Official Report: Minutes of Evidence

The Chairperson (Ms Bunting): Dr Plastow, you are very welcome. Thank you so much for taking the time, and for coming in person, to give us evidence. We are really looking forward to hearing what you have to say as we wrestle with these issues. We have received your paper. We will hand over to you. After that, there will be questions on how, operationally, it is working for you in Scotland; reviews; children and young people; what we could learn; distinctions between the jurisdictions; and other bits and pieces along those lines. That is where we are coming from. For now, I will hand over to you. Thank you very much.

Dr Brian Plastow (Scottish Biometrics Commissioner): Thanks, Chair. You do not have to be Scottish to be the Scottish Biometrics Commissioner, but I am, so I apologise for my accent.

As you heard in the previous session, "biometric data" is defined differently in different legislation in the UK. For example, under UK data protection law, a photograph is not biometric data, but, as soon as you translate that photograph into binary code and apply it to a facial searching platform, it is biometric data. In Scotland, the definition of "biometric data" covers all biometrics that the police use, including DNA, fingerprints, photographs, recordings, voice, gait recognition and vein pattern recognition. The main types are fingerprints, DNA and images, as I prefer to call them.

In Scotland, we have a statutory code of practice — this thing here — which was approved by the Scottish Parliament in November 2022. It is a legally binding instrument that must be complied with by Police Scotland, which is the national police service in Scotland; Scottish Police Authority Forensic Services, which is the single forensic services provider; and the Police Investigations and Review Commissioner, because it has power of arrest. Of relevance is that the Scottish code of practice mandates that Police Scotland must comply with Marper and Gaughran.

It is probably worth making the point that there was a broader debate in the UK under the previous Government — the point that you just touched on. The previous Administration were basically trying to drive a cart and horses through some important safeguards, checks and balances that were put in place in England and Wales under the Protection of Freedoms Act 2012. That was all wrapped up in the "Take Back Control" agenda after Brexit. Under that proposal, which fell, the aspect of the England and Wales commissioner's role that would have gone to the Investigatory Powers Commissioner — and, I suspect, still will — was solely that part about reviewing where biometric data is held on a person who has not been convicted in connection with a national security determination (NSD). The fact that there has not been a commissioner in England and Wales since mid-August means that nobody is reviewing national security determinations in the UK, including Scotland.

On a question that you asked the previous witness, there was no plan for what would happen with arrests. Effectively, had that continued, there would have been no oversight in England and Wales of the police's use of biometric data, period. It would have given the police a licence to do whatever they wanted, and, trust me, that is exactly what the police would do if that were to happen. That is the broader context.

The role that I perform in Scotland is very proactive. We lay a four-year strategic plan before the Parliament. The commission is independent of the Government and reports only to the Parliament. Every year, we pick one or two themes and deep-dive into them. For example, yesterday, we laid a report in the Scottish Parliament on how the police in Scotland use DNA. It explains what DNA is used for, why it is taken and its value in contributing to solving crime.

On your Bill — it is easy for me to say this, because I come from a different jurisdiction — what you are doing is absolutely the right thing to do. Of course, you should have a biometrics commissioner. The role that that person performs has nothing to do with UK data protection law, which is upheld by the UK Information Commissioner. The role of your biometrics commissioner would be to uphold the lawful, effective and ethical use of police data under devolved criminal procedure law. It is important to have your own oversight arrangements for that.

The one term that I think is missing from your Bill is "images", as I call them, rather than "photographs". I think that I read online that the PSNI holds about 182,000 images. Like all UK police forces, the PSNI uses the police national database (PND), which is a UK-wide intelligence system that has retrospective facial matching capability. An image can be taken from a crime scene, put into the PND and washed against the images of people from anywhere in the UK who have been arrested. Likewise, the PSNI uses the child abuse image database (CAID), which has facial matching capability. That is public knowledge, but the Police Service here is using images in a way that would constitute biometric data under any definition anywhere.

It is absolutely the right thing to do. The Committee should think about whether images should be included. The police hold more images than any other type of biometric data. For example, the UK holds 7 million DNA profiles and about 6·5 million fingerprint profiles but way in excess of 20 million images. That is important because, even though we withdrew from the European Union, under the Trade and Cooperation Agreement, the exchange mechanisms with the EU have remained. The UK, as a whole, still exchanges fingerprints and DNA on a case-by-case basis with all 27 member states of the EU, which have a population of, I think, 590 million people. Under the Prüm II regulation, which is the next phase, the EU has already passed a motion to add images to the mechanism.

In due course, the UK will be invited to participate in that, which is why the Home Office is energising its work on creating a national UK image database similar to those that exist for DNA and fingerprints. That is to facilitate international exchange. I would have a good think about that. I think it is a very good Bill otherwise.

