Police Scotland receive formal notice about cloud system
The Scottish biometrics commissioner has served Police Scotland with an information notice, requiring the force to show that its deployment of a cloud-based digital evidence system complies with the UK’s law enforcement-specific data protection rules.
At the start of April 2023, Computer Weekly revealed that the Scottish government’s Digital Evidence Sharing Capability (DESC) service – contracted to body-worn video supplier Axon for delivery and hosted on Microsoft Azure – is currently being piloted despite major data protection concerns raised by watchdogs about how the use of Azure “would not be legal”.
According to a Data Protection Impact Assessment (DPIA) by the Scottish Police Authority (SPA) – which notes the system will likely be processing genetic and biometric information – the risks to data subjects’ rights include US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US companies in the cloud; Microsoft’s use of generic, rather than specific, contracts; and Axon’s inability to comply with contractual clauses around data sovereignty.
There is also a concern that transferring personal data to the US, a jurisdiction with demonstrably lower data protection standards, could in turn negatively impact people’s data rights to rectification, erasure and not to be subject to automated decision-making.
The SPA DPIA noted that the risk of US government access via the Cloud Act was “unlikely … the fallout would be cataclysmic”.
Off the back of Computer Weekly’s reporting on the DESC service, Scottish biometrics commissioner Brian Plastow served Police Scotland (the lead data controller for the system) an information notice on 22 April 2023, which gives the force until mid-June to provide information about its data protection compliance.
The information notice itself directly references Computer Weekly’s DESC coverage. “I am now sufficiently concerned about the potential implications of DESC that in accordance with the provisions of section 16 of the Scottish Biometrics Commissioner Act 2020, I must now require Police Scotland to provide me with information so that I can determine whether Police Scotland are complying with the data protection elements of my statutory Code of Practice,” he wrote in the formal notice.
Plastow also outlined specific information he would like to receive, including whether biometric data transfers have taken place; what types have been transferred; in what volumes; and which country the data is being hosted in.
“If biometric data has been exchanged as part of DESC, please confirm whether Police Scotland is complying fully with Part 3 of the UK Data Protection Act 2018 relevant to law enforcement processing, and with Principle 10 of the Scottish Biometrics Commissioner’s Code of Practice,” he said, referring to a statutory code which took effect in Scotland on 16 November 2022 following approval by the Scottish government.
Principle 10 of the code specifically relates to the promotion of privacy-enhancing technologies, and notes that the way in which biometric data is acquired, retained, used and destroyed must ensure the data is protected from unauthorised access or disclosure.
“To ensure compliance with the Code of Practice, Police Scotland needs to demonstrate that any use of hyperscale cloud infrastructure which involves biometric data is compliant with law enforcement-specific data protection rules,” said Plastow. “The best way to achieve this would be to have a hosting platform that is entirely located in the UK, and which meets all the requirements of Part 3 of the Data Protection Act 2018 on processing for law enforcement purposes.
“If this is not the case with DESC, then to ensure that public confidence and trust is maintained, Police Scotland needs to explain to citizens what the use of the cloud means for their personal data. This means being open with citizens about what country their data will be stored in and, if the answer to that question is not the UK, to explain the obvious risks of that extremely sensitive data then being accessed either judicially or maliciously.”
Responding to the notice, a Police Scotland spokesperson said: “Police Scotland takes data management and security very seriously, and is working alongside criminal justice partners to ensure robust, effective and secure processes are in place to support the development of the DESC system.
“All digital evidence on the DESC system in Dundee is held securely and is only accessible to approved personnel, such as police officers, [Crown Office and Procurator Fiscal Service] COPFS and defence agents. Access to this information is fully audited and monitored, and processes are in place to ensure any data risks are quickly identified, assessed and mitigated. We will continue to engage with the Biometrics Commissioner to provide the required assurance regarding data protection and security as the pilot in Dundee progresses.”
Lack of regulatory approval
Under the notice, Plastow is also seeking information on what discussion took place with the Information Commissioner’s Office (ICO) on questions of international transfers and digital sovereignty, and for Police Scotland to confirm whether all the issues were resolved to the ICO’s satisfaction.
