Nine police forces are looking for to interchange their frequent information managements system (RMS) with a cloud-based various – however despite upcoming modifications to the UK’s data legal guidelines, specialists say the robust chance of a US-based hyperscaler profitable the contract presents continued dangers.
Under the UK’s present data regime, transferring delicate police information to one of many US cloud giants introduces main data protection points. However, the federal government’s just lately proposed data reforms – which might most probably get rid of many of those dangers by permitting routine transfers to hyperscalers – might jeopardise the UK’s potential to retain its legislation enforcement data adequacy with the EU, whereas points round data sovereignty would nonetheless persist.
Known as Connect, the present RMS is offered to the 9 forces – together with Kent, Essex, Bedfordshire, Cambridgeshire, Hertfordshire, Norfolk, Suffolk, Warwickshire and West Mercia Police – by software program provider NEC by the Athena programme, which permits the forces concerned to gather, collate, interrogate and share intelligence by deploying a typical occasion of the RMS.
Although the procurement – flagged to Computer Weekly by public sector IT market watcher Tussell – is barely on the strategy planning stage, a future contract award discover has already been set for 7 April 2025 (with a begin date November 2025), and can have an estimated whole worth of £100m. The deliberate tender will purpose to assist core policing features comparable to case administration, custody, intelligence, and investigation.
However, specialists say there’s a “robust chance” the brand new RMS will probably be hosted on hyperscale public cloud infrastructure, which might open up the data to plenty of dangers below present data protection guidelines, together with the potential for distant entry to that data, its onward switch to a non-adequate jurisdiction (i.e. the US, the place the overwhelming majority of hyperscalers are based mostly), and being topic to US surveillance legal guidelines.
They added that the dangers have been significantly acute given the poor monitor document of forces and regulators on the subject of data protection due diligence for legislation enforcement techniques.
To keep away from falling into the identical state of affairs with the brand new cloud-based RMS, the specialists made plenty of solutions in regards to the steps the forces’ ought to be taking now as data controllers, earlier than the procurement progresses additional down the road.
While the federal government’s new Data Use and Access Bill (DUAB) is ready to the change legal guidelines round legislation enforcement processing in a method that will unequivocally enable routine data transfers to hyperscalers, the specialists say doing so might nonetheless threat the UK’s potential to retain its legislation enforcement adequacy with the European Union (EU) when it comes up for renewal in April 2025.
They say the measure would symbolize a divergence from how legislation enforcement our bodies inside the bloc are allowed to course of data, and highlighted additional points round data sovereignty arising from the usage of hyperscalers that will nonetheless persist even when the federal government’s proposed data reforms are made legislation.
Computer Weekly contacted the forces concerned in regards to the data protection concerns raised round the usage of hyperscalers in legislation enforcement.
“The pre-market engagement is designed to tell the forces of the sorts of technical options and innovation available in the market to tell our specification and procurement method in 2025,” stated a Bedfordshire Police spokesperson. “The data protection points raised will probably be paramount in our consideration and our closing specification will embody the data protection necessities needed to make sure legal compliance and protection of delicate data.”
Computer Weekly additionally contacted the Home Office about each side of the story. A authorities spokesperson responded: “The processing of police data should prioritise safety. Even the place internationally owned cloud suppliers are used, there are measures put in place to mitigate potential threats and threat.”
Ongoing police cloud concerns
According to a document drafted by two of the 9 Athena forces – which was despatched to the Competition and Markets Authority (CMA) in November 2022 because it investigated the merger of different RMS suppliers – there’s a urgent want to enhance the data flows between totally different police forces.
“In a great world, every RMS (or occasion of an RMS) would enable, by an API or different interface or type of interworking, info to movement between police providers,” it wrote.
However, despite Athena forces highlighting the “good thing about police Ssrvices having interconnected RMS all through the UK by true cloud-provision and APIs”, there are long-standing points with the usage of hyperscale cloud infrastructure by UK policing and prison justice our bodies.
Since Computer Weekly revealed in December 2020 that dozens of UK police forces have been processing greater than 1,000,000 folks’s data unlawfully in Microsoft 365, data protection experts and police tech regulators have overtly questioned numerous features of how hyperscale public cloud infrastructure has been deployed by UK policing, arguing that they’re at the moment unable to adjust to strict legislation enforcement-specific guidelines specified by the DPA.
