Police retention and use of biometric data

The Annual Report of the UK’s Biometric’s Commissioner highlights, among other things, a decline in the annual upload of fingerprint records and DNA profiles to the national databases, and a general lack of democratic governance and scrutiny over the police use of “second-generation” biometrics.

Policy issues 

The taking, retention and use of fingerprints in the investigation and detection of crime can be traced at least to the early years of the 20th century. With the development of DNA technology, DNA profiles of individuals are also playing an increasingly important role in this context. Nevertheless, primarily due to cost and the ease with which fingerprints can be taken and scanned against the database, the police still consider that they are of greater investigative value than DNA profiles. The attractions of both, however, are now being rivalled by a whole new generation of biometric identification data, such as digital facial images and behavioural biometrics (second-generation biometrics).

Obviously, the taking, retention and use of such intimately personal data for police identification purposes raise acute issues for privacy and the presumption of innocence, especially where the prints, profiles and images taken and retained include a very large number of persons who have no criminal record. The current police fingerprint database in England and Wales, established in 2001, holds the prints of over 8 million identified persons. The DNA database in England and Wales, established in 1995 holds the profiles of over 5,800,000 persons. Arguably, the manner in which these databases have been constructed and maintained is such that they are dominated by communities targeted by the police as ‘suspect’. This, in turn, raises the concern that they are operating as an instrument for ‘criminalising’ whole communities on the basis of factors such as ethnic origin, immigrant status, socio-economic status and address.

In S & Marker v UK (2008), the European Court of Human Rights found that the “blanket and indiscriminate nature” of the retention of fingerprint and DNA data on the databases, especially from persons who were arrested and not charged, constituted a disproportionate interference with the right to privacy, as guaranteed by Art.8 of the European Convention on Human Rights. The Westminster government responded eventually with the Protection of Freedoms Act 2012 which, among other things, introduced a range of limits on the length of time that fingerprints and DNA profiles can be retained. The retention periods differ depending on matters such as the offence classification, and whether the person concerned was arrested and released with no further action taken, was charged with a criminal offence or was convicted of a criminal offence. There are stricter rules for the retention of the more sensitive DNA samples from which the DNA profiles are extracted. A sample contains the entirety of a person’s genetic information, while a profile is more limited to material that will enable a person to be identified if they leave their DNA at a crime scene.

Biometric Commissioner’s Report for 2018

The 2012 Act also established the office of Commissioner for the Retention and Use of Biometrics (Biometrics Commissioner) with the remit to provide independent oversight of the retention and use of fingerprints and DNA samples and profiles in England and Wales. The Commissioner’s role extends to, among other things, the retention and use of such data by the police on national security grounds across the UK, and to the UK’s exchange of such data with the EU and internationally. The Commissioner’s annual report for 2018 (fifth annual report) was published a few days ago. Its 131 pages offer a wealth of detail and insights on a wide range of issues, challenges and concerns presented by the statutory regime and the rapidly changing environment in which it is operating. This note will comment on two of them, namely: 1. The reasons for a significant decline in the number of fingerprint records and DNA profiles held on the databases; 2. The lack of coherent, comprehensive, national governance and democratic scrutiny of the police trialling and use of second-generation biometrics.

Significant decline in the databases

The introduction of the new regime under the 2012 Act resulted in the destruction of more than 7,750,000 DNA samples, more than 1,760,000 DNA profiles and more than 1,670,000 fingerprint records. Nevertheless, the prints and/or DNA profiles of some 12.5% of men and 3% of women in the UK were still retained on the databases. Since then, however, the number of prints and profiles added annually to the databases have declined significantly. DNA profiles uploaded annually have actually declined from almost 600,000 in 2007/08 to just over 250,000 in 2017/18. The Biometrics Commissioner considers that this development diminishes the future utility of the databases and constitutes “a fundamental threat to the police use of [prints and profiles data] for investigative purposes.”

It would be tempting to think that the relative contraction of the databases is a direct consequence of compliance with the human rights criteria expounded in S & Marper. A more sinister possibility is that the police are avoiding the stricter controls by turning their attention to other forms of biometric identification data which are comparatively unregulated. More will be said of that below. The Commissioner, however, has linked the decline to unintended consequences of changes in other aspects of policing. These relate primarily to changes in police arrest and detention practices.

Arrest and detention provides a lawful (and the standard) basis for taking prints and DNA samples/profiles. Changes to Code G (guidance on the exercise of the statutory power of arrest) have resulted in more use of ‘voluntary attendance’ (VA) interviews of suspects, rather than arrest and detention. Since there is no legal power to take prints or DNA samples at the outset of VA interviews (in contrast with arrests), the number of prints and DNA profiles added to the databases have declined. It would appear that this decline has also been fuelled by financial cutbacks which have led to some police forces reducing their arrests and associated use of expensive custody suites.

Another contributor to the decline is statutory changes to the police practice of releasing arrested suspects on bail for further investigation. This practice has diminished substantially as a result of legislative changes aimed at protecting individuals from the experience of languishing on police bail for lengthy periods. Under the new measures, the police are encouraged to release arrested suspects unconditionally while they pursue further investigations. It seems that this change is also contributing to the greater use of VA interviews and a consequent drop in arrests.

The Commissioner has formed the view that there may be excessive use of VA interviews in cases where arrests would have been more appropriate. He attributes this partly to a lack of national policy and guidance on the use of the option, together with insufficient training and support for officers on its use in many forces. The problem is compounded by confusion and a lack of consistency and guidance on when prints and samples can (or should) be taken post VA interviews. Similar problems have affected the roll-out of the change to the release of arrested suspects on bail. It seems that one adverse consequence of the change for suspects is that they tend to remain under investigation for a longer period than would have been the case had they been released on police bail. This, in turn, has had the insidious effect that the prints and profiles of those for whom the investigation is eventually closed without charge are often retained on the databases for far longer than is necessary or lawful.

