Scots victims could be illegally compromised by £33m criminal justice IT system

A £33 million criminal ­justice IT system could ­illegally ­compromise the ­personal data of ­thousands of ­Scots victims.

Watchdogs have raised ­serious concerns about trials of the ­Digital Evidence Sharing Capability (DESC) service by Police Scotland and said the Crown Office could already have ­broken the law.

The system – bought by the Scottish Government from US firm Axon – allows witness statements, body-cam footage, ­fingerprints and other details to be uploaded and shared with other agencies. But the Sunday Mail can reveal the ­Scottish Police Authority (SPA) and biometrics commissioner have given formal warnings over its legality and security.

They have raised fears it could lead to class action lawsuits, hacking and the prospect of the US government snooping on citizens.

Opposition politicians have demanded a halt to the roll-out until concerns are answered.



Russell Findlay
Russell Findlay

Scottish Tory shadow justice secretary Russell Findlay said: “SNP ministers cannot press ahead with this system without seeking categorical assurances about the security of the highly sensitive and personal data of crime victims and witnesses. It appears these concerns have already been flagged within ­Scottish ­policing, so it would be grossly irresponsible, and financially improper, to ­proceed ­without ensuring they are addressed.”

Scottish Lib Dem justice spokesperson Liam ­McArthur said: “These documents raise real ­questions about why Police Scotland has pressed ahead with this scheme while the legal status is still up in the air. It’s an approach that opens up the risk of legal challenges ­bogging down the service in ­litigation for years.”

Concern revolves around files being held by a US firm’s “cloud” servers. This could leave Scottish authorities unable to comply with UK data protection laws.

Join the Daily Record WhatsApp community!



Get the latest news sent straight to your messages by joining our WhatsApp community today.

You’ll receive daily updates on breaking news as well as the top headlines across Scotland.

No one will be able to see who is signed up and no one can send messages except the Daily Record team.

All you have to do is click here if you’re on mobile, select ‘Join Community’ and you’re in!

If you’re on a desktop, simply scan the QR code above with your phone and click ‘Join Community’.

We also treat our community members to special offers, promotions, and adverts from us and our partners. If you don’t like our community, you can check out any time you like.

To leave our community click on the name at the top of your screen and choose ‘exit group’.

If you’re curious, you can read our Privacy Notice.

Axon’s system is being hosted on Microsoft Azure. But in an impact assessment drafted by the SPA and seen by the Sunday Mail, the watchdog warned transfers to overseas cloud providers are likely to be ­illegal. It added its “concerns relate to the provider, a wholly owned US ­company, and its ­sub-processor, Microsoft Azure”.

The document said US law allows its attorney ­general and intelligence ­services director to jointly authorise targeted surveillance of people outside the US, as long as they are not a US citizen.

US law also allows its government to access any data, stored ­anywhere by US firms in the cloud. While the data protection impact assessment said the risk of US government access via the Cloud Act was “unlikely”, it added the fallout would be “cataclysmic”.



Liam McArthur
Liam McArthur

Scottish biometrics commissioner Brian Plastow also raised concerns. He served Police ­Scotland with a formal notice in April requiring it to demonstrate its use of the system was compliant with the Data Protection Act.

Police Scotland confirmed in July it had “uploaded significant volumes of images to DESC during this pilot”, while insisting appropriate encryption was in place. But Plastow said this “did not ameliorate specific concerns”.

Top news stories today

He is now reviewing whether Police Scotland is ­complying with a data code of conduct.

The SPA said: “There are often associated risks when introducing new digital solutions” and it is satisfied “Police Scotland is taking all necessary steps to address and mitigate these” before rollout.

Police Scotland said it was ­continuing to “identify, assess and mitigate any risks relating to data sovereignty”. The Scottish Government said: “We take the privacy of citizens’ data very seriously.”

Axon said it “has established and continues to enhance data protection measures to support customers, including our contract with the Scottish Government”.

Don’t miss the latest news from around Scotland and beyond – sign up to our daily newsletter here.

Logo-favicon

Sign up to receive the latest local, national & international Criminal Justice News in your inbox, everyday.

We don’t spam! Read our [link]privacy policy[/link] for more info.

Sign up today to receive the latest local, national & international Criminal Justice News in your inbox, everyday.

We don’t spam! Read our privacy policy for more info.

This post was originally published on this site be sure to check out more of their content.