5.Subsection (1) of section 1 of the Act establishes the office of Scottish Biometrics Commissioner. Subsection (2) introduces schedule 1 which makes detailed provision for the status, remuneration and terms of appointment of the Commissioner, as well as various matters of an administrative nature relating to the Commissioner.
6.Section 2 provides for the Commissioner’s general function. The general function is to support and promote the adoption of lawful, effective and ethical practices in relation to the acquisition, retention, use and destruction of biometric data by Police Scotland, the SPA and the PIRC. It also allows the Scottish Ministers to amend, by regulations, the list of persons subject to the Commissioner’s functions by adding, removing or varying a person or description of a person It should be noted that “person” is defined widely in schedule 1 of the Interpretation and Legislative Reform (Scotland) Act 2010 and includes bodies as well as individuals, whether or not incorporated. However, the Commissioner’s remit extends only to criminal justice and policing, so any person with a range of functions added to the list in section 2(1) would be subject to the Commissioner’s functions only in respect of the handling by that person of biometric data for criminal justice and police purposes.
7.This section goes on to specify that the Commissioner’s general function does not extend to biometric data in relation to which the Commissioner for the Retention and Use of Biometric Material (“CRUBM”) has a function under section 20 of the Protection of Freedoms Act 2012 – which provides that the CRUBM must keep under review national security determinations, including determinations made under section 18G of the Criminal Procedure (Scotland) Act 1995. A national security determination is made if the chief constable determines that it is necessary for biometric data to be retained for the purposes of national security. The CRUBM must keep under review the uses to which the biometric data retained pursuant to a national security determination is being put. As regards Scotland, the CRUBM has a general function of keeping under review the retention and use of biometric data not subject to a national security determination where the data is collected using powers in the Terrorism Act 2000 or the Terrorism Prevention and Investigation Measures Act 2011.
8.Section 2 requires that in exercising the Commissioner’s general function, the Commissioner is to keep under review the law, policy and practice relating to the acquisition, retention, use and destruction of biometric data by Police Scotland, the SPA and the PIRC. The Commissioner is to promote public awareness and understanding of the powers and duties of those bodies in relation to biometric data, how those powers and duties are exercised and how those powers and duties may be monitored or challenged. In exercising those functions, the Commissioner is to have regard to technologies used or capable of being used for the purpose of acquiring, retaining, using or destroying biometric data. The Commissioner must also promote, and monitor the impact of, a code of practice.
9.The Commissioner’s powers relate to biometric data which is acquired, retained, used or destroyed for criminal justice or police purposes. Although the terms “criminal justice purposes” and “police purposes” are not defined, the latter would include any activities which the police legitimately undertake. This goes beyond just the prevention and detection of crime. It would therefore also cover, for example, work the police do to help identify a dead body (even where the death has not been categorised as suspicious). It would also cover work the police do to investigate an act carried out by a child who is below the age of criminal responsibility.
10.Under subsection (5), the Commissioner may carry out, commission or support any research the Commissioner considers appropriate. The Commissioner may also make recommendations concerning any matter relevant to their general function.
11.In exercising the Commissioner’s general function, the Commissioner is to have regard to the interests of particular groups – these are children and young people (those aged under 18 years) and vulnerable persons. Vulnerable persons are those who may have difficulty understanding why and how their biometric data is being processed by the police, the SPA or the PIRC.
12.Section 3 allows the Commissioner to consult, assist or work jointly with a prescribed list of bodies, as well as anyone else the Commissioner considers appropriate, at their discretion. This (like all other sections) is subject to the Commissioner’s general function, so that work could only be undertaken if it would further the objectives of the Commissioner.
13.Section 4 permits the Commissioner to do anything which appears to the Commissioner to be necessary or expedient to the carrying out of their functions, such as entering into contracts, acquiring or disposing of land or obtaining advice, assistance or any other service from a third party (such as legal advice from a solicitor). However, this is subject to the caveat that the Commissioner may only pay a person for advice, assistance or for any other service with the approval of the Scottish Parliamentary Corporate Body (“the SPCB”). This gives the SPCB a role in approving the appointment of a person to provide advice or other service to the Commissioner.
14.Section 5 requires the Commissioner to comply with any direction given by the SPCB in respect of the following: the location of the Commissioner’s office; the sharing of staff, premises, resources or services with other public offices or bodies; the form and content of the Commissioner’s annual report (which will cover relevant issues arising during the year, the Commissioner’s activities during the year and any recommendations arising from that activity); and the process to be followed in appointing members of the advisory group established under section 33. Any such direction is to be made publicly available by the SPCB.
