
Data protection watchdog raises concerns over Police Scotland pilot scheme

Police are using a pilot scheme to store biometric data but the watchdog has concerns about how safely it is being protected. (© Shutterstock / Gorodenkoff)

Scotland’s data protection watchdog for justice has written to Police Scotland amid concerns over the way the force has been storing “significant” amounts of sensitive information, including data from arrests.

The Scottish biometrics commissioner has served Police Scotland with an information notice for operating a pilot scheme in which CCTV and mobile phone footage, as well as digital images that could be used in court cases, are stored on a cloud-based server run by a US company.

The pilot is part of a £33 million Scottish Government initiative to transform how evidence is managed across the justice system, launched by then-justice secretary Humza Yousaf in 2019.

The Digital Evidence Sharing Capability (DESC) is designed to allow users such as police officers, prosecutors, court staff and defence agents to digitally access evidence in a user-friendly way.

However, the biometrics commissioner, Dr Brian Plastow – a former police chief superintendent who is independent of ministers and accountable to MSPs – has written to Police Scotland questioning the legality of the scheme, and the potential for the US Government to access the data.

What is an information notice?

An information commissioner may serve an information notice (IN) on an organisation where it reasonably requires information to assess the security of its network and information systems and the implementation of security policies. The IN will describe the information required, why it is required, how it should be provided and the time period involved.

Plastow told The Sunday Post: “Based on the information so far provided to me by Police Scotland, I am not satisfied that biometric data within the Scottish Government DESC project is being properly protected from unauthorised access.”

The dispute comes as the way in which UK police store data is under increased scrutiny following a recent major data breach in Northern Ireland that compromised personal details of 10,000 staff and serving officers of the country’s police service.

The commissioner said that “highly sensitive” information that could be used in court cases in Scotland is being hosted on a large cloud-based platform by a US-based company which also holds the encryption keys to the data – and said he had concerns that this is not being properly protected from being accessed by a foreign state.

The commissioner’s general function is to support and promote the adoption of lawful, effective, and ethical practices in relation to the acquisition, retention, use and destruction of biometric data for criminal justice and police purposes.

Plastow said: “Specific concerns relate to a United States federal law that allows US federal law enforcement to compel US-headquartered companies via a warrant or subpoena to provide requested data stored on servers, regardless of whether the data is stored in the US or on foreign soil – in this case the UK. In other words, there is a risk US federal authorities could compel the technology supplier to surrender very sensitive Police Scotland data without their knowledge or consent.”

Dr Brian Plastow.

He added: “Biometric data must be protected from unauthorised access. In other words, by using a US-headquartered cloud solution to host sensitive Scottish biometric, and indeed other criminal procedure data, and by not retaining the encryption keys, there is a concern that DESC may contravene both UK Data Protection law and the Scottish Biometrics Commissioner’s Code of Practice.”

The matter has now gone to the UK’s Information Commissioner’s Office for a ruling on the legality of the scheme.

Scottish Liberal Democrat justice spokesperson Liam McArthur MSP said it was “troubling” that Police Scotland have pressed ahead with the pilot while its legal status was still unclear. “This would not be the first time they have rolled out new technology on shaky legal grounds,” he said. “The public will want to know the police are storing evidence and personal data securely and in a way that can’t be abused, especially in light of the fact the US government has sought access to this sort of data before.

“I am glad the commissioner is stepping in to demand answers from Police Scotland and hope this can be swiftly resolved.”

He added: “The commissioner’s powers shouldn’t just be limited to police data, though. The use of biometrics in health, education and the private sector is growing.”

Scottish Labour’s shadow justice spokesperson Pauline McNeill said: “Police Scotland must ensure they are handling this important personal data sensitively and in line with the law.”

Police Scotland confirmed the pilot was still up and running but insisted: “The scope of the digital evidence-sharing capability is limited and does not include fingerprint, bodycam or DNA evidence. Material in the system is limited to CCTV, video doorbell, mobile phone footage and digital images that will potentially be used as productions in summary court cases.

“This has been agreed with our DESC partners – Scottish Government, Crown Office and Procurator Fiscal Service, Scottish Courts and Tribunal Service, and the defence community.”

Police Scotland added: “We continue to engage with the Biometrics Commissioner, the Information Commissioner’s Office and relevant partners as part of our commitment to the ethical use of data in policing.”

‘Best solution would be to build a Scottish-based system’

By Professor Angela Daly, expert in regulation of new (digital) technology

The police hold large amounts of data about their own employees – as exposed in the PSNI leak – and about police processes and investigations.

The need to secure this data properly is also an issue in Scotland, with revelations that the Scottish Government’s Digital Evidence Sharing Capability (DESC) has involved Police Scotland uploading large amounts of images comprising sensitive personal data to Microsoft Azure’s cloud-based system.

As Microsoft is a US-based company, it is subject to the US’s Cloud Act which facilitates US Government access to data stored by US companies in locations throughout the world.

The Scottish Biometrics Commissioner is right to be concerned. Digital evidence is highly sensitive. It is crucial that it is secured and its integrity assured. Indeed, the long-standing Post Office Horizon IT miscarriage of justice shows how important the reliability of digital evidence is for the correct and proper functioning of the legal system, due process and the administering of justice.

The individuals whose data this is, whether police personnel or the public, have privacy and data protection rights which must also be protected in their interactions with the police, and they should not have to worry about foreign law enforcement and security services accessing this data in ways which are not in line with our human-rights-based system.

Offshoring storage to an international cloud service, in particular one run by a foreign company, is not a good means of doing this. Better would be to build Scotland-based systems that can be properly overseen and secured here in Scotland.

While the US is a “friendly” nation, we need to be concerned about the threats to our national security and digital sovereignty that the outsourcing of our digital evidence system in Scotland to a US company poses. Having effective oversight and control can only be achieved by keeping it here in Scotland and not on a US company’s cloud service.