Nine police forces are seeking to replace their common records management system (RMS) with a cloud-based alternative – but despite upcoming changes to the UK’s data laws, experts say the strong likelihood of a US-based hyperscaler winning the contract presents continued risks.
Under the UK’s current data regime, moving sensitive police records to one of the US cloud giants introduces major data protection issues. However, the government’s recently proposed data reforms – which would most likely remove many of these risks by allowing routine transfers to hyperscalers – could jeopardise the UK’s ability to retain its law enforcement data adequacy with the EU, while issues around data sovereignty would still persist.
Known as Connect, the current RMS is provided to the nine forces – including Kent, Essex, Bedfordshire, Cambridgeshire, Hertfordshire, Norfolk, Suffolk, Warwickshire and West Mercia Police – by software supplier NEC through the Athena programme, which allows the forces involved to collect, collate, interrogate and share intelligence by deploying a common instance of the RMS.
Although the procurement – flagged to Computer Weekly by public sector IT market watcher Tussell – is only at the planning stage, a future contract award announcement has already been set for 7 April 2025 (with a start date of November 2025), and will have an estimated total value of £100m. The planned tender will aim to support core policing functions such as case management, custody, intelligence, and investigation.
However, experts say there is a “strong possibility” the new RMS will be hosted on hyperscale public cloud infrastructure, which would open up the data to a number of risks under current data protection rules, including the potential for remote access to that data, its onward transfer to a non-adequate jurisdiction (i.e. the US, where the vast majority of hyperscalers are based), and being subject to US surveillance laws.
They added that the risks were particularly acute given the mediocre track record of forces and regulators when it comes to data protection due diligence for law enforcement systems.
To avoid falling into the same situation with the new cloud-based RMS, the experts made a number of suggestions about the steps the forces should be taking now as data controllers, before the procurement progresses further down the line.
While the government’s new Data Use and Access Bill (DUAB) is set to change the legal rules around law enforcement processing in a way that would unequivocally allow routine data transfers to hyperscalers, the experts say doing so could still risk the UK’s ability to retain its law enforcement adequacy with the European Union (EU) when it comes up for renewal in April 2025.
They say the measure would represent a divergence from how law enforcement bodies within the bloc are allowed to process data, and highlighted further issues around data sovereignty arising from the use of hyperscalers that would still persist even if the government’s proposed data reforms are made law.
Computer Weekly contacted the forces involved about the data protection concerns raised around the use of hyperscalers in law enforcement.
“The pre-market engagement is designed to inform the forces of the types of technical solutions and innovation in the marketplace to inform our specification and procurement approach in 2025,” said a Bedfordshire Police spokesperson. “The data protection issues raised will be paramount in our consideration and our final specification will include the data protection requirements necessary to ensure legal compliance and protection of sensitive data.”
Computer Weekly also contacted the Home Office about every aspect of the story. A government spokesperson responded: “The processing of police data must prioritise security. Even where internationally owned cloud providers are used, there are measures put in place to mitigate possible threats and risk.”
Ongoing police cloud concerns
According to a document drafted by two of the nine Athena forces – which was sent to the Competition and Markets Authority (CMA) in November 2022 as it investigated the merger of different RMS suppliers – there is a pressing need to improve the information flows between different police forces.
“In an ideal world, each RMS (or instance of an RMS) would allow, through an API or another interface or form of interworking, information to flow between police services,” it wrote.
However, despite Athena forces highlighting the “benefit of police services having interconnected RMS throughout the UK through actual cloud-provision and APIs”, there are long-standing issues with the use of hyperscale cloud infrastructure by UK policing and criminal justice bodies.
Since Computer Weekly revealed in December 2020 that dozens of UK police forces were processing more than a million people’s data unlawfully in Microsoft 365, data protection experts and police tech regulators have openly questioned various aspects of how hyperscale public cloud infrastructure has been deployed by UK policing, arguing that they are currently unable to comply with strict law enforcement-specific rules laid out in the DPA.
