Br diverse increase of agency is obviously far greater than transformative. All thanks to Ben MacPherson for his work as a member of the sub committee and I wish him all the very best in his ministerial role. The first item is to welcome falltone back onto the Justice Committee, theossnik committee and ask if there's any declarations of interest that you require to meet Simon Thank you very much indeed. Ikr.— The next decision is on taking business and private and that's item 4, and we will consider our work programme and some other matters. Are members agreed to take that in private? Thank you very much indeed. The next item in our agenda is police Scotland's proposed use of digital device tree-eye systems. We'll take evidence from Sir David Freeland, senior policy offers of Iulodwch i yw ddim lleiwyr gweithio i ymwybodol y gweithio— mae'n gwheilio i ddod500 o gyllid yn fath y bydd. Felly adnodd yn gweithio i gael eu cwestiynau a hynny efo, byddai'n gwêg i'n gweld i'r ddod eich bod yn osbydd yn b Merfyrdd y Llywodraeth ac yn bod yn missi cesfarkadu'r merchawg sounddur. Mae'r ddod yn gweithio yn fath o cwestiynau a byddai'n gymaint i gael ei ddod i gael ei gael eich bod yn fath o bwysig. Thank you for those of you who have given written contributions. That is always very helpful. I want to kick off some questioning please but perhaps to yourself, Chief Superintendent McLean, thank you for the various documents that has been sent to... These trials commenced in 2016, why is it that here we are some two years later and the document in relation to the data protection impact assessment is still marked as draft? Thank you for inviting us along to give evidence to the justice committee today. We welcome the opportunity and more particularly to answer the question that you have put to us. The finance framework in 2016-17 did not support the trials at that time, so those internal trials trying to look at the benefits realisation to front line officers, service improvement and the experience of the public were something that we were keen to examine. However, the constraints within the force at that time did not allow us to progress them. We took some advice at that time. We obviously did not have GDPR with us at that time, so the impact assessments that were considered were different from where we are now. More particularly, your question on about the DPIA and the equality human rights impact assessment. We have drafted them after some consultation with some of the reference groups, which perhaps we will speak about earlier on. We see them very much as needing to be completed, but at the moment living documents until everyone can have a chance to examine them and make a contribution to that. Even as recently as last week, some of the groups who have engaged the external reference group were making contributions, particularly about the EQHRI, RIAA document, I apologise. We are hoping to get them to quite an advanced position where we can finally get sign-off on those documents and get some agreement across the various groups who have contributed towards them. Is there any recognition in the part of Police Scotland that best practice would be to make an assessment in advance of doing something, rather than at the conclusion? I welcome where we are and I welcome the engagement with the stakeholder and the reference groups, and that is very positive, but it would be good to hear that from Police Scotland. I accept that, convener, that we need to make some assessment of that and some of what was talking about the benefits realisation over perhaps the impact to the wider public in terms of introducing new technologies, so I totally accept that position that you have described. I suppose, convener, that there is a piece that until you actually think about the introduction of the technology, the training implications, how it is going to be delivered, the audit compliance around that and the wider impact in the public, it is perhaps only then that you can truly articulate that within the various impact assessments, but I do take your point. You accepted that it is a developing document and is there much changed in from what you would have originally assessed in, if you are saying that it is an evolving situation? Not fairly minor, so the external reference group, some of the contributions there were around the various articles under the convention of human rights, particularly around the right to a fair trial, so article 6 and 8, the right to privacy, so I suppose generally putting, they would look to see a bit more detail, so fleshing out some of the considerations that are within that document, so it is perhaps seems a bit too much police jargon and needs to detail some of the wider implications for the general public, so that is why we are quickly revising that document and I hope they get to position in the next few weeks, so we can get sign off on that. Okay, thank you. Mr Kuros. Thank you very much. I should say just leave your button at the bottom. Thank you very much for inviting the commission and I think this is a really good question that has been asked to the police before, the convener, as this question the 10 of May, human rights impact assessment and equality impact assessment are essential prerequisite to ensure that policy programs and projects are compliant with human rights and they should be done in advance even if you are running a trial, so the commission has significant concerns about the trial of 600 phones and the legality and the procedure how it has been run so far. We have to acknowledge as well that we don't have a full information about the trial, I was just learning about that earlier and while the police has recently adopted an open and multi-stakeholder approach it has not been the case from the outset. I think this highlights why the issue is the importance of a human rights based approach and policing, something that we have recommended for a while but if you allow me to focus on the current human rights impact assessment I'm afraid that the current assessment highlights a number of concerns. First of all the documents conflates certain legalities protections with human rights protections and I will focus on only one because of the time, so the analysis of article 8 relies heavily on data protection requirements. If it reads this article will be heavily protected due to the documents compliance with GDPR. The data protection framework which is a data processing is separate from the human rights framework. Compliance with this framework while necessary is not sufficient by itself to meet human rights requirements. So it is crucial and this is a crucial point I will say and one's other requires further analysis by the police. I don't think it's only a bit of tweaking or a bit of analysis. It requires further and much more analysis because the distinction between privacy and data protection are fundamental to understand how they interact and how they complement each other. Probably the concerns arise when personal identifiable information is collected, stored and used, which is not the case here but it's the case on the hubs and that is a legal question that focuses on justify or unjustify interference. Data protection is about securing data against unauthorized access. It is a technical question about the conditions to facilitate full and lawful protection of the data. So we are worried that these two distinctions are treated as the same and synonyms in the human rights impact assessment. Data protection is an expression of the right of privacy but not the same under the European Convention on Human Rights and for the issues that I could get back to them if the committee wants. It may be that, thank you very much for that, they will pick up on these and that of course there's always the opportunity to perhaps write us to clarify our points there. Do you briefly want to respond to that Chief Superintendent? I accept all the points that Diego made from the Human Rights Commission and my apologies to him and the convener and committee if I was too general in my view of where I said we were with the revision worker and about the impact assessments. But the points that Diego has made I readily accept and it