UK data regulator should investigate police cloud deployments

Scottish biometrics commissioner Brian Plastow is calling for the UK data regulator to formally investigate whether Police Scotland’s cloud-based Digital Evidence Sharing Capability (DESC) is compliant with data protection laws, after Microsoft disclosed it cannot guarantee the sovereignty of UK policing data hosted in the Azure public cloud.

Plastow told Computer Weekly the Microsoft disclosure, coupled with recent criticism of the Information Commissioner’s Office’s (ICO) long-awaited police cloud guidance, had generated ongoing uncertainty around police cloud deployments and would benefit from a formal investigation.

“I would welcome an investigation by the ICO into whether the specific law enforcement processing arrangements for DESC by Police Scotland and DESC partners in Scotland, which includes biometric data, is fully compliant with UK data protection law,” he said.

Plastow’s comments follow more that a year’s worth of revelations, dating back to April 2023, when Computer Weekly first reported that the Scottish government’s DESC service – contracted to body-worn video provider Axon for delivery and hosted on Microsoft Azure – was being piloted by Police Scotland despite a police watchdog raising concerns about how the use of Azure “would not be legal”.

Specifically, the police watchdog said there were a number of other unresolved high risks to data subjects, such as US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsoft’s use of generic rather than specific contracts; and Axon’s inability to comply with contractual clauses around data sovereignty.

Computer Weekly also revealed that Microsoft, Axon and the ICO were all aware of these issues before processing in the DESC began. The risks identified extend to every cloud system used for a law enforcement purpose in the UK, as they are governed by the same data protection rules.

In the wake of that reporting, Plastow issued Police Scotland with a formal information notice over DESC in April 2023, but noted in October 2023 that the force’s response “did not ameliorate” his concerns around the uploading of sensitive biometric data to DESC.

In June 2024, Computer Weekly then revealed that Microsoft had admitted to Scottish policing bodies that it cannot guarantee the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure.

Microsoft’s admissions also represent an issue for the whole public sector, as previous government information classification schemes specifically prohibited the offshoring of certain data, while the new G-Cloud 14 framework has introduced a UK-only data hosting requirement.

The same month, Computer Weekly also revealed the contents of the ICO’s long-awaited police cloud guidance, which was criticised by data protection experts for being too “generic”; placing all the onus back on forces to essentially figure out how their cloud deployments can be made legally compliant; and not taking into account Microsoft’s admission that it cannot guarantee the sovereignty of UK policing data.

Following the disclosure of Microsoft’s admissions and the ICO advice – both of which were contained in correspondence released under freedom of information rules – Plastow expanded some more on the reasons why a formal investigation is needed.

“Principle 10 of the Scottish Biometrics Commissioner’s Code of Practice approved by the Scottish Parliament in November 2022 also requires Police Scotland to ensure that biometric data is protected from unauthorised access and unauthorised disclosure in accordance with UK GDPR and the Data Protection Act 2018,” said Plastow.

“Therefore, compliance with the ICO requirements is a key compliance feature of the Scottish Code of Practice. However, only the ICO has the statutory authority to determine compliance (or not) with UK data protection law, and it would appear that the ongoing level of uncertainty around DESC is such that it would benefit from specific investigation by the ICO.”

Part of the uncertainty arises from further FOI disclosures that showed Police Scotland chose not to formally consult with the regulator, despite it and other policing bodies identifying a number of “high risks” with the data processing, while the ICO itself did not follow up for clarification on the risks or the lack of consultation for nearly three months after the initial pilot deployment with live personal data.

This is despite the ICO having been made aware of the issues through previous meetings with other DESC partners.

In January 2024, in response to questions from Computer Weekly about whether it also uses US-based hyperscale public cloud services for its own law enforcement processing functions, the ICO sent over a bundle of documents detailing a number of systems in use by the ICO.

According to these documents, the ICO is explicit that it uses a range of services that sit on Microsoft Azure cloud infrastructure for law enforcement processing purposes. However, it has declined to provide any comment on its legal basis for conducting such processing or how it has resolved the Part 3 of the Data Protection Act (DPA) 2018 issues for itself on multiple occasions.

Commenting on Plastow’s call for the ICO to formally investigate the DESC deployment, independent security consultant Owen Sayers said it should be a completely independent process, and that the regulator should be recused from any involvement given its “shonky advice and clear self-interest risk”, claiming “it needs a judicial review or public inquiry in my honest opinion”.

In January 2024, Plastow completed an assurance review on Police Scotland’s handling of biometric data, which estimated that while Police Scotland certainly holds over three million images, the total number of images held is simply unknown.

“There are concerns around the necessity and proportionality of retention policies for images,” he wrote.

“Police Scotland and the SPA [Scottish Police Authority] have established a weeding and retention practice for convicted persons, which follows CHS [Criminal History System] conviction retention periods. This means that there is a risk that images could be retained longer than necessary.

“All reviewed bodies are aware of this issue. Police Scotland’s work on deletion of images not linked to a live prosecution or conviction is ongoing. The SPA FS [Forensic Services] has introduced a manual workaround to ensure weeding is compliant with the 1995 Act and the SBC Code of Practice.”

On DESC, the review noted that at the time of the fieldwork being conducted, Police Scotland was still awaiting legal advice from the ICO on whether its deployment was compliant with UK data protection law.

The ICO previously investigated Police Scotland around its lack of due diligence over mobile phone data extraction, which was introduced by the force without it having completed a data protection impact assessment (DPIA) as required by law.

In the case of mobile phone extraction, the ICO investigated and made six recommendations for improvement to Police Scotland.

Responding to Computer Weekly’s request for comment about Plastow’s call for an investigation, a spokesperson for the ICO said: “We have carefully considered whether competent authorities may use clou-based platforms in compliance with data protection law. Our view is that they may where appropriate protections are in place.

“We have ensured that DESC partners have been provided with guidance on this and have been asked to implement this. Should we have any concerns that DESC has not been implemented in a compliant way, as you would expect this would be considered and actioned in line with our regulatory action policy.”