Strategic Plan 2021-2025

To support and promote the adoption of lawful, effective, and ethical practices in relation to the acquisition, retention, use, and destruction of biometric data for criminal justice and police purposes in Scotland. (Our strategic priorities are directly aligned to the statutory functions of the Commissioner as established in section 2 (3) of the Scottish Biometrics Commissioner Act 2020)

1. Keep under review and report on the law, policy, and practice relating to the acquisition, retention, use, and destruction of biometric data for criminal justice and police purposes in Scotland.
2. Promote public awareness and understanding of criminal justice and policing sector powers and duties in relation to biometric data,
   how these powers are exercised, and how the exercise of these powers can be monitored or challenged. (A public attitudes survey will be conducted in 2021/22 to measure and baseline public attitudes, awareness, and understanding of biometrics in policing in Scotland.)
3. Develop, publish, promote, and assess compliance with a statutory Code of Practice on the acquisition, retention, use, and destruction of biometric data for criminal justice and police purposes in Scotland. (Ibid, section 7, Scottish Biometrics Commissioner Act 2020.)
4. Provide reports to the Scottish Parliament on the outcomes from the use of biometric data and technologies and highlight key issues to inform public debate, thus strengthening democratic accountability.

1. Develop, deliver, and publish, a national assessment framework to help assess the effectiveness and efficiency of biometric data outcomes. Publish annual and other reports to enhance independent oversight, transparency, and public accountability.
2. Contribute to public awareness and understanding of how biometric data and technologies are used for criminal justice and police purposes in Scotland through various mechanisms including a website information hub, public reporting, and an established complaints procedure on our Code of Practice for biometric data subjects.(Ibid, section 15, Scottish Biometrics Commissioner Act 2020.)
3. Deliver a statutory substructure and compliance framework through a Code of Practice approved by the Parliament and Scottish Ministers through regulations, which balances ethical public interest considerations with democratic freedoms and the privacy and human rights of data subjects
4. Contribute towards the National Outcomes for Scotland, specifically:
   • Delivering community safety,
   • protecting equalities & human rights,
   • avoiding discrimination,
   • protecting children and vulnerable adults,
   • and making a positive contribution internationally.

• Independent
• Transparent
• Proportionate
• Accountable

The Scottish Biometrics Commissioner Act 2020 established the office of Scottish Biometrics Commissioner (SBC) and provides for its functions. The Commissioner is independent of Scottish Government and is appointed by Her Majesty the Queen on the nomination of the Scottish Parliament. The Commissioner’s general function is to support and promote the adoption of lawful, effective, and ethical practices in relation to the acquisition, retention, use and destruction of biometric data for criminal justice and police purposes by Police Scotland, the Scottish Police Authority (SPA), and the Police Investigations and Review Commissioner (PIRC)(See section 34 of Scottish Biometrics Commissioner Act 2020 for full definition of ‘biometric data’.) .The Commissioner must lay an annual report on activities each year before the Scottish Parliament and may publish other reports and research, as necessary.

Section 7 of the Act provides that in furtherance of the Commissioner’s general function, the Commissioner must prepare, and may from time-to-time revise, a Code of Practice on the acquisition, retention, use and destruction of biometric data for criminal justice and police purposes. The Commissioner must keep the approved code of practice under review, prepare and publish a report on the Commissioner’s findings, and lay a copy of the report before the Scottish Parliament. The first such report must be laid before the Parliament no later than 3 years after the date on which the first code of practice comes into effect.

Section 15 of the Act requires that the Commissioner must provide a procedure by which an individual, or someone acting on an individual’s behalf, may make a complaint to the Commissioner that a person who is required by section 9 (1) to comply with the code of practice has not done or is not doing so in relation to the individual’s biometric data.

Section 20 of the Act provides that if the Commissioner determines that a person who is required by section 9 (1) to comply with the Code of Practice has not done so or is not doing so, the Commissioner must prepare and publish a report about that failure unless the Commissioner considers that it is sufficiently minor not to merit it. Such reports must be laid before the Scottish Parliament. Section 23 (1) of the Act provides that where the Commissioner considers that Police Scotland, the SPA, or PIRC has not complied or is not complying with the Code of Practice then the Commissioner may issue a compliance notice. A ‘compliance notice’ is a notice requiring the person to whom it is issued to take the steps set out in the notice to address the person’s failure to comply with the code of practice. Further detail on compliance notices can be found in sections 23 to 26 of the Act.