I made a couple of other minor points in my written submission. There was a reference in one of the articles to DNA not changing, but DNA can change. The DNA of a bone marrow recipient, for example, would change because they would carry their DNA and the DNA of the donor. The more fundamental point in my written submission is that, if you do not let the PSNI keep the source DNA sample, and then technology advances, as it always will, and the PSNI adopts more advanced DNA interpretation and analysis capability, the PSNI will be denied the opportunity to re-profile that sample at a later date. That is just something for you to think about.

The Chairperson (Ms Bunting): That is really helpful. Before you conclude your remarks and I bring in members, I was going to ask you to elaborate on three paragraphs. That was one of them. The paragraphs to which I refer are 9, 14 and 15. If you have anything to add on those, Dr Plastow, I would love to hear it.

Dr Plastow: I was about to stop there, but I am happy to take questions on any points, so just hit me with them, and I will give you the answer if I know it.

The Chairperson (Ms Bunting): All right.

Miss Hargey: Brian, thanks very much. Apologies that I cannot be there in person; I have a chest infection, and I do not want to smite people. We are keen to keep our engagement with you going. There is a commissioner in Scotland, and we have moved on this because of the European Court of Human Rights judgements. We are looking at it all from a human rights perspective. The Department proposes the model of 70/50/25 years. Given that you have been up and running for a short while, is it the Scottish experience that that is proportionate in line with the European convention? How did you approach proportionality in data retention?

Dr Plastow: Thank you. It is a good question. That area is often misunderstood. The substance of the European Court ruling was not that indefinite retention is wrong but that indefinite retention with no prospect of review is wrong. We have researched retention periods, looking across Europe, and nobody has the gold standard; everybody does it differently. The UK is probably more draconian than every EU member state. We take too much of this stuff, and we keep it for far too long. There are two separate things. If you have biometric data from an unsolved crime, of course you are going to keep it forever. Why would you not? There is nothing to prevent you from doing that. UK data protection law does not apply, for example, to biometric data that has not been assigned to a known individual, so you can park the unsolved crime stuff.

When it comes to keeping data from people who have been arrested for all sorts of crimes and offences, it is a bad idea to have a one-size-fits-all approach — the idea that, "Whether you have stolen a Mars bar or you have killed somebody, we will keep your data for the same length of time" — which has been the approach in Scotland and in England and Wales. Your proposed retention regime is probably OK, but the bit that could make it not OK is not having periodic review. You might want to take advice on that from the UK Information Commissioner, and I think that somebody from the Information Commissioner's Office (ICO) will be coming before you.

It is not my place to speak about UK data protection law, but it states that there must be periodic review. We conducted a review of the laws of retention in Scotland last year, in partnership with the Scottish Government. We made a number of recommendations to Police Scotland to review its retention policy, because it is not Gaughran-compliant and is not doing what it should. One of the recommendations in the review of its retention policy was that it must — underline "must" — include periodic review. You get into difficulty and fall foul of the European rulings if there is no prospect of review, whether you arbitrarily decide to keep data for five years, 10 years, 25 years or 75 years. Some kind of review mechanism is required. It does not necessarily need to be in law. The Police Service could have a retention policy that builds in periodic review. It does not have to be in primary legislation.

The Chairperson (Ms Bunting): Is that periodic review of the length of time that you keep the data, periodic review of what you have, or both?

Dr Plastow: It is periodic review of what you have. There is an idea that, if you hold 1 million DNA profiles, you should not treat them all the same; that you should treat the DNA of Brian Plastow, for example, differently because it was taken for less of an offence. I should say why this is so difficult for UK policing. Police in the UK have been taking people's fingerprints and images — photographs, as they were — for more than 120 years. None of the databases that we have now, be that the UK national DNA database, IDENT1 — the UK fingerprint system — or local systems, was designed to facilitate weeding based on a periodic review mechanism. Therefore it is not that the police are unwilling to change; it is that they find change difficult to achieve without investment in technical solutions. That is one of the big challenges.

The Chairperson (Ms Bunting): It will certainly be a big challenge for us, given the PSNI's resources.

Miss Hargey: I want to touch on review and appeal, because, Brian, it is a critical area that even the Human Rights Commission has raised. It said that some of this should be set out in legislation at this stage to ensure that there is clarity. Obviously, there is a history and legacy here that differs slightly from the Scottish experience. You said that you have already gone through an initial review. Are there issues relating to periodic review and a right to appeal that we could be looking at to strengthen the current legislation?

You touched on facial recognition and the fact that the PSNI already has access to it. Do you feel that it is a weakness that facial recognition is not included as something that is held as part of the biometrics? Do you feel that, if, for example, there was a review or an appeal and we do not include facial recognition, that could be a weakness in oversight of how data is being held? Will you flesh that out a bit more?

These are my last few questions. Will the emergence of AI change things further? Are you alert to those new advances in technology? How do we make sure that any legislation that we work on is future-proofed, where it can be?

