Thursday, November 21, 2024

Concerns Over Data Protection Persist in Police Cloud Project Amid Legal Reforms

Nine police forces are on the lookout for a new cloud-based records management system (RMS) to replace their existing one. While the UK is gearing up for changes in data laws, experts warn that if a US cloud giant lands the contract, it could pose significant risks. Sensitive police records are particularly vulnerable under the current UK data protection laws when migrated to US-based systems.

Proposed reforms from the government might allow for easier data transfers to these large American cloud providers, but that could compromise the UK’s ability to maintain data adequacy with the EU. Data sovereignty concerns will still linger. The current RMS, known as Connect, is supplied by NEC through the Athena program and is used by nine forces, including Kent and Essex. It helps these forces share and analyze intelligence efficiently.

The procurement process is still in its early stages, but a contract award is already anticipated for April 2025, with a value estimated at £100 million. This system aims to improve essential policing functions such as case management and investigation. However, experts believe the new RMS will likely be hosted on hyperscale cloud infrastructure, exposing sensitive data to various risks, including potential unauthorized access and issues with US surveillance laws.

The track record of policing bodies regarding data protection raises further concerns. Many experts suggest that police forces must take proactive steps as data controllers before moving forward with the procurement. The new Data Use and Access Bill (DUAB) aims to simplify the legal rules around law enforcement data processing, allowing more direct transfers to hyperscalers. Still, this may hurt the UK’s standing with the EU when it comes to data adequacy.

Computer Weekly has reached out to the respective police forces regarding these data protection issues. A spokesperson from Bedfordshire Police emphasized the importance of data protection in their planning. Similarly, the Home Office gave assurances that security measures would be prioritized when using international cloud providers.

Reports show that the Athena forces are struggling with data transfer inefficiencies and the need for improved communication between the different police records management systems across the UK. Despite recognizing the potential benefits of interconnected systems, reliance on US hyperscale providers poses long-lasting challenges for UK policing.

In previous years, there have been significant compliance breaches when police forces have used cloud services. For example, Police Scotland was testing a digital evidence-sharing system hosted on Microsoft Azure, despite warnings about its legality under UK law. Concerns include the ability of US authorities to access data under current laws like the CLOUD Act.

The implications extend beyond immediate data concerns. Experts point to the broader issue of the UK relying heavily on US tech providers, potentially compromising data sovereignty. There’s a growing sense that this dependence creates inefficiencies in domestic law enforcement, effectively outsourcing critical aspects of data handling to foreign entities.

As the UK government prepares to revise its law enforcement data regulations, these changes might offer a way for hyperscalers to process data with fewer restrictions than currently required. This shift could undermine the safeguards that allow data transfers to adhere to strict privacy laws, raising alarms about compliance with existing EU standards.

In the face of these challenges, police forces are urged to conduct detailed assessments to support lawful data transfers. Experts assert that thorough due diligence is essential, focusing on the nature and risk of the data being shared, ensuring robust protections are in place, and considering the ultimate destination of that data. This foundational work is crucial for maintaining compliance and addressing the persistent vulnerabilities in cloud data management.

With shifting regulatory landscapes ahead, police authorities must balance the need for modern technology solutions with the imperative of securing sensitive data. The conversation around data and sovereignty continues to evolve, underlining the necessity for continuous scrutiny and proactive management in the realm of policing and cloud computing.