Police collected data should be processed in a cycle of retention, review and disposal if an individual is not convicted. The Scottish Biometrics Commissioner has expressed concern that the volume of police data can not be estimated accurately, bringing into dispute governance challenges.
There are many interpretations of how data might be mis-managed – not calculated, disorganised, or not being destroyed after its use.
Volumes of data are used in policing to record the identities of offenders who commit or who are suspected of committing crimes, with convictions securing the right to retain the data. However, not all biometric or biographic data which is collected at the point an individual is arrested should be held indefinitely if a case is dropped. Police can apply to the Biometrics Commissioner for permission if they wish to retain DNA and fingerprint biometrics from an arrested individual for a period up to 3 years.
The Commissioner commented that at least 3 million images are being held by Police Scotland alone, amounting to a vast collection of personal and sensitive data which should be legally retained and stored securely.
The real estimation of biometric data held by UK police forces was revealed in a report submitted to the Scottish Parliament on 25 March 2024.
This report promotes transparency around the level of protection for police data after it is collected and how it is used, making recommendations of governance in line with the law and policy for biometrics. It also provides astute learnings around good practice and how police should conform to protect public trust in their services.
Commendable data practices were also mentioned about Police Scotland, the Scottish Police Authority, and the Police Investigations and Review Commissioner, however, the suggestions were about improving management of all biometric data types.
These agencies lacked an understanding of the true volume of biometric data they held in complex storage systems and databases, the investigation concluded. The recommendations also stated that agencies should enhance their compliance with SBC Code of Practice and data protection laws and safeguard data within existing systems.
Dr Plastow expressed that governance was needed to reduce data being held longer than necessary without authorisation.
