 Fasf suddenly I'm a huluduniaf's fault, Shag'r athdafnwyn, and welcome. This is the 8th meeting of 2018 of theJustice Sub-Committee on Policing. We have no apologies. Daniel is going to have to leave us a bit early, he has a pressing engagement. Agenda item 1 is a decision on taking business in private. That is a discussion on the sub-committee's work programme. Are we all agreed? Diolch yn fawr. The second item on the agenda is an evidence session on Police Scotland's digital data and ICT strategy. I refer members to paper one, which is a note by the clerk, and paper two, which is a private paper. I welcome Kenneth Hogg, interim chief officer at the police authority, David Page, deputy chief officer, Martin Lowe, acting director of ICT, James Gray, chief financial officer and detective chief superintendent, Jerry McLean, head of organised crime and counter-terrorism for Scotland. You are all very welcome, and I thank you for the written submissions, which, as ever, are very helpful. We will go straight away to questions and the first questions from Margaret. Good afternoon, gentlemen. I wonder if I could start by asking each of you why the transformation of the legacy forces IT platforms is still to a large extent outstanding. Anyone would like to start with that? Mr Page, you do not need to press the button. The investment pre-2013 in the legacy ICT forces to drop off, which is usual when organisations emerge, so there was not any investment going in other than the kind of care and maintenance pre-police reform when we got into police reform in 2013. What was required was two things, a clear strategic ICT plan for delivery and investment to support that. Obviously, there was a piece of work under the I6 project and programme that we have previously discussed at this committee, which was meant to address some of the issues that were required to be dealt with in terms of addressing technology issues. Unfortunately, that programme failed, but that programme was only looking at part of the technology investment that was required. There is a separate component to this outside of technology, which is the actual funding that you need. What we need to do, which is where we have now got to, is a very clear vision strategy and set of plans around the technology requirements to integrate 10 organisations into one, which was the original police reform requirements. Over and above that, obviously, was the publication of the police in 2026 to enable the digital transformation. There were a couple of components that we needed there. One was around making sure that we had the financial competence and governance and controls in place to understand what was required in terms of investment and that we could control that money and we could plan that money appropriately, but also separately to do the work. Unfortunately, we did not have enough people, capability and capacity within our existing teams to do that work. For the most part, the teams were fully stretched just keeping the lights on. It was not until at the back end of last year and early into this year that we were able to use some of the reform funding to get additional resources in to do that detail planning. That detail planning has now been done. We have also put in place, over the last year or so, significantly improved controls around finance, which means that we now have an ICT strategy that is underpinned by proper financial planning, which links into the rest of our change programme. It has been quite a torturous journey, but the last 18 months have seen a significant uplift in our capability, our people, our capacity and the investments that we have been directing into doing this work specifically. I think that it may be as a matter of concern. It was only 18 months ago that you realised that you did not have the in-house capacity. Does anyone else like to tackle this one? That is a pretty fundamental question. From my point of view, convener, I would agree with some of the points that the DCO has made. I think that simply there hasn't been the right levels of investment. The technology estate and the footprint is complex and disparate. Pulling together that kind of integrated vision around digital data and ICT is actually quite a complex piece of work. From my point of view, the organisation did need to set that framework in terms of a strategic plan around 2026 and the three-year implementation plan. As David has said, we are now getting to the point where we are understanding the level of investment that is required to address the gap. When I was brought into the organisation, which was about 20 months ago, one of the things that I was asked to do was to evaluate why we had not made as much progress as we needed to do, both on ICT and broader corporate services transformation, but to look at how we could address the multiple section 22s that we had around financial control. I initiated a series of health checks of the finance function later on the ICT function to see what the gap was between where we were and why we were not doing what we should have been doing and what was needed to close that gap. The first one that we looked at was the finance function, which was where we had a lot of audit Scotland reports on that. A result of that initial analysis, a kind of gap analysis of what we needed to do the job properly versus what we had resulted in a very significant investment in the ICT function of additional capability to make sure that we could manage the money properly and put proper controls into it. Subsequently, we did the same around a health and ICT health check in the summer of last year, and that gave me the information to understand what the gap was in terms of capacity and capability that we needed to fill. Understanding what that looked like then allowed me to bring in professional services to help fill that gap and then develop a strategy now, which has led to the requirement for future investment that we are looking at at the moment to deliver on the transformation. That has been the journey over the last 18 months. Health check, understand the gap in finance, plug the gap and then the same on the technology front. The finance and funding seems to be a key component. Would you like to comment, Mr Gray? What I would say is that I agree with the comments that have been made, but fundamentally, I suppose, if you do not have the strategy, you are not going to be in a position to set out what your funding needs are and then put forward the case to compete against other parts of the public sector for what is a scarce resource of capital funding. We have not been in that position. I do not think that that is particularly news in the order that Scotland for a number of years has been highlighting the fact that one of the significant gaps that Police Scotland SPA had was a lack of an ICT strategy. I was not here in the early years, so I could not comment in any level of detail. However, it looks to me that the way in which it is being tackled has been on an incremental basis. I am looking for bits of money to do bits of improvement, but I am not taking the step back, looking at what the overall requirements need to be to transform the old eight legacy forces into something that is an integrated national police ICT infrastructure and capability. That is the work that is under way. That is the reason why we are starting to get an understanding of the quantum of the investment that is required to take us from those legacy arrangements into something that is required for a national police service. From the SPA perspective, the need to progress work on ICT has been evident since the creation of Police Scotland. The committee has discussed in the past the work undertaken on the I6 programme. For the past year, we have had a strategic plan for policing, the policing 2026 strategy. The work that is being taken forward now has two main functions. One is to create a future purpose ICT system, which moves us on from the eight legacy forces systems. The second is to use that ICT platform as an enabler of wider change across Police Scotland. The work that is being taken forward now, and the work that has been shared with yourselves at the stage of a strategic outline business case, is not a standalone ICT project. It is an integrated digital data and ICT project. It is positioned firmly within the context of that wider 10-year strategic policing plan. That is good that we are looking forward, but I asked you to identify from the SPA point of view what you think had gone wrong in these four years, for example. Was it a case that perhaps I6 projects just swallowed up too much resources to many eggs in one basket? Did SPA come to a conclusion of why we are in this position now? I know what you are doing in the last year or so, but did SPA reach a conclusion? The I6 programme and its ultimate failure were reviewed extensively, including by Audit Scotland, and the lessons from that were learned. One of the questions that the SPA has been asking and has received assurances from is how those lessons have been learned. Colleagues here could point to specific examples of where things are being done now differently having learned the lessons from I6. To answer your direct question, there was a focus on ICT in the past five years. That focus was primarily around I6. That programme did not deliver, and now we are seeking to move on from that with a strategy