Nine police forces are seeking to replace their common records management system (RMS) with a cloud-based alternative – but despite upcoming changes to the UK’s data laws, experts say the strong likelihood of a US-based hyperscaler winning the contract presents continued risks.
Under the UK’s current data regime, moving sensitive police records to one of the US cloud giants introduces major data protection issues. However, the government’s recently proposed data reforms – which would most likely eliminate many of these risks by allowing routine transfers to hyperscalers – could jeopardise the UK’s ability to retain its law enforcement data adequacy with the EU, while issues around data sovereignty would still persist.
Known as Connect, the current RMS is provided to the nine forces – including Kent, Essex, Bedfordshire, Cambridgeshire, Hertfordshire, Norfolk, Suffolk, Warwickshire and West Mercia Police – by software supplier NEC through the Athena programme, which allows the forces involved to collect, collate, interrogate and share intelligence by deploying a common instance of the RMS.
Although the procurement – flagged to Computer Weekly by public sector IT market watcher Tussell – is only at the planning stage, a future contract award notice has already been set for 7 April 2025 (with a start date of November 2025), and will have an estimated total value of £100m. The planned tender will aim to support core policing functions such as case management, custody, intelligence, and investigation.
However, experts say there is a “strong possibility” the new RMS will be hosted on hyperscale public cloud infrastructure, which would open up the data to a number of risks under current data protection rules, including the potential for remote access to that data, its onward transfer to a non-adequate jurisdiction (i.e. the US, where the vast majority of hyperscalers are based), and being subject to US surveillance laws.
They added that the risks were particularly acute given the poor track record of forces and regulators when it comes to data protection due diligence for law enforcement systems.
To avoid falling into the same situation with the new cloud-based RMS, the experts made a number of suggestions about the steps the forces should be taking now as data controllers, before the procurement progresses further down the line.
While the government’s new Data Use and Access Bill (DUAB) is set to change the legal rules around law enforcement processing in a way that would unequivocally allow routine data transfers to hyperscalers, the experts say doing so could still risk the UK’s ability to retain its law enforcement adequacy with the European Union (EU) when it comes up for renewal in June 2025.
They say the measure would represent a divergence from how law enforcement bodies within the bloc are allowed to process data, and highlighted further issues around data sovereignty arising from the use of hyperscalers that would still persist even if the government’s proposed data reforms are made law.
Computer Weekly contacted the forces involved about the data protection concerns raised around the use of hyperscalers in law enforcement.
“The pre-market engagement is designed to inform the forces of the types of technical solutions and innovation in the market to inform our specification and procurement approach in 2025,” said a Bedfordshire Police spokesperson. “The data protection issues raised will be paramount in our consideration and our final specification will include the data protection requirements necessary to ensure legal compliance and protection of sensitive data.”
Computer Weekly also contacted the Home Office about every aspect of the story. A government spokesperson responded: “The processing of police data must prioritise security. Even where internationally owned cloud providers are used, there are measures put in place to mitigate potential threats and risk.”
Ongoing police cloud concerns
According to a document drafted by two of the nine Athena forces – which was sent to the Competition and Markets Authority (CMA) in November 2022 as it investigated the merger of different RMS suppliers – there is a pressing need to improve the information flows between different police forces.
“In an ideal world, each RMS (or instance of an RMS) would allow, through an API or other interface or form of interworking, information to flow between police services,” it wrote.
However, despite Athena forces highlighting the “benefit of police services having interconnected RMS throughout the UK through true cloud-provision and APIs”, there are long-standing issues with the use of hyperscale cloud infrastructure by UK policing and criminal justice bodies.
Since Computer Weekly revealed in December 2020 that dozens of UK police forces were processing more than a million people’s data unlawfully in Microsoft 365, data protection experts and police tech regulators have openly questioned various aspects of how hyperscale public cloud infrastructure has been deployed by UK policing, arguing that they are currently unable to comply with strict law enforcement-specific rules laid out in the DPA.
