Without Good Cyber Security, A Connected Justice System Will Fail Us All
Guest blog: Ashley Mitchell, Head of Growth and Marketing at Risk Ledger as part of our #DigitalJustice2021 week.
A ‘connected’ justice system has many benefits for all users, but if it isn't cyber resilient, the pain will be worse than not being connected at all.
The idea of a ‘connected’ justice system that makes use of digital processes and devices to enhance the capacity and capabilities of the justice system is an incredibly alluring proposition for anyone who has ever had to interact with it.
Anecdotes about police officers hand-copying paper forms onto more paper, only for it to go missing in transit to the next agency in a system with the power to make life-changing decisions for end users, are plentiful and soul-destroying to everyone concerned with a well-functioning justice system at the heart of UK democracy. A 2015 Government Digital Service (GDS) study found that paperwork was the third highest cost across policing in the UK.
Even talking about a 'justice system' is a bit of a misnomer. The myriad of agencies - police forces, the Crown Prosecution Service (CPS), courts and many more - who play some role in the journeys of end users have never been put into sync by a single architect to facilitate seamless collaboration towards shared objectives. This 'system' is actually a group of agencies with entirely different ways of collecting, measuring, processing, and transferring data. They’re silos.
Where there is opportunity, there are risks
This presents a huge opportunity for the UK tech community to work with the agencies to drag justice in the UK into the 21st century. TechUK's Digital Justice Week will celebrate a plethora of great ideas about how to do this. Go read about them!
However, a digitally connected justice system also introduces significant data protection and cyber security risks across the entire justice ecosystem that can literally have life, death and liberty consequences for end users.
We all know that cyber-crime is on the rise, but old-fashioned crimes, like the trade in illegal drugs and firearms, are increasingly cyber-enabled. Collecting and using digital evidence of these crimes is essential to the delivery of justice, but how do we maintain a secure chain of custody for the large volumes of digital evidence going through the system when there is no organisation reviewing the cyber security practices of all the relevant agencies and their third parties? How long will it be until organised crime groups (OCGs to all the 'Line of Duty' fans) exploit poor cyber security to manipulate or otherwise interfere with this digital evidence trail?
In 2016, 15 unencrypted DVDs containing recordings of sensitive personal data of victims and the perpetrator of a crime were lost during the transfer between Surrey Police and the CPS. How does a justice system function if trust in its processes and outcomes is fraying around its cyber edges?
When it comes to data protection, victims, witnesses, agency officers, accused individuals and even their families are entitled to interact with agencies in the justice system safe in the knowledge that their sensitive personal data will only be accessed by authorised individuals and used in authorised ways. At the same time, a 'connected' justice system must rely on the free flow of sensitive data between those agencies who need it to deliver services.
In 2018, Gloucestershire Police were fined by the Information Commissioner's Office (ICO) for a data protection breach that led to the exposure of the names of child abuse victims in an email communication. Without adequate data protection policies and processes in place in these agencies and their network of third parties, the scope for serious data protection breaches will grow exponentially over time. Damage to this fundamental trust in the 'system' could be fatal to engagement from vulnerable groups most in need of a robust and secure justice system.
There is a solution
We shouldn't despair. This is not a call to reverse the progress towards a connected justice system or even to slow it down. At Risk Ledger, we want the justice system to learn from other industries that trade in highly sensitive data like banking and healthcare, by implementing comprehensive, cyber security focused third-party risk management programmes.
This is the process of reviewing and then minimising the cyber security and data protection risks introduced by third-party access to sensitive data, or other privileged access to networks and systems. Ensuring the justice ecosystem has a good base level of cyber security in place, and reviewing this regularly, must be integral to all digitisation programmes.
Risk Ledger is a member of TechUK and our third-party security risk management platform has been adopted recently by the City of London Police, who wanted to reduce the financial and time resources required to assess the cyber security maturity of their third parties while making their reviews more comprehensive, assessing more risk domains.
We recently ran a seminar on third-party risk management for nearly 100 information governance leaders in the Police Information Assurance Forum looking at this exact issue and would be happy to run a similar event for other sections of the justice system.