15.However, the Commissioner is only subject to possible control by the SPCB to the extent explicitly specified. Aside from these specified matters (which do not infringe upon the core job of having oversight of the use of biometric data for criminal justice and police purposes), the Commissioner is not an agent of the Crown and there is no general obligation to comply with directions. The Commissioner is therefore independent and is not subject to the general control of the Parliament, the Government, or the SPCB.
16.Subsection (1) of section 6 of the Act requires the Scottish Ministers to prepare, publish and lay before the Scottish Parliament a report on the Commissioner’s functions. This must be done within one year of the expiry of the period covered by the Commissioner’s first strategic plan under section 28. In preparing such a report, subsection (2) requires the Scottish Ministers to consult such persons as they consider appropriate. Subsection (3) requires the Scottish Ministers to consider whether the functions of the Commissioner remain appropriate and whether the list of bodies subject to the Commissioner’s functions and the list of bodies subject to the code of practice should be amended.
17.Following on from the first report, subsection (4) requires the Scottish Ministers to prepare, publish and lay before the Scottish Parliament within every five year period thereafter either another report or a statement as to why a report has not been prepared. If the Scottish Ministers are of the view that there is no need to prepare and publish a report then they must publish and lay before Parliament a statement setting out why they consider such a report to be unnecessary. However, that option is not available in relation to the first report provided for by subsection (1). Subsection (5) makes it clear that the requirements placed on Scottish Ministers under subsections (2) and (3) (in relation to consultation and the content of any report) apply to subsequent reports as they apply to the initial report. Subsection (6) provides the meaning of “relevant document” for the purpose of subsection (4).
18.Section 7 provides that the Commissioner must, in furtherance of the Commissioner’s general function in section 2(1), prepare, and may from time to time revise, a code of practice on the acquisition, retention, use and destruction of biometric data for criminal justice and police purposes. Anything that the Commissioner does, including preparing the code of practice, should be in furtherance of their general function. This therefore reiterates that the Commissioner must prepare a code that supports and promotes the adoption of lawful, effective and ethical practices in relation to the acquisition, retention, use and destruction of biometric data for criminal justice and police purposes.
19.Subsection (2) requires that the code of practice must include provision about when biometric data must be destroyed in cases where a relevant enactment does not make such provision. When making such provision in the code, the Commissioner must have regard to the provision made by relevant enactments. The purpose of these provisions is to ensure that provisions in the code regarding the destruction of biometric data do not duplicate or conflict with existing provisions regarding the destruction of biometric data. The term “relevant enactments” is defined in subsection (6). It should be noted that under section 14 of the Interpretation and Legislative Reform (Scotland) Act 2010, this definition also covers any other any enactments which apply any of the listed enactments. For example, this means that paragraph 7 of schedule 4 of the International Criminal Court (Scotland) Act 2001 (which applies section 18 of the Criminal Procedure (Scotland) Act 1995 – which forms part of Part 2 of that Act) would also be a relevant enactment.
20.Subsection (5) provides that sections 8, 10 and 12 apply to a revised draft code of practice prepared under subsection (1) as they would apply to a draft code of practice. This means that various rules about drafting and seeking approval for the code apply equally to drafting and seeking approval for any revised code. In addition, section 36 (interpretation) provides that, unless the context requires otherwise, a reference to the “code of practice” means the code for the time being in effect. That means that any provision in the Act about matters such as what the code of practice must contain applies equally to any revised code of practice.
21.Section 8 of the Act requires the Commissioner to have regard to the importance of certain matters listed in that section when preparing the code of practice. By virtue of section 7(5), this applies equally when revising the code of practice.
22.Subsection (1) of section 9 states that the constables and police staff of Police Scotland, the SPA and the PIRC must comply with the code of practice when exercising functions to which the code relates. Subsection (2) provides that a court or tribunal in civil or criminal proceedings must take the code of practice into account when determining any question to which the code is relevant. Subsection (3) provides that a failure by any persons listed under section 9(1) to comply with the code of practice does not itself give rise to grounds for any legal action (though it may give rise for grounds for the issuing of a compliance notice under section 23). Subsection (4) provides an enabling power for the Scottish Ministers to amend, by regulations, the list of persons who must have regard to any code of practice at subsection (1) – by adding, removing or altering a person or description of person. As noted at paragraph 6 above in relation to section 2, the term “person” has a wide meaning and includes bodies as well as individuals. Such regulations are subject to the affirmative procedure under section 37(2).
23.Subsection (1) of section 10 lists a set of prescribed consultees whom the Commissioner must consult in preparing a draft code of practice prior to the process for approval of the code proceeding further under section 11 or (in the case of a code that is not the first code) 12. By virtue of section 7(5), this required consultation process applies equally when revising the code of practice. Subsection (1)(m) also allows the Commissioner to use their discretion to also consult anyone else they consider appropriate. Subsection (2) states that any consultation which was undertaken with consultees remains valid even if such consultation took place before this section came into force. This ensures that, once appointed, the Commissioner will be able to begin work on the code straight away.