At the start of April 2023, Computer Weekly revealed the Scottish government’s Digital Evidence Sharing Capability (DESC) service – contracted to body-worn video supplier Axon for delivery and hosted on Microsoft Azure – was being piloted by Police Scotland despite a police watchdog raising concerns about how the use of Azure “would not be legal”.
Specifically, the police watchdog said that there were a number of other unresolved high risks to data subjects, such as US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsoft’s use of generic, rather than specific, contracts; and Axon’s inability to comply with contractual clauses around data sovereignty.
Computer Weekly also revealed that Microsoft, Axon and the ICO were all aware of these issues before processing in DESC began. The risks identified extend to all public cloud systems used for a law enforcement purpose in the UK, as they are all governed by the same data protection rules.
In June 2024, Computer Weekly then reported details of discussions between Microsoft and the Scottish Police Authority (SPA), in which the tech giant admitted it cannot guarantee the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure.
Specifically, it showed that data hosted in Microsoft infrastructure is routinely transferred and processed overseas; that the data processing agreement in place for DESC did not cover UK-specific data protection requirements; and that while the company may have the ability to make technical changes to ensure data protection compliance, it is only prepared to make these changes for DESC partners and not other policing bodies because “no one else had asked”.
The papers also contain acknowledgements from Microsoft that international data transfers are inherent to its public cloud architecture, and that limiting transfers based on individual approvals by a police force – as legally required under DPA Part 3 – “cannot be operationalised”.
Although the ICO released its police cloud guidance in the same set of freedom of information (FoI) disclosures – which highlights some potential data transfer mechanisms it thinks can clear up ongoing legal issues – data protection experts questioned the viability of the suggested routes on the basis that the mechanisms are rooted in the GDPR rather than the law enforcement-specific rules contained in Part 3, and that it is not clear if they can in fact prevent US government access.
Connect itself has also run into data protection issues. In August 2024, for example, Computer Weekly reported that the Met Police went ahead with its deployment of Connect – which is separate to any deployments made by Athena forces – despite multiple “issues of concern” being raised over data protection and weaknesses in its search functionality.
According to a scrutiny study by the Mayor’s Office for Police and Crime (Mopac), dated 19 July 2022, Connect’s audit capabilities do not “fully replicate the audit capability of legacy systems”, to the point where it would be operating in contravention of the UK Data Protection Act 2018’s logging requirements around, for example, the collection and alteration of data.
“This is not MPS specific but is a national issue – the ICO [Information Commissioner’s Office] are aware of these issues at a national level and with [West Midlands], who have gone live,” it said. “MPS have suggested, as part of the government consultation on data protection law, that this section of the DPA 2018 is revised.”
Computer Weekly also revealed that Connect was around £64m over budget at that point, while officers and staff had raised more than 25,000 support requests in its first four months of operation.
Connecting to hyperscalers
According to a public sector technology procurement expert – who wished to remain anonymous due to their ongoing involvement in the procurement of cloud systems – the use of hyperscale public cloud providers is the “default position” of the UK criminal justice sector, adding that it’s “almost 99.9% certain” the new RMS will be moved onto hyperscale infrastructure.
They added that this is particularly concerning given invasive US surveillance laws that open up the possibility of US government access to the data.
“You can architect a system within an inch of its life to do whatever, but…if they’re headquartered in the US, they’re subject to US law,” they said, highlighting both the Cloud Act and Executive Order 12333, which grants powers of covert direct access to US intelligence agencies, as examples of these surveillance practices.
The anonymous source further highlighted a research paper by a group of academics from Queen Mary University London, which analyses how US laws could provide access to European data held by American hyperscalers: “It shows even if they cracked data transfer issues and so on, this executive order is always going to be the elephant in the room, because it’s the one that allows the US secret services back doors into all the systems.”