Section 27 of the Act provides that where a person to whom a compliance notice has been issued refuses or fails, without reasonable excuse, to comply with the notice, the Commissioner may report the matter to the Court of Session.

On 12 April 2021, I was appointed by Her Majesty the Queen on the nomination of the Scottish Parliament as the first Scottish Biometrics Commissioner. Over the summer months I engaged widely with key stakeholders and established a business address at Bridgeside House, 99 McDonald Road, Edinburgh.

A suitable ICT platform was introduced, and I began the process of recruiting three staff to assist me in the discharge my functions. By July 2021, I had established a professional Advisory Group (as required by section 33 of the Scottish Biometrics Commissioner Act 2020) and shortly thereafter commenced the process of formal consultation on this Strategic Plan. I wish to take this opportunity to thank everyone who has contributed to this process amidst the challenges and constraints of the ongoing pandemic.

Additional thanks are due to members of my professional Advisory Group, my Audit Advisory Board, to Police Scotland, the Scottish Police Authority, and the Police Investigations and Review Commissioner for their outstanding levels of support. I also wish to acknowledge a particular debt of gratitude to the Scottish Public Sector Ombudsman Rosemary Agnew and her team for facilitating the creation of my physical office at Bridgeside House as part of a shared-services arrangement, and finally to Janice Crerar and the Parliamentary corporation for their ongoing support.

Biometric data such as fingerprints and photographs have been used in policing and criminal justice in Scotland as a means of verification, identification, and exclusion for more than one hundred years. Since the late 1980s, the advent of the forensic technique of DNA profiling has revolutionised the investigation of crime.

It is used daily in the investigation of a wide range of offences to identify offenders from minuscule amounts of body fluids and tissues. In sexual offences, DNA profiling can untangle complex mixtures of body fluids, typically found in such cases, to provide evidence that was previously unavailable. Through the introduction of DNA24, Scottish Police Authority Forensic Services now provides Police Scotland and the Police Investigations Review Commissioner (PIRC) with one of the most advanced DNA interpretation capabilities in world policing.

More recently there has been an exponential growth in a range of new biometrics in law enforcement, perhaps most controversially the use of public space facial recognition surveillance by the police in other UK jurisdictions.(https://www.bbc.co.uk/news/uk-wales-53734716) There has also been a proliferation of databases operating and exchanging biometric data over different legal and functional jurisdictions within the UK and globally, including the application of artificial intelligence (AI) to those databases to develop algorithms for biometric matching.

Such issues raise important questions for society, including how best to balance our need for public safety and security, with broader privacy, ethical, human-rights, and equality considerations. The principles of proportionality and necessity, and the long-established principle of policing by consent in Scotland, suggests the need to be careful about the extent of future encroachment.

Against this context, this strategic plan laid before the Scottish Parliament in November 2021 sets out how I propose to perform my statutory functions during the 4-year period from 01 December 2021 until 30 November 2025 (The commencement period of the Strategic Plan was amended during the Covid-19 Pandemic by the commencement order S.S.I. 2020/250 from 1 April 2021 to 01
December 2021, therefore the period of this Strategic Plan no longer aligns with the provisions of Section 29 (1) of the Scottish Biometrics Commissioner Act 2020, which requires budgetary arrangements to align with the fiscal year.).

In accordance with the requirements of section 28 (3) of the Scottish Biometrics Commissioner Act 2020, and Scottish Statutory Instrument 2020/250, this strategic plan includes information on:

• Identified objectives and priorities for that period,
• How I propose to achieve those objectives and priorities,
• A timetable for doing so,
• Estimated costs

In early 2022, and following extensive consultation, which is currently ongoing, I will submit a finalised draft of the Code of Practice to Scottish Ministers for approval. Once approved, the Code will come into effect under regulations, at which point Scotland will become the first country in the world to have a statutory code of practice on the acquisition, retention, use, and destruction of biometric data for criminal justice and police purposes. This will be a significant human rights landmark for Scotland.