was the same points that Privacy International made at the last reference group meeting that we held so that they are the substantive points that we are working on and I accept that. Okay, thank you. I just able before I passed to other members for questions to see where we are at this particular moment with Progressive. Are we on schedule for the start date that you anticipated and will all these mechanisms be in place prior to that and assurance on that please? So I think I previously briefed the committee before that we had an addictive roll-out period of around about October of this year 2018. But at the same time we recognised the importance of the consultation engagement. So in general terms where we are there's a lot of progress being made in terms of the training delivery, refining what that would look like across the whole force area to ensure that there's adequate coverage in terms of local officers providing local delivery. We've now had two meetings each of the stakeholders groups so those are the groups such as the Police Federation, HMICS and other groups who are more integral you may say to the criminal justice system. So we've had two meetings of that group the most recent being yesterday and we've had two meetings of the external reference groups so Open Rights Group, Privacy International, there's Invites for Human Rights Commission, Information Commissioner and others and the most recent meeting was last week. In essence the points that we are focused on is the legal basis for the examination of devices and the processes around about the use of cyber kiosks unless or about the equipment itself if would be my view the substantive point being there that the equipment does not extract or store data so thereby it's the wider considerations and I suppose Diego has touched on some of them. We are hurriedly working on three document sets one is a public information leaflet one is a principles of use document which would articulate the mechanisms by which data would be managed and those cyber kiosks would be used and one is an internal document for the users which is a toolkit but to more particular answer your question we're hoping that if we can get all those document sets which we're working on currently ready by about the end of October when those groups meet again we can look at a potential rollout commencing early November. Okay thank you very much indeed I said that was my final one but actually just following on from one of your points if I may please before passing on because we've a number of questions I'm looking at the minute of the meeting of 26 July of the the reference group and an issue that appears in there that has the issue of a situation whereby a witness gives over their phone and then subsequently changes their mind there's reference in there to discussions with Crown Office for Executive Fiscal Service about that is that issue being resolved because a lot of people would understand a different arrangement applying to witnesses than there would be to a suspect or indeed an accused. Yeah so that's a point that we discussed at the stakeholders group and it's very difficult to get a position that covers every eventualities that I'm sure the committee would recognise but what we have been explicit on is what the legal basis would be for the police to seize a phone whether it be from a witness, a victim or indeed an accused person and the legal basis is threefold it would be under warrant on some occasions under a statutory framework such as the issues of drugs act legislation but more particularly more frequently would be a common law power so even in the eventuality that a witness offered a device saying that there's something that has a material bearing on the matter under investigation then the legal basis for which the police would hold that would be a common law power. It's very difficult to cover every eventuality about what can be examined within that device what can be offered and can the witness get that device back depending on the case under investigation so clearly please have some discretion at the disposal but I think as soon as that's been taken as a production and entered into the evidential chain then actually may well be a matter for the prosecution and ultimately the court to deem the fairness in which the device was taken and the material importance of the content on that device. In that minute it specifically says Crown Office Procurator Fiscal's position is that this is an operational matter for the police. So this is around about the discretion element of it and also some of the statutory obligations that we have under disclosure legislation so to apply a test of relevance. Is the phone relevant to the matter under investigation? Should it be taken? Should it be examined? So as I said it's difficult to cover every eventuality on that. I understand that. I wonder whether it would be possible, Chief Superintendent McLean, to maybe get a number of examples of where the brief circumstances of where phones have been seized in respect of for instance an accused person or a suspect or indeed a witness just to give the committee some understanding of parameters and what applied. I appreciate that that would have taken place under the trial but you would like me to provide that at a later stage? Yes, please. I'm happy to do so. I'm happy to do so. Thank you for that Margaret. Good afternoon gentlemen. I wonder if you could maybe give some further information the rationale for the divisional breakdown of the cyber-keyest terminals and also the factors taken into account in deciding where they'd be located and the number that would be located for example Q division, which is Lanarkshire, has four. So why four and other divisions only two? Yes, I'm happy to take that question if that's all right. So there's been a lot of close working between the cyber crime hubs and cyber crime professionals and the divisional management teams within each of the 13 local police seniors across Scotland. So to answer your question in particular what we did was we provided demand analysis. So in terms of all the devices that have been submitted in the last couple of years what did that look like pro-rata pair local policing era? We then very much worked with the local police seniors for them to decide what in terms of their deployment model, how that could be resourced with the cadre of trained officers available at their disposal, aligned to the sort of demand that they think they might see across their divisions. So it was very much a matter for them as to how many devices they could take or could support within each of their areas, aligned with some of the statistical data that we provided per division. So you'll see that in some of the larger geographic areas, like the north of Scotland, A division will be taking five and N division will be taking four. So some of that was about the geographic challenges in those areas. But when you come down to the central belt some of the local policing areas are all different sizes, have different levels of crime and thereby a different level of digital forensic needs. So it was working very closely with the divisional management teams and some of the numbers and the locations they were all set locally by the divisional management teams within the local policing areas. So the ultimate arbiter of how many there were in each division or was there any disagreement or discussion on the number? As I understand it, it was all fairly amicable. There was no real issues around that. I think the point to make is, are those figures appropriate and will they change? The whole piece is that this will be part of a continual review process. So we will continue as once we roll out the kiosk to review what that demand is, the amount of submission, some of the benefits within those areas, some of the demands within local policing, so can the cadre of train officers continue to be resourced if there is a turnover of staff? So it will be under continual review and it may well be that those figures are adjusted as we go along that journey. Thank you, convener. Good afternoon, gentlemen. Just on that last point about the review process, can you give us a timescale of that? Is this