At the start of April 2023, Computer Weekly revealed the Scottish government’s Digital Evidence Sharing Capability (DESC) service – contracted to body-worn video provider Axon for delivery and hosted on Microsoft Azure – was being piloted by Police Scotland despite a police watchdog raising concerns about how the use of Azure “would not be legal”.
Specifically, the police watchdog said that there were a number of other unresolved high risks to data subjects, such as US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsoft’s use of generic, rather than specific, contracts; and Axon’s inability to comply with contractual clauses around data sovereignty.
Computer Weekly also revealed that Microsoft, Axon and the ICO were all aware of these issues before processing in DESC began. The risks identified extend to every public cloud system used for a law enforcement purpose in the UK, as they are all governed by the same data protection rules.
Specifically, it showed that data hosted in Microsoft infrastructure is routinely transferred and processed overseas; that the data processing agreement in place for DESC did not cover UK-specific data protection requirements; and that while the company may have the ability to make technical changes to ensure data protection compliance, it is only prepared to make these changes for DESC partners and not other policing bodies because “no one else had asked”.
The documents also contain acknowledgements from Microsoft that international data transfers are inherent to its public cloud architecture, and that limiting transfers based on individual approvals by a police force – as legally required under DPA Part 3 – “cannot be operationalised”.
Although the ICO released its police cloud guidance in the same set of freedom of information (FoI) disclosures – which highlights some potential data transfer mechanisms it thinks can clear up ongoing legal issues – data protection experts questioned the viability of the suggested routes on the basis the mechanisms are rooted in the GDPR rather than the law enforcement-specific rules contained in Part 3, and that it is not clear if they can in fact prevent US government access.
Connect itself has also run into data protection issues. In August 2024, for example, Computer Weekly reported that the Met Police went ahead with its deployment of Connect – which is separate to any deployments made by Athena forces – despite multiple “issues of concern” being raised over data protection and weaknesses in its search functionality.
According to a scrutiny report by the Mayor’s Office for Police and Crime (Mopac), dated 19 July 2022, Connect’s audit capabilities do not “fully replicate the audit capability of legacy systems”, to the point where it would be operating in contravention of the UK Data Protection Act 2018’s logging requirements around, for example, the collection and alteration of data.
“This is not MPS specific but is a national issue – the ICO [Information Commissioner’s Office] are aware of these issues at a national level and with [West Midlands], who have gone live,” it said. “MPS have suggested, as part of the government consultation on data protection law, that this section of the DPA 2018 is revised.”
Computer Weekly also revealed that Connect was around £64m over budget at that point, while officers and staff had raised more than 25,000 support requests in its first four months of operation.
Connecting to hyperscalers
According to a public sector technology procurement expert – who wished to remain anonymous due to their ongoing involvement in the procurement of cloud systems – the use of hyperscale public cloud providers is the “default position” of the UK criminal justice sector, adding that it’s “almost 99.9% certain” the new RMS will be moved onto hyperscale infrastructure.
They added that this is particularly concerning given invasive US surveillance laws that open up the possibility of US government access to the data.
“You can architect a system within an inch of its life to do whatever, but…if they’re headquartered in the US, they’re subject to US law,” they said, highlighting both the Cloud Act and Executive Order 12333, which grants powers of covert direct access to US intelligence agencies, as examples of these surveillance practices.
The anonymous source further highlighted a research paper by a group of academics from Queen Mary University London, which analyses how US laws could provide access to European data held by American hyperscalers: “It shows even if they cracked data transfer issues and so on, this executive order is always going to be the elephant in the room, because it’s the one that allows the US Secret Services back doors into all the systems.”
While the paper itself only analyses use of hyperscale public cloud under GDPR, and not the more stringent Law Enforcement Directive (LED) or the UK’s DPA Part 3 applicable to Athena data, it makes clear that even under the less restrictive data protection regime of UK GDPR, it is extremely difficult to make use of these systems compliant with relevant laws.
