Written evidence submitted by the Home Office (BIO0035)

1)                Introduction

1.1 The use of biometric information[1] in systems for identification of an individual has become a fundamental part of modern society.  Such systems play a vital role in allowing a person to verify their own identity, in protecting the public from harm and enhancing the economic wellbeing of the UK.   They protect our borders, help enforce immigration rules in relation to who should be allowed to enter or stay in the country and inform the removal of people who do not have the right to be here. Biometric identification systems deter, detect and help in the investigation of crime, and protect us from terrorism and serious and organised crime.  They can eliminate the innocent from criminal investigations, whilst helping to bring offenders to justice and confirm the identity of sex offenders and other dangerous people.  Secure access to sensitive areas, to computers, phones and other devices can be managed using biometric identification systems.  In the commercial world they allow us to make secure transactions and verify whether we are entitled to services.

1.2 The use of biometric information for identification, by the state and by others, is growing significantly.  The growth in state use should be seen in the context of measures taken during this Parliament to abolish identity cards and delete the DNA profiles and fingerprints of more than 1.5 million people.  The Government’s view is that any decisions over the novel or continued use of biometric identification systems need to take account of a set of underlying principles associated with demonstrating a lawful purpose, a pressing need and proportionality.  This submission draws these principles to the Committee’s attention and indicates the direction of travel the Government wishes to set in this area.

1.3 We will first set out the variety and importance of the uses of biometrics.

Immigration

1.4 The use of biometric information is an integral part of the UK’s measures to protect its border and prevent immigration abuses. Biometric information held in passports is used at the border, is collected overseas to support visa applications, is used at the border to confirm the identity of visa holders, and used in processing applications for further permission to remain in the UK.   Biometric residence permits, credit card sized immigration documents that contain a highly secure embedded chip, evidence the holder’s immigration status in the UK.

1.5 Border Force operates automated border control gates for use by eligible passengers holding an ePassport.  Facial recognition is used to verify their identity against the data held securely on their passport and offers passengers a self-service alternative to the manual border checks.  Currently around 1.4 million passengers pass through ePassport Gates each month at 18 airport terminals across the UK.  Eligibility to use the gates is currently restricted to adult UK and EU/EEA/Swiss nationals and to registered travellers from Australia, Canada, Japan, New Zealand and the USA who hold an ePassport.

1.6 Biometric information taken for immigration purposes is stored on the Immigration and Asylum Biometric System (IABS), which holds in excess of 17.7m sets of fingerprints and on average receives 72,400 sets of fingerprints per week.   The use of biometric information has enabled us to identify over 9,000 identity swaps, where foreign nationals have attempted to conceal an adverse immigration history. Those applying for visas also have their fingerprints checked against the police system.

Identity Assurance

1.7 Our entitlement to travel abroad and to drive has to be demonstrated by identifying ourselves.  Our driving licences and passports contain recent photographs allowing us to prove that we are the person in question and can operate and drive vehicles or travel internationally. 

1.8 Where identity fraud does occur, the costs to society are significant.   The personal and financial consequences of identity fraud for individuals can be quite catastrophic. The use of biometric identification systems can help to mitigate the risk of identify fraud.

1.9 Facial recognition technology also plays a key role in the reduction of passport fraud. Her Majesty’s Passport Office is currently rolling out a system capable of undertaking biometric comparisons of each passport application photo against the entirety of its passport database.

1.10 The Cabinet Office has initiated an Identity Assurance Programme to be used across Government.  This is a core element of the digital by default strategy, setting standards for verifying an individual’s identity.  This includes four levels of identity assurance, of which the highest (Level 4) is dependent upon the use of biometrics. Level 4 verification is intended for those persons who may be in a position of trust or situations where compromise could represent a danger to life. 

Crime & Justice

1.11 Biometric identification plays a vital role in helping to bring offenders to justice and in reducing crime.   There is little doubt about the scope and powerful effect of DNA evidence – its use has revolutionised policing.   The ability to match traces of DNA left at the scene of a crime has helped to solve serious crimes and to reduce the scope for miscarriages of justice.  

1.12 People arrested by the police are identified using fingerprint records. This allows any previous criminal history to be identified and warning markers such as suicide risk to be highlighted so as to best protect both suspect and officer. The police also take a DNA sample from every individual arrested for the first time, using a swab on the inside of the cheek.

