Challenging over-policing: our response to the public consultation on the Law Enforcement Data Service (LEDS)
PI submitted a response to the the UK College of Policing public consultation on the Law Enforcement Data Service (LEDS), a new, UK-wide police "mega-database". The consultation is open until 9th September 2020.
- LEDS poses serious threats to privacy and other fundamental rights, and therefore any adopted measures must be clear, with direct lines of responsibility.
- LEDS consultation documents require a lot more transparency. Concrete information is needed around the safeguards that will be implemented.
- PI recommends the implementation of robust policies and procedures to ensure the appropriate handling and deletion of data on LEDS.
- PI is urging anyone with an interest in LEDS to submit their views to the College of Policing by 9th September 2020.
The Law Enforcement Data Service (LEDS) is a unified, common interface to a new mega-database currently being developed by the Home Office National Law Enforcement Data Programme (NLEDP). We believe that the development of the programme poses a threat to privacy and other rights and must be subjected to strong oversight, safeguards, and transparency measures.
As we explained in our analysis, the data in LEDS is vast, ever-increasing, worryingly mixes both evidential and intelligence material – which have traditionally been collected, kept, and searched for different reasons – and makes it all searchable in the same single interface.
In June 2020, the College of Policing announced a public consultation into the LEDS Code of Practice, a crucial policy which outlines how the database is to be used and protected. The public consultation is open until 9th September 2020.
PI has submitted a response to the LEDS consultation (which is attached below) and is urging anyone with an interest in LEDS to utilise our response and submit their own views to the College of Policing.
Our response highlights that the actual information provided about LEDS in the consultation documents leaves a lot to be desired. Concrete information is needed around the safeguards that will be implemented, how role-based access controls will be allocated and reviewed, who will oversee this process, the data that will be kept, and the extent to which it will be shared with other organisations and third parties.
The LEDS Code of Practice and the Guidance Document are ambiguous, talk in the abstract, and fail to explain in any real detail how relevant safeguards will be achieved. Any adopted measures must be clear and implementable, with direct lines of responsibility
PI has previously written to three Parliamentary Committees (the Science and Technology Committee, the Home Affairs Committee, and the Joint Committee on Human Rights) urging them to review the development of LEDS and its Code of Practice. Numerous organisations supported our letters, since this is the only parliamentary oversight that LEDS will be subject to prior to its launch.
LEDS will be accessed by both police and a diverse range of agencies, including – but not limited to – the National Crime Agency, HMRC, and the Gangmasters and Labour Abuse Authority. LEDS will also be accessed by a number of private sector organisations that have aims that are complementary to law enforcement.
Whilst an initial list of organisations with access to LEDS has been provided, this list is not exhaustive and does not contain all the private organisations that will be granted access. This is very problematic, considering the impact that being wrongly entered into or accessed through the database can have on an individual’s private life.
In the longer term, the Home Office seeks to enable further data sharing between a range of organisations. This will be done by the addition of more systems to the platform or through links to systems owned by other organisations, such as Border Force.
LEDS will combine the data from the Police National Computer (PNC) and the Police National Database. The Home Office recognises that allowing access to both the PNC and the PND via a single search will return a larger number of results than would have been offered about individuals previously.
The Police National Computer, holds information on citizens – such as their vehicles and property – as well as arrests, charges and court disposals (including but not limited to convictions). The PNC holds 12.6 million persons’ records – the equivalent of approximately 1/5th of the UK’s population.
The Police National Database, introduced in 2009, receives daily intelligence data from “law enforcement” agencies (predominantly police constabularies) concerning persons, events, locations, organisations (including criminal) and objects. The number of records on PND is not easily established, as due to how it stores information there is no equivalent to a single person’s record. Additionally, LEDS will continue to integrate a number of other data sources into its common interface.
It remains unclear how those individuals entered on the LEDS database will be safeguarded against deliberate misuse of their data, such as so-called “LOVEINT” – the use of massive and intrusive databases to spy on partners.
Further, the consultation documents fail to make clear how indidividuals will be protected from incorrect or invalid data being entered about them in LEDS. LEDS will contain a significant amount of intelligence material, which may include subjective information from first-hand experience of the reporting officer, from covert human intelligence sources, and from lawfully authorised technical deployments such as trackers or listening devices. To the extent that the intelligence material is inaccurate, those inaccuracies may go un-corrected for a considerable period of time – if ever. Worryingly, neither the Code nor its Guidance document explain in sufficient detail how they will be safeguarding people, promoting accountability and understanding.
In our response to the LEDS consultation, we recommend that:
• Robust controls should be implemented to ensure that the images and data contained in LEDS cannot be used by police forces for any other purposes such as AFR technology or to build parallel databases.
• A robust system of redress should be implemented to allow individuals to challenge their inclusion in LEDS if they fear it to be unlawful, as well as sufficient transparency to allow individuals to understand if they are included.
• Clearer rules are required, provding greater foreseeability about when, why and how the police and other third parties are able to use and access LEDS.
• Robust policies and procedures need to be put in place to ensure the appropriate handling and deletion of data.
• More transparency is needed surrounding the way role-based access controls will be assigned, controlled, monitored, and publicly notified.
• Further guidance should be provided on how police forces should engage with individuals whose data has been stored on LEDS to inform them and what their rights are.
• Details of the redress or disciplinary procedures as a result of misuse of LEDS should be made clear.
• LEDS users should publicly disclose what access they have, how individuals can exercise their data rights, and how to seek redress.
• The Code and guidance document should be very clear on how additional organisations will be given access to LEDS and should include a consultation process for such addition.
• The Code should outline how or if the UK’s intelligence agencies will have access to LEDS. If GCHQ, MI5 or MI6 is to have access to LEDS, the Code should make this clear and outline their powers and responsibilities.
• The Code should outline how or if contractors and companies involved in developing, maintaining, or providing staff for the use of LEDS will have access.
• There should be clear querying and escalation guidelines against LEDS, in line with minimum access controls.
• Appropriate technical and legal safeguards must be in place to ensure that LEDS is not used for immigration enforcement.
• A Data Protection Impact Assessment should be made public to increase transparency about the use of LEDS and replace the existing privacy impact assessment.
• The governance framework should be finalised without delay and incorporated into the Code.
Full details of our response to the consultation questions can be found in the documents attached below. We urge anyone with an interest in LEDS to utilise our response and to submit their views to the College of Policing by 9th Spetember 2020.