 Ydw i ni i ni i ddim yn fwy o'rOM. Felly iddyn nhw'n gwybodaeth eich gwaith o'r Ysgolweith y Comidir Cymru. Mae ydych i ni i gael eu ffordd ar offern i gynnwys ac yn gair, a'r ystyrwch ymlaen i ymdidd都有 i ddechrau gael eich gwaith o thoseig yn fwy o pob wrth gyd yr ysgolweith i gydag ym ysgolweith arod eich gwaith. Mae'n ymlaen i ddweud? Mae'n digwydd. I'm very pleased to welcome Dr Brian Plasto to this morning's meeting and this is his first appearance before us in his role as the Scottish Biometric Commissioner. Dr Plasto is here to talk to us about his first draft code of practice on the acquisition, retention, use and destruction of biometric data for criminal justice and police purposes in Scotland. I refer members to papers one and two, and I'd like to invite Dr Plasto to make some new remarks. Thanks, convener. Good morning, everyone. Many thanks for the opportunity to address you today and to speak about the draft code of practice, which we're trying to bring forward in terms of, as the convener says, the acquisition, retention, use and destruction of biometric data for policing and criminal justice purposes in Scotland. As members of the committee will be aware, the last Parliament passed the Scottish Biometrics Commissioners Act back in 2020, and that received royal assent on, I think it was the 20th of April 2020. I was actually appointed as commissioner a year later on the 12th of April, and my first task was to start to build the new function from the ground up, and I'm pleased to inform the committee that that works now complete. I suppose, in terms of my role as commissioner, I have three main functions. The first one is to support and promote the adoption of lawful, effective and ethical practices in relation to biometric data and technologies for policing and criminal justice purposes in Scotland, specifically by Police Scotland, the Scottish Police Authority and the Perk. The second thing is to promote public awareness and confidence around such matters, and the third one is to develop the code of practice. How I intend to do all of that was set out in my first strategic plan, which was laid before the Scottish Parliament on the 24th of November. Now, as members will be aware, section 7 of the act requires me to prepare a code of practice, and section 10 lists those with whom I must consult in law in preparing the draft code, and then section 11 deals with the other procedural matters in terms of securing ministerial consent to lay a draft before Parliament. That's the stage that we're at now, and if you'll allow me, I'll just very briefly say how we got to this point. The very first draft, version 0.1, was developed round about July of last year, and then went to my professional advisory group, which I'm required to maintain under section 33 of the act. The membership of that group can be found on page 54 of this draft code. With a few amendments, version 0.2 was in the subject of a three-month closed consultation, which ran between October and December, and that involved consulting with around about 33, 34 individuals, office holders or groups, and those were the 12 that are prescribed in the act itself, and the remainder were other people who I would regard as significant stakeholders in this field. At that point, I also wrote to the Cabinet Secretary for Justice and also to this committee. That led to a version 0.3 being produced, and that was presented to the Cabinet Secretary for Justice and Government officials in January. We then received the consent of the Cabinet Secretary for Justice to lay version 0.4, the version that you have now before the Parliament. I should say at the same time of doing that, we also placed this version on our public-facing website to facilitate a level of public consultation and engagement on the product. I suppose that the message that I would likely go over to the committee is that the version that you now have is the product of thoughtful and well-considered consultation. It has the unequivocal support of those consulted, including those to whom it will apply. In terms of the construction of the code, it has what I would call lead-in materials, compliance factors and lead-out materials. Up to page 26 of the code is all lead-in materials, which helps to explain the purpose of the code, the meaning of biometric data, which is distinct in the Scottish legislation, explaining what the main biometric databases are in Scotland, and also explaining their distinct legal framework. That is important because, although the police in the UK share common biometric databases, the data that goes into that comes from very different jurisdictions and is defined differently in different contexts. The main substance of the code, the meat of the code, if you want to call it that, is on pages 27 to 35. That involves around 12 general principles and ethical considerations to be followed to ensure compliance with the code. The guidance also forms a self-assessment framework and a guide to professional decision making to those to whom it would apply. The remainder of the code is what I would describe as lead-out materials. It explains what would happen if there was non-compliance with the code. It talks about a mechanism for public complaints, where a data subject feels that one of those bodies is not compliant. It also has a number of appendices just to tell what it does and understand what this is all about. The primary audience for the code is Police Scotland, the Scottish Police Authority and the park. In due course, once approved, we will produce a short user-friendly public-facing version. Importantly, I would like to draw to the attention of the committee that, in all the consultation activity that we have conducted so far, there have been no dissenting voices to the content of the code, either in terms of the actual content or in terms of the principles-based approach. In my professional opinion, that is because it has been a well-considered piece of work that has been developed with partners across the criminal justice community. I think that it strikes the right balance between allowing the police the means of doing what they need to do to keep everybody safe, but at the same time protecting the individual human rights of individual members of the public, and factoring in privacy and ethical considerations. That is almost it for me. In terms of next steps, I am really looking for—obviously happy to take questions, but I am looking for the support of the criminal justice committee to take this to the next stage, which would be to put a final draft back to Scottish ministers so that they could then bring forward a statutory instrument in due course to bring the code into effect under regulations. The final thing that I want to say is that when this is introduced under regulations, Scotland will become the first country in the world to have a statutory code of practice on the acquisition, retention, use and destruction of biometric data for criminal justice and policing purposes. That is a significant human rights achievement for Scotland in something that we should be proud of. I also think that it will further help to enhance the confidence in our already excellent criminal justice system in Scotland. I think that that is it for me, convener. Thank you very much, Dr Plas. That was a very helpful overview and introduction to the code of practice, as it is in its current form. I wonder if I can maybe start with an opening question around it. You mentioned in your opening remarks that the meat of the code of practice document is structured around 12 guiding principles and ethical considerations to which specifically Police Scotland, Perk and the SPA must adhere to when they are acquiring, retaining, using or destroying biometric data. Can you expand a little bit on how those principles and considerations were developed and what was behind them being identified as appropriate for this particular code of practice? I should start by explaining my own journey in terms of all of this. As committee members will know, I was a police officer for more than 30 years in Scotland and my last five years as a chief superintendent. Back in 2015, when Alison McKinnis first raised the issue in the Scottish Parliament of an issue that had been identified by the biometrics commissioner for England and Wales at the time of the police service in the UK having rolled out facial search functionality to the UK police national database. I was working at HMICS at the time and I was asked to do an audit and assurance review of how Police Scotland was using this new facial search functionality. It is a retrospective tool. During the course of that review, we came to look at the called landscape around biometric data in Scotland. That also took us back to the Fraser report from 2008 that identified the issue of there being no independent oversight in Scotland in relation to the landscape. That projected forward into the new landscape after police reform because Police Scotland and the Scottish Police Authority jointly operate the main DNA and fingerprint databases. That concludes the Scottish Police Authority from marking their own homework, if that is not too crude a way to describe it. Subscan to that, I was also invited on to the independent advisory group on biometric