Official Report: Minutes of Evidence
Committee for Justice, meeting on Thursday, 6 March 2025
Members present for all or part of the proceedings:
Ms Joanne Bunting (Chairperson)
Miss Deirdre Hargey (Deputy Chairperson)
Mr Danny Baker
Mr Doug Beattie MC
Mr Maurice Bradley
Mr Stephen Dunne
Ms Connie Egan
Mrs Ciara Ferguson
Mr Justin McNulty
Witnesses:
Ms Paula Hamilton, Information Commissioner's Office
Ms Caroline Mooney, Information Commissioner's Office
Justice Bill — Biometrics: Information Commissioner’s Office
The Chairperson (Ms Bunting): Representatives from the Information Commissioner's Office (ICO) are in attendance. I welcome to the meeting Caroline Mooney, head of Northern Irish affairs; and Paula Hamilton, senior policy officer. Ladies, you are welcome. Thank you very much for taking the time to present to us. We have all received your written paper and are grateful to you for coming to speak to us.
We have all read your paper, and there are general themes in the questions that we will ask you. There will be stuff on children, young people and stigmatisation; issues with the retention of biometrics, EU law enforcement and gaps in that; queries about being reported for offences; and periodic reviews. Those are the types of things that we are interested in looking at with you, but other things may occur as we move through. Although we have all read your paper, I appreciate that you may have some introductory remarks to make, so I will hand over to you and then open up for questions. Thank you.
Ms Caroline Mooney (Information Commissioner's Office): Brilliant. Thank you very much. Good afternoon, everyone, and thanks very much for inviting us to give evidence. I will start by introducing ourselves. I am Caroline Mooney, head of Northern Irish affairs for the Information Commissioner's Office. I am joined by my colleague Paula. Paula, do you want to introduce yourself?
Ms Paula Hamilton (Information Commissioner's Office): Yes. I am Paula Hamilton, and I am senior policy officer in the Belfast office of the ICO.
Ms Mooney: As Paula said, we are based in the Belfast office. We are a very small team in a much larger organisation. The ICO has offices in Edinburgh, Cardiff and London, and our main head office is in Wilmslow, Cheshire, in England.
The role of our team is to manage and lead on stakeholder engagement and relationships across Northern Ireland. That is across all sectors. The Belfast office basically acts as a focus point and a point of contact for organisations based in Northern Ireland. We provide upstream advice, guidance and assistance to all the organisations that we regulate, engaging on national programmes and policies that they may be developing.
We undertake legislative consultation across the Northern Ireland Departments. That falls under data protection (DP) regulations. That is our role. We are an independent, UK-wide body. Our main aim is to act in the public interest to uphold information rights and promote openness, transparency and data privacy for individuals in line with the legislation that we regulate. We regulate not only the data protection legislation but the freedom of information (FOI) legislation — those are the two pieces that you most commonly hear of and use — among others. We produce a lot of guidance and support for organisations so that they can get things right when they try to comply with data protection law.
We also have a casework function. That is based primarily in our head office. That is where we can investigate complaints about organisations that individuals may have and take action to put things right where, they believe, something has gone wrong. As an organisation, we also have a range of corrective, enforcement and investigative powers. We can carry out investigations and data protection audits of organisations and issue warnings and reprimands, with the final power being imposing administrative fines in the form of monetary penalties.
Our evidence will focus on the biometrics aspects of the Justice Bill. We will start by saying that data protection is a really important part of the framework that governs the use of biometric data. That framework oversees the processing of biometrics in the context of law enforcement under Part 3 of the Data Protection Act 2018. It is important that, at the start, I mention that that legislation is, necessarily, broad and principles-based. It helps to ensure transparency and accountability in the use of biometrics and biometric technology. That can mean all technologies, including new ones, such as facial recognition technology.
Data protection law and our work empower individuals by giving them important rights. Some of those, which might be commonly known to you, are the right to access copies of personal data and the right to ask for the erasure of data. As I mentioned, we offer a complaint service and a route for individuals who may have concerns about how their data is being processed.
As an organisation, we have deemed biometrics to be an important area for us, specifically where biometrics intertwine with surveillance and facial recognition. We in the ICO are looking into that. We see a rise in the use of biometric technology, which everyone will be well aware of, and facial recognition technology. We are aware that the police and the justice sector may use such tools. Our concern is that, if we do not know a lot about that technology and its use, people's rights could be infringed and individuals and society could be exposed to risks. We have been working to improve our knowledge and understanding of future and current practices in the use of biometrics and facial recognition technologies. We are engaging with police services and forces across the UK on it. We have engaged with oversight bodies on it as well, such as the Equality and Human Rights Commission (EHRC) across the water, the National Police Chiefs' Council (NPCC) and the College of Policing. Those are a few of the bodies with which we are engaging, and that work has all been quite recent.
