Meeting date: Thursday, May 9, 2019
Justice Sub-Committee on Policing 09 May 2019
Agenda: Digital Device Triage Systems
- Digital Device Triage Systems
Digital Device Triage Systems
Feasgar math, a h-uile duine, agus fàilte. Good afternoon, everyone. Welcome to the fourth meeting in 2019 of the Justice Sub-Committee on Policing. We have received no apologies.
Agenda item 1 is evidence on Police Scotland’s proposed use of digital device triage systems. I refer members to paper 1, which is a note by the clerk, and paper 2, which is a private paper.
I welcome our first panel of witnesses, who are both from Police Scotland: Deputy Chief Constable Will Kerr, who is responsible for local policing; and Assistant Chief Constable Steve Johnson, specialist crime and intelligence. I thank Police Scotland for its written submission, which is most helpful to the sub-committee.
As this is DCC Kerr’s first appearance at the sub-committee, I invite him to make some brief opening remarks.
Thank you, convener. I will try to make them brief and not a two-minute exercise in Irish speed talking.
I will make a couple of brief opening comments about cyberkiosks and how policing uses technology to help to police and protect our citizens, who increasingly lead their lives online. The issue of cyberkiosks is a challenging one, but it is not unique to Police Scotland. I have experienced it in other jurisdictions and law enforcement agencies. Getting the right balance between the safety and security of the citizen and how we protect their privacy is a key responsibility of policing, and as policing increasingly tries to keep up with the technology that is used by criminals who are looking to cause harm to citizens across Scotland, we always have to be cognisant of that balance. Increasingly, we are policing with that technology in a regulatory and sometimes legislative environment that reflects the analogue age that we used to police in, and not the digital age that we police in now.
To that end, we really welcome the sub-committee’s scrutiny of the issue over the past number of months and beyond. It has really made us challenge ourselves about how we approach that difficult balance. It has led to the establishment of some key bits of architecture for us around reference groups, a more robust look at how we manage equality and human rights impact assessments and, specifically, victim consent forms. We really welcome that; it has added real value to what we do.
However, as I know all too well from my 30 years as a police officer and my previous role as a director in the National Crime Agency, the shocking scale and exponential rise of some forms of crime that are being exploited against our citizens—not least our children and vulnerable citizens, for example through child sexual abuse and exploitation—mean that we need digital evidence in order to protect our citizens and take abusers and offenders before the court. We have a statutory responsibility on behalf of the public in Scotland to use every single technology—legally and proportionately—to make sure that we can protect our citizens.
As I know the sub-committee has reflected, we have only ever acted in good faith on the issue, but I acknowledge, and we absolutely accept, that we should have reflected more on and spent more time considering the privacy issues from the outset. We should also have spent more time at an earlier stage getting clarity on the legal position in that regard.
When the chief constable appeared before the sub-committee on 31 January 2019, he made it clear that we would not consider introducing cyberkiosks until we were satisfied that we had that legal clarity and the confidence of the community that we serve. We think that we are very close to that position. We now have the legal clarity from the Crown Office, under whose direction we act, and from independent senior counsel, Murdo MacLeod. Over the past weeks, we have spent a lot of time with the Scottish Police Authority, including yesterday, and we will continue to discuss the issues with the SPA at its next public meeting on 22 May; we will also meet our reference groups again on 11 June to discuss Murdo MacLeod’s legal opinion. At that point, we think that we will be in that position of community confidence and legal clarity. As quickly as possible thereafter, we would like to roll out the devices.
As a result of the sub-committee’s engagement and scrutiny, we think that the process will be better, and we would like to apply the lessons learned to the increasing use of technology in policing over the next number of years. It is not something that will stop, because this will not be the last time that we use a new or innovative bit of technology.
Convener, thank you for your indulgence.
Thank you for those opening comments.
You acknowledge that you are approaching things differently. It is important that we look forward, but it is also important to learn lessons. What specific lessons has Police Scotland learned about the lead-up to and implementation of the trials in Stirling and Edinburgh?
I will ask Steve Johnson to cover a wee bit of the detail about the trials.
I made the point at the beginning that we approached the issue only from a position of good faith. We are interested in Police Scotland and our officers having the best tools to protect the citizens of Scotland from the vast and growing array of threats that they face. In this case, I think that, internally, we fixated too quickly on the technology that was involved and simply did not spend enough time considering how the use of that technology would be perceived by the very citizens we were looking to protect. The significant learning point for us was not just to take a technical approach to the use of a new tool and a new power but to consider how we use it, how we explain it and how we engage with community and reference groups. That was a key bit of learning for us that we will take forward.
The trials started in 2015. I took on the project in 2016, and it finished during my time in post, in 2017. The used of the word “trial” has been talked about by the sub-committee. My sense of it was that we wanted to get some feedback from the officers on how usable the piece of equipment was and whether it did the job. In particular, we got feedback from officers who were sitting with victims—the feedback predominantly involved victims—who were clearly saying that it was not the worry about their data that made them not want to give us their phones; it was the fact that if they gave us their phones, it would take six months to get them back. We wanted to make sure that, whatever we did to deal with the backlog that we had—and still have—the officers could use the technology.
The trials—or user acceptance or user testing—to see whether the equipment was suitable were commissioned in 2015 and finished in 2017. As the DCC has said, lessons were learned from that. No criteria were set at the start of the trials, but we now have a much more disciplined process. If we are going to put a piece of equipment out there, we will look for specific feedback that will form a review or some analytical product that we can take away. That did not exist in either of the two trials. That said, in Edinburgh, there was a report that was based on the evidence that had been gleaned. In Stirling, however, we had predominantly anecdotal feedback from officers that it was a really good bit of kit. The feedback is similar today: this is what we need to expedite victims’ phones through the systems.
I do not wish to labour the point. However, we have had issues with the initial deployment of armed officers and with stop and search, with John Scott QC saying in his report that the police should be viewed as the front-line defenders of citizens’ human rights. There were concerns about cyberkiosks that were similar to those raised in relation to those two policies, which were controversial at the time. Why were those concerns about cyberkiosks not flagged up and addressed, as they should have been?
That is a reasonable question. On the important issue of human rights protection, I absolutely agree with the statement about Police Scotland being at the vanguard of protecting the rights of citizens in Scotland. Our initial focus was on ensuring that we had the capability and tools to protect Scottish citizens from harm. Perhaps the lesson from the issues that you mention has been to take a balanced perspective earlier, as it is not just about protecting citizens from harm but about how the use of quite intrusive and invasive powers feels to the rest of our citizens.