data in Scotland back in 2017-18, chaired by John Scott QC. I suppose I was really invited on as a subject expert at that point to help John produce his report to the Parliament. John was very keen on a principles-based approach at the time. We did a lot of academic research. We looked globally to see what direction other countries were going in relation to this sort of thing. In a sense, arriving at a principles-based approach built not only on the former work of the independent advisory group in Scotland, chaired by John Scott QC, but it also built on the approach that is happening globally. Even in the UK context, beef egg, the biometrics and forensics ethics group of the Home Office, they have a principles-based framework that they operate to. The biometrics institute, which is a global organisation that tries to promote the responsible use of biometrics, operates to a principles-based framework. I think that there is a distinction between what the law needs to do in terms of setting hard and fast rules and what a code of practice can achieve by providing a framework for ethical decision making. Does that answer your question? No, that is very helpful. That is a context and a backdrop to how the principles were developed. Pickering up on that, it is fine to have principles and ethical considerations in the code of practice, but I am interested in how compliance with them and the code will be monitored. For example, would it be a continual monitoring process and monitoring and reporting process with the relevant policing bodies or some other process that you feel would work best in terms of that monitoring process? It is a three-part answer to that. My intention is that, one year after the code is brought into effect under regulations, there will then be an annual compliance assessment for each organisation to which the code applies. That will be partly predicated on them being issued with a self-assessment questionnaire, which is based on the national assessment framework, which is in one of the appendices at the rear of the code. In that national assessment framework, there are 42 quality indicators. What good looks like. I would pick a selection of questions from that framework and ask each organisation to do a self-evaluation. That would then be followed up by some field work to validate and confirm what we were being told was correct. That is one strand of it. The other strand is a rolling programme of thematic reviews in the strategic plan. For example, towards the end of this year, we will specifically look at how biometric data is acquired, retained, used and destroyed in relation to children and young people. It is part of that bigger agenda. In subsequent years, we will look at fingerprints, DNA and so on. The third strand is the on-going review part, which is that I have the professional advisory group that I referenced under section 33 of the act. The bodies to whom my functions extend are on that group. At those meetings, there is an opportunity to discuss emerging trends, pertinent issues and, on an on-going basis, I have regular meetings with Police Scotland, the Perk and the Scottish Police Authority and, indeed, others. You know, even bodies to whom my functions do not currently extend, the National Crime Agency, British Transport Police, Ministry of Defence Police, who also operate in Scotland. It is a kind of three-stranded approach, but there would be a programme of annual compliance assessments. I will open up questions now to other members. I will bring in Katie Clark, first of all, and then, I think, maybe, Jamie Greene as a follow-up question. Thank you very much, Commissioner, for a very comprehensive introduction, which addressed some of the issues that I was going to ask you about. I think that you have explained something about the lead-up to the creation of the draft code of practice and the consultation process, and it sounds as if there was a high level of consensus in terms of the discussions as to what should be in the code of practice. Could you perhaps outline whether there was any contentious issues, what you think the contentious issues for the public might be, but perhaps the issues that you might have thought would have been contentious before you started the discussions, even if, at the end of the day, there was a consensus within those involved? Again, a multi-part answer to your question. Firstly, in terms of the process arriving at a final draft, 0.4, I would say that there was a high level of consensus on the identification of the 12 general principles and ethical considerations as being the right ones, but there was a lot of debate and discussion about what should be in each of these general principles. I had some fantastic input from, for example, the UK Information Commission, our Scottish Human Rights Commission, Equality Organisations and others, Police Scotland as well. The evolution of the general principles have expanded to include additional information, to include hyperlinks, which signpost readers and the users of the code to other relevant guidance, for example ICO guidance on data protection, equality and human rights guidance, et cetera, et cetera. So that's that part. Answering your question about, has anything kind of surprised me? Well, one issue was, and this isn't just to do with the code, but we commissioned Scott Senn to do a public attitudes and awareness survey for us back in December, and this was tied into the bit about part of my function is to help promote public awareness and understanding and such things, so we thought it might be useful to try and baseline that. So a sample of 1154 people were asked eight questions basically, and the idea was to test what they know and think about how biometrics are used for policing and criminal justice purposes. We included in there a question number eight, which was on facial recognition, live facial recognition, which, as the committee will know, Police Scotland do not use, has never been deployed in Scotland. I expected the sample to say that they were strongly opposed to it, but they weren't. Now, that is only a small sample, but it's an illustration of, until you engage with people and ask them their opinion, you don't know. Because a lot of the optics around this kind of stuff has been played out through the lens of the media, so it's important that we know what the public know and feel, and it's important that we know where the public boundaries of acceptability are lie. Sorry, I've missed a point of view. No, no, that's really helpful. I think it highlights some of the issues around about the technology, and if people think it's 100% accurate, they might be comfortable with it, but it's the risks of it going wrong that's always going to be an issue. You mentioned annual, keeping the whole process under review with annual compliance assessments. How are you going to make sure that's a robust process, that you really engage and you get the difficult voices, not just those that are already part of the system? Sorry, can I just go back to a point about accuracy? There's no such thing as a completely accurate, I just wanted to get that out there, no such thing, because they rely on interactions between humans and technologies, so some are better than others. The answer to your question, Katie, is knowing the questions to ask. In my case, because I come from the policing world, because I know, I have an intimate understanding of their databases, I know where they are, I know where they're kept, I know what they contain, so therefore I know the right questions to ask. If you didn't have that subject knowledge expertise, it would be difficult to ask the right questions. The assurance that I would give the committee is that I will be asking the right questions and when I ask those questions, those to whom I direct them will know that I probably know the answer that I'm asking if that helps. Thank you, thank you very much. Jamie, do you want to come in? Yeah, I mean it's not necessarily on that question, but it follows on. I'm quite challenged on this one, I think, because as you say, much of the narrative is played out in the media as being a very polarised human rights-based issue versus that of public safety and use of technology amongst enforcement agencies, which they could and should be using. I wonder if I could ask you personally, if either the SPA or ministers were to propose something, which would be a policy, I guess, be it a trial of facial search or recognition technology at a specific event or a specific locus, or just a wider policy, what would that be subject to in terms of your test? Is it simply the code of practice and at what point would you feel comfortable in pushing back either political decisions or operational decisions that were being proposed by the police or ministers and say, no, I'm uncomfortable with this? That's a really interesting question. Firstly, I would say it's not my role to interfere with the operational independence of the chief constable, but I would hope that because of the mature relationship that I already enjoy with the bodies to whom my functions extend, that if they were wishing to pilot a new technology in the circumstances that you describe, that they might want to involve my office in the evaluation of that, so let's pick the