House of Commons Science and Technology Committee Current and future uses of biometric data and technologies: Government Response to the Committee’s Sixth Report of Session 2014-15 Second Special Report of Session 2015-16 Ordered by the House of Commons to be printed 8 September 2015 HC 455 Publishedo p aned aeem ber 2015 by authorityo f the Ho of Commons London: The Statio Fee Ottee Limited £5.00 Science and Technology Committee The Science and Technology Committee is appointed by the House of Commons to examine the expenditure, administration and policy of the Government Office for Science and associated public bodies. Current membership Nicola Blackwood MP (Conservative, Oxford West and Abingdon) (Chair) Victoria Borwick MP (Conservative, Kensington) Jim Dowd MP (Labour, Lewisham West and Penge) Chris Green MP (Conservative, Bolton West) Liz McInnes MP (Labour, Heywood and Middleton) Dr Tania Mathias MP (Conservative, Twickenham) Carol Monaghan MP (Scottish National Party, Glasgow North West) Graham Stringer MP (Labour, Blackley and Broughton) Derek Thomas MP (Conservative, St Ives) Matt Warman MP (Conservative, Boston and Skegness) Daniel Zeichner MP (Labour, Cambridge) Powers The Committee is one of the departmental Select Committeest,h e powers of which are set out in House of Commons Standing Orders, principally in SO No.152. These are available on the Internet via www.parliament.uk Publications Committee reports are published on the Committee’s website at www.parliament.uk/science and by The Stationery Office by Order of the House. Evidence relating to this report is published on the Committee’s website at www.parliament.uk/science. Committee staff The current staff of the Committee are: Simon Fiander (Clerk); Dr Grahame Danby (Science Clerk); Dr Elizabeth Rough (Committee Specialist); Darren Hackett (Senior Committee Assistant); Julie Storey (Committee Assistant); and Nick Davies (Media Officer). Contacts All correspondence should be addressedto the Clerk of the Science and Technology Committee, House of Commons, London SW1A OAA. The telephone number for general inquiries is: 020 7219 2793;the Committee's e-mail address is: [email protected]. Ae Government Response to the Committee’s Sixth Report of Session 2014-15 1 Second Special Report On 7 March 2015 the Science and Technology Committee published its Sixth Report of Session 2014-15, Current and future uses of biometric data and technologies [HC 734]. On 20 August 2015 we received from the Government a letter and Response to the Report. These are appended below. Appendix 1: Letter from Rt Hon Mike Penning MP, Minister for Policing, Crime, Criminal Justice & Victims I am responding on behalf of the Government to the Committee’s report on the current and future uses of Biometrics issued during the last Parliament. I would like to thank the Committee for its consideration of this issue and I look forward to working with you in the future. I recognise the need to develop a strategic approach to the use and retention of biometrics. This approach should recognise that biometrics is fast-changing and _ provides opportunities for better secure identity verification, better public services, improved public protection and the ability to identify and stop criminals. This should be balanced against safeguarding the rights of the individual from unnecessary intrusion. The Government’s Biometric Strategy will support an aligned approach on the use and retention of biometrics and how its implementation is governed. The Committee flagged 12 conclusions and recommendations. I have set out in an attachment to this letter the Government’s response to each recommendation. Appendix 2: Government response Biometrics is the science of measuring and analysing biological and behavioural characteristics, used to recognise individuals repeatedly to a high degree of confidence. It is therefore reported to be the best way of verifying identities, once they are established by associating people’s biometric and biographical details together. Biometrics are used extensively across Government for the purposes of crime prevention and investigation, protection of the UK’s borders and the delivery of public services. The application of biometrics in public protection provides a high degree of confidence and the increasing use of biometrics by the private sector demonstrates that biometrics could provide a more convenient way of proving identity before accessing services. 2 Government Response to the Committee’s Sixth Report of Session 2014-15 Therefore the Government believes it is important to assess properly the opportunities provided by biometrics for both public protection and citizen convenience, and to weigh these up against public concerns about the use of biometrics as an intrusion of their privacy so that biometrics can be safely used with proper safeguards. We would like to take this opportunity to thank the Science and Technology Committee for their comprehensive report on the current and future uses of biometric data and technologies. We have provided a response to each of the recommendations made by the Committee below. Scientific Advice on Biometrics Recommendation 1: The Foresight Programme's 2013 report on Future Identities was a missed opportunity to examine biometrics and identify the main trends, and the associated challenges, that policy-makers in this field will face in the future. Indeed, it is astounding that biometrics was deemed 'beyond the scope’ of an apparently forward-looking piece of analysis when, three years earlier, the Government had been seeking to rely on biometrics as part of its identity card programme. We agree with the Biometrics Commissioner that this type of forward-looking analysis is desirable. We recommend that Foresight