The Code will set out an agreed framework of standards for biometric data which strikes the right balance between the needs and responsibilities of policing and our criminal justice system in terms of enforcing the law and keeping citizens safe, and the fundamental obligation to guarantee the basic human-rights and freedoms of individual members of the public. The Code of Practice will be supported by a national Assessment Framework for Biometric Data Outcomes in Scotland. The Assessment Framework has been developed by the Scottish Biometrics Commissioner as a quality management assessment tool with the assistance of the Improvement Service and is based on the Public Sector Improvement Framework in Scotland. (https://www.improvementservice.org.uk/products-and-services/performance-management-and-benchmarking/public-sector-improvement-framework)

It is a privilege to have been selected to serve the people of Scotland as the first Scottish Biometrics Commissioner, and to lay my first strategic plan before the Scottish Parliament.

Dr Brian Plastow
Scottish Biometrics Commissioner
Brian.Plastow@biometricscommissioner.scot
24 November 2021

As a values-led organisation, we will conduct our activities in a way that is Independent, Transparent, Proportionate and Accountable:

• Independent - We will always act independently and publish impartial and objective review reports. Our professional advice will be informed and unbiased. The Scottish Biometrics Commissioner is a juristic person, appointed by Her Majesty the Queen on the nomination of the Scottish Parliament and is independent of Scottish Government.
• Transparent  - We will be open about what we do and give reasons for our decisions. We will publish our reports and findings and will not restrict information unless deemed necessary to protect the identity of data subjects, or due to wider public interest considerations.
• Proportionate - We will ensure that our activity is proportionate and does not exceed what is necessary to achieve our statutory purpose. We will minimise the burden of any review activity on Police Scotland, the Scottish Police Authority, and the Police Investigations and Review Commissioner. We will ensure that the way that we do what we do is proportionate, necessary, effective, and efficient.
• Accountable - We will be accountable for what we do to the Scottish Parliament and will submit ourselves to whatever scrutiny is appropriate to our function. We will promote equality, diversity, and human rights in everything that we do. 

The Scottish Biometrics Commissioner has developed a national assessment framework of forty-two quality indicators for biometric data outcomes. This assessment framework is based on the Public Sector Improvement Framework in Scotland (PSIF) and has been independently validated by the Improvement Service in Scotland (https://www.improvementservice.org.uk/). The framework also serves as a self-assessment tool for Police Scotland, SPA Forensic Services and the Police Investigations and Review Commissioner who have been fully consulted on its content.

Once approved by Scottish Ministers, our forthcoming Code of Practice together with our national assessment framework for biometric data outcomes will provide a substructure through which to assess compliance with the Code of Practice and more generally in the evaluation of overall direction, execution, and results. This will help improve independent oversight, governance, and scrutiny.

Our assessment framework mirrors the 6 PSIF framework domains most applicable to criminal justice and policing. These framework domains have been used by HM Chief Inspector of Constabulary in Scotland (HMICS) and are illustrated as follows:

• Leadership and governance
• Planning and process
• People
• Resources
• Partnerships
• Outcomes

PSIF allows people to understand and manage the relationship between what their organisation does and the outcomes it achieves.This framework shall guide our work and together with our Code of Practice can also serve as a self-evaluation model for policing and criminal justice agencies when considering their approach to biometric data and technologies.

PSIF is a recognised management framework endorsed by Scottish Government which allows organisations to achieve success and to understand gaps and viable solutions, empowering them to progress.

To ensure synergy within the wider policing family in Scotland, the Scottish Biometrics Commissioner will also adopt the six framework themes from PSIF already used by HMICS and Police Scotland that are of most relevance to the policing and criminal justice context in Scotland. Those themes are:

Outcomes

We will focus on the overall performance of the organisation in relation to biometric data and technologies and seek to examine success in delivering demonstrable, high quality and improved outcomes in support of statutory functions and national outcomes.

• Leadership and governance - We will examine strategic leadership and governance, scrutiny, and accountability arrangements for biometric data and technologies to assess whether the organisation is delivering its overall vision in support of statutory functions and national outcomes.
• Partnerships - We will assess how well partners work together to support the delivery of criminal justice, community safety and policing outcomes in relation to biometric data and technologies. This will include an assessment of partnership working in Scotland, and where appropriate to the functions of the organisation, wider UK, and international partnerships in connection with biometric data sharing and the operation of shared biometric databases and technologies.
• Planning and process - We will examine the effectiveness of strategy and planning processes in relation to the acquisition, retention, use, and destruction of biometric data. We will consider whether processes comply with the Code of Practice developed by the Scottish Biometrics Commissioner and consider safeguards and special arrangements when collecting biometric data from children, young people, and vulnerable persons.
• People - We will assess whether staff working with biometric data and technologies have the skills and competencies required to deliver on agreed outcomes and priorities. This will include an assessment of familiarity with the concept of unconscious bias, and how well staff understand the reliability and validity of technologies and how human interaction with such technologies can impact on equalities, human-rights, ethical and privacy considerations. We will look for evidence of respect for human-rights through all themes of our assessment framework.
• Resources - A key element of resourcing is the consideration of best value. We will assess whether organisations collecting biometric data for criminal justice and policing purposes in Scotland have the resources to manage and control Scottish biometric data in accordance with Scottish legislation, operational policies, and any Codes of Practice in terms of its use.