hot topics facial recognition. At the moment, Police Scotland only uses two types of retrospective facial recognition, so the police national database, which is a UK-wide intelligence sharing system, has a retrospective facial search capacity. Basically, what happens is you can upload an image from a crime scene into the police national database. That's known as a probe image and that image will be compared against a gallery of images which are derived from previous custody episodes. That system, depending on the quality of both the probe image and the gallery image, might bring back a shortlist of 30 potential matches that a human being would then need to look at and decide could that be the same person. There's also a retrospective facial search capability within Cade, the child abuse image database. Police Scotland don't use any other form of facial recognition either in the overt world, which would fall within marge jurisdiction, or the covert world, which would fall within the Investigary Powers Commission jurisdiction. Let's just say hypothetically that Police Scotland decided, while we actually want to introduce a live facial recognition technology, that we want to apply it to body worn video camera and we want to apply it for specific criteria, firearms operations, etc. I wouldn't be opposed to that as a concept. The questions would be around lawful basis, proportionality, necessity, does the technology work? Does it do what it says on the tin? Are the algorithms free from bias or discrimination? I'm your commissioner, but I'm also their commissioner. If Police Scotland, the Scottish police authority park, wants to use my office to help them to get to a place that they need to get to in a safe way that reassures the public, I would hope that they would have the confidence to do that. That's very helpful, thank you. That scenario you mentioned is a useful one in putting it in context, but there are obviously 100 other scenarios. My concern is perhaps about how you've worded and structured your answer, and it seems to imply that it would be nice if it involved you, but there's no statutory duty on them. I guess that that means theoretically they could do what they want in that respect within the confines of what's legal and what isn't in the over environment anyway. We know what happens in the other world. If they did not actively involve you, you would merely be an observer to the proceedings and then would be part of the mop-up as to whether any good or damage was done. Does that make you feel uncomfortable? Do you think that you would prefer a more active or statutory powerfully role in that respect? It doesn't make me feel uncomfortable because in the same way that I have a good level of confidence in Police Scotland, I would hope that they would have the same level of confidence in me through the professional work and relationship that we have. I could pick up the phone to the chief constable tomorrow. I have that relationship because we've known each other for many, many years. I suppose that in answer to your other point, there are gaps in the legislation. One of the issues is that because there are different definitions in the UK of what constitutes biometric data, there is a Scottish definition, which is all-encompassing and is a very good definition. You have the England and Wales definition under the Protection of Freedom Act, which only extends to fingerprints in DNA. Why that becomes relevant is that you think of my counterpart in England, Wales Professor Fraser Sampson, who I have an excellent work and relationship. Fraser is responsible for reviewing national security determination, so if biometric data was retained in Scotland under a national security determination, that falls to Fraser and not myself. Of course, POFA, which enables him to do that, only covers DNA and fingerprints. It's inconceivable that, if the police were retaining some of these fingerprints in their DNA, that they would not be retaining their other biometric data. So who exercises oversight over that? There are gaps. It's not perfect, but often we operate in cluttered landscapes. I think the thinking here was when the proposal first went forward to create a Scottish Biometrics Commissioner, actually the fundamental argument way back in 2015 was the police are minority holders of biometric data in Scotland and UK. It's actually local authorities and health boards that hold those biometric data. So the original thinking was it would be more all-encompassing, but I think probably three cabinet secretaries ago the decision was taken that the role would be restricted to the criminal justice portfolio. I think the reality is that these people have more of biometric data than the police or your local authorities or the NHS. The problem is that we're talking about very narrow use facial recognition, the sort of things that people identify cameras at football matches, et cetera, but looking at the list of things where technology has gone, it's 100 years ahead of that ear recognition, hand, finger, vein pattern, voice. I mean it's pretty much everything about you could be using AI proactively identified and that already happens in many commercial settings. This is a case though of what happens in the legal world and we already know that in some countries it's being used by law enforcement agencies to discriminate and pull out certain ethnic minority groups, for example, to incarcerate them. So it can go down a dangerous road, thankfully we don't live in that environment. A lot of interest in this particular line of questioning, so I'm going to bring in Russell and then Pauline McNeill. Good morning. You've actually answered one of my questions on my list, which was the difference between the biometric commissioner down south, which has been in existence since 2016 and yourself, which is you've got a much broader scope of material or factors to consider. Is that a general assessment? If you rewind on all of this, England and Wales used to have a biometrics commissioner, separately a surveillance camera commissioner and separately a forensic science regulator. In Scotland had none of these things and I think when they've created a role as Scottish Biometrics Commissioner by including source samples in the definition, trying to close the gap a little bit in terms of the forensic science piece, the role that Fraser now performs in England biometrics and surveillance camera was rolled into one new role. Fraser has two offices, one of which is on public space surveillance cameras and his other one which is specifically on fingerprints and DNA. He has a bigger portfolio in terms of geography but the definition of biometrics in Scotland is far more extensive. Thank you. One of the bits of information in the briefing that we've received suggests that Scottish Government is seeking biometric data that is held by UK policing organisations such as British Transport Police, Ministry of Defence Police and the NCA should come in within the remit of the Scottish Biometrics Commissioner. Has that happened? No, no, so this is a long drawn-out process but basically Scottish Government officials are pursuing what's known as a section 104 order under the Scotland Act to try to extend the functions of the Scottish Biometrics Commissioner to include those three policing organisations in relation to their Scottish operations. In preparation for that, and obviously it's at the gift of the Westminster Parliament to approve, when drafting the code of practice, I included the National Crime Agency, British Transport Police and the Ministry of Defence Police in the consultation. The chief officers wrote back favourably and I've indicated that if that section 104 order is granted, they would be more than happy to come under the auspices of my office and also of the code of practice and they would also welcome the opportunity to come on to the professional advisory group. The support is there. I think that the challenge is getting across the line because the committee might also be aware that the Department of Culture, Media and Sport in England and Wales launched a consultation last year where, effectively, they're trying to give the functions of the commissioner for England and Wales over to a newly constituted information commissioner's office. In other words, they're trying to reduce all of the complexity around the police use of biometric data to a question of data protection, which obviously it's far greater than that. If I can just say briefly that in response to that consultation, although it was in England and Wales only consultation along with Professor Fraser Samson, we wrote a joint letter not only to UK ministers but also to Scottish ministers to identify why that wasn't a good idea. The organisations that operate UK wide, was any consideration given to include the security services? That would be a question for Scottish Government rather than myself because I'm not driving the section 104 requests that's been driven by Scottish Government officials as a result of quite legitimate concerns raised by members of the department during the passing of the bill that led to the act. I understand fully why you're asking that question because, yes, obviously the security services do hold biometric data. I'll bring in Pauline