Connect with us

Tech News

UK data regulator should investigate police cloud deployments

Published

on

UK data regulator should investigate police cloud deployments

Scottish biometrics commissioner Brian Plastow is calling for the UK data regulator to formally investigate whether Police Scotland’s cloud-based Digital Evidence Sharing Capability (DESC) is compliant with data protection laws, after Microsoft disclosed it cannot guarantee the sovereignty of UK policing data hosted in the Azure public cloud.

Plastow told Computer Weekly the Microsoft disclosure, coupled with recent criticism of the Information Commissioner’s Office’s (ICO) long-awaited police cloud guidance, had generated ongoing uncertainty around police cloud deployments and would benefit from a formal investigation.

“I would welcome an investigation by the ICO into whether the specific law enforcement processing arrangements for DESC by Police Scotland and DESC partners in Scotland, which includes biometric data, is fully compliant with UK data protection law,” he said.

Plastow’s comments follow more that a year’s worth of revelations, dating back to April 2023, when Computer Weekly first reported that the Scottish government’s DESC service – contracted to body-worn video provider Axon for delivery and hosted on Microsoft Azure – was being piloted by Police Scotland despite a police watchdog raising concerns about how the use of Azure “would not be legal”.

Specifically, the police watchdog said there were a number of other unresolved high risks to data subjects, such as US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsoft’s use of generic rather than specific contracts; and Axon’s inability to comply with contractual clauses around data sovereignty.

Computer Weekly also revealed that Microsoft, Axon and the ICO were all aware of these issues before processing in the DESC began. The risks identified extend to every cloud system used for a law enforcement purpose in the UK, as they are governed by the same data protection rules.

See also  Russia Blocks Signal App Citing Violation Of Laws

In the wake of that reporting, Plastow issued Police Scotland with a formal information notice over DESC in April 2023, but noted in October 2023 that the force’s response “did not ameliorate” his concerns around the uploading of sensitive biometric data to DESC.

In June 2024, Computer Weekly then revealed that Microsoft had admitted to Scottish policing bodies that it cannot guarantee the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure.

Microsoft’s admissions also represent an issue for the whole public sector, as previous government information classification schemes specifically prohibited the offshoring of certain data, while the new G-Cloud 14 framework has introduced a UK-only data hosting requirement.

The same month, Computer Weekly also revealed the contents of the ICO’s long-awaited police cloud guidance, which was criticised by data protection experts for being too “generic”; placing all the onus back on forces to essentially figure out how their cloud deployments can be made legally compliant; and not taking into account Microsoft’s admission that it cannot guarantee the sovereignty of UK policing data.

Following the disclosure of Microsoft’s admissions and the ICO advice – both of which were contained in correspondence released under freedom of information rules – Plastow expanded some more on the reasons why a formal investigation is needed.

“Principle 10 of the Scottish Biometrics Commissioner’s Code of Practice approved by the Scottish Parliament in November 2022 also requires Police Scotland to ensure that biometric data is protected from unauthorised access and unauthorised disclosure in accordance with UK GDPR and the Data Protection Act 2018,” said Plastow.

“Therefore, compliance with the ICO requirements is a key compliance feature of the Scottish Code of Practice. However, only the ICO has the statutory authority to determine compliance (or not) with UK data protection law, and it would appear that the ongoing level of uncertainty around DESC is such that it would benefit from specific investigation by the ICO.”

See also  With the right tools and strategy, public cloud should be safe to use

Part of the uncertainty arises from further FOI disclosures that showed Police Scotland chose not to formally consult with the regulator, despite it and other policing bodies identifying a number of “high risks” with the data processing, while the ICO itself did not follow up for clarification on the risks or the lack of consultation for nearly three months after the initial pilot deployment with live personal data.

This is despite the ICO having been made aware of the issues through previous meetings with other DESC partners.

In January 2024, in response to questions from Computer Weekly about whether it also uses US-based hyperscale public cloud services for its own law enforcement processing functions, the ICO sent over a bundle of documents detailing a number of systems in use by the ICO.

According to these documents, the ICO is explicit that it uses a range of services that sit on Microsoft Azure cloud infrastructure for law enforcement processing purposes. However, it has declined to provide any comment on its legal basis for conducting such processing or how it has resolved the Part 3 of the Data Protection Act (DPA) 2018 issues for itself on multiple occasions.

Commenting on Plastow’s call for the ICO to formally investigate the DESC deployment, independent security consultant Owen Sayers said it should be a completely independent process, and that the regulator should be recused from any involvement given its “shonky advice and clear self-interest risk”, claiming “it needs a judicial review or public inquiry in my honest opinion”.

In January 2024, Plastow completed an assurance review on Police Scotland’s handling of biometric data, which estimated that while Police Scotland certainly holds over three million images, the total number of images held is simply unknown.

See also  Google Cloud MFA enforcement meets with approval

“There are concerns around the necessity and proportionality of retention policies for images,” he wrote.

“Police Scotland and the SPA [Scottish Police Authority] have established a weeding and retention practice for convicted persons, which follows CHS [Criminal History System] conviction retention periods. This means that there is a risk that images could be retained longer than necessary.

“All reviewed bodies are aware of this issue. Police Scotland’s work on deletion of images not linked to a live prosecution or conviction is ongoing. The Forensic Services (FS) of the SPA has implemented a manual solution to ensure that weeding practices adhere to the 1995 Act and the SBC Code of Practice.

During the review on DESC, it was observed that Police Scotland was still awaiting legal guidance from the ICO regarding the compliance of its deployment with UK data protection laws.

Previously, the ICO had investigated Police Scotland for their lack of diligence in mobile phone data extraction, which was introduced without a mandatory data protection impact assessment (DPIA).

In the case of mobile phone extraction, the ICO conducted an investigation and provided six recommendations for Police Scotland to enhance their practices.

In response to Computer Weekly’s inquiry about Plastow’s request for an investigation, an ICO spokesperson stated that competent authorities can utilize cloud-based platforms in accordance with data protection laws if appropriate safeguards are in place.

The DESC partners were given guidance on this matter and instructed to implement it. Any concerns regarding non-compliance with DESC would be addressed according to the ICO’s regulatory action policy.

Trending