ICO police cloud guidance published under FOI

cyberfeed.pl, 3 months ago


The Information Commissioner’s Office (ICO) has provided Police Scotland with advice on how to make its cloud deployments comply with police-specific data protection law, but notes that the guidance “does not constitute approval for the roll-out or assurance of compliance”.

Released by the Scottish Police Authority (SPA) under freedom of information (FOI), the advice sent to Police Scotland – which comes over a year after Computer Weekly revealed its Digital Evidence Sharing Capability (DESC) pilot had been rolled out with major data protection concerns in January 2024 – provides further detail on the ICO’s stance that UK police can legally use hyperscale public cloud infrastructure.

While the regulator previously confirmed to Computer Weekly in January 2024 that it believed UK police can legally use cloud services that send sensitive law enforcement data overseas with “appropriate protections” in place, it declined to specify what those protections are.

The advice released under FOI now clarifies that the ICO believes compliance can be achieved through the use of international data transfer mechanisms, namely the UK’s International Data Transfer Agreement (IDTA) or the UK Addendum to the European Union’s Standard Contractual Clauses (SCCs).

The ICO advice – signed by deputy commissioner Emily Keaney – further explains the kinds of data protection due diligence it believes police forces must carry out to ensure that data flows are properly mapped and authorised, and also clarifies the pathways through which the US government can access policing data via the Cloud Act, which allows US authorities to obtain data from communication providers within its jurisdiction under certain circumstances.

However, data protection experts have questioned the viability of these routes, arguing it is not clear how the ICO has concluded that these controls – which are rooted in the UK General Data Protection Regulation (GDPR) – can also be applied to the stricter law enforcement-specific rules laid out in Part 3 of the Data Protection Act (DPA) 2018, or whether these mechanisms can in fact prevent US government access.

Despite forces looking to the ICO for guidance on the matter, the regulator was also clear that it is up to the data controllers themselves (i.e. the policing bodies involved in DESC) to decide for themselves whether these protections would in fact make the data retention and processing taking place lawful. “The ICO actually said that if you rely upon the advice and it turns out to be wrong, or you are found to have breached the Act, they can and will still prosecute,” said independent security consultant Owen Sayers, to whom the guidance was disclosed under FOI. “So, it’s about as useful as a sunroof in a submarine.”

Legal responsibilities

Commenting on the ICO advice, Mariano delli Santi, legal and policy officer at Open Rights Group, said that while policing bodies have legal responsibilities as controllers to conduct all of their own due diligence – and should be expected to do so – the regulator also has a duty to supervise how public authorities are using these systems. “It doesn’t really seem like the ICO is scrutinising international data transfer issues in this area,” he said, adding that the ICO must take an active interest in pushing policing bodies to apply the law. “How are they supervising? What audits have they carried out of public authorities relying on these systems?”

Based on the same set of FOI disclosures, Computer Weekly previously reported details of discussions between Microsoft and the SPA in which the tech giant admitted it cannot guarantee the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure.

Specifically, it showed that data hosted on Microsoft infrastructure is routinely transferred and processed overseas; that the data processing agreement in place for DESC did not cover UK-specific data protection requirements; and that while the company has the ability to make technical changes to ensure data protection compliance, it is only prepared to make these changes for DESC partners and not for other policing bodies, because “no-one else had asked”.

The documents also contain acknowledgements from Microsoft that international data transfers are inherent to its public cloud architecture, and that limiting transfers based on individual approvals by a police force – as required under DPA Part 3 – “cannot be operationalised”.

Computer Weekly contacted the ICO about every aspect of the FOI disclosures – including whether Microsoft’s admissions about data sovereignty would change its advice – but it declined to answer any specific questions, on the basis that it is prevented from doing so by the “pre-election period of sensitivity”.

However, a spokesperson for the ICO said: “This is a complex issue with several factors to consider, so we have taken the necessary time to review and provide our stakeholders with relevant guidance. We consider that law enforcement agencies may use cloud services that process data outside the UK where appropriate protections are in place.

“Data protection legislation is a risk-based framework which requires all organisations to be accountable for the personal information they process,” they said. “We expect all organisations, including law enforcement agencies, to appropriately assess and manage any risks associated with their own processing of personal information. We have carefully considered compliance in this area and continue to provide advice to law enforcement agencies across the UK on using technologies in a way that complies with data protection law.”