McNeill, I think that you were. Thank you. It was a supplementary on something that you said earlier that surprised me when you said that local authorities hold most of the biometric data. That was news to me, I have to say. I'm sure the answer is obvious, but I'm wondering if you could expand on why that would be. Yes, I think that the point that Jamie-Made earlier on when he held up his phone, if we reflect on the last year, sorry, to answer your question directly, local authorities hold lots of people's individual biometric data, photographs, etc, etc, as do the NHS, public space surveillance cameras, ANPR, so there's quite a big inverted commas surveillance landscape out there. It's actually interesting if you reflect on the last 12 months or the first my first year in office, have there been any scandals or controversies in relation to the use of biometric data in Scotland by Police Scotland to Scottish Police Authority or PERC? Answer, no. Have there been any controversies in other contexts? Well, yes. The first was around the debate around the use of facial recognition technologies in schools and airshares as a means of administering school meals. The second was when the UK Information Commissioner publicly reprimanded NHS Scotland and the Scottish Government for failing to predict data within the Covid certification app, so this was about allowing the supplier of the algorithm to retain people's facial images for five days to test their software. I suppose I'm just trying to highlight to the committee that actually policing and criminal justice are minority users. Another good way to look at it is if you look at the Home Office biometrics programme, so this is a big programme to join up police, immigration, other central government services, biometric databases. At the moment there are 120 million biometric records relating to 85 million people in the Home Office biometrics programme, but only 26 per cent of that is police data, so there is an awful lot of this stuff out there. Why it's important for Scotland is that Scotland needs to make sure that when it contributes Scottish data to national policing systems that Scotland retains control of that data, and it's also just not a question about what data police Scotland, the PIRC and the SPA hold, it's also a question of what data can they access when using the national systems. Age of criminal responsibility in Scotland is now 12, still 10 in England and Wales. The police in England and Wales retain images of people on the police national database who have never been charged or convicted of any offence. Police Scotland don't do that, but they can access the images on the system. It is inherently complicated, all this, but I suppose that the message of just trying to go over there is that actually this biometric data is everywhere and policing are a minority player in some of this. On the question of surveillance, you say that it would be under local authorities. Is that part of your role then to ensure that? Who checks that those surveillance systems are not being abused? When you were talking, I thought that you were going to say in England, certainly, in relation to school catchment areas. Local authorities were using surveillance to try and catch parents, which seem to cross some lines somewhere. I don't think that it's happened in Scotland. Scotland does not have a surveillance camera commissioner. That's not me. That's not part of my role. The UK Information Commissioner has a distinct locus in relation to biometric data, which, under article 414 of the UK GDPR, is defined as data that arises from specific technical processing. If you think of town centre CCTV where it's just captioned people's images, but it's not using them, it overwrites after, say, 30 days typically, that wouldn't be classes biometric data under UK GDPR, where it becomes biometric data is where you then take that image and you attach it to the profile of an individual. The answer to your question is that the ICO, from a data protection perspective, is the only organisation that looks at public space surveillance. They do enforcement activity that I have done in the past, but in relation to broader questions of legitimacy, effectiveness and ethical considerations, there isn't a specific office that looks at that in Scotland, unlike the role that Fraser performs in England and Wales. I'm just going to pick up on the thread that Jamie and Pauline have been. I have another question on a different subject, and it relates to facial recognition. I think that my colleague Fulton will back me up here. In the last session of Parliament, the police sub-committee took a lot of evidence on facial recognition, particularly in regard to the fact that the accuracy of it and there were problems with recognising people from ethnic backgrounds. I'm a bit confused now, if you could maybe just clarify when you were answering, I think, Jamie. You were saying that the police used retrospective images from previous custodies, et cetera. Was this new technology that we took lots of evidence of, but was that just never started or are they using that or not? No, so what that issue was all about, Rona, if you forgive me, what kicked us off was when Police Scotland originally published their 2016 to 2026 policing strategy. They had a statement in there which said that they were going to roll out live facial recognition. Of course, when the former justice sub-committee on policing had a look at some related issues specifically, such as the use of digital triage devices, digital forensics, et cetera, that whole piece came to the political fore. For the avoidance of any doubt, Police Scotland has not used live facial recognition in Scotland ever, and especially not in the way that we've seen it used down south, where it's maybe been used at rugby matches or it's been used in the Notting Hill carnival. I think it might help members of committee to understand the distinction between biometrics which establish characteristics of uniqueness versus those which only establish similarity. If we think about DNA, other than identical twins, nobody has the same DNA, so when you're analysing a DNA profile, if it's of sufficient quality and quantity, then the probability of you misidentifying is greater than one in a billion. Similarly with fingerprints, because they're actually formed in the womb when your little embryo and your fingers, your hands are fused and they form through environmental factors as a baby moves about in the womb, no two individuals on the planet, including identical twins, have ever been found to share identical fingerprints. Both of these sciences and the R sciences deal with characteristics of uniqueness, but our faces are not actually unique. We have evolved as humans to be very good at identifying faces because it helps us to know who our mum and dad is and our uncles and our friends, but machines are actually really, really bad at it. That's why a traditional police mug shot is taken in a certain position, and that's why when you put in an application for your UK passport, you're not allowed to smile and you're not allowed to wear sunglasses. The reliability of any technology dealing with face is not as good as one that would deal with fingerprints or DNA, so it's looking for characteristics of similarity. So the examples I gave you where the police used retrospective facial search for both the police national database and the child abuse image database, all that is really doing is using a machine to try and reduce a big huge sample, 100s of thousands of images to a shortlist of maybe 30 that a human can look at and go, or that could be him. So yes, face is not as reliable a technology at all. So you say that Police Scotland have not used a live facial technology. Is that an operational decision? I mean, they have the capability to do that, have they just decided not to do it? They were asked to give a reassurance to the last Parliament in response to the concerns raised by the Justice Subcommittee in policing about the statement that was in their 10-year strategic plan, and at that juncture they indicated that they had no plans at that time to pursue it. I'm not aware of any plans that they have to do so at the moment. If I could just ask another question please, and you've spoken about this and it's in the code of practice, but just for the record, if you could just sit out in broad terms the specific legislation to which this code will apply. So the easiest way to answer your question is to say that it will apply to all criminal justice legislation in Scotland that is not already within the preserve of another UK commissioner. So where my functions don't extend are to data protection act per se. So a specific complaint about breaches of data protection act would go to the information commissioner. My powers do not extend to biometric materials retained in Scotland under a national security determination. That's Fraser's role. I would add that the numbers are relatively small in Scotland. And if there was a complaint relative to biometric data obtained through covert policing operations, that would, if that was done under RIPSA, a regulation of Investigary Powers Scotland Act, that would have to go to the Investigary Powers Commissioner. Those are the three exceptions. Everything