By Stephanie Hare

SCOTLAND is set to regulate biometric data, which includes DNA, fingerprint, facial images, iris, voice, and behavioural data. The Biometric Data Bill was recently announced in Scotland’s Programme for Government and is open for consultation until October 1.

UK law governs biometrics primarily as a police matter. It does not regulate the use of biometrics in the private sector, which means that a person has greater rights over their DNA when it is being handled by the police than by a company. And the Protection of Freedoms Act 2012 only regulates the use of biometrics in schools in England and Wales, not Scotland or Northern Ireland. With the new bill open for consultation, Scotland has an opportunity to decide whether it wants to see greater use of biometrics by the Government and the private sector at all.

Already the Draft Scottish Biometrics Code of Practice under consideration is superior to the biometrics regulation being proposed by the Home Office for the rest of the UK. The Home Office has defied since 2012 a High Court ruling that it is “unlawful” to keep the face and voice data of anyone taken into custody and released without charge, or anyone who is acquitted. Such data of innocent people should be automatically deleted from police databases, just as the police are required to delete DNA and fingerprint data. In Scotland, it will be.

Unlike the Home Office Biometrics Strategy, which limits its thinking to the here and now, the Scottish strategy is actually strategic by including not only DNA, fingerprint and facial images but also “second-generation biometrics” such as iris recognition, behavioural biometrics and voice pattern analysis.

However, the draft Scottish code still ignores the use of biometrics by private companies, whose poor track record at keeping our data secure inspires little confidence, and whose executives have yet to be held to account. This omission is all the more glaring given that Amazon, Google, Microsoft, Kairos and Axon have all requested that government regulate facial recognition technology.

Even as the use of our biometric data creeps more deeply into daily life, there is little public debate about whether people even want this, much less guidance for companies and consumers.

Nowhere is this more apparent than in the use of biometrics in schools. Since the mid-2000s, children across the UK have had their facial image, fingerprints and in some cases even infrared palm scans taken by schools for registration, to pay for school meals, or even to borrow library books. In Scotland, this practice dates even earlier, to 1999. While children in England and Wales have been covered since 2012 by the Protection of Freedoms Act, which requires schools to obtain consent from both the child and at least one parent, children in Scotland have no such protection. As a result, their biometric data has been collected for years without any clarity over how it is secured.

For the sake of convenience, an entire generation of children has been conditioned to use their most personal data – from their bodies – to interact with the authorities without any oversight or accountability. At a minimum, Scotland should give its children the same protections as children in England and Wales. Better yet, the Scottish people should demand that they do so – and lead the way in facing up to biometrics.

The Scottish Biometric Data Bill is an opportunity to secure a biometric data framework that protects all individuals while giving clarity to civil authorities and private companies. By setting a higher standard and taking greater responsibility for the ethical use of biometrics, Scotland could even inspire the rest of the UK to follow suit.

Stephanie Hare is researcher and broadcaster and will be speaking at an event by The Data Lab today. For more information, visit