On 10 March 2020 MSPs unanimously approved the Scottish Biometrics Commissioner Bill. The Bill creates a Biometrics Commissioner that will oversee police use of biometric data, including DNA samples, fingerprints and facial recognition. Some of the proposals in the Bill mirror the function and powers of the Biometrics Commissioner in England & Wales.

What is it about?

Given the increasing use of biometric data for crime detection, the Bill is intended to ensure that the use of such data is carried out in a lawful, effective, proportionate and ethical way. The Bill applies these principles in respect of the collection, use, storage and destruction of biometric data.

Members of the public concerned with how their data is being collected, used and stored can raise this using the complaints procedure.

The Commissioner's purpose and powers

  • General function - keep law and policy under review and promote public awareness and understanding of police powers and duties in relation to their biometric data.
  • Draft a Code of Practice - provide guidance on obtaining, using, storing and destroying biometric data for use by Police Scotland, the Scottish Police Authority and the Police Investigations and Review Commissioner.
  • Establish the complaints procedure - consult with the Scottish Public Services Ombudsman, the ICO and the Police authorities in determining it.
  • Enforce compliance - investigate complaints made by individuals and report serious failures of the Code of Practice to the Scottish Parliament and ultimately the Court of Session . The Court of Session will hear evidence and has the power to make enforcement orders on the authority or deal with them as if it were a contempt of court.

The Commissioner's scope

At present, the Commissioner's purpose and powers only concern Police Scotland, the Scottish Police Authority and the Police Investigations and Review Commissioner.

The Bill does, however, make provision for the Scottish Ministers to add a person or a description of a person to be regulated by the Code of Practice.

How does the Bill interact with data protection law?

Data protection legislation also regulates the processing of biometric data. The GDPR does not apply to the processing of personal data by the police and other law enforcement bodies. Instead, the Law Enforcement Directive 2016 (LED) applies. Part 3 of the DPA 2018 transposed LED into UK law. As with GDPR, stricter rules apply where biometric data is being processed for the purpose of uniquely identifying an individual.

The ICO is the supervisory authority under Part 3 of the DPA 2018 and can take enforcement action in relation to non-compliance. Individuals can also raise a separate civil action for damages for a breach.

The Scottish Government have said that any advice, guidance and support offered by the Commissioner will take full account of the data protection regime, as well as the role and remit of the ICO.

Next Steps

It will be interesting to see how the ICO and Commissioner work together, given their overlapping jurisdiction in relation to the use of biometric data by the police in Scotland,. if any overlap with data protection legislation arises, and how that may work in practice. Will any Code of Practice complaints raised to the Commissioner result in breach reporting to the ICO?

The Bill is not yet in force, but readers should watch this space. You find a copy of the Bill (PDF) on the Scottish Parliament's website.


Martin Sloan