24.Section 11 of the Act sets out the further procedures which will apply in relation to the first code of practice prepared by the Commissioner. Subsection (1) requires the Commissioner to first submit a copy of the draft code of practice to the Scottish Ministers for approval. Having gained the approval of the Scottish Ministers to the code, the Commissioner must then lay the draft code before the Parliament for consideration. Subsection (2) requires the Commissioner to have regard to any representations made to them within 60 days of laying the draft code of practice. Representations can then be made to the Commissioner by anyone though in practice it is likely that the primary source of representations will be parliamentarians. Subsection (3) provides that, in calculating the 60 day period, no account is to be taken of instances when the Parliament is dissolved or is in recess for more than four days. The additional parliamentary scrutiny and procedural steps which apply to the first code of practice under section 11 operate in addition to the requirement that any code can only be brought into effect by the Parliament approving affirmative regulations under section 13.
25.Subsections (1) to (3) of section 12 of the Act set out the arrangements for the approval process for the code of practice once the Commissioner has finalised a draft code after undertaking the consultation process set out above. The Commissioner must submit a copy of the draft code to the Scottish Ministers for approval. Should the Scottish Ministers decide not to approve the draft code, they must provide their reasons to the Commissioner. Any modifications made to the draft code by Scottish Ministers require to be agreed with the Commissioner. By virtue of section 7(5), this approval process applies equally when revising the code of practice. Steps can then be taken under section 13 to bring the approved draft code into effect.
26.Section 13 states that any code of practice approved under section 12(2) has no effect until the day appointed for the code by regulations made by the Scottish Ministers. Such regulations are subject to the affirmative procedure under section 37(2). While the regulations will not contain the code, the Scottish Ministers must lay a copy of the code before the Scottish Parliament at the same time as the regulations are laid. This is to ensure that the Parliament has the opportunity to consider the code of practice before approving the regulations that bring the code into effect. Once the date for coming into force has been approved by regulations, the Commissioner must publish the code.
27.Section 14 provides that the Commissioner must keep the code of practice under review, prepare and publish a report on their findings, and lay a copy of such a report before the Scottish Parliament. It also provides that the first such report must be laid by the Commissioner before the Parliament no later than three years after the date on which the first code is brought into effect. Any subsequent reports are to be laid before the Parliament no later than four years after the date on which the last report was laid.
28.Subsection (1) of section 15 of the Act requires the Commissioner to establish and retain a procedure by which an individual, or their representatives, can make complaints or other representations to the Commissioner about a breach of the code of practice in relation to that individual’s biometric data. Subsection (2) provides that the procedure is to be available whether or not the individual has already instigated a complaint through the complaints mechanism of the body they are complaining about. In determining the complaints procedure, the Commissioner is to consult various persons under subsection (3). Under subsection (4), the Commissioner must publicise the procedure as the Commissioner considers appropriate and provide a copy of the procedure to anyone who asks for it. Subsection (5) provides that the Commissioner must keep the procedure under review and vary it whenever the Commissioner considers it appropriate to do so, having first consulted the prescribed consultees. Subsection (6) ensures that the rules about the availability of the procedure and the requirement to keep it under review and vary it as necessary apply equally to the revised procedure as they do to the initial one.
29.Section 16 provides the Commissioner with the power to require the production of information from Police Scotland, the SPA and the PIRC (or from any other person who the Commissioner’s functions are subsequently expanded to cover) in order to determine whether the bodies subject to the code of practice are complying with it, or for the purpose of exercising any of the Commissioner’s other functions. When seeking information, the Commissioner is to specify the following: what information is to be supplied; the form the information is to be provided in; the date by which information is due; the place where a person is to supply any information which is to be supplied by personal statement; and the matters to which the information relates. Under subsection (3) a person is exempt from providing information to the Commissioner where, for example, that information would be covered by legal privilege or incriminate that person in a crime. Subsection (4) allows the Commissioner to change their mind and cancel (by notice in writing) an information request. Subsection (5) makes clear that unrecorded information, such as an oral statement, is information for the purposes of section 16. This means that information must be provided even if there is no written record of it.