Dr Plastow: That is one of the significant challenges. Legislation, by its nature, will never keep pace with technology. That was the reason why the Scottish Parliament opted for a statutory code of practice: a code of practice can be amended very quickly, whereas it is difficult to amend primary legislation.

To go back to your substantive point, my view is that it would be a mistake for you not to empower your commissioner with the ability to oversee how the police use images. The databases that I referenced — the police national database and the child abuse image database — work off AI-enabled algorithms. When we talk about AI, we are not talking about something that is coming in the future; we are talking about something that is with us now. I referenced the fact that the Home Office is developing a new UK custody database and bringing in a new strategic facial matching capability. That is AI-enabled technology that will support both retrospective image search, as exists in the two databases that I referenced, and live facial recognition for those police forces that choose to use it. It has never been used in Scotland, and I believe that it has never been used in Northern Ireland. Does that answer your question?

Miss Hargey: Yes. That is useful. Thank you.

Mr Baker: Thank you for the presentation. Sorry that I cannot be there; I am down with a cold. I come at the issue from the angle of children and young people and the danger of stigmatisation from the retention of their data. What is your view on that? Do you have concerns about the retention of their biometric data?

Dr Plastow: Again, that is a fantastic question. Policing across the UK is not that different in what it is strategically trying to achieve, and one of the problems in the UK is that children — people under 18 — have been grouped in with adults. When we conducted a review in 2022-23 of how Police Scotland acquired biometric data from children, we found that it had no distinct policy for children at all, so we recommended that it develop one. As a consequence, Police Scotland will now only take biometric data from people under 18 if they are arrested for a violent or sexual offence or otherwise by exception — there will always be exceptions. In Scotland, about 4,000 under-18s are brought into police custody every year. Most youngsters who come into contact with the police never end up anywhere near a police custody centre. That voluntary change of policy by Police Scotland means that fewer young people will have their biometric data captured, and that will reduce the stigmatisation that you talked about.

I will illustrate a point to show why it is really important. When, in 2022-23, we asked Police Scotland, "Can you tell us how many under-18s you arrested and took DNA from?", it could very easily give us an answer, and the number was roughly 4,000. However, when we then asked, "In those 4,000 cases when you took DNA in a custody environment, how many times did it match the DNA from the crime scene of an unsolved crime?", it could not tell us. I suspect that that is because the answer was zero. Whilst biometric data is very important, it is not a feature in most police investigations. DNA only helps to solve about 0·34% of all recorded crimes, and facial imaging technology helps to solve less than 2% of all crimes. Sometimes, it has a high-quality value, because it can help to solve some really serious crimes, but, numerically, it is not a major feature in most investigations.

Mr Baker: Is holding that data a breach of article 8 of the Human Rights Act, because it is not proportionate?

Dr Plastow: That is the whole essence of article 8. It has to be lawful, proportionate and necessary. Often, if you look about and ask your police service whether it has a biometric strategy, for example, as we asked Police Scotland, it does not have one. A lot of these things have been around for so long, since before anybody called them biometrics, that they are not always managed as well as they should be, if that is not the wrong way to express it.

Mr Baker: Thank you.

Are there any aspects of the Scottish Biometrics Commissioner Act 2020 that you would amend or that could have been done better?

Dr Plastow: The Scottish legislation is well crafted in the sense that it has quite an expansive definition of biometrics, which future-proofs it. The fact that the Scottish commissioner is appointed by and answerable only to the Parliament is good, because that prevents any political interference. Every one of the four biometrics commissioners for England and Wales — I met them all; one of them, unfortunately, is no longer with us — has been frustrated by political interference in their role. Every one of them said that not including images in the role was a strategic mistake by the Home Office.

The other thing to mention is the wording of the Scottish legislation, which states:

to discharge their functions. Those are powerful words.

As I mentioned, we have a statutory code of practice and a public complaints mechanism. That means that, if the police take your data in Scotland — not necessarily because you have been arrested; they might have taken it because you were a victim of crime — and you feel that they are holding it in a way that is contrary to the Scottish code of practice, you can complain to my office. With the statutory code of practice come powers to serve information notices, powers to issue compliance notices and, ultimately, powers to report something to the Court of Session, which is the highest court in the land in Scotland. I do not think that that would ever happen, because the police service is good at listening to suggestions for improvement. The legislation is well crafted.

Mr Baker: Brian, thanks very much. I really appreciate it.

Ms Egan: There is something that I did not raise but that I want to ask about, which I definitely learned from your paper. Thank you so much for coming in today and presenting to us.

I want to tease out what you said about the fact that DNA can change. I did not know that before reading your paper, so I really appreciate your raising it with us. How much of an issue could that be, if it is not addressed in the legislation? Have you had any incidences in Scotland of that raising its head because someone's DNA changed following a transplant?