At the beginning of April 2023, Computer Weekly revealed the Scottish authorities’s Digital Evidence Sharing Capability (DESC) service – contracted to body-worn video supplier Axon for supply and hosted on Microsoft Azure – was being piloted by Police Scotland despite a police watchdog elevating concerns about how the usage of Azure “wouldn’t be legal”.
Specifically, the police watchdog stated that there have been plenty of different unresolved excessive dangers to data topics, comparable to US authorities entry by way of the Cloud Act, which successfully provides the US authorities entry to any data, saved wherever, by US companies within the cloud; Microsoft’s use of generic, relatively than particular, contracts; and Axon’s lack of ability to adjust to contractual clauses round data sovereignty.
Computer Weekly additionally revealed that Microsoft, Axon and the ICO have been all conscious of those points earlier than processing in DESC started. The dangers recognized lengthen to each public cloud system used for a legislation enforcement function within the UK, as they’re all ruled by the identical data protection guidelines.
The dangers recognized [from DESC] lengthen to each public cloud system used for a legislation enforcement function within the UK, as they’re all ruled by the identical data protection guidelines
Specifically, it confirmed that data hosted in Microsoft infrastructure is routinely transferred and processed abroad; that the data processing settlement in place for DESC didn’t cowl UK-specific data protection necessities; and that whereas the corporate might have the power to make technical modifications to make sure data protection compliance, it’s only ready to make these modifications for DESC companions and never different policing our bodies as a result of “nobody else had requested”.
The paperwork additionally include acknowledgements from Microsoft that worldwide data transfers are inherent to its public cloud structure, and that limiting transfers based mostly on particular person approvals by a police drive – as legally required below DPA Part 3 – “can’t be operationalised”.
Although the ICO launched its police cloud steerage in the identical set of freedom of knowledge (FoI) disclosures – which highlights some potential data switch mechanisms it thinks can clear up ongoing legal points – data protection experts questioned the viability of the suggested routes on the idea the mechanisms are rooted within the GDPR relatively than the legislation enforcement-specific guidelines contained in Part 3, and that’s it not clear if they’ll the truth is stop US authorities entry.
Connect itself has additionally run into data protection points. In August 2024, for instance, Computer Weekly reported that the Met Police went forward with its deployment of Connect – which is separate to any deployments made by Athena forces – despite a number of “problems with concern” being raised over data protection and weaknesses in its search performance.
According to a scrutiny report by the Mayor’s Office for Police and Crime (Mopac), dated 19 July 2022, Connect’s audit capabilities don’t “totally replicate the audit functionality of legacy techniques”, to the purpose the place it could be working in contravention of the UK Data Protection Act 2018’s logging necessities round, for instance, the gathering and alteration of data.
“This isn’t MPS particular however is a nationwide problem – the ICO [Information Commissioner’s Office] are conscious of those points at a nationwide stage and with [West Midlands], who’ve gone dwell,” it stated. “MPS have advised, as a part of the federal government session on data protection legislation, that this part of the DPA 2018 is revised.”
Computer Weekly additionally revealed that Connect was round £64m over funds at that time, whereas officers and employees had raised greater than 25,000 assist requests in its first 4 months of operation.
Connecting to hyperscalers
According to a public sector expertise procurement professional – who wished to stay nameless resulting from their ongoing involvement within the procurement of cloud techniques – the usage of hyperscale public cloud suppliers is the “default place” of the UK prison justice sector, including that it’s “nearly 99.9% sure” the brand new RMS will probably be moved onto hyperscale infrastructure.
They added that that is significantly regarding given invasive US surveillance legal guidelines that open up the potential for US authorities entry to the data.
“You can architect a system inside an inch of its life to do no matter, however…in the event that they’re headquarter to the US, they’re topic to US legislation,” they stated, highlighting each the Cloud Act and Executive Order 12333, which grants powers of covert direct entry to US intelligence companies, as examples of those surveillance practices.
The nameless supply additional highlighted a research paper by a gaggle of teachers from Queen Mary University London, which analyses how US legal guidelines might present entry to European data held by American hyperscalers: “It exhibits even when they cracked data switch points and so forth, this govt order is at all times going to be the elephant within the room, as a result of it’s the one that permits the US Secret Services again doorways into all of the techniques.”
While the paper itself solely analyses use of hyperscale public cloud below GDPR, and never the extra stringent Law Enforcement Directive (LED) or the UK’s DPA Part 3 relevant to Athena data, it makes clear that even below the much less restrictive data protection regime of UK GDPR, this can be very troublesome to make use of those techniques compliant with related legal guidelines.
