airt. Independent policy analysis
Cover of The Face on the Bus Pass

The Face on the Bus Pass

11 June 2026
Download PDF

The National Entitlement Card is Scotland’s bus pass. It is also the largest collection of Scottish faces no biometric regulator watches, and the one body built to watch biometrics cannot touch it.

Scotland has something no other part of the UK has: a biometrics regulator whose statutory remit reaches the face. And right now the man who holds the post is asking Parliament for a law that does not yet exist. Police Scotland is pressing ahead toward live facial recognition. It put the question to a public “national conversation” in 2025, resolved to keep going, and expects to put a business case to its oversight board in 2027.1 The Scottish Biometrics Commissioner has written to ministers to say the technology should not go anywhere near a Scottish street until primary legislation governs it.2 The regulator is telling you, on the record, that he cannot stop the thing he exists to watch.

What he can watch is narrow, and narrow by design. The Scottish Biometrics Commissioner Act 2020 gives him oversight of biometric data held for criminal justice and police purposes by three bodies: Police Scotland, the Scottish Police Authority, and the Police Investigations and Review Commissioner.3 The Code he enforces binds those three and no one else.4 The Commissioner says as much himself, warning of a “Biometric Wild West” in the spaces the law does not reach, objecting in the same breath to police bulk-searching the passport and driving-licence databases.5 A handful of staff, a budget under £700,000, an office built on the stated assumption of no significant expansion.6 By design, it watches one room.

None of this is news. Before the Act was passed, Open Rights Group Scotland and a sitting MSP argued that the Commissioner’s reach should run to biometrics wherever they are found, in education, in health, in retail. The point was made in 2018, and dropped.7 What replaced it is an oversight body for the police, and silence everywhere else. Asked in 2023 whether facial recognition was being used in Scotland’s schools or its public services, the Scottish Government replied that it did not hold the information: school facial recognition, it said, is a matter for local authorities; for the rest, contact the bodies directly.8

That silence is where the largest of these holdings sits, and no one with biometric expertise is watching it. The National Entitlement Card is the bus pass, the young person’s card, the proof of age, the cashless school lunch, the key to a hundred council services. As of June 2026 there are 2,973,029 active cards.9 Every card issued from secondary-school age up carries a photograph. For a child carded through school, the photograph need not be taken for the card at all: one council’s privacy notice describes lifting it from the school’s own records, the SEEMiS system, and reusing it.10 From age eleven a pupil’s school photo becomes a record in the Card Management System, kept, in that notice’s words, “until you advise us you no longer require your card.”11 Indefinitely, then. Thirty-two councils are joint controllers, the Improvement Service processes the applications through the national portal, the programme office sits inside Dundee City Council, and the photograph travels onward into the extract that proves identity across the country’s other public services.12 The scheme’s privacy assessment has not been revised since 2020.13 Its oversight, the government confirms, is ordinary data-protection housekeeping: a data protection officer, an annual audit, the auditors of public spending. Nothing biometric, and no specialist regulator anywhere in the chain.14

The law gives two answers to one question: is this photograph biometric data? Under the 2020 Act, a facial photograph capable of identifying a person is biometric data the moment it is held; the definition is broad and the wording is plain.15 Under UK GDPR, the same photograph stays ordinary until software is run across it to identify someone, becoming special-category biometric data only then. The councils hold to the second reading: their privacy notices say they collect no special category data, and they treat the photograph as an ordinary passport snap.16 You cannot govern what you will not name, and here the naming comes last. But the name is the only thing that waits: a stored face is matchable the day it is filed, and the software that reads it is no lawyer. The law’s timing changes the paperwork, not the picture.