Dr Plastow: It is not a major issue. Everybody's DNA is unique apart from that of identical twins. Identical twins have identical DNA. They do not have identical fingerprints, because your fingerprints are formed when you are an embryo and move about in the womb. Otherwise, everybody's DNA is unique; you get half of it from your biological mum and half of it from your biological dad. About 10 or 15 years ago, there was a sexual assault case in Alaska in which the Alaskan state troopers matched the DNA to somebody on the North American database. They thought, "This is easy. It is an open-and-shut case". The problem was that the person to whom they matched the DNA was in prison and had not been out; they could not have committed the offence and did not even match the description. When the state troopers investigated more thoroughly, they found out that the guy who was in prison was a bone marrow donor and that the recipient had committed the sexual offence. The DNA that was extracted from the semen recovered from the crime scene contained the DNA of the donor.

I am simply making the point that there is no such thing as biometric technology that is 100% accurate all the time. That just does not happen. When a forensic scientist presents evidence in court on DNA, they are always talking about probability rates. Even then, DNA can be problematic sometimes if you get a part profile recovered at a crime scene, so you do not have a full profile. If you have a mixed DNA profile, because there are mixed male and female DNA, that can be difficult as well.

I am just making you aware of the point that chimeric or recombinant DNA, as it is properly known, does happen. It would be picked up by a forensic scientist in this country, because all the forensic scientists work to an international scientifically accredited standard. In some other countries, they do not. When you hear about something happening in America, for example, you will often hear people talk about the Golden State killer and how investigative genetic genealogy is the way to go, but, actually it is not, because American police should have been able to trace that person anyway because his brother was already on the combined DNA index system (CODIS), which is the FBI database.

This stuff is complicated, and I am just highlighting the fact that everyone's DNA is not unique — identical twins have identical DNA — and, sometimes, quirky things happen in science that mean that someone's DNA is a bit more complicated.

Ms Egan: Following on from that, how do you take that into consideration in practice in Scotland? Is it in your code of practice or is it in your legislation?

Dr Plastow: You do not need anything specifically in legislation for that. All the forensic science providers in the UK have to be accredited by the Home Office, and the Home Office will accredit them only if they have their ISO/IEC 17025 from the UK Accreditation Service. If it gives you any reassurance, you would not have a miscarriage of justice in Northern Ireland because of that phenomenon. I am simply highlighting to you that it sometimes exists.

Ms Egan: Thank you very much. That is really helpful.

Mr Bradley: Thanks very much for your presentation. Your accent is pleasant to hear, so do not worry about that. [Laughter.]

I have been an amateur photographer for 30-odd years, and I am interested in the progress of AI. It used to be that you had to click and click to crop out a background, but now you can do it at the touch of a button. Not only can you erase a background but you can add a background.

I am interested in facial recognition. I think that it would be good if it were shared. We do not have it here. As AI progresses, do you see advancements in AI not only in facial recognition but in body form recognition, for example, how a person walks, how they carry themselves, their weight profile etc?

You mentioned political interference. We need to make sure that politicians like us have absolutely no input into what comes out at the other end. We should not interfere in the process of law and order. If there is any way that we can enhance the process of law and order, and if that means stepping away from it and letting professionals do it, I am all for it.

You mentioned that facial recognition is accepted by the EU. Has the European Court of Human Rights come back to say that there is anything wrong with sharing data across police forces?

Dr Plastow: The European Court of Human Rights, as you know, is —. A better way of saying it, actually, is this: human rights are enshrined in European law. The existing exchange mechanisms for biometric data that involves DNA and fingerprints is completely human rights-compliant, because there is no bulk transfer of data. For example, if I were to commit an offence in Spain and the Spanish police were to recover my DNA, they could upload that into the Prüm system, and all that would happen is that they would get an alert that says that it is a UK profile. They would then have to contact the UK. The Metropolitan Police and National Crime Agency, on behalf of all UK police forces, operate a kind of one-way-in/one-way-out system. The host force — say it is the PSNI — would confirm whether it holds that profile. It would say, "What do you want it for?". If the Spanish police were to say, "It relates to someone who has stolen a wheelbarrow", the PSNI would say, "You are not getting it". If, however, the Spanish police said, "It is a case of child abduction", of course, the PSNI would share that information. The whole human rights piece goes across all of that.

As I said, although the EU does not support live facial recognition, it supports the exchange of images by police and law enforcement agencies for the purpose of retrospective searching; in other words, to wash images from crime scenes against images of people who have previously been arrested by the police. Does that answer your question at all?

Mr Bradley: It does, but will you expand on the advantages of AI when it comes to not only facial recognition but body and gait analysis?