30.Section 17 enables the Commissioner to apply to the Court of Session where any person to whom an information notice has been given does any of the following: refuses or fails to comply with any requirement specified in the notice; refuses or fails to answer any question asked by the Commissioner; or alters, suppresses, conceals or destroys any information that they have been told to produce. There is an exemption where there is a reasonable excuse for having done any of these things. The Commissioner may also apply to the Court if they believe a person is likely to do any of these things (without reasonable excuse). After receiving an application and hearing any evidence or representations on the matter, the court may make such an enforcement order as it considers appropriate and/or deal with the matter as if it were a contempt of court. This recourse to the court provides a way (subject to appropriate safeguards) for the Commissioner to obtain information from bodies to which the Commissioner’s functions and the code of practice apply.
31.Section 18 provides that an oral or written statement made by a person required to provide it under section 16 is not admissible in any criminal proceedings against that person. The effect of this is that individuals cannot incriminate themselves when responding to a requirement to provide information.
32.Section 19 contains a confidentiality provision that covers the following: the Commissioner (including any former Commissioners); the Commissioner’s staff (or past staff); and an agent (or former agent) of the Commissioner. These persons would be guilty of an offence if they knowingly disclosed information which had been obtained in the course of the Commissioner’s activities, knowing that the information is not at the time of disclosure, and has not previously been, in the public domain. There is an exception under which disclosure is authorised where it is made with the consent of the person from whom the information was obtained, or where it is necessary for the purposes of exercising the Commissioner’s functions, or where it is made for the purposes of legal proceedings (whether criminal or civil – and including the purposes of the investigation of any offence or suspected offence). A person guilty of an offence is liable to a fine on summary conviction or conviction on indictment. The fine on summary conviction is up to the statutory maximum, which is defined in schedule 1 of the Interpretation and Legislative Reform (Scotland) Act 2010 as the prescribed sum under section 225(8) of the Criminal Procedure (Scotland) Act 1995 (currently £10,000). The fine on indictment can be unlimited as section 211(1) of the 1995 Act makes any fine on conviction on indictment unlimited.
33.Subsection (1) of section 20 requires the Commissioner to publish a report about a failure to comply with the code of practice, unless the failure is sufficiently minor not to merit a report. Subsection (2) provides that the Commissioner may prepare and publish a report about any other matter relating to the Commissioner’s functions. A report under subsection (1) or (2) may include recommendations on matters mentioned in subsection (5).
34.Subsection (3) requires the Commissioner to lay a copy of a report published under subsection (1) or (2) before the Parliament. Subsection (4) makes clear that one report can cover several separate failures to comply with the code of practice by different persons. Subsection (6) provides that sensitive information must be withheld in a report. This means information cannot be included in a report on the grounds that to do so would or might be unlawful, would or might prejudice the administration of justice or would otherwise be contrary to the public interest.
35.Section 21 provides that where the Commissioner’s report under section 20 includes a recommendation addressed to a person in relation to whom the Commissioner has functions under section 2(1), and that recommendation relates to technologies used or capable of being used to acquire, retain, use or destroy biometric data, the Commissioner must impose on the person a requirement to respond to that recommendation.
36.Where a report includes a recommendation that does not relate to technologies used or capable of being used to acquire, retain, use or destroy biometric data, the Commissioner can choose whether or not to impose a requirement to respond to that recommendation.
37.Where a requirement to respond to a recommendation in a report is imposed by the Commissioner, the Commissioner must give a copy of the report to the relevant person, and the person must respond in writing by the deadline set by the Commissioner. The written response must set out the actions which the person has taken, or will take, to respond to the recommendation, or the reasons why the person has decided not to implement the recommendation (in cases where the recommendation is not being implemented either in full or in part).
38.This section requires the Commissioner to publish any response to a recommendation contained in a report, and to lay the published response before the Parliament, unless there is a reason it would be inappropriate to do so. In particular, in publishing a response, the Commissioner is (so far as reasonably practicable) to have regard to the same considerations as set out in section 20(6) – namely, the need to withhold information where the Commissioner considers that to include it would or might be unlawful, would or might prejudice the administration of justice, or would not be in the public interest. The Commissioner is also permitted to publicise any failure to respond in a way which the Commissioner considers appropriate.
39.Subsection (1) of section 23 enables the Commissioner to issue a compliance notice to a person who the Commissioner considers has failed, or is failing, to comply with the code of practice. Subsection (2) defines what is meant by a ‘compliance notice’: this is a notice requiring the person to whom it is addressed to take specified steps to address the failure to comply. This may be a case of taking steps to remedy the breach or, where the breach is not one that is capable of being remedied, it may be a case of taking steps to avoid a similar future breach.
40.Paragraphs (a) to (f) of section 24 specify the content which must be included in any compliance notice issued by the Commissioner. This will include, crucially, an explanation of why the notice has been issued, the steps the person is to take, and an explanation of the possible consequences if there is not compliance with the notice.