Our strategic objectives and priorities for 2021 to 2025 are directly aligned with the exercise of our general functions as specified in section 2 (3) of the Scottish Biometrics Commissioner Act 2020. These objectives, priorities, and our envisaged outputs in each year for the period of this strategic plan are illustrated on a year-by-year basis as follows:

Year 1 from 01 December 2021 – to 30 November 2022

Our four strategic objectives and priorities and how our priorities will be achieved

1. Keep under review and report on the law, policy, and practice relating to the acquisition, retention, use, and destruction of biometric data for criminal justice and police purposes in Scotland.
   • Develop a National Assessment Framework for biometric data outcomes for the policing and criminal justice sector in Scotland. Use framework methodology to keep under review and report on the law, policy, and practice. Promote framework as a self-assessment tool for policing and criminal justice.
     Output: Publish National Assessment Framework (February 2022)
2. Promote public awareness and understanding of criminal justice and policing sector powers and duties in relation to biometric data, how these powers are exercised, and how the exercise of these powers can be monitored or challenged.
   • Ongoing public engagement including a public attitudes and awareness survey and the provision of capacity building materials through the website of the Scottish Biometrics Commissioner. Establish, publish, and maintain complaints procedure in
     parallel with Code of Practice.
     Output 1: Provide public information hub on Commissioner’s Website (January 2022)
     Output 2: Publish Public Complaints mechanism in parallel with Code of Practice (by summer 2022)
3. Develop, publish, promote, and assess compliance with a statutory Code of Practice on the acquisition, retention,
   use, and destruction of biometric data for criminal justice and police purposes in Scotland.
   • Deliver a statutory substructure and compliance framework through a Code of Practice approved by the Parliament and Scottish Ministers through regulations, which balance ethical public interest considerations with democratic freedoms and the privacy and human rights of data subjects.
     Output: Code of Practice laid before Parliament for approval (by summer 2022)
4. Provide reports to the Scottish Parliament on the outcomes from the use of biometric data and technologies and highlight key issues to inform public debate, thus strengthening democratic accountability.
   • Establish and maintain Advisory Group to enhance capacity and capability. Use networks and information gathering techniques and analysis to identify key issues. Identify potential research opportunities in Scotland, and opportunities for knowledge exchange with other UK jurisdictions and internationally. Collate materials for annual report.
     Output: Establish and maintain Advisory Group (from July 2021)
     Output: First annual report to Parliament (summer 2022)

Link to National Outcomes for Scotland:

• Delivering community safety.
• Protecting equalities & human rights.
• Avoiding discrimination.
• Protecting children & vulnerable persons.
• Making a positive contribution internationally.

Year 2 – from 01 December 2022 – to 30 November 2023

Our four strategic objectives and priorities and how our priorities will be achieved