Over the past few years, we have matured and now have a balanced perspective. We welcome the scrutiny of the sub-committee and others in helping us to mature. We have discussed that at length with the Scottish Police Authority over the past few months. Just this morning, we talked with the SPA chair about making sure that we have earlier conversations with the authority about getting a balanced view of human rights.
Sitting at the heart of the project are the rights of three groups: victims, suspects and the wider community. We felt that the technology had benefits in terms of legality, necessity and proportionality for all three groups.
For victims, the approach will expedite their devices through the system, whereas, at the moment, they can wait up to six months for their device to be examined before they see any form of justice. We felt that using equipment that could triage devices and reduce the backlog would be more proportionate when it comes to removing their device and affecting their private and family lives.
For suspects, there is equality in having an initial assessment while they are still in custody that might be used to make a decision about whether they are liberated or not.
Among the owners of 2,000 devices, which is roughly the backlog that we are sitting with today, there are suspects who have been liberated and who potentially present a risk to the wider communities of Scotland. I want to balance the needs of the victims, the rights of the suspects and the expectations of communities. We have the information—it is sitting there in devices that have not yet been examined—and communities expect us to keep them safe from people whom we should be doing something about. That sits at the heart of our decision making.
I take on board the point about whether we followed formal processes, such as doing a data privacy impact assessment and an equality and human rights risk assessment. I am the senior responsible officer, so I take responsibility for that. I felt that what we were looking at was an extension of existing technology, rather than something new. The learning for me, which we have taken back into the organisation, is that when there is a change in use or a development, we should review existing processes.
I am happy to say that we have now completed those assessments and, as DCC Kerr said, we will take those to the reference groups over the coming weeks.
There is a specific factual question that I want to pin down.
In paragraph 5 of the QC’s opinion that was provided to you, he says—as QCs tend to say—“As I understand it” and continues:
“the examination is conducted ‘off-line’ with the sim-card removed from the device.”
However, in paragraph 21 of our report on the subject, which is based on the evidence that we received, we report that
“262 SIM cards were examined”
as part of the pilot. Without further information, I am unable to reconcile those two points. Can you help me do so?
I think that we can, quite easily.
At the time of the pilot, the devices that were examined through the kiosk were not connected to any external form of data source. As the kiosks are configured now, and as we demonstrated to the QC, we just examine the device. We will take the SIM card out of the device and it will be the data that is held on the handset that is examined.
I understand that. To be clear, during the trial, the SIM cards were examined, but you would not do that now as part of the kiosk activity, although you might do it in other contexts.
We would examine SIM cards as part of the wider forensic download. That is currently the case and probably still will be the case. However, we would not examine them as part of the current process.
I welcome your candour in relation to the mistakes and oversights.
Mr Johnson, you referred to learning in relation to what was perceived to be an extension of practice that was already taking place. You will be aware of the concerns that have been expressed to us by a number of stakeholders about the legal basis for the existing practice in relation to the hubs. As part of that learning, what consideration is being given to those concerns and whether what is happening in the various hubs around Scotland is compliant and is achieving the right balance between what are competing rights?13:15
One of the key aspects of this is the stakeholder reference group; we also intend to have an ethics panel, which will be a regular feature, too. In future, prior to something being instigated or even when we develop a solution, we will go to the ethics panel to talk through the issues, which will help us define our system and user requirements.
On the observations about the legal basis for the proposal, I have always been confident that we had a legal basis and I am assured by the independent counsel’s opinion and the Crown position that we have that legal basis. Fundamentally, at the heart of our responsibilities and duties to citizens is the need to keep them safe—we need to do that.
I am confident that there is a legal basis for the proposal; I am also confident that, because of how we work in Police Scotland now, any area that is trying to develop technical solutions will have reference groups to talk to as part of the thinking process, before a solution is identified. That may be a system that is on the market or something that needs to be developed as part of a system, or it may involve improved use of an existing system.
I will make one additional comment, which may help Mr McArthur. This is a difficult space for us because the world of technology is moving at such a pace. We have to get the appropriate balance between consulting, engaging with and listening to people and keeping up with the technology that criminals are increasingly using.
I know that, 10 years ago, it was high-end serious and organised crime gangs that had encryption and anonymisation or data-masking software. That software is now available free online, and some people who are involved in volume crime use it, which simply would not have been the case five or six years ago.
We are constantly trying to keep up with the technology that criminals are using to make sure that we can protect the public in Scotland. The pace makes it difficult for us to ensure that we do all the stuff that you rightly challenge us on and which we want to do without lagging even further behind the technology that criminals are currently using.
On that point, you fairly said that, in many respects, some of the regulations and requirements placed upon you originate from an analogue age but need to be applied in the digital age.
I suppose the concern is that even something that you applied in the early stages of the digital age will become less relevant as we move on. That seems to beg a question: should Police Scotland be allowed to evolve practice in line with the challenges that you are facing, or should it look for a legal framework that better reflects the space in which you are operating and the balances that you are trying to achieve? Police Scotland will not necessarily ever be able to keep up entirely in real time, but are you looking for a change in the legal framework at this point?
Police Scotland, like any other police service, operates within the legislative environment that parliamentarians give us. I think that the pace of change at the moment is such that we have to look at the regulatory and legislative environment in which we operate the devices, so we would welcome that legislative clarity.
Of course, it is a matter for you as a legislature to decide on the extent of the laws that you give us and the parameters that you put into them. My only caveat is that we need to make sure that our police service has sufficient flexibility to enable us to keep up with the criminals. Professionally, that is what I am interested in.
Following on from Liam McArthur’s question, I, too, appreciate the manner in which you are approaching the sub-committee’s questions; it is really refreshing to hear that honesty. You make a powerful case for the need for some sort of change in order to be able to keep our citizens safe.
You mentioned the ethics panel. Have you thought about what specific things the ethics panel will look at? If the panel was in place, it would look at cyberkiosks, but what other things would it look at?
One of the analogies that I have used relates to cars. I have been in Police Scotland for three years. Three years ago, it felt that, in relation to the criminal landscape, we and the criminals were moving on at a similar pace—if we were both in cars, we were both in first gear. However, if I am absolutely candid, I feel as though I am now stuck in first gear and the criminals have gone through second and third into fourth gear, and they are moving away from us.
