Scots victims could be illegally compromised by £33m criminal justice IT system

A £33 million criminal ­justice IT system could ­illegally ­compromise the ­personal data of ­thousands of ­Scots victims.

Watchdogs have raised ­serious concerns about trials of the ­Digital Evidence Sharing Capability (DESC) service by Police Scotland and said the Crown Office could already have ­broken the law.

The system – bought by the Scottish Government from US firm Axon – allows witness statements, body-cam footage, ­fingerprints and other details to be uploaded and shared with other agencies. But the Sunday Mail can reveal the ­Scottish Police Authority (SPA) and biometrics commissioner have given formal warnings over its legality and security.

They have raised fears it could lead to class action lawsuits, hacking and the prospect of the US government snooping on citizens.

Opposition politicians have demanded a halt to the roll-out until concerns are answered.

Scottish Tory shadow justice secretary Russell Findlay said: “SNP ministers cannot press ahead with this system without seeking categorical assurances about the security of the highly sensitive and personal data of crime victims and witnesses. It appears these concerns have already been flagged within ­Scottish ­policing, so it would be grossly irresponsible, and financially improper, to ­proceed ­without ensuring they are addressed.”

Scottish Lib Dem justice spokesperson Liam ­McArthur said: “These documents raise real ­questions about why Police Scotland has pressed ahead with this scheme while the legal status is still up in the air. It’s an approach that opens up the risk of legal challenges ­bogging down the service in ­litigation for years.”

Concern revolves around files being held by a US firm’s “cloud” servers. This could leave Scottish authorities unable to comply with UK data protection laws.

Axon’s system is being hosted on Microsoft Azure. But in an impact assessment drafted by the SPA and seen by the Sunday Mail, the watchdog warned transfers to overseas cloud providers are likely to be ­illegal. It added its “concerns relate to the provider, a wholly owned US ­company, and its ­sub-processor, Microsoft Azure”.

The document said US law allows its attorney ­general and intelligence ­services director to jointly authorise targeted surveillance of people outside the US, as long as they are not a US citizen.

US law also allows its government to access any data, stored ­anywhere by US firms in the cloud. While the data protection impact assessment said the risk of US government access via the Cloud Act was “unlikely”, it added the fallout would be “cataclysmic”.

Scottish biometrics commissioner Brian Plastow also raised concerns. He served Police ­Scotland with a formal notice in April requiring it to demonstrate its use of the system was compliant with the Data Protection Act.

Police Scotland confirmed in July it had “uploaded significant volumes of images to DESC during this pilot”, while insisting appropriate encryption was in place. But Plastow said this “did not ameliorate specific concerns”.

He is now reviewing whether Police Scotland is ­complying with a data code of conduct.

The SPA said: “There are often associated risks when introducing new digital solutions” and it is satisfied “Police Scotland is taking all necessary steps to address and mitigate these” before rollout.

Police Scotland said it was ­continuing to “identify, assess and mitigate any risks relating to data sovereignty”. The Scottish Government said: “We take the privacy of citizens’ data very seriously.”

Axon said it “has established and continues to enhance data protection measures to support customers, including our contract with the Scottish Government”.

Don’t miss the latest news from around Scotland and beyond – sign up to our daily newsletter here.

This post was originally published on this site be sure to check out more of their content.