Ongoing police cloud concerns

Since Computer Weekly revealed in December 2020 that dozens of UK police forces were processing over a million people’s data unlawfully in Microsoft 365, data protection experts and police tech regulators have questioned various aspects of how hyperscale public cloud infrastructure has been deployed by UK policing, arguing that such deployments are currently unable to comply with the strict law enforcement-specific rules laid out in the DPA.

At the start of April 2023, Computer Weekly then revealed that the Scottish government’s Digital Evidence Sharing Capability (DESC) service – contracted to body-worn video supplier Axon for delivery and hosted on Microsoft Azure – was being piloted by Police Scotland despite a police watchdog raising concerns that the use of Azure “would not be legal”.

Specifically, the police watchdog said there were a number of other unresolved high risks to data subjects, such as US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsoft’s use of generic, rather than specific, contracts; and Axon’s inability to comply with contractual clauses around data sovereignty.

Computer Weekly also revealed that Microsoft, Axon and the ICO were all aware of these issues before processing in DESC began. The risks identified extend to every public cloud system used for a law enforcement purpose in the UK, as they are all governed by the same data protection rules.

In January 2024, in response to questions from Computer Weekly about whether it also uses US-based hyperscale public cloud services for its own law enforcement processing functions, the ICO sent over a bundle of DPIAs – 495 pages of documents detailing a number of systems in use by the ICO.

According to these documents, the ICO is explicit that it uses a range of services that sit on Microsoft Azure cloud infrastructure for law enforcement processing purposes. However, it declined to comment on its legal basis for conducting such processing, or on the degree to which its own use of these cloud services has prevented it from reaching a formal position on whether their use conflicts with UK data protection rules.

The ICO advice

The regulator’s view that the use of hyperscale public cloud services by UK law enforcement bodies can be lawful if “appropriate protections” are in place is outlined in emails sent to the SPA on 2 April 2024.

In the correspondence, the data regulator details two main pathways that it believes would enable DESC to comply with Part 3’s stringent transfer requirements.

“First, where UK GDPR adequacy regulations apply, in most cases, you will be able to rely on Section 75(1)(b) that you have assessed all the circumstances and decided that appropriate safeguards exist to protect the data; or second, by relying on a Section 75(1)(a) ‘legal instrument containing appropriate safeguards for protection of personal data’ which binds the recipient of the data,” said the ICO’s deputy commissioner for regulatory policy.

“We consider that the IDTA or the Addendum to the EU SCCs (the ‘Addendum’) are capable of meeting this requirement. However, you are responsible for carrying out due diligence to ensure that in the specific circumstances of your transfer, and in particular the often sensitive nature of Part 3 data, the IDTA or Addendum does provide the right level of protection.”

While the IDTA is a legal contract published by the ICO to safeguard personal data being sent outside the UK to certain third countries, the SCCs are contracts produced by the European Commission to protect data flows from the EU.

Both have been in force since March 2022: UK organisations can either use the IDTA as a standalone document, or use the “UK Addendum” to the EU SCCs, to make “restricted transfers” compliant with UK data protection law. However, Sayers said this mechanism can help with UK GDPR compliance but does not extend to law enforcement processing under Part 3.

“It’s amazing that the ICO has referred to UK GDPR adequacy in their guidance, and not Law Enforcement [LED] adequacy,” he said. “Whilst many countries enjoy GDPR adequacy from the UK and Europe, very few have LED adequacy, and it’s the latter that would be required for policing purposes. It’s not clear how the regulator has made such a simple mistake.”

International transfers

The ICO added that whether or not an international transfer is being made to the cloud service provider as a processor, the nature of cloud services means it is “very likely” there will be further international transfers by the cloud service provider to its sub-processors, which it is the responsibility of the policing bodies, as controllers, to have mapped out.

“Your duty (under Section 59) is to ensure that the cloud service provider only engages overseas sub-processors with your authorisation and is giving you sufficient guarantees that it has in place appropriate technical and organisational measures that are sufficient to secure that the processing will (a) meet the requirements of [Part 3] and (b) ensure the protection of the rights of the data subject,” it said.

“As part of your due diligence, for those sub-processors which are not in a country with the benefit of a UK GDPR adequacy regulation, you will need to be satisfied that the cloud service provider’s contracts with its sub-processors contain a Section 75 appropriate safeguard. In the same way that you can make restricted transfers under Part 3, a cloud service provider will be able to rely on the IDTA or Addendum, provided they carry out a TRA [Transfer Risk Assessment].”