We know that the PSNI uses some form of facial recognition technology in certain and specific circumstances. It is really important that we get the approach to biometric retention right. That means that, for any new technologies that may develop, the retention regime is in place, is established and is being implemented lawfully with data protection in mind. We believe that getting the proposals on retained biometrics in the Justice Bill is crucial to getting that done. It is the first step in future-proofing any new biometrics that may arise.
In our pack, we set out the definition of "biometrics" as laid out in Part 7 of the Data Protection Act. We set that out in our submission, but I will remind you of the definition:
"personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allows or confirms the unique identification of that individual".
One area that we were aware of that people who contributed evidence to the Committee touched on was whether photographs should be considered to be biometric data. Whilst fingerprints and DNA are undoubtedly considered to be biometric data — that cannot be disputed — it is our general view that, although someone's physical characteristics may be present in a photo and you may be able to see them in it, that is not enough on its own to make the photo biometric data. It is only when you do something else to the photo or when something happens to it, such as some form of discrete processing operation — that is usually done by technical means to create a biometric template — that it becomes biometric data. You are then using it for the sole purpose of uniquely identifying that individual. Members may have more questions to ask later about that.
We want to mention the importance of replacing the indefinite retention that previously existed with the more nuanced framework proposed in the Justice Bill. We welcome any move away from indefinite retention. That goes a long way to complying with the fifth data protection principle by making sure that information is kept no longer than necessary. It is up to organisations to determine what "necessary" means, but they should be able to do that, justify why retention is necessary and evidence that justification. That is an important part of the legislation and an important part of the scrutiny that the Committee should do.
We welcome the review mechanism that has been proposed for long-term retained material. We might go into more detail on that later.
The data protection principle has two elements: first, it ensures that information is kept no longer than is necessary; and, secondly, it ensures that regular reviews are conducted and that time periods are set out for those reviews. Whilst that is in the legislation, it is noted that secondary regulations will be used for that. It should be higher up and in primary legislation, because it is a twofold principle, and, if it were in the primary legislation, you would hit that twofold principle and address it at once. We would like to discuss that with the Committee today.
Another key part of the Bill is the biometrics commissioner, who will have oversight of the biometric retention framework for Northern Ireland. We welcome the additional oversight role that a biometrics commissioner would bring. There are a few areas that we want to talk about, such as what is meant by the other part of the commissioner's role, which is to:
"keep under review the use and development of existing and new biometric technologies".
We would like the Committee to look at that a bit further to see whether any additional clarity can be provided. The legislation could be a wee bit clearer about exactly what that means. Our stance is that we want to ensure that there is no confusion or overlap between what we do and are regulated to do and what a potential biometrics commissioner could do.
That is where we will leave our introduction. Obviously, data protection is a fundamental and integral part of biometrics data. Individuals have rights under data protection law, and we can speak more about that, if you have any questions on it. We really welcome and appreciate the fact that the Committee has given such scrutiny to the Bill. It is important to say that you have done so.
Mr Baker: You noted in your briefing paper that:
"The obligations to ensure transparency and the right to be informed require additional measures ... to ensure fair outcomes for children."
Using your experience, what would you like to see in the Justice Bill to ensure that it is adapted to meet the needs of vulnerable persons, such as children?
Ms Hamilton: There is an option to set that out in the Justice Bill. If it were not written into the legislation, there could be guidance that runs alongside the Bill to explain it a bit further. If there were the option to put it into the legislation, that would be really helpful.
From our perspective and that of the likes of the Human Rights Commission, which previously gave evidence to you, children are in a more vulnerable position in such matters. It is such sensitive personal data that is being processed. Children generally do not have the same level of understanding as adults, so organisations are held to a higher standard when processing children's personal data. Again, that is heightened with biometric data, because it is regarded as sensitive personal data under data protection law, and that requires those organisations to put extra safeguards in place to make sure that the rights of the child are safeguarded. It is written into data protection law that individuals have the right to be informed under that law. Organisations need to take that one step further to ensure that they communicate the transparency information to vulnerable individuals — it gives the example of a vulnerable person being a child — whose personal data will be processed. That needs to be stronger, and they need to be able to evidence how they have gone about that.
