The development of a national, cloud-based digital fingerprint system for UK police is due for completion in December 2022, and will facilitate easier access to and sharing of more than 8.4 million fingerprint data records via the cloud.
Known as the Transforming Forensics (TF) programme, the capability is hosted by the Police Digital Service (PDS), which is aiming to deliver the first full deployment in March 2023.
The PDS said that through access to a digital suite of tools – housed on the PDS Xchange platform, which is powered by Amazon Web Services (AWS) – police forensic teams would be able to send fingerprint and crime scene images in real time, allowing them to identify suspects within hours instead of days, as well as improve work processes by taking them off paper and into automated workflows.
It added that they would also be able to evaluate, compare and identify fingerprints using the national Ident1, an existing fingerprint database created by Home Office Biometrics (HOB), which was successfully integrated into PDS Xchange in April 2022.
“What TF has created with this capability and the Xchange platform moves fingerprints into the digital age whilst de-risking obsolescence,” said Andrew Price, director of corporate, forensic and technical services at the East Midlands Special Operations Unit.
“This game-changing moment now swings the focus to prioritise the integration between HOB and TF, a crucial requirement for delivering the ‘holy grail’ of fingerprint identification and maximise investigative outcomes.”
TF programme director Richard Meffen added: “We’re delighted to have delivered the Xchange platform and fingerprint capability. We’ve worked closely with technical and forensic subject matter experts across the country to ensure this product is truly transformational.
“This is a great example of the value we can create by working closely with policing, partner agencies and the Home Office to ensure a successful outcome that will have a significant and positive impact on how fingerprints are delivered and run in the digital age.
The PDS also claimed that the automated workflows provided would help police be “fully compliant” with internationally recognised security and safety standards, as well as data protection rules around the retention and deletion of information.
It added the new fingerprint capabilities would further enable policing to deliver on ambitions set out in the National Policing Digital Strategy, published in February 2020, which sets out five digital priorities for the decade ahead.
These priorities are delivery of a seamless citizen experience, addressing harm, enabling officers and staff, embedding a whole public system approach, and empowering the private sector.
Ongoing cloud concerns in UK policing
In February 2022, police forces across England and Wales were cautioned about the need to conduct thorough data protection due diligence after it was announced by PDS that all 43 forces would be able to use its Police Assured Landing Zone (PALZ), another AWS-powered cloud platform intended to modernise UK policing’s IT capabilities.
The due diligence involves checking that cloud deployments align with Part 3 of the Data Protection Act (DPA) 2018, which sets out, for the first time, specific statutory rules for the processing of personal data by law enforcement entities.
The due diligence required includes, for example, checking whether each force has conducted its own data protection impact assessment (DPIA) ahead of implementation, and seeking assurances about where the data they host in the cloud will be stored geographically.
A Computer Weekly investigation revealed in December 2020 that UK police forces were unlawfully processing over a million people’s personal data on the hyperscale public cloud service Microsoft 365, after failing to comply with key contractual and processing requirements within Part 3 of the DPA.
Computer Weekly also found that UK police forces had failed to conduct the necessary data protection checks before proceeding with their Microsoft cloud deployments.
Failure to comply with Part 3 of the DPA 2018 can put organisations at risk of sizeable monetary penalties, which are overseen and enforced by the Information Commissioner’s Office (ICO).
While the UK data protection watchdog will initially consult with the organisation to advise them on how to make their operations compliant, it also reserves the right to issue two tiers of monetary penalties. These include a “standard maximum penalty” of roughly £9m or 2% of the organisation’s annual turnover, or a “higher maximum” of £18m or 4% of annual turnover. In both cases, the offending organisation will be fined whichever amount is higher.
Independent privacy consultant Owen Sayers, who has more than 20 years’ experience in the delivery of national policing systems, including Ident1, said until a until a DPIA is made publicly available for analysis, it is hard to state categorically whether the service is operating legally or not.
“UK policing may have negotiated special terms with AWS, and the underlying cloud platform may have been radically re-engineered to make it legal for police use,” he said. “But this seems unlikely. The latest AWS listing on G-Cloud 13 for Digital Investigations and Forensic Storage appears the most likely service used by policing in this case.
“Having analysed the terms of service for that G-Cloud listing, I can absolutely state that the terms of service provided fall far short of the legal minimum needed to comply with the Data Protection Act 2018 Part 3.”
Sayers added that any use of AWS by a police force in the UK to process fingerprint, biometric, or any other digital evidence – using the Xchange TF service and relying on those contractual terms – would therefore breach UK data protection laws.
He further added that while this would not necessarily make the data processed on the platform immediately unusable, there were serious implications for both police forces using the service, as well as AWS.
“Whilst it seems unlikely that the ICO would take action against them – and public policy of the ICO now appears to not do so – there is a real risk that any person who has their data processed in this way and suffers damage or is distressed could raise a claim for the compensation they are entitled to under Section 169 of the DPA 2018 against either (or both of) the controller (police) and the processor (AWS),” he said.
Computer Weekly contacted PDS about the TF programme and Xchange platform’s use of AWS to ask, for example, if the terms of service align with Part 3 of the DPA 2018; whether data was stored and processed in the UK; what assurances it has received from Amazon regarding the storage and processing location; how it has dealt with the risks presented by transfers of data to the US, where there is a demonstrably lower standard of data protection; and whether a DPIA has been conducted.
In response, a spokesperson said the TF programme had worked closely with “information assurance resources throughout the development of the Xchange platform” to ensure a secure-by-design approach.
“Xchange is by design monitored and continuously assured in line with industry best practice. The end-to-end assurance of all platforms is continuously assessed, including changes at a platform or application level, and data protection impact assessments are reviewed accordingly,” they said.
“Quick, safe and proportionate data sharing across forces and partners is vital to investigating complex crime and keeping people safe from harm. Current ways of working, with their reliance on on-premise servers, are not scalable and pose barriers to information sharing which can lead to delays in investigations and negatively impact outcomes for victims of crime.
“UK policing is aligned to the government’s ‘cloud-first’ approach, outlined in the Government Cyber Security Strategy. The Police Digital Service will continue to work with all suppliers to develop and improve all aspects of digital service delivery to help transform operational process and support efficient and effective police services to UK citizens.”
Computer Weekly contacted AWS with the same questions, but it declined to comment.
Commenting on the PDS response, Sayers said: “[The cloud-first policy referred to] does not provide a blanket mandate for selection of unsuitable cloud services to process citizens’ personal data – instead it requires UK public sector to analyse and confirm the suitability of a cloud service before electing to use it.
“It must also be remembered that the Government Security Classification Scheme specifically restricts the use of public cloud for sensitive personal data – a fact often conveniently ignored by public sector organisations seeking to adopt cloud services.”
He added: “PDS themselves have no legal liability and this may be why they are not obviously concerned in this respect; but the ease by which a S169 compensation claim can be made, the evidence indicating that the service is operated outside of DP’18 Part 3, and the difficulty forces and AWS would have to prove its legally operating should be of real concern to them.”
Commenting on potential alternatives for UK policing, Sayers further added that the use of AWS and other public hyper cloud services was not “absolutely essential for these data services” and in any case does not provide any new or novel capabilities.
“UK policing has had the means to share this data inter-force, across the criminal justice sector and with the European Union for at least 15 years, and used private, secure and legally compliant networks to do so,” he said. “It is simply the rush by policing to use public hyper-cloud services that has introduced this new service, and there is really no way that those platforms – AWS, Azure and GCP [Google Cloud Platform] – can currently meet the legal requirements to do so lawfully or safely.”