builds on the evidence gathered during this inquiry and undertakes a short, "Policy Futures" study to examine systematically the emerging issues, risks and opportunities arising from developments in biometrics. This analysis should be frequently reviewed in order to keep pace with rapid advances in biometrics and should be applied by the Government to assist its preparations for, and to help it shape, how this field may unfold in the future. The Government Office for Science and its Foresight Programme work with partners across Whitehall to ensure that evidence and strategic thinking inform the policy making process. As part of this work, the Government Chief Scientific Advisor publishes an annual report; this year’s annual report will be on Forensic Science. The report will explore a range of related issues, one of which will be the opportunities and implications of innovations in biometrics. The Government biometric strategy is still in the early stages of development and it is not possible to make firm commitments as to the scope and content at this stage. However we believe that it is likely to consider advances in biometrics and set out a roadmap for how the Government intends to utilise the emerging thinking in this field, both for public protection and citizen convenience. Recommendation 2: Despite a previous assurance from the Government, given over 12 months ago, that the publication of the forensics and biometric policy group's minutes was on the horizon, this has not occurred. As a result, the remit and status of the group, as well as what has Government Response to the Committee’s Sixth Report of Session 2014-15 3 been on its agenda, remain a mystery. This continuing lack of transparency in the delivery of scientific advice to Government on biometrics is unacceptable and goes against the Government's own guidance, as set out in the 2010 Principles of scientific advice to Government. To improve its transparency, we recommend that the remit, membership and outputs of the forensics and biometric policy group should be placed in the public domain immediately. A commitment should also be made to the publication of the minutes of all future meetings, unless there are overriding reasons of national security for not doing so. In response to the Second Report oft he Science and Technology Committee Session 2013- 14 the previous Government said “The Forensic Policy Group within the Home Office is leading on the development oft his strategy and delivery of this strategy will inevitably result in the Forensic Policy Group changing into a wider, more representative group. Once this change has taken place the strategy and minutes of the new group will be published.” As the Committee has noted, that Strategy has not yet been published. In January 2015, the Government made a commitment to gather evidence in order to fully understand the desired outcomes of any strategies and to consider the future requirements. We are currently gathering evidence from police forces and forensic suppliers, consulting a wide range of stakeholders and developing options for inclusion within the strategy. Therefore whilst we are in the development phase, we will not be publishing the outputs of the meetings. We have separated the work into two strategies as discussed below in response to recommendation 3. We remain committed to publishing both the Forensic and Biometric Strategies by the end of 2015 and at that time we will consider future arrangements for overseeing delivery. A Strategy for Biometrics Recommendation 3: The Government undertook to publish a joint forensics and biometrics strategy by the end of 2013. Over a year later, there is no strategy, no consensus on what it should include, and no expectation that it will be published in this Parliament. In its absence, there remains a worrying lack of clarity regarding if, and how, the Government intends to employ biometrics for the purposes of verification and identification and whether it has considered any associated ethical and legal implications. The Government should be developing a strategy that exploits emerging biometrics while also addressing public concerns about the security of personal data and the potential for its use and misuse, with particular reference to biometric data held by the State. We expecta comprehensive, cross-departmental forensics and biometrics strategy to be published by the Government no later than December 2015. 4 Government Response to the Committee’s Sixth Report of Session 2014-15 The Government recognises the need to develop a strategic approach to the use and retention of biometrics. This approach should recognise that biometrics is fast-changing and provides opportunities for better secure identity verification, better public services, improved public protection and the ability to identify and stop criminals. This should be balanced against safeguarding the rights of the individual from unnecessary intrusion. The Government’s biometric strategy and associated policy framework will support an aligned approach on the use and retention of biometrics and how its implementation is governed. Whilst forensics and biometrics both involve the use of science and technology, they are different. The Government is developing two separate but aligned Forensic and Biometric strategies and remains committed to publishing both strategies by the end of 2015. Testing Biometric Systems Recommendation 4: When biometric systems are employed by the state in ways that impact upon citizens’ civil liberties, it is imperative that they are accurate and dependable. Rigorous testing and evaluation must therefore be undertaken prior to, and after, deployment, and details of performance levels published. It is highly regrettable that testing of the ‘facial matching technology’ employed by the police does not appear to have occurred prior to the searchable national database of custody photographs going live. While we recognise that testing biometric systems is both technically challenging and expensive, this does not mean it can be neglected. When testing does occur, the continued use of a variety of testing protocols by suppliers makes it difficult to analyse and compare, with any degree of confidence, the performance of different systems. Following the abolition of the Biometrics Assurance Group, it is unclear who is responsible for interpreting the outcomes of biometric testing for the Government. The Government should explain, in its response to this report, why the facial matching technology employed by the police was not rigorously tested prior to being put into operational use. We further recommend that the Government details what steps it is taking to encourage suppliers of biometric systems to comply with established UK testing standards. Since the introduction of the first National Automated Fingerprint Identification System (NAFIS) biometric specialists in the Home Office and previous NDPB’s (PITO and NPIA) have worked with suppliers and end-users to assure the accuracy of national biometric systems, both as part of the tender process and throughout the life of the contracts. As understanding of biometric technologies has matured, a worldwide consensus has developed on ways of testing systems, resulting in the development of ISO standards. Biometrics experts at the Home Office Centre for Applied Science & Technology (CAST) are working with BSI and ISO to develop international standards for biometric testing which already include ISO 19795— Biometric Performance Testing and Reporting and ISO Government Response to the Committee’s Sixth Report of Session 2014-15 5 TR 29189—Evaluating Examiner Assisted Biometric Systems (of which IDENT1 is an example). To support the development and delivery of the Home Office Biometrics Programme, CAST are working with the Home Office Test and Design Consultancy Services to document the Home Office biometric accuracy testing approach to ensure consistency and transparency across the Home Office. It is expected that this document will be complete by the end of the year. Performance levels of biometric systems cannot be characterised by a single figure. Publicising detailed results of performance is an area requiring careful consideration, as not only is the accuracy testing of large scale biometric systems very complex, so is interpreting the data. System performance is very dependent on the specifics of the application, making direct comparisons between systems difficult and in many cases meaningless. In addition, disclosing details of a system’s limitations may create opportunities for those who wish to subvert it. The Biometric Assurance Group (BAG) was primarily established to assure the ID Cards programme and was ended once the programme no longer required its services (the final BAG meeting was held on 11 June 2009). Responsibility for the design and execution of biometric tests resides with the Senior Responsible Officer of the agency procuring the system, working in conjunction with its suppliers. The extent of testing required is related to the risks associated with the operation of the system. Biometrics specialists within the HO and CAST can advise on the technical design of tests and interpretation of results. Organisations such as the National Physical Laboratory (NPL) offer a testing and evaluation service which industry takes advantage of. CAST also uses NPL services for peer review of its own evaluations. The core facial recognition algorithm used by the Police National Database had already been tested by the US National Institute of Standards and Technology (an agency oft he US Dept of Commerce) and was shown to be one oft he best in terms of accuracy. Experience shows that a critical factor in obtaining good performance is ensuring that the quality of the images is maintained and measures are being implemented to address this. Public Attitudes Recommendation 5: We welcome the Government's commitment to the principle of proportionality when it is considering implementing a biometric application. However, we are not convinced that the Government has clear steps in place—such as conducting mandatory privacy impact assessments—to measure consistently whether or not a specific biometric application is proportionate. We have seen in the past how public trust in emerging technologies may be severely damaged in the absence of full and frank debate. Despite growth in commercial and Government applications of biometrics, the Government appears to have made little 6 GovernmentResponse to the Committee's Sixth Report of Session 2014-15 effort to engage with the public regarding the increasing use of their biometric data, and what this means for them, since the scrapping of the Government's ID card scheme in 2010. This is exactly the type of issue that the Government's joint forensics and biometrics strategy should have addressed. We recommend that the Government sets out, in its response to this report, how it plans to facilitate an open, public debate around the growth of biometric systems. The Biometrics Strategy is currently in development and therefore we cannot make firm commitments regarding the content or scope at this stage. However, we of course understand that there are public concerns around the use and retention of biometrics and we will consider how best to undertake public consultation on this issue as our plans progress. The Home Office sponsors an ethics group to provide scrutiny, challenge and review of ethical issues raised by forensic science, focussed on DNA. We are considering