going to be, is there an end date to it? And then you're going to say, well, we'll consider expansion and that kind of thing and rolling out more. Is that the plan or are you, can you just give us an idea of timescales basically? Sure. So I think what's come out loud and clear about this is auditing compliance is a really important part around the data security, data privacy. So what we propose to do once we go into a go live and it'll be an incremental roll out, so simultaneously in the east, north and west of the country, but incrementally to a full roll out over a course of perhaps three months, certainly by the early part of 2019, would be our aspiration. What we'd look to do is, upon going live in a particular area, start to generate some information, some performance data on about that. So how many submissions, any breaches, non-compliance issues, report that in through the Scottish Police Authority, but also we're looking at the publication scheme to see whether or not we can make that data publicly available on the Police Scotland website, if you will. So very much public facing that point of view. Sorry, on you go, non you go. Our aim is to be reviewing the deployment model probably after about six months, so from the point of going live in one part of the country, it'll probably take us about three months to complete the whole country or thereabouts. So probably about six months we'll do a full review of that whole process, but what we will do is capture learning as we move from one area to the next so that hopefully the product that's delivered towards the end of that roll out will be the best product that we can have. And if you found in a particular area that basically was being underused or not used, would it then be taken away or is that, would that be the idea? Well it may not be as extreme as that, I think there'd be an opportunity to maybe do a bit of deconfliction, so if there's some local policing areas that have more devices that are underused and some that have greater demand then I think there's a conversation to be had around about that. You know, I suppose in the circumstances we approach this in a very positive fashion, but for recognising the public interest around about that and some of your responsibilities, but if we start to realise some of the benefits that we think we will, then there probably is a consideration about, you know, would we look at making greater use of that type of technology, is the demand there, or actually have we quelled a lot of the demanding, stripped a lot of the volume out of the front end? Okay, thank you. Okay, Mr Keras, you wanted to come in. If I may just roll back a bit before talking about deployment, to your very, very relevant question about legality, which is very important under human rights and the rule of law, and it covers two aspects. One is the existence of a legal framework, and some of that has been expressed by Police Scotland, but the other point is, once there is a legal framework, the question is on the quality of that legal framework. So, accessing sensitive and personal data certainly engages Article 8, and there is a cluster of cases in Strasbourg coming from the European Court of Human Rights that confirm that everything from Copland to Kennedy to SM Marper, so that's quite clear. This cyber cause can access private data, and we know that everything from text to photos, web browsing, and even more sensitive data as biometric data, so many of our phones, my phone has my fingerprints and voice, et cetera. In a criminal law context, it even can have some information about journalistic material or legally privileged information, so incredibly sensitive data. So, the framework and the legality is an important one. So, we could say that it is possible to find more private information in a mobile phone than in a bedroom or in a house, and if we keep this metaphor for a second, the police needs a warrant to search your house. If this is the case, certainly a more or equally intrusive digital measure will require similar safeguard, but this is the first time that I hear the police mentioning the idea of using a warrant. I think that the commission would not be satisfied if there is no similar legal safeguard as when we search a house in Scotland. Chief Simpson McLean, I took that to be one of the options that could be used. Can you clarify the issue of a warrant before Daniel comes in, and then perhaps Mr Freeland, you would like to comment on what you have heard, please? Just to clarify, the legal basis was threefold. One was a warrant, one was a statutory power that the police would have at that particular time, and one would be a common law power. More particularly in relation to the warrant, what I meant by that was that the warrant empowered the police to search at that particular time and location to recover a number of items that were pertent to the investigation. The warrant would empower the search, which may include the taking of mobile devices, but it has been a long-held principle within Scottish law. As the view of Crown Office, particularly through our stakeholder reference group, is that having taken it under either warrant, statutory powers or a common law power, we are then entitled to examine electronic digital devices. I would like to say for the committee's awareness that the whole issue of the use of this type of evidence and how it is obtaining digital evidence is a priority issue for our office at the moment. We are looking at this across the UK in relation to all law enforcement agencies, very much supported by the information privacy international that has already provided us on police force's use. The legality of obtaining the data in and of itself is an important area. We want to do more work to understand, particularly in relation to the statutory powers. Actually, are those statutory powers fit for purpose? Do they allow an intrusion into the digital space where those powers were formulated maybe decades ago when we weren't considering this? We want to understand better what the legal position is at lawful in the first place. If it is not lawful in the first place, then there needs to be some legislative solution to bring the statutory powers up to date. Who would determine that? Ultimately, the legal basis is between the Parliament and the courts. Obviously, we need to make sure that there is a substantive legal basis, but it is an issue that Diego and myself and others will want to explore with Police Scotland further. That is quite a show-stopper statement that you have just made there. Just to clarify, you are saying that you are not clear whether there is sufficient legal basis for the police to access the data in this way using these devices. Is that correct? For our purposes, we need to know that the processing of personal data is lawful. The police have said that various lawful bases are warrant statutory or common law powers, and we just want to understand the extent of those powers. We are not experts in criminal law itself, so we need to do some work to understand, actually, whether that is lawful and fair. I would be quite interested by response from the police on that and whether you are confident that you can access the data lawfully and whether or not you think that there are sufficient access or sufficient grounds on the basis of existing legislation. To be quite explicit, I am confident, and I think that that is borne out with the many prosecutions that go through Scottish courts and examined every day and every year. Any challenges around that? Was the position at the courts upheld? Did the police half of the power to examine those devices? I previously talked to the committee before about 15,000 or so devices that go through our cybercrime hubs every year and then make their way into the criminal justice system, and they are able to push back any of those challenges. That is a position that is held by Crown as well, and we have asked them as part of the stakeholders group, are they comfortable with that position, and they would echo that and support that? Can I also follow-up? One of the reasons that I wanted to come in is the point that Mr Cure has raised. The sheer scope of information that is now