{"id":642110,"date":"2023-04-27T10:05:44","date_gmt":"2023-04-27T15:05:44","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/04\/27\/police-scotland-receive-formal-notice-about-cloud-system\/"},"modified":"2023-04-27T10:05:44","modified_gmt":"2023-04-27T15:05:44","slug":"police-scotland-receive-formal-notice-about-cloud-system","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/04\/27\/police-scotland-receive-formal-notice-about-cloud-system\/","title":{"rendered":"Police Scotland receive formal notice about cloud system"},"content":{"rendered":"<section id=\"content-body\">\n<p>The Scottish biometrics commissioner has served Police Scotland with an information notice, requiring the force to demonstrate that its deployment of a cloud-based digital evidence system complies with the UK\u2019s law enforcement-specific data protection rules.<\/p>\n<p>At the start of April 2023, <a href=\"https:\/\/www.computerweekly.com\/news\/365534023\/Scottish-police-tech-piloted-despite-major-data-protection-issues\">Computer Weekly revealed that the\u202fScottish government\u2019s Digital Evidence Sharing Capability\u202f(DESC) service<\/a> \u2013 contracted to body-worn video provider Axon for delivery and hosted on Microsoft Azure \u2013 is currently being piloted despite major data protection concerns raised by watchdogs about how the use of Azure \u201cwould not be legal\u201d.<\/p>\n<p>According to a Data Protection Impact Assessment (DPIA) by the Scottish Police Authority (SPA) \u2013 which notes the system will be processing genetic and biometric information \u2013 the risks to data subjects\u2019 rights include US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsoft\u2019s use of generic, rather than specific, contracts; and Axon\u2019s inability to comply with contractual clauses around\u202f<a 
href=\"https:\/\/www.computerweekly.com\/feature\/Cloud-storage-data-residency-How-to-achieve-compliance\" target=\"_blank\" rel=\"noopener\">data sovereignty<\/a>.<\/p>\n<p>There is also a concern that transferring personal data to the US, a jurisdiction with\u202f<a href=\"https:\/\/www.computerweekly.com\/news\/252486234\/Schrems-v-Facebook-European-court-strikes-down-EU-US-Privacy-Shield-agreement\" target=\"_blank\" rel=\"noopener\">demonstrably lower data protection standards<\/a>, could in turn negatively impact people\u2019s data rights to rectification, to erasure and not to be subject to automated decision-making.<\/p>\n<p>The SPA DPIA noted that while the risk of US government access via the Cloud Act was \u201cunlikely\u2026 the fallout would be cataclysmic\u201d.<\/p>\n<p>Off the back of Computer Weekly\u2019s reporting on the DESC service, Scottish biometrics commissioner Brian Plastow served Police Scotland (the lead data controller for the system) with an <a href=\"https:\/\/www.biometricscommissioner.scot\/media\/3sbn15vf\/information-notice-under-section-16-sbc-act-on-desc-to-psos-24-april-2023.pdf\">information notice<\/a> on 22 April 2023, which gives the force until mid-June to provide information about its data protection compliance.<\/p>\n<p>The information notice itself directly references Computer Weekly\u2019s DESC coverage. 
\u201cI am now sufficiently concerned about the potential implications of DESC that in accordance with the provisions of section 16 of the Scottish Biometrics Commissioner Act 2020, I must now require Police Scotland to provide me with information so that I can determine whether Police Scotland are complying with the data protection elements of my statutory Code of Practice,\u201d he wrote in the formal notice.<\/p>\n<p>Plastow also outlined specific information he would like to receive, including whether biometric data transfers have taken place; what types have been transferred; in what volumes; and which country the data is being hosted in.<\/p>\n<p>\u201cIf biometric data has been exchanged as part of DESC, please confirm whether Police Scotland is complying fully with Part 3 of the UK Data Protection Act 2018 relevant to law enforcement processing, and with Principle 10 of the Scottish Biometrics Commissioner\u2019s Code of Practice,\u201d he said, referring to a statutory code which took effect in Scotland on 16 November 2022 following approval by the Scottish government.<\/p>\n<p>Principle 10 of the code specifically relates to the promotion of privacy-enhancing technologies, and notes that the way in which biometric data is acquired, retained, used and destroyed must ensure the data is protected from unauthorised access or disclosure.<\/p>\n<p>\u201cTo ensure compliance with the Code of Practice, Police Scotland needs to demonstrate that any use of <a href=\"https:\/\/www.computerweekly.com\/news\/252525242\/Ofcom-turns-its-attention-to-the-hyperscalers\">hyperscale cloud infrastructure<\/a> which involves biometric data is compliant with law enforcement-specific data protection rules,\u201d said Plastow. 
