Police Scotland did not consult the ICO on high-risk cloud system

cyberfeed.pl 1 week ago


Police Scotland chose not to consult the data regulator before deploying its cloud-based digital evidence-sharing system, despite identifying a number of “high risks” with the data processing, freedom of information (FOI) disclosures have revealed.

The disclosures also show that although the Information Commissioner’s Office (ICO) had previously been informed of the risks and acknowledged them, it was still asking for clarification on their seriousness and on why a formal consultation was not sought nearly three months after the system’s pilot deployment with live personal data.

At the start of April 2023, Computer Weekly revealed the Scottish government’s Digital Evidence Sharing Capability (DESC) service – contracted to body-worn video supplier Axon for delivery and hosted on Microsoft Azure – was being piloted by Police Scotland despite a police watchdog raising concerns about how the use of Azure “would not be legal”.

Specifically, the police watchdog said there were several other unresolved high risks to data subjects, such as US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsoft’s use of generic rather than specific contracts; and Axon’s inability to comply with contractual clauses around data sovereignty.

However, correspondence disclosed under FOI rules between Police Scotland and the ICO now reveals the force believed it was not necessary to formally consult the regulator about DESC because there were “mitigations” in place and there was “ongoing and detailed engagement” with the regulator.

The correspondence also reveals that Police Scotland believed US government access via the Cloud Act would be “unlikely” because the data it holds in Microsoft does not fit the criteria of that legislation. However, Police Scotland added: “There is no known case law to date to illustrate this position.”

The correspondence also reveals that despite being in full view of the high risks through previous meetings with other DESC partners, the ICO was following up with Police Scotland for clarification on the risks and on why there was no formal consultation initiated by the force in April 2023 – nearly three months after the system had already been deployed.

We have worked closely with criminal justice partners to ensure all required data security, protection controls and governance are in place and legally compliant ahead of any national roll-out of the Digital Evidence Sharing Capability system
Police Scotland spokesperson

Computer Weekly contacted Police Scotland about every aspect of the story and every claim made by data protection experts.

“We have worked closely with criminal justice partners to ensure all required data security, protection controls and governance are in place and legally compliant ahead of any national roll-out of the Digital Evidence Sharing Capability system,” said a spokesperson. “We recognise the public interest in DESC data security controls and continue to engage with the Scottish Biometrics Commissioner and the Information Commissioner’s Office as required.”

Computer Weekly also contacted the ICO about why it only sought clarification three months after DESC’s roll-out, especially given it had already been made aware of the high risks through other avenues, but received no response on this point.

“This is a complex issue with several factors to consider, so we have taken the necessary time to review and provide our stakeholders with relevant guidance. We consider that law enforcement agencies may use cloud services that process data outside the UK where appropriate protections are in place,” said an ICO spokesperson.

Ongoing police cloud concerns

Since Computer Weekly revealed in December 2020 that dozens of UK police forces were processing the data of over a million people unlawfully in Microsoft 365, data protection experts and police tech regulators have questioned various aspects of how hyperscale public cloud infrastructure has been deployed by UK police, arguing they are currently unable to comply with the strict law enforcement-specific rules laid out in Part 3 of the Data Protection Act (DPA) 2018.

Computer Weekly then revealed in April 2023 that the Scottish government’s DESC service was being piloted by Police Scotland despite the clear data protection concerns, and that Microsoft, Axon and the ICO were all aware of these issues before processing in DESC began. The risks identified extend to every cloud system used for law enforcement purposes in the UK, as they are governed by the same data protection rules.

In January 2024, in response to questions from Computer Weekly about whether it also uses US-based hyperscale public cloud services for its own law enforcement processing functions, the ICO sent over a bundle of Data Protection Impact Assessments (DPIAs) – 495 pages of them – detailing a number of systems in use by the ICO.

According to these documents, the ICO is explicit that it uses a range of services that sit on Microsoft Azure cloud infrastructure for law enforcement processing purposes. However, it declined to provide any comment on its legal basis for conducting such processing, or on the extent to which its own use of these cloud services has prevented it from reaching a formal position on whether the use of these services conflicts with UK data protection rules.

Other recent FOI disclosures revealed that following Police Scotland’s pilot DESC deployment in January 2023, Microsoft admitted to the Scottish Police Authority (SPA) that it cannot guarantee the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure.

