The Open Rights Group has backed the Scottish government's plans to immediately delete mugshots at the end of legal retention periods – something Whitehall said is impossible in its own systems.
The Scottish government is consulting on proposals to improve oversight of the use and retention of biometric data, which would see the nation appoint its first biometrics commissioner.
The commissioner would be responsible for overseeing adherence to a Code of Practice that sets out the rules on how long authorities can keep DNA, fingerprints and custody images.
The code, which has been published as part of the consultation, is clear that retaining biometric data interferes with people's right to privacy, and that "the obvious approach is to have a presumption in favour of deletion following the expiry of any minimum retention period as prescribed in law".
As such, all data must be deleted as soon as the relevant retention period has passed – and authorities must ensure records are deleted from both the primary database and any other databases they are replicated on.
Establishing such a rule would be in contrast to the situation in England and Wales, where custody images are retained indefinitely in a mammoth database – it now holds 21 million shots of faces and identifying features – and only removed if someone requests it.
This is widely thought to go against a 2012 High Court ruling that said keeping images of presumed innocent people on file was unlawful, and that there must be a distinction between convicted and non-convicted people.
But the Home Office has countered that it isn't technically possible to automatically link or delete records because national and local databases don't talk to each other, and that doing it manually would be too costly to justify. It claimed ongoing efforts to update the systems will address this in the longer-term.
However, its approach – and ministers' attitudes – is a source of constant frustration for activists and opponents.
By comparison, the Scottish government's proposal demands automatic deletion, and indicates that in cases where a system won't allow it, steps must still be taken to protect un-convicted people, until legacy systems are replaced.
"In relation to custody images held by Police Scotland on legacy force custody systems where there is no automated means of distinguishing between records of convicted and non-convicted persons, it will suffice for the records within those systems to be protected from access in the operational environment until deleted as those systems are shut down," it said.
Campaigners have welcomed the plan, and urged the Home Office to follow suit.
"Open Rights Group called for rules establishing an automatic deletion procedure," said the organisation's Scotland director, Matthew Rice. "It is welcome to see them included in the Code of Practice for Scotland and we encourage the rest of the UK to follow Scotland's lead."
Elsewhere in the code, the Scottish government proposed handing out a "biometrics information sheet or leaflet" as a "practical way" to ensure that people whose biometric data is captured understand how it might be used and how they can appeal.
This is another area in which Whitehall has fallen short in the eyes of critics, who argue that most people who have been taken into custody have no idea their images are retained or that they need to request they be deleted.
The Scottish government also noted that the code covered not just DNA, fingerprints and custody images – but also biometric data generated by second-generation tech, like facial recognition software, remote iris recognition and voice pattern analysis.
It said that the code would apply to Police Scotland and the Scottish Police Authority, as well as any bodies that collect data while exercising powers of arrest for devolved purposes – but not for national security or private companies.
However, the Open Rights Group said that this "does not reflect the direction of travel for biometrics in our lives" as there is an increasing amount of surveillance carried out by housing associations and private firms in the retail sector.
"These applications will have an effect on individuals' rights, and the Code should reflect that," Rice said. "At the moment, adoption in other areas such as public bodies or private bodies is on a voluntary basis. The Code should go further and apply to those bodies directly."
Rice also called for there to be more power granted to the biometrics commissioner should an organisation break the code. As proposed, a breach is not a civil or criminal offence. Rather, the role-holder would only be able to issue an "improvement notice".
The consultation closes on 1 September. ®