that, as I say, improves the legacy eight forces infrastructure, but also positions that within a broader strategic context. Others will dig down as to why that did not move forward and the lessons learned will be there to leave it there, can you hear me? I would really like to ask you about the fundamental purposes. Having read the detailed document that was submitted to the SPA board at its last meeting, I think that one of my concerns is that, although there is a lot of detail about the technology that needs to be built in terms of infrastructure versus other elements of ICT, there is a lot of detail there about the plans and strategy. Could you perhaps detail what it will deliver, or seeks to deliver, in terms of police, core function and practice? Thanks for the question. From my point of view, it is not about technology. For technology's sake, it is about harnessing the benefits of technology to deliver support on those operational efficiencies and improvements in policing. If I may convene, I will take you through some of the core elements in terms of the operational impact. I hope that that will answer your question. The strategy is designed to allow us to resolve some of the challenges that we have around data in terms of reducing our data silos, improving data quality, harnessing data and using and exploiting that data to support better decision making. The data input element has been widely trailed in terms of officers having to input the same sets of data into multiple systems, so clearly the strategy would aim and seek to address that to get to a point where there is a single data input, a single search in terms of a federated search capability. The core operational systems element, which is effectively the part that I6 did not deliver, is still absolutely fundamentally key. Delivering that single national integrated solution that caters for crime, case and queries and the basic elements that officers use is key. The strategy talks about mobility and the need to support much greater officer mobility, again to avoid the need for the scenario where officers need to return to base at the end of their shift and then have to do that in a multiple keying into multiple systems, which in effect does not help with the data quality because that of itself is not going to get a necessarily good outcome in terms of data quality. Mobility is pretty key. Analytics and business intelligence have not really exploited that area significantly and I think that there is a lot of scope to do that. Public contact, so there is quite a bit mentioned in the strategy about what would need to happen in terms of facilitating greater public contact. Online crime reporting, tracking crime, different mechanisms for members of the public to actually contact and deal with the police. A lot of those mechanisms that are fairly obviously used in lots of other parts of the public sector today are not available at the moment. The final thing for me, convener, is the partnership working element and the core platforms that we need to support that partnership working. If I give you a specific example in terms of the criminal justice community and digital evidence sharing, we really have to get our own co-operational policing systems fixed before we can contribute to that wider digital evidence sharing agenda, given that not all but quite a lot of the data and the processes originate in and reside in the police as the first organisation. Those are the kinds of things that we are trying to address within the strategy from an operational perspective. Thank you for that answer and I understand much what you are saying. However, I suggest that most police officers probably do not talk about federated data searches. They are probably talking in terms of language about looking up records and searching for vehicle license numbers. We can all understand that the number of areas that have multiple systems basically creates more time for officers. Have those frustrations and inefficiencies been captured? Do you have measures in place to ensure that any new system is actually improving against those measures and those frustrations that currently exist? Some of that is being looked at at the moment in terms of the SOBC and as we move to the online business case in terms of the benefit. I think that you are right and I agree with you that federated searches are not necessarily a term that I would use from an officer's perspective. It is just about making their job more easy in terms of data input, look up, search, mobility and basic things that will effectively enable them to do their job more effectively. That is the central tenet of the strategy. Can I also ask about the £206 million figure, which is a very large figure? Just put that in context, understand that the Scottish Government over the last four years has spent around £400 million on ICT projects. That would put this at about 5 per cent of Government spend on ICT. I just understand how that figure has been arrived at and how it breaks down, because, as it was pointed out, it is not one shiny metal box that is being purchased, it is multiple systems that are being worked on. I presume that there is a breakdown of that number, but I certainly have not seen it in any of the documentation so far. The first thing that I would say is that, because this is still a strategic outline business case, the numbers are very broad and approximate at the moment. Ranges and £206 million, the figure that you quoted, is at the top of that range at the moment. It is broken down into a number of components, which I can, such as infrastructure, and the example of that is creating the national network. It has solution delivery, programme management, information and data, commercial and procurement and business change management. I can send that data to committee members if that would be useful. The way in which it was calculated was a combination of a bottom-up approach. When Ernst and Young were in, they were working with colleagues within Police Scotland to identify what was in place, what the gaps were and where we needed to get to. On top of that, there was an overlay of looking at other police services that they have worked with previously that have done similar things. This strategy is not about doing anything that is particularly new. It is just bringing Police Scotland into line with what other police services across the UK have been doing. It is looking at how much it is costed in other comparable forces, which is not necessarily the easiest thing to do when you look at where Police Scotland is placed in comparison to the size of the met versus the next below. It was taking all of that into account to say that, based on experiences elsewhere, and what it is that we understand, your particular challenges are what we think the range of cost will be. At the moment, it is still at a very high level. Over the next three months, the more detailed piece of work is now under way to establish those figures up. We have highlighted the figure of £206 million so that there is an awareness of it. It begins a discussion, but detailed work now needs to come in behind that to put more evidence behind the numbers. Given the large value that that is, given that things like the NHS 24 recent IT project cost around £100 million and that it rose to about £150 million, given that the agricultural payments are again around £170 million, that is going to be one of the largest ICT projects that are under way within the Scottish Government, are there any particular considerations that need to be given, given its size and indeed its expense? I think that we need to look at what we currently have planned from an IT spend. We have a three-year financial plan. Of course, the year 2 and year 3 are indicative, because we do not know what the funding settlement is. However, we already have a significant amount of capital expenditure that we had scheduled. Now, whether we would be able to do that is something that would come out of the spending review. To pick up on, if you look at the first five years of Police Scotland, there has been about £90 million spent on ICT. Over the next year and the following two years, we have got £94 million scheduled to spend on ICT. A lot of that £94 million would be part of the overall 206, because the things that we are looking to invest in will feed into the overarching digital data on ICT strategy. To answer your question, I think that what we need to do is to marry up what we currently have in our indicative three-year capital plan into what is coming forward from digital data on ICT, because a lot of that is the same money, because it is the same things that we will be doing. It would also be about the timing and the phasing of delivery, because obviously we are putting something forward that is five years, but that could be flexed, it could be shorter, it could be longer, and that would have a determination as to how much capital is required to be spent in any given year. Obviously, discussions around what we already have or what we have always had at a capital budget and how much of the existing resource or what is scheduled apply to capital at the expense of not investing in other things, such as fleets or estates, in a broader conversation around additional funding. That is not us coming here saying that we are looking for £206 million on top of the funding that we were already thinking