Dr Plastow: Non-generative AI — that is, AI that does not generate content — is one of the big opportunities for policing. It kind of goes back to the point that I made earlier: in the UK, we have something like 7 million DNA profiles, 6 million fingerprints and more than 20 million images. Every police force in the UK has struggled with the cases of Marper and Gaughran because they do not have an automated means of applying a retention regime that encompasses periodic review. That is where AI could help. You could easily programme a set of rules. Take, for example, the proposed retention regime for Northern Ireland. You could take that and superimpose a periodic review period on it. The AI could run that and, based on certain criteria, push stuff to a human for them to make decisions based on the recommendations of the algorithm.

Is it not strange that, in everyday life, you order something from Amazon, and a guy turns up at your door and delivers a parcel, and, within a split second, an email comes in that says, "Your parcel has been delivered"; yet, when the police try to use that type of technology, we go, "Oof"? That is a clumsy way of me saying that, although AI is already used in policing, lots of other areas of policing will benefit from AI in the future, but I am talking primarily about non-generative AI. That is the stuff that leaves a human in the decision-making process but can automate a lot of those processes. With biometrics, if we keep putting hay on the haystack and it keeps getting bigger and bigger, it becomes harder to look for that needle in the haystack. That is where technology can really help you.

Mr Bradley: Thanks very much.

The Chairperson (Ms Bunting): Deirdre, before I bring Ciara in, do you want in on that issue?

Miss Hargey: Yes. When Maurice asked that question, I started to think about the facial recognition issue that you touched on, Brian. What protections could be built in to ensure that there is not mass or targeted surveillance? There was a recent case in the investigatory powers tribunal in which the PSNI and the Metropolitan Police were unlawfully spying on journalists in a bid to uncover their sources. How would you ensure that biometrics is not used for the same purposes, and what safeguards could be put in place to ensure that it does not happen? On the one hand, they have access to the systems, as you said earlier, but how do you ensure that it is not used to target surveillance on certain sections or groups in society? What protections or enhancements could we build in to ensure that that does not happen?

Dr Plastow: That is why layers of independent oversight are important. The police can and do use biometrics in the covert side of policing. Those are not part of my statutory functions in Scotland and would not be part of your proposed commissioner's role, because the policing activities that do that are overseen by the Investigatory Powers Commissioner, Sir Brian Leveson, and his team. There is independent oversight of all the clever stuff that the police can do with biometrics in the covert space and that the security services and others can do. The issue, of course, is that there is no reporting on that.

Why is that important? For example, we discussed earlier that one of the roles of the commissioner in England and Wales is to oversee biometric data that is retained as part of a national security determination anywhere in the UK. Each of the previous four post holders has reported publicly in their annual report on that. They will say how many NSDs they reviewed, how many they upheld and how many they challenged. If all of that gets moved into the Investigatory Powers Commissioner's Office, as, I suspect, will happen, it will still be overseen, but we will not know any of that. We will not know how many were reviewed, upheld and so on, because that sort of oversight does not get reported. Does that answer your question?

Miss Hargey: It does, somewhat. It is an area that we need to look at more carefully, because, obviously, the tribunal ruled in that case that they were unlawfully doing that. It is about making sure that we look at that. As you said, it is such a sensitive area. Obviously, there is a different dynamic here with our history, and we need to make sure that we look at all aspects. Thanks for your answer. It clarified it a bit for me.

Dr Plastow: It is probably worth my adding that there are always mutually convenient exchanges between various offices. As I said in my written submission, for example, in the overt space, there is good UK coordination in all of that. I mentioned that the fingerprint and DNA databases at a UK level are managed through the forensic information database service. When we move, as we will, to a national custody image database and are sharing with the European Union, it will all come under that same UK architecture. That helps because, although the international exchange mechanisms are on a UK level, all the data is acquired, retained, used and destroyed under domestic criminal procedure law in different parts of the UK. It is important that we all speak to each other.

Miss Hargey: Thank you.

Ms Ferguson: Thank you, Brian, for your presentation today. I have two follow-up questions. First, could you provide more detail on the importance of the statutory code of practice that you currently have and utilise? Secondly, I am interested to know the annual cost of running the office itself. Do you feel that it needs to be strengthened, particularly in Scotland, with regard to staffing and resource etc?

Dr Plastow: I will start with your second question. I have three full-time staff. My budget is just under £500,000 a year, and 78·6% of that goes on salaries and pension costs etc. As a public authority, we have to produce an annual report and accounts that are audited by Audit Scotland. Last year, when salaries and the cost of external and internal audits were stripped out, the office running costs were about £50,000. It does not have to be an expensive function to maintain.

For reasons of full transparency, at the moment, I have a detective chief inspector from Police Scotland seconded to the office for a couple of reasons: it is about building capacity and capability in the office and because we were doing some highly technical reviews. I mentioned that we laid a report on DNA in the Scottish Parliament yesterday. It was very technical, and, short of doing all the work myself, I needed a person with some good subject knowledge. Next month, we will lay a report in the Scottish Parliament that you might want to pick up on as well. It is specifically about how Police Scotland uses the retrospective image search technology in the police national database and the child abuse image database. Obviously, I cannot say much about that, but the report will be worth a read, and it will be laid in Parliament probably in the last week in March.