“In this paper, we analyse whether organisations established in the EU can use US cloud providers (including their European subsidiaries) as processors under the GDPR. US law enforcement and intelligence agencies can compel cloud providers subject to US jurisdiction to disclose customer data. This obligation to disclose under US law does not have a basis in EU or Member State law,” it said.
“As a result, disclosure to the US government might breach the GDPR, including: the requirement that a processor only processes personal data on the controller’s instructions; the requirement of a lawful basis; and the principle of purpose limitation. In addition, in some cases, the disclosure might involve unlawful international data transfers. Thus, it is challenging to use US providers for the processing of European personal data in compliance with the GDPR.”
Unlike the Cloud Act, which can be used to compel data disclosures, the paper notes the legal implications for EO 12333 are slightly different, in that it rests on the security services’ ability to adversarially access the data via clandestine technical means, and therefore does not require the active involvement of cloud providers.
However, according to Owen Sayers – an independent security consultant and advisor on DPA Part Three compliance, with more than 25 years of experience in delivering secure solutions to policing – whether or not cloud providers are active participants, and whether or not the US government does utilise the Cloud Act to gain access to UK data, the transfers would be unlawful anyway as UK law lays down a series of specific steps that must be followed for each and every transfer of a specific piece of personal data under Part Three.
“These steps are not being followed, and Microsoft have made clear that they cannot be followed (actually, they’ve said, ‘Impossible to operationalise’). Because the steps laid down in the DPA 2018 Part 3 are not and cannot be followed, that is one of the main reasons why the processing being done on these clouds is in breach of UK law,” he said.
“It makes zero difference at all if the US government bogeyman tries to use Cloud Act to look at the data or not, as the data was illegally transferred regardless of Cloud Act.”
Commenting on the UK’s lack of sovereignty and control over its sensitive policing data due to the use of hyperscalers, Liberal Democrat peer Timothy Clement-Jones said it “creates major public mistrust” in how people’s data is being handled.
He added that the lack of guarantees from hyperscalers about preventing US government access opens up the possibility of more data being accessed over time as political developments there push things in a more authoritarian direction: “We’re bad enough in terms of praying in aid ‘national security’ whenever we want to do something different, like with the last data protection bill, but the Americans are even worse than we are really… they’re ultra-national security sensitive.”
Clement-Jones also criticised the UK government’s reliance on Microsoft and AWS for cloud services, and further highlighted issues with supplier lock-in: “Trying to get into the UK cloud market is like breaking into Fort Knox because you have these vendor lock-in tactics. I brought those to the attention of the [Competition and Markets Authority] CMA, and they’ve assured me that they’re going to deal with all that.
“But the fact that the British government, let alone a police authority, doesn’t have control over its own data is shocking.”
For Mariano delli Santi, legal and policy officer at the Open Rights Group (ORG), these legal difficulties can be sidestepped by simply choosing cloud service providers that do not fall under US jurisdiction, which would also mean not procuring from those firms’ EU or UK subsidiaries or holding companies. He added that encryption could also offer a measure of protection for sensitive policing data, but only if the holders of the encryption keys are not obliged to cooperate with the US government.
The necessary due diligence
While the ICO said in its police cloud guidance that the UK’s international Data Transfer Agreements (IDTA) or the Addendum to the European Union’s Standard Contractual Clauses (SCCs) can be relied on to make restricted law enforcement transfers to cloud service providers, it added that they would need to conduct a Transfer Risk Assessment (TRA) beforehand to ensure there is an equivalent level of data protection when it is sent offshore.
In the case of DESC, the ICO has confirmed that it has not been advised on whether a TRA has been completed by either Police Scotland, Microsoft, or any of the other partners, and has not been provided with copies. Computer Weekly has sent out FoI requests for these documents.
