Amendment 5, in my name, is in a group on its own.
In its stage 1 report, the Justice Committee recommended
“that the Scottish Government includes a complaint mechanism within the Bill, to enable the public to refer issues to the Scottish Biometrics Commissioner on the use of biometrics by Police Scotland and the SPA, or on their lack of compliance with the Code of Practice.”
That follows many witnesses, including Matthew Rice from the Open Rights Group, expressing concern that, despite it being one of the key functions of the commissioner to promote public awareness and understanding of the duties and responsibilities of those who acquire, retain, use and delete biometric data, there is no corresponding complaints mechanism whereby a member of the public could raise such concerns with the commissioner.
In his evidence, Detective Chief Superintendent Scott from Police Scotland acknowledged the importance of the public having the right to complain, and Tom Nelson from the SPA said that he thought that the commissioner would want to hear from the public and understand where their concerns were coming from; he also believed that the ability to engage with and speak to the public would allow the commissioner to provide assurance to the public and would ensure that the public and the commissioner could identify any challenges.
Amendment 5 seeks to ensure that the bill provides a complaints mechanism that affords individuals, or someone who acts on their behalf, the right to complain directly to the biometrics commissioner about the acquisition, retention, use or destruction of their data by or on behalf of Police Scotland or the Scottish Police Authority.
Furthermore, amendment 5 also takes cognisance of the concerns that were expressed by the cabinet secretary about the risk of duplicating the role of the UK Information Commissioner if the Scottish biometrics commissioner had a similar function of looking at complaints about the use of biometric data, which can be personal data, which is a reserved matter. The cabinet secretary considered that the relationship between the UK Information Commissioner and the biometrics commissioner should be addressed and said that he was supportive of the Justice Committee’s recommendation that there be a memorandum of understanding between the two commissioners to avoid potential confusion about the two roles and to protect the independence of both offices.
Amendment 5 addresses both those concerns by providing that the biometrics commissioner must consult the Scottish Public Services Ombudsman, Police Scotland and the SPA, as well as any persons or groups that the commissioner considers appropriate, on the commissioner’s proposals for a complaints procedure. The commissioner must keep that procedure under review and must vary it
“whenever, after such consultation, the Commissioner considers it appropriate to do so.”
Late last night, I received a letter on amendment 5 from the UK Information Commissioner’s Office; it was distributed to the committee first thing this morning, and the cabinet secretary’s officials have a copy. It helpfully points out that amendment 5 contains an error—the “Information Commissioner Act 2000”, to which it refers, does not exist. That can easily be rectified at stage 3. In the meantime, the error should not prohibit the passing of amendment 5 today, if the committee is so minded.
Helpfully, the UK ICO confirms that complaints about the way in which the personal data relating to an identified or identifiable person is handled should be referred to the UK ICO. However, biometric data relating to an identified or identifiable person is deemed to be special category data and subject to additional safeguards. If, therefore, the complaints process is confined to compliance with the code of practice, the UK Information Commissioner says that that should be clearly stated in the bill to avoid any ambiguity. The complaints process as laid out in amendment 5 is confined to compliance with the code of practice.
Finally, the cabinet secretary stresses that, in his view, the biometrics commissioner
“should concentrate on ... systemic issues in the criminal justice and policing context”,
with its
“oversight driven by a systematic review of Police Scotland and the SPA’s activities as these relate specifically to biometric data”,
rather than the resolution of individual complaints. However, that fails to recognise that it is only by being aware of and involved in resolving instances in which things have gone wrong that systemic improvements can be made and robust systemic oversight achieved. More than that, quite simply, as the Justice Committee and many others have pointed out, there is a risk to public confidence and transparency if a complaints mechanism is not included in the bill.
I move amendment 5.