1.13 Crimes are investigated from material left at crime scenes by using DNA profiling technology and the National DNA Database (NDNAD); by using fingerprints and the Unified Collection on the IDENT1 system; and by using CCTV and facial images.  Victims of crime such as serious sexual offences are examined at Sexual Referral Centres to identify traces of an assailant and help obtain convictions. The NDNAD holds electronic DNA records (DNA profiles) taken from 4.9 million individuals and 168 000 unmatched DNA profiles from crime scenes. The database provides the police with over 25 000 matches a year, linking an individual to a crime scene including over 700 matches to murders, manslaughters and rapes.[2]        The IDENT1 Unified Collection includes fingerprint records associated with 7.8 million individuals, and 2.3 million unresolved crime scene finger marks and produces more than 50,000 crime marks identifications a year.

National Security and Defence

1.14   In the context of national security (including Counter Terrorism) investigations by the police or other law enforcement authorities, biometric material plays a vital part in our efforts to combat terrorism and counter the range of current and emerging threats to our national security. The Protection of Freedoms Act 2012 provides a clear framework for police retention and use of biometric material on national security grounds to ensure that material is only held where it is necessary and proportionate to do so. The Act provides a mechanism to extend retention where it is necessary on national security grounds, to ensure that valuable material relating to individuals who are the subject of continuing interest is not destroyed and that law enforcement authorities have the powers they need to protect UK citizens and assets here and overseas.

Biometrics in Wider Society

1.15 The use of biometrics is growing in society at large.  Schools use biometric technologies as authentication methods to speed up transactions made by students such as library loans and cashless catering.   Pre-schools and maternity wards can use biometrics as access control to protect their children.  The Prison Service uses biometric information in systems for positive identification of visitors engaging in social or legal visits.  As a result, members of the public are correctly identified upon entry and exit, and this helps prevent any attempts at a prisoner to escape by verifying their identity at various checkpoints within the prison visit areas.     

1.16 Smart phones and computers use biometrics to authorise, or prevent unauthorised, access.  The banking sector is beginning to use biometrics to verify transactions.  As the availability and ease of use of biometric devices increases, the use of such systems will inevitably increase.

1.17 In this submission we will set out the legislative basis for biometrics, the underlying principles that should govern all uses of data and the specific legislation around particular end uses.

2)                How effective is current legislation governing the ownership of biometric data and who can collect, store and use it?

2.1 Biometric information used for identification purposes will be considered as either personal data or sensitive personal data and will therefore be subject to regulation under the Data Protection Act 1998 (DPA).  The DPA sets out rights for data subjects and obligations upon any organisation in the United Kingdom which acts as a data controller or data processor.    Schedule 1 of the DPA sets out eight data protection principles[3]; these must be followed when processing personal or sensitive personal data[4]. There are a range of exemptions which are specified within the DPA to accommodate special circumstances.  For example, Section 28 provides exemptions for the purposes of safeguarding national security, and Section 29 provides exemptions for the prevention or detection of crime, the apprehension or prosecution of offenders, and the assessment or collection of any tax or duty or of any imposition of a similar nature.

2.2 The Information Commissioner has a statutory duty to maintain a register of data controllers, promote the following of good practice by data controllers, and has powers of investigation and enforcement where a breach of the DPA is reported.

2.3  Furthermore, wherever biometric information is processed by a public authority in the United Kingdom for identification purposes, such use is subject to the provisions of the Human Rights Acts 1998 (HRA).  The HRA enshrines the European Convention on Human Rights (ECHR) in United Kingdom law.   Of particular relevance is Article 8 of the ECHR which states that:

Right to respect for private and family life

1 Everyone has the right to respect for his private and family life, his home and his correspondence.E+W+S+N.I.

2There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

2.4 The DPA and the HRA provide a general framework of principles within which decisions over the use of biometric information for identification must be approached.  One of the strengths of a principle-based framework of statutory requirements is that it should remain relevant and applicable in the face of rapid technological advance and developments in the application of such new technologies.

2.5 There are, however, specific applications and uses of biometric information for identification purposes where Parliament has quite rightly seen it appropriate to create specific statutory requirements and safeguards to balance public protection with an individual’s human rights.  These include the following statutes:

2.5.1          Police and Criminal Evidence Act 1984 (PACE) - Provides specific powers in Part 5 for the police to take fingerprints, intimate and non-intimate samples (including DNA) and photographs of suspects who have been detained without their consent.  PACE also defines the purposes for which such biometric information can be retained and used by the police.

2.5.2          Protection of Freedoms Act 2012 (POFA) – Part 1 of POFA was devoted to the regulation of biometric material.  

2.5.3              Part 1 Chapter 1 amended PACE to implement the Programme for Government (section 3: civil liberties) commitment that the Government “will adopt the protections of the Scottish model for the DNA database”.    In doing so, it created a specific statutory framework for the proportionate retention of DNA profiles and samples and of fingerprints taken by the police, taking account of whether the person concerned had been charged or convicted of a recordable offence.   POFA also created the statutory appointment of a Commissioner for the Retention and Use of Biometric Material (the Biometrics Commissioner) to keep under review the retention and use by the police of DNA samples, DNA profiles and fingerprints.    In implementing these provisions of POFA, over 7.7 million DNA samples have been destroyed and over DNA profiles and fingerprints records taken from 1.5 million people and children have been destroyed.

