FOI Release - IOPC & NICE DEMS
This is a request that I initiated in November 2021, in response to an article in Police Oracle about the Independent Office for Police Conduct [IOPC] adopting the NICE Digital Evidence Management System for handling data relating to their work. Police Oracle isn't a free site (though the subscription is worthwhile and I do recommend it quite highly) but the link is here.
It was also variously reported on other non-paywall websites or on LinkedIn: here, here, here and in press releases, blogs and promo materials by NICE themselves (here).
THIS FOI REQUEST IS NOW PUBLISHED HERE - you might want to open it to have as a read along...
Why make the request?
I didn't raise this FOI out of mere curiosity (though sometimes that is indeed the reason - I'm not above pushing an FOI request out 'just to find something out'); the article piqued a specific point of legal interest.
The IOPC is one of a specific group of Law Enforcement Competent Authorities who are subject to much greater restrictions than the rest when it comes to offshoring data (and of course this commonly happens in Hyperscale Cloud Services).
I wanted to understand if they'd taken this into account in what they called their 'robust' procurement process. Had it in fact been robust enough, and how on earth had they met the requirements of Section 73(4)(b) of the Act?
Section 73(4)(b) & what it means for IOPC (& similar orgs)
Sending personal data outside of the UK under Data Protection Act 2018 Part 3 [DPA Pt3] is a complex business for any Law Enforcement Competent Authority [LECA] - especially since Brexit.
Although it happens constantly (and nowadays it's done pretty much by default) across Law Enforcement, the legislation actually expects transfers outside of the UK to be rare and exceptional events.
It does give enough latitude to allow transfers to other non-UK Law Enforcement bodies (it would be daft not to do so), but transfers to anyone else - such as an IT provider (or indeed a Cloud Provider) - are in theory much harder to do, and there are three Conditions (S.73 "General Principles") that need to be met.
All three of these need to be considered and fulfilled (and Condition 2 is tricky for anyone) - but Section 73(4)(b) is the one that's genuinely interesting in this case.
Essentially, if you aren't listed specifically in s.73 as being allowed to send data processed for a Law Enforcement Purpose outside of the UK to a non-Law Enforcement recipient, then you can't do so.
The list of organisations who operate under this constraint is in the box on the right, and it's quite an interesting list...
You'll note that the ICO & a raft of other orgs are listed by name, whilst yet more are caught under the catch-all of the No. 1, 2, 3 or 4 categories.
The IOPC is number 18 - so they aren't allowed to offshore this type of data to (for example) a Cloud Provider.
It's worth pointing out here that the Scottish Police Authority also has this constraint applied to it, and they both documented it and came to the correct decisions in their DPIA (discussed in the Computer Weekly article about DESC here). This tells us that folks do know about the limitation and some of them DO also apply it - but did the IOPC?
Do NICE DEMS process data off-shore?
So this is a two-part consideration:
Let's take these in reverse order, because the 2nd part is easy to answer: NICE sits on Azure, and Azure definitely doesn't comply with UK legal requirements for DPA Part 3; for some key services it definitely does send the data outside of the UK (or provides support from outside of the UK - which the ICO recently clarified in their DESC advice to Police Scotland is definitely a transfer). Consideration 2 certainly suggests there's some off-shoring going on here.
The first question might however have a different answer today than it had when I made the FOI request, because whilst on 1st February 2022 the NICE Master Service Agreement on the HMG Digital Marketplace said this:
"2.5 Data transfers outside EU/EEA. Customer expressly agrees that NICE may Process Personal Data outside the territory of the European Union (EU), the European Economic Area (EEA) or Israel. In the event NICE transfers Personal Data to a country which is not an EU or EEA member state or Israel in order to provide the Services under the Agreement NICE shall ensure that the specific requirements under applicable Data Protection Laws for such data transfer are met. If requested by Customer, NICE affiliate will enter into the Standard Contractual Clauses with Customer as set out in Exhibit 2 to this DPA."
NOW (as of today, 26th May 2023) it doesn't. The latest version of the Terms of Service can be found linked here, and Annex 1 Para 2.5 is quite different - it now talks about Restricted Transfers, SCCs, etc., etc.*
* Just to be clear - SCCs etc. have absolutely zero bearing on making such a transfer of Law Enforcement personal data legal. In fact the whole of NICE's terms of service refer to GDPR throughout, and that's not the relevant legislation in play.
As a result, those terms of service absolutely still don't meet the Part 3 legally required terms of service so NICE would fail my simple test for a legal processor for ANY type of Law Enforcement Competent Authority to use if I examined them - but I digress for a sec.
This is quite an interesting change for them to have made, but the bottom line today is that it's quite impossible from this information alone to determine whether NICE still send this data to countries outside of the EU/EEA, or indeed to Israel (where they are HQ'ed).
They may do or they may not, and only someone like the ICO, with its powers to compel disclosure, could really find out - and let's be honest, that's not going to happen; plus that's not the main topic of examination in the FOI anyway.
The updated Digital Marketplace listing does also say that the data stays domiciled in the United Kingdom however and it didn't previously claim this.
Back to the FOI & IOPC...
At the time of my asking for the FOI it was pretty clear that data uploaded to NICE DEMS definitely went outside of the UK and even went outside of the EU/EEA, and I raised this with the IOPC, thus:
B) You identified that you do not have any information relating to the consideration of S73, but also stated in your response that: "In relation to part 2 we confirmed with the supplier that no data would be transferred outside of the EEA. Therefore, the data protection principles concerning international transfers do not apply to this project."
