Nine police forces are seeking to replace their common records managements system (RMS) with a cloud-based alternative – but despite upcoming changes to the UK’s data laws, experts say the strong likelihood of a US-based hyperscaler winning the contract presents continued risks.
Under the UK’s current data regime, moving sensitive police records to one of the US cloud giants introduces major data protection issues. However, the government’s recently proposed data reforms – which would most likely eliminate many of these risks by allowing routine transfers to hyperscalers – could jeopardise the UK’s ability to retain its law enforcement data adequacy with the EU, while issues around data sovereignty would still persist.
Known as Connect, the current RMS is provided to the nine forces – including Kent, Essex, Bedfordshire, Cambridgeshire, Hertfordshire, Norfolk, Suffolk, Warwickshire and West Mercia Police – by software supplier NEC through the Athena programme, which allows the forces involved to collect, collate, interrogate and share intelligence by deploying a common instance of the RMS.
Although the procurement – flagged to Computer Weekly by public sector IT market watcher Tussell – is only at the planning stage, a future contract award notice has already been set for 7 April 2025 (with a start date November 2025), and will have an estimated total value of £100m. The planned tender will aim to support core policing functions such as case management, custody, intelligence, and investigation.
However, experts say there is a “strong possibility” the new RMS will be hosted on hyperscale public cloud infrastructure, which would open up the data to a number of risks under current data protection rules, including the potential for remote access to that data, its onward transfer to a non-adequate jurisdiction (i.e. the US, where the vast majority of hyperscalers are based), and being subject to US surveillance laws.
They added that the risks were particularly acute given the poor track record of forces and regulators when it comes to data protection due diligence for law enforcement systems.
To avoid falling into the same situation with the new cloud-based RMS, the experts made a number of suggestions about the steps the forces’ should be taking now as data controllers, before the procurement progresses further down the line.
While the government’s new Data Use and Access Bill (DUAB) is set to the change legal rules around law enforcement processing in a way that would unequivocally allow routine data transfers to hyperscalers, the experts say doing so could still risk the UK’s ability to retain its law enforcement adequacy with the European Union (EU) when it comes up for renewal in June 2025.
They say the measure would represent a divergence from how law enforcement bodies within the bloc are allowed to process data, and highlighted further issues around data sovereignty arising from the use of hyperscalers that would still persist even if the government’s proposed data reforms are made law.
Computer Weekly contacted the forces involved about the data protection concerns raised around the use of hyperscalers in law enforcement.
“The pre-market engagement is designed to inform the forces of the types of technical solutions and innovation in the market to inform our specification and procurement approach in 2025,” said a Bedfordshire Police spokesperson. “The data protection issues raised will be paramount in our consideration and our final specification will include the data protection requirements necessary to ensure legal compliance and protection of sensitive data.”
Computer Weekly also contacted the Home Office about every aspect of the story. A government spokesperson responded: “The processing of police data must prioritise security. Even where internationally owned cloud providers are used, there are measures put in place to mitigate potential threats and risk.”
Ongoing police cloud concerns
According to a document drafted by two of the nine Athena forces – which was sent to the Competition and Markets Authority (CMA) in November 2022 as it investigated the merger of different RMS suppliers – there is a pressing need to improve the information flows between different police forces.
“In an ideal world, each RMS (or instance of an RMS) would allow, through an API or other interface or form of interworking, information to flow between police services,” it wrote.
However, despite Athena forces highlighting the “benefit of police Ssrvices having interconnected RMS throughout the UK through true cloud-provision and APIs”, there are long-standing issues with the use of hyperscale cloud infrastructure by UK policing and criminal justice bodies.
Since Computer Weekly revealed in December 2020 that dozens of UK police forces were processing more than a million people’s data unlawfully in Microsoft 365, data protection experts and police tech regulators have openly questioned various aspects of how hyperscale public cloud infrastructure has been deployed by UK policing, arguing that they are currently unable to comply with strict law enforcement-specific rules laid out in the DPA.