1. Keep under review and report on the law, policy, and practice relating to the acquisition, retention, use, and destruction of biometric data for criminal justice and police purposes in Scotland.
   1. Conduct a review of policy and practice in relation to the acquisition, retention, use, and destruction of biometric data relating to children, young people, and vulnerable adults. Assess impact of Age of Criminal Responsibility (Scotland) Act 2019 relative to biometric data.
      Output 1: Thematic report on biometric data relating to children, young people, and vulnerable adults to the Scottish Parliament (March 2023).
   2. Review rules of permissible retention as prescribed in Scottish law.
      Output 2: Report to Scottish Parliament on review of law regarding permissible retention periods (October 2023).
      Note on output 2: (With reference to previous IAG recommendations in Scotland and Gaughran v. United Kingdom on DNA, fingerprint, and photograph retention – new ECtHR ruling on 13 February 2020 on indefinite retention).
2. Promote public awareness and understanding of criminal justice and policing sector powers and duties in relation to biometric data, how these powers are exercised, and how the exercise of these powers can be monitored or challenged.
   • Ongoing public and stakeholder engagement and the provision of capacity building materials through the website of the Scottish Biometrics Commissioner. Maintain complaints procedure in parallel with Code of Practice. Conduct investigations into any complaints received from data subjects.
     Output: Maintain complaints mechanism and publish Commissioner’s determination in event of any individual breach of the Code of Practice
3. Develop, publish, promote, and assess compliance with a statutory Code of Practice on the acquisition, retention, use, and destruction of biometric data for criminal justice and police purposes in Scotland.
   1. Maintain statutory substructure and compliance framework through a Code of Practice approved by the Parliament and Scottish Ministers through regulations, which balance ethical public interest considerations with democratic freedoms and the privacy and human rights of data subjects.
      Output: Keep Code of Practice under ongoing review through scrutiny programme and programme of annual compliance assessments.
4. Provide reports to the Scottish Parliament on the outcomes from the use of biometric data and technologies and highlight key issues to inform public debate, thus strengthening democratic accountability.
   1. Maintain Advisory Group to enhance capacity and capability. Use networks and information gathering techniques and analysis to identify key issues. Identify potential research opportunities in Scotland, and opportunities for knowledge exchange with other UK jurisdictions and internationally.
      Output: Commissioner’s 2nd Annual report to Parliament (summer 2023)

Link to National Outcomes for Scotland:

• Delivering community safety.
• Protecting equalities & human rights.
• Avoiding discrimination.
• Protecting children & vulnerable persons.
• Making a positive contribution internationally.

Year 3 – from 01 December 2023 – to 30 November 2024

Our four strategic objectives and priorities and how our priorities will be achieved

1. Keep under review and report on the law, policy, and practice relating to the acquisition, retention, use, and destruction of biometric data for criminal justice and police purposes in Scotland.
   • Conduct a review of policy and practice in relation to the acquisition, retention, use, and destruction of photographs and facial images including facial search and facial recognition technologies for criminal justice and police purposes.
     Output: Thematic report on facial images and technologies to Scottish Parliament (March 2024)
2. Promote public awareness and understanding of criminal justice and policing sector powers and duties in relation to biometric data, how these powers are exercised, and how the exercise of these powers can be monitored or challenged.
   • Ongoing public and stakeholder engagement and the provision of capacity building materials through the website of the Scottish Biometrics Commissioner. Maintain complaints procedure in parallel with Code of Practice. Conduct investigations into any complaints received from data subjects.
     Output: Maintain Complaints mechanism and publish Commissioner’s determination in event of any individual breach of the Code of Practice
3. Develop, publish, promote, and assess compliance with a statutory Code of Practice on the acquisition, retention, use, and destruction of biometric data for criminal justice and police purposes in Scotland.
   • Maintain statutory substructure and compliance framework through a Code of Practice approved by the Parliament and Scottish Ministers through regulations, which balance ethical public interest considerations with democratic freedoms and the privacy and human rights of data subjects.
     Output: Keep Code of Practice under ongoing review through scrutiny programme and annual programme of compliance assessments.
4. Provide reports to the Scottish Parliament on the outcomes from the use of biometric data and technologies and highlight key issues to inform public debate, thus strengthening democratic accountability.
   • Maintain Advisory Group to enhance capacity and capability. Use networks and information gathering techniques and analysis to identify key issues. Identify potential research opportunities in Scotland, and opportunities for knowledge exchange with other UK jurisdictions and internationally.
     Output: Commissioner’s 3rd Annual report to Parliament (June 2024)

Link to National Outcomes for Scotland:

• Delivering community safety.
• Protecting equalities & human rights.
• Avoiding discrimination.
• Protecting children & vulnerable persons.
• Making a positive contribution internationally.