“In this paper, we analyse whether or not organisations established within the EU can use US cloud suppliers (together with their European subsidiaries) as processors below the GDPR. US legislation enforcement and intelligence companies can compel cloud suppliers topic to US jurisdiction to reveal buyer data. This obligation to reveal below US legislation doesn’t have a foundation in EU or Member State legislation,” it stated.
“As a consequence, disclosure to the US authorities would possibly breach the GDPR, together with: the requirement {that a} processor solely processes private data on the controller’s directions; the requirement of a lawful foundation; and the precept of function limitation. In addition, in some instances, the disclosure would possibly contain illegal worldwide data transfers. Thus, it’s difficult to make use of US suppliers for the processing of European private data in compliance with the GDPR.”
Unlike the Cloud Act that can be utilized to compel data disclosures, the paper notes the legal implications for EO 12333 are barely totally different, in that it rests on the safety providers potential to adversarially entry the data by way of clandestine technical means, and due to this fact doesn’t require the energetic involvement of cloud suppliers.
However, in accordance with Owen Sayers – an unbiased safety guide and advisor on DPA Part Three compliance, with greater than 25 years of expertise in delivering safe options to policing – whether or not or not cloud suppliers are energetic members, and whether or not or not the US authorities does utilise the Cloud Act to realize entry to UK data, the transfers can be illegal anyway as UK legislation lays down a collection of particular steps that have to be adopted for each switch of a particular piece of private data below Part Three.
The incontrovertible fact that the British authorities, not to mention a police authority, doesn’t have management over its personal data is surprising Timothy Clement-Jones, House of Lords
“These steps usually are not being adopted, and Microsoft have made clear that they can’t be adopted (truly, they’ve stated, ‘Impossible to operationalise’). Because the steps laid down within the DPA 2018 Part 3 usually are not and can’t be adopted, that is likely one of the important explanation why the processing being accomplished on these clouds is in breach of UK legislation,” he stated.
“It makes zero distinction in any respect if the US authorities bogeyman tries to make use of Cloud Act to take a look at the data or not, because the data was illegally transferred no matter Cloud Act.”
Commenting on the UK’s lack of sovereignty and management over its delicate policing data resulting from the usage of hyperscalers, Liberal Democrat peer Timothy Clement-Jones stated it “creates main public distrust” in how folks’s data is being dealt with.
He added that the dearth of ensures from hyperscalers about stopping US authorities entry opens up the potential for extra data being accessed time beyond regulation as political developments there push issues in a extra authoritarian route: “We’re unhealthy sufficient by way of praying in assist ‘nationwide safety’ each time we need to do one thing totally different, like with the final data protection invoice, however the Americans are even worse than we’re actually… they’re ultra-national safety delicate.”
Clement-Jones additionally criticised the UK authorities’s reliance on Microsoft and AWS for cloud providers, and additional highlighted points with provider lock-in: “Trying to get into the UK cloud market is like breaking into Fort Knox as a result of you will have these vendor lock-in ways. I introduced these to the eye of the [Competition and Markets Authority] CMA, they usually’ve assured me that they’re going to take care of all that.
“But the truth that the British authorities, not to mention a police authority, doesn’t have management over its personal data is surprising.”
For Mariano delli Santi, legal and coverage officer on the Open Rights Group (ORG), these legal difficulties might be sidestepped by merely selecting cloud service suppliers that don’t fall below US jurisdiction, which might additionally imply not procuring from these companies’ EU or UK subsidiaries or holding firms. He added that encryption might additionally provide a measure of protection for delicate policing data, however provided that the holders of the encryption keys usually are not obliged to cooperate with the US authorities.
The needed due diligence
While the ICO stated in its police cloud steerage that the UK’s worldwide Data Transfer Agreements (IDTA) or the Addendum to the European Union’s Standard Contractual Clauses (SCCs) might be relied on to make restricted legislation enforcement transfers to cloud service suppliers, it added that they’d need to conduct a Transfer Risk Assessment (TRA) beforehand to make sure there’s an equal stage of data protection when it’s despatched offshore.
In the case of DESC, the ICO has confirmed that it has not been suggested on whether or not a TRA has been accomplished by both Police Scotland, Microsoft, or any of the opposite companions, and has not been supplied with copies. Computer Weekly has despatched out FoI requests for these paperwork.
