Monday, October 21, 2024

FOI Reveals New Police Cloud Guidance from ICO

Police in Scotland have received advice from the Information Commissioner's Office (ICO) on how to ensure that their cloud deployments comply with the data protection laws that apply to law enforcement. However, this guidance does not mean that their deployments have been approved, nor does it guarantee compliance.

The advice, made public under freedom of information (FOI) by the Scottish Police Authority (SPA), was issued more than a year after it was revealed that the Digital Evidence Sharing Capability (DESC) pilot launched by Police Scotland in January 2024 raised significant data protection concerns. The ICO has stated that UK police can legally use public cloud infrastructure, as long as appropriate protections are in place. Specifically, the ICO pointed to the UK's International Data Transfer Agreement (IDTA) or the UK Addendum to the European Union's Standard Contractual Clauses (SCCs) as means of achieving compliance.

While the ICO's advice outlines steps that police forces should take to ensure data protection compliance, there are concerns about whether these measures can effectively protect against US government access to law enforcement data under the CLOUD Act. The ICO has emphasized that it is the responsibility of the data controllers, such as the policing bodies involved in DESC, to determine whether these protections are sufficient to comply with the law.

Legal and policy experts have raised questions about the effectiveness of the ICO’s guidance and whether it adequately addresses the unique data protection requirements for law enforcement under the Data Protection Act (DPA) 2018. There are concerns about the potential risks associated with using cloud services that may not meet these strict regulations.

Overall, while the ICO has provided advice on how to ensure cloud deployments comply with data protection law, it is ultimately up to the policing bodies to conduct their own due diligence and assess the suitability of these measures. The ICO has made it clear that its advice does not guarantee compliance and that it will take regulatory action if any infringements are found.