The usual reassurance is that none of it matters, because the photographs only make bus passes, and any police access is “case by case”.17 Set aside that the phrase reveals nothing about how fast, how often, or who may refuse. The scheme also says such sharing is logged, but that is its own word, in a document from 2020, and nothing published confirms the log exists, still less what any audit of it found. A record no one is required to check is not oversight. A last reassurance says the photographs get deleted anyway. One copy does. The online portal deletes its image within sixty days of the card being made, two years for the Young Scot cards kept for proof-of-age audit; the Card Management System keeps the photograph for as long as you hold a card.18 Deleting the application copy clears the queue, not the gallery. And the deeper answer is that envisaged use has never once been a safeguard. A capability, once built, is pushed to the limit of what it can technically do, whatever the brochure said at the start. RIPA was sold for terrorism and serious crime, and a council used it to watch a family for three weeks to check which school catchment they lived in; the surveillance tribunal ruled it unlawful.19 England kept the DNA of people it never convicted until Strasbourg ordered it to stop.20 Police held more than nineteen million custody photographs, over sixteen million of them searchable by face, years after a court ruled the retention of the never-convicted unlawful.21 Number-plate cameras grew from catching stolen cars into tens of millions of reads a day, kept for a year.22 Clearview scraped twenty billion faces off the open web and sold the result to police forces.23 South Wales Police ran live facial recognition in the street until the Court of Appeal ruled its use unlawful.24 Where a limit was set at all, a court or a statute set it, not the purpose written at the outset, and only after the capability had been defended to the last, with the public’s own money. The times it stopped are the times something with teeth was standing in the way.

And the demand for faces is not hypothetical. Thirteen police forces in England and Wales now use live facial recognition; the Metropolitan Police scanned more than 1.7 million faces in the first four months of 2026 alone.25 Every such system needs a gallery to match against. Scotland has deployed none of it, which is the opening, not the all-clear: it could be the first place to govern the technology before it arrives rather than after. But the council database of Scottish faces already exists, and nothing with teeth stands between those faces and whatever use is found for them next. The Information Commissioner is no answer here: a UK-wide generalist, reactive by design, holding the very doctrine that a photograph is not biometric until software is run across it, and auditing nothing in this system unless someone first complains. The point is not that a child’s bus-pass photo is being matched against a watchlist today. The point is that no one can tell you it is not, because no one is required to look, and the one body built to look was sent to the wrong room. The figures hold a grim symmetry, and it runs the way you would least expect. The Commissioner’s reviews estimate more than three million images in Police Scotland’s systems, reviewed, audited and reported to Parliament; but those are images, not individuals, repeat shots of a far smaller population, on the order of 380,000 people on the criminal history system.26 The National Entitlement Card is close to one face per holder, across roughly two million people.27 By distinct faces, the council holding is the larger, and it is watched by no one with the word biometric in their job title.

None of this is an argument against the card, or against a single key to public services. A small country gains from not making its people prove who they are from scratch at every counter. The argument is against holding millions of facial photographs with no acknowledgement that they are biometric, no binding limit on what they may become, no independent audit that the limits hold, no specialist regulator with the power to compel change, and no real answer to the person whose face it is. A capability at this scale has to be acknowledged, constrained, audited, governed, and answerable. This one is none of the five. Move the perimeter; do not empty the vault.

The public is already standing on this ground. People back the targeted use of facial recognition, the search for someone who has committed a crime, and pull back sharply from the blanket kind, the tracking of the population at large; in the three countries surveyed a majority said they did not trust government to use the technology responsibly.28 Support follows the safeguards, not the capability. Govern it and the licence follows; leave it ungoverned and the licence was never given.

There is a floor for all of this, and Scotland sits below it. Since February 2025 the European Union’s AI Act has banned the untargeted scraping of faces to build recognition databases, and the real-time biometric identification of the public by police outside narrow, authorised cases; the binding obligations for high-risk biometric systems follow, after a deferral agreed in outline in 2026, in December 2027.29 Scotland’s Code, by contrast, binds only the police, confers no power to prohibit, and triggers no legal action of its own when breached, which is why the Commissioner is reduced to asking for a law. And the floor is one Scotland says it wants: since 2021 its ministers have held a standing power to keep devolved law in step with the EU’s.30 The five tests, met at home, would carry Scotland most of the way to that floor, with no one aiming for Brussels at all. Scotland cannot adopt the AI Act: data protection, and most of the levers around it, are reserved to Westminster.31 But it can hold its own public bodies to the standard, exactly as it already does for the police. That is alignment by good governance, not by borrowing a statute.