We have to keep abreast of the technological advances and the tangible benefits that they bring, which many industries and our citizens see. However, using and adapting them for law enforcement purposes is often very challenging, albeit that in an open forum you can see that they make common sense. The apps that some of us have on our phones that are about keeping vulnerable people safe or which relate to missing persons are probably fine for a charity to use, but the minute that we bring them into a law enforcement environment there is a whole level of bureaucracy—probably very necessary bureaucracy—that we would want to go through.
We will involve an ethics panel at the very early discussion stages, explaining the nature of the operational problems and the strategic solutions to those problems. We will engage the panel to get its views on what the impacts might be on a broad range of stakeholders, from narrowly defined groups to the wider citizenship of the country. We will probably do that earlier rather than later, but we will also do it as a matter of course when we are definitely developing a solution, whether we do that for ourselves as an agency or with partners.
A lot of that landscape will be particularly challenging as we move forward. Looking at our budgets and the cost of technology, we are very clear that we cannot afford to do it on our own; we will have to engage with the private sector. We are already lagging and we will have to go into new territory. A lot of the structure that the deputy chief constable talked about is an enabling structure from an analogue world. Our OCGs will go to a technology expo in Brazil and buy the latest Chinese technology with cash. We cannot even dream of keeping up with that.
What sort of decisions can an ethics panel such as you envisage make? The missing persons example that you gave is a good one. Could the panel recommend that, in that instance, third sector or voluntary organisations might be best placed to have that information but you need a partnership with them to get the information, as relevant?
We would look to engage openly and ask what the role of the police should be in that environment. The missing persons issue is predominantly about an article 2 right to life. It is difficult to see how a charity other than the likes of search and rescue would engage in that. We would be looking for feedback from as broad a spectrum as we could engage with about what the impact on citizens might be, regardless of the background of those citizens.
You asked about what space we would like to use the panel in. It is about how we work with partners and share information on the vast and growing number of calls that we receive about people who have some form of vulnerability, and when we need to access information outside policing to protect that person, how we do that in a sensitive way that respects the individual’s privacy. That is increasingly what policing is being pulled into, so we need to work with partners to come up with a balanced way of protecting that person, while not being overly intrusive or invasive.
Do you envisage the panel looking at things such as drones, for example?
Yes. To give you a sense of that, we are piloting drones in the north of the country for exactly that reason—using new technology to help us to deal with the more than 21,000 people who go missing in Scotland every year. Nearly two thirds of those people have some sort of mental health issue or need some sort of support, and a quarter of them are children.
We need to use technology to get out as quickly as possible into mountainous or remote areas to find that person and make sure that they are safe. That is what we are interested in doing. How we do that, explain it, and communicate and engage with the public about the use of the technology so that they feel confident that we are using it for the express and only purpose of keeping them safe is incredibly important. That new technology—although drones are not all that new—is developing almost by the week at the moment.
Can I just clarify something? We are all guilty, politicians more than most, of using acronyms, but is an OCG an organised crime group?
Have you never watched “Line of Duty”?
No, I do not watch “Line of Duty”.
I have a couple of questions about Cellebrite. Has Police Scotland lost data as a result of the hack on Cellebrite?
No. As far as I am aware, our systems administrators have reported no data leakage or data breach.
Are you aware of the specific hack to which I am referring?
I do not know the specific details. However, as an information asset owner, I would expect to be told if we had had a breach of our data.
The equipment that is used is available for a citizen to buy.
Cellebrite is a commercial company. As far as I am aware, the equipment can be bought from a number of places and people.
The equipment, including the licence for it, is on sale on the internet from a well-known retailer. Does it give you any cause for concern that citizens—never mind organised crime groups—have access to that equipment?
Frankly, no. As I said, our worry is that organised crime gangs and criminals sometimes get access to such technology before the police do. Police Scotland and I are interested, principally, in ensuring that we have the right triage tools and capabilities to be able to keep up with the criminals and keep people safe. It would be naive of me to say that we would ever stop criminals assessing such material from the commercial market. The world has moved on.
The challenge is that some of our organised crime groups are in the tech business and will present as legitimate companies. As well as being involved with drug supplying, firearms abuse and trafficking, such groups provide technical services. They are developing their business model to the advantage of criminals at a pace that we have never seen. Through procurement routes and system administration, we need to ensure that our island site use, if you like, of such technology is safe from interference and disruption.
You mention procurement. Are you content that the procurement for this specific exercise, in relation to chronology, was done appropriately? Have you learned lessons from it?
I can see lots of raised eyebrows around the table. However, the words on the paper show that I, as the senior responsible officer, procured cyberkiosks for circa £370,000, without including VAT—or about £440,000, with VAT included—which was well within the budget that was available to me under the procurement model.
In December 2018, there was the award for the licensing, support and maintenance of the broader Cellebrite suite. The cyberforensics team uses a proportion of the Cellebrite contract, and it is right for that to be reviewed. The contract, which is worth nearly £840,000, was entered into through the information and communications technology department, so I did not have any part in the procurement of the Cellebrite kiosks. However, we got a secondary benefit through the procurement of the Cellebrite entities for which I was responsible, because our maintenance, service and supply costs were reduced as a consequence of that contract. That was already in train and was part of the normal relicensing and renegotiation of the maintenance contract, which we had had for some years. That contract sat at the heart of not only cyberforensics but other capabilities that Cellebrite provides across Police Scotland.
If I have understood you correctly, I accept that the licence has wider uses and does not apply only to cyberforensics, and that, in any case, it was in place. However, on reflection, was the timing of the acquisition of the specific equipment appropriate?
The project was instigated in 2014, and we were keen to procure the equipment as soon as possible. There was a gap in funding, which resulted in a gap of about a year and a half between phases 1 and 2, which related to cyberhubs, and phase 3, in which we wanted to introduce cyberkiosks. We progressed the procurement of the cyberkiosks based on evidence that we had seen from forces in England and Wales. That work was done in its own right, and that time was factored into the project.
The maintenance contract, on which I was not sighted, was different.13:30
Convener, I get the import of your question. On reflection, we should have engaged earlier—before the point of purchase—in considering the human rights issues that we have discussed. I understand absolutely the point that you are making.
To what extent did the existence of a licence that could apply more broadly impact on the decision to buy that specific piece of kit?