While the paper itself only analyses use of hyperscale public cloud under GDPR, and not the more stringent Law Enforcement Directive (LED) or the UK’s DPA Part 3 applicable to Athena data, it makes clear that even under the less restrictive data protection regime of UK GDPR, it is extremely difficult to make use of these systems compliant with applicable laws.
“In this paper, we analyse whether organisations established in the EU can use US cloud providers (including their European subsidiaries) as processors under the GDPR. US law enforcement and intelligence agencies can compel cloud providers subject to US jurisdiction to disclose client data. This duty to disclose under US law does not have a basis in EU or Member State law,” it said.
“As a result, disclosure to the US government might breach the GDPR, including: the requirement that a processor only processes personal data on the controller’s instructions; the requirement of a lawful basis; and the principle of purpose limitation. In addition, in some cases, the disclosure might involve unlawful international data transfers. Thus, it is challenging to use US providers for the processing of European personal data in compliance with the GDPR.”
Unlike the Cloud Act, which can be used to compel data disclosures, the paper notes the legal implications of EO 12333 are somewhat different, in that it rests on the security services’ ability to adversarially access the data via clandestine technical means, and so does not require the active involvement of cloud providers.
However, according to Owen Sayers – an independent security consultant and adviser on DPA Part 3 compliance, with more than 25 years of experience in delivering secure solutions to policing – whether or not cloud providers are active participants, and whether or not the US government does use the Cloud Act to gain access to UK data, the transfers would be unlawful anyway, as UK law lays down a series of specific steps that must be followed for each and every transfer of a specific piece of personal data under Part Three.
“These steps are not being followed, and Microsoft have made clear that they cannot be followed (actually, they’ve said, ‘Impossible to operationalise’). Because the steps laid down in the DPA 2018 Part 3 are not and cannot be followed, that is one of the main reasons why the processing being done on these clouds is in breach of UK law,” he said.
“It makes zero difference at all if the US government bogeyman tries to use Cloud Act to look at the data or not, as the data was illegally transferred regardless of Cloud Act.”
Commenting on the UK’s lack of sovereignty and control over its sensitive policing data due to the use of hyperscalers, Liberal Democrat peer Timothy Clement-Jones said it “creates major public mistrust” in how people’s data is being handled.
He added that the lack of guarantees from hyperscalers about preventing US government access opens up the possibility of more data being accessed over time as political developments there push things in a more authoritarian direction: “We’re bad enough in terms of praying in aid ‘national security’ whenever we want to do something different, like with the last data protection bill, but the Americans are even worse than we are really… they’re ultra-national security sensitive.”
Clement-Jones also criticised the UK government’s reliance on Microsoft and AWS for cloud services, and further highlighted issues with supplier lock-in: “Trying to get into the UK cloud market is like breaking into Fort Knox because you have these vendor lock-in tactics. I brought those to the attention of the [Competition and Markets Authority] CMA, and they’ve assured me that they’re going to deal with all that.
“But the fact that the British government, let alone a police authority, doesn’t have control over its own data is shocking.”
For Mariano delli Santi, legal and policy officer at the Open Rights Group (ORG), these legal difficulties can be sidestepped by simply choosing cloud service providers that do not fall under US jurisdiction, which would also mean not procuring from those firms’ EU or UK subsidiaries or holding companies. He added that encryption could also offer a measure of protection for sensitive policing data, but only if the holders of the encryption keys are not obliged to cooperate with the US government.
The essential due diligence
While the ICO said in its police cloud guidance that the UK’s International Data Transfer Agreements (IDTA) or the Addendum to the European Union’s Standard Contractual Clauses (SCCs) can be relied on to make restricted law enforcement transfers to cloud service providers, it added that they would need to conduct a Transfer Risk Assessment (TRA) beforehand to ensure there is an equivalent level of data protection when it is sent offshore.
In the case of DESC, the ICO has confirmed that it has not been advised on whether a TRA has been completed by either Police Scotland, Microsoft, or any of the other partners, and has not been provided with copies. Computer Weekly has sent out FoI requests for these documents.
