ICO finds excessive data collection by police forces in England and Wales
The Information Commissioner’s Office has found via an investigation that police forces in England and Wales are extracting and storing “excessive amounts of personal data” from mobile phones without an appropriate basis in existing data protection law.
According to Information Commissioner Elizabeth Denham, police forces recognise the value of mobile phone data for achieving appropriate criminal justice outcomes, as well as the challenges that the high volumes of data can bring, but excessive extraction of mobile phone data can “dissuading citizens from reporting crime”.
Upon conducting an investigation, the data protection watchdog found that “police data extraction practices vary across the country, with excessive amounts of personal data often being extracted, stored, and made available to others, without an appropriate basis in existing data protection law.”
“People expect to understand how their personal data is being used, regardless of the legal basis for processing. My concern is that an approach that does not seek this engagement risks dissuading citizens from reporting crime, and victims may be deterred from assisting police,” Denham warned.
She, however, said that a number of measures need to be implemented across law enforcement to ensure their data collection practices are in accordance with data protection law without impacting the effectiveness of criminal investigations. Personal data extraction from mobile phones should also be regulated to regain some public confidence that may have been lost.
“Many of our laws were enacted before the phone technology that we use today was even thought about. The existing laws that apply in this area are a combination of common law, statute law and statutory codes of practice. I found that the picture is complex and cannot be viewed solely through the lens of data protection. As this report makes clear, a whole-of-system approach is needed to improve privacy protection whilst achieving legitimate criminal justice objectives,” she added.
Mobile data extraction should involve informed consent of witnesses and suspects
Commenting on this, Paul Bischoff, Privacy Advocate at Comparitech.com, says that police forces need a concrete policy in place that dictates how they can take data from people’s smartphones. In many situations, witnesses and suspects might want to assist in a police investigation or report a crime, but would not be willing to hand over smartphone data to police.
“If they refuse, police have grounds to drop the investigation altogether, or worse, use the refusal as probable cause to implicate the smartphone owner in the crime. Ultimately, this leads to distrust of police and fewer crimes getting the attention they deserve.
“People who are not charged with a crime should be allowed to give informed, opt-in consent to police searches of their phones. “Informed” would mean police tell subjects what information they are gathering, for what purpose, how long the data may be retained, and who it may be shared with,” he adds.
Lamar Bailey, senior director of security research at Tripwire, says that police officers should not be burdened with a complicated data retrieval procedure when carrying out complex criminal investigations as an officer in the field has more than enough stress.
“Departments need standard, well-defined, secure processes for collection and storage of this data that are easy to follow. An office in the field has more than enough stress without having to go through a complicated data retrieval procedure at the scene of the crime. A witness has the expectation that any data he hands over will be kept secure and no additional unrelated data will be taken without his consent,” he adds.