At the start of April 2023, Computer Weekly revealed the Scottish government’s Digital Evidence Sharing Capability (DESC) service – contracted to body-worn video provider Axon for delivery and hosted on Microsoft Azure – was being piloted by Police Scotland despite a police watchdog raising concerns about how the use of Azure “would not be legal”.
Specifically, the police watchdog said that there were a number of other unresolved high risks to data subjects, such as US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsoft’s use of generic, rather than specific, contracts; and Axon’s inability to comply with contractual clauses around data sovereignty.
Computer Weekly also revealed that Microsoft, Axon and the ICO were all aware of these issues before processing in DESC began. The risks identified extend to every public cloud system used for a law enforcement purpose in the UK, as they are all governed by the same data protection rules.
In June 2024, Computer Weekly then reported details of discussions between Microsoft and the Scottish Police Authority (SPA), in which the tech giant admitted it cannot guarantee the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure.
Specifically, it showed that data hosted in Microsoft infrastructure is routinely transferred and processed overseas; that the data processing agreement in place for DESC did not cover UK-specific data protection requirements; and that while the company may have the ability to make technical changes to ensure data protection compliance, it is only prepared to make these changes for DESC partners and not other policing bodies because “no one else had asked”.
The documents also contain acknowledgements from Microsoft that international data transfers are inherent to its public cloud architecture, and that limiting transfers based on individual approvals by a police force – as legally required under DPA Part 3 – “cannot be operationalised”.
Although the ICO released its police cloud guidance in the same set of freedom of information (FoI) disclosures – which highlights some potential data transfer mechanisms it thinks can clear up ongoing legal issues – data protection experts questioned the viability of the suggested routes on the basis the mechanisms are rooted in the GDPR rather than the law enforcement-specific rules contained in Part 3, and that is it not clear if they can in fact prevent US government access.
Connect itself has also run into data protection issues. In August 2024, for example, Computer Weekly reported that the Met Police went ahead with its deployment of Connect – which is separate to any deployments made by Athena forces – despite multiple “issues of concern” being raised over data protection and weaknesses in its search functionality.
According to a scrutiny report by the Mayor’s Office for Police and Crime (Mopac), dated 19 July 2022, Connect’s audit capabilities do not “fully replicate the audit capability of legacy systems”, to the point where it would be operating in contravention of the UK Data Protection Act 2018’s logging requirements around, for example, the collection and alteration of data.
“This is not MPS specific but is a national issue – the ICO [Information Commissioner’s Office] are aware of these issues at a national level and with [West Midlands], who have gone live,” it said. “MPS have suggested, as part of the government consultation on data protection law, that this section of the DPA 2018 is revised.”
Computer Weekly also revealed that Connect was around £64m over budget at that point, while officers and staff had raised more than 25,000 support requests in its first four months of operation.
Connecting to hyperscalers
According to a public sector technology procurement expert – who wished to remain anonymous due to their ongoing involvement in the procurement of cloud systems – the use of hyperscale public cloud providers is the “default position” of the UK criminal justice sector, adding that it’s “almost 99.9% certain” the new RMS will be moved onto hyperscale infrastructure.
They added that this is particularly concerning given invasive US surveillance laws that open up the possibility of US government access to the data.
“You can architect a system within an inch of its life to do whatever, but…if they’re headquarter to the US, they’re subject to US law,” they said, highlighting both the Cloud Act and Executive Order 12333, which grants powers of covert direct access to US intelligence agencies, as examples of these surveillance practices.
The anonymous source further highlighted a research paper by a group of academics from Queen Mary University London, which analyses how US laws could provide access to European data held by American hyperscalers: “It shows even if they cracked data transfer issues and so on, this executive order is always going to be the elephant in the room, because it’s the one that allows the US Secret Services back doors into all the systems.”
While the paper itself only analyses use of hyperscale public cloud under GDPR, and not the more stringent Law Enforcement Directive (LED) or the UK’s DPA Part 3 applicable to Athena data, it makes clear that even under the less restrictive data protection regime of UK GDPR, it is extremely difficult to make use of these systems compliant with relevant laws.