41.Subsection (1) of section 25 enables the Commissioner to vary a compliance notice to allow more time for compliance or, with the consent of the person to whom the compliance notice was issued, to change the steps that are required to be taken. Subsection (2) clarifies that a compliance notice can only be varied before the deadline for taking the steps specified in the compliance notice has passed. This prevents a compliance notice from being modified retrospectively, after the deadline for compliance with it has already passed. Subsection (3) specifies how in practice the Commissioner can vary a compliance notice.
42.Subsection (1) of section 26 enables the Commissioner to revoke a compliance notice if the Commissioner so wishes. Subsection (2)(a) provides that the revocation of a compliance notice can only take place before the steps specified in the compliance notice have been taken. This prevents a compliance notice from being revoked after completed action has already been taken specifically because the notice required it. Subsection (2)(b) provides that a compliance notice can only be revoked by the Commissioner by giving notice in writing to that effect to the person to whom the compliance notice was issued.
43.Subsection (1) of section 27 enables the Commissioner to report a refusal or failure, without reasonable excuse, to comply with a compliance notice to the Court of Session. Subsection (2) allows the court, after hearing evidence or representations on the matter, to make an order to enforce the compliance notice and/or deal with the refusal or failure to comply with the notice as if it were contempt of court. Under section 17, the court can also do both of these things in relation to a failure or refusal to comply with an information notice.
44.Section 28 requires the Commissioner to prepare and publish a strategic plan covering a four year period, and to lay the plan before the Scottish Parliament before the beginning of the said four year period. The first four year period is to commence on 1 April in the year following the coming into force of this section, and then each subsequent period of four years will also be covered by a strategic plan. Section 40(4) includes a power to allow the commencement regulations to amend this section to specify the date on which the first four year period is to begin, so that the section will act as an easy reference point.
45.Each strategic plan must set out the Commissioner’s objectives and priorities for the four year period and how they plan to achieve them, what the costs will be, and the timescale applicable. The Commissioner is able to review and revise the strategic plan at any time, and any such revised plan is subject to the same rules on publication and laying. However, it should be noted that revising a plan will not alter when the four year period begins and ends. Accordingly, a revised plan only needs to contain information relating to the remainder of the four year period in question, but it must cover the same topics. Before publishing a plan or a revised plan, the Commissioner is to consult on a draft on it with the SPCB and anyone else the Commissioner considers appropriate. This gives the SPCB an opportunity to comment on the strategic objectives and priorities of the Commissioner before a strategic plan is published and laid before the Parliament. Who else it will be appropriate to consult will likely depend on the proposals under consideration.
46.Section 29 requires the Commissioner to prepare a budget before the start of each financial year and seek the approval of the SPCB by such a date as the SPCB determines. Under subsection (2), the Commissioner may seek to revise the budget during the year by submitting revised proposals to the SPCB for approval. When preparing a budget or a revised budget, the Commissioner is required to ensure that resources will be used economically, efficiently and effectively and must, under subsection (4), certify this in any budget or revised budget proposal.
47.This section requires the SPCB to designate either the Commissioner or a member of the Commissioner’s staff as the accountable officer. The functions of the accountable officer are set out in subsection (2) and include: the signing of the accounts; ensuring that the finances are kept in good order; and ensuring that resources are used economically, efficiently and effectively. Subsection (3) provides a degree of protection for an accountable officer who is not also the Commissioner should they be required to act in any way which is inconsistent with their responsibilities. Before any such action can be taken, the accountable officer must obtain written authority from the Commissioner and send a copy of the authority to the Auditor General for Scotland as soon as possible. Under subsection (4), the accountable officer is directly answerable to the Parliament for the exercise of those functions specified in subsection (2).
48.Section 31 sets out the accounting and auditing requirements that apply to the Commissioner. The Commissioner must keep proper accounts and accounting records and prepare annual accounts for each financial year. A financial year is defined in schedule 1 of the Interpretation and Legislative Reform (Scotland) Act 2010 and is a year ending with 31 March. In fulfilling these duties, the Commissioner must comply with any directions given by the Scottish Ministers, who are responsible for such matters under section 19 of the Public Finance and Accountability (Scotland) Act 2000.
49.Under subsection (1)(c) of section 31 of the Act, a copy of the accounts are to be sent to the Auditor General for Scotland for auditing. The provisions of sections 21 and 22 of the 2000 Act then require the Auditor General to audit the accounts or appoint someone suitably qualified to do so. It also requires the accounts to be sent to the Auditor General not later than 6 months after the end of the financial year in question. Once the accounts have been audited, the 2000 Act makes provision for them to be sent to the Scottish Ministers, whereupon Ministers are required to lay them before the Parliament within 9 months of the end of the financial year in question.