In the past, we have seen organisations undertake that through the likes of focus groups with children in Northern Ireland. Privacy information or a privacy notice that is deemed appropriate for a child is drafted and given to a focus group of children, who are asked, "Would you understand what this meant if this was presented to you? Would you understand what this means for how your personal data is processed?". The evidence is then used to tailor that to make it best fit the needs of the child. It is really important for organisations to demonstrate how they have built that measure into their processes. I hope that that answers your question.
Mr Baker: It does. It feeds into that risk of stigmatisation of children and young people and the concerns about children's biometrics being grouped with adults'. Would retention of that data breach their human rights, be it under article 8 or article 12?
Ms Hamilton: That is a difficult question for us to answer. Our perspective is that justification needs to be provided for the retention periods set down in the legislation, because we noticed that different rules in article 63 set out various circumstances depending on the age of the offender. For some of those, the length of retention time is the same for an adult as it is for a child. Across all the retention specifics that are outlined, the Department needs to be able to evidence how it arrived at its decision and why it thinks that 75 years, 50 years or whatever it may be is appropriate. From a data protection perspective, that is what we would ask about if it came our way. One of the main things that we want to get across today is that there needs to be that level of scrutiny through which the Committee can, hopefully, seek clarification from the Department about why it has arrived at that model, particularly for children, and why it deems those specific time frames to be necessary, proportionate and justified. It needs to be able to evidence that.
That evidence part was a new and fundamental element of data protection law that was built in from 2018 onwards when the law changed quite a lot. The principles of data protection were somewhat the same between 1998 and 2018, but, since 2018, that accountability principle has been a new fundamental part of data protection law, and it requires organisations to demonstrate and evidence their compliance with those data protection principles. We like to frame it in this way: when you did a maths exam at school, you got marks for showing your working out on the side of the page. It is very much like that.
It is about being able to see how an organisation has arrived at a decision — we might disagree with it — and that that is logical and proportionate.
The Chairperson (Ms Bunting): We asked for that last week. We have sought that rationale. Once we get it, it will be published on the website, so keep an eye on that.
Ms Mooney: The data protection principles are the same for an adult as they are for a child. The examination of the necessity and proportionality must be rigorously done for an adult and/or a child. The processes are exactly the same. Organisations sometimes need to take different steps when processing children's data for, for example, transparency of information, as Paula mentioned. It is about giving that information to a child in a way that means that they will understand it — that should be done in a simple, easy, concise and intelligible way — but an organisation also needs to take into consideration what additional risks there are for a child versus for an adult. When an organisation assesses risk, it has to look at it through both those lenses. A proper and thorough risk assessment is part of that working out and evidence to allow it to mitigate any of those potential risks.
Miss Hargey: Thanks very much for your papers and your presentation. That is one of the key issues that we are looking at, because the Human Rights Commission also raised it in its evidence on the new retention periods. The big thing is whether those competing rights on retaining the data and the length of time that it is retained for are proportionate and necessary. Have you had any engagement with the Department or arm's-length agencies on the issue? I was going to ask whether you had a rationale for the new proposed retention periods: can I assume that you have not?
Ms Mooney: Yes, we have had engagement with the Department on certain aspects of the proposals. We have a very good working relationship with the Department, and it is very open about coming to us with different pieces of legislation that it has.
Miss Hargey: It has not given a rationale for the new retention periods, so it has not provided that policy formation on the reason for the new retention periods, or has it?
Ms Mooney: No. We have not had sight of the rationale for the 75/50/25 years. We have not seen the exact rationale, the evidence base behind it or the justification for it. We have had an explanation about why 25 years, 50 years and 75 years are proposed. It consulted us on that, but we would be interested in the evidence base that it used to decide to keep something for 25 years. Why 25 years? What formed the basis of the decision for 25 years as opposed to 15, 10 or 30 years? What led to that?
Miss Hargey: Do you have concerns about the proposed new periods, or is the concern more about the rationale that led to those figures?
Ms Hamilton: We are looking for the rationale. We do not have concerns as such over the periods that have been set. We are coming to it from the perspective of compliance with that fifth data protection principle and how any move away from indefinitely retaining biometric material will comply with that principle and set out those retention periods. Data protection law is so principles-based. It will not set out the length of time that information should be kept for every organisation. It is up to each organisation to determine the necessity for the fifth principle, because it is so broad. The legislation applies to the PSNI in the same way as it does to your local corner shop. It is for those organisations to determine what they deem necessary for the personal data that they hold and how long they should hold it. We will then look at that justification to see how they have applied that necessity and whether we agree with it. We are keen to work with the Department on that.