\u201cThe best way to achieve this would be to have a hosting platform that is entirely located in the UK, and which meets all the requirements of Part 3 of the Data Protection Act 2018 on processing for law enforcement purposes.<\/p>\n<p>\u201cIf this is not the case with DESC, then to ensure that public confidence and trust is maintained, Police Scotland needs to explain to citizens what the use of the cloud means for their personal data. This means being open with citizens about what country their data will be stored in and, if the answer to that question is not the UK, to explain the obvious risks of that extremely sensitive data then being accessed either judicially or maliciously.\u201d<\/p>\n<p>Responding to the notice, a Police Scotland spokesperson said: \u201cPolice Scotland takes data management and security very seriously, and is working alongside criminal justice partners to ensure robust, effective and secure processes are in place to support the development of the DESC system.<\/p>\n<p>\u201cAll digital evidence on the DESC system in Dundee is held securely and is only accessible to approved personnel, such as police officers, [Crown Office and Procurator Fiscal Service] COPFS and defence agents. Access to this information is fully audited and monitored, and processes are in place to ensure any data risks are quickly identified, assessed and mitigated. 
We will continue to engage with the Biometrics Commissioner to provide the required assurance regarding data protection and security as the pilot in Dundee progresses.\u201d<\/p>\n<section data-menu-title=\"Lack of regulatory approval\">\n<h3><i data-icon=\"1\"><\/i>Lack of regulatory approval<\/h3>\n<p>Under the notice, Plastow is also seeking information on what discussion took place with the Information Commissioner\u2019s Office (ICO) on questions of international transfers and digital sovereignty, and for Police Scotland to confirm whether all the issues were resolved to the ICO\u2019s satisfaction.<\/p>\n<p>Computer Weekly previously asked the ICO about the prevalence of US cloud providers throughout the UK criminal justice sector, and whether their use is compatible with UK data protection rules, as part of its coverage of the DESC system. The ICO press office was unable to answer, and referred Computer Weekly\u2019s questions to the FOI team for further responses.<\/p>\n<p>On 24 April, the ICO FOI team responded that while it has obtained legal advice on the issue, the matter is ongoing and it has not yet come to a formal position on the matter. The advice itself was withheld, however, as it\u2019s subject to legal professional privilege.<\/p>\n<p>The ICO also confirmed it has \u201cnever given formal regulatory approval for the use of these systems in a law enforcement context\u201d.<\/p>\n<p>However, the\u00a0<a href=\"https:\/\/www.spa.police.uk\/spa-media\/iukpwwpt\/let-20230306-foi-response-2023-015-for-dl.pdf\">SPA\u2019s correspondence with the ICO<\/a> \u2013 also disclosed under FOI \u2013 revealed the regulator largely agreed with its assessments of the risks, noting that technical support from the US or US government access via the Cloud Act would constitute an international data transfer.<\/p>\n<p>\u201cThese transfers would be unlikely to meet the conditions for a compliant transfer,\u201d it said. 
\u201cTo avoid a potential infringement of data protection law, we strongly recommend ensuring that personal data remains in the UK by seeking out UK-based tech support.\u201d<\/p>\n<\/section>\n<section data-menu-title=\"Prior consultation\">\n<h3><i data-icon=\"1\"><\/i>Prior consultation<\/h3>\n<p>In <a href=\"https:\/\/www.whatdotheyknow.com\/r\/d545212e-a3db-4077-bdb1-23b987e59c5d\/response\/2258226\/attach\/4\/23%200424%20Attachment%2005.pdf\">separate correspondence with Police Scotland<\/a> (again disclosed under FOI), the ICO noted: \u201cIf you have a remaining residual high risk in your DPIA that cannot be mitigated, prior consultation with the ICO is required under section 65 DPA 2018. You cannot go ahead with the processing until you have consulted us.\u201d<\/p>\n<p>While Plastow welcomed the strategic objectives of DESC to digitally transform how the Scottish justice system manages evidence, he confirmed that his office was never engaged by either the Scottish government or Police Scotland until a meeting held on 29 November 2022.<\/p>\n<p>At this meeting \u2013 which Plastow himself requested after becoming aware that biometric data could be being shared through the system \u2013 the commissioner\u2019s professional advisory group sought assurances on questions of data security and data sovereignty from Police Scotland.<\/p>\n<p>After a presentation from the force, members of the advisory group requested that the slides regarding DESC were circulated afterwards. 
