Scotland’s data protection watchdog for justice has written to Police Scotland amid concerns over the way the force has been storing “significant” amounts of sensitive information, including data from arrests.
The Scottish biometrics commissioner has served Police Scotland with an information notice for operating a pilot scheme in which CCTV and mobile phone footage, as well as digital images that could be used in court cases, are stored on a cloud-based server run by a US company.
The pilot is part of a £33 million Scottish Government initiative to transform how evidence is managed across the justice system, launched by then-justice secretary Humza Yousaf in 2019.
The Digital Evidence Sharing Capability (DESC), is designed to allow users such as police officers, prosecutors, court staff and defence agents to digitally access evidence in a user-friendly way.
However, the biometrics commissioner, Dr Brian Plastow – a former police chief superintendent who is independent of ministers and accountable to MSPs – has written to Police Scotland questioning the legality of the scheme, and the potential for the US Government to access to the data.
What is an information notice?
An information commissioner may serve an information notice (IN) on an organisation where it reasonably requires information to assess the security of its network and information systems; and the implementation of security policies. The IN will describe the information required, why it is required, how it should be provided and the time period involved.
Plastow told The Sunday Post: “Based on the information so far provided to me by Police Scotland, I am not satisfied that biometric data within the Scottish Government DESC project is being properly protected from unauthorised access.”
The dispute comes as the way in which UK police store data is under increased scrutiny following a recent major data breach in Northern Ireland that compromised personal details of 10,000 staff and serving officers of the country’s police service.
The commissioner said that “highly sensitive” information that could be used in court cases in Scotland is being hosted on a large cloud-based platform by a US-based company which also holds the encryption keys to the data – and said he had concerns that this is not being properly protected from being accessed by a foreign state.
The commissioner’s general function is to support and promote the adoption of lawful, effective, and ethical practices in relation to the acquisition, retention, use and destruction of biometric data for criminal justice and police purposes.
Plastow said: “Specific concerns relate to a United States federal law that allows US federal law enforcement to compel US-headquartered companies via a warrant or subpoena to provide requested data stored on servers, regardless of whether the data is stored in the US or on foreign soil – in this case the UK. In other words, there is a risk US federal authorities could compel the technology supplier to surrender very sensitive Police Scotland data without their knowledge or consent.”
He added: “Biometric data must be protected from unauthorised access. In other words, by using a US-headquartered cloud solution to host sensitive Scottish biometric, and indeed other criminal procedure data, and by not retaining the encryption keys, there is a concern that DESC may contravene both UK Data Protection law and the Scottish Biometrics Commissioners Code of Practice.”
The matter has now gone to the UK’s Information Commissioner’s Office for a ruling on the legality of the scheme.
Scottish Liberal Democrat justice spokesperson Liam McArthur MSP said it was “troubling” that Police Scotland have pressed ahead with the pilot while its legal status was still unclear. “This would not be the first time they have rolled out new technology on shaky legal grounds,” he said. “The public will want to know the police are storing evidence and personal data securely and in a way that can’t be abused, especially in light of the fact the US government has sought access to this sort of data before.
“I am glad the commissioner is stepping in to demand answers from Police Scotland and hope this can be swiftly resolved.”
He added: “The commissioner’s powers shouldn’t just be limited to police data, though. The use of biometrics in health, education and the private sector is growing.”
Scottish Labour’s shadow justice spokesperson Pauline McNeill said: “Police Scotland must ensure they are handling this important personal data sensitively and in line with the law.”
Police Scotland confirmed the pilot was still up and running but insisted: “The scope of the digital evidence-sharing capability is limited and does not include fingerprint, bodycam or DNA evidence. Material in the system is limited to CCTV, video doorbell, mobile phone footage and digital images that will potentially be used as productions in summary court cases.
“This has been agreed with our DESC partners – Scottish Government Crown Office and Procurator Fiscal Service, Scottish Courts and Tribunal Service, and the defence community.”
Police Scotland added: “We continue to engage with the Biometrics Commissioner, the Information Commissioner’s Office and relevant partners as part of our commitment to the ethical use of data in policing.”
‘Best solution would be to build a Scottish-based system’
By Professor Angela Daly, expert in regulation of new (digital) technology
The police hold large amounts of data about their own employees – as exposed in the PSNI leak – and about police processes and investigations.
The need to secure this data properly is also an issue in Scotland, with revelations that the Scottish Government’s Digital Evidence Sharing Capability (DESC) has involved Police Scotland uploading large amounts of images comprising sensitive personal data to Microsoft Azure’s cloud-based system.
As Microsoft is a US-based company, it is subject to the US’s Cloud Act which facilitates US Government access to data stored by US companies in locations throughout the world.
The Scottish Biometrics Commissioner is right to be concerned. Digital evidence is highly sensitive. It is crucial that it is secured and its integrity assured. Indeed, the long-standing Post Office Horizon IT miscarriage of justice shows how important the reliability of digital evidence is for the correct and proper functioning of the legal system, due process and the administering of justice.
The individuals whose data this is, whether police personnel or the public, have privacy and data protection rights which must also be protected in their interactions with the police, and they should not have to worry about foreign law enforcement and security services accessing this data in ways which are not in line with our human-rights-based system.
Offshoring storage to an international cloud service, in particular one run by a foreign company, is not a good means of doing this. Better would be to build Scotland-based systems that can be properly overseen and secured here in Scotland.
While the US is a “friendly” nation, we need to be concerned about the threats to our national security and digital sovereignty that the outsourcing of our digital evidence system in Scotland to a US company poses. Having effective oversight and control can only be achieved by keeping it here in Scotland and not on a US company’s cloud service.
Enjoy the convenience of having The Sunday Post delivered as a digital ePaper straight to your smartphone, tablet or computer.
Subscribe for only £5.49 a month and enjoy all the benefits of the printed paper as a digital replica.Subscribe