Year 4 – from 01 December 2024 – to 30 November 2025

Our four strategic objectives and priorities and how our priorities will be achieved

1. Keep under review and report on the law, policy, and practice relating to the acquisition, retention, use, and destruction of biometric data for criminal justice and police purposes in Scotland.
   • Conduct a review of policy and practice in relation to the acquisition, retention, use, and destruction of DNA for criminal justice and police purposes including the source biological samples and materials from which data is derived.
     Output: Thematic report on DNA and source samples and materials to Scottish Parliament (February 2025)
2. Promote public awareness and understanding of criminal justice and policing sector powers and duties in relation to biometric data, how these powers are exercised, and how the exercise of these powers can be monitored or challenged.
   • Ongoing public and stakeholder engagement and the provision of capacity building materials through the website of the Scottish Biometrics Commissioner. Maintain complaints procedure in parallel with Code of Practice. Conduct investigations into any complaints received from data subjects.
     Output: Maintain Complaints mechanism and publish Commissioner’s determination in event of any individual breach of the Code of Practice
3. Develop, publish, promote, and assess compliance with a statutory Code of Practice on the acquisition, retention,
   use, and destruction of biometric data for criminal justice and police purposes in Scotland.
   • Maintain statutory substructure and compliance framework through a Code of Practice approved by the Parliament and Scottish Ministers through regulations, which balance ethical public interest considerations with democratic freedoms and
     the privacy and human rights of data subjects.
     Output: First 3 Year review report on Code of Practice to Scottish Parliament and annual programme of compliance assessments (October 2025)
4. Provide reports to the Scottish Parliament on the outcomes from the use of biometric data and technologies
   and highlight key issues to inform public debate, thus strengthening democratic accountability.
   • Maintain Advisory Group to enhance capacity and capability. Use networks and information gathering techniques and analysis to identify key issues. Identify potential research opportunities in Scotland, and opportunities for knowledge exchange with other UK jurisdictions and internationally.
     Output: Commissioner’s 4th Annual report to Scottish Parliament (June 2024)

Link to National Outcomes for Scotland:

• Delivering community safety.
• Protecting equalities & human rights.
• Avoiding discrimination.
• Protecting children & vulnerable persons.
• Making a positive contribution internationally.

On inception, the Scottish Biometrics Commissioner was allocated an annual budget of £420K. This was based on a policy assumption in the legislative planning phase that there would be no significant expansion of the Commissioner’s functions and that the Commissioner might need to employ four staff members to assist in the discharge of the Commissioner’s responsibilities.

From 2022 and beyond the Commissioner’s office will have completed its first business cycle and budget requirements should become more stable and predictable. There are still unknown variables such as the potential volume of complaints about breaches of the Code of Practice, and potential extension of the Commissioner’s powers to include other UK-wide policing bodies operating in Scotland, or to other areas within the Scottish Criminal Justice portfolio.

Those unknown variables aside, the Commissioner’s budget requirement to discharge this strategic plan is as follows:

The projected costs associated with the delivery of this 4-year strategic plan take account of the Commissioner’s responsibilities under section 29 (3) of the Scottish Biometrics Commissioner Act to ensure that resources are used economically, efficiently, and effectively. The Commissioner may revise this strategic plan should material circumstances change.

The Commissioner must also comply with the provisions of sections 31 and 32 of the Act and is accountable to the Parliament Corporation for the signing the accounts of the expenditure and receipts of the Commissioner and ensuring propriety and regularity of finances. (The Parliamentary corporation must designate the Commissioner or a member of the Commissioner’s staff as the accountable officer for the purposes of the provisions of section 30 of the Scottish Biometrics Commissioner Act 2020 (functions of the accountable officer)). The Commissioner must keep proper accounts and accounting records, prepare in respect of each financial year a statement of accounts, and send a copy of the statement to the Auditor General for Scotland for auditing.

The Commissioner must comply with any directions which the Scottish Ministers give the Commissioner in relation to the keeping of accounts and accounting records and the form of the annual statement of accounts.

Performance measurement is important to enable any organisation to ensure it is achieving its objectives and making the best possible use of resources. With good reporting, it also enables accountability, which in the case of Parliamentary Officeholders, includes accountability to Parliament and to the taxpayers who fund their activities and have a keen interest in their effectiveness.

Performance measurement by regulators or independent officeholders is particularly complex because their intended outcomes (for example improving public confidence in the use of biometric data for policing and criminal justice purposes) are delivered by the organisations that they regulate ( Performance measurement by regulators, Good Practice Guide, the National Audit Office, London: 2016.). There are also external factors outside regulators’ control, and outcomes can take a long time to become evident. Therefore, any framework of performance measurement should begin with the objectives that the organisation is trying to achieve.