Computer Weekly previously asked the ICO about the prevalence of US cloud providers throughout the UK criminal justice sector, and whether their use is compatible with UK data protection rules, as part of its coverage of the DESC system. The ICO press office was unable to answer, and referred Computer Weekly’s questions to the FOI team for further responses.
On 24 April, the ICO FOI team responded that while it has received legal advice on the issue, the matter is ongoing and it has not yet come to a formal position on the matter. The advice itself was withheld, however, as it is subject to legal professional privilege.
The ICO also confirmed it has “never given formal regulatory approval for the use of these systems in a law enforcement context”.
However, the SPA’s correspondence with the ICO – also disclosed under FOI – revealed the regulator largely agreed with its assessments of the risks, noting that technical support from the US or US government access via the Cloud Act would constitute an international data transfer.
“These transfers would be unlikely to meet the conditions for a compliant transfer,” it stated. “To avoid a potential infringement of data protection law, we strongly recommend ensuring that personal data remains in the UK by seeking out UK-based tech support.”
Prior consultation
In separate correspondence with Police Scotland (again disclosed under FOI), the ICO noted: “If you have a remaining residual high risk in your DPIA that cannot be mitigated, prior consultation with the ICO is required under section 65 DPA 2018. You cannot go ahead with the processing until you have consulted us.”
While Plastow welcomed the strategic goals of DESC to digitally transform how the Scottish justice system manages evidence, he confirmed that his office was never engaged by either the Scottish government or Police Scotland until a meeting held on 29 November 2022.
At this meeting – which Plastow himself requested after becoming aware that biometric data might be being shared through the system – the commissioner’s professional advisory group sought assurances on questions of data protection and data sovereignty from Police Scotland.
After a presentation from the force, members of the advisory group requested that the slides relating to DESC be circulated afterwards. However, the superintendent delivering the presentation indicated that he would need to consider this request, as some of the slides may contain commercially sensitive information: “The slide pack was never received.”
A UK-wide concern
The release of the SPA DPIA also brings into question the lawfulness of cloud deployments by policing and criminal justice bodies throughout England and Wales, as a range of other DPIAs seen by Computer Weekly do not assess the risks outlined by the SPA around US cloud providers, despite being governed by the same data protection rules.
In December 2020, for example, a Computer Weekly investigation revealed that UK police forces were unlawfully processing more than one million people’s personal data – including biometrics – on the hyperscale public cloud service Microsoft 365, after failing to comply with key contractual and processing requirements in Part Three of the Data Protection Act 2018, such as restrictions placed on international transfers.
In particular, the DPIAs disclosed to Computer Weekly via Freedom of Information requests showed the risks of sending sensitive personal data to a US-based company, which is subject to the US government’s intrusive surveillance regime, were not properly considered.
Other uses of US cloud providers throughout the UK criminal justice sector include the integration of the Ident1 fingerprint database with Amazon Web Services (AWS) under the Police Digital Services (PDS) Xchange cloud platform, and the HM Courts and Tribunals’ cloud video platform, which is partly hosted on Azure and processes biometric information in the form of audio and video recordings of court proceedings.
In mid-April 2023, the biometrics commissioner for England and Wales, Fraser Sampson, told Computer Weekly that UK policing and justice bodies must be able to prove their increasing use of public cloud infrastructure is compliant with law enforcement-specific data protection rules.
Speaking specifically about the use of hyperscale public cloud providers to store and process sensitive biometric data, Sampson said the “burden of proof is on police as [data] controllers, not just to provide the information and assurances, but also to demonstrate that their processing complies with all the relevant [data protection] requirements”. He added that the burden of proof was not just a matter of law, but of governance, accountability and building public trust in how the police are using new technologies.
During an appearance before Parliament’s Joint Committee on Human Rights in February 2023, Sampson noted there was a “non-deletion culture” in UK policing when it came to the retention of biometric information.