Open Rights Group submission to Justice Committee on Police Scotland’s interim Vulnerable Person’s Database

Open Rights Group submitted analysis of Police Scotland’s interim Vulnerable Person’s Database to the Justice Committee at the Scottish Parliament.

Open Rights Group are grateful for the opportunity to provide evidence to the Justice Committee on the Committee’s recent correspondence with Police Scotland’s interim Vulnerable Person’s Database (iVPD).

Open Rights Group have been concerned about the iVPD since it was first reported on by the BBC on 26 September 2017. It appeared at the time to be a well-meaning attempt to seek early intervention, but it was undermined by the lack of clear weeding and retention guidelines and by the absence of a clear data collection practice, which had led to the collection and retention of irrelevant or Not Applicable information. These concerns have remained throughout Open Rights Group’s consideration of the issues.

May 2018 – Freedom of Information Request

In the May 2018 response Police Scotland confirmed that there were currently 913,122 unique nominals recorded on the iVPD. The entries that make up these nominals include expected categories such as Child Concern, Domestic Abuse and Youth Offending, but also include information categorised as “No concern / Not applicable”.

This category raised concerns for Open Rights Group as there is a strong requirement under data protection standards for data controllers, Police Scotland in this case, to only collect, process, and retain information that is “adequate, relevant, and limited to what is necessary”, known as data minimisation. A category of information that is by definition Not Applicable would suggest a failure to adhere to that principle. It was vital to Open Rights Group that this category was removed entirely as a data collection field, and the data contained assessed for its relevance and re-allocated if the information is relevant and necessary for the task.

Further, the request revealed that Police Scotland had not received any official communication from the Information Commissioner’s Office about the iVPD. While the ICO may have been informally advising Police Scotland about compliance with data protection law, as was reported, it is a source of concern that, despite the lack of an active weeding and retention policy, the lack of a privacy impact assessment, and the collection of information that is of “No Concern / Not Applicable”, the ICO had not made an official notice to Police Scotland.

February 2019 – Freedom of Information Request

Open Rights Group noted correspondence between the Justice Committee and Police Scotland on the iVPD over the course of several months. The most pertinent update from Police Scotland is from a letter dated 12 December 2018 from Police Scotland to the Convenor which stated that a weeding upgrade will go live on 4 February 2019. A recent letter from 8 April 2019 confirmed that a weeding and retention operation began on 4 February 2019. The letter stated that the iVPD now “complies with relevant data protection legislation”.

Open Rights Group submitted a new request under the Freedom of Information (Scotland) Act 2002 to confirm these changes. The request was made for information regarding the iVPD as of 13 February 2019, 9 days after the weeding and retention operation began:

  • The number of unique entries on the iVPD?
  • A breakdown of the categories, and numbers in each category.
  • A copy of the weeding and retention policy.
  • Any official communication received from the Information Commissioner’s Office.
  • A copy of the Privacy Impact Assessment of the iVPD?

The response from Police Scotland was received on 5 April 2019. The information provided was accurate as of 28 February 2019, 24 days after the weeding and retention operation began. The response confirmed that there were 723,282 unique nominals recorded on the iVPD, a reduction of 189,840. It is a welcome development to see the weeding and retention operation beginning. However, Open Rights Group maintains that there are still some continuing concerns and feels it is premature to refer to the iVPD as being in “compliance with relevant data protection legislation”.

No Concern / Not Applicable – the second largest category

Due to the recording facility Police Scotland use, the category breakdown includes the recording of multiple incidents, so there may be two entries in two categories relating to the same incident, meaning the total number, when broken down by category, rises to 2,062,572. The same categories from the 2018 freedom of information request remained. Child Concern was the highest category, but amongst the other categories the leading category by some distance is “No Concern / Not Applicable” with 487,887.

That there are any entries in No Concern / Not Applicable is of concern to Open Rights Group. As stated before, by definition these entries do not conform with the standard of data minimisation. This does not strike Open Rights Group as a system in compliance with data protection legislation.

The existence of a weeding and deletion policy is encouraging. With retention periods corresponding to different categories, the retention periods would appear to align closely with retaining data for only as long as is strictly necessary.

However, further questions about compliance with data protection legislation are raised by Police Scotland’s response to the request for access to the data privacy impact assessment. In the response Police Scotland admit that there is no data privacy impact assessment (DPIA) for the iVPD. While a DPIA is not mandatory for all processing operations, it is mandatory for processing that is likely to result in a high risk to individuals. Considering the previous reporting from the BBC on the “shock” that some had felt at being added to the iVPD without their knowledge, it would seem appropriate and at a minimum good practice for Police Scotland to produce a Data Protection Impact Assessment (DPIA) for the iVPD. It is concerning that there is not a DPIA to hand. It also raises questions as to the status of the DPIA that the ICO make reference to in the letter of 7 December to the Convenor.

Finally, the continued lack of action from the ICO in any official capacity is perplexing. This is a situation that clearly requires some attention: a large number of individuals in Scotland have had their personal data added to a database shared with public authorities across Scotland without their knowledge, and until recently without any way of systematically removing individuals who were no longer of relevance, some of whom were of no relevance to begin with. It would have been expected that Police Scotland’s lack of action in this area would have merited consideration from the Information Commissioner’s Office, or even a letter setting out the expected actions for Police Scotland to take.

The merits of the iVPD system lie in creating better links between important services and those who need them. These links are of no use if they are made without proper communication and without clear safeguards against creating a large unwieldy database. Open Rights Group understands what Police Scotland were trying to achieve and that the database was never supposed to be as permanent as it has become. However, it was clearly an oversight to begin building a database without clear policies in place, meaning that the iVPD was in breach of data protection laws. The current actions suggest a path towards compliance, but Open Rights Group would disagree with the suggestion that the iVPD is now in compliance with relevant data protection legislation.