I go back to your first question. Scotland chose to go down the code of practice route because it was a recommendation from an independent advisory group on biometric data, chaired by John Scott, who was a QC at the time. He is now a Lord and a High Court judge in Scotland. His view, which I completely agree with, is that, because technology moves so quickly, it is easier for a commissioner to oversee not just the law but a code of practice, because a code of practice can be changed more quickly. The code of practice in Scotland is a principles-based framework, which allows you to change things quickly if you need to. As I said, those to whom it applies must comply with it, and it is backed up by powers of enforcement. It seems to work well in Scotland.

The police are very familiar with codes of practice. There are policing codes of practice for almost everything. Therefore, it is a language that the police service understands. However, a code of practice works best when it is backed by legislation. In the Scottish case, it is a statutory instrument that has legal authority.

Ms Ferguson: Thank you, Brian. You mentioned that the report on the UK database of custody images will be laid at the end of March. Can you throw light on anything else that we should look at for the Bill?

Dr Plastow: No. The report will show the direction of travel in UK policing — where all this stuff is going in the future — and why it is important to think about having independent oversight of how the police use retrospective image searches, as they already do in Northern Ireland, and where it will inevitably go in the future should your Chief Constable decide to go down that route.

Ms Ferguson: OK. Thank you.

The Chairperson (Ms Bunting): Thank you, Brian. I have a couple of things that I want to whiz through reasonably quickly.

I want to check a general premise. Is there a legal distinction between "images" and "photographs"? I have in my head what the distinction is, but, obviously, our Bill perpetually refers to "photographs".

Dr Plastow: I joined the police in 1978, and we used to take photographs of prisoners. They are digital images now. They are binary code. If you just hold that image, that is one thing. However, when you then ingest it, via the binary code, into a biometric template, which is what is in PND and CAID, it is absolutely biometric data. The UK Information Commissioner will tell you that, in UK data protection law, that is biometric data. That is the first thing.

It gets more complicated, because, in UK data protection law, DNA is genetic data, or it can be in certain circumstances. There are different ways of talking about the same thing, but, my substantive point is that, when somebody is arrested by the police, all three things get taken at the same time. Why would you not have oversight of one of those things when it is the most commonly used one?

The Chairperson (Ms Bunting): That is helpful, thank you. Presumably, it would be your view that a service instruction that the PSNI destroy, for example, custody photographs, when it destroys the other elements that are collected at the same time, is insufficient. It should be covered in the Bill.

Dr Plastow: Best practice would be if it was in primary legislation. However, the difficulty is — this goes back to the point about DNA not changing. If the police have arrested somebody and have their DNA, normally, when they arrest them on a subsequent occasion, they will not take it again, because they already have it on file. The same is true of your fingerprints, because, unless you work a lot with cement and things, your fingerprints are relatively static. However, your image changes a lot throughout your life, and certain categories of offenders, as we all know, deliberately change their image all the time to avoid detection. The issue is that, even if somebody is arrested for something and there are no proceedings, or they are found not guilty, if they already have previous convictions, you need to keep everything, because it is good practice.

Another thing to think about is that, even if someone is not proceeded against and they have no previous convictions, of course, you would expect the police to remove their fingerprints and DNA from the national systems, as you would expect the police to remove their image from the national systems. However, you might want to keep that image for a while, because the person may, a year down the line, put in a complaint and say that they were beaten up in custody. Having that photograph of them, with or without a black eye, might be helpful. While you may not be keeping that data for a biometric purpose, you might still want to keep it for a period under your normal, conventional retention regimes for data.

The Chairperson (Ms Bunting): That is a really interesting point, which had not occurred to me. We may need to follow it up.

Dr Plastow: Of course, that is the distinction: when is a photograph not a photograph? If it is just the image of the person for a human being to look at, that is one thing, versus the binary code, which goes off into the —.

The Chairperson (Ms Bunting): Running it through the systems for facial recognition.

Dr Plastow: Yes. Exactly.

The Chairperson (Ms Bunting): That is helpful, thank you.

Your last point is a segue into my next question, which is about the periods proposed for us.

The proposed periods for holding DNA are 75 years, 50 years, 25 years and, for somebody who is not convicted or charged, three years. Is that right? Sorry, it is three years if they are not convicted and for 10 years after death. Do the periods proposed in the Bill appear proportionate to you?

Dr Plastow: Do you want my honest answer?

The Chairperson (Ms Bunting): Yes.