else I'm regarding is being within my remit. Yes, thank you. And just finally, and this is one you probably can't answer, when do you expect the code of practice to be approved by ministers? If you have any indication of that? Yes, so I've had a discussion with Scottish Government officials about this. Once I have the feedback from this committee and allowing time for factoring any amendments that you may wish to be made, the actual drawing up of a Scottish statutory instrument is relatively straightforward, but the difficult part is finding parliamentary time to introduce it. So my best guess is that we might be talking about the autumn, which would work, because in parallel with this, we've developed a draft complaints procedure to come to the code and we're in discussion with a number of bodies around that because it could become complicated. So, for example, if somebody made a complaint to me about potential breach of the code of practice, but at the same time they had also complained to the park about the same thing, you would just need to make sure that the processes and procedures are agreed between us so there's no blue on blue type activity. Thank you, that's very helpful. Thanks, computer. Thanks very much. I wonder if I can maybe just pick up on a point that you've been discussing there in relation to, for example, the introduction of facial recognition, which Police Scotland has, at the moment, indicated that it has got no plans to do that. Earlier on, you mentioned or you said that you're also their commissioner, i.e. Police Scotland. I'm interested in, if, for example, the position of Police Scotland changed in terms of use or not using a specific biometric data collection, such as facial recognition, what would your role be, if any, in that? So, would you have a role in supporting that, or is your role very clearly more around regulation? The convener, of answer to that question, I suppose, is twofold. Firstly, in terms of the legislation, my role in the legislation is to support and promote the adoption of lawful, effective and ethical practices. The answer to your question lies in those three key points, lawful, effective, ethical. So, if, for example, hypothetically Police Scotland decided that they wanted to, sorry, firstly had identified a facial recognition technology that worked, and that would be the first real challenge, and they decided that they wanted to deploy that Scotland-France rugby game. I think it would be very difficult, notwithstanding the lawfulness question, it would be very difficult for them to demonstrate that that was proportionate and necessary in the absence of a specific threat against that event. On the other hand, if they, again, had access to a technology that worked and was reliable and was free from bias and discrimination, and there was a G20 or something on in Scotland and there was a specific intelligence threat against that from a number of known individuals whom they had access to the photographs of, then, of course, that would be probably a legitimate use, but I would suggest that that would happen in the covert world. I've said this before, because I've been accused of being anti-facial recognition, and I'm not. What I'm said is that I am opposed to the way that it's been implemented in other jurisdictions. Whereas its use has been held to be unlawful because community impact assessments or quality impact assessments haven't been done, and in circumstances where technologies have been rolled out that, quite clearly, don't work, in which do contain discriminatory algorithms, then, of course, that would be, and not in favour of that, who would? That's why, if you look at the Bridges case, for example, in south Wales, it was ruled to be unlawful not because it was facial recognition. It was ruled to be unlawful because the various impact assessments hadn't been done, and reasonable steps had not been taken to ensure that the technology wasn't discriminatory. In England and Wales, the police are very much pressing ahead with this. It is an interesting one, because the site common law is the lawful basis for its use. In other words, it's using laws that have evolved from medieval times to say that this is the lawful basis for mass public space surveillance. I've probably got some issues around that, and I think that's all I would say. That's helpful. I'm going to bring in Russell Finlay. I think that you had a question around voluntary provision of biometric data. I'll just quickly touch on where we are just now, which is the issues of elsewhere in the United Kingdom. I think that there's a quote attributed to you previously, where you described it as being a dangerously authoritarian path. I don't know if that relates specifically to the south Wales thing or more general. That kind of prompted a rebuke at the time from the Scottish Police Federation, who even went as far as questioning your objectivity. Has that been resolved if you had conversation with them? Do they now understand where you're coming from? I think that, if you'll forgive me for saying that, that was a misguided comment by the Federation. I've written to the Police Federation before when I developed the first version of the code, the first version of the strategic plan. I wrote to the Police Federation, but I didn't get a response from them. The article that you referenced was that I received a request from a journalist from 1919 magazine, which is the magazine that's funded by the Police Federation. During the course of that interview, I was asked my views on live facial recognition and what I said is that it doesn't happen in Scotland. I gave a view on how it had been used in two specific scenarios in England. One was the Notting Hill Carnival, where the technology at that time was found to be something like 90 per cent inaccurate. In other words, 9 out of 10 people were misidentified. In that case, the London Ethics panel, I think, had a look at afterwards, and there had been no equality impact assessment, no consideration to the impact that we'd have on the black and minority ethnic community. In the Bridges case, I was simply citing a matter of fact, which was that the UK High Court, Supreme Court, whichever one it was, ruled that the way that had been deployed was unlawful. It was unlawful not because of its deployment, but because of the lack of impact assessments and the failure on the part of South Wales Police to satisfy themselves that the technology did not operate on the basis of discriminatory algorithms. I think that my remarks were interpreted out of context by someone who could easily have picked up the phone to speak to me but chose not to. I have tremendous respect for the Police Federation. That was like water off a duck's back. For me, that just came from one individual office holder. In the four-year plan, you talk about your first annual report to Parliament being due in summer 2022. Do you have a date for that? My first annual report is written, but as the committee may or may not be aware, there's actually quite a bureaucratic process that you have to go through to land your annual report. Even though I'm a tiny organisation with only three members of staff, I still have to go through the full Audit Scotland financial and performance audit. That's happening at the moment. Because of the way that that works, until my accounts are signed off by the Auditor General and the window for that September, even though my report is written, it can't see the light of day probably until October. The annual report is written. It would be wrong to say what's in that in its entirety, but the key message that I would leave with the Criminal Justice Committee is that, in my view, the Parliament should have confidence at this moment in time in the way that biometric data has been used for criminal justice and policing purposes in Scotland. Presumably, the 15 key performance indicators that the annual report will address where you're at in respect of each of those. There's a legislative anomaly. When the original act was passed, my financial and reporting periods were aligned in law, but because there was a delay in recruiting a commissioner associated with the pandemic, there was a Scottish statutory instrument subsequently laid down, which misaligns in law the period of my strategic plan and my finances. My finances run conventionally April to April, but my strategic plan runs December to November. I intend to put a recommendation in my first annual report about that. I've asked Scottish Government officials about that before. A way needs to be found to return to the original because I am the only independent off-solder in Scotland whose financial and reporting periods are misaligned in law. That doesn't help me. It doesn't help you. It doesn't help Audit Scotland. I'm hoping that by including a recommendation in that report that a convenient opportunity that can be addressed. That's just due to Covid. That's just unfortunate. My understanding, because the act was passed in April 2020 and the process to start recruiting a commissioner I think started in the December of that year, so I presume it was a Covid consequential. I'm going to bring in Katie Clark now. I wasn't going to come in in this. No, I'm not going to come in in this. Okay, thanks very