Press release: Critical ICO report says the Police must stop taking data from victims' phones without better safeguards

Today, the ICO has issued a long-awaited and critical report on Police practices regarding extraction of data from people's phones, including phones belonging to the victims of crime.

The report highlights numerous risks and failures by the police in terms of data protection and privacy rights. The report comes as a result of PI’s complaint, dating back to 2018, where we outlined our concerns about this intrusive practice, which involves extraction of data from devices of victims, witnesses and suspects in criminal investigations.  

Key points from the ICO report:

* The Information Commissioner has called for a Code of Practice on mobile phone extraction to ensure our rights are protected.
* Police cannot seize phones merely to go on fishing expeditions, but must focus any extraction on clear lines of enquiry.
* Current police practices regarding extracting data from mobile phones, especially from victims and witnesses, must be reformed.

(See Section 3 of 'Notes to Editors' for more key points from the ICO report)

The ICO found that it is 'unlikely' that victims and witnesses will be able to provide informed and freely given consent for data to be taken from their phone, given that they are being asked in a policing context. The ICO concluded that police procedures in this regard must be reformed to respect the autonomy and agency of victims and witnesses while also having a sufficient legal basis and minimising the data extracted.

The data obtained from suspects, complainants and witnesses was not always categorised, but sometimes kept together in bulk, leading to risks of serious compliance failures.

Crucially, the ICO’s investigation found that there were numerous security concerns regarding unauthorised access and unintentional disclosure of extracted data. The highly sensitive personal data was not always being encrypted whilst being exported to other digital media. The unencrypted data was variously put on CDs, DVDs and USB drives, and often transported by couriers or other unsecured means.

The report also confirms PI’s concerns that the data extracted and processed from the mobile phones was often too excessive. Despite the availability of privacy-enhancing functions in the software tools, police forces simply grabbed more data than necessary in the investigative process.

Dr. Ksenia Bakina, PI's Legal Officer said:

"Today's critical report by the ICO vindicates what PI has been saying for over two years. The Police are taking data from people's phones, including the victims of crime, without applying proper safeguards. This has to stop.

"Currently, there is no clear policy guidance or independent, effective oversight for the police's use of MPE technology. Considering the extensive use of mobile phones in our everyday lives, and the significant amount of sensitive personal data stored on them, the public need to know that there are rules and safeguards in place - otherwise the Police are left to make up their own rules.

"The ICO's report is a welcome step in the right direction. However, it is just a first step. We need to ensure that the report is a wake up call that the police finally heed. MPE technology should only be used where it is strictly necessary. Otherwise, the police risk diminishing the public confidence in the criminal justice system. The fear that personal data obtained from mobile phones will be compromised can negatively affect the willingness of complainants to come forward and report the most serious offences."

NOTES TO EDITORS

1. In April 2018, PI submitted a complaint to the ICO regarding the UK police agencies' inconsistent and unlawful extraction of data from mobile phones of suspects, victims and witnesses.

2. Today's ICO report resulted from an investigation that was initiated, in part, because of that complaint. As stated in the report, page 12: "This investigation took into consideration concerns raised by with Commissioner from individuals affected by MPE and also a complaint made by Privacy International (PI). PI’s report “Digital stop and search: how the UK police can secretly download everything from your mobile phone” raised a wide range of concerns about MPE and called for an urgent review of the police’s use of it."

3. Further key findings from the ICO report include:

* The MPE process had numerous risks and failures of compliance with data protection principles. The Commissioner supports PI's complaint that there is no consistency in the lawful basis that dfferent police forces rely upon to seize and examine the electronic devices.
* The police do not operate under a clear policy that enforces proper safeguards to ensure that privacy considerations play a key role in this highly intrusive process. As a result, the report is calling for 'introduction of better rules, ideally set out in a statutory code of practice, that will provide greater clarity and foreseeability about when, why and how the police and other law enforcement agencies use mobile phone extraction'.
* The ICO report also highlights that no Data Protection Impact Assessments (DPIAs) have been submitted by police forces and it is unclear if they have been undertaken at all, when processing extracted mobile phone data under the Data Protection Act 2018. This makes it difficult to assess the extent to which police forces have considered risks associated with the processing of personal data.
* Significantly, Data Protection Officers within police forces were not always consulted when designing processing operations for mobile phone extractions.
* The seriousness of the crimes under investigation did not appear to be a key consideration in determining the extent of the extraction and therefore the level of impact on privacy. The police forces did not take all reasonable steps to mitigate the risks associated with personal data taken from a mobile phone. On the whole, there was a lack of consistency, nationally, in the application of individuals’ information rights and in how MPE is authorised and managed.
* When MPE takes place, there is a high likelihood that sensitive personal data will be processed. The law requires that a higher threshold of strict necessity should be met for this type of processing, but this higher threshold does not appear to be routinely considered.
* The Commissioner notes that there was insufficient evidence of a phased approach being taken which demonstrated the justification and authorisation for extraction and examination of data at each stage of an investigation, and a direct link between reasonable lines of enquiry was not evident.  

4. Read PI's technical explainer on mobile phone extraction for more informaton.

5. Read PI's 'Digital Stop and Search Report' that lead to this complaint to the ICO.

6. Big Brother Watch has written about the problematic ways in which the police seek data from victims, and fail to prosecute when victims do not consent to what may be excessive collection.