2.5.4              Part 1 Chapter 2 of POFA made provision for implementing the Programme for Government (section 3: civil liberties) commitment that the Government “will outlaw the finger-printing of children at school without parental permission”.    The Department for Education subsequently issued non-statutory advice to explain the legal duties place upon schools and sixth-form colleges by POFA if they wish to use biometric information about pupils for the purposes of using automated biometric recognition systems.     There is now a requirement for positive consent from parents before any enrolment in such systems as an alternative to a smartcard.

2.5         Identify Documents Act 2010 – made provision for implementing the Programme for Government (section 3: civil liberties) commitment to “scrap the ID card scheme, the National Identity register and the ContactPoint database, and halt the next generation of biometric passports”. It repealed the Identity Card Act 2006 and required the destruction of information recorded on the National Identity Register.    

• 2.5.6 Immigration Act 2014 – Section 14 of the Immigration Act 2014 sets out how biometric information taken for immigration and nationality purposes may be used and retained.  This will replace the various biometric retention and usage powers set out in the Immigration and Asylum Act 1999 and in regulations made under the UK Borders Act 2007 and the Nationality, Immigration and Asylum Act 2002 and will provide for new regulations on this to be made under the British Nationality Act 1981.  This means that the laws governing when and how biometric information taken for immigration and nationality purposes is retained and used will be aligned.  A statement of intent was made available at Commons Committee stage during the Act’s passage through Parliament[5].  This statement sets out how the Home Office intends to use biometric information provided for immigration and nationality purposes.   We plan to make several sets of regulations under this Act, the first in December 2014 and subsequent sets in early-mid 2015.

2.5.7 Currently, the basis for retaining or using biometric information depends upon the power under which the biometric information was taken. If taken under regulations made under Section 5 of the UK Borders Act 2007, it could be retained for so long as necessary for one of the purposes specified in regulations. If taken under the Immigration and Asylum Act 1999 or regulations made under the Nationality, Immigration and Asylum Act 2002, it could be retained for up to 10 years.

Road Traffic Act 1998 - Makes provision that applicants for a driving licence must provide a photograph that is a current likeness of the applicant. That photograph is processed as sensitive personal data under the DPA. .

2.5.8          Third EU Directive on Driving Licences – Mandates the issue of the uniform EU ID-1 driving licence format to reduce document fraud and identity theft, and securely identify drivers and their entitlement to drive. The Directive specifies the stored data on the licence e.g. photograph and signature.  Although the Directive also allows for the introduction of an optional microchip (which can include biometric data)[6], the UK driving licence does not include a microchip.    

2.5.10 British passports are issued under the Royal Prerogative, which is laid before Parliament from time to time.  The exercise of the Royal Prerogative is supported by robust policies and procedures for the issue, refusal and withdrawal of a passport.  HM Passport Office sets out their data sharing criteria and privacy principles on the .gov.uk website.  Access to personal data including facial biometric data is strictly governed by these principles and is focussed on preventing and detecting crime. 

2.6 There will always be challenges in maintaining an appropriate balance between securing the benefits that biometric identity verification and assurance can deliver for the public and the individual’s right to respect for their private and family life.  Except where there is specific provision, the current statutory framework is principle-based and thus provides the necessary safeguards against collateral intrusion or identity theft whilst allowing for innovation in both technology and practice within the law.  This is, however, a complex area and the Government keeps the need for further specific provision under review.

2.7 The principles on which the statutory framework is based include the fair processing requirements set out under the DPA, whereby the data subject must be informed about the purposes for which their personal data or sensitive personal data may be used and be advised of contact details so they can exercise their rights.    

2.8 Implicit in the principle-based framework is the concept of transparency on the part of the organisation which is using biometric information.   Such transparency is crucial in establishing and maintaining public confidence that the use of biometric information for a stated purpose is legitimate, necessary and proportionate.

2.9 Such transparency is important whether the biometric information is being processed by the state or by other bodies.   For example, social media providers may use automatic facial recognition systems as part of their products. Those providers may be outside the UK and therefore subject to a different statutory regime. It is important for users to consider the implications for their personal data when agreeing to terms and conditions.

3)                How might biometric data be applied in the future?