However, the superintendent delivering the presentation indicated that he would need to consider this request, as some of the slides may contain commercially sensitive information: \u201cThe slide pack was never received.\u201d<\/p>\n<\/section>\n<section data-menu-title=\"A UK-wide issue\">\n<h3><i data-icon=\"1\"><\/i>A UK-wide issue<\/h3>\n<p>The release of the SPA DPIA also brings into question the lawfulness of cloud deployments by policing and criminal justice bodies throughout England and Wales, as a range of other DPIAs seen by Computer Weekly do not assess the risks outlined by the SPA around US cloud providers, despite being governed by the same data protection rules.<\/p>\n<p>In December 2020, for example, a\u202f<a href=\"https:\/\/www.computerweekly.com\/news\/252493673\/UK-police-unlawfully-processing-over-a-million-peoples-data-on-Microsoft-365\" target=\"_blank\" rel=\"noopener\">Computer Weekly investigation<\/a>\u202frevealed that UK police forces were unlawfully processing more than one million people\u2019s personal data \u2013 including biometrics \u2013 on the hyperscale public cloud service Microsoft 365, after failing to comply with key contractual and processing requirements within Part Three of the Data Protection Act 2018, such as restrictions placed on international transfers.\u202f\u00a0<\/p>\n<p>In particular, the DPIAs disclosed to Computer Weekly via Freedom of Information requests showed that the risks of sending sensitive personal data to a US-based company, which is subject to the US government\u2019s intrusive surveillance regime, were not properly considered.\u00a0<\/p>\n<p>Other uses of US cloud providers throughout the UK criminal justice sector include the integration of the Ident1 fingerprint database with Amazon Web Services (AWS) under the Police Digital Services (PDS)\u00a0<a href=\"https:\/\/www.computerweekly.com\/news\/252528242\/Cloud-based-fingerprint-system-for-UK-police-nears-completion\">Xchange cloud 
platform<\/a>; and the HM Courts and Tribunals\u2019 cloud video platform, which is partly hosted on Azure and processes biometric information in the form of audio and video recordings of court proceedings.\u00a0<\/p>\n<p>In mid-April 2023, <a href=\"https:\/\/www.computerweekly.com\/news\/365535411\/UK-biometrics-watchdog-questions-police-cloud-deployments\">the biometrics commissioner for England and Wales, Fraser Sampson, told Computer Weekly<\/a> that UK policing and justice bodies must be able to prove that their increasing use of public cloud infrastructure is compliant with law enforcement-specific data protection rules.<\/p>\n<p>Speaking specifically about the use of hyperscale public cloud providers to store and process sensitive biometric data, Sampson said the \u201cburden of proof is on police as [data] controllers, not just to provide the information and assurances, but also to demonstrate that their processing complies with all the relevant [data protection] requirements\u201d. 
He added that the burden of proof was not just a matter of law, but of governance, accountability and building public trust in how the police are using new technologies.<\/p>\n<p>During an appearance before <a href=\"https:\/\/www.computerweekly.com\/news\/365531873\/UK-police-have-culture-of-retention-around-biometric-data\">Parliament\u2019s\u202fJoint Committee on Human Rights in February 2023<\/a>, Sampson noted there was a \u201cnon-deletion culture\u201d in UK policing when it came to the retention of biometric information.<\/p>\n<\/section>\n<\/section>\n<p><a href=\"https:\/\/www.computerweekly.com\/news\/365535756\/Police-Scotland-receive-formal-notice-about-cloud-system\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Diego Latson<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Scottish biometrics commissioner has served Police Scotland with an information notice, requiring the force to demonstrate that its deployment of a cloud-based digital evidence system complies with the UK\u2019s law enforcement-specific data protection rules. 
At the start of April 2023, Computer Weekly revealed that the\u202fScottish government\u2019s Digital Evidence Sharing Capability\u202f(DESC) service \u2013 contracted to<\/p>\n","protected":false},"author":1,"featured_media":642111,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[294,32471,46],"tags":[],"class_list":{"0":"post-642110","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-police","8":"category-scotland","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/642110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=642110"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/642110\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/642111"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=642110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=642110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=642110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}