According to the procurement expert Computer Weekly spoke with, the TRA process should take into account a number of aspects, including the nature of the data being transferred; the type of risks attached to it from a data protection perspective; what protections the data is being provided with, both in transit and at rest; and the eventual transfer destination.
“You then get into things like supporting service on a follow-the-sun model. Even if data is in the UK, if the [technical] support comes from outside and it touches the data, it’s considered a data transfer by the European Data Protection Board and by the ICO,” they said, noting that it is not clear to them from the ICO guidance if a TRA should be a one-off assessment, or something that is conducted each and every time data is transferred offshore.
However, Sayers clarified that the IDTAs suggested by the ICO have no relevance to Part 3 provisions, and that TRAs – which “are also of dubious legal value” – would certainly have to be conducted on a case-by-case basis for each piece of data transferred.
“To use hyperscale platforms lawfully, a police officer needs to establish it’s strictly necessary to send each specific piece of personal data offshore, confirm public interest overrides any data subjects’ rights for that data, give specific instructions to the cloud supplier as to how the data must be handled, and then make a report on all these things to the ICO,” he said. “That’s impractical and obviously inefficient, so in practice they just use the cloud platform but don’t do these assessments.”
An FoI response from the ICO in July 2023 backs this claim up, indicating that only 148 legal notifications of transfers by law enforcement agencies were made in the previous five years, while in the same period most UK police forces moved their core IT services to Microsoft cloud.
“Given the rate of adoption, we should have seen tens of thousands of these notifications at the very least,” said Sayers.
Outside of the TRA, Nicky Stewart – a former Cabinet Office IT chief and senior adviser to the recently launched Open Cloud Coalition (OCC) – said that police data controllers will need to complete a range of further due diligence measures before finalising the procurement process for the cloud-based Athena replacement.
This includes writing contracts that explicitly mention Part 3 requirements, which Stewart says would have to include a definition of data sovereignty that the ICO agreed with, as well as be “very clear about what the consequences of breaching that would be”, adding that policing bodies would “effectively have to make it a [contract] termination event”.
She added: “There will most likely be a prime contractor sitting between the hyperscaler and the police, so they would have to construct it [the contract] in such a way as to effectively obligate that prime contractor to control hosting providers.
“You’d also have to write the contract in such a way that the consequences of not switching would be more costly and more painful to the prime contractor than staying. Ideally, the obligation should be strong enough that the prime contractor…[will look at the cost of switching] and not go with that supplier in the first place.”
On the barriers to switching, delli Santi noted that if policing bodies cannot walk away from their hyperscaler contracts for any reason – whether that be due to how data is stored, idiosyncrasies in how the software operates, or a lack of flexibility in the systems that makes it difficult to migrate data out – it puts the companies “in a much stronger position against you, because they know you can’t walk away”.
Ultimately, this means there is little incentive to change the systems to be fully compliant with UK data rules.
Clement-Jones, a lawyer by background, said that “putting together standard clauses in these circumstances is pretty straightforward”, but added that direction is needed from the centre to ensure police forces know how to handle these issues.
Conflicting priorities
“In very many cases, the public sector either doesn’t admit that there are also cloud providers, or even recognise that there’s an industry around that,” said Stewart, adding that it is “absolutely a case” of conflicting imperatives within policing that mean data protection and sovereignty are put to one side in favour of efficiency and accessibility.
Stewart offered two explanations of why this was the case: one being cost (“the reason why data is held offshore is often because it’s cheaper”), and the other being that data hosting decisions are in the hands of cloud engineers, who will often prioritise data resilience or availability over the data protection compliance implications of those decisions.
Clement-Jones agreed that there were conflicting imperatives between sovereignty and data protection on the one hand, and efficiency and data accessibility on the other: “I’ve been told people don’t care about sovereignty.”
Highlighting the global CrowdStrike outage in July 2024, he added that the idea of pitting sovereignty against operational efficiency or accessibility is “ludicrous”, especially given the effect the CrowdStrike issue had on Microsoft’s systems globally.