It was a contributory factor, but our main aim was to ensure that the equipment could be used by officers. One of the negative elements of the trial, and one of the reasons for other equipment and suppliers not being preferred, was the fact that we could not tie down specific parameters in our search, which rather defeated the object of having a triage device. We wanted to be able to be more proportionate in our approach, by limiting our view to tested devices. Whichever turned out to be the successful triage device would be able to limit the timespan or the number of search parameters that we would have, which would be more proportionate than our simply looking at a whole device for testing at one point in time. The feedback that was received from our user acceptance process, and from colleagues on the differences in how they wanted to use the system compared with their counterparts in England and Wales, was the reason for the Cellebrite option being preferred.
I have a technical point about the chronology of the procurement process that you mentioned in your answer. Any thorough business case should look at an asset’s capital acquisition cost and the on-going maintenance, servicing and licensing costs for the remainder of its lifecycle. Are you saying that, in this case, the capital acquisition cost was assessed separately, and by different people, from the on-going costs? That strikes me as odd, so I would be grateful if you could clarify whether that was the case and whether it is standard practice.
It is odd, but it is fixable and is being addressed to ensure that we do not end up in that position again.
I have another question about the trial process, just for clarity. You said that the feedback that came from the trial in Stirling was largely positive, which suggests that it was not wholly so. What issues were raised?
I think that I have just answered that in replying to the convener. Officers want to be able to do a number of things: triage is just one aspect of what we might call demand management. For an investigating officer, there are secondary benefits in being able to get a quick view into a device so that they can see any relevant inculpatory and exculpatory evidence that might be there. They can then make decisions that will support their own on-going investigation, and also inform others who have to make difficult decisions, such as a custody sergeant who must decide whether to liberate someone. During the trials of the two triage models, it was felt that only one had the ability to narrow down the search. The other would have required an officer to look at a whole device and then try to make a determination; it did not add anything to what we had been doing already.
The feedback was wholly positive. Officers felt that they would be better able to serve victims, who, in nine out of 10 cases, would be sitting in front of them. However, as I said at the start of my remarks, officers then faced a challenge. Victims were reluctant to hand over their devices not because we would be able to see their private data—that aspect was mainly understood, and victims were clear about it—but because they did not want us to take them away for months on end to obtain evidence. Officers felt very challenged by that, because they wanted to do the right thing by both victims and suspects. They felt that if they needed to protect the wider public from suspects they should be able to have information or intelligence to enable them to make the right decisions at the right time.
Did you get feedback from suspects about having their equipment taken?
No—the feedback was purely from the officers who were involved. In addition, anecdotally speaking, we often get messages or information from suspects who believe that we have had their devices for too long or have taken too many of them, which they feel is an imposition. We use exactly the same process for victims; it is just that the numbers tend to be different. On average, we will receive one device from a victim, whereas the number from a suspect could be anything from two to 10 or 12. Triage offers us the opportunity to look at suspects’ devices through the cyberkiosk, and give back to them any that we do not need to secure for evidence. That narrows down the number that we need to secure, which means that our approach can be more proportionate.
We are always cognisant of the fact that we have a responsibility under article 6 of the European convention on human rights, on the right to a fair trial. From the perspective of the suspect, we have to be thorough with the victims because there could be exculpatory evidence there, and we have to be extremely thorough with the suspect, on behalf of the victims and society, in order to get the best evidence.
I have a question that relates to the worrying reports that we have heard in recent weeks from south of the border about victims being informed that they have to surrender their devices as evidence in rape and sexual assault cases and that failure to do so might result in cases not being taken forward. On hearing that report, and knowing about the cyberkiosk trials that took place in Edinburgh, my immediate concern was that the equipment could have put some of my constituents in that very position.
I want to ask about the generalities that those reports raise, but first I will ask about the specifics. Are you aware of the equipment being used in that way or in a comparable way in similar circumstances in Scotland? I would be grateful for your insight into that.
Steve Johnson will address your specific question about the trial in Edinburgh, but first I will make a couple of general observations.
The language that has been used to describe the issue in England and Wales has not been particularly helpful. In some cases, it has been a bit misleading. If I can, I want to give you an assurance about the position that Police Scotland will take. In protecting the sensitive needs of victims of traumatic sexual offences or abuse in Scotland, we are interested in taking a focused look at evidence that might be held on digital devices that will help to protect those victims and prosecute the offender, so it is done in a narrow way with a significant consideration of minimising collateral intrusion.
In the coverage in England and Wales, there has been some suggestion that, if the victim does not offer up their device, the case will not proceed. That is just not the case at all. The investigation might be more difficult, but it is on us, as your police service, to make sure that we manage the investigation and look for other corroborative evidence. That is not on the victim in any way, shape or form. We all need to be careful. I think that some of the commentary in the south was slightly misleading, and it undervalued and undermined the sensitive position in which victims find themselves.
In general terms, the approach that is taken by officers in Scotland is victim centred. There will be a dialogue between the investigating officer and the victim of the crime and they will talk through the benefits of the surrender of the device and the potential pitfalls from an evidential perspective. That is always an on-going dialogue.
It is always challenging, particularly with vulnerable victims, given that there will be private data on the device. In much of the commission of the more serious offences and sexual offences, some people feel embarrassed and some people feel scared of providing that data. What we will do in specific cases is what we currently do with the devices. We work with victims and seek their consent, which would have been given during the trial. If consent is not given for us to have their device, we will work through other investigative means to try to find evidence as best we can and achieve the best evidence to present to the courts. We work hard. It is never the case that we do not do that.
The approach in Edinburgh would have been the same as it would have been elsewhere in Scotland. During the pilot period, the service to victims in Edinburgh would have been no different from the service anywhere else. It would have been to the highest standard that we could possibly get.
Thank you for that answer. Concerns have been voiced by Edinburgh Rape Crisis Centre, among others, that there might be circumstances similar to those that were discussed, either through use of the equipment that we are discussing or more widely. I take it from your answer that the equipment has been used in cases involving these sorts of crimes.
Are you satisfied that there are no circumstances in which people might have felt pressurised, either through the explicit actions of your officers or, just as importantly, through any inadvertent actions? Given the sensitivities of those situations, inadvertent actions are just as important. Are you satisfied that there are no such circumstances? If there are, what actions are you taking to follow those circumstances up?