Different jurisdictions have chosen different tools, but they share a common principle: population-scale biometric data is governed, audited and answerable, not held quietly and called ordinary. It is established international practice, and Scotland has joined it for the police but not for its civilian holdings. New Zealand looked at the same problem and, in 2025, issued an enforceable code for biometric processing that covers civilian use, under privacy law it already had, with no new statute and no new regulator.32 Australia went further. Having rejected an ungoverned national identity card in the 1980s on civil-liberties grounds, it came back and built the governed version: a voluntary digital identity, independently accredited, regulated by two separate watchdogs, with binding limits on what may be collected and a public register of who is trusted to hold it.33 Estonia, whose entire state runs on a national identity, gives every citizen a log of who has looked at their records and the standing to ask why.34 Illinois answers a narrower question, but answers it to the person: once a face is scanned into biometric form, the holder is liable to the individual directly, with a right to sue and damages that do not turn on proving harm.35

England and Wales are the cautionary tale. They have no statutory code for civilian biometrics at all, and the government that brought reform forward in 2023 proposed to abolish even the police biometrics watchdog; an independent report warned the change would leave “significant gaps” in oversight.36 Scotland is rightly proud of being the exception. The point of this essay is that the exception stops at the police-station door, and the faces on the other side of it have less protection in Scotland than a police-held fingerprint does. Run recognition across them and, in Wellington or Tallinn, an enforceable regime answers at once; in Scotland nothing specialist answers at all.

There are two ways in, and the argument turns on which one fits. The Act already lets Scottish Ministers add bodies to the Commissioner’s remit by regulation, and a statutory review of his functions is live as this is written, weighing exactly that.3738 But section 2(7) moves the bodies, not the purpose: the remit it extends still reaches only biometric data held for criminal justice and police purposes. Add the councils tomorrow and the bus-pass photographs still escape, because they are held for travel and proof of age, not for policing. The Independent Advisory Group that designed the post drew that line in 2018, confining its recommendation to policing; the review now debates extending it to more criminal-justice bodies, the prison service among them.39 The largest civilian holding in the country is not in the room.

Reaching it needs the other way in: primary legislation, widening the purpose the Commissioner is allowed to watch. That is the same vehicle he is already demanding for live facial recognition. His ask and this one become a single bill. It need not be the policing Code; New Zealand’s example shows a lighter instrument can carry the weight. It needs only to make the holding acknowledged, constrained, audited, governed, and answerable. Do that, and most of the European floor arrives as a side effect, for the price of governing your own house.

Scotland built the regulator the rest of the UK keeps wishing it had, and aimed it at the one part of the problem already under the brightest light. The unwatched faces are not the ones in police custody, which are watched, reviewed and reported to Parliament. They are the millions of faces in a council database, gathered for a bus pass, lifted in childhood from a school camera, called ordinary by the people who hold them, and watched, in any specialist sense, by no one at all.

  1. Police Scotland and the Scottish Police Authority ran a public “national conversation” on live facial recognition in 2025; in August 2025 the force confirmed it would continue to pursue the technology, with a business case not expected before the SPA until 2027. https://www.biometricupdate.com/202602/police-scotland-plans-lfr-business-case-consultation-on-the-way-to-a-decision-spa ↩︎

  2. Scottish Biometrics Commissioner, correspondence with Scottish ministers and the Criminal Justice Committee, 2025-2026, urging primary legislation before any LFR deployment. https://www.biometricupdate.com/202606/scottish-biometrics-commissioner-calls-for-lfr-law-before-police-deployment ↩︎