For delli Santi, while the legal, contractual and technical issues are worth paying attention to, what’s more pressing is that the UK government in particular seems to be avoiding political questions around data sovereignty and technological dependency on US infrastructure.
“There is quite a lot of focus worldwide about the issue of tech and data sovereignty. In the EU, for instance, technological sovereignty and strategic independence have become top-of-the-list political priorities. This includes the development of domestic digital infrastructure to reduce reliance on US firms for things related to either the economy or delivery of public services,” he said.
“Countries like Brazil are also trying to break away from strategic dependence on foreign technology. India has been doing this for a very long time with the so-called India Stack. What strikes me is that this is nowhere to be found in UK government policies.”
He said that, in essence, dependence on US technological providers “means you’re paying rent” on your own capabilities, and further noted that many US tech firms have a track record of extracting ever-increasing volumes of money once they have public sector clients locked in, adding: “They know you’re a hostage.”
On the perceived conflict between sovereignty and efficiency, delli Santi said that relying on large tech IT providers in this way creates inefficiencies through a lack of autonomy: “Being dependent on essentially large foreign [tech] monopolies constrains your ability to pursue your own policies. In a sector like law enforcement, you might want more freedom to determine what you do domestically.
“Something that ought to be emphasised is that this is a national problem. You’re essentially outsourcing law enforcement to certain degrees, to people you have very little control over and people you’re creating a dependency on, which means sooner or later they will do something you don’t like and you can’t do anything about it.
“What happens if the US goes south and you have all your police data in a country ruled by Donald Trump?”
A changing data protection landscape
Despite the concerns around current police processing in the cloud, the UK government’s new DUAB – introduced to Parliament on 23 October 2024 – is set to change the law enforcement data protection rules, including altering the transfer requirements in a way that would likely enable the processing that experts say has been taking place unlawfully on these cloud systems up until now.
“The intention is to put non-UK processors (principally hyperscalers) on the same broad legal footing as overseas law enforcement organisations,” said Sayers, adding that the bill would enable UK Competent Authorities (i.e. policing bodies) to send data overseas to offshore processors with minimal restrictions.
“The bill actually puts overseas processors above overseas law enforcement processors in the respect that it completely removes obligations to record what data is transferred to them, inform the ICO or make any assessments as to whether a particular transfer is safe and consider the data subjects’ rights in advance of sending the data.”
Sayers added that while these and other changes to Part 3 would be directly contradictory to EU law, potentially leading to a number of scenarios where the UK loses its law enforcement data adequacy, the most likely outcome would be the CJEU finding that the UK regime falls far below EU standards and thus moving to block UK data transfers.
He further added that individual member states may also deem UK laws to be too divergent from their own domestic laws to continue to send data: “There are 27 Member States, each with their own version of DPA Part 3 to consider – therefore, the chance of any of these doing so is high.”
Although one of the main issues with the Met’s implementation of Connect was that it was unable to meet the statutory logging requirements of Part Three, the DUAB as introduced will also seek to remove these requirements by allowing police to access personal data from police databases during investigations, without having to manually record the “justification” for the search.
The removal of police logging requirements, however, could represent a further divergence from the EU’s Law Enforcement Directive (LED), which requires logs to be kept detailing how data is accessed and used.
“The logs of consultation and disclosure shall make it possible to establish the justification, date and time of such operations and, as far as possible, the identification of the person who consulted or disclosed personal data, and the identity of the recipients of such personal data,” it said.
Computer Weekly previously contacted DSIT about the removal of the logging requirements and whether it believes this measure represents a risk to the UK being able to renew its LED adequacy decision in April 2025, but DSIT declined to comment on the record.
Commenting on the DUAB, Clement-Jones said that the removal of police logging requirements was “egregious”, adding that if the law changes to allow police data transfers to, and processing in, infrastructure not owned or controlled by UK bodies, it could “absolutely” be a problem for the UK’s LED adequacy retention.