UK commissioner urges police transparency on cloud biometrics

The burden of proof for the safety of law enforcement agencies using cloud biometrics services lies with the police, UK Biometrics and Surveillance Camera Commissioner Fraser Sampson told Computer Weekly.

Police and related organizations are increasingly using public cloud infrastructure, and must be able to show that doing so complies with specific rules for the protection of law enforcement data, he says. A culture of preserving data among law enforcement agencies, as previously identified by Sampson, makes the protection of stored data all the more important.

A contract for the Digital Evidence Sharing Capability operated by the Scottish government was recently awarded to Axon, and will be hosted on Microsoft Azure, according to the report. The Scottish Police Authority’s Data Protection Impact Assessment cited a concern that the storage of cloud data by U.S. providers could violate the law because the American government could in theory demand access to the biometric data.

UK police have been accused of failing to be adequately transparent about their use of facial recognition by Sampson. Transparency around biometrics is also made more important by the reduction in oversight that appears will be in place if and when Sampson’s position is eliminated as planned.

“Past performance is a good predictor of future performance, and the police rap sheet on data protection and databases isn’t great,” Sampson told Computer Weekly.

The Home Office accidentally lost hundreds of thousands of records, some including biometrics, in 2021, despite years of attempts to get facial images deleted from a database held by the same body.

Law enforcement and justice system agencies should be able to answer questions “immediately and unequivocally,” according to Sampson, as a matter of policy. Agencies should not only put risk mitigation measures in place, but also be ready to respond to questions about them.

“If you want the public to have trust and confidence in your kit and what you’re doing, and your contracted partners, then you have to be able to show that,” he said. “This is not just a nuisance. If people ask these questions of the police, that is not simply a nuisance, and it’s not someone trying to catch them out – it’s an elemental function of leadership and governance in policing that we don’t only respond to these challenge questions, we invite them.”

Sampson also notes the importance of having assurances about how securely data is stored in the cloud, and having control over it, as a matter of importance for national sovereignty. While that does not mean the data needs to be stored in a particular place, it does mean that it should be stored in a particular way.

Article Topics

Biometrics and Surveillance Camera Commissioner  |  cloud services  |  facial recognition  |  Fraser Sampson  |  police  |  UK