  3. Scottish Biometrics Commissioner Act 2020 (asp 8), s.2(1). https://www.legislation.gov.uk/asp/2020/8 ↩︎

  4. ibid., s.9(1). A breach of the Code gives rise to no legal action in itself (s.9(3)), and the Commissioner may recommend against a new technology but cannot prohibit it. ↩︎

  5. Scottish Biometrics Commissioner, letter to the Convener of the Criminal Justice Committee, 16 March 2026, urging primary legislation before any LFR deployment (the remit covering only those three bodies is the effect of s.2(1) of the Act); and his December 2025 blueprint to the Home Office warning of a “Biometric Wild West” and against the “bulk washing” of passport and driving-licence images. https://www.biometricscommissioner.scot/media/lzge5aen/letter-to-convenor-criminal-justice-committee-march-2026.pdf ; https://www.biometricupdate.com/202601/scottish-biometrics-commissioner-lays-out-blueprint-for-regulating-police-use-of-biometrics ↩︎

  6. Scottish Biometrics Commissioner, Strategic Plan 2025-29 (four full-time staff; annual budget around £564,000 to £630,000; “no significant expansion”). https://www.biometricscommissioner.scot/publications/ ↩︎

  7. The Ferret, “Biometrics watchdog will lack powers, say critics,” 23 July 2018 (Open Rights Group Scotland and Liam McArthur MSP arguing the remit should reach “biometrics wherever they are found, be it in education, health or retail”). https://www.theferret.scot/scottish-biometrics-commissioner-enforcement-powers/ ↩︎

  8. Scottish Government, freedom of information response 202300344043 (received 19 February 2023, responded 17 March 2023): a section 17(1) notice that it holds no information on facial recognition in schools (“a matter for local authorities”) or across public services. The same response confirms that the digital identity service, and the MyAccount route used for National Entitlement Card applications, use facial recognition (Yoti) for identity verification. https://www.gov.scot/publications/facial-recognition-within-school-and-public-services-foi-release/ ↩︎

  9. Transport Scotland, freedom of information response 202600516361 (8 June 2026): 2,973,029 active National Entitlement Cards, given as the current total (the response states no earlier snapshot date). A copy of the response is held by the author and available on request. ↩︎

  10. Argyll and Bute Council, “National Entitlement Cards: Privacy Statement” (school photograph taken from the SEEMiS system; Card Management System retention “until you advise us you no longer require your card”; “we will only collect personal data about you which does not include any special categories”). The cardholder extract used to verify identity across public services includes the photograph: getyournec.scot Privacy Notice v5 (13 March 2023). https://www.argyll-bute.gov.uk/education-and-learning/national-entitlement-cards-privacy-statement ; https://getyournec.scot/Privacy_Notice_v5.pdf ↩︎

  11. ibid. (Argyll and Bute privacy statement). ↩︎

  12. ibid. (getyournec.scot Privacy Notice v5). ↩︎

  13. National Entitlement Card Scheme, Data Protection Impact Assessment v2.1 (July 2020). https://www.nec.scot/sites/default/files/2021-11/NEC%20Data%20Protection%20Impact%20Assessment.pdf ↩︎

  14. Scottish Government, freedom of information response 202500470823 (2 July 2025), addressing the under-22 free-travel entitlement carried on the National Entitlement Card: data governance rests on standard data-protection compliance (a data protection officer, annual audits, Audit Scotland), with no biometric-specialist oversight body in the chain. The same controllers and card systems serve the wider scheme, and no specialist regulator reaches any civilian layer of it. https://www.gov.scot/publications/foi-202500470823/ ↩︎

  15. Scottish Biometrics Commissioner Act 2020, s.34 (definition of biometric data). Contrast UK GDPR, Article 4(14) and Recital 51: a photograph counts as biometric data only when processed by specific technical means for the purpose of uniquely identifying a person. https://www.legislation.gov.uk/asp/2020/8 ; https://www.legislation.gov.uk/eur/2016/679/article/4 ↩︎

