UK's biometrics commissioner steps down, signalling missteps

Home Office is ignoring new technologies

Dr Sampson is worried that the Home Office is too focused on the regulatory framework for DNA and fingerprints, ignoring new technologies.

The newly departed biometrics and surveillance commissioner has criticised the Home Office's approach to governing biometrics technology, in a recent report.

Dr Fraser Sampson highlighted that the Home Office's focus was too narrow, concentrating almost solely on the regulatory framework for DNA and fingerprints and leaving aside emerging issues and new technologies, such as the need for regulation of live facial recognition (LFR).

His report, published a week ago, comes months after he quit the role, which will soon be abolished. Among his claims is that the government failed to offer the support required to carry out the commissioner's duties.

The new Data Protection and Digital Information (DPDI) Bill will come into play from spring, making the joint biometrics and surveillance commissioner role redundant.

However, it is unclear who or what will take over the commissioner's key functions, which could create considerable regulatory complexity for the UK.

The new law

Sampson highlighted the peculiarity of the UK appearing to be "moving in the opposite direction" to other leading nations, which are leaning towards oversight and governance in the areas of biometrics and surveillance.

The enactment of the DPDI Bill into law will transfer the commissioner's biometrics-related duties to the Investigatory Powers Commissioner's Office (IPCO). The bill will also remove the requirement to release the Surveillance Camera Code of Practice (SCCP). This is expected to create more vulnerabilities for users and for the rights of those subject to surveillance.

The SCCP was established under the Protection of Freedoms Act 2012, and helps local authorities and police determine how to use surveillance technology appropriately. Sampson called it a "touchstone document" for users.

The current thinking is that the commissioner's surveillance-related functions will be regrouped as data issues and identified by the Information Commissioner's Office (ICO) and its Video Surveillance Guidance.

This was Sampson's major concern; he referred to "significant, demonstrable differences" between the Code and the ICO's guidance. He said the merging of data will potentially limit the identification of surveillance-specific harms, reducing meaningful oversight.

IT issues continue

The system used to enter National Security Determinations (NSDs) to hold onto biometric data for law enforcement purposes is plagued with IT issues, leading to a widespread notion that NSDs are inaccurate.

Legally required updates are yet to be implemented, which has led to some NSDs being filed under the wrong (old) legislation. In other cases, officers have been unable to amend NSDs to reduce the time they hold particular pieces of biometric data, leading to some information being retained for unnecessarily long periods.

Poor search functionality also plagues the system, which requires the commissioner to search every NSD record manually, an issue that hampered his data governance duties.

Sampson said in the report, "I think it fair to say that all those forced to use the application acknowledge its many failings, and I was dismayed to hear recently that funding previously made available to at least do some remedial work had been 'de-prioritized' [sic].

"At the time of writing, however, I am advised that an upgrade has been resurrected and hope that the revivified system both supports the production of basic management information and also that my successor is permitted access to it."

The National Security Act 2023 will allow chief officers to make NSDs for offences related to espionage and sabotage, which means even more NSDs will be generated using a failing IT system.

Is it ethical?

A recent survey of police forces uncovered a gap in awareness of surveillance technology's capabilities among staff, either when the software was purchased or installed.

While Sampson's work has assisted in the Public Procurement Bill to prevent the deployment of technology made in China - and subject to Chinese law requiring data sharing with Beijing - current procurement processes have transparency issues.

The figures showed the frequent deployment of Chinese kit, even though Sampson's recent report says active steps have been taken to remove this and prevent ethically questionable procurement in the future.

In addition, forces rarely, if ever, perform penetration testing when assessing their kit's cybersecurity.

The same 2022 police survey, which had a 91% response rate, states that "only two respondents stated that their equipment was subjected to penetration testing when assessing the cyber security of their equipment, while other respondents relied on encryption, VPNs, or health checks."

Sampson added, "This lack of proactive testing makes it hard to see how forces derive their assurances around data security."

While ethical considerations of the growing AI sector are crucial, the Home Office's new approach risks skipping over even core aspects of these technologies.

Sampson said, "I am not confident, following my interactions with the Home Office over many months, that the benefits of bringing the two offices together and the multiplicity of work that the single office covers will be readily addressed elsewhere.

"That will be for others to judge over the coming months and years as biometrics and the expansion of surveillance camera technology increase against the backdrop of leaden-paced legislative change."

Sampson has moved on to take up the role of a director at Facewatch, a retail face biometrics provider.