We are as satisfied as we can be that no pressure is applied to a victim or a witness. That would be entirely inappropriate. During the trial, the recording process for that consent would have been different. It would either have been recorded in a statement from the witness or in the pocket notebook of the officer concerned.
As a result of the conversations that we have had with the sub-committee, the consent process is a lot more structured and corporate minimum standards are attached to it. Those standards ensure that officers have a detailed discussion with the victim or witness, so that they understand exactly the very focused grounds, time and parameters for the search that we will be conducting on their device and so that they know that, during the cyberkiosk triage process, we do not download any of that material. It is just a staging post. It is a triage stage to see whether there is any useful evidence to support the case and investigate the offence that has been reported to us. We then submit the evidence to the cyberhub. The process is now better and significantly more structured. It has been improved as a result of these discussions but, even under the previous regime, I would be surprised if pressure had been put on a witness.
That is reassuring. You raised the fact that the way in which officers seek consent is now much more structured. Can you describe in more detail how that consent is requested and the information that is provided around that consent? Finally, how is that process being kept under review? That is also very important.
It is useful to note that the officers who deal with those more sensitive cases are some of our most highly skilled and trained officers; they have specific expertise in dealing with very vulnerable victims. In relation to how consent is requested, previously, we used a pocket notebook or statement form to record the consent. Predominantly, that would have been after a dialogue about the pros and cons of sharing that device and allowing us to examine it for the evidence that we need to prove the case that that person is making the complaint about. As I said, most victims are not reluctant around that side of it.
After feedback from the sub-committee, we have improved in relation to the word “inform”. Victims are already informed by the officers, but in relation to the audit trail, we are working with a consent group, which is meeting towards the end of May. The group will work on the document that we provide to victims of crime; it is also our intention to make it freely available to citizens in Scotland, so that people can see what that consent means and how the police will approach our examination of digital devices. A greater degree of clarity will be provided to the victims, rather than just the verbal dialogue between the investigating officer and the victim.
They will also be able to provide some additional assurance. An information leaflet is given. We want to be as fully transparent as we can be. As a result of these discussions, we intend to put frequently asked questions on to our public-facing website, so that the public can constantly see what we are doing, why we are doing it and how we are doing it. We are doing all that to try and layer the process of informed consent. It is a form that ensures that people do not feel in any way—either directly or inadvertently—pressurised, and that they have all the information that they need to make a decision about informed consent. We are constantly and consistently up front with people about how we will use their digital device.
That is useful.
I will make a final request for information. I am very interested in the ethics panel that you say you are constituting. Can you provide the sub-committee with details on how that panel will be constituted, who will sit on it and what its terms of reference will be? That would be helpful.
Yes, we will write to the sub-committee with that detail.
On a couple of occasions, Deputy Chief Constable Kerr referred to minimising the level of collateral intrusion. I understand that if officers are interrogating a device, they can focus on photos and, therefore, be nowhere near email correspondence or social media messaging and posts, but how, in practice, how do they limit collateral intrusion within each segment?13:45
They do that by using very focused search parameters that are signed off at supervisory level. I will give a practical example. If an allegation is made that somebody is the victim of a sexual offence or has been subjected to a sexual attack by somebody called Stephen over a three or four-day period, we would have very specific parameters for searching the device. We would search for the name “Stephen”, with whom the person might have shared some texts or messages, a couple of days to either side of the three or four-day period. That is how focused the search would be. We would not look for anything else on the phone or tablet in question. It would very much be a case of conducting a specific search to support investigative needs.
As Steve Johnson said, use of the cyberkiosk is a triage stage. Once we had found something, we would submit the device to the cyberhub for more forensic recovery of the evidence, and we would engage with the Crown Office to find out what information could be used for a potential prosecution.
That is helpful, but what you have described is a word search. How does the process operate when you are looking at photographic evidence?
We would not look at photographs unless the victim or the witness told us that there was evidence on the device that related to photographs.
So, it would be up to the victim or the witness to volunteer the relevant photos, video footage or whatever.
That is the whole point about informed consent. The victim or the witness can tell us which material on their device they think would be of evidential value. At that stage, they can give informed consent for us to apply very stringent and tight search parameters in an attempt to find the evidence on the device to support the investigation or a prosecution.
The point has been extremely well made that the police face a huge challenge in trying to keep up to date with new digital technology and how criminals use it, let alone trying to be one step ahead. They also face a challenge in preserving the ability to investigate while respecting the procedural safeguards on protection of the public, which Liam McArthur asked about.
I refer you to what Murdo MacLeod QC suggested in his legal opinion. He said:
“It seems to me that there might be merit in at least considering a code of practice, underpinned by statute, covering the seizure and examination of ICT devices and any other relevant digital equipment.”
Such a code of practice could be reviewed because the law struggles to keep up with new digital technology and the challenges that it presents. What is your view on that?
That is a very important question and—I would not pretend otherwise—a difficult one.
Our position is that the chief constable, in discharging his legal responsibilities to the citizens of Scotland, has, from the Crown Office and from independent senior counsel’s advice, confirmation that we have the legal power to use the cyberkiosks to get on with our job of protecting the citizens of Scotland. We would welcome a code of practice or additional legislative clarity on use of the devices, but we need to be absolutely clear about the fact that it is our responsibility to protect the citizens of Scotland today. We have legal clarity that we have the power to use the cyberkiosks. We want to get on with using them, but we would certainly welcome some additional clarity on how we police in the digital age and where the balance lies when it comes to privacy, responsibility, security and safety.
The position that I was coming from was that a code of practice would be more flexible and could be changed quite quickly so that you could always keep one step ahead.
In its submission, the Crown Office and Procurator Fiscal Service said:
“The proposal of a requirement for a search warrant in any circumstance where a digital device is being examined ‘unless it is explicitly and clearly defined by other law’, could delay the analysis of devices or delay the return of devices to their owners”.
There is also the issue of resource implications if the examination of devices is not covered by statute. What was the figure for the number of devices that would be submitted per year? Was it 1,500?
In his most recent letter, the Crown Agent, David Harvie, referred to 15,000 devices being submitted to the cybercrimes hubs each year.
To answer your question, we agree with the position as set out by the Crown Agent in his most recent letter to the sub-committee. Our responsibility is as investigators, and his fiscals and prosecutors want to get the people responsible for crime in front of sheriffs and courts as quickly as possible. If we were to go down the route of getting a warrant every single time we wanted to seize a device or to secure digital forensic evidence from a device, that would undoubtedly affect expedition of investigations. That is an honest and straight answer. Bear in mind the fact that most investigations will now have a digital footprint.