Miss Hargey: Another area that some of us were concerned about was the fact that part of the legislation requires regulations at a later stage. I agree that it would be better to put it in the Bill. The Human Rights Commission has said that as well when talking about the rights perspective. Obviously, we are viewing it through that lens. Have you had any engagement with the Department on that key issue? When you look at things like a review period for the retention of the data, the review then becomes more critical, as does the right to appeal, which, I know, Ciara will touch on. I just want to get a sense of whether there has been any engagement with the Department on those issues. Are you satisfied with the feedback or rationale that it has given to you?
Ms Mooney: We had some early prior consultation, particularly about the retention periods and what the review mechanism will look like. It is in the early days of consultation. That process is still ongoing with the Department, and we want to see more from it. We have given it feedback, and a lot of our feedback was about the evidence and saying, "Show your working out", as Paula put it. We have asked it for that and have said that it is a fundamental part of it. The Department needs to be able to show evidence of that work in order to justify it. It is a key thing. We describe the evidence as necessary and say that the Department needs to show evidence and justify the retention as being necessary, because the fact that it is biometric data is a key aspect. It is classed as sensitive or special category data, as you like to call it. Because it is sensitive, it requires that additional layer and those justifications. It is not just that you need reasons explaining why holding the information is necessary; doing so needs to be strictly necessary. That is a higher bar of necessity.
Ms Mooney: It is a higher threshold to reach and get across. That covers some of the views that we gave to the Department about providing the rationale and evidence base. We would like to see that, and we asked the Department for further information on it. We said to it that we are keen to keep the engagement and communication going about that.
Miss Hargey: Leading on from that, your paper sets out the six principles of data protection. Does the legislation, as it stands, meet those six principles? Which areas need more work? You highlighted some of them.
Ms Hamilton: The Bill goes some way to meeting the principles. We particularly homed in on the fifth data protection principle. As Caroline set out, there are two elements to that principle. It is about ensuring that the data is kept no longer than necessary and that appropriate periodic reviews are built in. As the legislation stands, it ticks that first requirement but not the second. We know that there will be periodic reviews, but we have no detail on those, because that is not in the primary legislation. I totally agree that it would be ideal for the reviews to be in the primary legislation. I do not know whether it is too late for that. The move away from indefinite retention goes some way to ticking the box for the fifth principle.
Miss Hargey: For me, the concern is about how it is managed in the time between the legislation passing and the regulations coming forward.
Ms Mooney: In the interim.
Miss Hargey: This is my last query. Your submission talked about Part 3 of the Data Protection Act and how the EU directive sits with data protection. The Human Rights Commission raised that as well. It has set up a whole section for EU directives. Is there anything that pertains to that EU law or that is likely to come down the line that will have an impact on the Bill or on our consideration of it? Do you want to raise anything else on that?
Ms Mooney: We have the equivalent of the EU law enforcement directive in the UK. It is Part 3 of the Data Protection Act, as we have talked about. It was implemented in UK law in 2018 at the time when the GDPR came in. It is known as Part 3 of the Data Protection Act, effectively. In large part, it is very similar to that EU law enforcement directive.
Miss Hargey: Is there anything around the Windsor framework that might be likely to come that could change some of that or have an impact? Obviously, that impacts legislation under the framework that was agreed. Is there anything that you have picked up on that pertains to that that would be likely to come down the line?
Ms Hamilton: Not in relation to the Windsor framework, as far as we are aware. The main legislative reform that we are working on and looking towards is the Data (Use and Access) Bill, which is making its way through the UK Parliament. It should receive Royal Assent in the springtime. That is not too far away, but it will not be the same radical transformation to data protection law that we had with the GDPR.
Certain elements of the current law will just be tweaked slightly. The biggest change may be to the make-up of the ICO, our internal set-up and oversight. Data protection legislation will not change fundamentally, however.
We foresee nothing in that Bill that will impact massively on the Justice Bill or change anything in it. It is the UK Government's legislation, so it will be at their behest. Hopefully, we will be able to advise further on that Bill when it is enacted in law, at which point we will know exactly what we are working with, but it is still a Bill at the minute.
Mr Bradley: I have been thinking about live links and data retention and especially about international data sharing, which is a worry for me, considering that we cannot keep pace with advances in AI. What concerns do you have about international data sharing, particularly where it relates to children? I am talking mainly about abducted or missing children and young people. There, international data sharing could be a force for good. If there is a time frame for keeping data in those circumstances and it is then deleted, that may be an opportunity lost.
