 2009), p 75




© Parliamentary copyright 2015
Prepared 7 March 2015