Sunday, October 20, 2024

ICO was not consulted by Police Scotland regarding high-risk cloud system

Police Scotland did not consult with the data regulator before deploying its cloud-based digital evidence-sharing system, despite identifying significant risks with the data processing, according to freedom of information disclosures.

The ICO had previously been informed of the risks associated with the system, but a formal consultation was not sought until nearly three months after the system was deployed with live personal data. Police Scotland believed that the mitigations in place and its ongoing engagement with the regulator made formal consultation unnecessary. It also believed that US government access via the CLOUD Act was unlikely due to the nature of the data held in Microsoft.

Police Scotland stated that they had worked closely with criminal justice partners to ensure data security, protection controls, and governance were legally compliant before any national rollout of the system.

The issues related to Police Scotland’s deployment of the digital evidence-sharing system highlight concerns about the use of hyperscale public cloud infrastructure by UK law enforcement agencies and the challenges of complying with data protection regulations. Despite assurances from Police Scotland and Axon, concerns remain about the security and sovereignty of data processed in the system.

US government access via the CLOUD Act was considered unlikely, but it could have serious consequences if it were to occur. The ICO and other watchdogs raised concerns about the potential for unauthorized data access and the implications for data sovereignty and security.

Despite the known risks, Police Scotland did not seek formal consultation with the ICO before deploying the system. Independent security experts criticized this decision and raised concerns about the lack of adequate mitigations in place to protect data subjects.

While the ICO acknowledged the risks associated with the system, it did not take formal regulatory action before or after deployment, leading to questions about the effectiveness of data protection oversight in this context. The regulator’s use of Microsoft’s cloud services for law enforcement processing also raises questions about potential conflicts of interest and regulatory compliance.

Overall, the issues surrounding Police Scotland’s deployment of the digital evidence-sharing system highlight the complex challenges of using cloud-based solutions for law enforcement purposes and the importance of robust data protection measures to safeguard privacy and security.