Scottish biometrics commissioner Brian Plastow is urging the UK data regulator to investigate whether Police Scotland’s cloud-based Digital Evidence Sharing Capability (DESC) complies with data protection laws. This comes after Microsoft admitted it cannot guarantee the sovereignty of UK policing data hosted on the Azure public cloud.
Plastow expressed concern about the uncertainty surrounding police cloud deployments, especially in light of recent criticism of the Information Commissioner’s Office’s (ICO) guidance on police cloud usage. He emphasized the need for a formal investigation to ensure that DESC, which includes biometric data, meets UK data protection requirements.
The issue dates back to April 2023, when it was first reported that the Scottish government’s DESC service, hosted on Microsoft Azure and piloted by Police Scotland, faced legal concerns. The police watchdog raised alarms about potential risks, such as US government access under the Cloud Act, generic contracts, and data sovereignty issues.
Despite these warnings, DESC processing began without resolution of these issues. Plastow issued an information notice to Police Scotland in April 2023, but his concerns persisted. Subsequent revelations in June 2024 confirmed that Microsoft could not guarantee data sovereignty for UK policing data on its cloud infrastructure.
The situation has raised questions about compliance with data protection laws, particularly in regards to biometric data processing. Plastow pointed out the importance of ICO oversight in determining compliance with UK GDPR and the Data Protection Act. He stressed the need for a specific investigation into DESC to address ongoing uncertainties.
Criticism of the ICO’s guidance on police cloud usage has further fueled calls for a thorough investigation. Concerns have been raised about the risks associated with police cloud deployments and the need for robust data protection measures. Plastow highlighted the necessity of ensuring that DESC and similar systems adhere to legal requirements to protect sensitive data.