held on Omoba for instance is very significant. There is one point in my mind about having access to that and the hurdles and protections that you put around that. The other point, and it is associated, but it is not identical in my mind, is that permission may be granted for one purpose and one form of data, but then what are the protections and provisions to prevent accessing other kinds of data? Is that a valid concern or are there considerations that I would be very interested in hearing from Mr Freeland around that as well? That is absolutely right. This is the first time that we hear about warrants, and I think they rely on common law for those searches and digital searches, but the email that I use is more in relation to a house that I stop and search, that digital stop and search, because of the sensitive information and very personal information about individual identity and social relations. The email would be more accurate if it is about a house. If we need a warrant to search a house and we would need something similar in terms of legal safeguards, that is the first point. The second point is that a warrant has to be specific, a warrant by itself could be unlawful, as you already know. It has to be specific enough to cover the reference that they are mentioned, so it cannot be about all the data in the mobile phone. It has to be relevant to the case, otherwise it would be unlawful. It requires a bit more of nuance than a warrant. Having said that, there are statutory powers that allow the police to do that, and the legality is quite clear. There are other cases that are not clear for us. From our perspective, in terms of purpose, data protection law is always quite clear that information should be obtained for a specified, explicit and legitimate purpose, and that purpose should be established at the outset. To then further re-use it for some completely different purpose or unrelated purpose would not comply with data protection law. I will just echo the point there. One of the other principles of data protection law is that the information that you obtain must be adequate, relevant and limited to the specific purpose. In this context, there is very much evidence-led policing and not obtaining everything, just in case there might be something there, but actually following the evidence. Just briefly, does modern technology not make that very problematic in that once you've unlocked the phone, you've unlocked the whole thing and actually sort of saying, well, I'm only going to look at this one bit is actually quite difficult, especially if it's police looking through potentially social media or something like that, but it's very expansive. Is that problematic? It potentially is. There is then an intrusion. If you're going through all text messages, then there's potentially an intrusion into other people's private conversations, which are not relevant to the case, rather than focusing on, well, the conversations between the particular persons who are already of interest. If that kind of interrogation leads to actually some other people of interest, then the evidence leads you to something that is further relevant to the case, but extracting everything wholesale already puts you at a risk of non-compliance. So are you satisfied on the basis of what you've seen that the police have got sufficient granularity of thinking to deal with that? At the moment, I want to understand the process at the cyber hub end of things in greater detail. I don't know if you briefly want to respond to that, Chief Superintendent McLean. I'm conscious there are occasions where you might crave a warrant to search for item A and cover item B, and there are issues around that legally, of course. I look to cover every eventuality, but I think that the overriding principle is that the fairness of the search and the evidence used against and accused otherwise will be a matter for the court to determine in terms of how the police came by that information. I'm not a versed in of the points made by either David or Diego, and one of the key parts that we have built into the delivery of the cybercursor triage devices is the assurance of proportionality and necessity. Very much the checks and balances from the point of the investigating officer, doing an electronic submission, checking that through a supervisor, through the trained officer and potentially through to a cyber hub will all be based on what is the matter that is on their investigation, what search parameters are you applying to that device and what is it that you think you may find within that, so that it is not just a phishing exercise that you think is the point that Diego was making that if you're looking too wide then you're going beyond some of your responsibilities. If it's one matter that's under investigation then your search of that device should be appropriate to that, so proportionality and necessity, it may well be that you have a raft of evidence from other sources, independent witnesses, and it may well be that the examination of devices is not relevant in particular circumstances, so proportionality and necessity are two key elements of the kiosk delivery. I have a couple of members to come in, perhaps before they do. Again referring to your data protection impact assessment, question 47 relates to article 8 and it clearly hasn't provided reassurance to Mr Keros, but it does say in response to how you would deal with article 8 respect for private and family life and the various elements thereof, it says, yes, as per any inquiry or investigation involving digital media there's an element of collateral intrusion, this will be managed using current and established policy procedures and practices. Are you able to briefly expand on what? So I think it's just the point that David was making, you know, if we take a device and we examine it then we image the whole device, we extract, download, examine all of the data on that device, we then try and secure that data, we don't make it available to other officers, we look at the sense of material and it's legally privileged, journalistic, I mean in terms of looking at considerate, so it must be a better user language. So we try to mitigate the collateral intrusion but we accept from the very outset that if you are going to image a device or other parts of investigations you always run the risk of some collateral intrusion. Okay, thank you, Margaret. I want to take a comment on privacy and international reports which suggested that police forces are using the technology in the UK without the clear safeguards for the public, in particular they suggest that Police Scotland are acting unlawfully in this area and that citizens' rights and interests are not fully protected. Now you said quite clearly that warrant in certain circumstances should be obtained, are you confident that it always has been obtained and where is the independent scrutiny to safeguard against abuse and misuse of what you've already said could be very sensitive and personal information? Okay, so if I can answer that one conveniently. I think that having read the privacy and international reports it gives an overview of how these types of technologies have been used across the UK, so some of them are different types of technologies, some of them are being applied differently and often there's very different sets of policy and procedures around the use of that. More particularly the assertion that Police Scotland are acting unlawfully, I would defend that position and say that that's not correct. One in terms of cyber kiosks or devices we have not rolled them out, so we are developing policy and procedure around that and I've already touched on it. You're not rolling them out but you have trialled them and that had an impact on the public. Okay and then more particularly the second piece about a warrant, so just if I can perhaps convener, come back and clarify. I was not suggesting at any time that we would ask for a warrant to examine a mobile device, what I'm seeing is that mobile devices will often be seized as part of a wider search that has been facilitated under the powers of a warrant and that independent scrutiny about fairness will be applied within the court