  16. Argyll and Bute Council, “National Entitlement Cards: Privacy Statement”, as cited above (“we will only collect personal data … which does not include any special categories”). ↩︎

  17. National Entitlement Card Scheme, DPIA v2.1 (July 2020), as cited above: police access “takes place on a case by case basis, and each request received from the police is logged”, with “no system access” given. ↩︎

  18. getyournec.scot Privacy Notice v5 (13 March 2023), “How long do we store your data.” Online application data, including the photograph, is deleted sixty days after export to NECPO for most card types, and two years for Young Scot and disabled Young Scot cards retained for PASS proof-of-age audit. This is the application-portal copy only; the Card Management System record is governed separately. https://getyournec.scot/Privacy_Notice_v5.pdf ↩︎

  19. Ms Jenny Paton and others v Poole Borough Council, Investigatory Powers Tribunal (covert surveillance February 2008; ruling 2010). The Protection of Freedoms Act 2012 later required magistrates’ approval for local-authority use of such powers. https://investigatorypowerstribunal.org.uk/judgement/ms-jenny-paton-and-others-vs-poole-borough-council/ ↩︎

  20. S and Marper v United Kingdom (2008) 48 EHRR 50, Application nos 30562/04 and 30566/04, Grand Chamber, 4 December 2008. https://www.bailii.org/eu/cases/ECHR/2008/1581.html ↩︎

  21. R (RMC and FJ) v Commissioner of Police of the Metropolis [2012] EWHC 1681 (Admin); Home Office, Review of the Use and Retention of Custody Images (February 2017). Over 19 million custody images were held on the Police National Database, over 16 million searchable by facial recognition, as at July 2016. https://www.judiciary.uk/wp-content/uploads/JCO/Documents/Judgments/r-rmc-fj-metropolitan-police-commissioner-22062012.pdf ; https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/594463/2017-02-23_Custody_Image_Review.pdf ↩︎

  22. Police.uk reports around 60 million ANPR reads per day with one-year retention; a 2025 Home Office programme document cites around 90 million per day. https://www.police.uk/advice/advice-and-information/rs/road-safety/automatic-number-plate-recognition-anpr/ ↩︎

  23. Information Commissioner’s Office enforcement against Clearview AI (£7.5m penalty, May 2022). A tribunal overturned it on jurisdiction in 2023; the Upper Tribunal restored the Commissioner’s jurisdiction in October 2025, with a further appeal pending. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/10/uk-upper-tribunal-hands-down-judgment-on-clearview-ai-inc/ ↩︎

  24. R (Bridges) v Chief Constable of South Wales Police [2020] EWCA Civ 1058, 11 August 2020. https://www.bailii.org/ew/cases/EWCA/Civ/2020/1058.html ↩︎

  25. Of thirteen forces in England and Wales using live facial recognition, the Metropolitan Police scanned more than 1.7 million faces in the first four months of 2026 (reported May 2026). https://www.biometricupdate.com/202605/will-scotland-be-the-first-nation-to-pass-primary-legislation-covering-live-frt ↩︎

  26. Scottish Biometrics Commissioner, assurance review (2024), estimating Police Scotland held more than three million images across its criminal-history and related systems, and noting the true total is unknown. https://futurescot.com/new-biometrics-report-estimates-police-hold-over-3-million-images-as-commissioner-warns-of-proportionality-risks-of-data-retention/ ↩︎

  27. National Entitlement Card Scheme DPIA v2.1 (July 2020), as cited above: approximately two million individuals hold National Entitlement Card data. ↩︎

  28. Ritchie et al., “Public attitudes towards the use of automatic facial recognition technology in criminal justice systems around the world,” PLoS ONE (2021), https://doi.org/10.1371/journal.pone.0258241. Of 3,124 respondents in the UK, Australia and the USA, about 89% supported police searches for a person who had committed a crime and about 25% supported tracking citizens; across all three countries a majority did not trust government to use the technology responsibly. The recommendation is to set legal boundaries around the use of the technology, not to ban it. ↩︎