that we would potentially be receiving for capital. It is about trying to build that in and work with Government to establish what is an affordable outcome. I hope that answers your question, but if not, I am happy to expand. I hope that we have time for that. Before we bring Liam in, Mr Loh, can I clarify something? You talked about criminal justice partners. Are you able to outline the extent to which you have had engagement with those partners and did other emergency services, the NHS, about compatibility issues as we go forward? Has there been discussion around that? Yes, convener, there has. I sat on the programme direction group along with ACC Malcolm Graham, which is the Scottish Government-led digital evidence sharing group, along with my counterparts in the COPFS and the court system. We are collectively in that space discussing and considering the options for that wider criminal justice digital evidence technology solution. As I said earlier, my opinion is that we very much need to get our own house in order to support that work. I think that there are good connections and good dialogue with CJ partners. There is work to be done in terms of the next three months' worth of work on engaging with colleagues in NHS and local authorities, but we recognise that that absolutely is a piece of work that needs to be done. That is reassuring. Thank you. Liam. Following up Daniel Lennon's and the convener's line of questioning there, I think that Daniel cited the NHS 24 and fund payments examples of ICT projects, which I think underscores the extent to which many of those projects, starting off with the best intentions that the figures being produced were as robust as they could be, but nevertheless have climbed and climbed quite substantially. What assurances can you give the committee at this stage? The £206 million figure that you have arrived at, albeit that it is not all new money and compass stuff that you have already committed to doing, how confident you are that that figure is not going to climb and climb substantially in line with what we have seen perhaps in other areas. The first thing that I would say is that I will have a higher level of confidence when we get to outline business case stage, because at the moment a strategic outline business case is very much a combination of looking at experiences elsewhere and what we think having done an initial piece of work that the need is internally. Obviously there is a detailed piece of work over the next three months where that will come out with a figure that is more robust and that there will be much more behind it to support it, but with regard to the £206 million, what I would say is that each of the components that make up the £206 million were individually risk assessed based on how much certainty there was over cost and scope, because when you get into the detail, the scope can change things. Based on that risk assessment, optimism bias was applied, so the range was from where there was no risk and it was a certainty on something where you know the cost, there was no optimism bias there, but ranging right the way up to 200 per cent on things where there was a lot of uncertainty. I think that the approach that is being taken from a costing at this stage is robust in that when you look across the piece over the whole £206 million, there is about a 50 per cent average night optimism bias in the strategic outline business case, but that does range from nothing to 200 per cent. However, as we move through the next detailed phase of work to get to the outline business case, we will have a greater degree of certainty over cost. We have had a look forward. I encourage a bit of a look back for a second. We have talked about the extent to which the I6 project was critical in delivering a lot of Blue Scotland's objectives across a wide range of areas that are picked up by auditors. In the report that was taken to the SPA at the end of last month, Mr Page talked about the failure of that project and the technology transformation of the legacy forces ICT platforms, not having made progress and that continues to present multiple problems and challenges to the service in terms of weakening our operational effectiveness data and information management and efficiency in delivering the policing services that communities deserve. Could you be outlining in a bit more detail the practical implications of that? I suppose that police officers and staff have been able to put in place work-arounds to the things that they have not been able to do because of the failure of I6. I'm happy to expand on that. There are two dimensions to this. One is the police officer doing the job. The fact that we've not been able to roll out mobility and the fact that we don't have a single network get across the entire country means that they take much more time doing things if we had those systems in places that they wouldn't need to. They have to go back to their police stations more often and they have to re-key data more often and they can't exchange data. It just builds in delay effectively. There's a big issue around that. The other issue is about use of data. If we get integrated systems, if we add data in analytics to where they were, we'd be able to give them much better information much quicker to allow them to do their job and be much more effective if they're responding to calls for vulnerable people and we had better information flowing through. This is not just our systems. This is how we integrate with the national health service. You can give them better information right up front, which would allow them to deal with whatever situation was in front of them in a much more effective way, or even pull in other partners at a much earlier position. I think that we've commented before on the fact that we tend to be that kind of service of last resort. If we had better information, we'd probably be able to get to the solution much quicker. If you're looking at a threat, one of the things that I did comment on previously was the quantum of investment that we know that serious organised crime and terrorist making and that shouldn't be underestimated. Those individuals and groups are very sophisticated in terms of the way they use the technology. That has a couple of effects and I'll defer to Chief Superintendent McLean on that in a second, but what it means is that it means that our people, our officers trying to combat that, don't have the technology that they need to to keep up with them. It creates a risk for them, obviously, because these guys have got more information, and it means that there's more opportunity for them to get away with it, but it is quite a key area for us. I'd like to, if I may, hand over to Jerry. Thank you, convener and attendees. I'm a business lead for organised crime and counterterrorism, and they're in cyber and perhaps will take some questions later on. Just on this point, I don't have any portfolio responsibility for ICT or that wider strategy, but as a business lead, the user experience is just exactly as described. Some of the recent successes in the organised crime space that you may have seen in the media are some of the recovery of firearms. Those types of groups are ever more sophisticated and challenging to law enforcement, but more particularly to my area of business, which is very specialised in terms of Covid delivery. So, as commercial technology becomes more available, more sophisticated, then us within law enforcement across the UK, and Police Scotland is particularly well placed in terms of UK law enforcement, but it becomes extremely challenging for ourselves. I go back to the point that Mr Gray made earlier on. The experience internally within the organisation has been that incremental approach to see where not there's been opportunities within the capital arrangements over the past few years to try and build some of that capability, and that's maybe some of the things that we'll talk about in cyber later. User experience in telling within the organisation is that those governance procedures are maturing, they are far better in the last 18 months or so, and that's how we're able to put a more informed programme of delivery in place in terms of cyber, in terms of our technical support, and trying to meet some of those challenges that we see in the organised crime space and the counterterrorism space, but they are very real, and we continually, day by day, slip behind the capability of some of those groups out there. Maybe I'll just take you back on the page to the point that you were talking about, the inputting of data and the mobility. Have you been able to unpack and distinguish between issues that arise out of a reduction in civilian staff within Police Scotland, where officers that were being suggested were stepping in to perform some of those roles, and the roles that arise as a result of the lack of the mobility of data and all the rest of it? We've acknowledged previously at this committee that there was a historic approach in response to the redundancies of staff where we'd not actually made the transformation, which was down to the technology. If you're going to make staff redundant or give them the opportunity for redundancy and the work still needs to be done, you need to improve the work, and ideally you would put technology into that space. What we found ourselves in a position of was making staff redundant, not