environment as to where not the police did have the powers at that particular time to take those devices and conduct the investigation or examination that they undertook thereafter. Yeah I suppose I'm a wee bit concerned that finally you're saying the court will decide, I would hope the guidelines were sufficiently robust that it would be quite clear in your own mind that there would be no question when you got to court that I had been seized lawfully, so I think there's a bit of confusion there. Can I ask you there for if the reference group find that there's not sufficient legal basis for the police to access data, will the roll-out continue? Sorry was that to myself, so could you just repeat the question? If the reference group find that there's not sufficient legal basis for the police to access data will the roll-out continue? Well the roll-out has not come in so it's not so much that it will continue but I may have been pedantic there but I think if they were to raise substantive points then those are points that need to be addressed and that's the whole point of the consultation. I take it you're assuming that it is going to go ahead, we've gotten a number of kios, we seem to be into a lot of detail, I think it's a reasonable assumption that it is going to be rolled out but if the review reference group comes back and says that there isn't sufficient legal basis will the roll-out still continue? I think at that point if we had no legal basis we would have to suspend the roll-out, I think we would have to accept that, if there was no legal basis to use that technology in Scotland then it would be inappropriate for us to continue the roll-out. So it's absolutely essential that you work very closely with Mr Garret and Mr Freeland to ensure that you are absolutely clear and there's no confusion about exactly your powers and that they are being used appropriately. Very much so and we welcome the opportunity. I just wanted to finally nail down the issue of warrants and access to data and to do so I give an example. There's a court case on, the accused is as would normally the case being told by the court must go nowhere near any witness. A witness sees the accused outside their house, they live on their own using the mobile phone to photograph the house and what appears to be going on in the house. The report of the police, I take it there for point 1, the police can reasonably get a warrant to look at that mobile phone to get the corroborating evidence that such activity was taking place but in doing so they will look through the folder of all the photographs. If they were to find for example illegal images of young children would the police be able to act on that second point as well as the first scenario that I've dealt with? I think that if the police thought they had to seek a warrant, the warrant would be to empower them probably to be in a private place to recover that device. The warrant would not be, and that's the accepted principle in Scotland, the warrant would not be required to examine the phone and thereby the content. The second point I think you make is around about self-incrimination. If the police are being proportionate and applying the rules of necessity and proportionality and looking for one piece of information within a digital examination that has a bearing on the matter on the investigation but in doing so find something completely different then they would have some responsibility as law enforcement to bring that to the attention of prosecutors for the potential for either other powers to be afforded to them or to consider a separate investigation and possibly prosecution for those matters. That's fine. I think the issue with the warrant is something that I mentioned before perhaps I wasn't very clear is that it has to be a very specific warrant in this particular case because if you have a warrant to search a house and you go into the house and there is a folder or documentation that it says confidential that warrant not necessarily will allow you to to open that documentation. So it's similar with a mobile phone. You can see this and you can confiscate the mobile phone but a different issue is to examine the content of the data. And this is like another human rights implication which is on article six of the convention and in terms of fair rules of evidence and it means that proper examination of the method in which the evidence was obtained and admitted and the criminal proceedings are correctly are a matter for the court and it's a matter for the law where the evidence is of dubious quality and the rights of the defense have been respected or is improperly obtained. It's for the national court but certainly engages article six and this is a completely different level from article eight. So article eight, article six and even article 10 are significantly engaged in in this new policy and they need to be rigorously scrutinised and examined before it's rolled out. Sir Curtis, are you cited on the document data protection impact assessment that Police Scotland have produced? I was sent the document a week ago because that's correct. In relation to, this is question 45, in relation to the implication that it says one word in relation to article six that there are no implications. That's correct. That's what I was about to say that there were further concerns on our side in relation to the impact assessment. So there are no consideration of article six, there are no consideration of article 10 and freedom of information and speech. Article seven and nine, apparently, that are no implications. That's correct. And article eight relies heavily on GDPR. So there are significant concerns when it comes to the impact assessment but we are willing to work with the police to try to help as much as we can to solve some of these questions. I do think that the point has been covered, not unusually, Sir Steven since a step ahead of me. I will put it at a slightly different angle if it does run the risk a bit of a repetition of answers. I think that we're all quite concerned about the possibility of the collateral damage, as it's been called, of possibly private conversations between people not involved in any investigation being brought in. To put another sort of angle on it about Sir Stevenson had done a device that was being checked and came through a private conversation or whatever. There was another situation that came to light, perhaps something that the public would expect the police to act on such as a possible attack or something of that nature. Given how it had been identified, what would be done in that situation? I mean more like rather than the last answers that came in more practically, so just for the general person in the street, how would you proceed with that? Again, not knowing the specifics of the example that we're talking about, but if there was a general threat to someone's safety or public safety, then I think there's a responsibility in the police to act upon that. That may be an overriding principle. Whether or not that would undermine a prosecution at a later stage is perhaps a secondary issue, you know, and the overriding pieces about protecting the public around about that. It would very much depend on the nature of it. The point that is fairly common is that police will often secure a warrant to search a premises where they believe drugs have been supplied, and often within those premises they'll find other materials. The most routine one is perhaps a firearm, so they have a warrant to be in those premises. They have a warrant to search, but they have no power to seize a firearm, but clearly there's an overriding principle around public safety and potentially other serious offences that people have committed. At that point, not ordinarily, we would seek another warrant to remove the firearm from those premises. It's not infrequent that those types of circumstances come up, but what I would say in terms of digital forensics is that it's less frequent a situation where there are elements of self-incrimination. The checks and balances that are important to put in place are only proportionality and necessity so that you're not taking a very wide view of all the data that's within