Alan Stockdale -

Police Scotland five-year digital strategy approved

Police Scotland’s new strategy outlines how the force will approach and invest in its digital transformation over the next five years, but notes its ability to achieve its ambitions is subject to the availability of funding

The Scottish Police Authority (SPA) has approved a five-year digital strategy for Police Scotland that seeks to shift the force from “doing digital” to “being digital” through a series of investments into both new and existing technology capabilities.

Drafted with the assistance of consultancy firms Ernst & Young and Capgemini, the strategy outlines priorities for Police Scotland’s ongoing digital transformation efforts, which include making body-worn video (BWV) cameras widely available; improving its data science and analytics capabilities; replacing ageing legacy infrastructure; investing in cyber security and resilience; and further developing its digital evidence sharing capabilities.

“The Digital Strategy focuses on articulating how digital, data and technology will support Police Scotland to address the increasing digital demands of today,” it said. “The Digital Strategy consolidates individual project and programme strategies and technology approaches, ensuring alignment of data and digital components, and bringing an architectural and technical cohesion to delivery.”

Specific technologies that will be delivered by the strategy include real-time biometric analytics, natural language processing and augmented reality.

Approved by the SPA Board during its 24 August meeting, the strategy is underpinned by six “key enablers”, which include recognising data as an asset; data ethics; cyber resilience; people; sustainability; and value for money.

On more advanced capabilities such as artificial intelligence (AI), machine learning (ML) and facial-recognition, the strategy noted “it is essential that these are only considered for introduction into operational policing after the appropriate Data Ethics assessments have taken place”, which includes using a combination of internal, independent and ongoing post-deployment scrutiny to identify and mitigate any risks.

“As technology continues to advance, we have a positive duty to harness those developments to keep people safe,” said deputy chief constable designate Fiona Taylor during the SPA Board meeting.

“As we introduce new technologies, we will continue to engage with partners in the public, and we welcome the vital support, challenge and active oversight of the Scottish Police Authority. This will help us to address any concerns and ensure the use of new tech is transparent, ethical and aligned with our values.”

Read more about police technology

  • Met Police data platform £64m over budget: A freedom of information request has revealed that the Met’s Connect integrated record management system is running tens of millions over budget, and has already generated more than 25,000 support requests so far.
  • Home Office and MoD seeking new facial-recognition tech: The UK’s Defence and Security Accelerator is running a ‘market exploration’ exercise on behalf of the Home Office to identify new facial-recognition capabilities for security and policing bodies in the UK.
  • Overhaul of UK police tech needed to prevent abuse: Lords inquiry finds UK police are deploying artificial intelligence and algorithmic technologies without a thorough examination of their efficacy or outcomes, and are essentially ‘making it up as they go along’.

However, she added that while “it is vital we continue to set out an ambitious strategic direction … the pace of change will be affected by the availability of funding”.

In the outline business case for the strategy presented by Andrew Hendry, chief digital and information officer for Police Scotland, it noted the need for “staged investment” so that various aspects of the strategy can be implemented as funding is provided.

As part of this, Police Scotland will also seek to achieve contract flexibility by including “off-ramps”, “whereby contracts are let in stages to give us the ability to terminate or change at specified milestones”.

It added that, overall, the strategy will require funding of nearly £399m across the five years, but around £184m of it relates to projects that are already underway.

Data protection issues with major project

In April 2023, Computer Weekly revealed the Digital Evidence Sharing Capability (DESC) service – a key programme outlined in the digital strategy to modernise the criminal justice system that has been contracted to body-worn video provider Axon for delivery and hosted on Microsoft Azure – was being piloted despite the SPA raising concerns about how the use of Azure “would not be legal”.

According to a Data Protection Impact Assessment (DPIA) by the SPA – which notes the system will be processing genetic and biometric information – the system presents several risks to data subjects’ rights.

This includes the potential for US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsoft’s use of generic, rather than specific, contracts; and Axon’s inability to comply with contractual clauses around data sovereignty. 

Off the back of Computer Weekly’s coverage, Scottish biometrics commissioner Brian Plastow served Police Scotland (as the lead data controller for the system) with a formal information notice on 22 April 2023, requiring the force to demonstrate that its use of the system is compliant with Part Three of the Data Protection Act 2018 (DPA 18), which contains the UK’s law enforcement-specific data protection rules.

While Police Scotland’s response to Plastow has not been publicly disclosed, he confirmed in correspondence with Computer Weekly that the force “uploaded significant image volumes to DESC during this pilot”, which specifically included stills and CCTV images.

Computer Weekly also revealed that while Police Scotland was aware of the data protection issues highlighted by both the SPA and Information Commissioner’s Office (ICO) – which was clear that the processing could not go forward without formal consultation with the data regulator – the force decided to press ahead with its deployment of the system anyway.

Following the confirmation from Police Scotland that it uploaded significant volumes of biometric information during the DESC pilot, Plastow confirmed his office will be formally assessing the force’s compliance with Scotland’s statutory Code of Practice on the use of biometric data in winter 2023, with a report detailing his findings due to be laid before Scottish Parliament in spring 2024.

The ICO has confirmed to Computer Weekly that it is “actively considering these issues and engaging with relevant authorities”, although no timeline was provided for a decision.

Read more on Artificial intelligence, automation and robotics

Data Center
Data Management