Scotland’s watchdog sends fresh warning over storing biometric data on Microsoft cloud
Scotland’s data protection watchdog has requested that the Scottish police assess the security of storing biometric data on Microsoft’s servers.
Biometrics Commissioner Brian Plastow wants more information on a platform called Digital Evidence Sharing Capability (DESC). A pilot project, it is testing easier access by police and court employees to images, CCTV footage and other sensitive data used in court cases.
Plastow warned that storing sensitive data of UK citizens on a cloud server run by a United States company opens questions about U.S. government access to Scottish data. The DESC project is run by government contractor Axon and hosted on Microsoft’s Azure.
“Based on the information so far provided to me by Police Scotland, I am not satisfied that biometric data within the Scottish government DESC project is being properly protected from unauthorized access,” he told The Sunday Post.
According to the U.S. Cloud Act, federal law enforcement agencies can compel domestic companies to provide data stored on servers regardless of whether the data is owned by a firm based outside the U.S.
“In other words, there is a risk U.S. federal authorities could compel the technology supplier to surrender very sensitive Police Scotland data without their knowledge or consent,” says Plastow.
Similar concerns have dogged the Scottish Police Authority itself.
This could put the DESC pilot at odds with UK data protection law and the Scottish Biometrics Commissioner’s Code of Practice, the commissioner says. The legality of the scheme is being reviewed by the UK’s information commissioner.
The Scottish police have said that digital evidence-sharing is limited and does not include fingerprint, bodycam or DNA evidence. The pilot is part of a £33 million (US$42 million) Scottish government initiative to transform how evidence is managed across the justice system.
This is not the first time Plastow has sounded an alarm over stored biometric data. Earlier this year, after the commissioner found that the police had stored large amounts of biometric data from arrests on Microsoft servers, the Scottish Police Authority agreed to accept his recommendations. These included better protection of children’s data and increased transparency and “right to information” for data subjects.
The Cloud Act and the question of the U.S. government’s access to foreign citizens’ data are not a concern only in the UK. The U.S. and the EU have spent months trying to reach a deal for the EU-U.S. data privacy framework, with debates centering on concerns about U.S. spy agencies accessing Europeans’ private data. The mechanism is designed to safely transfer European Union citizens’ personal data to the United States, including biometric data.