Ms Mooney: That is why it is fundamental that, when the Department sets out the retention periods for children's data, evidence such as that is built into the rationale behind them. Evidence could include reoffending rates and the use of data for the detection and prevention of crime. There is a host of factors involved on which I am not an expert. Such things need to be considered when it comes to children's data. For example, if there were a risk of reoffending or of bad things happening, there surely should be evidence of that, which would provide a rationale for keeping data. Such things should therefore be built into the evidence base for children and looked at. Should a differentiation be made between a child's data and an adult's data? Would retention be warranted in any specific circumstances? Should a child's data be kept for a shorter or longer period? Evidence and justification for retention should come out of extensive consultation by the Department with police forces and other expert bodies, probably including overseas bodies, if that is common practice.
Mr Bradley: Thanks for that. Chair, I have an addendum to my question. I am thinking of children who went missing and have not been located for years. An image of what a child would look like six years down the line could be constructed using AI. That type of data retention is missing from the Bill. I am not talking about detection and prevention of crime or about reoffending rates; I am talking more about a niche concern.
Ms Mooney: You are talking about data retention in a specific, nuanced circumstance.
Ms Hamilton: We are keeping a close eye on AI advances. It is one of the ICO's strategic causes. We have a horizon-scanning function for new and emerging technologies, so we will look continually to identify the risks to individuals from such systems but will also look to identify their benefits.
Data protection law can sometimes be viewed as blocking new and emerging technologies, but that is not the case at all. It is very much an enabler of them, but it enables them to be used safely. The technologies are there, and their benefits are amazing. What AI has done for healthcare is amazing. It is being utilised in the Northern Trust, in the fracture clinic of Antrim Hospital's A&E department. The capabilities of AI are amazing. We fully support its use, but we need to make sure that it is used safely and that, if personal data is involved, that data is protected.
A key aim of the Bill is to make sure that it is future-proofed. The Bill alludes to that in clause 1, which refers to the biometrics commissioner's potential role of keeping new and emerging technologies under review. That is part of our role as well. There may end up being some overlap there, but there is also the potential for us to work together to make sure that the messaging that we send out to the regulated organisations about AI is aligned. It is one of those things. There is so much information out there that it is hard to know the correct source of truth and where to start. Hopefully, if a biometrics commissioner is appointed down the line, we will be able to work together to provide the regulatory certainty.
Ms Mooney: Does that answer your question?
Mr Bradley: It does. The future-proofing element is important. Thank you.
Ms Ferguson: Thank you, Caroline and Paula. I will ask questions about three areas. The first concerns your role. The Scottish Biometrics Commissioner gave evidence to the Committee here. Have you had any conversations or done any work with your counterparts elsewhere about a biometrics commissioner's terms of reference?
Secondly, we all know that it is critical that every individual be informed of exactly how their information will be used, where it is and how they can access it, as you mentioned. I am interested to know your general thoughts on how information is gathered and captured in the North at this time and whether, even at this stage, effective communication is taking place. As we move forward on the use of DNA and biometric information, it is critical that individuals are fully informed of and educated on exactly how their information is to be stored, how it will be safeguarded securely and how they can access it.
Thirdly, it is constantly being emphasised that it is critical that a review process is built into the Bill. I am conscious that we have a range of retention periods, a range of levels of crime, a range of databases that will be able to access the information and a range of levels of accessibility to different parts of that information. For instance, organisations such as the PSNI will be able to apply to get information retained because of prescribed circumstances and so on. The landscape is therefore huge and complicated. Are you familiar with such systems? Will it be a computerised, automated process, or will the Chief Constable, as an individual, have to deal with the range of databases?
Ms Mooney: I will start. As an organisation, we are a whole-economy regulator of databases. We regulate every sector, so we could not view every retention database from every organisation, because doing that would be virtually impossible. There are hundreds and thousands of organisations that come under our remit. We have some evidence from seeing such databases, however. We have an audit function to go in and audit organisations. It may be a consensual audit, or DP compliance concerns may have been raised. We therefore have a good understanding of what those systems can look like.
Some systems are modern, as you know, while some are antiquated. A lot of police forces and other organisations use older systems. Making changes and adaptations to different systems can often be difficult and costly. It can sometimes be hard to add new rules, such as retention rules, to different databases. It is something that those systems should be able to do, however. Individuals have the right to request the deletion of information. Their request is not always accepted, as it is not an absolute right, but, if people request it, organisations should have the capability to delete their records and data.