I suppose we are back to proportionality and striking the right balance.
Thank you, gents. We have already overrun, as you might have noticed. I will just ask one final question. I think that we have covered the substantive questions, but we might send some others in a letter, to which we would appreciate your response.
I note in your correspondence the points about the assessments that have been made and sharing them with the reference groups. We obviously hope to see them. Do you have a timetable for the proposed roll-out of the devices?
We do not have a specific timetable. However, I could give an overview of when we would like to get them out. We will have another discussion on the issue with our statutory accountability body, the Scottish Police Authority, on 22 May. We will then reconvene the external reference groups on 11 June, because we want to take Murdo MacLeod QC’s advice to them and have a full discussion about whether the range of internal policies provide them with enough confidence that we can then get on with it. At this stage, we intend to roll out the devices towards the end of the summer, subject to those discussions.
Okay—and you will keep the sub-committee advised.
We will, convener.
We will suspend for a short period to change the witnesses.13:52 Meeting suspended.
13:53 On resuming—
Welcome back, everyone, and welcome to Professor Susan Deacon, who is the chair of the Scottish Police Authority.
We will move straight to questions. In your submission to the sub-committee, you talk about the spending threshold above which Police Scotland must refer spending to the SPA. That is an accepted position. Is it at the appropriate level? You clearly want autonomy, but there might be significant interest in something like a firearm or a piece of equipment that might cost a relatively modest sum compared to some of the sums we are talking about. Can you talk about the relationship and how you see oversight working in such circumstances?
I am glad that you raised that issue, convener, because it strikes at the heart of explaining the multiple roles that the authority has under the terms of the Police and Fire Reform (Scotland) Act 2012. It has two distinct roles in relation to processes and responsibilities, which have been conflated to some degree in the sub-committee’s report and in some of the discussions. Therefore, it might be helpful if I draw them out. I realise that time is pressing, so I will do that as briefly as I can.
The authority has a statutory responsibility to maintain, improve and develop policing. We are also the budget holder of the £1.2 billion that covers Police Scotland, the forensic service and the SPA corporate function. We are held to account for that—we present the accounts to Parliament and they are overseen by Audit Scotland. In that context, it is important that we have in place a range of levels of delegation for expenditure. The financial thresholds that were referred to—which have been discussed quite fully in the context of the sub-committee’s inquiry—are part of our decision-making processes in relation to use of public money in the SPA budget. This particular project fell beneath the spending threshold at which it would have been required to come to the SPA, which is—as you said—established practice.
The second and equally important function of the authority is to hold the chief constable to account. As the convener absolutely correctly said, there are a wide range of areas of policing in which there might not be significant new expenditure, but where changes, practices and developments are being taken forward that involve a public-interest concern. Sometimes those two aspects combine and there will be public-interest issues that involve significant expenditure, which we will scrutinise. However, they are two distinct functions, processes and roles of the authority.
A big change in the authority over the recent period is that it has moved towards placing significantly more emphasis on our activities in our function of holding the chief constable to account. Effective performance of that public interest role and oversight of operational policing matters are being demonstrated in real time in our consideration of use of cyberkiosks, and of a number of other operational policing matters. We of course accept that statute is clear that operational responsibility lies with the chief constable; however, he is accountable to the authority for that. We believe that we have recently improved significantly in that area, and will continue to do so.
I will expand on that point. At the risk of sounding slightly esoteric, I wonder whether there is a third function of the police authority.
Policing by consent is hugely important, so I wonder whether there needs to be a focus on that in the current framework, given the structure of there being a single police force. I argue that the SPA is possibly the right and proper place for that. Where there are new possibilities for the police, such as cyberkiosks, is it a right and proper function of the SPA to consider whether citizens consent to the new function that police have at their disposal? Do you agree that that could be a function of the SPA and, if so, how can the SPA develop and take that forward?
I do not think that policing by consent is at all an esoteric notion: rather, it is absolutely fundamental to the operation of policing in this country. When the point was raised with me at the Justice Committee a few months ago, I recall saying that I firmly believe that for the authority and Police Scotland, consent must
“run like a thread through all that we do.”—[Official Report, Justice Committee, 30 October 2018; c 20]
The question is how we do that effectively and critically, and how we live up to the expectations of the Parliament. The SPA was created specifically to provide a clear separation between the Scottish ministers and the Police Service, and to ensure that the chief constable is free from undue political influence in making decisions about investigation of crime. That goes right back to the intent of the statute. It is therefore important to ensure that there is sufficient oversight to ensure that public-interest issues are raised without that gap being closed, as Parliament—rightly—said it should not be.
Some of that is done through formal processes of holding the chief constable to account in public, but much of it is done through the reporting that goes on through the authority. I am pleased that in their annual reports last year, both Audit Scotland and Her Majesty’s inspectorate of constabulary in Scotland gave the SPA a clean bill of health for the first time in terms of us operating openly and transparently.14:00
All the practices that I am trying to summarise briefly are now all conducted fully in public. The paperwork is available on the website, as are webcast meetings, discussions, the chief constable’s reports and so on.
My ambition and my aspiration are that the authority reaches into various interest groups. We have already done an awful lot more engagement with local authorities and in community meetings at which we meet people around different parts of the country, for example. However, I want to continue to develop that engagement because that is how we can fulfil our function of being a buffer between politics and policing while ensuring good accountability and public engagement with what the police are doing so that, ultimately, policing is always provided by consent in Scotland.
I have a couple of small points related to the authority to spend that was talked about. I presume that the authority to spend—which in the case of the CC is clearly £500,000—is subject to having as yet unspent budget. That is fine—that is correct, as I expected.
Is authority to spend also related to a duty to report? I have worked in an environment in which one could spend a certain amount but always had to report within a specified period that one had done so, so that the information flowed up and down the system appropriately. I take it that that is the case with the police?
Yes. We are governed by a quite extensive range of financial regulations, which we keep under review, and by appropriate schemes of delegation. You are absolutely correct that the chief constable also has, in his own right, responsibilities and accountabilities on expenditure and spending within the budget that has been assigned to him. Various tiers of reporting flow from that.