putting the technology in, not making that transformation there, the work still needed to be done and actually moving officers into backfill. I think that the intention was to do it on a temporary basis, but obviously they were there for much longer because we didn't deliver on the technology. The effect of that, of course, is that it brings officers out of operational policing into effectively what could be described as back-office roles, so that has an effect. In terms of things like re-keying, it just means that it takes two, three, four times as much as it should do to enter a data. They get the information, it enters into one data, then somebody else starts to key it into another data, then they photocopy it and it goes into another data. It just wastes a huge amount of time. It's all of those issues that are added together that make us really, really inefficient. We are reversing. We've got a clear strategy and a clear plan to move police officers out of back-office support roles. That was something that we've laid out. We're strategically looking at our workforce balance. What we should be doing is having the right people with the right skills, doing the right jobs, and where police officers have got warrant cards or specialist skills that we need, they should be only in those places where we need them because they are our operational asset for the most part and they should be in operational roles. The technology enables them to be more efficient in their operational roles and enables staff to be more efficient in delivery of support. Obviously, going forwards from a workforce mix perspective, there are opportunities for civilian staff to support operational policing in operational roles as well. For the most part, we've got to get the technology right to enable that underneath it. At the moment, we're dealing with all of that legacy manual processes. People have not been in the right places to do the right jobs. Part of 2026 is a workforce strategy. That will have to be integrated with the right financial planning, with the right technology enablement. Obviously, where we want to get to is operational police officers being deployed with better capacity to do the jobs out on the front line, with our staff in the back office focusing on the jobs that they need to do but with the right technology. That way, we can be more efficient and allow police officers better time. We can save money and operate within our budgets and ideally get the types of investment through to specialist technology that Jerry and his colleagues need to ensure that we can keep up and ahead of ideally the opposition, if you like, in this space. Just picking up the point that I want to see if McLean is making in terms of the commercial development of IT and what you've said there on the page to keep a pace or even keep ahead of it. I mean, I'm taking it that the sort of IT structures that you're looking for, particularly integrated with criminal justice partners, is so bespoke that what you're not trying to build in is an expectation that the costs of this technology are likely to come down or come down markedly over the coming years. I'll pick up on that. I mean, the approach that we are taking is an enterprise approach as far as possible. We're certainly not looking to custom-build everything if that's what you mean by bespoke. Where we can, we will use off-the-shelf products, enterprise-scale products, products that will be able to be deployed across the entire organisation. Of course, there are always going to be operational areas where you need a very kind of custom or niche or bespoke type of solution, but in general the principle is that it's going to be enterprise-scalable kind of technology. I'm sorry just to be very clear. We're not trying to bespoke or gold plate the investments here. If you look at our starting point, which is 10 different organisations doing things in different ways, often with different technologies, just by moving us to single-platform technology, which is proven across the UK in law enforcement elsewhere. If we can just get people to move to those almost like vanilla solutions, we can jump forward to quite considerably our capability. We are looking to do the best, cheapest investment to get us to the right space early. This isn't about people sitting in room developing super duper technology. We're absolutely not going there. This is about core, basic technology for the entire service to let people do their jobs really efficiently. That works from a financial perspective, but it also allows us to have the investment because we're creating capacity by doing that to support the types of investment that we need in cyber, where it is becoming more specialist. Again, we can work with colleagues across the UK to get those types of investment. It was just to pursue the line of questioning that Liam McArthur had started. That was from your report, Mr Page, to the SPA board, where you said that the pressure on officers operating inefficient processes without date or no technology, while at the same time facing threat, harm and risk from criminals, who are investing heavily in the most sophisticated technology and using that well, leaves not only those front-line officers and other officers at risk but the public as well. How worried should we be about this and how immediate do we have to be in addressing this situation? I think that it's very clear. If you look at recent events like the TSB challenges, where there was a technology failure within a bank, in very short order criminals were exploiting that, developing what they needed to do to exploit that and were stripping a significant amount of money off people with the bank not having the ability to defend itself at that point. That's just a very recent example of it. Again, Gerry can talk about some of the other vectors of attack that criminals and organised crime have. As we become more digital, every single day that goes past, every kid that comes out of school, they are driving that digital way of life. As that grows and grows and grows, the threat will extrapolate even further. The size of the opportunity, as everyone gets more involved in digital, gets greater, which creates a much bigger opportunity for criminals. As Gerry said, a lot of the criminals can buy off the shelf technology now. If you go globally, there is a military-grade technology out there that these people can buy. The opportunity and the risk to the public becomes bigger. The organised criminals have access to technology that is cutting edge. What we have to try and do is keep pace with that, because if we don't, then the consequences are going to be self-evident. I would agree and echo that. I have gone on record before by saying that that is some of our more intrusive and covert tactics. It is almost like targeting another covert organisation who has better equipment and capability than ourselves. We are very much alive to that, so hopefully some of the successes are shown that we are adjusting our tactical model, our operational deployment model. We have to think about the officer's safety, because when we are putting them out there with old and dated kit, it is very visible to people out there who pose some threat to us as police officers, particularly when we are in that covert environment and are not necessarily identifiable. We have had to debrief, adjust our tactics accordingly and think about when we should be deploying the physical element of it, in other words, officers towards those types of groups, and what other means we can use to work around about that. Again, with the technological challenges, that is extremely difficult. Is that to be addressed right here and now? It is part of the programmes of work that we have put forward through those governance groups that I talked about. I know that there is a lot of focus on the cyber capability programme, but we have some other programmes of work that are going through a change board on which SP has some visibility of trying to see whether we can close that gap so that we have that support to our officers who are out there doing good jobs in difficult circumstances. Just to put on record, some of the recent convictions and some high-profile coverage of some of the operational work is to be commended. On that point, in terms of capacity, resource and timescales, in order to, as Mr Page said, get to the point where your services have the advantage over organised criminals and counter-terrorism rather than reacting as you state, it seems to be generally the position at the moment, what sort of timescale resource and investment would be required to make that change? In terms of some of those high-risk areas, we are very much alive to the part about data privacy and the intrusive tactics that we use, so we understand that and, again, we are very alive to that. Nevertheless, the way that people live their day-to-day lives, we all leak and generate digital data around the border, so that provides other opportunities. The reason I say all of that is that the way we are deploying some of those covert assets against those high-risk threats is very traditional, so it is pretty much the way we have been doing it in policing for the past 20 or 30 years and certainly has been my experience. There is a real opportunity with the caveat and checks and balances around data privacy and data security to lean more towards technology