50.Under subsection (3) of section 31 of the Act, the Commissioner must make a copy of their audited accounts available for inspection, free of charge, to anyone on request.
51.Section 32 requires the Commissioner to prepare and publish a report on the Commissioner’s activities each financial year, which must include a review of what the Commissioner has done to fulfil each of their functions, a review of issues which have been identified by the Commissioner as being relevant to the use of biometric data in the criminal justice and policing context, and any recommendations in relation to those issues. While not a requirement, it would be open to the Commissioner to also outline work to be undertaken in the following reporting year. The SPCB could direct that the annual report is to include a forward-look, using its powers under section 5. The report is to be laid before the Parliament within seven months of the last day of the financial year to which the report relates – meaning by 31 October.
52.Subsection (1) of section 33 requires the Commissioner to establish and maintain an advisory group. Under subsection (2) the purpose of the group is to give the Commissioner advice and information about matters relating to the Commissioner’s functions. Subsection (3) provides that the members of the group are to be chosen by the Commissioner. However, this is subject to the proviso that it is for the SPCB to approve the number of members of the group and the persons to be appointed as members. Subsection (4) allows the Commissioner to pay members of the group such remuneration and allowances as the Commissioner, with the approval of the SPCB, determines. Subsection (5) makes it clear that the procedure of the group is to be such as the Commissioner determines.
53.This section defines what is meant by the term “biometric data” where it appears in the Act. For the purposes of this Act, biometric data means information about an individual’s physical, biological, physiological or behavioural characteristics which may establish the identity of an individual, either on its own or when combined with other information of a biometric or non-biometric nature. The reference to combining information with other information means that something like a partial fingerprint is still treated as biometric data. In addition, because the definition is about “an individual” generally rather than the particular individual in question, information such as DNA would be biometric data even where it is taken from an individual who is an identical twin (and whose biometric data is therefore not unique in this regard).
54.Information about a person’s physical characteristics would include data that would facilitate facial recognition. Information about a person’s biological characteristics would include a DNA profile, which can be derived from blood, saliva, hair etc. Information about a person’s physiological characteristics would include vein patterns. Information about a person’s behavioural characteristics would include an analysis of that person’s gait or speech pattern. A number of examples of biometric data are given in the Act, but these are examples only and are not exhaustive. It should be noted that the definition covers both the material itself and the information which is derived from it.
55.Section 35 enables the Scottish Minsters to, by regulations, change or clarify the meaning of biometric data in section 34 of the Act. This allows the definition of biometric data to be kept relevant in an environment where change is fast-paced. This power is subject to the affirmative procedure under section 37(2).
56.Section 36 provides the definition of various terms used in the Act: “code of practice”, “Commissioner” and “Parliamentary corporation”.
57.Subsection (1) of section 37 provides that regulations made under the Act may include incidental, supplementary, consequential, transitional, transitory or saving provision and may make different provision for different purposes. Under subsection (2), any regulations made by Scottish Ministers under section 2(7), section 9(4), section 13(1) and section 35 are subject to the affirmative procedure (as to which, see section 29 of the Interpretation and Legislative Reform (Scotland) Act 2010). Subsection (3) provides that the procedure for regulations making ancillary provision under section 38 depends upon whether or not the regulations modify the text of primary legislation. Subsection (4) provides that this section does not apply to commencement regulations under section 40(2).
58.This section enables the Scottish Ministers, by regulations, to make incidental, supplementary, consequential, transitional, transitory or saving provision in connection with the Act or any regulations made under it.
59.Section 39 introduces schedule 2 which amends enactments in order to bring the Commissioner within their provisions.
60.Subsection (1) of section 40 provides that this section and sections 37 (regulations), 38 (ancillary provision) and 41 (short title) come into force on the day after Royal Assent. Subsection (2) provides that the rest of the Act will come into force on such day as the Scottish Ministers by regulations appoint. Subsection (3) provides that regulations made under this section may include transitional, transitory or saving provision and may make different provision for different purposes. Subsection (4) sets out that commencement regulations may amend section 28(6)(a) so that a date for the beginning of the first four year period for a strategic plan is specified, instead of a description of a date, once the date of commencement of section 28 is known.
61.Section 41 provides that the short title of the Act is the Scottish Biometrics Commissioner Act 2020.
62.Schedule 1 makes detailed provision concerning the appointment, status, disqualification, terms of office and remuneration, pension and subsequent appointments of the Commissioner. It also provides for the ability to fill the role on a temporary basis, as well as for the appointment of other staff.
63.Paragraph 1 of the schedule provides that the Commissioner is not to be regarded as being a servant or agent of the Crown. In addition, the Commissioner’s status is that of a juristic person distinct from the natural person holding the office of Commissioner. The Commissioner’s staff are not to be regarded as civil servants. Given that the Commissioner is not a Crown servant or agent, it follows that the Commissioner’s property belongs to the Commissioner (as Commissioner) and not to the Crown.
