Police Scotland five-year digital strategy approved

The Scottish Police Authority (SPA) has approved a five-year digital strategy for Police Scotland that seeks to shift the force from “doing digital” to “being digital” through a series of investments into both new and existing technology capabilities.

Drafted with the assistance of consultancy firm Ernst & Young and XXX Capgemini, the strategy outlines priorities for Police Scotland’s ongoing digital transformation efforts, which include making body-worn video (BWV) cameras widely available; improving its data science and analytics capabilities; replacing ageing legacy infrastructure; investing in cyber security and resilience; and further developing its digital evidence sharing capabilities.

“The Digital Strategy focuses on articulating how digital, data and technology will support Police Scotland to address the increasing digital demands of today,” it said. “The Digital Strategy consolidates individual project and programme strategies and technology approaches, ensuring alignment of data and digital components, and bringing an architectural and technical cohesion to delivery.”

Specific technologies that will be delivered by the strategy include real-time biometric analytics, natural language processing and augmented reality.

Approved by the SPA Board during its 24 August meeting, the strategy is underpinned by six “key enablers”, which include recognising data as an asset; data ethics; cyber resilience; people; sustainability; and value for money.

On more advanced capabilities such as artificial intelligence (AI), machine learning (ML) and facial-recognition, the strategy noted “it is essential that these are only considered for introduction into operational policing after the appropriate Data Ethics assessments have taken place”, which includes using a combination of internal, independent and ongoing post-deployment scrutiny to identify and mitigate any risks.

“As technology continues to advance, we have a positive duty to harness those developments to keep people safe,” said deputy chief constable designate Fiona Taylor during the SPA Board meeting.

“As we introduce new technologies, we will continue to engage with partners in the public, and we welcome the vital support, challenge and active oversight of the Scottish Police Authority. This will help us to address any concerns and ensure the use of new tech is transparent, ethical and aligned with our values.”

However, she added that while “it is vital we continue to set out an ambitious strategic direction … the pace of change will be affected by the availability of funding”.

In the outline business case for the strategy presented by Andrew Hendry, chief digital and information officer for Police Scotland, it noted the need for “staged investment” so that various aspects of the strategy can be implemented as funding is provided.

As part of this, Police Scotland will also seek to achieve contract flexibility by including “off-ramps”, “whereby contracts are let in stages to give us the ability to terminate or change at specified milestones”.

It added that, overall, the strategy will require funding of nearly £399m across the five years, but around £184m of it relates to projects that are already underway.

Data protection issues with major project

In April 2023, Computer Weekly revealed the Digital Evidence Sharing Capability (DESC) service – a key programme outlined in the digital strategy to modernise the criminal justice system that has been contracted to body-worn video provider Axon for delivery and hosted on Microsoft Azure – was being piloted despite the SPA raising concerns about how the use of Azure “would not be legal”.

According to a Data Protection Impact Assessment (DPIA) by the SPA – which notes the system will be processing genetic and biometric information – the system presents several risks to data subjects’ rights.

This includes the potential for US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsoft’s use of generic, rather than specific, contracts; and Axon’s inability to comply with contractual clauses around data sovereignty. 

Off the back of Computer Weekly’s coverage, Scottish biometrics commissioner Brian Plastow served Police Scotland (as the lead data controller for the system) with a formal information notice on 22 April 2023, requiring the force to demonstrate that its use of the system is compliant with Part Three of the Data Protection Act 2018 (DPA 18), which contains the UK’s law enforcement-specific data protection rules.

While Police Scotland’s response to Plastow has not been publicly disclosed, he confirmed in correspondence with Computer Weekly that the force “uploaded significant image volumes to DESC during this pilot”, which specifically included stills and CCTV images.

Computer Weekly also revealed that while Police Scotland was aware of the data protection issues highlighted by both the SPA and Information Commissioner’s Office (ICO) – which was clear that the processing could not go forward without formal consultation with the data regulator – the force decided to press ahead with its deployment of the system anyway.

Following the confirmation from Police Scotland that it uploaded significant volumes of biometric information during the DESC pilot, Plastow confirmed his office will be formally assessing the force’s compliance with Scotland’s statutory Code of Practice on the use of biometric data in winter 2023, with a report detailing his findings due to be laid before Scottish Parliament in spring 2024.

The ICO has confirmed to Computer Weekly that it is “actively considering these issues and engaging with relevant authorities”, although no timeline was provided for a decision.

Exit mobile version