Specifically, it showed that data hosted in Microsoft infrastructure is regularly transferred and processed overseas; that the data processing agreement in place for DESC did not cover UK-specific data protection requirements; and that while the company has the ability to make technical changes to ensure data protection compliance, it is only making these changes for DESC partners and not other policing bodies because “no one else had asked”.

The documents also contain acknowledgments from Microsoft that international data transfers are inherent to its public cloud architecture.

While long-awaited official advice was sent to Police Scotland by the ICO in April 2024 – which details the data protection due diligence required and how it believes police cloud deployment can be made legally compliant – the regulator was clear that its guidance “does not constitute approval for the roll-out or assurance of compliance under data protection law”.

Police Scotland’s mitigations

In line with issues identified by the SPA, Police Scotland’s DPIA for DESC – which was completed and signed off on 19 January 2023, just days before the roll-out on 24 January – showed that two unmitigated high risks remained.

These risks were that sub-processors of Axon are not subject to the terms and conditions, and that the suppliers are subject to the US Cloud Act.

Reaching out to the force for clarification after its pilot deployment, the ICO said: “We note that in the DPIA there seem to be two high risks that have not been reduced but have been ‘accepted’ and we wanted to seek clarity on these.

“In our meeting of 19 January 2023, it was our understanding there were no unmitigatable high risks outstanding and so the processing could go ahead, and the DPIA wouldn’t be submitted to us under Section 65 DPA 2018 but instead it would be provided to us informally.”

Highlighting the two risks, the ICO added: “As you will know, if you have carried out a DPIA that identifies a high risk, and you cannot take any measures to reduce this risk, you need to formally consult with us under Section 65 DPA 2018. You cannot go ahead with the processing until you have done so.”

Responding to the ICO’s request for clarification on the high data protection risks present with DESC in April 2023, Police Scotland’s data protection officer (DPO) noted that “to comply with Part 3, PSoS is clear that law enforcement data (content data) must be stored and processed in the UK at all times.”

The DPO then went on to outline the DESC contract mandates for UK-based data storage and processing, which Axon confirmed in writing: “In delivering this requirement, Axon has partnered with Microsoft to deliver the cloud infrastructure and storage of the DESC solution. Microsoft’s datacentres are located in the UK and are assured to national policing standards set by the Home Office.”

They added that Police Scotland had undertaken due diligence in respect of sections 59, 64 and 69 of Part 3 of the DPA, and that Axon had provided the force with the relevant information.

This includes details of its contract with Microsoft, which states that data will only be processed in the two Police Assured Secure Facilities (PASF)-accredited datacentres in the UK; the relevant sub-processor agreements; and assurances that all sub-processors engaged are subject to the terms and conditions of the contract.

However, in later correspondence between the SPA and Police Scotland, from December 2023, the force’s chief technology officer outlined to the police watchdog’s DPO which of its services “may store and process data outside of the specified geo”, including Azure Cloud Services; Azure Data Explorer (ADX); Language Understanding; Azure Machine Learning; Azure Databricks; Azure Serial Console; and preview, beta and other pre-release services.

In their clarification email to the ICO, the Police Scotland DPO acknowledged that one of Axon’s sub-processors – Twilio SMS – was used three times during the pilot despite the mitigations in place, which included the notification system that alerted the force to its use.

“Mitigations considered for pilot were that Microsoft processes data only in the two PASF-assured datacentres in the UK and data in transit is encrypted. Further diligence is now being undertaken with regards to the specific sub-processor engagement to be in line with the full terms and conditions as per the contract,” they said.

“PSoS recognises the risks described but considers the use of a global cloud supplier is the only real and relevant solution. This is informed by current understanding around the risk and likelihood of our data being exposed in such ways and the need to operate a modern and secure environment for the collection and management of law enforcement content across disparate partners.”

Linking Police Scotland’s approach to Microsoft’s recently disclosed admission that it cannot guarantee UK data sovereignty, independent security consultant Owen Sayers said that while the company should have acted proactively to address the issues with customers when they were flagged to it in early 2019, “the problem is actually down to police forces and other law enforcement bodies who have tried to put legally and operationally particular processing requirements on a commodity hyperscaler cloud platform without properly understanding or caring about its limitations”.

Regarding Police Scotland’s claims that Microsoft processed data in the UK, Sayers said: “We knew this to be a false position, and now we have evidence that it has always been a false position. At the point of Police Scotland discovering this to be the case, they should have stopped processing in DESC – otherwise they would be in breach of the act – and offshoring data.”