Computer Weekly contacted the ICO, Police Scotland and Microsoft for confirmation of whether any transfer risk assessments had been carried out, but did not receive a response on this point.

Further information

The advice also provides further information on how the due diligence responsibilities of policing bodies apply when entering into a contract with cloud service providers.

It says, for example, that police forces should take into account whether an IDTA or an Addendum is contained in the contractual commitments; whether the TRA that has been carried out confirms it provides an adequate level of protection; and whether the processor is obliged to inform the controller of changes to its list of sub-processors.

“We are aware that clarifying amendments to Part 3 DPA have been tabled under the Data Protection and Digital Information Bill, intended to provide greater legal certainty in relation to international data transfers for controllers and processors transferring personal data for law enforcement purposes,” it added.

However, according to Nicky Stewart, a former ICT chief at the UK government’s Cabinet Office, if law enforcement data controllers such as Police Scotland are relying on SCCs to provide protection equivalent to keeping all of the data in the UK, “we might as well just send all of the data to the US”.

Noting the many legal challenges against using SCCs as a transfer mechanism for European data to the US (due to legislation such as the Cloud Act that allows the US government to access company data), she added that the guidance “seems very weak”.

Computer Weekly asked the ICO about its reliance on UK GDPR mechanisms and the other claims made about the guidance, but received no specific responses on these points.

The Cloud Act

A follow-up email from the ICO’s regional manager for Scotland also provides more clarity and detail on how the US government could potentially extract UK law enforcement data from Microsoft or Axon.

They said the first pathway is for a US public authority to serve a qualifying lawful US order on an organisation that falls within US jurisdiction: “Such orders require the organisation to provide information in its possession, custody, or control regardless of where in the world that information is stored.

“Information processed by a UK company may be accessed via this pathway by an order served directly on the UK company (if US jurisdiction can be established) or indirectly by an order served on the US parent company (if it can be established that the US parent company has the necessary possession, custody, or control of the requested data).”

They added that the second pathway is for a US authority to serve an order on a UK communication service provider under the UK-US Data Access Agreement: “This Agreement incorporates additional safeguards, in particular preventing access to data relating to individuals located in the UK and the use of obtained data in death penalty cases.”

They noted that while the ICO does not consider that policing bodies covered by Part 3 must stop using cloud services because of concerns over the Cloud Act and data protection compliance, the Act does not alter organisations’ data protection obligations.

“Whichever pathway is used, UK data protection law provides safeguards for individuals and each request must be considered individually on its merits,” they said. “For both pathways, in practice, recipients of requests may find they need to open a dialogue with the US public authority making the request (or with the US Department of Justice’s Office of International Affairs for orders made under the UK-US DAA), for example, in order to clarify or verify the legality of the request and ensure their response complies with UK data protection law.”

Generic advice

Commenting on the Cloud Act elements of the ICO advice, Delli Santi further described it as “generic”, and noted the efforts of Dutch public sector bodies to proactively identify, map and mitigate the various risks associated with the use of Microsoft Teams, OneDrive, SharePoint and Azure Active Directory.

A DPIA on the use of these services commissioned by the Dutch Ministry of Justice said that although Microsoft mitigated a number of risks identified by the assessment, the fact that the data can be ordered through the Cloud Act means “there is a high risk for the processing of sensitive and special categories of data … as long as the organisation cannot control its own encryption keys.

“Even if the likelihood of occurrence is extremely low, the impact on data subjects in case of disclosure of their sensitive and special categories of personal data to US law enforcement or security services can be extremely high,” it said. “This is due to the lack of notification and the lack of an effective means of redress for EU citizens. This risk even occurs when these data are exclusively processed and stored in the EU.”

For Delli Santi, given everything that is public knowledge about how these systems work, it raises the question of “why don’t they [the ICO] just straight-up conduct an audit? To me, it seems like there’s quite a lot of smoke, so maybe you want to check if there’s something burning.”

While the SPA DPIA for DESC explicitly noted that the encryption keys are held by Axon, rather than Police Scotland, the ICO advice does not mention anything about the need for organisations to control their own keys, or the fact that encryption is not considered a relevant or effective safeguard under Part 3 (which does not allow for “supplementary measures” that would enable data to be sent to jurisdictions with demonstrably lower data protection standards, such as the US).

Computer Weekly asked the ICO whether it has conducted any audits, as well as for the ICO’s view on encryption, but received no response on these points.