someone's device, but you're looking more particularly about the data that may have a bearing on the matter on their investigation. Liam, how are you? I was going to ask about the external and the stakeholder groups, and in a sense how they interact. I think that we've heard mention of both having met on a couple of occasions most recently over the course of the last week. It would be helpful to understand the frequency with which those groups are expected to meet. Indeed, the interrelationship between them is the commonality between them, a Police Scotland presence in both. Is there any other mutual membership arrived at, and what is the interaction between those two groups? So, for the committee, I'll just quickly run through the stakeholders group. I suppose broadly put they are the group that may have a more relationship with the criminal justice system, if you will, so that's made up of the Police Authority, of HMICS, of SPA Forensic Services, Crown Office Procurator Fiscals, Police Scotland Information Management, Police Federation, Staff Associations, and I chair that group at this moment in time. The reference group is chaired by our business relationship and partners, so it's a Police Scotland senior civilian member of staff who has no connection with cybercrime, and we have offered the chair of that particular group to the attendees and they are considering that position where they would wish to chair that group. The people that attend that are Mr Amaranwar, human rights solicitor, open rights group, Privacy International. There's invites to human rights commission, Diego. Information commissioners office, victim support, and the director and assistant director from Cyprus, the Institute for Policing Research attend that group. So that very point, Mr McArthur, was put to the external reference group, what relationship would they seek to have. They wanted to retain some independence from the other group, but they did ask that they could have access to the SPA Police Authority, member that sat in that other group, so that they could have some any issues that they wanted to escalate or to articulate that they could report that to the Police Authority. So Mr Robert Hayes, who attends that group, is happy to facilitate that, and from time to time, at the request of the external reference group, we'll also attend that group. You mentioned earlier, I think, in relation to Mr Keros' concern around aspects of article 8, that this had been put to stakeholder group and that Crown Office Procurator Fiscal Service had given assurance around the way that issue we dealt with under current practice. That suggests that the reference group will raise issues that the stakeholder group will then back back or satisfy itself or are not issues. What's the report back mechanism for the reference group, which presumably had raised these issues in good faith and would expect a substantive answer as to why this concern was unfounded? Yes. So the minutes are published and a number of actions are taken from those respective groups, and what we're trying to do is provide an overview to each of the groups about the respective meetings. So whether Crown makes substantive points around about disclosure obligations, whether the reference group makes substantive issues around the legal basis for phones being examined, then we will try to take them back to get a respective view from each of the groups and some of the key stakeholders on them and feed that back into the groups. And tabling in the meetings, how frequently? I apologize, so we're meeting almost on a monthly basis at this moment in time. Diolch yn fawr i'r ffordd. I mean, what's your understanding or experience of the way in which that interrelationship is functioning? We haven't attended the meetings yet, so we were sent an invitation and we considered the invitation and we will attend the next meeting. So at this moment I would be unable to answer that specific question, but our views will be expressed in different ways through the website, the commission, but also through different reports to this Parliament and even international bodies as you know we engage heavily with the UN. If I could turn to some of the practicalities, we've heard about the purpose of the kiosk, the kind of triage, the process where there is evidence of value to a particular investigation that will then be passed on to the hub. Is that in every instance or would there be further investigation undertaken at a more local level if evidence of value is found to be on the device or is it at that point it automatically passed on to the hub for further examination? So we're writing up the guidance documents in terms of the principles of use and we're saying there's probably only a few exceptions where devices wouldn't go through a triage process and they're more particularly around about child sexual exploitation or abuse and perhaps some professional standards issues where it may not be appropriate for local officers in terms of the wellbeing of those officers to look at that type of imagery or perhaps on the professional standards piece to be involved in the investigation at that stage, but what we are saying is that all devices taken through that local triage process, what would happen is that the device is already legally taken, we would hope, there will be a number of checks and balances in terms of supervisory checks around about that and it would already have been logged within police systems as a production and exhibit or a piece of evidence if you will. What the triage process allows the officer at the front line to do is to apply some disclosure principles and in particular a test of relevance, is there anything within that device that has a material bearing on the matter under investigation? If the answer to that question at that point is no to the investigating officer, as provided by the trained operator, then the device can be returned to the owner quite quickly thereafter. It may be interesting for the committee that I've looked at some figures since I think the Prorske events that the committee in Ireland may, until now, there's been almost 5,000 devices submitted to our cybercrime hubs for full examination and full forensic examination and download of those devices. At the figures we work at the moment, we suspect that probably less than 10 per cent of them would have passed that test of relevance in terms of having anything that was material of bearing or benefit to the matter under investigation. The largest way that those devices now sit within our cybercrime hubs that could have been probably returned to the owners at a much earlier stage. The second advantage around it is that the officer who is taking the device, who is going to the triage operators, can quite quickly look at any material that may be relevant to the investigation and perhaps build it into an investigation or interview strategy that he or she is compiling at that moment in time. In the absence of triage devices, what would ordinarily happen is that we go to a cybercrime hub and it's likely to be a number of months before the investigating officer would get any response in terms of what may or may not be on that device. So it provides a much better service at the front end to the investigating officers and I think it provides a much better service to the public, but more particularly for me, when some of the contributions made here today, perhaps there is a risk about the amount of data that we are downloading and examining from devices which are needless and it's all about a process. The overriding principle is that those triage devices do not extract or store any data on them but what it does provide is an opportunity to apply that test of relevance and see whether or not the device needs to go any further in the criminal justice process. We have heard examples earlier about child pornography, for example, and then the duties or the expectations upon officers to follow up those leads. There will be examples that are considerably less serious but possibly foul of the law in some way. I suspect that there will be a public anxiety that, in a sense, the phone is being taken and scrutinised for one purpose, but there is a risk of