Met police data platform deployed with data protection issues


The Metropolitan Police Service (MPS) deployed its Connect integrated record management system in November 2022 despite multiple “issues of concern” being raised over data protection and weaknesses in its search functionality.

The Connect system – contracted to software supplier NEC Software in May 2018 for up to £150m – is intended to help the force with end-to-end management of various policing processes, from intelligence and investigations to custody and prosecution, by giving officers instant access to real-time information across eight previously disparate systems through a single operational platform.

According to a scrutiny report by the Mayor’s Office for Police and Crime (Mopac), dated 19 July 2022, the first phase of the system’s roll-out would be going ahead in November 2022, despite updates from the force highlighting data protection “issues of concern with search functionality, audit capability and right of access”.

The report noted, for example, that Connect’s audit capabilities do not “fully replicate the audit capability of legacy systems”, to the point where it would be operating in contravention of the UK Data Protection Act 2018’s logging requirements around actions such as the collection and alteration of data.

“This is not MPS specific but is a national issue – the ICO [Information Commissioner’s Office] are aware of these issues at a national level and with [West Midlands], who have gone live,” it said. “MPS have suggested, as part of the government consultation on data protection law, that this section of the DPA 2018 is revised.”

According to a freedom of information (FOI) disclosure reported on by Computer Weekly, Connect is currently around £64m over budget, while officers and staff have raised more than 25,000 support requests in its first four months of operation.

Data protection issues

While the scrutiny report noted that Connect will feed data into the MPS’ Integrated Intelligence Platform (IPP) to “limit the impact of the search limitations”, it added that the combined search functionality of the two systems “will be less sophisticated than current systems allow” and that “some search functionality will be lost altogether”.

The limitations of the IPP system also mean there will be an “overwhelming volume of data being returned to sift through (estimated at 4-6 times the amount from existing systems).”

The issue of the MPS not being able to effectively record and retrieve data in its systems was also raised by the London Assembly’s Police and Crime Committee chair, Caroline Russell, during its May 2023 meeting, where she noted the force was unable to provide information on the locations of a fifth of the strip searches it had conducted on children.

Relating this back to the development of Connect, Russell told Computer Weekly: “We know the Met has failed in the past to properly record critical data on the strip searching of children.

“If computer systems do not prompt transparency, then officers are being set up to fail in the mission of protecting Londoners and earning their trust and confidence.”

The report further noted that Connect’s search functionality is “inferior to that in [the Met’s ‘Criminal Intelligence’ database] CRIMINT”, and that it creates compliance challenges around data deletion as it “removes files from being searchable and retrievable, but doesn’t technically delete them”.

It said that both of these issues will add to problems the MPS already has with responding to subject access requests in a timely manner, and “potentially means the MPS would be unable to comply with a subject access request to remove data”.

The report added that if this issue cannot be resolved “there is a risk of ICO involvement” and that “these issues were not flagged to MOPAC at the time of approval. We cannot say whether they were known inside the MPS.”

During the London Assembly’s May 2023 meeting, Mopac chief executive Diana Luchford said in relation to Connect: “I am concerned that we do not have the technological expertise that we need in Mopac to provide the most effective oversight that we could. We obviously are doing the best we can, but that is something we need to address.”

Met, Mopac and ICO respond

Computer Weekly asked the Met a number of questions about the oversight board document – including how all of the issues identified were resolved before the November 2022 roll-out; whether the system can now meet the statutory logging requirements; whether it formally consulted with the ICO on its data processing within Connect; why none of the issues were flagged to Mopac before approval; whether it is now able to effectively retrieve data from the system; and if the system now has the capability to fully delete data – but was told to submit an FOI request for the answers. An FOI request was submitted prior to publication.

Computer Weekly also contacted the ICO about the open discussion of data protection issues between Mopac and the MPS, and asked for clarification on whether the data regulator was made aware of the issues or otherwise approached by any of the bodies involved in rolling out Connect.

“The ICO has had limited engagement over the Connect system prior to its initial deployment in November 2022,” said an ICO spokesperson. “We have been made aware of some compliance issues, and understand that work is ongoing to resolve these and we anticipate further engagement with the MPS in connection with that matter.”

Computer Weekly also asked if the ICO was able to provide further information on its engagement with the force, and whether it believes the data protection risks were adequately mitigated, but this was referred to the regulator’s information access team as an FOI request.

“We can neither confirm nor deny whether we have been made aware of the issues that you refer to in your request,” said the ICO in response to that request.

It added, “Nothing in the above should be taken as being either confirmation or denial that the ICO has received correspondence from the quoted bodies”.

Computer Weekly also contacted both the Met and Mopac about why the ICO’s potential involvement was seen as a risk. While the Met said this question would need to be submitted as an FOI, Mopac did not respond.

Computer Weekly approached Mopac for comment about other aspects of the story on multiple occasions, but it did not respond.

MPS suggests law change

Responding to the Met’s suggestion that data protection laws be changed to accommodate use of the system, Owen Sayers – an independent security consultant and enterprise architect with over 20 years’ experience in delivering national policing systems – said that calls for data protection law changes are becoming an increasingly common answer to tech problems being encountered by UK police.

“I have heard this four times recently now. The inescapable conclusion is that the systems being increasingly adopted by policing are legally unfit for purpose; but that rather than properly establish their requirements and communicate them to vendors, policing technologists would rather change primary legislation,” he said.

“This is not simply naive – it reflects a fundamental issue which ought to call into question the competence and suitability of those persons calling for such changes to the law to hold their influential positions.”

He added that calls for changes to the UK’s data protection laws instead of changes to the technology being deployed are “reflective of serial failures on their part” to consider the legal constraints on the highly regulated police and law enforcement sectors.

“The simple reality is that everything the police need to do in technology terms is fully achievable within the laws that exist today. They simply cannot be done on the platforms that police technologists have elected to adopt,” he said, referring to the increasingly widespread adoption of hyperscale public cloud systems throughout UK policing in spite of the clear data protection risks.

“There is no need to change the law – all they need to do is apply good practice and select solutions that meet the requirements as they stand.”

Sayers further noted that the relevant data laws for UK police are not new, having been introduced in May 2016 and in full effect since May 2018: “Those people who are now making overtures to ‘change the law because it doesn’t reflect technology’ would be wiser to recognise that if the technology they’ve selected isn’t legal to use, they’ve actually picked the wrong technology.”

Computer Weekly asked the Met if it would like to respond to either Sayers’ or Russell’s comments, but was told an FOI would need to be submitted for the answers.