“In this paper, we analyse whether organisations established in the EU can use US cloud providers (including their European subsidiaries) as processors under the GDPR. US law enforcement and intelligence agencies can compel cloud providers subject to US jurisdiction to disclose customer data. This obligation to disclose under US law does not have a basis in EU or Member State law,” it said.
“As a result, disclosure to the US government might breach the GDPR, including: the requirement that a processor only processes personal data on the controller’s instructions; the requirement of a lawful basis; and the principle of purpose limitation. In addition, in some cases, the disclosure might involve unlawful international data transfers. Thus, it is challenging to use US providers for the processing of European personal data in compliance with the GDPR.”
Unlike the Cloud Act that can be used to compel data disclosures, the paper notes the legal implications for EO 12333 are slightly different, in that it rests on the security services ability to adversarially access the data via clandestine technical means, and therefore does not require the active involvement of cloud providers.
However, according to Owen Sayers – an independent security consultant and advisor on DPA Part Three compliance, with more than 25 years of experience in delivering secure solutions to policing – whether or not cloud providers are active participants, and whether or not the US government does utilise the Cloud Act to gain access to UK data, the transfers would be unlawful anyway as UK law lays down a series of specific steps that must be followed for each and every transfer of a specific piece of personal data under Part Three.
Timothy Clement-Jones, House of Lords
“These steps are not being followed, and Microsoft have made clear that they cannot be followed (actually, they’ve said, ‘Impossible to operationalise’). Because the steps laid down in the DPA 2018 Part 3 are not and cannot be followed, that is one of the main reasons why the processing being done on these clouds is in breach of UK law,” he said.
“It makes zero difference at all if the US government bogeyman tries to use Cloud Act to look at the data or not, as the data was illegally transferred regardless of Cloud Act.”
Commenting on the UK’s lack of sovereignty and control over its sensitive policing data due to the use of hyperscalers, Liberal Democrat peer Timothy Clement-Jones said it “creates major public mistrust” in how people’s data is being handled.
He added that the lack of guarantees from hyperscalers about preventing US government access opens up the possibility of more data being accessed overtime as political developments there push things in a more authoritarian direction: “We’re bad enough in terms of praying in aid ‘national security’ whenever we want to do something different, like with the last data protection bill, but the Americans are even worse than we are really… they’re ultra-national security sensitive.”
Clement-Jones also criticised the UK government’s reliance on Microsoft and AWS for cloud services, and further highlighted issues with supplier lock-in: “Trying to get into the UK cloud market is like breaking into Fort Knox because you have these vendor lock-in tactics. I brought those to the attention of the [Competition and Markets Authority] CMA, and they’ve assured me that they’re going to deal with all that.
“But the fact that the British government, let alone a police authority, doesn’t have control over its own data is shocking.”
For Mariano delli Santi, legal and policy officer at the Open Rights Group (ORG), these legal difficulties can be sidestepped by simply choosing cloud service providers that do not fall under US jurisdiction, which would also mean not procuring from those firms’ EU or UK subsidiaries or holding companies. He added that encryption could also offer a measure of protection for sensitive policing data, but only if the holders of the encryption keys are not obliged to cooperate with the US government.
The necessary due diligence
While the ICO said in its police cloud guidance that the UK’s international Data Transfer Agreements (IDTA) or the Addendum to the European Union’s Standard Contractual Clauses (SCCs) can be relied on to make restricted law enforcement transfers to cloud service providers, it added that they would need to conduct a Transfer Risk Assessment (TRA) beforehand to ensure there is an equivalent level of data protection when it is sent offshore.
In the case of DESC, the ICO has confirmed that it has not been advised on whether a TRA has been completed by either Police Scotland, Microsoft, or any of the other partners, and has not been provided with copies. Computer Weekly has sent out FoI requests for these documents.