much. Okay, in that case, I'll just move on and bring in Collette Stevenson. Good morning, commissioner. You have sort of touched upon this already as well, and it's about the sort of significant legal and ethical issues that have been highlighted within the Coda practice in terms of the different use of biometrics. I'm just wondering if you could maybe draw upon some of the work that's going to get undertaken in terms of assessing the legal and ethical efficacies really, because obviously the emerging technologies as well going forward. The idea of a Coda practice is or arose, and often does in other contexts, because the law is actually quite a blunt instrument and it takes a long time to change the law. And by time you do that, I think the point that was made earlier on is that the technologies have already made a quantum leap into the future. So the idea of having a Coda practice in the first place is that it's something that's more fleet of food, it's something that can be kept under review and something that can be adapted and amended on a regular basis. On the question of ethical consideration, they are everywhere. So if I think back in my, I joined originally into the world of policing in 1978, DNA hadn't been invented, right? Nobody'd ever heard of it. The police at that time took fingerprints by taking a tube of inks, putting out a brass plate, you rolled it out, and you basically got the prisoner in yourself covered in ink basically. And photographs were taken on the latest Codac camera, and it was a real period. But things have moved on so fast, and in the last 20 years, of course scientists have now sequenced the entire human genome. Now one of the things that I'll highlight in manual report when you get to see it, eventually, is that Scotland operates already at a higher level of DNA interpretation and analysis than the rest of the UK do. So UK and Europe use DNA17, Scotland use DNA24. But for the last 20 years it's been possible to sequence the entire human genome. But should we? So just because the police and others could use DNA to identify the skin colour, or eye colour, of a sample retrieved at a crime scene, should they? So those type of, type of, type of bits, particularly on DNA. And those kind of ethical debates are at the heart of that whole piece around live facial recognition. Is it appropriate in a modern democratic society for citizens to unknowingly be subject to mass public space surveillance? Yes or no? I mean these are, you know, regardless of whether there's a basis in law. Is that ethical? Is it proportionate? Is it necessary? Could you achieve the same means by traditional policing methods? So, I mean, yeah, I mean it's actually, it's fascinating stuff of this, it really is. And like many things in life there are no right and wrong answers, you know. But I think for Scotland, and I'm really proud of the way that Scotland has kind of led the way on this through the policy framework and through the, you know, the more all-encompassing definition of biometric data. Because it says something about the sort of society that we want to be and the sort of society we want to live in, you know. So, and the points being made well by other members this point, you know, if, what happens if you get this stuff wrong, you know, you look how it's used in China to suppress Uyghur Muslims. There are, I mean, China and Russia hold the two biggest state biometric databases in the world. Not my role to comment on how they use it other than to say that they do. But the UK holds enormous amounts of biometric data. The European Union, as you may be aware, are in the process of rolling out a massive facial recognition database under Prune 2. Prune is a small town in Germany for anybody that's never been there. But the prune, the existing prune arrangements cover the exchange of biometric data fingerprints in DNA between the UK and member states subject to very controlled conditions. That doesn't extend to face at the moment, but quite clearly the European Union want that to happen. I suspect the UK Government will want that to happen as well. So, yeah, sorry, I probably went off on a bit of a pet hobby there. No, not at all. It's all fascinating stuff. The other thing at M as well I wanted to ask, and you touched upon your annual report as well and it's at a ties in, is who actually oversees the procuring of all these technologies as well, because you mentioned about the local authority, but obviously 26 per cent as well of Police Scotland. So I was just wondering who actually oversees that and do you have any input in that as well? Yes and no. Good question. So in relation to fingerprints in DNA, the national DNA database, this is the UK one. Sorry, let me go back a stage. Scotland has its own DNA database, Scottish DNA database, and from there Scottish samples are uploaded to the UK national DNA database. Scotland doesn't have a fingerprint database, should it? Question mark. Scotland uses the UK fingerprint database known as IDENT-1. Scotland also has lots of databases that contain facial images, lots of them, but the only ones that are uploaded in biometric terms to the UK system are the Police Scotland criminal history system, and pictures are taken of people who've been arrested and charged, go into this thing called the Police National Database. I sit on the UK Finds Strategy Board, which is a forensic information database service. It's a strategic group chaired by a deputy chief constable, which oversees the management of the UK fingerprint and DNA databases. I don't have a seat on the National Police Chiefs Council group, which looks at facial images. Neither does my counterpart in England and Wales, because facial images do not fall within his definition. I suppose that's a roundabout way of saying to you that I'm very confident in what's happening in relation to fingerprints and DNA. I'm far less confident in what's happening around national approaches to face. The DNA database and the fingerprint database are all approved by the Home Office, procured by the Home Office, to ensure that among other things there are no discriminatory algorithms. The police tend to do their own thing in terms of face. I can't comment on the PND that Police Scotland uses as a Home Office-procured system. Some of the other ones that have been used by other forces down south, we've seen from the media that they've been out of the box too soon. I apologise. I'm just making sure that I'm bringing everybody in and covering off as many of the themes as we can. I'm going to bring in... Jamie, would you like to come in at this point? It does follow nicely. It's not just necessarily about procurement, although procurement is an issue that you remember as far back as 2015. Glasgow procured a high volume of digital surveillance cameras to replace its old analogue system through the Future Cities project that costs around £21 million, around 500 cameras currently sit there. Now they are capable of forms of facial identification through software if it were to be enabled. That was quite widely reported at the time and probably quite widely resisted by many stakeholders. I guess my question is that it seems to me, reading between the lines, that the Scottish Police Federation are of the view that their operational members, front-line policing, are very in favour of much more enhanced use of technology on a proactive basis, such as the enabling of CCTV to perform certain functions around specific targeting of people, tracking missing persons, preventing crime in certain areas of the city. Off the back of the 60 page report that the sub-committee of the previous Parliament came out with, it felt that those views had not been taken fairly into account by the committee, and that is with respect to members of the current committee who sat in the last committee, but there's just a general overview in their part. So it seems to me that there's a conflict that local authorities or operational police are very much in favour of the benefits of this, but feel like its use is being thwarted by either a public or political perception of the so-called big brother state argument, which is holding back the use of the technology. I would ask you first of all where you sit on that. Secondly, if you are likely to make a more proactive recommendation to Glasgow City Council to the police over enhanced use, in other words the switching on of these camps of just sitting there and not being used to their benefit? Yeah, that's an interesting two-part question there, Jamie. I mean, I think, I suppose that if I can put the Glasgow City Council one to one side unfortunately, because that isn't part of my remit, you know what, that's for others to decide where this role goes in future, but currently it's not part of my remit. I think the key issue here is that mud sticks, and if you allow unregulated experimentation with technologies and the consequence of that is some really bad publicity, then it really doesn't help the police service and others when they come to do what they need to do. I mean, personally, I think it's unfortunate that, and we'll use the Notting Hill example as one of what possessed the Metropolitan Police to think it would be a good idea to test facial recognition software at the Notting Hill carnival of all