Professor Fraser Sampson (pictured) believes regulating biometric technologies should cover public and private sectors and be wary of cloud-based storage and data breaches

Rules governing the use of biometrics should avoid the fragmentation seen in the UK and work across all measures and sectors, according to the outgoing Biometrics and Surveillance Camera Commissioner.

Professor Fraser Sampson, who recently announced he will resign on 31 October for personal reasons, said that “it makes no practical sense” to regulate just established biometric measures such as fingerprints and DNA held by a few public bodies.

“The vast majority of biometric capability is privately owned and accessed under contractual arrangements between law enforcement and policing bodies and the private sector, which means we rely on trusted partnerships and must therefore be careful whose corporate company we keep,” he wrote in response to a consultation by New Zealand’s Office of the Privacy Commissioner on a new code of conduct on that country’s biometric information.

He welcomed the New Zealand commissioner’s plans to include some newer biometrics in its code, saying he had pressed for this to be the case in the UK, but added he was surprised it planned to exclude DNA due to this being covered by other legislation.

“My experience is that a fragmented, sometimes competing legislative framework (as exists for fingerprints and DNA – and anachronistically, footwear impressions – in the UK) can lead to confusion amongst practitioners,” Sampson wrote.

He wrote that plans to make the New Zealand code as technology-neutral as possible should consider the need to provide sufficient clarity on specific biometric technologies, which practitioners require even if they initially welcome more flexibility. However, he said that the use of artificial intelligence does require a technology-neutral approach based on consistently applied principles. Sampson has contributed to the Accountability Principles for AI international framework project.

Sampson has also questioned whether law enforcement’s biometric data should be stored in cloud-based services, with the separate Scottish Biometrics Commissioner having raised questions over Police Scotland’s intention to move to a cloud system. This is partly due to questions over whether cloud storage overseas will allow the host countries to access biometric data.

“More generally, the recently reported data breaches from police forces around the UK have underscored the continuing need for vigilance and scrutiny around data storage policies, practices and remedies,” Sampson wrote.