Ms Mooney: They should have those processes in place. My concern about any new system is whether a police service such as the PSNI has the technical capability to introduce all the new retention rules and flags for review periods or even whether it can easily do so. I do not know at first hand whether it can. It may take a wee bit of time and resource to do that to its systems, but that is the same for any organisation when new legislation imposes different —.
The Chairperson (Ms Bunting): The PSNI has indicated that it will need a new system. Its representatives will be before the Committee in a few weeks. I will want to put some of those questions to them.
Ms Mooney: You should definitely ask them to indicate whether it is a new system that the PSNI needs and how long it would take to make the change.
If you are setting review periods, such as for 25, 50 or 75 years, and if you are bringing in a review mechanism that provides for a review every so many years, I would be inclined to build that into the system at the same time. Doing that would probably prevent double-handling by the people who are setting up the retention system. Effectively, the system is installed; the rules for it are created; and that is it done. I would be keen to see that done from the outset. From a practical point of view, that is another possible reason that it would have been useful had review mechanisms been built in at the same time as retention in the primary legislation. Had that all been agreed and been done and dusted, it would probably have been easier, from a practical perspective, for the organisations involved to deal with.
I paraphrase you a bit, but you asked what organisations' data handling is generally like. A lot of Departments and public-sector bodies here are largely good, and a lot of them engage with us. We have a small local office, and they engage with us willingly and enthusiastically. When they make new proposals under legislation they consult us, and that is a requirement of the UK GDPR for data processing, under Part 2 of the Data Protection Act 2018. They are required to come to us if any kind of personal data processing is involved. A lot of them consult us effectively. We would therefore say that, largely, it is good that organisations know about retention periods. They publish their retention periods a lot of the time and are good and open about doing so. Their transparency information tends to be good. What we look at regularly covers all the main elements. Across the board, organisations here are generally willing to engage about data protection. They take their obligations seriously and comply with anything that we ask them to do. When we make suggestions, they are always keen to comply.
Ms Ferguson: No, Chair. Given the ICO's current role, do you have any thoughts on there being a biometrics commissioner? Have you done any work on that or spoken to your counterparts elsewhere? Are memorandums of understanding (MOUs) in place with them?
Ms Hamilton: We will be keen to work closely with the biometrics commissioner here, as and when someone is appointed, because of the potential overlap in our roles. We will want to make sure that we send out the same messaging and give the same certainty to the regulated organisations. We work closely and well with our counterparts in the rest of the UK, such as the Scottish Biometrics Commissioner and the UK Biometrics and Surveillance Camera Commissioner. I believe that MOUs are in place with those commissioners.
Ms Mooney: Yes, there are.
Ms Hamilton: We have a wide remit when it comes to that cross-regulatory role. We sit on the Digital Regulation Cooperation Forum (DRCF) and the like. We are working quite a bit at the moment with other regulators that overlap with our role to make sure that we all sing off the same hymn sheet. We are keen to have a positive relationship with the Northern Ireland biometrics commissioner, when appointed.
The Chairperson (Ms Bunting): You already have a working relationship with the Scottish Biometrics Commissioner. What you are trying to ascertain from the Justice Bill is how accountability will work when there is a biometrics commissioner here and whether there will be any duplication of or overlap with your work. You want to make sure that there is a distinction: is that right?
Ms Hamilton: Yes. It comes down to the wording in the Bill on the function of the biometrics commissioner to keep certain things under review. It is about what "keep under review" in clause 1 really means and what it extends to keeping under review. Any additional information that the Committee can glean for us about that phrase would be really helpful to us.
The Chairperson (Ms Bunting): Given the issues that you have flagged in your report for us to consider further, it is my intention, at the end of the evidence session, to put it to the Committee that we send your paper to the Department to ask for a response on some of the issues that you have raised, particularly on issues on which we have not sought clarification from it thus far. We have already addressed some of them with the Department, however.
Mr Dunne: Thanks for your presentation, folks. I will pick up on the biometrics commissioner elements. Is there conflict or overlap at present between the ICO and the commissioners in other parts of the UK? Is that something that you see being an issue here?
Ms Mooney: No. We welcome any additional oversight, clarity and increased regulatory certainty that can be given to individuals and organisations. We do not foresee potential for overlap here in some of the proposals. We perhaps need some clarity about "keep under review", however, because it is quite a vague phrase. We would not want the proposal to encroach on work that we do, because duplication is not good for anyone. If, say, we were to write a report or do work on new biometric technologies and the biometrics commissioner were to do something similar, that would not be a good use of anybody's resources. We are willing for there to be agreements or an MOU in place, however.
