Report Summary
Issued 6 March 2023, this FOI response provides the Authority's Data Protection Impact Assessment (DPIA) and supporting information related to the Digital Evidence Sharing Capability service , and explains why some of the information is exempt from disclosure.
Request
It is now well over a year since it was announced in the press that the Scottish Government would bring in a new digital Evidence platform (DESC) based on Axon Technology, which sits on the Microsoft Azure Public cloud.
I would be grateful if you would provide me with the following information relating to this project and its current status from your orgnsiations perspective as a listed participant:
1 - A copy of the Data Protection Impact Assessment(s) conducted on the AXON 'Evidence.com' and digital evidence management cloud services under the terms of s64 of the Data Protection Act 2018, to include any and all of the following families of Axon services in use or planned for deployment for DESC.
Please note:
A DPIA should not in general contain any specific information of security measures requiring redaction before release, but I am aware that some Policing and Justice organisations do include this information in their DPIAs.
Reasonable redaction of such information strictly to the extent necessary to maintain the security of Police or Justice operations (if this is included in the DPIA) is acceptable.
General redaction of core information relating to relevant DPIA content required to evidence achievement against statutory obligations would however be unacceptable and should be unnecessary since its release is obviously and materially in the public interest and confirmation that public and citizen interests will be suitably protected under the law is the core function of a DPIA.
2 - A copy of the specific terms of service applied within the contract between Axon and the Authority relating to Data Protection Act Part 3; or confirmation that their standard Terms of Service have been applied without modification.
3 - Details of any sub-processor engaged by Axon as part of their DESC service delivery and the countries in which data shall or may be processed.
If element 4a below is not in place please apply element 4b - one of them should be applicable, but both cannot be:
4a - Copies of any specific diligence material, contractual terms or other undertakings from Axon and their sub-processors that they will not transfer any personal data processed for a Law Enforcement purpose by the Authority outside of the UK without the Authorities prior written and specific approval in each instance, as required under S59(7) go the Act;
OR -
4b - Copies of the guidance issued by the Authority to any officers and staff relating to the steps and procedures required by the Authority (under DPA 2018 s.77) before the upload of personal data processed for a Law Enforcement purpose to any Axon cloud services where an undertaking not to transfer the data outside of UK has not been given in contract.
5 - Copies of the communications between the authority and the ICO, and/or other professional or advisors, which informed the creation of the DPIA and/or supported decisions around the procurement or use of the Axon evidence.com related products for the processing of personal data for a Law Enforcement purpose by the Authority.