According to the procurement expert Computer Weekly spoke with, the TRA process should take into account a number of aspects, including the nature of the data being transferred; the kind of risks attached to it from a data protection perspective; what protections the data is being provided with, both in transit and at rest; and the ultimate transfer destination.
“You then get into things like supporting service on a follow the sound model. Even if data is in the UK, if the [technical] support comes from outside and it touches the data, it’s considered the data transfer by the European Data Protection Board and by the ICO,” they said, noting that it is not clear to them from the ICO guidance if a TRA should be a one-off assessment, or something that is conducted each and every time data is transferred offshore.
However, Sayers clarified that the IDTAs suggested by the ICO have no relevance to Part Three provisions, and that TRAs – which “are also of dubious legal value” – would certainly have to be conducted on a case-by-case basis for each piece of data transferred.
“To use Hyperscale platforms lawfully, a police officer needs to establish it’s strictly necessary to send each specific piece of personal data offshore, confirm public interest overrides any data subjects’ rights for that data, give specific instructions to the cloud provider as to how the data must be handled, and then make a report on all these things to the ICO,” he said. “That’s impractical and obviously inefficient, so in practice they just use the cloud platform but don’t do these assessments.”
An FoI response from the ICO in July 2023 backs this suggestion up, indicating that only 148 legal notifications of transfers by law enforcement agencies were made in the previous five years, while in the same period most UK police forces moved their core IT services to Microsoft cloud.
“Given the rate of adoption, we should have seen tens of thousands of these notifications at the very least,” said Sayers.
Outside of the TRA, Nicky Stewart – a former Cabinet Office IT chief and senior adviser to the recently launched Open Cloud Coalition (OCC) – said that police data controllers will need to complete a range of further due diligence measures before finalising the procurement process for the cloud-based Athena replacement.
This includes writing contracts that explicitly reference Part Three requirements, which Stewart says would have to include a definition of data sovereignty that the ICO agreed with, as well as be “very clear about what the consequences of breaching that would be”, adding that policing bodies would “effectively have to make it a [contract] termination event”.
She added: “There will probably be a prime contractor sitting between the hyperscaler and the police, so they would have to construct it [the contract] in such a way as to effectively obligate that prime contractor to switch hosting providers.
“You’d also have to write the contract in such a way that the consequences of not switching would be more expensive and more painful to the prime contractor than staying. Ideally, the obligation has to be strong enough that the prime contractor… [will look at the cost of switching] and not go with that provider in the first place.”
On the barriers of switching, delli Santi noted that if policing bodies cannot walk away from their hyperscaler contracts for any reason – whether that be due to how data is stored, idiosyncrasies in how the software operates, or a lack of flexibility in the systems that makes it difficult to migrate data out – it puts the companies “in a much stronger position against you, because they know you can’t walk away”.
Ultimately, this means there is little incentive to change the systems to be fully compliant with UK data rules.
Clement-Jones, a lawyer by background, said that “putting together standard clauses in these circumstances is pretty straightforward”, but added that direction is needed from the centre to ensure police forces know how to manage these issues.
Conflicting priorities
“In very many cases, the public sector either doesn’t acknowledge that there are other cloud providers, or even recognise that there’s an industry around that,” said Stewart, adding that it is “absolutely a case” of conflicting imperatives within policing that mean data protection and sovereignty is put to one side in favour of efficiency and accessibility.
Stewart offered two explanations of why this was the case: one being cost (“the reason why data is held offshore is often because it’s cheaper”), and the other being that data hosting decisions are in the hands of cloud engineers, who will often prioritise data resilience or availability over the data protection compliance implications of those decisions.
Clement-Jones agreed that there were conflicting imperatives between sovereignty and data protection on the one hand, and efficiency and data accessibility on the other: “I’ve been told people don’t care about sovereignty.”
Highlighting the global CrowdStrike outage in July 2024, he added that the idea of pitting sovereignty against operational efficiency or accessibility is “ludicrous”, especially given the effect the CrowdStrike issue had on Microsoft’s systems globally.
