The Scottish Biometrics Commissioner has sent a letter to Bex Smith, Assistant Chief Constable of Police Scotland, outlining concerns about the use of a U.S.-based cloud solution for storing sensitive biometric data.
The letter specifically addresses the Digital Evidence Sharing Capability (DESC) pilot in Dundee. The Commissioner highlights the potential risks of storing sensitive biometric data in a cloud solution run by a U.S.-headquartered provider. The DESC solution contract was awarded to Axon, a U.S.-headquartered technology company, which partners with Microsoft Azure for cloud hosting. According to the Commissioner, this arrangement could expose the data to U.S. laws, including the CLOUD Act, potentially without Police Scotland’s knowledge.
The letter also cites multiple instances of security breaches involving U.S.-based cloud services. The Commissioner points out that U.S.-headquartered technology providers continue to be high-value targets for hackers and hostile foreign states.
Additionally, the Commissioner notes that the Scottish Code of Practice on biometrics currently extends only to Police Scotland, the Scottish Police Authority (SPA), and the Police Investigations and Review Commissioner (PIRC). This limitation could undermine public confidence as biometric data is shared throughout the criminal justice system in Scotland, including in the DESC system.
“I have already highlighted in my annual reports to the Parliament that this is a significant risk which could undermine public confidence and trust in the criminal justice ecosystem in Scotland,” Commissioner Plastow wrote.
The letter aims to facilitate a full and frank discussion between the Commissioner and Police Scotland, especially as Police Scotland completes its self-assessment for compliance with the Scottish Code of Practice.
October 17, 2023 – by the FindBiometrics Editorial Team