Mr Dunne: Am I correct in saying that a formal MOU is in place with the Scottish Biometrics Commissioner?
Ms Mooney: There is, yes, and that is on our website.
Mr Dunne: Are you looking to replicate that here?
Ms Mooney: Yes. The same approach would need to be taken here.
Mr Dunne: On the PSNI issue, we have seen in recent times the importance of retaining data and the sensitivities around doing so. I will link that to the IT issue. You state in your paper that the Department of Justice and the PSNI will have to upgrade their systems substantially. Are you confident that that can be done? Furthermore, are there any lessons that we can learn from that that may link to the Bill?
Ms Mooney: For obvious reasons, we cannot speak about that from a budgetary perspective.
Ms Mooney: If it were determined that they needed new systems, should the existing ones not be able to be updated, they would have to look at that. It would be a big undertaking for any organisation to update such a huge system.
Mr Dunne: Is the ICO involved in that process?
Ms Mooney: No. We are not involved in an organisation's procurement of a new system. We sometimes provide upstream data protection advice to an organisation on potential risks, compliance issues and the potential pitfalls of updating such a system. Doing something on such a huge scale can be inherently risky. Migrating records from one system to another can often prove difficult and problematic, and doing so poses risks, because of the large volumes of highly sensitive data saved on such systems. We would therefore probably be involved in providing upstream advice, and we have provided similar advice to other sectors.
Mr McNulty: Thank you, Caroline and Paula. This has been an informative evidence session. Where does the retention of legacy biometric material and data sit in the Justice Bill?
Ms Mooney: From my reading of the Bill, I do not think that it forms part of it. It is not covered specifically.
The Chairperson (Ms Bunting): Part of the issue, Justin, is that that was covered in the Northern Ireland Troubles (Legacy and Reconciliation) Bill that went through Parliament, under which legacy stuff would be retained for the sole use of the Independent Commission for Reconciliation and Information Recovery (ICRIR). At the point at which the ICRIR concludes its work, it will be destroyed. That is of massive concern, but that is my understanding of what is going on with legacy biometrics. Is that right?
Ms Mooney: That is my understanding.
The Chairperson (Ms Bunting): The Government are undertaking a review of legacy stuff, so I am not clear whether any changes will be made to the law. They have indicated that they are looking at some stuff, but we have heard nothing definitive thus far.
Ms Mooney: It will be an interesting area to keep across, in case there are developments.
Mr Beattie: Thanks for the evidence. You were definitive in saying that photos are not biometrics. I wish that our Department of Justice were as sure-footed. The Scottish Biometrics Commissioner, however, was equally definitive in saying that he believed that they were biometrics. Why such a difference?
Ms Mooney: I will clarify what I said to make sure that I am being clear enough: a photo per se is not biometric data. When a technical process is performed on a photo and it is then used for the purpose of uniquely identifying somebody, that is what makes it biometric. A photo stuck to the front of a HR file is not biometric data. If, however, you were to do the necessary technical things needed to create a template of the photo on my HR file and then put it into a facial-matching system to match me against other workers in the organisation or match me against some other database, you would be using that template to uniquely identify me. In that sense, it is biometric data.
Our guidance is clear on that, as is the description and definition in the Data Protection Act. In the paper that we submitted to the Committee, we mentioned the issue. The questions that I would ask are these: is the PSNI routinely using photos, or is it routinely using biometric templates? Is it using photographs for the purpose of uniquely identifying someone? People have asked whether that should be considered biometric data. If it is routinely being done for the purpose of uniquely identifying someone — as long as it meets that definition — yes, it could be classed as biometric data. It would render photographs biometric data when they are used in that way.
Mr Beattie: The raw material, which is the photograph, even before it is treated, could therefore be considered biometric data in many ways. Having the photograph is the start of the process.
Let me give you an example. If you take a picture on an iPhone using the live setting, the picture, when touched, has movement to it. It must therefore be considered a biometric photograph. Is that right?
Ms Mooney: No, because it is not being used for the purpose of uniquely identifying someone. If you were to plug into a police database that could then match the photo against something, that is what would make it biometric data. A photo is biometric data when it is used for the purpose of uniquely identifying somebody. It is biometric data if a template is created from the photo that is then used for the purposes of uniquely identifying somebody.
The Chairperson (Ms Bunting): When the PSNI comes to the Committee, Doug, we will need to find out the circumstances in which the police keep photos for the sake of keeping photos and the circumstances in which they put photos through systems or use them for another purpose. We will need to understand, in the PSNI's processes, the distinction between the two and the ratio of what is kept as just a photo to what photos are used for further purposes. That is a question for the PSNI.
