Scottish Biometrics Commissioner Brian Plastow has urged the ICO to investigate Police Scotland’s Digital Evidence Sharing Capability (DESC) hosted on Microsoft Azure. This follows Microsoft’s admission of inability to ensure UK policing data sovereignty on Azure, raising data protection concerns.
Plastow highlighted ongoing uncertainty and criticized delays in ICO guidance on police cloud usage. He emphasized compliance doubts regarding DESC’s handling of biometric data and its alignment with UK laws.
Concerns emerged in April 2023 about legality and risks of using Azure for policing, including potential US government access under the Cloud Act. Plastow issued Police Scotland an information notice in response, but concerns persisted.
Microsoft’s June 2024 admission further complicated matters, impacting broader public sector data hosting requirements. The ICO’s generic police cloud guidance also contributed to regulatory confusion.
Plastow argued for an ICO investigation, citing Principle 10 of the Scottish Biometrics Commissioner’s Code and the need for compliance with ICO requirements.
Freedom of Information disclosures revealed procedural gaps in oversight, with Police Scotland not consulting the ICO before deploying DESC with live personal data. Independent calls for an investigation underscored broader concerns over data retention and compliance with legal standards in law enforcement data management.