64.Paragraphs 2 and 3 provide for the following: that the Commissioner will be appointed by the Queen on the nomination of the Scottish Parliament; that a Commissioner may serve only one term of office; and that a person is disqualified from being appointed Commissioner if at the time of the appointment or in the year preceding the appointment, the person is or has been a member of the Scottish Parliament, of the European Parliament, of the House of Commons or of the House of Lords. This is to ensure that the Commissioner is free from political influence given that the role will involve scrutinising laws over which these institutions have influence or control. Provision is also made to disqualify employees, office-holders or members of any body listed under section 2(1) of the Act. This is to prevent anyone being appointed as Commissioner who currently is (or has recently been) a member, employee or appointee of the bodies which the Commissioner is to monitor. These disqualification criteria continue to apply during the Commissioner’s time in office (see paragraph 5(1)(b) of the schedule).
65.Under paragraph 4, a Commissioner may hold office for a single term of up to eight years, as determined by the SPCB at the time of appointment. This is consistent with the tenure arrangements set out in the Scottish Parliamentary Commissions and Commissioners etc. (Scotland) Act 2010.
66.Paragraph 5 sets out the circumstances under which a Commissioner’s appointment may terminate early. A Commissioner may resign, or may become disqualified from holding office under paragraph 3. The Commissioner can also be removed from office where either the SPCB is satisfied that the Commissioner has breached their terms and conditions of appointment and the Parliament resolves to remove the Commissioner as a result, or where the Parliament resolves that it has lost confidence in a Commissioner’s willingness, suitability or ability to perform the Commissioner’s functions. A resolution in either scenario requires the support of at least two thirds of (normally) the total number of members of the Parliament. However, the number of votes required is based on the number of seats, so the percentage does not reduce if a seat is temporarily vacant pending a by-election.
67.Paragraph 6 provides that the validity of any acts of the Commissioner is unaffected by any procedural defects in the Parliament’s nomination or by the Commissioner subsequently becoming disqualified from acting as the Commissioner.
68.Paragraph 7 enables the SPCB to set and pay such remuneration, allowances, pension and gratuities to the Commissioner as it determines. It will be for the SPCB to decide whether payments are made and the amounts of any payments. The SPCB must indemnify the Commissioner for liabilities incurred by the Commissioner in the exercise of their functions.
69.Paragraph 8 sets out restrictions on subsequent appointments held by a Commissioner once they have left office. Unless permission is granted by the SPCB, a former Commissioner may not, within the specified period, subsequently be any of the following: be employed or appointed in any capacity by the Scottish Biometrics Commissioner; be a member, an employee or appointee of Police Scotland, the SPA or the PIRC; hold any other office, employment or appointment or engage in any other occupation which that person could not have held or engaged in under paragraph 9(2)(a) when they were the Commissioner. Paragraph 9(2)(a) covers any specific absolute prohibitions on simultaneous appointments which are contained in the Commissioner’s terms and conditions. The restrictions under paragraph 8 run from the date of leaving office until the end of the financial year following the one in which the person ceased to be the Commissioner. Therefore, if the Commissioner left office on 1 December 2021, the restriction would subsist until 31 March 2023. The restriction in paragraph 8(1) is in place to avoid a subsequent appointment being seen to compromise the independence of the Commissioner. For example, this could arise if a former Commissioner were to become an office-holder of an authority which they would have been able to investigate when in post as the Commissioner. Accordingly, while the restriction under paragraph 8(1)(b) currently applies to Police Scotland, the SPA and the PIRC, if the persons over which the Commissioner has functions are changed in future under section 2(7) then this will automatically flow through to this provision.
70.Under paragraph 9, the SPCB may determine the terms and conditions of the Commissioner’s appointment insofar as not already set out in the Act, including prohibiting the Commissioner from holding any other office, employment or appointment – or requiring that the Commissioner first obtain the approval of the SPCB before holding any other office, employment or appointment. Again, this is to avoid an appointment being seen to compromise the independence of the Commissioner.
71.Paragraph 10 makes provision for the appointment of a temporary Commissioner to hold the office either during a period when the post is vacant or where the Commissioner is unable to perform their functions. During that period, the SPCB may appoint as temporary Commissioner a member of the Commissioner’s staff or another person who is not disqualified from holding the post under paragraph 3 of this schedule. However, staff are exempted from the normal disqualification provisions to allow for greater flexibility and in recognition of the short-term nature of the appointment. The SPCB will determine the terms, conditions and duration of the appointment and may relieve the individual from the post at its discretion (by notice in writing), or at the request of the individual.