That is an area that Audit Scotland has looked at closely over recent years. Both the SPA and Police Scotland have acknowledged that things were not, in the early years of the system, nearly as robust as they might have been, which was maybe to some degree inevitable with such a big change and a new system.
However, again, I am pleased that Audit Scotland in particular has reported to the Public Audit and Post-legislative Scrutiny Committee in recent times that the methods of financial stewardship and financial management and, indeed, the financial discipline of the SPA and, by extension, Police Scotland are now much more robust.
There is always room for improvement and development—I think that I have said that every time that I have appeared before Parliament in my current role. We made a lot of changes to our governance arrangements last year to address the criticisms that Parliament, including this sub-committee, made.
We are continuing to make changes—we are reviewing schemes of delegation. It is one of the areas that we want to do more work on in the period to come.
What kind of information does the SPA have and what action has it taken concerning Police Scotland’s recent purchase of two remotely piloted aircraft systems?
I am happy to address that question. We have responded to the sub-committee’s correspondence with us on that point. That response provides more detail and points you towards various meetings, discussions, papers and so on that have been considered by the authority. However, in summary, I can say that the issue was first considered by the authority back in December 2017. I remember it quite vividly because it was my very first meeting as chair.
Various reports have been given by the chief constable and his reports since then. We receive regular updates, including most recently through our strategy, policy and performance committee, which also considered the issue of cyberkiosks when it met yesterday. We also received evidence on and copies of the various assurance processes that were gone through before the devices were put into practice. We will be receiving further reports from Police Scotland once it has evaluated the devices and how they have operated.
That, in very short summary, is exactly the kind of process that we are now strengthening all the time. We are trying to get the correct level of oversight and inquiry around operational policing developments in the right way, at the right time, so that we strike a balance and ensure that the right practices and considerations—community impact assessments, privacy impact assessments and so on—have been carried out. We also need to make sure that Police Scotland can continue to move forward and make best use of the technology that is available, and that we do not delay that process unduly.
Is the cost below the threshold?
It seems to me, having looked at how the SPA has functioned, that there is a conflict between its role in delivering Police Scotland’s budget and monitoring its policy and the role that you have said that you are looking at strengthening, which is to hold the chief constable to account on public interest issues, on which I think it is fair to say that the SPA has been very firmly in the background up to now. Can you give some examples of how you are strengthening that aspect of the current functions?
As I said previously to the Justice Committee, not only do I not believe that there is a conflict between our need to maintain and improve policing and our need to hold the chief constable to account—in other words, to both challenge and support policing—but the need for us to do both those things is what is in the letter of the law in the 2012 act, on which the Justice Committee has recently completed an extensive inquiry. We are aiming to ensure that the SPA is performing the functions set out in the 2012 act, and I agree with the observations made by this sub-committee and others in the Parliament that in the early years of police reform the SPA was not doing that.
I have touched on some of how we will go about that. We have ensured that all the Police Authority’s business is conducted in public, just as the Parliament’s is, other than when there is a good reason for a matter to be considered in private, when we state what that reason is, just as the Parliament does. As I say, that has been recognised by others who—if you like—police us.
We have also reached out significantly to different groups and engaged much more fully at a range of levels to test the proposals that are coming before us. I recall that a few months into my tenure, the general secretary of the Scottish Police Federation described the SPA in a media interview as a bunch of “bean counters”. I think that was the expression that was used. We need to be able to count beans, but we also need to do other things, and that is a big shift.
There has been regime change, literally, within the board of the Police Authority and the senior leadership team of Police Scotland, who were all SPA appointments, and I think that the whole tone and tenor of the way that we conduct ourselves across the leadership of the policing system is now much more open and engaged.
I want to do something that takes much more investment of time and money, which is to build in more processes for interaction with the authority. By the end of this year, for example, I hope to see some practical things such as our website being very different, not just in appearance but in how people can engage with us through it, and more proactive communication.
I am conscious of the time so I will pause there, but I hope that that goes some way towards addressing your question.
Yes, thank you.
I have a supplementary on that before I bring in Liam McArthur. Does the SPA ever take evidence—if that is the term—or hear from stakeholders?
We have been doing more of that. I realise that MSPs’ time is precious, but I encourage colleagues in the Parliament, perhaps through parliamentary researchers or the Scottish Parliament information centre, to follow some of the work that is going on in the authority, in the same way that I follow the work of the Parliament.
For example, increasingly, we have brought in other views and voices to our regular board meetings, which are held in public. We have brought in local authority views and spoken to people who have been involved in the work in Glasgow on violence reduction, including those who work for housing providers. We have also brought in a range of voices from within the police service itself, so that we do not always hear from the senior leadership team—important though that is—but from people in different parts of the organisation, particularly divisional commanders, who fulfil important roles and functions. That is the direction of travel that we want to pursue.
I mentioned our strategy, policy and performance committee, which provides the SPA with strengthened oversight and follows on from a policing committee that existed under the previous governance structure. As the committee develops its role—its first meeting took place only in February—it wants to do much more in that space. Board members have been doing more in that space by meeting different groups and so on.
It is helpful to get that on the record.
I reassure Professor Deacon that members of my staff and I are closely monitoring the SPA’s activities, and I am sure that the same is true of colleagues.
I return to the issues relating to oversight. It appears that the SPA approved the business case for cybercrime infrastructure, including cyberkiosks, in March 2015. However, Police Scotland’s timeline of the approval process suggests that the contract for the kiosks was awarded prior to the SPA board’s approval of Police Scotland’s three-year implementation plan and its associated three-year and 10-year financial plans. I would be grateful if you could confirm that that is the case. Notwithstanding the points that you have made about Police Scotland’s operational discretion, if that is the case, did what happened fall short of what would be expected? What discussions have you had with DCC Kerr and other colleagues in Police Scotland about what needs to change? DCC Kerr accepted that what happened in this instance fell short of what would be expected. From the SPA’s perspective, what needs to change to address those concerns?
As I have indicated, some of the changes have taken place over the past year. With regard to the sub-committee’s report on cyberkiosks, I have agreed with DCC Kerr that we will sit down and go through the matter end to end. We will look at how, if Police Scotland were to carry out a similar project, it should be done differently, because it is important that we learn from that experience.
There are two distinct issues: financial decision making and wider oversight. However, the key area of improvement has been Police Scotland’s active engagement with a range of views and interests. Therefore, I am pleased that Police Scotland looked at that matter and did not wait for the sub-committee’s inquiry into cyberkiosks to be completed. As the chair of the SPA, I think that the SPA ensuring that other appropriate bodies are engaged in the oversight of policing is as important as ensuring that we fulfil that function when we are best placed to do so.