According to the procurement professional Computer Weekly spoke with, the TRA course of ought to keep in mind plenty of features, together with the character of the data being transferred; the sort of dangers hooked up to it from a data protection perspective; what protections the data is being supplied with, each at transit and at relaxation; and the last word switch vacation spot.
“You then get into issues like supporting service on a comply with the sound mannequin. Even if data is within the UK, if the [technical] assist comes from outdoors and it touches the data, it’s thought of the data switch by the European Data Protection Board and by the ICO,” they stated, noting that it’s not clear to them from the ICO steerage if a TRA ought to be a one off evaluation, or one thing that’s carried out each time data is transferred offshore.
However, Sayers clarified that the IDTA’s advised by the ICO haven’t any relevance to Part Three provisions, and that TRA’s – which “are additionally of doubtful legal worth” – would definitely should be carried out case-by-case foundation for every bit of data transferred.
“To use Hyperscale platforms lawfully, a police officer wants to ascertain it’s strictly essential to ship every particular piece of private data offshore, affirm public curiosity overrides any data topics rights for that data, give particular directions to the cloud supplier as to how the data have to be dealt with, after which make a report on all this stuff to the ICO,” he stated. “That’s impractical and clearly inefficient, so in observe they simply use the cloud platform however don’t do these assessments.”
An FoI response from the ICO in July 2023 backs this suggestion up, indicating that solely 148 legal notifications of transfers by legislation enforcement companies have been within the earlier 5 years, whereas in the identical interval most UK police forces moved their core IT providers to Microsoft cloud.
“Given the speed of adoption, we should always have seen tens of 1000’s of those notifications on the very least,” stated Sayers.
Outside of the TRA, Nicky Stewart – a former Cabinet Office IT chief and senior adviser to the recently launched Open Cloud Coalition (OCC) – stated that police data controllers might want to full a variety of additional due diligence measures earlier than finalising the procurement course of for the cloud-based Athena substitute.
This consists of writing contracts that explicitly reference Part Three necessities, which Stewart says must embody a definition of data sovereignty that the ICO agreed with, in addition to be “very clear about what the implications of breaching that will be”, including that policing our bodies would “successfully should make it a [contract] termination occasion”.
She added: “There will in all probability be a major contractor sitting between the hyperscaler and the police, so that they must assemble it [the contract] in such a method as to successfully obligate that prime contractor to change internet hosting suppliers.
“You’d even have to write down the contract in such a method that the implications of not switching can be costlier and extra painful to the prime contractor than staying. Ideally, the duty needs to be robust sufficient that the prime contractor…[will look at the cost of switching] and never go together with that supplier within the first place.”
On the obstacles of switching, delli Santi famous that if policing our bodies can’t stroll away from their hyperscaler contracts for any purpose – whether or not that be due how data is saved, idiosyncrasies in how the software program operates, or an absence of flexibility within the techniques that makes it troublesome emigrate data out – it places the businesses “in a a lot stronger place in opposition to you, as a result of they know you’ll be able to’t stroll away”.
Ultimately, this implies there’s little incentive to alter the techniques to be totally compliant with UK data guidelines.
Clement-Jones, a lawyer by background, stated that “placing collectively normal clauses in these circumstances is fairly simple”, however added that route is required from the centre to make sure police forces know how you can handle these points.
Conflicting priorities
“In very many instances, the general public sector both doesn’t acknowledge that there are different cloud suppliers, and even recognise that there’s an business round that,” stated Stewart, including that it’s “completely a case” of conflicting imperatives inside policing that imply data protection and sovereignty is put to 1 facet in favour of effectivity and accessibility.
Stewart supplied two explanations of why this was the case: one being value (“the rationale why data is held offshore is actually because it’s cheaper”), and the opposite being that data hosting decisions are in the hands of cloud engineers, who will typically prioritise data resilience or availability over the data protection compliance implications of these choices.
Clement-Jones agreed that there have been battle imperatives round between sovereignty and data protection on the one hand, and effectivity and data accessibility on the opposite: “I’ve been informed folks don’t care about sovereignty.”
Highlighting the global CrowdStrike outage in July 2024, he added that the thought of pitting sovereignty in opposition to operational effectivity or accessibility is “ludicrous”, particularly given the impact the CrowdStrike problem had on Microsoft’s techniques globally.