72.Paragraphs 11 and 12 allow the Commissioner to appoint staff, subject to the consent of the SPCB as to the numbers, and to determine their terms and conditions subject to the approval of the SPCB.
73.Paragraph 13 allows the Commissioner to pay pensions, allowances and gratuities to current or former members of staff, including the establishment of one or more pension schemes and the payment of allowances or gratuities by way of compensation for loss of employment. Approval for such arrangements must be obtained from the SPCB.
74.Under paragraph 14, while the Commissioner can delegate any function to any person, ultimately the Commissioner remains responsible for the performance of those delegated functions. Having delegated functions, the Commissioner is still able to decide to perform those functions personally.
75.Paragraph 1 of schedule 2 adds the Commissioner to the list of authorities in schedule 2 of the Scottish Public Services Ombudsman Act 2002 (“the 2002 Act”). The effect is to:
make the Commissioner open to investigation by the ombudsman (see section 5 of the 2002 Act),
oblige the Commissioner to have a complaints handling procedure that complies with the statement of principles published by the ombudsman under section 16A of the 2002 Act,
permit the Commissioner to be made subject to the further requirement to have a complaints handling procedure that complies with a model complaints handling procedure prepared by the ombudsman, per sections 16B and 16C of the 2002 Act.
76.Paragraph 2 of schedule 2 adds the Commissioner to the list of Scottish public authorities in schedule 1 of the Freedom of Information (Scotland) Act 2002. This means that the Commissioner will be subject to the requirements which that Act places on public bodies, including requirements to provide information to the public on request and to have in place a scheme for the pro-active publication of information it holds.
77.Being a public authority within the meaning of the Freedom of Information (Scotland) Act 2002 also makes the Commissioner a “Scottish public authority” to which the Environmental Information (Scotland) Regulations 2004 apply.
78.It also means that the Commissioner falls within the definition of a “public body” under section 44 of the Climate Change (Scotland) Act 2009. This means that the Commissioner must act in a way calculated to contribute to the delivery of climate change targets and any climate change adaptation programme and in the way that the Commissioner considers is most sustainable. The Commissioner can also be made subject to further climate change duties, including reporting duties.
79.In addition, as a public authority within the meaning of the Freedom of Information (Scotland) Act 2002, the Commissioner is a “public authority” or “public body” for the purposes of the General Data Protection Regulation by virtue of section 7 of the Data Protection Act 2018 (subject to the power under that section to remove that status not being exercised). The General Data Protection Regulation (also commonly referred to by the acronym “GDPR”) is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. There are particular rules applied to bodies classified as “public authorities” (over and above those applied to all data processors) in the GDPR and the Data Protection Act 2018. An analysis of those rules is beyond the scope of these Notes.
80.Paragraph 3(a) of schedule 2 adds the Commissioner to the list of bodies in schedule 5 of the Public Services Reform (Scotland) Act 2010 (“the 2010 Act”). This means that it is a body in relation to which an order can be made under section 14 of that Act where it would improve the exercise of public functions, having regard to efficiency, effectiveness and economy. An order under section 14 of the 2010 Act can (subject to restrictions, and only after the Scottish Parliament has approved a draft of the order):
modify, confer, abolish, transfer or provide for the delegation of any function of a public body,
amend the constitution of a public body.
81.Paragraph 3(b) of schedule 2 adds the Commissioner to the list of bodies in schedule 6 of the 2010 Act. The effect of this is that the Scottish Ministers cannot propose any provision by order under section 14 (the powers to improve the exercise of the Commissioner’s functions having regard to efficiency, effectiveness and economy discussed above) or section 17(1) (power to remove or reduce burdens) unless requested to do so in writing by the SPCB. It also means that the Scottish Ministers cannot lay any subsequent draft order containing such provision unless the SPCB consents.
82.Paragraph 3(c) of schedule 2 adds the Commissioner to the list of bodies in schedule 8 of the 2010 Act. This means that the Commissioner will be subject to the duties to report after each financial year on:
expenditure (see section 31 of the 2010 Act), and
the steps it has taken to promote and increase sustainable growth and improve the Commissioner’s efficiency, effectiveness and economy (see section 32 of the 2010 Act).
83.Paragraph 4 of schedule 2 makes the Commissioner subject to the duties created by the Public Records (Scotland) Act 2011 to produce, implement and keep under review a records management plan.
84.Paragraph 5 of schedule 2 adds the Commissioner to the list of contracting authorities subject to the duties created by the Procurement Reform (Scotland) Act 2014 regarding their procurement activities and some specific measures aimed at promoting good, transparent and consistent practice in procurement.