Police Scotland does not have a force-wide system of knowing what data it holds and whether it is secure, according to an audit by the Information Commissioner’s Office (ICO).

Despite advanced notice that it was going to be audited, when the regulator carried out a site visit its team found that it was “limited in its ability to gain assurance across the organisation”. The ICO said in its report: “The audit would have benefited from further access to key staff and documents.”

Before the visit, the force discussed its scope with the regulator and arranged a series of interviews. It had agreed to a “consensual audit” of its processing of personal data. It focussed on the security of personal data, including technical and organisational measures in place, and on training and awareness.

The ICO’s team found that Police Scotland does not have an information asset register in place to ensure that data is identified, logged, and “continually risk assessed”. So-called information asset owners have only been established for some types of data held.

Other shortcomings identified were a lack of data protection and information security training for new employees, and a failure to make sure training is “fit for purpose”.

Data protection and information security training is not refreshed, said the report, and “it is possible for a member of staff to be employed for over 25 years and not receive any additional training in data protection or information security following the induction course”.

It added: “[Police Scotland] does not conduct training needs analysis for staff responsible for processing personal data which poses a risk that staff groups have not received an appropriate level of data protection and information security training”.

Justice Innovation 2018 Summit: Innovation Through Digital Transformation
Hosted by FutureScot, the summit in Edinburgh on 8 March will provide delegates with the opportunity to examine the implications of the digital revolution for Scotland’s justice system.

The audit was carried out under the existing Date Protection Act, but the ICO will be responsible for enforcing the forthcoming EU General Data Protection Regulation (GDPR) in the UK.

The ICO has four categories of audit result; ‘high assurance’ (green), ‘reasonable assurance’ (yellow), ‘limited assurance’ (amber), and ‘very limited assurance’ (red). Police Scotland was rated amber.

The report did identify areas of good practice. Police Scotland has implemented a “vulnerability management system” to log new technical vulnerability updates. It is using “hacking tools” to identify any additional technical vulnerability. There is a “vulnerability assessment and penetration testing” process to identify, test, and apply solutions to vulnerabilities.

It also has an internal audit programme in place which takes a risk-based approach. These include audits for key systems and processes such as transaction monitoring of the Police National Database and the Driver Validation Service database to ensure compliance with their use.

But the report concluded: “There is a limited level of assurance that processes and procedures are in place and delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance”.

Assistant Chief Constable Alan Speirs told FutureScot: “Police Scotland welcomes the Data Protection Audit Report by the Information Commissioner’s Office which recognises both our good practice and some areas for improvement.  We will consider the recommendations in the report and note its conclusion.”