Briefing 246

January 2019

General Data Protection Regulations (GDPR) and Biometrics


Historically the gathering, recording, retention and sharing of data or information about an individual has tended to refer to written record keeping whether stored in ‘hard’ copies or electronically. Increasingly, however, the gathering of data and/or information about an individual is being undertaken by machines, operated by both public and private organisations, designed to gather biometric information. ‘Biometric information’ was defined by the Protection of Freedoms Act 2012 (PoFA) as DNA samples, DNA profiles and fingerprints. The PoFA is the Act which governs the Police use of biometrics. However, since the Act became law there has been a very rapid growth in the availability and use of other biometric technologies: these include face recognition, eye/iris recognition, audio recognition and the use of sociometrics and/or custody images. The law has not kept up with these developments and there is now a ‘grey area’ regarding the use of such material. In addition, the rapid development of Artificial Intelligence (AI) could pose further challenges to the legal system (see below).

The gathering and use of biometric information/data affects every person in the UK. In this Briefing, however, we want to highlight some of the particular issues that relate to children and young people who are Looked After.

The Issues

Children and young people in care may be affected by issues relating to biometric information/data in one or more of three ways: 

  • Criminal activity that generates biometric information;
  • Care proceedings that require biometric information;
  • The gathering and usage of biometric information by public and private organisations.

Criminal Activity and Looked After Children

It is important here to note: criminal activity may be perpetrated by looked after children and young people. However, it may also be criminal activity directed against looked after children and young people - the criminal activity may, indeed, be the reason for the child or young person being brought into care in the first place.

The use of fingerprints and DNA evidence in criminal proceedings is of long standing and is relatively uncontroversial. PoFA sets out clear guidelines regarding the retention and use of such biometric material from young people under the age of 18.

  • If a young person under the age of 18 years is convicted of a qualifying offence, their fingerprints and/or DNA profile may be retained indefinitely.
  • If a young person is convicted of a minor recordable offence and receives a custodial sentence of more than 5 years, their fingerprints and/or DNA profile may be retained indefinitely.
  • If a young person is convicted of a minor recordable offence but receives a custodial sentence of less than 5 years, their fingerprints and/or DNA profile may be retained for the duration of the custodial sentence plus 5 years. This is called an ‘excluded offence’.
  • If a young person is convicted of a second recordable offence, their fingerprints and/or DNA profile may be retained indefinitely.

The Biometrics Commissioner acknowledges that the most difficult area of criminal activity and issues relating to the retention of records relates to sexual offending between young people or within families. For more detail on this see paragraphs 137 to 141 Annual Report 2017 (Published March 2018) Commissioner for the Retention and Use of Biometric Material.

There are also issues relating to the right of children to appeal against having their biometric information retained by the police following a No Further Action decision. For more detail on this see paragraphs 151 to 156 in the Commissioner for the Retention and Use of Biometric Material Annual Report 2017 (above).

It will be important for all looked after children and young people convicted of any offence that their social worker is aware of and is able to act on behalf of, the child/young person in order to ensure that records are kept within the guidelines set out above and/or are challenged appropriately.

Care Proceedings that Require Biometric Information

Most often this issue will be about establishing paternity for a child, but may also be important in establishing sibling paternity as well and will aim to resolve such issues through the use of DNA.

Lest it be thought that this is a completely foolproof and trustworthy process it is worth referring to F(Children) (DNA Evidence) [2007] EWHC 3235 (Fam).

The judgment is of interest because it sets out some conclusions arising from difficulties and errors in the DNA testing. During the course of the proceedings, involving several adults and children, it had emerged that there was doubt over the parentage of the children involved. The judge therefore ordered that DNA testing should be undertaken. In the event, it was found that the firm chosen to undertake the testing had procedural defects that meant that the result could not be relied on. A result of a second test, carried out by another firm, was challenged by the alleged parents and so the judge allowed a third test from a third different firm. Their results supported that challenge and the second firm, on review, changed their opinion to agree with the third firm.

It is also, perhaps, worth noting that gaining DNA information may have unexpected and challenging outcomes for any or all of the parties involved and support therefore should be planned in whenever such information is sought.

The Gathering and Usage of Biometric Information by Public and Private Organisations

In recent years there has been an enormous growth in the use of biometric information or data to support everyday activities. Thus an increasing number of schools now use fingerprints or other biometric material such as iris recognition and or facial recognition as a security measure to allow access into the school and within it.

Wherever this is used it can only be with the written agreement of the young person or their parent’s agreement. If parents disagree it cannot be used. For children looked after, the written agreement of a senior manager in social care will have to be obtained and the child will have to be made aware that agreement has been given. Thought will need to be given to the implications of giving agreement to Academy schools or other private companies or organisations and there will need to be robust assurances about how the information is stored, who has access to it and what happens to it once a child has left the school.

The school should set out clearly its processes for managing all such information/data.

The same issues arise with regard to any biometric information gathered whilst a child is in care and what happens to that information once they leave.

The use of video and photography to record entry to children’s homes is not in itself using biometric information but with the growth of Artificial Intelligence and its ability to scan and match faces in many situations could assist this new form of biometric data gathering. The use of AI may, in the future, raise challenges for the judicial system: ‘if the prosecution is relying on the evidence of matches from software using these new algorithms then they will not know on what basis that match is claimed and, by the same logic, the defence will be unable to challenge the evidence, except, of course, in this general sense of pointing to the lack of intelligible evidence.’ For a more detailed discussion of this issue please refer to Section 8.5, New Biometric Algorithms in the Commissioner for the Retention and Use of Biometric Material Annual Report 2017 (above).

Contact us to find out about how tri.x can help your organisation

Copyright©: The content of tri.x Briefing papers can be accessed, printed and downloaded in an unaltered form, on a temporary basis, for personal study or reference purposes. However any content printed or downloaded may not be sold, licensed, transferred, copied or reproduced in whole or in part in any manner or in or on any media to any person without the prior written consent of Antser Group.

Briefings Archive