For delli Santi, while the legal, contractual and technical issues are worth paying attention to, what’s more pressing is that the UK government in particular seems to be avoiding political questions around data sovereignty and technological dependency on US infrastructure.
“There is a lot of focus worldwide about the issue of tech and data sovereignty. In the EU, for instance, technological sovereignty and strategic independence have become top of the list political priorities. This includes the development of domestic digital infrastructure to reduce reliance on US firms for things related to both the economy or delivery of public services,” he said.
“Countries like Brazil are also trying to break away from strategic dependence on foreign technology. India has been doing this for a very long time with the so-called India Stack. What strikes me is that this is nowhere to be found in UK government policies.”
He said that, in essence, dependence on US technological providers “means you’re paying rent” on your own capabilities, and further noted that many US tech firms have a track record of extracting ever-increasing volumes of money once they have public sector clients locked in, adding: “They know you’re a hostage.”
On the perceived conflict between sovereignty and efficiency, delli Santi said that relying on big tech IT providers in this way creates inefficiencies through a lack of autonomy: “Being dependent on fundamentally big foreign [tech] monopolies constrains your ability to pursue your own policies. In a sector like law enforcement, you might want more freedom to determine what you do domestically.
“Something that ought to be emphasised is that this is a national problem. You’re basically outsourcing law enforcement to certain degrees, to people you have very little control over and people you’re creating a dependency on, which means sooner or later they will do something you don’t like and you can’t do anything about it.
“What happens if the US goes south and you have all your police data in a country ruled by Donald Trump?”
A changing data protection landscape
Despite the concerns around current police processing in the cloud, the UK government’s new DUAB – introduced to Parliament on 23 October 2024 – is set to change the law enforcement data protection rules, including altering the transfer requirements in a way that would likely enable the processing that experts say has been taking place unlawfully on these cloud systems up until now.
“The intention is to put non-UK processors (principally hyperscalers) on the same broad legal footing as overseas law enforcement organisations,” said Sayers, adding that the bill would enable UK Competent Authorities (i.e. policing bodies) to send data overseas to offshore processors with minimal restrictions.
“The bill actually puts overseas processors above overseas law enforcement processors in the respect that it completely removes obligations to record what data is transferred to them, inform the ICO or make any assessments as to whether a particular transfer is safe and consider the data subjects’ rights in advance of sending the data.”
Sayers added that while these and other changes to Part Three would be directly contradictory to EU law, potentially leading to a number of scenarios where the UK loses its law enforcement data adequacy, the most likely outcome would be the CJEU finding that the UK regime falls far below EU standards and thus moves to block UK data transfers.
He further added that individual member states may also deem UK laws to be too divergent from their own domestic laws to continue to send data: “There are 27 Member States, each with their own version of DPA Part 3 to consider – therefore, the chance of some of these doing so is high.”
Although one of the main issues with the Met’s implementation of Connect was that it was unable to meet the statutory logging requirements of Part Three, the DUAB as introduced will also seek to remove these requirements by allowing police to access personal data from police databases during investigations, without having to manually record the “justification” for the search.
The removal of police logging requirements, however, could represent a further divergence from the EU’s Law Enforcement Directive (LED), which requires logs to be kept detailing how data is accessed and used.
“The logs of consultation and disclosure shall make it possible to establish the justification, date and time of such operations and, as far as possible, the identification of the person who consulted or disclosed personal data, and the identity of the recipients of such personal data,” it said.
Computer Weekly previously contacted DSIT about the removal of the logging requirements and whether it believes this measure represents a risk to the UK being able to renew its LED adequacy decision in April 2025, but DSIT declined to comment on the record.
Commenting on the DUAB, Clement-Jones said that the removal of police logging requirements was “egregious”, adding that if the law changes to allow police data transfers to, and processing in, infrastructure not owned or controlled by UK bodies, it could “absolutely” be a problem for the UK’s LED adequacy retention.