Computer Weekly contacted Police Scotland for clarification on when precisely it became aware that Microsoft could not guarantee UK data sovereignty, as well as what actions it took upon this discovery. It did not respond on these points.

Commenting on the last-minute completion of the DPIA by Police Scotland – just five days before the pilot deployment – Nicky Stewart, a former head of IT at the UK Cabinet Office, said: “It’s no time at all. That’s the kind of thing that should’ve been done months in advance if you’re in a complex deployment like that.”

She added: “It smacks of, ‘We’re so deep in this, we haven’t got the time or the money to back out, effectively we’re locked in, therefore, we’re just going to go with it’. It begs the question of how much this to and froing between the ICO and the information assurance people is costing the taxpayer.”

The Cloud Act issue

In their clarification email to the ICO, Police Scotland’s DPO further added: “Any use of the US Cloud Act to access data requires the supplier to decrypt the data, and the supplier confirmed that such a request would be legally challenged by the vendor and the client informed of the request.”

In outlining the specific provisions of the Cloud Act, the DPO noted that any US government attempt to access Police Scotland’s data via an order to Microsoft “would seem unlikely” because it relates to investigations and prosecutions taking place in a different jurisdiction, and would be unlikely to include data on US persons.

“Under the US Cloud Act issue, DESC data could, in theory, be obtained via US orders by warrant, subpoena or court order. Although technically possible, it would seem unlikely that US authorities would compel Axon or Microsoft to disclose data (constituting an international transfer under Part 3 DPA 18) held within the DESC solution,” they said.

“This is unlikely to fit well within the scope of the Cloud Act or Bilateral Agreement and PSoS do not think that it is the intention of the legislation. The Cloud Act is also more specific about what persons it covers. The Act and Bilateral Agreements between two nation states are intended only to be used to target citizens or residents of the country seeking the order. It is therefore unlikely that it extends so far that it could compel the release of data held about DESC partners’ staff and end users, who are unlikely to fit the criteria of a US citizen or resident.”

However, the DPO also noted: “There is no known case law to date to illustrate this position.”

While Police Scotland’s watchdog, the SPA, agreed in its own DPIA that the risk of US government access via the Cloud Act was “unlikely”, it added that “the fallout would be cataclysmic” if it did occur.

It also noted that the encryption keys are held by Axon, meaning “they would be able to decrypt and provide the data, possibly without our knowledge or consent, where compelled by US authorities to do so” – something the DPO does not mention in their clarification.

The FOI disclosures further reveal that Scottish biometrics commissioner Brian Plastow – who has called on the ICO to formally investigate UK police hyperscale public cloud deployments after seeing its cloud advice for policing – also took a very different view of the risks associated with the Cloud Act and unauthorised data access.

In emails from Plastow to two ICO employees – written in August 2023, ahead of an open letter he published in October sharing his concerns with the system – the biometrics commissioner said: “I am certain in my own head that DESC does not comply with the [biometric] Code of Practice in Scotland because the data is not protected from unauthorised access. Any arguments to the contrary are undermined by the fact that data could be accessed (under US law) without the knowledge or consent of Police Scotland.”

In a follow-up from September 2023, which warned the ICO employees of the open letter about to be published, Plastow added: “I think that it is almost inevitable that (regardless of any ICO view on compatibility with UK data protection law) they [Police Scotland] run the risk of being found in breach of rule 10 of the Scottish Code of Practice when we look at this formally over the winter.”

He further outlined his two primary concerns: “A major concern (in terms of the code) is that a third-party contractor (Axon or Microsoft) could surrender Police Scotland data to a foreign jurisdiction without either the knowledge or consent of Police Scotland (regardless of whether that surrender may be lawful under the terms of any US and UK agreement under the US Cloud Act).

“The second major concern is that Microsoft Cloud platforms (including Azure) have quite a poor track record of data leaks and hacks emanating from hostile states like Russia and China. As recently as July [2023], this has resulted in sensitive data (including US government data) being successfully hacked from the cloud.”

In the final follow-up disclosed between Plastow and ICO employees, from October 2023, the commissioner once again highlighted that Police Scotland does not hold its own decryption keys.