For example, we are doing a lot of work on assurance mapping, with which some of you might be familiar. Typically, we look at the issue at four levels, but the work will ensure that we make best use of the various assurance processes and methods that are available. That should apply internally within the organisation right through to the external bodies that examine independently the activities within, in this instance, Police Scotland.
The big shift in Police Scotland—I hope that this will become the new normal and be embedded in its practice—has come from the work that it has done with reference groups and external stakeholders. I was struck when I heard the director of the Open Rights Group on the radio this morning—some of you will have heard him, too—saying that, although many police forces across the UK are now using devices such as cyberkiosks, Police Scotland is the only one that is engaging with groups such as his, and he said that that engagement is “laudable”. That is a direct quote.
The big prize going forward is to ensure that those practices are embedded at every stage in the decision-making processes, initially within Police Scotland, but then through the other tiers of oversight, and we play a significant part in that, too.14:15
I think that that is entirely right and proper. I have to note that it was only after the intervention of the sub-committee that that engagement began to take place, but we are undoubtedly now in a better place.
I am conscious of the time. We did not have an opportunity to explore with the previous panel the legal advice that Police Scotland has taken on cyberkiosks, but I am sure that we will follow that up in writing. The Scottish Criminal Bar Association has called into question the extent to which Police Scotland appears to be resting on the outcome of two particular cases and is drawing principles from them that appear to be broader, certainly according to the SCBA, than the court intended. The cases are JL and EI v HM Advocate and HM Advocate v Rollo.
We have also had the Faculty of Advocates express an opinion on the legislative requirements around the use of cyberkiosks, with Clare Connelly saying,
“the traditional legal approach is not fit for purpose”.
Have you or anybody else at the SPA engaged with the Faculty of Advocates and the Scottish Criminal Bar Association on their concerns? Have you taken an interest in the question that was asked and the documentation that was provided to Police Scotland, upon which the independent legal advice was founded?
We have taken a very close interest in all those things. Ultimately, it is for the chief constable—I know that he has made this point in the Parliament, at committee, before—to take decisions on operational policing and be satisfied that he is working within the legal framework that he is presented with.
That said, I again refer to the meeting of our strategy committee that took place yesterday, and its consideration of the issue of cyberkiosks. It has taken account of the sub-committee’s report, but it also sought additional information from Police Scotland, including sight of the legal opinions and so on. I have only had a read-out from the chair and the members of that committee, as the meeting took place only yesterday, but the minute will be published. The committee was satisfied from its point of view that the key areas of assurance and legal advice have now been robustly followed through by Police Scotland.
As I think DCC Kerr said earlier, we will also consider the matter at the SPA board at the end of the month. As I have said publicly, when the sub-committee published its report, I asked the chief constable to further report to us, in the light of that report and the concerns that had been raised, on what his proposals for the roll-out of the devices now were, and to state clearly what he believes the legal basis to be. That brings me back to asserting—I think it is important that we recognise and respect this—what the operational responsibilities of the chief constable are, and I think that he is on the record making the point that he seeks to operate within the law.
There is also a wider point—the point that Margaret Mitchell made earlier is crucial in this regard—about the challenge of the law keeping pace with change. However, that is obviously a matter for legislators and not one for us.
It is certainly a matter for legislators. However, DCC Kerr said earlier this afternoon that seeing the legal framework advance to reflect the digital age as opposed to the analogue age is something that he is supportive of. Do you share that view?
Absolutely. Any body—any public body, in particular—that is trying to operate within the letter of the law wants to have a clear and robust legislative framework that is readily applicable to the real world and the real-time decisions that the body has to take.
As members of the sub-committee and others have said, the law is struggling to keep pace in this area. We want to identify areas in which the current legal framework is not providing the clarity that we require. The authority has commissioned a wider piece of work around the overarching question of the balance between the protection and safety of citizens and privacy issues, which every country and policing system in the world is grappling with. We want to draw on the body of research and data that is available so that we can consider precisely the type of question that you have raised and, we hope, provide informed opinions in any future discussions on those matters that might take place here or at Westminster.
I will follow up on Liam McArthur’s earlier question, as I am interested in the end-to-end review that you carried out with Will Kerr. I reference your point that the oversight that the SPA provides should not be limited purely to financial matters but should extend to the public interest.
Are there plans to introduce a test whereby new equipment or procedures are considered by the board because of public interest? Existing technology or new equipment that might be low spend could be used in new ways that might elicit a public interest concern. Is there a test or process to capture that concern and bring it to the attention of the SPA?
I did not pick you up properly. Did you say that the role of the SPA is or is not limited to financial consideration?
That it is not.
Thank you. I was worried that you had said that it was limited. I reinforce the point that the SPA’s role is not limited to financial consideration.
Unlike financial thresholds, which are precise, considering which aspects of the development and delivery of operational policing require further oversight and scrutiny is a question of judgment for all of us and, indeed, for other bodies, such as HMICS, which choose the particular areas of policing that they will look at in greater depth.
This links to the discussion with DCC Kerr that I referred to, but I also have this conversation with the chief constable, his other deputies and others in his team. The key area that we are considering is how we get a better forward plan. As the sub-committee’s report highlights, these things are many years in the development. Too often in the past, developments in policing have been at an advanced stage before the authority has started to really look at them and apply our judgment as to what more we should do about them, what more we should ask and who else we should consult or take advice from. That has changed in the recent period and we have been vigilant about that, but there is more that we can do to avoid it.
We are on a journey. I would like to think that a year from now, we will have completed a shift that means that we have a much better forward look on developments that are likely to take place in policing, and that we build them into the planning of our business and build our capacity and capability to ensure that we carry out the tests and raise the questions that the public and the Parliament expect of us. To some degree—necessarily so—it will always be a question of judgment.
I am conscious of time restraints. The session has been a bit rushed. I am grateful for your evidence and the evidence of our previous witnesses.
That concludes our evidence session. The sub-committee had more questions, including some for the authority. We will write with any questions that we have not covered and, as ever, we will be grateful for your response.
The next meeting of the Justice Sub-Committee on Policing will be on Thursday 30 May, when we will consider Police Scotland’s capital budget.Meeting closed at 14:24.