self-incrimination that would span a wide range of fairly minor misdemeanors but would still be counted as offences. What assurances about that collateral impact can you offer in terms of the proportionality of the use being made? I have talked through some of the processes in terms of the supervisory checks and the proportionality necessity. That starts at the initial device having seized and an electronic submission through the cybercrime processes that the device has been possessed. I suppose the thing is that at the moment what you have got is a hub process and I understand the issues around the delays and the time taken to carry out those investigations and return devices to individuals. However, at the flipside, there are far more individual officers and possibly civilian staff. Potentially all officers are now in a position where they would be interrogating those devices and be required to be trained in how to handle that. The use of which discretion may potentially vary. Therefore, officers who are absolutely on the money in terms of the way that they apply those protocols. However, there has to be a heightened risk of officers being less able to interpret those protocols in a way that the public would expect and where concerns would then arise. Just by dint of spreading out the numbers of individuals that would have to be trained and then implement and act within those protocols, there has to be a heightened risk of officers. Does that not? I accept the point from me, but I think that the key word that was used there was discretion, so discretion is at the disposal of officers at this moment in time. I suppose that if we are thinning out the volumes that go to the cybercrime hubs and the amount of examinations, thereby we are reducing that risk and potential for those numbers. I know that you are seeing the numbers that are at the front end, but there is discretion available to those officers at the front, so they are fairly minor matters and it is difficult to give an explicit position, but it would depend on the severity of the crime or the information that they have come across. However, I do not know that necessarily there is an additional risk. I think that that risk is ever present here at this moment in time and is dealt with by a way of discretion. I think that the risk comes from the fact that, as you have accepted that the exposure to a vast amount of data means that there is more potential for information to come to light that would then require an exercising of that discretion that does not happen to the same extent now. I appreciate that all officers will have a level of discretion and we would not want it otherwise. You need to trust them to act with a degree of common sense and proportionality, but that exposure to a vast amount of data, I would have thought, leaves open a wider risk that that discretion is exercised in a less proportionate fashion. One final point of my making, but I am conscious of your time. I will try and get this very short. Currently, the process that we go to a cybercrime hub would be a full examination, so all the data that we push back to the investigating officer to make that determination, so I think that that affords them a greater opportunity to look at self-incrimination across all the data. The process that we are looking to introduce is that the investigating officer would ask a very closed search parameters of the trained officer to examine the device and come back with, in effect, a positive or a negative response. That amount of data is closed off in many respects to the investigating officer, and thereby I think that the risk is reduced. That is a very important point in terms of training. As far as we know, there are 18 police officers trained. We do not know what the type of training is. Most privacy protocols fail because it is not a technical question. It is a human question, as you said, so it is the people who are exposed to that, who are exposed to that information to our individuals. It is not the machine. I think training is a very fundamental question. The other point is that obviously there are good reasons to interfere with the right to privacy. Article A2 for C is those and prevention crime and national security, et cetera. However, we think that without independent oversight, clear guidance and examination of the pressing social need to introduce this measure and the proportionality of the measure, there is a higher risk of being arbitrary or of being subject to abuse. We think that some of those questions are still an answer. I echo that a lot of the internal governance around the use of these devices is absolutely crucial that there is proper guidance on what to do, crucial that there is proper training, and crucial that there is internal oversight, as well as external oversight of this as well, by way of audit, step sampling and ensuring that officers know what they are doing and that training is not a one-off at the start. However, if training needs arise through audit or whatever, those are addressed at an appropriate stage as well. I just want to engage with some of the numbers. First question, how long does the triage take? It will probably depend on the type of device, the complexity of the device. I'll probably go to my technical expert to answer that for me. All devices are different. The triage system much like the software that is used in the lab will prompt you to do certain things. I think that what we all understand is a burner phone, which is a phone that is not a smartphone. It does not contain very much. It may only have the stuff on the SIM that is going to be very quick. What does very quick mean? Very quick could be less than an hour. If we go to perhaps an iPhone, depending on the size of the iPhone, although yesterday they were going to be releasing something that is absolutely enormous in terms of storage capacity, that can take up to two to three hours. Depending on how much data is on it, that is a triage system. It still has to go through the system. On the triage system, you are going to set parameters and that is going to narrow down the field of what you are going to look at, and that is where you are close questioning of. Right. That is useful. It leads me to my real question, which is, why is triaging done in the hubs currently? If 90 per cent of what you are getting in is ultimately found to be of no interest, are you triaging to try to find that 90 per cent? We do not triage in the hubs. Why? You know the level of submissions that we have for me to run several phones through and produce something else for someone to review, that lets me put more phones through and get more phones processed. So there is maybe an element of sausage factory in this? Well, if I may, if the maximum is three hours, that means that of the 41 devices they will each be in use for doing triage for 30 hours per month, that is what the numbers tell me. It strikes me that in a sense you are trying to get the things that are not worth dealing with out of the way first and that is good news. Is there an implication that the 5,000 that are currently going to the hubs is constrained by the present arrangements and that you would expect it might, that more than 5,000 would go through the triage system but at the same time the number that would go to the hubs would reduce? Is that where we are heading to? Absolutely. I think that the pressures that are on the hubs are matters of volume and we also have to satisfy the needs of procurator fiscals who will give deadlines for things that they want and that has to be one of the first things that we do. We really are running out of time and I want to be trying. So really we are trying to do two things with these devices. First of all return the phones to those people where the phone is of no interest much quicker get that out of the way. But secondly to get to the hubs a greater number of serious cases that can be properly fully analysed so that we improve law enforcement where a mobile phone is part of the equation. If I may convener so that the 5,000 figure that I gave you is what we would have expected for this year I think I previously given evidence to the committee saying we are on track for about 