places. I don't know. I mean, that was years ago and that was a very specific trial and it went wrong. We get that, but I don't understand this link between something that's a seven-year-old decision which costs tens of millions of pounds for technology, which is currently sitting there, not being used to its benefit in the modern day environment, 2022 or halfway through it. I think that the conversation has moved on, technology has certainly moved on, the software, the hardware, but what you're saying is simply that the public mood has not moved on, and therefore, as a result of that, we shouldn't do it because the public are against it. No, that's not what I'm saying at all. What I'm saying is mud sticks, and the problem is that you only need one bad apple in the bunch and it changes the perception of many people. If I return to my opening point, which is that if we stick to Scotland, live facial recognition has never been used in Scotland in the past year in Scotland, as I said, there have been no controversies whatsoever about the way that biometrics have been used for policing and criminal justice purposes. I understand why the former Justice Sub-Committee on Policing got into that whole debate, because, in a sense, it was forced on them by comments made by, it was actually Alastair McGregor, who was the first commissioner for England in Wales. I think it was this 2015 annual report that had kind of exposed the thing around PND, facial search, and then, of course, the digital forensics, the cyber-chiosk experiment with the benefit hindsight probably wasn't handled as well as it could have been, and I think these two things came together in the minds of the previous Justice Sub-Committee on Policing, and then kind of drones and body one CCTV all kind of got wrapped up in that same argument. So, no, listen, these are all legitimate policing tools, right? It's not any of our jobs to tie the police's hand behind their back. I think all that we're saying is if you're going to use a technology, particularly a biometric technology, make sure you've got a lawful basis to do it, and make sure that its use is proportionate and necessary. In other words, strike that right balance between what it is you need to do your job to keep us all safe, but don't do it in a way that rides roughshod over the individual or collective human rights of individuals. So, for the avoidance of any doubt, I am not opposed to the police using facial recognition technology, that's hard to say, in the right circumstances, providing the technology works, providing there's a lawful basis for it, and providing it's done in a proportionate and necessary way. I don't think I could be any more clear than that, to be honest. Thank you. Thanks very much. I'm going to bring things to a close in about 15 minutes, and we've got a few things to still get through, so if questions and responses can be a wee bit succinct. I'll bring in Russell and then I'll bring in Pauline. Thank you. I'll be brief. It's a very specific two-part question. Jamie Greene has already touched upon local authorities with the capacity but not yet using this technology, which is probably changing rapidly day by day, week by week. Do you know of any other private organisations in Scotland that might be using facial recognition technology? If so, what ramifications might that have? Furthermore, the likelihood would be, if it was a retailer, for example, that they would then just instinctively share that information with the police and therefore it would become used for policing purposes by definition. Would you have a role at that point, or is there a worry that this would come in through the back door, through the private sector? The short answer question, Russell, that's not part of my remit in legislation. The Parliament decided to restrict the role specifically to Police Scotland, the SPA and Perk. Do private companies in Scotland use facial recognition? Yes, they do. Everybody has got an iPhone or a Samsung Galaxy that's enabled. If you've enabled, then it's been collected. We saw the recent case of clear view of downloading people's images off of the internet. Of course, phones contain the technology, but I'm talking more on the ground within society, and whether you're anticipating, if the police do then utilise this information, do you have a role if you anticipated that, or what their ramifications might be? Well, if the police use biometric data that's sourced from elsewhere that comes in my remit, so it's about acquisition, retention, use and destruction, so if they use it, so there are many examples where biometric data will come into the hands of the police that hasn't been primarily collected by the police, but its use would come under major distinction, and that's the code of practice. My substantive question was going to be how you're going to set up the framework for the public making complaints about if they thought that their data was being misused, but listening to you talking this morning, I'm wondering how does the member of the public even know how to go about it or that their data has been abused? Maybe you could come back on that, but the evidence that you've given the committee this morning suggests to me that there is a massive gap, and I just wondered if you thought that your role should be expanded, because I'm sorry that I didn't catch all of your contribution, Jamie, but I mean that I'm familiar to some extent with Glasgow's CCTV. It is relevant where the equipment was bought from, because it's controversial where Glasgow bought its equipment from. In Glasgow is a city where there are every weekend protests, marches and some of those are controversial. Those are the things that the public probably get concerned about being on CCTV and to make sure that that's properly used and not abused, but what concerns me is is what you said at the beginning, is that I know the police use CCTV, everybody uses the CCTV, and this divide between the police and local authorities and private companies using and running seems to me to be a really messy area. I suppose that my second question is, don't you think then that either your office or another office should have some overarching view of the way that you've produced the code for the substantive issues that you're responsible for the overarching use and a collection of surveillance data where anyone's face is whether it's detailed or not detailed? That seems to me, that's what surprised me about the session today. The short answer to your question is yes, and that's obviously why in England and Wales that a number of years ago they created the Office of Surveillance Camera Commissioner, so as the same opposite number in England Wales has biometrics and surveillance camera function. In relation to his surveillance camera function he produces a code of practice. Now some Scottish, in fact the first organisation to be accredited in terms of his code of practice was actually from Scotland, I forget which it may have been Glasgow City Council in actual fact, I'm not sure I could find out from Fraser, but the fact that Scottish organisations feel the need to voluntarily adhere to a code of practice produced in England and Wales probably answers your question. There is a gap there, absolutely there's a gap. Fulton, we'll bring you in. One of the difficulties with being at the end here is I think that most points have been covered in the areas that I was going to ask about, but I'll try and put a slightly different slant on it if the community doesn't mind, but just firstly I'd want to say that with Rona Mackay and of course the clerks who are involved in the progress of the Bill through Parliament, certainly stage one and stage two of the whole Parliament were obviously involved. Latterlyn it is good to see the provision of that and how passionate you are about your work and that's really good because you in many respects and your small team are the Bill and the work that you're doing is really good because I won't lie to you and I'm sure that Rona will now back me up here after asking for my assistance earlier. It was a very technical Bill for a member correctly and some long warnings in committee, so it's good to actually see that somebody's been very very passionate about it and actually bringing that process to life for us all in hearing about your work. As I say, the areas that I was going to ask about was firstly about the collaborative work that you're doing with counterparts in the UK because obviously as you've already said yourself in your opening speech, you know there's lots of different overlap between the various bits of legislation and I think you've covered most of that but what I maybe ask you to put on record is where do you think that collaboration work will go going forward? What's your thoughts on working with Fraser as you mentioned and others going forward and where do you think that it would go if there's different legislation put in place? For example, if there's other powers devolved to Scotland, you know how do you think that that might work? Yeah, I mean that's a thanks for the question for all I mean it's quite an interesting area that firstly when I came to determine the membership of so the act requires me to have a professional advisory group but it leaves a