Dismissing data protection concerns, Police Scotland ignored warnings over storing biometric data collected in the course of policing in a cloud sharing system. The admission from Police Scotland casts doubt on the limits placed on police use of public cloud technologies, under a robust regulatory approach, to share data with other police forces and relevant authorities at home or overseas.
The security of data held in the cloud is a particular concern during data migration. When migrating large amounts of company or mass data from one location to another, there is always an inherent risk of data loss, ransomware attacks, insider threats, misconfiguration and privacy issues.
Police Scotland confirmed in a statement the completion of the mass cloud migration of “significant volumes of images” to the Digital Evidence Sharing Capability service, hosted on Microsoft Azure. The system is being piloted under contract with body-worn camera provider Axon and was previously deemed “not legal” and compliant with human rights standards by the police watchdog at the start of April 2023.
It comes after the UK police unit said that the use of facial recognition technology in policing was identifying hundreds of suspects and aiding investigations. The South Wales Police force assessed that 140 correct matches to offenders per month could benefit their work. However, the positive use cases in different investigations have always met criticism around privacy and racial profiling.
Police Scotland should adhere to 11 principles on ethics, privacy, lawful authority and respect, which it is flouting.
Scottish biometrics commissioner Brian Plastow in April instructed that use of the DESC system should be compliant with Part Three of the Data Protection Act 2018 (DPA 18).
Computerweekly.com reports that the response Plastow received from Police Scotland in a letter offered the reassurance that “data is encrypted by the DESC solution prior to being hosted on a Microsoft Azure UK data centre.” With the US Cloud Act permitting home companies in the cloud, i.e. Microsoft, access to any data, it is critical that EU or Scottish UK data is protected.