For delli Santi, whereas the legal, contractual and technical points are value being attentive to, what’s extra urgent is that the UK authorities specifically appears to be avoiding political questions round data sovereignty and technological dependency on US infrastructure.
“There is a variety of focus worldwide in regards to the problem of tech and data sovereignty. In the EU, as an illustration, technological sovereignty and strategic independence have develop into prime of the listing political priorities. This consists of the development of domestic digital infrastructure to cut back reliance on US companies for issues associated to each the financial system or supply of public providers,” he stated.
What occurs if the US goes south and you’ve got all of your police data in a rustic dominated by Donald Trump? Mariano delli Santi, Open Rights Group
“Countries like Brazil are additionally attempting to interrupt away from strategic dependence on overseas expertise. India has been doing this for a really very long time with the so-called India Stack. What strikes me is that that is nowhere to be present in UK authorities insurance policies.”
He stated that, in essence, dependence on US technological suppliers “means you’re paying hire” by yourself capabilities, and additional famous that many US tech companies have a monitor document of extracting ever-increasing volumes of cash as soon as they’ve public sector shoppers locked in, including: “They know you’re a hostage.”
On the perceived battle between sovereignty and effectivity, delli Santi stated that counting on huge tech IT suppliers on this method creates inefficiencies by an absence of autonomy: “Being depending on basically huge overseas [tech] monopolies constrains your potential to pursue your personal insurance policies. In a sector like legislation enforcement, you may want extra freedom to find out what you do domestically.
“Something that must be emphasised is that it is a nationwide downside. You’re principally outsourcing legislation enforcement to sure levels, to folks you will have little or no management over and other people you’re making a dependency on, which implies in the end they may do one thing you don’t like and you’ll’t do something about it.
“What occurs if the US goes south and you’ve got all of your police data in a rustic dominated by Donald Trump?”
A altering data protection panorama
Despite the concerns round present police processing within the cloud, the UK authorities’s new DUAB – launched to Parliament on 23 October 2024 – is ready to alter the legislation enforcement data protection guidelines, together with altering the switch necessities in a method that will probably allow the processing that specialists say has been happening unlawfully on these cloud techniques up till now.
“The intention is to place non-UK processors (principally hyperscalers) on the identical broad legal footing as abroad legislation enforcement organisations,” stated Sayers, including that the invoice would allow UK Competent Authorities (i.e. policing our bodies) to ship data abroad to offshore processors with minimal restrictions.
“The invoice truly places abroad processors above abroad legislation enforcement processors within the respect that it fully removes obligations to document what data is transferred to them, inform the ICO or make any assessments as as to whether a specific switch is protected and contemplate the data topics rights prematurely of sending the data.”
Sayers added that whereas these and different modifications to Part Three can be instantly contradictory to EU legislation, doubtlessly resulting in plenty of situations the place the UK loses its legislation enforcement data adequacy, the most probably consequence can be the CJEU discovering that the UK regime falls far under EU requirements and thus strikes to dam UK data transfers.
He additional added that particular person member states may deem UK legal guidelines to be too divergent from their very own home legal guidelines to proceed to ship data: “There are 27 Member States, every with their very own model of DPA Part 3 to contemplate – due to this fact, the prospect of a few of these doing so is excessive.”
Although one of many important points with the Met’s implementation of Connect was that it was unable to meet the statutory logging requirements of Part Three, the DUAB as launched can even search to take away these necessities by permitting police to entry private data from police databases throughout investigations, with out having to manually document the “justification” for the search.
The removing of police logging necessities, nonetheless, might symbolize an extra divergence from the EU’s Law Enforcement Directive (LED), which requires logs to be saved detailing how data is accessed and used.
“The logs of session and disclosure shall make it attainable to ascertain the justification, date and time of such operations and, so far as attainable, the identification of the one who consulted or disclosed private data, and the identification of the recipients of such private data,” it stated.
Computer Weekly beforehand contacted DSIT in regards to the removing of the logging necessities and whether or not it believes this measure represents a threat to the UK with the ability to renew its LED adequacy determination in April 2025, however DSIT declined to touch upon the document.
Commenting on the DUAB, Clement-Jones stated that the removing of police logging necessities was “egregious”, including that if the legislation modifications to permit police data transfers to, and processing in, infrastructure not owned or managed by UK our bodies, it might “completely” be an issue for the UK’s LED adequacy retention.
