ICO flags concerns of ‘poor practices’ in police collection of smartphone data
Regulator identifies inconsistent approaches between forces and tendency to collect excessive information
The Information Commissioner’s Office has identified various “poor practices” in the police’s collection of data from citizens’ smartphones, and has called for clearer rules and more attention to be paid to data protection.
The regulator said its recent investigation on the use of mobile phone extraction (MPE) in criminal investigations was prompted by concerns about an inconsistent approach across differing police forces, a general tendency to inappropriately rely on citizen consent as the basis for data processing, and a prevalence of “poor practices… including an overly wide approach to extracting data”.
The ICO’s resultant report identifies cause to “call into question the appropriateness of some of the current police practices in MPE… [and] recommends that a number of measures are implemented across law enforcement in order to improve compliance with data protection law and regain some public confidence that may have been lost”.
The first of the regulator’s 13 recommendations is the introduction of much clearer rules about when, why, and how extraction should be used. These should ideally be codified in a statutory code of practice, the ICO said.
The second recommendation is that the basis for lawful processing should be examined, with particular attention paid to whether consent is relied upon too much and inappropriately.
The way in which the use of MPE is authorised should be unified across the criminal-justice system, the ICO said, and the police should also assess whether its current implementations of the technology meet the “integrity” standards laid out by the Forensic Science Regulator.
“More robust policies” for the processing and deletion of data not relevant to an investigation need to be put in place, and the police should also engage with the Crown Prosecution Service at an earlier stage to enable data extraction “to be more targeted, such that privacy intrusion is minimised".
The seventh recommendation is that the police must implement measures to ensure the use of MPE complies with data-protection legislation – with particular reference to the length of time for which information is retained.
Better engagement with those whose phones authorities wish to access is also encouraged – including full explanations of what the process will involve and their rights in relation to MPE.
The police should implement a “national training standard” for all officers involved in data extraction, the ICO said.
The report recommends that the technology used to undertake extractions requires an update, and that “future procurements should take account of privacy-by-design principles”.
Data-protection officers should be consulted by senior officers before the new technology is used, and a full data-protection impact assessment should also take place.
The last recommendation is that: “Wider work being undertaken across criminal justice, including revisions to the Victims’ Code, the Attorney General’s Guidelines on Disclosure and the Criminal Procedure and Investigations Act 1996 Code of Practice, should incorporate measures that address data protection and privacy concerns.”
Information commissioner Elizabeth Denham will, in the coming days, write to all chief constables and police and crime commissioners to encourage them to take on board the recommendations, and advise that the regulator is willing and able to support forces in planning and implementing the suggested measures.
“This can by no means be the end of the story,” the report said. “Data protection and privacy is one aspect of a much broader set of issues in this space, and there are significant steps across the whole system that need to be taken to increase the public’s confidence in how their personal data is used in a criminal justice context. The commissioner therefore calls for a national consortium of relevant organisations to work together to improve the system as a whole in order to ensure public confidence in the wider process.”
The use of MPE technology has proven controversial in the past.
In 2018, Police Scotland bought 41 “cyber kiosks” – which allow law enforcement to bypass encryption measures and access data on PCs and smartphones. But it was almost 18 months before the force was able to deploy them, after members of the Scottish Parliament expressed concerns about the legal basis for the use of the technology.
Last year a cross-party selection of Westminster MPs also criticised new guidance for forces across England and Wales that they should ask rape victims to allow officers to access data on their devices and social-media accounts.
A standard consent form designed for nationwide use tells victims: “If you refuse permission for the police to investigate, or for the prosecution to disclose material which would enable the defendant to have a fair trial, then it may not be possible for the investigation or prosecution to continue."
CMA says that all of society will lose out ‘if the market power of these firms goes unchecked’
Joint Council for the Welfare of Immigrants files judicial review
Use of kits supplied by Randox has been paused ‘until further notice’
Most department staff have remained onsite during pandemic, although some ‘ad hoc’ arrangements have been made