Police forces ‘must’ do data protection due diligence checks before using PDS-backed AWS cloud
Police forces across England and Wales are being reminded not to overlook their data protection-related compliance responsibilities when making use of the Police Digital Service’s Amazon-powered cloud platform
Police forces across England and Wales are being cautioned to remember that the onus is on them to ensure their use of the Police Digital Service’s (PDS) Amazon-powered cloud platform is in compliance with Part 3 of the Data Protection Act 2018.
This is in the wake of ongoing concerns about whether police forces across the UK are doing enough to ensure compliance with the required data protection laws before adopting public cloud services.
PDS went public earlier this month with the news that the latest iteration of its Amazon Web Services (AWS)-powered cloud platform is now available for use by all 43 police forces across England and Wales.
The platform, known as the Police Assured Landing Zone (PALZ), is designed to provide forces with access to a suite of tools – spanning online storage, compute capacity and cloud-based collaboration – that will allow them to incorporate cloud technologies into their ICT systems.
“Quick, safe and proportionate data sharing across forces and partners is vital to investigating complex crime and keeping people safe from harm, and PDS is following the government’s ‘cloud-first’ approach, aligned with the Government Cyber Security Strategy to achieve this,” a PDS spokesperson told Computer Weekly.
“The Police Assured Landing Zone provides policing with a reusable, pre-assured design built in partnership with Amazon Web Services, and is one of a number of cloud-based technology providers that the PDS is working with, to assist forces to deliver on the ambitions set out in the National Policing Digital Strategy.”
The PDS is responsible for overseeing the delivery of the National Police Digital Strategy, and the organisation is understood to have begun working with AWS on PALZ in 2020, resulting in the first version of the platform being made available in 2021.
“This collaboration [with AWS] supports the National Policing Digital Strategy’s ambitions of ‘enabling officers and staff’ and ‘empowering the private sector’,” said PDS in a blog post announcing the latest iteration of PALZ on 2 February 2022.
“PDS is working with providers like AWS to offer ‘modernised core technology’, through the adoption of a ‘cloud-first’ principle for the use of applications and data.”
The overarching aim of the National Police Digital Strategy is to ensure the police forces within the PDS’s remit have access to the digital capabilities they need to make better, more efficient use of the data they have at their disposal to solve crimes and protect the public.
To deliver on this goal, the strategy document talks about a need for a “nationally coordinated transition to the cloud” with forces encouraged to adopt a “cloud-first” mentality for applications and data where it makes economic sense to do so.
Independent privacy consultant Owen Sayers, who has more than 20 years’ experience in the delivery of national policing systems, told Computer Weekly that police forces must not overlook their data protection compliance obligations in the rush to abide by the National Police Digital Strategy’s “cloud-first” stance.
“There are dozens of things that [forces] need to analyse in-depth to adopt one of these [public] cloud services, or something sitting on one of these cloud services,” he said.
An important part of these checks is to ensure their proposed cloud implementations align with Part 3 of the Data Protection Act (DPA) 2018, which also requires each force to conduct a data protection impact assessment (DPIA) ahead of deployment.
This specific part of the DPA 2018 sets out, for the first time, specific statutory rules for the processing of personal data by law enforcement entities.
The DPA further stipulates that forces must seek permission before transferring any data internationally to a third country, which means – in the context of PALZ – forces should seek assurances about where the data they host in the cloud will be stored.
Given PALZ is built on the AWS cloud infrastructure, forces can stipulate which region they want to store their data in, which should – Computer Weekly understands – include an option to have it hosted within AWS’s UK datacentre region.
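One way a force can enforce the region choice described above, rather than relying on each account being configured correctly by hand, is an AWS Organizations service control policy (SCP) that denies API requests to any region other than London (eu-west-2). This is an added example and is not part of the article, of PALZ or of any PDS or AWS documentation; it assumes the force’s AWS accounts sit under an organisation to which it can attach SCPs, and that eu-west-2 is the only region it has approved. Global services such as IAM, STS, CloudFront and Route 53 are listed under NotAction because their requests are routed through us-east-1 and would otherwise be blocked.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsOutsideApprovedUKRegion",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*",
        "budgets:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-2"]
        }
      }
    }
  ]
}
```

An SCP constrains API calls made from the accounts it is attached to; it does not by itself establish where a managed service stores or replicates data, so the DPIA should still record each service’s documented storage location and any cross-region behaviour. Resources created before the policy was attached are not moved by it and need a separate inventory check, and any region a force later adds to the allowed list is a change that should be reflected in the DPIA.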
Even so, failing to comply with Part 3 of the DPA 2018 can put organisations at risk of sizeable monetary penalties, which are overseen and enforced by the Information Commissioner’s Office (ICO).
In situations like this, the UK data protection watchdog will initially consult with the organisation to advise them on how to make their operations compliant, while reserving the right to issue two tiers of monetary penalties. These include a “standard maximum penalty” of roughly £9m or 2% of the organisation’s annual turnover, or a “higher maximum” of £18m or 4% of annual turnover. In both cases, the offending organisation will be fined whichever amount is higher.
This is why it is essential that forces do their due diligence before signing up to use PALZ, added Sayers.
“PDS can list and promote these services, but since they are not a competent authority, the DPA 2018 does not apply to them – meaning they have zero liability here,” he said. “It’s the forces who use this service who [risk] breaking the law and it is they who need to do their due diligence of what the PDS is trying to sell to them.”
The PDS said PALZ had been “specifically designed to align with the National Police Chiefs’ Council’s [NPCC] Information Security Principles” and came equipped with “control mapping” documentation that forces can use to “mitigate risks” identified when carrying out their DPIAs.
Computer Weekly contacted both PDS and AWS to clarify if all the data housed within the PALZ would be hosted in the UK, and whether its terms of service align with the UK Data Protection Act 2018 Part 3.
In response, a spokesperson for PDS told Computer Weekly: “PDS is satisfied, having considered all aspects of the complex legislation and guidance affecting this area of business, that our approach with cloud-based tech providers continues to be both lawful and appropriate. PDS has always acted lawfully, taking expert legal advice and consulting with the Information Commissioner’s Office.”
It added: “PDS continues to work with forces around providing advice and support for local DPIA arrangements and helping them to respond to changing circumstances and operational priorities.”
AWS, meanwhile, did not directly address the question, but a spokesperson for the public cloud giant said the organisation and its partners were “proud to be working with the PDS and police forces across the UK”.
“Technology is transforming the way crime is reported and data is managed, making it easier to collaborate with agencies across the UK public sector,” the spokesperson said.
“Adopting cloud is an essential step on the path to accelerating innovation and building the capabilities that UK policing needs to respond with agility to future challenges.”
Read more about use of cloud technologies by UK police
- The roll-out of Microsoft 365 to dozens of UK police forces may be unlawful, because many have failed to conduct data protection checks before deployment and hold no information on their contracts.
- A Lords inquiry into the adoption of advanced algorithmic technologies by police in England and Wales has been told that new tools are being introduced without proper training and with little scrutiny of their impacts.