For the avoidance of doubt, figure it out

While the ICO advice already explicitly stated that police forces must do their own due diligence on whether the IDTA or the Addendum would make their transfers via hyperscale public cloud architecture compliant, the follow-up email outlining details of the Cloud Act goes further by stating that its advice should not be taken as ICO approval or assurance of the deployment.

“For the avoidance of doubt, the advice we have provided is under our general duty to provide advice and support, and does not constitute approval for the roll-out or assurance of compliance under data protection law,” it said. “The advice does not compromise our ability to use our regulatory powers in the future should any infringements come to light.”

Computer Weekly asked the ICO about the origin of its advice, and whether the ICO sought its own legal advice to inform its guidance for DESC, but received no response on these points.

Computer Weekly also asked whether it is realistic – given the poor state of due diligence throughout the criminal justice sector in relation to cloud deployments – to expect police forces to accurately assess the risks and ensure all Part 3 requirements are being met, but received no response on this point.

Commenting on the guidance, Stewart said that outlining the appropriate protections while putting all of the legal risk back on Police Scotland “doesn’t seem to be particularly helpful”.

In terms of climbing out of the situation, she said that while there is no easy fix, there are options, which include either backing out of Microsoft deployments and migrating all of the data to Part 3-compliant cloud suppliers, or having Microsoft deploy solutions that are “effectively wholly sovereign”, able to buffer US government access and “follow the sun” arrangements.

However, she added that this will clearly drive up cost: “Either way, it’s going to be more expensive, and I suspect fundamentally what this is boiling down to is the cost to Microsoft to make concessions, or to the police forces.”

Sayers broadly agreed, but noted that making the necessary changes to Microsoft’s terms of service and technical platform would not be trivial. “I raised this with Microsoft in emails in Q1 2019, and laid out all of the steps they would need to take to comply with the DPA,” he said.

“They elected not to make those changes, but rather to rely on police forces doing their diligence to confirm the suitability or otherwise of their services. It’s taken some time for someone to ask them the right questions, but clearly now the SPA have done so, Microsoft have been open that their service doesn’t meet the requirements today.”

Scottish biometrics commissioner Brian Plastow – who issued Police Scotland with a formal information notice over DESC in April 2023 and previously shared concerns about unauthorised access to Scottish law enforcement data in an open letter published in October 2023 – said the ongoing uncertainty around police cloud deployments would benefit from a formal investigation by the ICO.

“I would welcome an investigation by the ICO into whether the specific law enforcement processing arrangements for DESC by Police Scotland and DESC partners in Scotland, which include biometric data, are fully compliant with UK data protection law,” he said.

“Principle 10 of the Scottish Biometrics Commissioner’s Code of Practice approved by the Scottish Parliament in November 2020 also requires Police Scotland to ensure that biometric data is protected from unauthorised access and unauthorised disclosure in accordance with UK GDPR and the Data Protection Act 2018,” said Plastow.

“Therefore, compliance with the ICO requirements is a key compliance feature of the Scottish Code of Practice. However, only the ICO has the statutory authority to determine compliance (or not) with UK data protection law, and it would appear that the ongoing level of uncertainty around DESC is such that it would benefit from specific investigation by the ICO.”

Decision-making

Given the ICO’s own use of Azure for law enforcement processing, Computer Weekly asked whether this had an impact on its decision-making, but received no response on this point.

Sayers said that given the ICO is a regulator, it should never have offshored Part 3 data from the UK, “yet their own DPIAs show they knew they were doing so even before this Microsoft information was received”. He added: “They’ve repeated the same mistake as lots of other UK public sector bodies by assuming that because Microsoft have some UK datacentres, this means the data actually stays in, and is supported from, those locations. That’s not how public cloud actually works.”

Sayers added that the ICO must answer questions about what steps it has taken to address this processing itself, as well as how it came to the conclusion that a hyperscale cloud could meet its needs, given that it is constrained by Section 73(4) of the DPA from sending this kind of data outside the UK to an IT service provider.

However, while the ICO noted that the policing bodies involved as data controllers are responsible for ensuring DESC compliance prior to its roll-out, the regulator previously let the pilot go ahead with live personal data in full view of the risks.

Although this has been public knowledge since Computer Weekly initially reported on DESC in April 2023, the new correspondence disclosed to Sayers provides further detail on why the ICO and Police Scotland did not undertake a formal consultation process, despite both parties being aware of the data protection concerns. This will be covered in an upcoming Computer Weekly story.
