A controversial Home Office push to merge two major national policing systems into one unified law enforcement data lake is £45m over budget and nearly two years overdue, MPs have been told.
The National Law Enforcement Data Service (NLEDS) will merge the Police National Computer (PNC) and Police National Database (PND) into one data pool that can be accessed through a single system and searched via free form queries, and has been previously criticised by privacy campaigners.
The PNC, set up in 1974, holds a range of personal data on individuals – from information on arrests and convictions to vehicles and property – while the PND, introduced much later in 2009, contains police intelligence data such as CCTV footage, as well as other information on individuals, organisations and weapons.
The PND is handling over 1.5 billion records, while the PNC is holding roughly 12 million personal data records on UK citizens, and it appears the plan to merge the two systems – first announced in 2014 – has been beset by delays and funding difficulties.
In response to a set of parliamentary questions regarding the progress of the NLEDS, minister of state for the Home Office and Ministry of Justice Kit Malthouse told MPs “the programme overspend is currently £45m” and that a funding bid had been submitted to HM Treasury as part of an ongoing spending review.
However, he did not disclose how much additional funding it is seeking to finish the project, the completion date for which has been pushed back by nearly two years – from June 2022 to December 2023 for the PNC phase, and from December 2023 to March 2025 for the PND phase, he confirmed.
He added that “the programme is exploring options for how the replacement of PNC and PND could potentially be delivered sooner” and that it would provide a number of “well-documented benefits … through efficiency and effectiveness savings”.
“These include cashable reduction in running costs and a wide range of broader benefits such as reducing the time to identify a person of interest, public time savings, improved searches and reduced training overheads,” he said, adding that an NLEDS pilot in use by seven police forces has saved “up to 66% of police time when performing a roadside identity check”.
In response to specific questions on how the effectiveness of the NLEDS is being assessed, Malthouse also noted that a Data Protection Impact Assessment (DPIA) has been completed, and that an external review team has been appointed to review the “full scope, remit and approach of the programme”, which is due to be completed in April 2021.
However, while the DPIA confirms the “data will be stored electronically on … a commodity cloud service”, it does not actually name the provider.
The Home Office is known to be a long-standing user of Amazon Web Services (AWS), with a tender published in August 2018 relating to the migration of police systems stating: “There is a desire to migrate … [PNC] to AWS as the software and infrastructure on which these systems reside is not of a satisfactory status or versioning.”
A later tender published in March 2020 for a supplier to provide a cyber security wrap around for “services hosted within our commodity cloud environments” also said they “must have knowledge of security managing AWS native Services Eg S3, EC2, DMS Databases, Cloudtrail, and Cloudwatch, for example”.
While the tenders only refer to AWS briefly, Annex A of a Chief Constables Council meeting agenda from July 2018 said the NLEDS programme “is completing build of the new environment in Amazon Web Services and building the new LEDS product, work on which is scheduled to be completed by the end of 2019”.
It added that the cost of the project “has increased substantially and the programme is looking hard at ways of reducing this”.
Concerns with the system merger
A number of privacy campaign groups have raised concerns about the NLEDS, suggesting that it could lead to “over-policing”.
Privacy International, for example, is concerned that granting such broad access to information “will negatively affect the trust between citizens, the police and other agencies”.
“Establishment of LEDS risks leading to over-policing, further embedding distrust in the police of individuals from ethnic minorities and migrant backgrounds, as well as those who are in vulnerable positions, such as trafficking victims or missing persons,” it said. “It is essential therefore to ensure the system and decision-making process is as transparent as possible and subject to sufficient oversight.”
Without sufficient safeguards and oversight, “providing access to a broad range of users and agencies can lead to misuse and exploitation of personal data stored on the database,” it said, before airing particular worries about “providing access to private sector organisations”.
Big Brother Watch has also raised concerns about the fact there has been no consideration of the new system in Parliament: “While modernised policing systems are welcome, there needs to be significant and meaningful consideration of the privacy issues involved in such a large database of personal information, the access to such a database via an application available to all police officers, and the use of machine learning algorithms in the criminal justice system.”
Furthermore, while the DPIA states “all components of the service will be UK-based” and that the service itself “will be hosted via servers located in the UK” if US-based AWS is hosting the system then it could be subject to a range of government surveillance powers, meaning UK citizens’ data is not protected to the same standards as it would be in Europe.
These powers include Section 702 of the US Foreign Intelligence Surveillance Amendments Act (FISA), which gives US government agencies the right to search and collect communications and data on non-US citizens without a warrant.
By not mentioning AWS as a processor, the DPIA has therefore not explained the risks involved with highly sensitive information about millions UK citizens being in reach of the US government, nor how this risk could otherwise be mitigated by technical, organisational or contractual measures.
However, it does mention that “a processor shares much of the accountability for the data processing”, and that “a data processing contract will be in place to manage these relationships”.
“Like controllers, they are obliged to keep records of all categories of processing activities, including details of the controller and any other processors, processing categories, international transfers, general description of technical and organisational security measures,” it said.