The Scottish biometrics commissioner, Brian Plastow, is urging the UK data regulator to conduct a formal investigation into whether Police Scotland’s cloud-based Digital Evidence Sharing Capability (DESC) complies with data protection laws. This call comes after Microsoft revealed that it cannot guarantee the sovereignty of UK policing data hosted in the Azure public cloud.
Plastow expressed concerns about the uncertainty surrounding police cloud deployments, especially in light of recent criticism of the Information Commissioner’s Office (ICO) police cloud guidance. He believes that a formal investigation by the ICO into the law enforcement processing arrangements for DESC by Police Scotland and DESC partners in Scotland is necessary to ensure compliance with UK data protection law.
The revelations about the DESC service being piloted by Police Scotland on Microsoft Azure, despite concerns raised by a police watchdog, have raised red flags about data sovereignty and potential risks to data subjects. These issues extend to all cloud systems used for law enforcement purposes in the UK.
Plastow had previously issued Police Scotland with a formal information notice over DESC and expressed ongoing concerns about the uploading of sensitive biometric data to the system. The disclosure that Microsoft cannot guarantee the sovereignty of UK policing data hosted on its public cloud infrastructure further underscores the need for a thorough investigation.
The ICO’s police cloud guidance has also come under scrutiny for being too generic and not addressing the specific challenges posed by Microsoft’s admissions. Plastow emphasized the importance of compliance with data protection laws and called for the ICO to investigate the DESC deployment.
Independent security consultant Owen Sayers echoed the need for an independent investigation into DESC, citing concerns about the regulator’s advice and self-interest risks. He suggested that a judicial review or public inquiry may be necessary to address these issues.
In a recent assurance review, Plastow highlighted concerns about Police Scotland’s handling of biometric data, including uncertainties around retention policies for images. He also noted that Police Scotland was awaiting legal advice from the ICO on the compliance of its DESC deployment with UK data protection law.
The ICO’s previous investigation into Police Scotland’s mobile phone data extraction practices, which resulted in recommendations for improvement, underscores the importance of ensuring compliance with data protection laws in law enforcement activities.
In response to calls for an investigation, the ICO stated that competent authorities may use cloud-based platforms in compliance with data protection laws as long as appropriate protections are in place. The ICO has provided guidance to DESC partners and will take action if any concerns about non-compliance arise.