Scottish Biometrics Commissioner seeks clarity on police cloud data sharing compliance
The Biometrics Commissioner in Scotland, Brian Plastow, is seeking information on whether the deployment by the Scottish police of a cloud-based digital evidence sharing system on a pilot basis complies with data protection elements of his statutory code of practice.
This is contained in an information notice sent to the Head of the Scottish Police Crime, Public Protection and Local Crime, Bex Smith, on 22 April. Plastow says he requires a response on four key questions by 14 June at the latest.
In the notice, Plastow underlines the importance of the Scottish government’s Digital Evidence Sharing Capability (DESC), an initiative which aims to create a unified platform for access to and management of digital evidence by criminal justice stakeholders, and the need for the police to ensure data security and sovereignty.
Plastow appears to have been prompted by two things: a recent report by tech publication ComputerWeekly, which noted that the police had gone ahead with the DESC pilot even without major data protection questions being resolved, and the fact that some of the data shared within the framework of the DESC involves biometrics. UK Biometrics Commissioner Fraser Sampson also weighed in on the need for law enforcement to be transparent about how its use of cloud technology complies with regulations.
He reminds Smith of the stipulations in the statutory Code of Practice which, among other things, prohibit unauthorized access to or disclosure in the way biometric data is obtained, retained, used, or destroyed for criminal justice and policing purposes.
Thus, in order to ensure compliance with the Code of Practice, Plastow asks the police to “demonstrate that any use of hyperscale cloud infrastructure which involves biometric data is compliant with law enforcement-specific data protection rules,” while suggesting that “one of the best ways to do this would be to have a hosting platform that is entirely located in the UK and which meets all the requirements of Part 3 of the Data Protection Act 2018 on processing for law enforcement purposes.”
On whether the police are complying with the data protection elements as prescribed in his code, Plastow also asks to know if and what type of biometric data have so far been exchanged as part of the DESC pilot and in what volume, the country hosting any biometric data which has been shared in the cloud, and if there have been any discussions with the UK Information Commissioner on questions of international transfer of data and digital sovereignty.
The DESC project is contracted to Axon and hosted on Microsoft Azure. This is also a major concern, as it makes access by the U.S. government to the shared data possible through the Cloud Act, which allows the U.S. government access to data stored by any U.S. company in the cloud in the country, according to ComputerWeekly.
Plastow in his annual report last year suggested the police have been responsible in their use of biometric data and related technologies for the purposes of criminal justice and law enforcement.