Mr Beattie: I kind of get that, Chair. I am just trying to tease out the issue. If that is a fact, organisations can retain photographs for as many years as they want as long as they do not treat the photograph. That means, however, that they could treat the photograph in 60 years' time. They are therefore holding on to the base material. By the way, I have no issue with that, but it is the case that they can hold on to the base material for as long as they want. I understand that it is not until they treat that base material that it becomes biometric data.
Ms Mooney: The base material, like anything else, is subject to a retention schedule, and a retention schedule must be set out. In exactly the same way, the base material, whether it is a photo, a file or whatever, can be kept for only as long as is strictly necessary and proportionate. The police should have a policy on retention periods for photos regardless.
Mr Beattie: It comes back to what Justin was asking about legacy data. If the police are saying that they want to retain information from 50 years ago, that is kind of the same principle.
I think that you have answered my question. I think that I understand exactly what you are saying, but there is a little more to it than I may fully understand.
The Chairperson (Ms Bunting): Thank you, Doug. Your questions segue into mine, as I also have some questions about photographs. We understand that, at present, the PSNI uses a service instruction for photographs. Is that sufficient?
Ms Mooney: I think that that service instruction is for the purpose of deletion, such as when, for example, people request that their custody photographs be deleted.
Ms Mooney: The service instruction sets out the process that the police should follow for how that material is deleted and the process for how someone should request its deletion. It is appropriate that the police have a service instruction or a policy in place that details how to do that, so, yes, it is correct that that is enough.
For custody photographs and any other material that they hold, as I mentioned, organisations should have a retention period and a retention schedule. That is a requirement under the Data Protection Act. For example, HR files, custody photographs and files on people will all have different limits and time frames for retention, and all those should be set out. A service instruction goes some way to doing that and, if my understanding is correct, is a bridging mechanism or —
Ms Mooney: — an interim position until the Bill becomes law.
The Chairperson (Ms Bunting): We have sought sight of the service instruction in order to understand what it contains. For some of the post-legislative scrutiny that we are doing, your paper has highlighted some questions that we will need to pursue further with the Department and with the PSNI.
I ask the Committee staff to take note of what we will ask the Department. There are certainly questions to be asked about what the PSNI shares on national databases and the time frames for retention of data. We need to know how long it will take the PSNI to develop a new IT system. We also need to know when the Department intends to commence this Part of the Bill. The problem is that the Department can commence all it likes, but, if the PSNI is not ready, commencement is pointless. That is partly why some of the legislation fell down the last time. We also need to work with the Department and the PSNI on costing any such system. We did not check with the Scottish Biometrics Commissioner whether his role is full-time, so we also need to do that. There is no indication in the Bill of whether the biometrics commissioner's role is to be a full-time one.
Miss Hargey: We also need to ask about international databases.
Miss Hargey: We also need to ask whether there is any North/South co-operation on the exchange of information.
Ms Mooney: I will make a point about national and international databases. If there are specific retention periods in the Bill when it becomes law, those will most likely be different in Northern Ireland from what they are elsewhere, as other places may not have got around to such legislation. There will therefore be different retention periods in different jurisdictions. Retention periods in England may be different from those in Northern Ireland and Scotland. If your DNA or biometric data, for example, is held on a Northern Ireland database and on one of the matching databases across the water and the retention periods are different, when the time comes for the material to be deleted from one database, will there be the capability to delete it from both? Under data protection law, when someone requests erasure or when the time comes for something to be deleted, it should be deleted from all applicable sources and databases. Something else for the Committee to ask therefore is how, logistically, that can be done.
The Chairperson (Ms Bunting): That is something that we will need to check, particularly if retention periods are different. We can understand why they would be, but which jurisdiction would take precedence? I understand that conversations are ongoing with the Home Office on some of the issues, but we will have to take them up with the Department.
Ladies, thank you very much. You have given us plenty of food for thought. We appreciate your time and your evidence. I presume that the Committee agrees that issues that are raised in the paper can be sent on to the Department and the PSNI, as necessary, for follow-up.
No one has anything further to add, so thank you.
Ms Mooney: If you think of anything further, we are more than happy to help provide additional clarity.
The Chairperson (Ms Bunting): That is great. As we get more information, it may well be that you will have more to say, so please keep an eye on the website. We will publish everything that we have, so we may have further questions for you as we get more information. Thank you very much.
Ms Hamilton: Thanks very much.