The Commissioner considers that the unintended consequences for the operation of the biometrics databases could have been avoided through greater engagement and advance planning between the Home Office and the police. This seems part of a larger problem in which policy and planning on these matters are beset with procrastination and a lack of leadership. So, for example, despite repeated recommendations from the Commissioner, there is still no national guidance on the appropriate use of the power to retain DNA samples beyond the statutory six months cut-off point in certain limited circumstances.

Quite separately, it is worth noting that errors in DNA sampling by police forces are generally low. It is a concern, however that the Biometrics Commissioner found that errors discovered thought integrity monitoring had doubled from 2017 to 2018. There is also significant room for improvement in individual force policies and practices on re-sampling in such cases.

Second-generation biometric data

Digital facial images are now routinely collected and stored by the police, and they are experimenting with live facial image matching in public places. Developments in machine learning, automated intelligence and digital photography offer the prospects of identification for policing and criminal justice purposes being established using algorithms and a national database of facial images. These new technologies offer many benefits to more effective law enforcement. In the absence of proper verification, regulation and scrutiny, however, they pose immense threats to individual privacy and to the requirements of transparency and proof in criminal justice. They also evoke the prospects of a society where the movements of selected individuals in public places are under constant police technological surveillance just in case they engage in crime or other behaviour unacceptable to establishment interests. The parallels with George Orwell’s dystopian vision of a totalitarian society are uncomfortably close.

Given the scale of the inherent benefits and risks presented by the new biometrics, it is vital that their development and deployment are the subject of coherent planning, transparent regulation and democratic scrutiny. One of the unsettling features to emerge from the Commissioner’s report is the extent to which the government appears to have conceded the field to the police themselves.

Even though the police have already established and are using a national database of digital custody facial images of arrestees, none of the second-generation biometrics are covered by the current statutory regime which is still limited to fingerprints and DNA profiles. There is no specific statutory framework, other than data protection legislation, to provide governance for the police use of them. The legislature and government are playing catch-up. They have not kept pace with the speed of technical developments in biometric capabilities. The police themselves have moved to occupy the pitch by developing their own guidelines.

There is also a concern that the police are conducting trials of the new technologies in their own interests and without adequate oversight or evaluation of the scientific standards on which they are based. These include the mass camera-scanning of people in public places in live-time (using public-facing CCTV systems) to test capacity to pick up individuals whose digital images are held on the national database. Such trials raise obvious concerns over how, or the extent to which, an appropriate balance is being struck between police and privacy interests in the conduct of these trials.

The Biometrics Commissioner recommends strongly that policy governing the use, and the conduct of trials on the use, of these technologies should really be a matter for parliament. Leaving it by default to the police invites the risk that it will be developed to reflect narrow police and security interests at the expense of wider interests such as privacy, transparency, the rights of suspects in the criminal process and ultimately, public trust and confidence in the police.

It is hardly surprising, perhaps, that some police leaders reject the argument that retention and use of digital facial images should be governed by the same regime applicable to fingerprints and DNA. They assert that fingerprints and DNA profiles are used for the purposes of identification in the criminal justice system, while the digital images are used as an element of police intelligence to manage the risk presented by individuals beyond the criminal justice system. Accordingly, they argue, that governance should come from a police-led process rather than a legislative framework based on the outcome of legal process. This police perspective will do little to dampen concerns over the threat posed by the use of the new technologies. As the Biometrics Commissioner observes:

“Governance based on the outcome of a legal process is easily turned into rules that are objective, publicly visible and subject to oversight. Governance in relation to police risk judgments is less amenable to producing objective rules which are publicly visible and subject to oversight.”

The Commissioner argues that achieving public trust in the deployment of the new technologies, and in the police as a whole, will require a process in which it is clear that the balance between the benefits and risks is being properly managed. The current approach is too complex, opaque, fragmented and police dominated. It requires the adoption of governance principles for the trialling and use of the new technologies, and those principles need to be decided by parliament and expressed in law. Accordingly, the Commissioner recommends the adoption of governance and oversight legislation that is flexible enough to cope with the rapid development of technical capabilities in biometrics. He notes, with some frustration, that there is no sign of such legislation, and wonders whether that is attributable to Home Office disagreement with the need for such legislation or Brexit paralysis.

The Biometrics Commissioner also identifies an urgent need for the development of clear policy and rules governing inter-governmental access to Home Office biometric databases, especially as some of these databases will be moved to generic biometric data platforms. Moving them to such platforms increases the risk of the police databases being improperly accessed by other government departments or agencies. An example of this is provided by the former practice of the Ministry of Defence searching the police national fingerprints database without a clearly evidenced lawful basis for doing so. This was possible because the MoD were allowed to add their fingerprint database, albeit as a separate cache, to the police fingerprint database. The adoption of clear rules on access are urgent and essential to guard against such risk.

On a more positive note, the Home Office, after several years of failed promises, finally published its strategy for the police use of biometrics last year. Disappointingly, however, it maps out the work that will need to be done and merely proposes that a review of governance and oversight will be undertaken over the following 12 months. This still leaves a vacuum in which policy and practice will continue to be developed by the police themselves on a piecemeal and ad hoc basis in the service of their own interests.

Download the July 2019 edition of Criminal Justice Notes