and make a different use of the human element of a police officer in terms of evidence gathering. That is some of the things that we are trying to do through the technical surveillance 21, so 21st century, programme of work. It is probably a more medium to long term, so we are looking at a three-year programme of work with various deliveries within that. It just very much depends on what investment is available to that, but for the front-line officers, they could be starting to realise the benefits of that within six to twelve months, albeit that what we are trying to do is a programme that is incremental, so it is not just working towards an end state at each stage if it would be an improvement, but the end state would take us far in advance of any other force in the UK. The technology platform that we need to build for policing, which will support the covert work that Gerry is talking about, is effectively an ecosystem of data and technology, all of which underpins the work that is going on in that area. A lot of what local or territorial policing police officers on the ground do in terms of their interaction with the public, the data that they can pick up, that stuff feeds through into that journey there, just as important as everything else. One of the things that we have to do is get the entire infrastructure working efficiently, so those points of data and the public are always going to be one of the best access points in terms of intelligence. We have to have the ability to pick up that information, process that data, feed it through a large organisation and get it to the right people at the right time, which is why, in terms of the investment profile and the technology plan, we have to do the strategic things that have become the data enablers to get the types of cutting-edge technology, which is where we are going to need for technology 21 and the cova area to get to. It has to be built on an absolute solid technology platform that captures all that data and feeds it through, so we are going to do it as structured away as we can, as efficient as we can, but it is the totality of this that makes that work. In order to create that advantage at the specialist level, generic progress is required, if that is what you are saying. Thank you, convener. I hope that you do not throw out all the old stuff. There is a bit of computer code that I wrote in 1974, which is still being used, and most of you will have seen the output from it and used it. The old stuff will work well if you use it in the right way and do not throw everything out. I just want to dwell on the lessons from failure. We have had reference to TSB, British Airways, we are grappling with problems, they have been selling tickets at £1, which they should have been selling at hundreds of pounds, London Ambulance Service in the 1990s, Scottish Qualification Authority in the early 2000s and now the I6. I used to lecture on project failure, so I particularly ask, are you looking out with your own narrow interests to see if there are lessons to learn from others? For example, the Federal Aviation Authority is a very good matrix for analysing failure, the nuclear industry has the same, the health service has the same. Are you looking outside to see how others have failed, how they have dealt with that failure and how they have learnt with that failure to reduce the possibility of future failure? Absolutely. Audit Scotland produced a very helpful digital lessons on public sector IT projects, which had a variety of challenges and failures. We built that into our thinking. We have already engaged with OGC in terms of gateway reviews. We have had a strategic gateway zero review done over an entire portfolio at the moment. One of the other things that I did when I mentioned earlier about 18 months ago, 20 months ago, I did a health check around the finance function to look at what we needed to do there. Effectively, we have done that across the organisation because if we are going to run a strategic transformation, one of the very early lessons that comes out of Audit Scotland or any of those analysis around things that have failed or things that have worked, it is about having the right skills and the right capabilities in the organisation supported by the right professionals. As part of the utilisation of reform funding, which is what we have been doing over the past year or so, we have brought a substantial amount of skills into the organisation, principally civilian skills around risk management, audit capability. We have built a full change function and have put significant additional resource into the IT function and into the finance function. Part of that is how you do the risk mitigation around avoiding those types of failure, bringing in professional advisers into areas where we do not have the long-term skills because you would not need them on a long-term basis, taking cognisance of where others have failed. We are building an entire ecosystem around that because we are fully aware of the track record of public sector IT failures and our own failure in I6. We are investing a huge amount of effort and money to make sure that we give ourselves the best chance of success. This is too important for Scotland and for the public to fail. It is far too important for our police officers who are out on the ground who have to deal with the threat of armour risk on a day-to-day basis. I am going to move on to something else, but just before I do, the private sector fails as well. It is just more difficult to find out about their failures. I invite you to consider that TSB would be a good example. The other thing that I just want very briefly, because I think my colleagues have covered some of this, is whether you have actually got a timeline. Now, we are running out of time here, so it might be that you could write to us with a timeline showing the different activities that you are going to undertake. Would that be appropriate to convener to help us to move on? In your answer to Liam McArthur, you talked about the extensive staff re-organisation that was required to implement the ICT strategy. What engagement you had with unions and staff organisations about priorities and the timescale of that? I will pick up on that. There is a bi-monthly engagement forum with all the staff associations and unions. Through the first phase of that, I have taken it to SOBC stage. I have presented the last two meetings of that particular forum. The documents and some of the core products that were produced as part of that first phase have obviously been shared with the members and the attendees of that forum. I have asked for feedback and offered a discussion with those members, and that is in train at the moment. As part of the next stage, as we move into the detail testing, I think that, as James said, testing some of the assumptions from SOBC to get to OBC and drill into that in a bit more detail, clearly there is a need and an opportunity for that engagement to continue with the staff associations and the trade unions. We intend to do that over the next three months. There is more I could ask, but I think that we are running a little bit short of time. That is fine, thank you. Can I ask about the I6 contract, which is repeatedly referred to as a failure but, at the end of the day, the money was recouped. The Accenture contract was for £46.1 million. I appreciate that it might not be a like for like, but it seems quite a considerable jump to the sums that are now being talked about. Is this greatly enhanced? Is this I6 not to cover all the aspects of deficiency? Is it filling the complete gap? I can say that the DCO is keen to intervene, but it is exactly that, convener. The I6 programme itself was very specific in terms of the six modules that were going to be crime, vp, criminal justice, custody, missing persons and productions. All of that I6 capability almost transfers into what I have talked about in terms of co-operational systems and the need for that integrated national system. However, that piece is much bigger, as you have alluded to. It is significantly bigger, so the two things are not the same in terms of scale and hence investment. Yes, getting to the I6 equivalent within the programme is still, in my view, fundamentally key, but there is an awful lot more going to be wrapped around the programme and the transformation than just what was included in the former I6 programme. For the avoidance to the doubt, there are no gaps. If this is I6 plus, it is what needs to be done at this time in looking ahead. Yes, we do not believe that there are gaps. The work that has been done through that first phase has been fairly extensive across all functions and business functions of the organisation, so it is almost I6 plus and plus again, I would probably describe that. In the written submission, you provide a lot more helpful information around the cyber kiosks. Could you clarify the terms and amounts of the cyber procurement contract? My understanding is that the kiosks cost approximately £440,000 and we purchased 41 of them, but I can provide a breakdown of that. That was one component of a wider cyber spend last year, which was £3.4 million, but I will provide details on that. What about any suggestion that there is a trigger point that would involve more involvement for the Scottish Police Authority and that trigger point is half a million? That is a