Dr Plastow: No. On the grounds of proportionality, it is a bit difficult to justify keeping anybody's biometric data beyond the period of average life expectancy. Just yesterday, we sent a recommendation to Police Scotland from our DNA report. This goes back to the point I that made about "Mars bar or murder". We asked Police Scotland, "If someone who has no previous convictions is found guilty in court of a trivial offence and is admonished or given an absolute discharge, it is still technically a conviction, but the court views it as so trivial that it is immediately spent under the Rehabilitation of Offenders Act 1974, so how long do you keep their DNA?" To that, Police Scotland would say, "We would keep it for 100 years or for three years after death". That is crazy: it is not proportionate. For that type of scenario, we suggested that Police Scotland might want to think about treating the biometric data in a similar way to how they would treat it were someone to receive a fiscal fine or a police warning — one of those direct measures. Police Scotland would normally keep that data for three years, and, if the person has no previous convictions and no subsequent convictions in the following three-year period, it would be destroyed.

The question of proportionality is important. All the EU rulings are based on considerations of proportionality. The periods that are proposed for here are fine, provided that there is an opportunity for periodic review. That is my take.

The Chairperson (Ms Bunting): I am trying to find the balance between retention and allowing crimes to be solved further down the line as intelligence progresses.

Dr Plastow: It is a matter of balancing human rights and wrongs. That is why it is so difficult and why nobody has got it right. We have looked, but there is no golden model that we can —.

The Chairperson (Ms Bunting): What are your retention periods?

Dr Plastow: Well, they are about to change, but, in Scotland, the law allows police to keep that information indefinitely. Sorry, that is to say that the criminal procedure law allows you to keep it indefinitely, but the UK Data Protection Act 2018 does not, and the rulings in the Gaughran and Marper cases do not. Police Scotland's policy is not based on indefinite retention. At the moment, it has what is called a 40/20 policy, a 70/30 policy and a 100-plus policy. That is based on your age. If you are 20 at the time of the offence, the police might keep the information for 40 years; if you are 30, they might keep it for 70 years; and, if it is a really high-tariff offence, it would be 100 years plus. For DNA, if they are keeping it "for 100 years", they are not really keeping it for 100 years, because it has been around for only 30 years, but the policy says that they would keep it for 100 years.

As I said, one of the recommendations that was made to Police Scotland — it is doing this at the moment — was to review that policy. We have given it until 31 October of this year to come back to us. We have not asked it to change any of the thresholds; we have asked it to come back and tell us how it will build in periodic review. It can be done. Police Scotland might come back and say, "Here is how we are going to do it. Scottish Government, you need to give us some money, because we need a technical solution to support that".

The Chairperson (Ms Bunting): I understand. It is likely that we will be in the same position. You have just brought to my attention something about the retention of DNA of children and young people: those under 18. We have seen — we know from evidence — that certain behaviours are indicators of potential to engage in serious crime. I appreciate that the number of people involved is small, but is there a risk that destroying that DNA could impact on the ability to solve serious crime in future?

Dr Plastow: There is. There is always a risk in everything that you do. It is the same as my earlier point about balancing human rights and human wrongs. There is a good example. We included case studies in the DNA report that we laid in the Scottish Parliament yesterday. There was a really interesting one of a murder in Scotland a few years ago. The police had a good DNA profile from the murder scene that they ran through the Scottish DNA database and the UK database. There were no matches. A few years later, the culprit was arrested for a really minor offence. The nature of that offence was such that, had his DNA not been matched to that murder, it would have been kept for only three years and then destroyed, yet we had in our community a rapist and a murderer who had probably done it before and, had they not been caught, would probably have done it again. There is always a risk with these things.

I go back to my earlier point: none of the European Court rulings prohibit indefinite retention. They just prohibit indefinite retention without periodic review. As long as you have periodic review, you could have lengthy retention periods, which, in some cases, you would want.

The Chairperson (Ms Bunting): That is the stuff that I am interested in. It is about finding the balance between making sure that we do not impinge on people's rights and that, going forward, people can solve serious crime. We are trying to figure that out. Thank you for that.

Is there anything else? The national security determinations are also an issue of concern, but we will have to see how that is borne out, because it also impacts on people from Northern Ireland.

Dr Plastow: I had to ask that question of Home Office officials about six weeks ago to find out —.

The Chairperson (Ms Bunting): Where we are.

Dr Plastow: Ministers are considering it. I do not know where that one will go. It would not surprise me if national security determinations went to the Investigatory Powers Commissioner. That is a good idea anyway, because they are made under counterterrorism legislation; it is a reserved matter, so that makes sense. I would worry if England and Wales did not then uphold the provisions of the Protection of Freedoms Act 2012. There are 43 police forces in England and Wales, and, if you give them licence to do whatever they want, they will.

Having independent oversight is important. It can be a supportive role. My role in Scotland is to "support and promote" the "lawful, effective and ethical" use of biometric data. As the commissioner, you are not a regulator. You are a trusted independent voice and almost the conscience of policing to help the police to do the right thing in keeping people safe and catching bad people.