“The argument that Police Scotland (and Scottish Government) seem to be rehearsing is that the risks to data sovereignty (and security) through activation of the provisions of the US Cloud Act are low,” he said. “Therefore, they plan to simply tolerate the risk that biometric data (and other sensitive law enforcement data) could be accessed and acquired by a foreign state without their knowledge or consent.”

Commenting on Police Scotland’s breakdown of the Cloud Act provisions, Stewart said the DPO was likely downplaying the risk, at least unknowingly, because they do not account for the past behaviour of US intelligence services like the National Security Agency (NSA), which was revealed by Edward Snowden to be collecting data on millions of non-Americans via an extensive global dragnet; or the potential for the US government to slip into full-blown authoritarianism via a change of government.

“Some deranged president sitting in his prison cell chucking out executive orders to sequester data isn’t beyond the bounds of possibility,” she said, adding that increasing geopolitical instability around the world could also lead to a change in attitudes within the US government, which could make accessing the data seem more permissible.

“You hear arguments around that, depending on who you’re talking to in government, saying, ‘Oh, they’re our allies so it doesn’t matter’.”

Stewart further added that even if the Cloud Act does only apply to US citizens, “look at what the NSA did”.

Computer Weekly contacted Police Scotland about all of these claims but received no specific response.

No request for consultation

In the email’s concluding paragraph, the DPO said no formal consultation was sought with the ICO because “suitable mitigations as outlined were in place and the DPIA was being updated as regularly as possible through consultation with partners, legal practitioners, data protection and security representatives, and regular consultation with ICO for guidance and advice”.

They added that because mitigations were either in place or planned, as well as the “ongoing and detailed engagement” with the ICO, “it was not viewed that a more formal consultation was not required prior to pilot”.

I am not surprised that the ICO has done nothing about this – they’re bending over backwards not to take action against DESC because that would require them to also take action against other forces, and indeed against themselves for breaching the act in the same manner
Owen Sayers, independent security consultant

Given Microsoft’s admission that it cannot guarantee the sovereignty of policing data, even in UK-based datacentres, Sayers said the measures put in place do not mitigate the risks to the rights and interests of the data subjects and that, in any event, not all of the mitigations were put in place prior to the processing of live personal data.

“The fact they were in communication with the ICO, which included a specific direction from the ICO to PSoS that they must not go live with high risks without referral, is a reason why they SHOULD have referred, not why they didn’t,” he said.

“I am, however, not surprised that the ICO has done nothing about this – they’re bending over backwards not to take action against DESC because that would require them to also take action against other forces, and indeed against themselves for breaching the act in the same manner.”

The ICO told Computer Weekly in April 2023 that it had “never given formal regulatory approval for the use of these systems in a law enforcement context” and confirmed in January 2024 that it was also using Microsoft’s hyperscale public cloud architecture for law enforcement processing purposes.

While the recently released correspondence suggests the regulator did not know about the high risks prior to DESC’s deployment, emails from the ICO to DESC partners in December 2023 show these risks were already known to the regulator by that point, as it made clear that these would contravene Sections 59, 64 and 66 of Part 3 of the DPA if they were not resolved.

Earlier Police Scotland exchanges with the ICO, released in a previous round of FOI disclosures, show the force and regulator had meetings in December 2022 and January 2023 in which DESC and its risks were discussed.

Separate correspondence with the SPA – also disclosed under FOI – revealed the regulator mostly agreed with the watchdog’s assessments of the risks, noting that technical support from the US, or US government access via the Cloud Act, would constitute an international data transfer.

“These transfers would be unlikely to meet the conditions for a compliant transfer,” it said. “To avoid a potential infringement of data protection law, we strongly recommend ensuring that personal data remains in the UK by seeking out UK-based tech support.”

However, an ICO email from 20 January 2023 summarised the meetings, noting that the DESC pilot would begin on 24 January and would involve live personal data; that “there will be no international transfers involved in the provision of technical services”; and that Police Scotland is “assured as the controller” that it is meeting all of the law enforcement data protection obligations.

Computer Weekly contacted the ICO for clarification of when precisely it became aware of the high risks, given that it had acknowledged them in December 2023 before reaching out to Police Scotland for further information in April. Computer Weekly also asked what due diligence the regulator had done itself, or whether it was relying solely on assurances from Police Scotland, as well as whether its own use of Azure for law enforcement processing had an impact on its decision-making.

The ICO did not answer any questions about the specifics of this story, citing the “pre-election period of sensitivity”. It has instead forwarded the questions to its information access team as an FOI request.