short of half a million. What more could you have? The business requirements that we run with are in response to the business need. The trigger points are what they are. £500,000 is the spend limit for us within the police. £500,000 to a million goes to the accountable officer to Mr Hogg and then over £1 million is the main board. We do not cut the business requirements around those limits. We have the opportunity to—one of the things that we do is to make sure that we have modular and right-sized approaches to things. If it is all possible, we would try to avoid really big programmes because, like I6, when they get really big, it is easier to have a fail. What we would like to try to do is to have smaller-sized programmes where you have benefits linked to the capital mucher or the expenditure. We are conscious of that. The other issue that we do is pace. In order for us to move at pace, we have to go through the right governance. One of the things that we try to make sure that we do is adhere to all the governance that we need to do as we go through that journey. We are very careful to make sure from a finance control governance perspective that we adhere to the governance procedures that are required of us. It is one of the points that Aldrich Scotland made previously about financial control. You have provided a lot of documents to Mr Page and a number of them are redacted. I would have thought that it would be possible to say the position of the author of the business case. Who was the author of the business case in respect? The strategic outline business case. No, I am talking about the cyber chaos in the business case. That came from the head of the cyber crime unit. I can provide a bit more detail. As Mr Gray said, £445,000 was the figure for the kiosks. In terms of how we came to what we thought the business need or business requirement was, we tried to provide three kiosks to the 13 local policing areas. That was how we came to the figure of 39. We expected that perhaps from time to time we might get some hardware failures. It was to try and keep one or two devices within the cyber crime units as resilience to that. We were working on a figure of about 40 devices at that time. Would we have wanted more? Would it have delivered more benefits? We think it probably wouldn't. It is something that we will have to review in the future. Again, that was trying to work within the financial framework on some of the capital funds that were available at that time. We were alive to the fact that there would be a notification to SPA and possibly signed up with Scottish Government. I think that that is reflecting some of the documentation from 2016. However, the business requirement from the business area was working on that premise of three devices to each of the 13 local policing areas, coming to the figure of 39 with some resilience bit went to that. In the business case, not only did we not determine who the author was, it was undated. What was the date of that business case? Are you able to say? I am not able to say here, but I could perhaps go about that, yes. That would be helpful, thanks. As regards approval, at different points in the information that we have provided, there is a suggestion that it is ACC Johnson at page 5 in the documents. At page 10, it talks about permission granted by the force executive. Who signed that off within Police Scotland? If I may, I am probably best signed some detail of that. What was happening there, and again, evidence has been provided before to the committee to yourself, convener, are on about the trials. In about mid 2016, there were some trials based on the anecdotal evidence that was coming from forces south of the border, who were using that same type of technology. Again, we were looking for that window of opportunity within capital funds that may become available within the business area. To try and get some agreement for those trials, there was a request made to the force executive and others, the chief officers, as to where not those trials could go ahead and that is reflecting some of the documentation that you are seeing. The funds were not available in 2016. We revisited that with more trials in 2017, and it was only late in 2017, which I think was probably when the business case was written, but I will check the detail of that, that again was put back to the force executive. ACC Johnson, having the portfolio lead for specialist crime and intel, was citing that, so that is why you are seeing someone who has his name mentioned in some of those documents. Ultimately, that business case in the programme of work was put through the change board and notification to the Scottish Police Authority. I will click colleagues in, but before I do one question there, Mr McLean, again, the mention of UK other law enforcement areas. Page 4 talks about consulting UK law enforcement. Can you say who was consulted and what was learned in particular as I raised on the last occasion the experience and the criticism that was voiced for by the oversight body looking at North Yorkshire's application of these devices was extremely critical? Yes. Having the portfolio lead for cyber, we have representation on the national cyber operations group, so we were aware at number of the forces south of the border. We are using that technology and have been using it for over 10 years. When we did the consultation through the operations group, we found that all but four of the 43 forces south of the border were using some other type of devices from different providers. We went to six forces. I can provide the details of that, but the metropolitan was obviously the largest. They were using around about 130 kiosks at that time. From memory, I think we did Northumbria, Lancashire, we went to the Garda in Ireland and I think there was one other force within. We consulted with about half a dozen other forces to see what their experience had been, to see what the challenges were and to see what their operating principles were around that. Our reflections were that that was broadly positive. There had been no significant challenges, there had been some experience, as you say. There were definitely operational benefits within it, but one of the observations that we made was that there was a real absence of consistent ways of working and, in effect, a code of ethics, if you like, but a sort of operating procedure in terms of how we might take them from and how we'd operate them within a force. That code of practice is something that, at very early stages, we were keen to develop and have an ethical response in terms of how we might use them in the future. If I could perhaps refer you to your letter of fifth of June on the financial governance of the SPA of those kiosks, you say that, as it fell below the half a million value, it didn't need SPA approval. Is that your position? Yes, that's correct. For a capital investment over half a million pounds, that would need to be submitted to myself as a counterpart officer for approval. That's a capital investment, but the whole contract that we understand came to £545,000 over that half a million deadline or limit. Wouldn't it be expected that the SPA would then, under financial governance, look at the contract? No, the investment total £445,000 and that included within that not only the capital investment for the kit but it included the licence costs and also costs associated with training. Can I stop you there and ask where your figures differ from the ones that I have in front of me, which suggests that the technology, the licensing, the training and the annual fees amounted to a contract worth £545,000, i.e., over the half a million pound threshold. The figures that I'm quoting to you are the figures that I have from Police Scotland. I'm happy to clarify that, if you like, but when I gave evidence to this committee a month ago, I used the same figures on the same basis. Well, we have a discrepancy, and perhaps we can find out. I wonder if the issue is perhaps the capital costs alone, but clearly if there are revenue, the combined costs, we have a series of figures here. In addition to the capital costs, there are approximately £100,000 of annual operating costs associated with those once they are rolled out, and that cost is not currently being incurred. The point that I wanted to make is that, as I can, I have looked closely at the issue of cyber kiosks, not least since the committee has raised concerns about them. I don't have concerns about that. This is not a situation in which I have a sense that Police Scotland were trying to avoid scrutiny by the SPA by bringing in a cost below a threshold. The SPA has in any case looked at that over the months and years, over its gestation. That proposal dates back to 2015's cyber infrastructure technical strategy. I think that I have provided to the committee a presentation that dates back to September of last year, where Police Scotland briefed members of the SPA on that, among other elements of reform. I genuinely don't have concerns that there is either a lack of scrutiny or some issue about trying to avoid a threshold for referring that to the SPA. I don't have concerns about the latter. I most certainly have concerns about the financial governance that the SPA undertook when the whole contract, according to our figures, differ from yours, still seems to differ from yours. Perhaps we can get some