The characteristics of good performance measurement frameworks for regulators typically share the following features:

• Focussed - On the strategic organisational aims and objectives. Any performance measures used should clearly map onto the Commissioner’s general functions, objectives, and priorities.
• Appropriate - To, and useful for, decision-makers within the organisation, and meeting the needs of stakeholders outside the organisation.
• Balanced - Giving a picture of what the organisation is doing, covering all significant areas of work.
• Robust - For example, to withstand expansion of the remit of the organisation, or personnel changes.
• Integrated - With the organisation’s business planning and management processes. 
• Cost-effective - Balancing the benefits of performance information against costs.

Source: Choosing the Right FABRIC, National Audit Office (2016) and others.

To demonstrate balance between our strategic functions and broader corporate responsibilities, our Key Performance Indicators (KPI’s)
are segmented into 7 Key Performance indicators relating to our four strategic priorities, and eight other measures of overall corporate
performance as follows:

Our 4 Strategic objectives and priorities – with corresponding Key Performance Indicators (KPI’s)

1. Keep under review and report on the law, policy, and practice relating to the acquisition, retention, use, and destruction of biometric data for criminal justice and police purposes in Scotland.
   1. measures official meetings we conduct with representatives from the bodies to whom our functions extend. Our target is to meet a minimum four times each year with each organisation.
   2. measures our legal requirement to maintain a professional advisory group. Our target is for the advisory group to meet formally no less than 3 times each year.
   3. measures the number of large-scale thematic audit and assurance reviews we conduct each year. Our target is to conduct one large scale thematic each year.
2. Promote public awareness and understanding of criminal justice and policing sector powers and duties in relation to biometric data, how these powers are exercised, and how the exercise of these powers can be monitored or challenged.
   4. measures the number of public information newsletters we publish each year. Our target is to produce four newsletters each year.
   5. measures footfall to the public information published on our website. Our performance indicator is to increase footfall to our website by 5% each year against the year 1 post-launch baseline.
3. Develop, publish, promote, and assess compliance with a statutory Code of Practice on the acquisition, retention, use, and destruction of biometric data for criminal justice and police purposes in Scotland.
   6. measures our legal requirement to assess compliance with a Code of Practice. Our target is to publish one compliance assessment report each year for each organisation to whom our functions extend. This will be done before each anniversary of the Code taking effect.
4. Provide reports to the Scottish Parliament on the outcomes from the use of biometric data and technologies and highlight key issues to inform public debate, thus strengthening democratic accountability.
   7. measures our public reporting obligations. Our target is to lay two major reports each year before the Scottish Parliament. These are our annual report and one thematic report.

Our other Legal, Corporate and Governance – with corresponding Key Performance Indicators (KPI’s)

5. We will operate within our budget as allocated each year by the Parliamentary Corporation.( Subject to any future expansion of our statutory remit being funded by Scottish Government or the Parliamentary corporation.)
   8. measures our financial performance. Our target is to operate entirely within our allocated budget for each fiscal year.
6. We will respond to complaints received about us and conclude investigations as soon as reasonably practicable.
   9. Measures our initial response to complaints received about us. Our target is to acknowledge 100% of complaints within three working days.
   10. Measures the timeliness of our investigations into complaints made about us. Our target is to communicate the outcome of our investigation within twenty working days in 95% of cases investigated.
7. We will respond quickly to Freedom of Information requests.
   11. Measures our performance in responding to our legal duty to respond to FOI requests within twenty working days. Our target is to respond to 100% of FOI requests within twenty working days.
8. We will respond quickly subject access requests.
   12. Measures our performance in responding to our legal duty to respond to subject access requests within 1 month. Our target is to respond to 100% of subject access requests within twenty-eight working days.
9. We will seek to promote staff wellbeing, retention, and effective attendance management.
   13. Measures staff happiness, safety, security, and wellbeing in the workplace. Our target is to conduct one staff survey every 12 months and to publish the results and any action plan arising.
   14. Measures staff retention levels. Our target is to achieve a minimum of 85% staff retention in any fiscal year.
   15. Measures sickness and effective attendance management. Our target is for the average total number of staff working days lost to sickness or other absence each year to be lower than 6% of total available staff working days.( In this KPI ‘attendance’ does not denote physical attendance at a workplace due to hybrid working arrangements. Instead, it refers to the number of days where staff
       reported that they were unfit for work due to sickness or other reason.)