whether the same ethical oversight should be applied to the collection, use and retention of fingerprints and custody images. Data Storage and System Security Recommendation 6: High profile cyber-attacks and data loss incidents have undermined the public's confidence in the ability of both Government and industry to store their data securely. Security considerations should never be an "afterthought" or an optional extra. We welcome the Minister's confirmation that the security of the Government's biometric systems is "bolted on" at the beginning of the design process. However, such assurances alone will do little to diminish the public's concerns while data losses continue to occur. We recommend that, in its response to this report, the Government outlines the steps taken to mitigate the risk of loss, or unauthorised release, of the biometric data that it holds. The Home Office Biometric Programme takes the security of biometrics and associated data very seriously. The Home Office systems currently holding biometric data employ a range of defence in depth measures appropriate to the value of the data. These measures are subject to regular effectiveness reporting and are subject to third-party assurance and annual assessment to ensure their fitness for purpose. The biometrics team use a “secure by design” philosophy where security is considered at the start of the project. A risk discovery process is conducted at the start of a project. The impact of loss and corruption are captured through stakeholder workshops. The threats to the system are then analysed and appropriate controls are defined and implemented. Although the Biometrics Strategy is currently in the early stages of development and we cannot make firm commitments regarding the content or scope, we acknowledge that Government Response to the Committee’s Sixth Report of Session 2014-15 7 security standards and data loss are an important part of biometrics. Therefore we will take account of the Committee’s recommendation as we develop the strategy further. Recommendation 7: Current legislation places responsibility on the institution rolling out a (biometric) system to ensure that appropriate security measures are in place when storing personal data. However, we are concerned that there is no proactive, independent oversight of whether this is occurring. Conducting a privacy impact assessment at the outset of all projects and policies that collect, retain or process personal data would help to ensure that those implementing a biometric system are fully aware of, and compliant with, the necessary security measures. We therefore reiterate the recommendation made in our report, the Responsible Use of Data, that privacy impact assessments should be conducted at the outset of all projects and policies that collect, retain or process personal data, including biometric data. The Information Commissioners Office (ICO) Code of Practice provides guidance as to when a Privacy Impact Assessment (PIA) should be undertaken, whilst making it clear that carrying out a PIA is not a requirement of the Data Protection Act (DPA). The ICO encourages Government departments to ensure that privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle to ensure that potential problems are identified at an early stage. PIAs are widely carried out across Government where personal data is collected, transferred or stored, including at the Home Office. Internal guidance sets out the process for all staff to follow to ensure that risks to privacy are considered an early stage to protect individuals’ data and safeguard their rights of privacy. We believe that assessing and managing risks to privacy is crucial to the strategic and operational management of the Department. The Home Office has previously conducted PIAs in respect of biometrics. Prior to the launch of Mobile ID, a PIA was conducted in 2009 and this was updated in 2012. In addition, as part of the Government's data science programme, we are developing an ethical framework to ensure we maximise the use of the greater amount of available data to create insight that can improve public policy and government operations, in a way that the public would understand and feel comfortable with. Recommendation 8: In our opinion, under no circumstances should the state roll out a biometric system that does not provide any scope for human intervention. In the interests of greater transparency of data collection and use, we reiterate our earlier recommendation; namely that the Government drives the development of a set of information standards that companies can sign up to, under which they commit to explain to individuals their plans for the use of personal data (including biometric data), in clear, concise and simple terms. 8 GovernmentResponse to the Committee's Sixth Report of Session 2014-15 The Government considers that consumer awareness and trust in how personal information is used by companies can provide benefits and reassurance to both businesses and citizens. The Government is working with the Digital Catapult and the British Standards Institution, along with businesses and consumer representative bodies, to develop a “Trust Framework’ for commercial use of personal data. The Framework is being designed to give consumers more clarity anda greater level of control on how their data is collected, stored and used by companies. The Digital Catapult is looking to run a number of pilot projects over 2015, with the aim of completing the initial stages of the Framework by March 2016. The government appointed a Chief Data Officer in March 2015, supported by a Government Data Standard to ensure transparency in the use of data by Government, and a common approach to data that is consistent with relevant legislation.