According to the procurement expert Computer Weekly spoke with, the TRA process should take into account a number of aspects, including the nature of the data being transferred; the kind of risks attached to it from a data protection perspective; what protections the data is being provided with, both at transit and at rest; and the ultimate transfer destination.
“You then get into things like supporting service on a follow the sound model. Even if data is in the UK, if the [technical] support comes from outside and it touches the data, it’s considered the data transfer by the European Data Protection Board and by the ICO,” they said, noting that it is not clear to them from the ICO guidance if a TRA should be a one off assessment, or something that is conducted each and every time data is transferred offshore.
However, Sayers clarified that the IDTA’s suggested by the ICO have no relevance to Part Three provisions, and that TRA’s – which “are also of dubious legal value” – would certainly have to be conducted case-by-case basis for each piece of data transferred.
“To use Hyperscale platforms lawfully, a police officer needs to establish it’s strictly necessary to send each specific piece of personal data offshore, confirm public interest overrides any data subjects rights for that data, give specific instructions to the cloud provider as to how the data must be handled, and then make a report on all these things to the ICO,” he said. “That’s impractical and obviously inefficient, so in practice they just use the cloud platform but don’t do these assessments.”
An FoI response from the ICO in July 2023 backs this suggestion up, indicating that only 148 legal notifications of transfers by law enforcement agencies were in the previous five years, while in the same period most UK police forces moved their core IT services to Microsoft cloud.
“Given the rate of adoption, we should have seen tens of thousands of these notifications at the very least,” said Sayers.
Outside of the TRA, Nicky Stewart – a former Cabinet Office IT chief and senior adviser to the recently launched Open Cloud Coalition (OCC) – said that police data controllers will need to complete a range of further due diligence measures before finalising the procurement process for the cloud-based Athena replacement.
This includes writing contracts that explicitly reference Part Three requirements, which Stewart says would have to include a definition of data sovereignty that the ICO agreed with, as well as be “very clear about what the consequences of breaching that would be”, adding that policing bodies would “effectively have to make it a [contract] termination event”.
She added: “There will probably be a prime contractor sitting between the hyperscaler and the police, so they would have to construct it [the contract] in such a way as to effectively obligate that prime contractor to switch hosting providers.
“You’d also have to write the contract in such a way that the consequences of not switching would be more expensive and more painful to the prime contractor than staying. Ideally, the obligation has to be strong enough that the prime contractor…[will look at the cost of switching] and not go with that provider in the first place.”
On the barriers of switching, delli Santi noted that if policing bodies cannot walk away from their hyperscaler contracts for any reason – whether that be due how data is stored, idiosyncrasies in how the software operates, or a lack of flexibility in the systems that makes it difficult to migrate data out – it puts the companies “in a much stronger position against you, because they know you can’t walk away”.
Ultimately, this means there is little incentive to change the systems to be fully compliant with UK data rules.
Clement-Jones, a lawyer by background, said that “putting together standard clauses in these circumstances is pretty straightforward”, but added that direction is needed from the centre to ensure police forces know how to manage these issues.
Conflicting priorities
“In very many cases, the public sector either doesn’t acknowledge that there are other cloud providers, or even recognise that there’s an industry around that,” said Stewart, adding that it is “absolutely a case” of conflicting imperatives within policing that mean data protection and sovereignty is put to one side in favour of efficiency and accessibility.
Stewart offered two explanations of why this was the case: one being cost (“the reason why data is held offshore is often because it’s cheaper”), and the other being that data hosting decisions are in the hands of cloud engineers, who will often prioritise data resilience or availability over the data protection compliance implications of those decisions.
Clement-Jones agreed that there were conflict imperatives around between sovereignty and data protection on the one hand, and efficiency and data accessibility on the other: “I’ve been told people don’t care about sovereignty.”
Highlighting the global CrowdStrike outage in July 2024, he added that the idea of pitting sovereignty against operational efficiency or accessibility is “ludicrous”, especially given the effect the CrowdStrike issue had on Microsoft’s systems globally.
