Ensuring robust and flexible protections against the use of biometric data

The capture, storage, and use of biometric data – such as facial images, DNA, even the way you walk and move – by public bodies raises new and rapidly changing social, legal, and ethical challenges. Professor Carole McCartney and Dr Aaron Amankwaa of Northumbria University Law School applied their research expertise in forensic investigation and the use of biometric materials to develop flexible regulatory models in Scotland, across the UK, and in New Zealand.

Much media coverage on the use of biometric data reports on the dangers posed by private entities, such as social media companies (e.g., Facebook), mobile technology companies, and the creators of fitness-tracking or location-mapping apps, such as Apple. However, public bodies run by national governments also have tremendous capacity for collecting and keeping archives of biometric data matchable to individuals and traceable through families. This combined data could be sufficient to identify, trace, and record individuals, breaching the right to privacy.

The risks posed by private entities holding sensitive personal data are valid, but the social, legal, and ethical concerns raised by the use of biometric data by public bodies are very different. As voluntary consumers of private corporations, we consent to sharing images of friends and family and location and movement information for convenience and wellbeing when we sign up. However, the data we share with governments is often a pre-requisite for getting legal documents, such as passports and driving licences, or accessing social services. These forms of identity and social services underpin our daily lives, e.g., needing to provide originals and copies of our documents to get jobs, register with doctors and dentists, and travel abroad for both work and pleasure. Therefore, we engage with governments not as customers, with the ability to close our accounts and opt out, but as citizens in a relationship defined by rights and duties.

Human rights must be protected, but biometric data can also be an important tool in the prevention, detection, and investigation of criminal activity. The security of citizens is one of the principal obligations of governments, so biometric capture and use must be rigorous enough to help protect us from crime, but also have sufficient safeguards that our privacy is protected from undue invasion. 

Moreover, the ways that biometric data can be recorded and used are changing rapidly. Any form of regulation and oversight runs the risk of becoming quickly obsolete. Biometric regulation is thus a moving target that presents one of the urgent challenges of the modern state.

McCartney’s research into forensic science established three core principles to ensure ‘integrity’. Viability assesses the use of forensic data for measures such as accuracy, validity, reliability, and credibility through quality assurance and audit mechanisms. Legitimacy prevents unlawful storage, exchange, or further manipulation of data through legally binding instruments and bodies that can oversee legal processes and guarantees. Acceptability involves securing trust and confidence through public access and independent oversight, ensuring that ethical principles, among others, are upheld. These ‘three pillars’ uphold a comprehensive regulatory structure that can respond to legal and operational issues and ethical concerns about rapidly developing technologies.

Their work led to changes in the Scottish Biometrics Commissioner Act 2020. A new Biometrics Commissioner for Scotland position was created to establish guidance for the acquisition, retention, and use of biometric data in Scotland flexible enough to adapt to innovation and new technology, complemented by a Code of Practice. 

The Biometric Commissioner for the UK affirmed in their 2020 Annual Report that the Scottish Biometrics Commissioner Act would serve as the model for the future regulatory framework across the UK. Building from this, McCartney has worked with the UK National Crime Agency (the lead agency tackling organised crime, including human-, weapon- and drug-trafficking; cybercrime; and economic crime) to deliver workshops discussing the use of biometric materials in criminal investigations.

Between 2018 and 2020 McCartney and Amankwaa worked closely with the New Zealand Law Commission to advise on specific areas of forensic and biometrics policy, including the use of DNA databanks. The Law Commission published a comprehensive report in October 2020 proposing new legislation governing the use of DNA in criminal investigations. This report cited McCartney and Amankwaa’s evidence 24 times, and their views were reflected in a number of their recommendations shaping the scope and powers of the new legislation.

As technology using and storing biometric data advances and increasingly shapes our lives, McCartney and Amankwaa’s research and the three pillars of integrity ensure that the regulatory integrity needed to protect our privacy and security has the flexibility to remain responsive and effective in the face of new challenges.