written evidence, clarify that and we can return to this at a later date. It seems to me that this is something that is absolutely germane for our moving forward and establishing exactly a very robust role from the SPA in its financial governance remit. Perhaps we will follow up, Mr Hogg, with just some clarification around the points, maybe a correspondence exchange. You mentioned a briefing—I am conscious of what you are wanting in—but it is the case that Police Authority received no briefing from Police Scotland in advance of the trial. The position is that the Police Authority did not receive a specific briefing about the trials in advance of their deployment. Yes, that is correct. I just wanted to nail down how the governance works. To reference 30 years ago, in my experience at the Bank of Scotland, where I could spend a quarter of a million as often as I liked in a day, as long as I had budget cover, the key thing was that I was a decision maker up to that level, but I was required within 24 hours to tell the next level up and done it. That applied from a teller who had £1,000 authority to lend money all the way up and eventually at £3 million had gone to the board. Is there a similar duty in the structure of how that works, that there is a decision maker up to one level but also a process by which the activities of the decision maker are reported to the next level in very short order? Is there two elements of it that make a robust system of governance? I will start that and then hand over to my colleague from Police Scotland. The system of financial governance that exists between the SPA and Police Scotland is set out in various documentation, including financial regulations, and that specifies the arrangements in place for the sort of referrals that you are talking about. Within Police Scotland and under the chief financial officers' overview, they have their own system of approvals, which we had also cited on. At that point, I would be happy to hand over to the chief financial officer for the detail on that. There are probably two things that I would say here, making a distinction between business cases and the letting of contracts, which is a procurement type activity. We have an investment governance framework that sets out the governance requirements for business cases that is linked to financial value and with regard to where the funding comes from, whether it is reform or whether it is core capital, and that is all documented. We follow that so that it applies both internally to Police Scotland governance and through SPA governance. There is a requirement for a business justification case that gets signed off and needs to be reported up. I wonder if I can just intervene to try and short-circuit this a little bit. I am really just seeing whether, when a decision maker makes a decision, and the procurement process is normally done by clerks, not to be too rude, being a mechanical process, but when the decision maker is a decision, is there a formal process by which the decision maker's decision is referred up the line in short order so that there is appropriate oversight, not to interfere with the decision to be aware and to be able to take account of the aggregate effect of all the decision maker's decisions? I understand what you are coming from in terms of the nature of the question. Our governance is very much driven around a series of boards—finance board, change board, audit and risk board up to the force executive board. Any of our business cases that would be affected? I am not trying to be rude, but I am conscious of time. I understand that there will be a complex matrix of how decisions are made, but I am not actually focusing on how decisions are made. I am focusing on what happens after the decisions are made. The decisions are made at a committee, so the approval for any given business case or major capital expenditure would be presented to a committee. It would be either the change board or the corporate finance and investment board that would make the decision, not the individual. There would not be a case of an individual making a decision on an expenditure that they could go on. Who gets informed that that decision is made? However, it is made, who gets told that it is being made? We would have an audit record at each of the individual governance boards of the decision that was made, who was present in the meeting. Depending on the size of the decision, it would either be—and that comes into our schemes and dedication on the actual financials. What would happen then is that it would either be accelerated up to the force executive, or alternatively it would be recommended for approval— For information or for decision? It depends on the nature of the decision. That is two parts, one is capital, well, one is money level. The other is about effect to the organisation. It might be that it is a relatively small expenditure, but the actual public effect or the effect on the organisation is such that it warrants a discussion at the force executive. Of course, what we do is also to recommend things that go across to the relevant committees within the finance committee or within the SBA, be it the finance committee or whatever, but everything would be decided in a committee governance structure. There is no unilateral decision making that is then—we seek additional support. I will pass. Yet the Scottish Police Authority was not notified in this particular instance, on the cyber chaos. I cannot comment on that. I was not here at that time. Okay. Rona Cymru. Thank you, convener. Mr Hogg, if I can ask you please, following on from your answer to Margaret Mitchell and the convener, just to clarify, you are comfortable with the approach that Police Scotland have taken regarding the introduction of the cyber chaos? In terms of the way in which the proposed expenditure was handled, I do believe that it was handled in line with the existing processes, both then and now. I have since looked at the written evidence that Police Scotland submitted to the committee and just to confirm the figures that the total cost of the purchase of the kiosks plus software plus training package came to £444,821, including VAT. In addition to that, there was a £101,000 annual revenue support cost, which would commence, this says, from today in 1920. Does that not take it above the threshold for you to be briefed then? You said that it was under the whole contract. No, because the way in which the threshold is determined alludes to the capital cost. Most capital costs will come with an on-going revenue cost over many years, but the thresholds are set in relation to the capital cost. I am happy to share, for example, the scheme of delegation that would set that out. Okay. Do you not have expected a community impact assessment to have been carried out, given that there were significant changes to operational policing matters? Is that not something the SPA would have been wanting? Well, I have been looked at this. The key point is that this was not a change to operational policing in terms of policing capability. This allowed policing to do in local police stations what they were already doing in regional hubs, and it avoided the issues of backlogs arising by sending devices off to doing that. That is the rationale for that. I understand that, but for a community impact assessment to assess what impact it would have on a particular community, is that not something the SPA would have wanted to have seen done? In this particular case, in respect of the trials, I do not believe that it was necessary, in terms of further roll-out of the key asks. I know that Police Scotland is setting up a reference group and that the terms of their use are going to be consulted on with the external reference group. I gather that they are now looking at undertaking additional impact assessments, but in terms of the trials that took place previously, I do not believe that an additional community impact assessment was required at that time. In the written evidence and in the previous session that we had, it was emphasised to us that the use of the kiosk is about efficiency and trying to make sure that devices are not taken from individuals for long periods of time in an unnecessary manner. The cyber kiosk technologies have been available to UK law enforcement for some time. However, as a constituency MSP, where I know that part of the trial happened at Gayfield Playstation, the remit of Gayfield goes into my constituency even though the station is partially outside. I do have some concerns that there were not any assessments undertaken, given the intrusive nature of the technology in that somebody handing over their mobile phone, which in the modern day and age has so much information about an individual, for there not to be an awareness about it, particularly around human rights, equalities, community impact assessment, as my colleagues have said, and data protection and security. If a constituent had come to me at a surgery and said, please have taken my phone and looked at every piece of data on it, I, even as a constituency MSP, loaned more widely, was not aware of that happening. I would have some concerns around individuals' human rights and their right to private life. I am reassured that there will be a greater determination to make those assessments for full roll-out, but is there any sense of regret or hindsight that you