15,000 devices a year so that's based on the numbers of the last couple of years. So I think the 5,000 is an indicative figure in a four month period and the 15,000 would be the expected scene in the course of a year. But the principles articulate remain the same. Yeah I think as soon as we get to the cybercrime hub we are into full examination, joint reports and at the criminal justice system. Can I ask the status of the individual whose phone is being triaged for an hour? What is their status when this is taking place? It would depend on the circumstances of the police contact with that individual. It may well be they're an accused person and they've been arrested and it may well be they've been a witness to an incident and they've provided their phone and the police have taken it under a common law power. It very much depends on the circumstances, convener. Is that following the new change to the right? Is that the only two statuses that someone could have there? So they could be not officially accused or they could be officially accused or a witness? Or are we including not officially accused as being a witness? No I'm not being pedantic with words but it's clearly because the concern clearly and just to articulate the concern is that there's the potential for some huge fishing exercise. Now I know you'll say that you would neither have the time nor energy for that but that is the concern that someone becomes involved in something that they're perhaps the subject of finding themselves in a police station and there's an opportunity to look at their phone. So their status at that moment, never mind the status of the inanimate object, I think is very important. So I've described the legal basis of which the police could take the device and I don't think there's any change to that. What the criminal justice legislation has provided is two distinctions between some having had their liberty taken away from them and having been arrested so they have been deprived of their liberty at that stage whether they're officially accused or otherwise. But the reason that the term witness is important because we had that earlier discussion about the remarks that are in some of your papers there about the Crown determining it's an operational police matter where a witness to withdraw their wish to have their phone examined. Yeah. So my view would be a witness is something very different from someone who has been arrested. Indeed. Indeed. Daniel, you had questions? Yeah, I just like to follow on from Lou MacArthur's points about training. I mean, both Mitch Coeurys and Mr Friedland said that training is very important. What I didn't hear was whether or not, based on what you've seen, whether you think that the training will be sufficient based on what you've seen from Police Scotland so far. Have you had any sight? No, the quick answer is no. Unfortunately, no. And again, Mr Findlay already explained the importance of continuous training, not only that there is a training, but the scope of the training, human rights, is a key element, and then that is continuous. So I'd just really like to go back to Mr MacLean. I mean, I think, based on what we've heard this afternoon, that we're in September now, and based on what you're saying, that you are seeking to roll these kiosks out in November, I understand, but strikes me from what we've heard. There still needs to be resolution around the legal framework, principles, and particularly human rights. That hasn't been done or hasn't concluded yet, and therefore you need that to be concluded surely in order to devise the training which needs to take place before that. So we've really got a matter of seven or eight weeks to both conclude those legal and human rights principles, devise the training and deploy the training. Is that enough time to do all of that? I accept, Mr Johnson, that we've been extremely ambitious, so the training has been devised, it's been written up, you're right, we are very ambitious in terms of the time frames, but I'll go back to that point earlier on. We understand that the rollout can only be once I've concluded all those other matters. Sorry, how on earth can you devise training prior to really concluding the work on the human rights basis upon which you'll be carrying out this work? I really struggle with that in a quite fundamental way. I apologise, I should perhaps be a bit more explicit there, so what I mean by that is the actual training in terms of the operation of the devices, but hopefully we're building upon a knowledge base. I mean police officers have not come to this blindly, it's built on a knowledge base where we understand proportionality, necessity, our legal powers, our responsibilities around about the articles, so we're hopefully building upon that, but you're absolutely right, the document sets that will support the delivery they need to be concluded and we've set some quite ambitious timescales around about that. At what point does that ambition become over ambition, if I can put it like that? We'll remain optimistic, but we understand there's a lot of work to be done. Thanks, convener. Police Scotland have stated before that downloading data from devices on to disks may be an option that's still being considered, and has there been a solution for encrypting disks being found? So the technology that we've bought or procured has the ability to export data, but we've taken a conscious decision and that's been welcomed by the groups not to export any data on to disk, so the position that we will have is the devices will not extract data, will not store data and will not export data on to any disk or any other format. Okay, and what was the reason behind that decision? Well it's primarily around about data security, data privacy, so as soon as you export that, there's a whole range of audit and compliance you need to consider on about that. As part of the on-going review, we will see if there's an evidence base for that, but in the absence of that, it's not something that we're going to put in place at this time. Okay, that's fine. Okay, thank you. Okay, can I just say, Chief Superintendent McLean, that the committee is obviously very keen to understand police operations and put as much, ensure that there's as much support to tackle crime? I wonder would you reflect, and it's to go back to a comment that I made right at the beginning, that this is completely back to front. There's been significant public expenditure curiously just short of the amount that would trigger involvement for the police authority. Work was undertaken with no assessments. We would want an assurance that that won't be the way that you go about business henceforth, and that you will engage meaningfully with Mr Feiland, Mr Queeros and indeed others on the wide-ranging concerns that remain about this, not with standing the work that's been done. We do welcome the engagement, but do you understand the depth of concern there is? Excuse me. Absolutely convenient, and I'll give you that assurance, which is why a person become involved in a number of the groups. Hopefully, Mr Feiland and Mr Queeros will participate within that, and we'll see that openness and transparency that we're trying to bring to what's quite a complex issue. I think that it's wider than just cyber chaos. I think that it's a wider piece of them at Digital Forensics for law enforcement, and yes, there are absolutely lessons that will learn, and I can give that assurance that we will be more considered in the future about how we approach these challenges. Okay, and we hear about the additional technology that's on-route and the additional capacity there. Just to follow up from my colleague Margaret Mitchell's comment there, we also get to reaffirm that if you fail to get the approval of your colleagues, either side their Asher guards, the serious human rights and legal aspects, that this won't proceed. Yeah, and I think that I'm on record saying that if there's no legal basis for us to continue with this technology, then it will not proceed. Okay, thank you very much indeed. Can I thank you all for your written evidence for attending today? That's much appreciated, and we now move into private session. Thank you.