Cloud-based fingerprint system for UK police nears completion

Ongoing cloud concerns in UK policing

In February 2022, police forces across England and Wales were cautioned about the need to conduct thorough data protection due diligence after it was announced by PDS that all 43 forces would be able to use its Police Assured Landing Zone (PALZ), another AWS-powered cloud platform intended to modernise UK policing’s IT capabilities.

The due diligence involves checking that cloud deployments align with Part 3 of the Data Protection Act (DPA) 2018, which sets out, for the first time, specific statutory rules for the processing of personal data by law enforcement entities.

The due diligence required includes, for example, checking whether each force has conducted its own data protection impact assessment (DPIA) ahead of implementation, and seeking assurances about where the data they host in the cloud will be stored geographically.

A Computer Weekly investigation revealed in December 2020 that UK police forces were unlawfully processing over a million people’s personal data on the hyperscale public cloud service Microsoft 365, after failing to comply with key contractual and processing requirements within Part 3 of the DPA.

Computer Weekly also found that UK police forces had failed to conduct the necessary data protection checks before proceeding with their Microsoft cloud deployments.

Failure to comply with Part 3 of the DPA 2018 can put organisations at risk of sizeable monetary penalties, which are overseen and enforced by the Information Commissioner’s Office (ICO).

While the UK data protection watchdog will initially consult with the organisation to advise them on how to make their operations compliant, it also reserves the right to issue two tiers of monetary penalties. These include a “standard maximum penalty” of roughly £9m or 2% of the organisation’s annual turnover, or a “higher maximum” of £18m or 4% of annual turnover. In both cases, the offending organisation will be fined whichever amount is higher.

Independent privacy consultant Owen Sayers, who has more than 20 years’ experience in the delivery of national policing systems, including Ident1, said until a until a DPIA is made publicly available for analysis, it is hard to state categorically whether the service is operating legally or not.

“UK policing may have negotiated special terms with AWS, and the underlying cloud platform may have been radically re-engineered to make it legal for police use,” he said. “But this seems unlikely. The latest AWS listing on G-Cloud 13 for Digital Investigations and Forensic Storage appears the most likely service used by policing in this case.

“Having analysed the terms of service for that G-Cloud listing, I can absolutely state that the terms of service provided fall far short of the legal minimum needed to comply with the Data Protection Act 2018 Part 3.”

Sayers added that any use of AWS by a police force in the UK to process fingerprint, biometric, or any other digital evidence – using the Xchange TF service and relying on those contractual terms – would therefore breach UK data protection laws.

He further added that while this would not necessarily make the data processed on the platform immediately unusable, there were serious implications for both police forces using the service, as well as AWS.  

“Whilst it seems unlikely that the ICO would take action against them – and public policy of the ICO now appears to not do so – there is a real risk that any person who has their data processed in this way and suffers damage or is distressed could raise a claim for the compensation they are entitled to under Section 169 of the DPA 2018 against either (or both of) the controller (police) and the processor (AWS),” he said.

PDS responds

Computer Weekly contacted PDS about the TF programme and Xchange platform’s use of AWS to ask, for example, if the terms of service align with Part 3 of the DPA 2018; whether data was stored and processed in the UK; what assurances it has received from Amazon regarding the storage and processing location; how it has dealt with the risks presented by transfers of data to the US, where there is a demonstrably lower standard of data protection; and whether a DPIA has been conducted.

In response, a spokesperson said the TF programme had worked closely with “information assurance resources throughout the development of the Xchange platform” to ensure a secure-by-design approach.

“Xchange is by design monitored and continuously assured in line with industry best practice. The end-to-end assurance of all platforms is continuously assessed, including changes at a platform or application level, and data protection impact assessments are reviewed accordingly,” they said.

“Quick, safe and proportionate data sharing across forces and partners is vital to investigating complex crime and keeping people safe from harm. Current ways of working, with their reliance on on-premise servers, are not scalable and pose barriers to information sharing which can lead to delays in investigations and negatively impact outcomes for victims of crime.

“UK policing is aligned to the government’s ‘cloud-first’ approach, outlined in the Government Cyber Security Strategy. The Police Digital Service will continue to work with all suppliers to develop and improve all aspects of digital service delivery to help transform operational process and support efficient and effective police services to UK citizens.”

Computer Weekly contacted AWS with the same questions, but it declined to comment.

Commenting on the PDS response, Sayers said: “[The cloud-first policy referred to] does not provide a blanket mandate for selection of unsuitable cloud services to process citizens’ personal data – instead it requires UK public sector to analyse and confirm the suitability of a cloud service before electing to use it.

“It must also be remembered that the Government Security Classification Scheme specifically restricts the use of public cloud for sensitive personal data – a fact often conveniently ignored by public sector organisations seeking to adopt cloud services.”

He added: “PDS themselves have no legal liability and this may be why they are not obviously concerned in this respect; but the ease by which a S169 compensation claim can be made, the evidence indicating that the service is operated outside of DP’18 Part 3, and the difficulty forces and AWS would have to prove its legally operating should be of real concern to them.”

Commenting on potential alternatives for UK policing, Sayers further added that the use of AWS and other public hyper cloud services was not “absolutely essential for these data services” and in any case does not provide any new or novel capabilities.

“UK policing has had the means to share this data inter-force, across the criminal justice sector and with the European Union for at least 15 years, and used private, secure and legally compliant networks to do so,” he said. “It is simply the rush by policing to use public hyper-cloud services that has introduced this new service, and there is really no way that those platforms – AWS, Azure and GCP [Google Cloud Platform] – can currently meet the legal requirements to do so lawfully or safely.”