The Chairperson (Ms Bunting): It is just finding the right balance. That is helpful, thank you. I have one more question, I will then move to Stephen, and we will be done. You have addressed the issue around photos and live facial recognition. You mentioned familial DNA, or genealogical DNA. Do you have anything else that you want to bring to our attention around that?

Dr Plastow: Yes. Every so often, something jumps over the pond from America. For example, at the moment, a number of police forces in England and Wales are using lie detector tests in relation to the management of sex offenders. There is no scientific basis for polygraph tests whatsoever. They do not have any scientific validity or credibility. We always have to be careful about things like that.

There is a familial searching capability in the UK national DNA database, and Interpol has that capability as well. It is mainly used for unidentified bodies and body parts. When I posed the question about two months ago, only one UK familial search had identified an EU subject, and that was an unidentified body in the UK that turned out to be a missing person from the Republic of Ireland. So, it is used in a very limited way.

The UK does about only 12 to 15 familial searches a year. They have to be approved through the forensic information databases (FIND) strategy board, which is chaired by a deputy chief constable or assistant chief constable. In England and Wales, two commissioners sit on that group. I sit on it, and the Information Commissioner sits on it, so it is pretty well regulated, and it is not used a lot.

The issue with investigative genetic genealogy is that, if you have ever sent your DNA off to Ancestry to find out whether you are a Viking or whether you come from France, you just do not know whose DNA samples are out there. If the police were ever to go down that route, it would not stand up in court, to be honest, because there is no integrity in the system. I am not saying that UK policing will never use it; the police might use it occasionally in a particularly unusual inquiry, but we have so many of our citizens already in the DNA database. At the moment, in England and Wales, if DNA is recovered at a crime scene, 64·8% of it — do not quote me on the decimal point — matches to somebody who is already in the system. As a proportion of our domestic population, we hold more DNA on our citizens than any other country in the world, so it is probably not for us.

Mr Dunne: I have a couple of points. There has been a bit of press coverage this week around a report that you published urging police to speed up defining the strategy on the use of biometric data and to make more effort to record ethnicity. Do you feel that there is a lack of ethnicity data? I am keen to hear more about that to link it in with lessons that we could learn from that.

Dr Plastow: One of the issues here — this applies to all police forces — is that they tend to be data-rich but information- poor. They will hold lots of biometric data, but, when you ask them to explain the utility of holding that data, they struggle to do that. If you were to ask the Police Service of Northern Ireland, "Why do you need retention for five, 10 or 25 years?", it would struggle to give you a reason that is backed up by any evidence.

The PSNI will say lots of plausible things about keeping people safe etc, but police services are generally data-rich but information-poor.

On the ethnicity point, the FIND strategy board that I spoke about produces an annual report that gives a full breakdown of how many DNA profiles are held in the UK. It is broken down by age groups, and, at the time of being taken, it is broken down by gender and ethnicity. It will give you match rates and tell you about things such as adventitious matches, familial searching and everything like that. During a review in Scotland, however, when we asked Police Scotland to give us a breakdown of ethnicity in the Scottish DNA database, it could not tell us, because it does not record that.

Our broader point was that former Chief Constable Sir Iain Livingstone publicly stated that problems with institutional racism persisted in the national police service, and the new Chief Constable — she is not new now; she is the current Chief Constable — Jo Farrell has said that she agrees with that. It is important that the police service, as part of its public confidence package, be able to demonstrate to citizens that the police are doing their job lawfully, fairly and ethically and that they are not unfairly targeting any particular group in society or causing harm to any protected characteristic group.

The media probably made a bigger issue of that than we would have, but we would like to see Police Scotland improve on that. Fundamentally, our DNA review is a good news story. It has shown how important the technology is, but, as inevitably happens when you have a deep dive into something, you will find things that could be improved. Our recommendations have to be taken in that context of our trying to support and promote in order to make policing a bit better.

Mr Dunne: OK, thanks, Brian.

The Chairperson (Ms Bunting): Thank you so much, Dr Plastow. Your evidence has been really helpful. I presume that, if there is anything else that we wish to follow up on, we can do that with you.

Dr Plastow: Of course you can, yes.

The Chairperson (Ms Bunting): We very much appreciate your taking the time to come here in person.

Dr Plastow: Thank you.

The Chairperson (Ms Bunting): It has been great to have you. On behalf of the Committee, I extend our gratitude to you. Your evidence has been really useful to us. Thank you very much.

Dr Plastow: Thanks for having me. It was nice to pop over.

The Chairperson (Ms Bunting): If anything else occurs to you, please do not hesitate to submit it. We will be very grateful to receive it.

Dr Plastow: Will do. Thank you.

The Chairperson (Ms Bunting): Thank you. Have a safe trip home.

Dr Plastow: Thank you.