Without Good Cyber Security, A Connected Justice System Will Fail Us All
A ‘connected’ justice system has many benefits for all users but if it isn't cyber resilient, the pain will be worse than not being connected at all.
The idea of a ‘connected’ justice system that makes use of digital processes and devices to enhance the capacity and capabilities of the justice system is an incredibly alluring proposition for anyone who has ever had to interact with it.
Anecdotes about police officers hand-copying paper forms onto more paper, only for the paperwork to go missing in transit to the next agency, in a system with the power to make life-changing decisions for end users, are plentiful and soul-destroying to everyone concerned with a well-functioning justice system at the heart of UK democracy. A 2015 Government Digital Service (GDS) study found that paperwork was the third highest cost across policing in the UK.
Even talking about a 'justice system' is a bit of a misnomer. The myriad agencies - police forces, the Crown Prosecution Service (CPS), courts and many more - who play some role in the journeys of end users have never been put into sync by a single architect to facilitate seamless collaboration towards shared objectives. This 'system' is actually a group of agencies with entirely different ways of collecting, measuring, processing and transferring data. They're silos.
Where there is opportunity, there are risks
This presents a huge opportunity for the UK tech community to work with the agencies to drag justice in the UK into the 21st century. TechUK's Digital Justice Week will celebrate a plethora of great ideas about how to do this. Go read about them!
However, a digitally connected justice system also introduces significant data protection and cyber security risks across the entire justice ecosystem that can literally have life, death and liberty consequences for end users.
We all know that cyber-crime is on the rise, but old-fashioned crimes, like the trade in illegal drugs and firearms, are increasingly cyber-enabled. Collecting and using digital evidence of these crimes is essential to the delivery of justice. But how do we maintain a secure chain of custody for the large volumes of digital evidence going through the system when there is no organisation reviewing the cyber security practices of all the relevant agencies and their third parties? How long will it be until organised crime groups (OCGs to all the 'Line of Duty' fans) exploit poor cyber security to manipulate or otherwise interfere with this digital evidence trail?
In 2016, 15 unencrypted DVDs containing recordings of sensitive personal data of victims and the perpetrator of a crime were lost during the transfer between Surrey Police and the CPS. How does a justice system function if trust in its processes and outcomes is fraying around its cyber edges?
When it comes to data protection, victims, witnesses, agency officers, accused individuals and even their families are entitled to interact with agencies in the justice system safe in the knowledge that their sensitive personal data will only be accessed by authorised individuals and used in authorised ways. At the same time, a 'connected' justice system must rely on the free flow of sensitive data between those agencies who need it to deliver services.
In 2018, Gloucestershire Police were fined by the Information Commissioner's Office (ICO) for a data protection breach that led to the exposure of the names of child abuse victims in an email communication. Without adequate data protection policies and processes in place in these agencies and their network of third parties, the scope for serious data protection breaches will grow exponentially over time. Damage to this fundamental trust in the 'system' could be fatal to engagement from vulnerable groups most in need of a robust and secure justice system.
There is a solution
We shouldn't despair. This is not a call to reverse the progress towards a connected justice system or even to slow it down. At Risk Ledger, we want the justice system to learn from other industries that trade in highly sensitive data like banking and healthcare, by implementing comprehensive, cyber security focused third-party risk management programmes.
This is the process of reviewing and then minimising the cyber security and data protection risks introduced by third-party access to sensitive data, or other privileged access to networks and systems. Ensuring the justice ecosystem has a good base level of cyber security in place, and reviewing this regularly, must be integral to all digitisation programmes.
Risk Ledger is a member of TechUK, and our third-party security risk management platform has recently been adopted by the City of London Police, who wanted to reduce the financial and time resources required to assess the cyber security maturity of their third parties while making their reviews more comprehensive by assessing more risk domains.
We recently ran a seminar on third-party risk management for nearly 100 information governance leaders in the Police Information Assurance Forum looking at this exact issue and would be happy to run a similar event for other sections of the justice system.