HM Inspectorate of Constabulary says potential of National Crime Agency’s National Data Exploitation Capability ‘remains unfulfilled’ due to outdated and unfit IT, poor access and management of data and under-resourcing
The National Crime Agency’s National Data Exploitation Capability (NDEC) is not reaching its full potential, according to a report from HM Inspectorate of Constabulary and Fire and Rescue Services.
The NDEC was established in 2018 to assist the NCA in tackling serious and organised crime by analysing or exploiting bulk datasets. The inspectorate stated that it could not determine NDEC’s final cost, as it received contradictory evidence from documents and interviews; however, its team estimated the cost to be approximately £92m.
The inspection stated that many of the NCA’s IT systems are “outdated and unfit for purpose,” resulting in a lack of investment, which means the cost of replacing outdated systems is increasing. It added that the agency has been slow to adopt cloud computing. This means its staff cannot automatically move data between systems operating on each of the three security tiers of Government Security Classifications Policy, something it described as “a significant limitation”.
It recommended that the agency and the Home Office plan a timeline for replacing its legacy IT systems, as well as working out how to allow transfers of data between the three security classifications, by the end of September 2025.
When the inspection took place, the NDEC had access to several bulk datasets, but these did not include material from the nine regional organised crime units shared among police forces. There were also no plans to routinely analyse data held on the Law Enforcement Data Service, which is due to replace the Police National Computer, and other data-sharing arrangements were often based on staff knowing someone in another organisation. It said the NCA does not have an effective system of version control for datasets and should establish “a more rigorous approach to data management”.
The inspection stated that NDEC personnel and leaders were confused about their approved staffing levels, and that the NCA provided inconsistent and contradictory information on this matter. It added that five reviews of NDEC by the agency had found that resourcing required urgent attention, but none had included a clear action plan to resolve it.
However, the inspectorate praised NDEC personnel for their understanding of the legislation governing their work. The NCA is not subject to the regulatory regime required by the Investigatory Powers Act 2016 but in 2020 it invited the Information Commissioner’s Office to audit NDEC’s data-handling processes. While the report said this was encouraging, it recommended a more systematic and robust arrangement.
The inspectorate submitted the full report to the Home Secretary in February. The published version excludes details on operational matters.