For delli Santi, while the legal, contractual and technical issues are worth paying attention to, what’s more pressing is that the UK government in particular seems to be avoiding political questions around data sovereignty and technological dependency on US infrastructure.
“There is a lot of focus worldwide about the issue of tech and data sovereignty. In the EU, for instance, technological sovereignty and strategic independence have become top of the list political priorities. This includes the development of domestic digital infrastructure to reduce reliance on US firms for things related to both the economy or delivery of public services,” he said.
Mariano delli Santi, Open Rights Group
“Countries like Brazil are also trying to break away from strategic dependence on foreign technology. India has been doing this for a very long time with the so-called India Stack. What strikes me is that this is nowhere to be found in UK government policies.”
He said that, in essence, dependence on US technological providers “means you’re paying rent” on your own capabilities, and further noted that many US tech firms have a track record of extracting ever-increasing volumes of money once they have public sector clients locked in, adding: “They know you’re a hostage.”
On the perceived conflict between sovereignty and efficiency, delli Santi said that relying on big tech IT providers in this way creates inefficiencies through a lack of autonomy: “Being dependent on fundamentally big foreign [tech] monopolies constrains your ability to pursue your own policies. In a sector like law enforcement, you might want more freedom to determine what you do domestically.
“Something that ought to be emphasised is that this is a national problem. You’re basically outsourcing law enforcement to certain degrees, to people you have very little control over and people you’re creating a dependency on, which means sooner or later they will do something you don’t like and you can’t do anything about it.
“What happens if the US goes south and you have all your police data in a country ruled by Donald Trump?”
A changing data protection landscape
Despite the concerns around current police processing in the cloud, the UK government’s new DUAB – introduced to Parliament on 23 October 2024 – is set to change the law enforcement data protection rules, including altering the transfer requirements in a way that would likely enable the processing that experts say has been taking place unlawfully on these cloud systems up until now.
“The intention is to put non-UK processors (principally hyperscalers) on the same broad legal footing as overseas law enforcement organisations,” said Sayers, adding that the bill would enable UK Competent Authorities (i.e. policing bodies) to send data overseas to offshore processors with minimal restrictions.
“The bill actually puts overseas processors above overseas law enforcement processors in the respect that it completely removes obligations to record what data is transferred to them, inform the ICO or make any assessments as to whether a particular transfer is safe and consider the data subjects rights in advance of sending the data.”
Sayers added that while these and other changes to Part Three would be directly contradictory to EU law, potentially leading to a number of scenarios where the UK loses its law enforcement data adequacy, the most likely outcome would be the CJEU finding that the UK regime falls far below EU standards and thus moves to block UK data transfers.
He further added that individual member states may also deem UK laws to be too divergent from their own domestic laws to continue to send data: “There are 27 Member States, each with their own version of DPA Part 3 to consider – therefore, the chance of some of these doing so is high.”
Although one of the main issues with the Met’s implementation of Connect was that it was unable to meet the statutory logging requirements of Part Three, the DUAB as introduced will also seek to remove these requirements by allowing police to access personal data from police databases during investigations, without having to manually record the “justification” for the search.
The removal of police logging requirements, however, could represent a further divergence from the EU’s Law Enforcement Directive (LED), which requires logs to be kept detailing how data is accessed and used.
“The logs of consultation and disclosure shall make it possible to establish the justification, date and time of such operations and, as far as possible, the identification of the person who consulted or disclosed personal data, and the identity of the recipients of such personal data,” it said.
Computer Weekly previously contacted DSIT about the removal of the logging requirements and whether it believes this measure represents a risk to the UK being able to renew its LED adequacy decision in April 2025, but DSIT declined to comment on the record.
Commenting on the DUAB, Clement-Jones said that the removal of police logging requirements was “egregious”, adding that if the law changes to allow police data transfers to, and processing in, infrastructure not owned or controlled by UK bodies, it could “absolutely” be a problem for the UK’s LED adequacy retention.