decision to the commissioner as to who should be on that group subject to the approval of the parliamentary corporation but one of the things I decided at the outset was I wanted Fraser on that group, I wanted the information commissioner on that group, Children's Commissioner, the Scottish Human Rights Commission etc etc and that group meets quarreling what that allows us to do because as you rightly highlight there are a number of overlapping areas of responsibility here so that allows us to discuss permanent issues that concern all of us and that arrangement seems to work really well and then as I also mentioned I managed to get myself invited on to the fine strategy board so the UK group that oversees the running of the DNA and fingerprint databases so that that piece works really really well I'm actually fortunate Fraser lives in Scotland, he's Scottish, he lives in Scotland so him and I can meet quite regularly I have met the UK information commissioner, the new commissioner but as members will know there's a an office in Edinburgh so these arrangements work really well I think where some of this could become problematic as and I mentioned earlier on the DCMS consultation if for example the UK government decide to hand oversight of police and criminal justice by metrics in its entirety to the information commissioner's office that would have consequences for Scotland because it would leave a gap in terms of well who then does national security determinations in Scotland if Fraser's post didn't exist and potentially it could usurp the will of the Scottish Parliament because way back during the early days in the passing of this bill before even contemplating creating a new public body consideration was given to is there an existing body out there who could take that on and the information commissioner's office was considered but they themselves ruled that out so that so I do think there's a vulnerability there that if Westminster decided to go in one direction with us there could be there would be consequences for Scotland you know so I mean I think it's just an inevitable consequence of having different legislative frameworks that culminate in data all going into the same databases it brings a whole host of problems okay thanks for that you're just concerned on that the other area that I was going to ask about as well has been quite widely covered by other members which is that about the expansion if you like and I remember you know taking the bill through the last time there's a lot of discussion about local authorities and you know the various biometric data that other bodies you know have mean even just to get into the parliament all of us here who work in the parliament have to you know put our finger print down so there is a lot of that and I guess what I would ask is rather than expanding your role because I think the parliament has been quite clear on that is do you have any thoughts on whether the role that you've got do you think that would be a useful role for you know other other either other criminal justice perhaps the criminal justice sector or even in time you know local authorities other public bodies yeah I mean without giving away anything or everything that's in my draft annual report I mean another obvious area is prisons so 7 000 prisoners in Scotland they have their you know prisoners have their biometric data captured that data is shared as part of criminal justice administration yes we have a chief inspector prisons Wendy I meet with Wendy on a on a regular basis as I do with others in the criminal justice landscape in Scotland but for me that that that's a if I was on this committee that's an question I would be asking you know about who oversees that data and how does that answer your question just as one example yeah no that's great yeah thanks so much thanks just going to another five minutes or so I'm going to bring in Rona and then Colette and then we'll come to a close thank you thank you convener apologies if I've missed this during the course of this morning but I just wanted to ask about your role with regard to um do you rely on reports coming into you about people who have or have not broken the code of practice or do you proactively investigate you know things is that yes so the short answer Rona none of that's in place yet because because obviously until the code of practice is introduced by regulations but is that how you how are you envisaging it to take well there's two essential conditions that have to be met for you to um to to complain one is you have to be a data subject i the place scotland or the SP or perk have to hold your data and in the second condition is that um they have to hold your data in a way that leads you to believe that they are breaching the code of practice I am going to put my head on the chopping block here I don't think that this process will result in a high number of complaints at all because I think the most likely complaint scenario would be probably a data protection matter which would go to the ICO it might be that people wrap up a complaint as part of a wider complaint about unlawful arrest something like that my gut instinct is and it's only that that the numbers of complaints that we would receive would be relatively small but I think the parliament felt it was important that there was a means of public redress in in the in the kind of regulatory landscape so that's just my best case you've kind of answered my next question which was you know if you're only dealing with police and criminal justice matters they will know the rules so the chances of you you know we might be a bit quiet the chances of you being swamped with stuff is not maybe that high but but in the case where you know something has happened and you it's been found that it has broken the code what's the sort of penalty is there a penalty here yeah well it's not it's there's not like a financial penalty or anything like that but so the legislation allows for for compliance notice to be served on the organization concerned and if the organization concerned disregarded compliance notice the act allows for the matter to be taken to the court of session basically that's a highly unlikely scenario I would suggest but again it's important I think that I think that is in there do I think that police scotland the SPA or part would knowingly breach the code of practice no are there areas of vulnerability for them yes there are there are areas of vulnerability sorry it's hard to say put my teeth in there's difficult questions for them around anything to do with face because unlike fingerprints and DNA which are held in single databases facial images are everywhere and sometimes they're on a primary database a secondary database a tertiary database and there are so many of them that I don't think anybody actually knows where they all are another area of vulnerability is around digital forensics so specifically where the police or others recover biometric data and I'm talking really about face or voice here from people's electronic devices in circumstances where that can enter the evidential chain from crime scene to court there are vulnerabilities that need to be addressed now police scotland have already embarked on a journey of accrediting their digital forensics processes and procedures but they won't achieve that till 2024 but those are the two areas where I would suggest that police scotland and others need to pay most attention to ensure compliance of the code thank you thank you thank you and finally I'll bring in Colette yeah you kind of just touched upon that there so for instance to contextualise that I've got a ring doorbell and you know having spoke to the local police as well and it captures you know people passing by the door and whatnot and there was an incident where there was people lying about outside at 2 and 3 in the morning and whatnot however I know that they what they said was they actually use that a lot and so you're saying to me that could be open to a complaint because it's facial digital technology that they're using and also could that complaint come back to me in terms of data protection or GDPR and then there's also the person that the company that actually ring themselves that actually hold that information I suppose I'm going down a bit Arab a whole year but I mean that's I mean where does it end really well yeah yeah it's how long is a piece of string yeah yeah you know I mean I think I made the point earlier on that the the code covers any biometric data in terms of the Scottish definition acquired retained used or destroyed so if the police obtain images from a crime scene and if they retain that image if for evidential purposes or against the profile of an individual then that falls as biometric data within the Scottish definition not in England the Wales so yeah it's a challenging task thank you thank you very much doctor plaster I'm just going to bring the session to a close this morning really fascinating an important discussion lots for us to think about and we'll certainly write to you with any follow-up questions that the committee members have so again thank you very much and look forward to your annual report coming forward this summer thank you very much thank you and we'll now move into private session thank you