could have dealt with this more transparently? I will let my Police Scotland colleagues comment more on their practice, but the key point from the SPA perspective is that, at the time of the trials, phones were already being taken by the police for the same policing purposes. It is just that what happened to those phones differed. At that point in time, the phones were sent off to three, now five regional hubs. What happened in the trials is that the phones, instead of being sent off to those regional hubs, were instead assessed locally at the local police station. That is the rationale that has been given when the SPA has asked questions of Police Scotland about why they did what they did with the trials. Was it ever asked, because I noticed the written evidence, that this was only done by suitably trained front-line officers? What sort of training did they go through? How was that? Were checks and balances in place to make sure that that was the case? I saw what Mr Hogg said there, but to answer your questions earlier in the conscious of time, there were 25 officers that gave you a square police office were trained on that, so that was the provider of the technology, trained the cybercrime staff and cybercrime staff in conjunction with that provider, trained those 25 officers, and there was supervision put in place around about that. The trials were very much not about the public experience, because those phones are already legally taken, as Mr Hogg said, going to a central position. It was very much about the experience of the officers at the front end and trying to build that business case to show that there was an opportunity for service improvement and efficiency and trying to push that through what was a capital bid at that time. I still feel a bit uncomfortable that my constituents were not aware of this happening in their vicinity. I think that I would say that I am absolutely aligned to those concerns, and there has been a lot of lessons learned, which is why I think that it is so important that we now do those impact assessments. The direction that we had at the time was because it was more of a change of use that were not required. Annie would report that both what would have been a privacy impact assessment were now a data protection impact assessment that has been completed as has the quality human rights impact assessment, but I see them very much as live documents. If you are minded, I will get copies of them to the committee. I think that that would be very helpful, Mr McLean. I am conscious that Ben has asked a question about training that has gone unanswered. Perhaps I can answer it from the business case, because I think that Police Scotland would, in advance of the cyber case that we have put in place, would have considered the backroom function of the interrogation of data on phones to be a very specialist function. The undated unsigned business case talks in relation to training, the very last sentence says that it can comfortably talk in well under an hour. That does not suggest that it is a like for like transfer. That suggests that it is a roll-out of something different, and that is precisely where the concerns come about. People understand the technical requirements, so I think that it would be very helpful to have those assessments. Obviously, to provide those assessments, I think that if time permitting, if I can come back to that one, can deal? Yes, indeed. So, just in terms of that comment that you have made in the business case, that was actually the report that was provided from the Officers Act, Gayfield School, so that was the supervisor's view of the circumstances, and I think that comment is more attributed to the commercial provider of the equipment, but what actually happened was that there was a day's training, was that enough? Perhaps not. Ahead of any roll-out of the kiosk, which hopefully will be later this year, already the cybercrime unit staff have attended the three days teaching methods course. They are also working up the training package and for the 410 officers that are planned to facilitate that triaging of devices at the front end. So there are 410 officers that are in local policing. There will be a two-day training course, but they will only be able to attend that once they have completed the one-day online mandatory GDPR training, which is going right across the force. So they must include the GDPR and then there is a two-day training course. Ms McLean, that is something entirely different. I am reading from the document that Police Scotland had provided to the committee that has headed up the business case. Now, as I say, it is redacted, so we do not know who the training was provided by. There are other redactions across the term, but that final sentence says that it can be comfortably taught and well under now. That does not seem to be replicating a specialist backroom function, and that is where the concerns come from. Well, in answer to that, convener, what I would say is that I agree with your point about the specialism and interrogation of the data, but in terms of the actual interface with what is a triage device, it is pretty intuitive, it is fairly straightforward, which is the point that I think that the commercial provider is trying to make there. We understood that there was checks and balances and safeguards that were required, which was why it was a one-day training, but the actual use of the device in itself is quite straightforward. Ms McLean, sorry to keep coming back to this, not least because there is a couple of very short. The documents that we have been sent, appendix B, chaos, trial, business case, are you saying that that has been a document put together by the provider of the equipment, rather than by Police Scotland? No, what I am saying is that I think that it is a view provided by the commercial provider, which has been reflected within a police document. Okay, thank you. Ben, and then Stuart. Just very, very quickly, not questioning the integrity of officers at all, but just as a safeguard, are you aware whether the technology is able to delete information from people's devices or is it just able to copy? And if you don't know the answer right now, it would be good to have clarity on that, because, obviously, the ability to delete people's data would be quite concerning if it did have that function. Yeah, so it would do neither. What the technology does is allow a view of the data that is stored on the device and only the data that is stored on the device, and it doesn't materially change that, and that is important because the steps that may fall through the criminal justice system. Thank you, Mr Jordan. Just for clarity, my understanding, and I want to be rebutted or confirmed, is that the kiosk is about triage. In other words, it is about identifying a proportion of the phones that are initially saved that can immediately be returned, because they are not of evidential value, but that the real analyses will continue to be done at the centres. So what it's about is making the centres more efficient and delivering unnecessary phones that are not required back out of the criminal justice system, and therefore it is only a very small part of what would be done in the centres. Is that correct? So exactly that, Mr Stevenson. Our experience at the moment is that we have up to about 15,000 devices submitted to those cybercrime hubs, as described by Mr Hogg. The anecdotal experience of other forces in the UK, and again that was the purpose of the trials and borne out of the trials, that over 90 per cent of those devices would not be submitted in the future and would not be returned to their owners or would be negated from the investigation moving forward. So thereby, you know, a single digit would go to those more specialist of officers who would then carry out the interrogation and extraction of data. Can I clarify one final thing with you, Mr McLean? And again, it's that I'm lifting this from the documentation that is being provided. With regard to the issue of data and the phrase evidential efficacy, we're told that that wasn't collated in relation to the trials. Sorry, convener, could you just repeat that point? Data collated during the trials, and the word that I've got in inverted commas here from my notes is evidential efficacy was not collated. What was the Crown Office procurator Fiscal briefed on following the trials if it wasn't the evidential efficiency of this operation? So the Crown Office were briefed on the trials and they had no objections to the trials going ahead. I think, as I've said earlier on, there's always lessons to be learned and probably there could have been better record keeping around about some of those trials. Some of the figures are there but probably what was more reported back was the user experience of the officers at the front end and some of the investigative benefits from that. As I said previously, I think that if we were to record on the trials again, I would ensure that there was better governance around those trials and some of the detail that was provided. Okay, that's very helpful. That's been a long session. Thanks very much indeed for your evidence. It's been very helpful. We'll perhaps follow up, Mr Hogw, just a letter to clarify that one point and maybe hear from, get these documents from yourself, Mr McLean. Thank you very much indeed. I'm now moving to private session.