3.1 As current contracts for both the police fingerprint systems (IDENT1) and the Immigration and Asylum Biometric Systems (IABS) come up for renewal, there may be opportunities to develop a common services platform, with a rationalised architecture, including interfaces to automated fingerprint identification systems outside the UK, and user access dependent upon the purpose for which it is required. The benefits and risks of any common services platform would need to be assessed.

3.2 There is an increasing interest in the application of automated facial recognition systems. Common data standards and the accuracy of the underlying algorithms will be critical factors in any application, along with support in the resolution of possible matches by trained examiners.   There is a pilot project being run by Leicestershire Constabulary, and the DVLA has indicated an interest in the development of facial recognition software to reduce fraud.  

3.3 There is the potential for biometric identification technology to be applied in support of a range of activities in which the UK Armed Forces may be involved. These include, but are not limited to: base protection/base entry; countering insurgent networks; disaster victim identification; and other personnel identification to support operational tasks, such as Non-Combatant Evacuation Operations.  

3.4 There is the potential to exploit the automation provided by biometrics to increase efficiency in some public sector processes.  For example, recent improvements in fingerprint technology deployed by the Home Office have enabled a move by police forces towards a fully automated model of processing arrestee fingerprints.  This has reduced costs whilst preserving forensic integrity.  Looking to the future, the Home Office is working with the police and other partners to develop a Forensics and Biometrics Strategy.

4)                What are the key challenges for Government and industry in developing, implementing and regulating such technologies, and how might they be addressed?

4.1 A key challenge for Government is to maintain public confidence that the right balance is being struck between protection and privacy and the increasing use of biometrics both by the state and by others.    The Government has already taken action to destroy inappropriately held DNA samples and cancelled the national identity card programme in response to widely held concerns.   We will, however, remain vigilant to ensure that any proposed use by the state of biometric information for identification purposes is subject to careful scrutiny within the existing framework of principles set out in legislation.  Such scrutiny should always consider the legitimacy of the purpose for which biometrics might be used, and whether the proposal is necessary and proportionate. There should also be consideration of whether specific regulation and supervision may be necessary to create safeguards.    For example, work is underway to ensure the retention of photographs by the police, including those taken of detainees under Section 64A of PACE, is proportionate in the light of developing case law.

4.2 Transparency and consultation form part of the general framework of principles for use of biometrics for identification, and the Government has a role to play in promoting such transparency.

4.3   As the world becomes ever more connected, sharing selected biometric information with our international partners will become an increasingly important means to address threats such as terrorism, serious crime and illegal immigration.   There are already limited sharing arrangements in place to support co-operation in crime, security and immigration. Yet with increasing cross-border movement and technological developments there may be benefits in further international sharing of biometrics.  The appropriate safeguards and scrutiny will be essential.

4.4 Technological advances continue at pace to present new opportunities, some of which may be seized initially by the private sector. For example, in the application of facial recognition in social media. New Technologies offer the potential for growth in the UK commercial sector. Through its monitoring of developments in underlying technologies, through horizon scanning of innovative applications and in the independent assessment of claims of suppliers, the Home Office Centre for Applied Science and Technology (CAST) can alert Government to these new opportunities and the challenges they pose.

5)                Should the Government be identifying priorities for research and development in biometric technologies? Why?

5.1 There are some major opportunities for new applications of biometric technologies in identification systems.  These include: more effective use by law enforcement of data available at the scene of crime, whilst preserving the privacy of those not connected with an investigation; improvements in secure, yet usable and reliable, authentication for mobile devices to government, e-commerce and personal applications; and, reliable and fast stand-off recognition for larger numbers of people moving through a transition zone, such as a border exit from the country.  

5.2 To encourage innovation and scientific research, the UK Government sets regular and open, task specific challenges to academic and commercial groups.  This may be done through the Research Councils, Centre for Defence Enterprise or Innovate UK (formerly the Technology Strategy Board). In addition to identifying priorities for research and development, the Government also funds promising low Technology Readiness Level proposals and actively looks to set standards. The Government aims to work with Small and Medium-size Enterprises, universities and suppliers to test new proposals using facilities and data sources which may not be available outside of the relevant department. It also works with other governments in the development of international standards to ensure system interoperability and the operation of a wider market for UK developed products and services.

5.3 In addressing these challenges, there should not be any prescription of the technological solutions within systems. Open standards for data formatting, storage, communication and access will, however, form a critical element of the infrastructure for biometric information, with benefits for interoperability across Government and internationally allowing ease of access whilst maintaining security and data assurance, and increasing the efficiency of existing systems.    The Government plays an active role in the development of open standards.

5.4 In addition to the potential benefits for public protection and the security of an individual’s identify, such applications could provide greater efficiency in the use of resources within the public sector and contribute towards growth in the UK economy.

October 2014