
When the police’s IT-systems are not in order, everyone loses

Without the trust of citizens, the police cannot do their job properly. That is why it is important that the police are extremely careful with citizens' data. But an analysis by EDRi member Bits of Freedom shows that of all 36 'mission critical' systems of the police, not one complies with the rules on privacy and information security.

By Bits of Freedom (guest author) · January 13, 2021


Mission critical

This analysis concerns 36 systems, which, according to the police, “must remain operational at all times, so that the police can do their job”. They are the systems for registering repeat offenders and license plates, taking statements and interrogations, exchanging information between police officers, processing fingerprints, analysing large amounts of sensitive data and many other functions. None (!) of these systems comply with the rules on privacy and security by design that follow from the law and police policies.

The table below is a summary of our analysis: everything, except the gray fields, is supposed to be green.



The fields related to information security and privacy systems are in especially bad shape. For example, police officers who change jobs retain database access from their previous job, which means that corrupt officers have unnecessary access to a lot of information. Data is also retained for far too long. And it is not clear whether the current security is adequate, since the police have not identified all the risks to the security of the information. The police rely more and more on IT, but we cannot trust the police with IT.

Everyone loses out

The risks are immense. After all, the police have extensive powers to collect, retain, use and disclose personal data to third parties, including people who have not been identified as suspects. But this is only possible if we can also trust that the police will treat this information responsibly. But if that is missing, everyone, including the police themselves, will suffer.


A witness to a liquidation does not tell their story to the police if they themselves are in extra danger as a result. If you are a victim of a rape, the last thing you want is for someone who has nothing to do with that investigation to look through your police statement. But the police themselves also benefit from a careful handling of sensitive data. If data security is not in order, the police run the risk of a major investigation breaking down because a corrupt police officer leaks information to serious criminals.

Long history of law violations

The large-scale violations of laws and regulations in the field of privacy and information security are not new. The nation’s most well-known law enforcement agency has a long history of law violations. Eight years ago we also made an analysis of the reports on compliance with the same law. The result was depressing. Not a single police force met all legal requirements. A few police forces complied with less than twenty percent (!) of the standards and then only “in outline”. Since then the police have made some improvements, but this analysis shows that the protection of sensitive data is still poor.


Expectations for the near future are no better. In a status update the police note “a negative outcome” and that “even scores have gone down”. According to the police, “a realistic expectation is that 50% of our applications will meet legal requirements by the end of 2020”. As far as we are concerned, past experiences give no reason to be so optimistic. But more importantly: that also means that half of the applications still do not meet the legal requirements.

The police must be fined

Two things need to happen now. First, the police must finally be forced to comply with the law. The House of Representatives should ensure that there are consequences and that the minister can no longer get away with vague promises that “the police is improving”. Our patience has been tested sufficiently. It is about time that the Dutch Data Protection Authority does what the police themselves do: hand out fines. It is ludicrous that the police have been getting away with this for years.


Secondly, it is important that, in the planned amendment of the law, the minister looks not only at the law itself but also at its feasibility. The police previously stated that data that must be removed is not removed because the computer systems are too old. If you want to create a new law that functions properly, you might also have to invest in police IT-systems.

(Contribution by Rejo Zenger, Policy Advisor)

This is a translation of a Dutch article. A big thank you to two translators: Alex Leering and Martin van Veen.

The article was first published by Bits of Freedom.

Background

The analysis is based on 35 reports, with a total of some 750 pages, which we acquired using a public access to information request. That did not go without a fight. The police first refused to disclose the documents because information about these vulnerabilities “would endanger the safety of society”. Remarkably, these vulnerabilities have still not been resolved after all this time. It required a judge to force the police to reply to our appeal. There is one report the police still anxiously keep secret. That is why we went to court again.