Those two conditions are mutually exclusive, since a statement to that effect from the supplier would fall under question 2 of my request and I would therefore ask that you provide me with a copy of that statement, or alternatively your justification for not doing so.
In considering any basis you may wish to apply for not disclosing this information I would advise that I believe the existence and detail of such a statement is of material public interest, since the NICE published Terms of Service (Master Service Agreement) on Digital Marketplace state the following (Annex 1, Para 2.5):
"Data transfers outside EU/EEA.
Customer expressly agrees that NICE may Process Personal Data outside the territory of the European Union (EU), the European Economic Area (EEA) or Israel.
In the event NICE transfers Personal Data to a country which is not an EU or EEA member state or Israel in order to provide the Services under the Agreement NICE shall ensure that the specific requirements under applicable Data Protection Laws for such data transfer are met. If requested by Customer, NICE affiliate will enter into the Standard Contractual Clauses with Customer as set out in Exhibit 2 to this DPA."
These terms of service run contrary to your statement that you have received supplier confirmation that personal data processed for Law Enforcement purposes will not leave the UK, and that as a result consideration of S.73 does not apply.
I am seeking such documentary evidence as you may have that confirm these conditions have been modified for IOPC, and that the modification of such terms has been trickled down to Microsoft as a NICE Sub-processor to also modify their standard terms (which include similar clauses). Do you have this?
Basically my point was that to use this supplier and stay compliant with the Act, the IOPC had to have received something in writing from NICE stating that the data would definitely never leave the UK - whilst NICE's terms of service said it would.
I wanted IOPC to give me the evidence that they had properly considered S.73(4)(b) of the Act. What I got was a letter, and this attachment. (If you go to the FOI request you'll see them there too, you don't need to use these links).
The attachment confirmed that the data was sub-processed by Microsoft on Azure (so offshoring in contravention of S.73 appeared to definitely be in play), and also that NICE aren't looking for permission to offshore data (but they didn't NEED further permission, their terms of service gave them all the authority they felt they needed).
However the 'smoking gun' that explained how they'd screwed this up was in the letter, as below: (my bold emphasis BTW)
"When the IOPC looks to engage a data processor a due diligence questionnaire is sent to that processor in accordance with Article 28 UK GDPR. When these questionnaires are received they are analysed by the DPO Team who look for any risks and issues that the use of the processor may propose. One of these tests is the transfer of personal data to the EEA or a third country.
NICE systems UK Limited advised that there would be no transfer outside of the EEA. The situation was not explored further as we were assured that the processing would be taking place in the UK only."
The first and most obvious observation (which is why it's in bold) is that the IOPC applied entirely the wrong legislation. Their DPO Team clearly didn't know that they processed this evidence data under the DPA 2018 Part 3 whilst fulfilling their role as a Law Enforcement Competent Authority.
That they didn't understand what law they work under is pretty shocking, but it's also really common - at the Digital Policing virtual conference a couple of years back the PDS DPO spoke at length about GDPR, SCCs and how Policing could use them. Quite concerning.
The second observation (which is nearly as bad TBH) is that instead of doing what anyone would consider basic groundwork and looking at the Terms of Service (which clearly stated at the time that a service user gave express agreement that data would be sent outside of the EEA, and specifically to Israel), they relied on a questionnaire for their 'robust' procurement process.
The IOPC exists to assess, regulate and promote good practices in Policing - so for them to screw this up quite so badly is really a bit appalling. There's no excuse that can be applied here really - they should be doing this stuff better than everyone else simply because of who they are.
I did write to the IOPC DPO - pointing out where they'd made the mistake re picking the wrong legislation, but I never received a response.
Mind you maybe the response I got was the change in the Terms of Service on Digital Marketplace? If so, it still doesn't fix the underlying issues in any real way.
Summary
So where are the IOPC now in terms of use of this NICE DEMS product?
Well if I had received the info published today on Digital Marketplace I'd only be 99% sure that the service they're using isn't legal for them to employ; whereas at the time it was a 100% raging certainty AND it was clear how they'd screwed up.
As it stands, I think it's highly likely that IOPC are still in some difficulty - and though I can't say so with absolute certainty, it's something that the ICO ought to be asking questions about (as might the Biometrics and Surveillance Camera Commissioner, because he's already rightfully expressed concern about this form of processing for DESC and the IOPC almost certainly handle personal data that falls under his aegis from time to time).
I doubt however that the ICO will do much - and I also doubt that the IOPC will either.
The ICO applies no consequences, and in doing so gives an open charter for this sort of thing to happen.
My quick summary of where this leaves us -
Close
And that's my first published FOI request. This is a Beta model so I might need to tweak the format and come up with some sort of dashboard for risk... I'll work on that.
Of course if anyone involved in this thinks I've misrepresented anything then let me know - if I have then I'll adjust and properly update accordingly (but it's an FOI response so I'm pretty sure of the ground I'm on here TBH...)
Helping organisations Manage their images, videos and other media files using AI enabled Digital Asset Management 📲Tech Entrepreneur 🏡Property Entrepreneur, Investor 🎤Public Speaker, Podcast Host, Radio show host
1y: Interesting… as far as I'm aware police forces carry out independent PEN tests on solutions they use. Is this not the case with NICE? All our solutions in police and NHS undergo independent PEN testing, which confirms that data transfer and storage meet their requirements
Extensive experience across HMP Service (Governor),the National Probation Service (drug specialist), Surrey Police (Secondee Probation officer working alongside DIU) to divert prolific nominals away from crime,
1y: I will have a read of this this evening, thank you for posting it Owen.