  29. Regulation (EU) 2024/1689 (Artificial Intelligence Act), Article 5 prohibitions in force from 2 February 2025. Obligations for the Annex III high-risk category, which includes biometric systems, fell under the Regulation’s general application date of 2 August 2026 (Art 113); the EU ‘digital omnibus’ simplification package, provisionally agreed by the Parliament and Council in May 2026, deferred those obligations to 2 December 2027. https://artificialintelligenceact.eu/article/5/ ; https://www.biometricupdate.com/202605/eu-pushes-ai-act-deadlines-for-high-risk-systems-including-biometrics ↩︎

  30. UK Withdrawal from the European Union (Continuity) (Scotland) Act 2021 (asp 4), s.1 (the “keeping pace” power). https://www.legislation.gov.uk/asp/2021/4 ↩︎

  31. Scotland Act 1998, Schedule 5, Part II, reservation B2 (data protection). Artificial intelligence is not expressly reserved, but the levers to regulate it, including data protection, consumer protection and product safety, largely are. https://www.legislation.gov.uk/ukpga/1998/46/schedule/5 ↩︎

  32. New Zealand Office of the Privacy Commissioner, Biometric Processing Privacy Code 2025 (in force 3 November 2025), issued under the Privacy Act 2020. https://www.privacy.org.nz/privacy-principles/codes-of-practice/biometric-processing-privacy-code/ ↩︎

  33. Digital ID Act 2024 (Australia), in force 30 November 2024 (voluntary; accredited; regulated by the Digital ID Regulator, the role performed by the Australian Competition and Consumer Commission, and the Office of the Australian Information Commissioner); and the defeat of the “Australia Card” national identity proposal in 1987. https://www.legislation.gov.au/C2024A00025/latest/text ↩︎

  34. Estonia operates a national digital identity under the Identity Documents Act; citizens can audit, through a state portal, which bodies have accessed their records. https://privacyinternational.org/case-study/4737/id-systems-analysed-e-estonia ↩︎

  35. Illinois Biometric Information Privacy Act 2008 (740 ILCS 14), giving individuals a private right of action and statutory damages without proof of harm (Rosenbach v Six Flags Entertainment Corp, 2019 IL 123186). https://www.aclu-il.org/campaigns-initiatives/biometric-information-privacy-act-bipa/ ↩︎

  36. In England and Wales there is no statutory code for civilian biometric holdings; the Data Protection and Digital Information Bill (2023) proposed to abolish the police Biometrics and Surveillance Camera Commissioner, which an independent report warned would create “significant gaps” in oversight. The Bill fell with the 2024 general election; the civilian gap it described remains, and a new Commissioner took office in November 2025. https://assets.publishing.service.gov.uk/media/653f7128e6c968000daa9cae/Changes_to_the_functions_of_the_BSCC.pdf ↩︎

  37. Scottish Biometrics Commissioner Act 2020, s.2(7): the bodies subject to the Code may be added to by regulations made by the Scottish Ministers. The power has not been exercised. SBC Annual Report and Accounts 2023/24. https://www.biometricscommissioner.scot/publications/ ↩︎

  38. Scottish Government, Review of the Functions of the Scottish Biometrics Commissioner (consultation paper, ISBN 9781806437603), the post-legislative review under section 6 of the 2020 Act; responses under consideration, 2026. https://www.gov.scot/isbn/9781806437603 ↩︎

  39. Independent Advisory Group on the Use of Biometric Data in Scotland (2018), which recommended a commissioner for policing and criminal justice and noted that oversight ‘in other areas of Government where they feature, for example, health and education, and the private sector’ would be ‘beyond our Terms of Reference’. https://www.gov.scot/publications/report-independent-advisory-group-use-biometric-data-scotland/ ↩︎