 Fesca Mawr Hleduyniaeth falchia. Gwethe fyddion iddo i gyd yn gweithio. Mae ymgyrch nesaf o'r cysylltu cyfath o'r Cysylltu Cymru i'r Cysylltu Cymru. Rwy'n gweithio i gyd yn gweithio. Rwy'n gweithio i gyd yn gweithio i gael Lleith MacArthur i'r cimbr i gael eu cysylltu. Rwy'n gweithio i gael eich cysylltu, ond yn gweithio i gael. Lleith yn gweithio i gael eich cysylltu i gael. Agenda item 1 is a decision on taking business in private, item 3 in private, which is a discussion on the sub-committees work programme. Are we all agreed on that? Agenda item 2 is the Police Scotland's proposed use of digital device triage systems, more commonly referred to as cyber chaos. I refer members to paper 1, which is a note by the clerk and paper 2, which is a private paper. I welcome to the committee Detective Superintendent Nicola Burnett, Police Scotland, and Kenneth Hogg, interim chief officer, Scottish Police Authority. I thank the witnesses for their written submissions. As ever, that is very helpful. Is it Mr Hogg's first appearance before the sub-committee, I invite him to make a short opening statement, following which we will move to questions. Thank you, Mr Hogg. I am pleased to have the opportunity today to contribute to the sub-committees discussions for the first time since taking up my role as interim chief officer at the Scottish Police Authority. The authority has been briefed by Police Scotland at various stages about its proposals to use cyber-kiosk devices. That engagement has been part of the authority's oversight of the delivery of the policing 2026 10-year strategy. The kiosks are one of 17 initiatives that comprise that wider programme of change. The authority has asked Police Scotland about implications for data handling associated with cyber-kiosks. A key assurance that has been provided by Police Scotland is that this new technology does not extend the powers that the police already have in relation to accessing information on mobile phones. Instead, it lets officers carry out what they already do more quickly and more locally. Public interest in the handling of personal data is of growing importance to policing, as it adapts to working in an increasingly digital world. The SPA is therefore increasing its oversight of those issues, including through its scrutiny of an integrated digital data and ICT strategy, which is being developed by Police Scotland. More generally, the SPA is undertaking a comprehensive programme of improvement in its own ways of working. That includes being able to better scrutinise Police Scotland's delivery of their change in modernisation programmes and to shine a light on issues that are of public interest. I look forward to answering your questions. Thank you very much indeed for that, Mr Hog. I am going to start the questions. I am going to refer to a submission that the committee had at the time that we were looking at the Police Scotland Standing Firearms Authority. At that time, Mr Ian White, who was a board member, addressed the committee. Indeed, in the submission to our committee, we heard and I quote, one of the principles of good governance is that the public voice is appropriately heard within decision making. In relation to that particular issue, the SPA stated that one aim of the SPA's inquiry was to assess, and again I quote, what if any lessons might be learned about operational decisions with wider strategic and community impact are communicated to national and local oversight bodies in other key issues? Are you able to outline, Mr Hog, the public engagement that has been on this issue, please? The proposals to introduce cyber kiosks are part of, in the first instance, a national cyber crime technical strategy, and that in turn forms part of the policing 2026 10-year strategy. There has been public engagement around about the overall strategy, specifically on the issue of cyber kiosks. The SPA has had conversations with Police Scotland at various stages over the last several years about the development of that. Some of those have been in public and some of those have been in private session. You will understand that the issue is very much in the public domain now. Are you able to see how much has been spent on that particular initiative, please? Yes. The purchase of the 41 cyber kiosks comes to a total of £445,000, including VAT. That includes the cost of licences and of training that goes along with that. In addition, there will be an on-going annual revenue cost of £100,000 a year associated with their use. Are you able to explain what an evidence management system support that you understand is a contract awarded to a company called Abbott Informatics is about, please? I am sorry, could you repeat that? The term evidence management system support and maintenance, which is a contract worth £431,000 provided by Abbott Informatics, relates to the issue that we are discussing. I can probably answer that question. In terms of the deployment and the purchase procurement of kiosks, there is no direct linkage. I do not know for sure, but I think that that is to do with the management of the information in the cybercrime, but I would need to get back to confirm that, sir. However, in terms of kiosks, it is not directly linked, as far as I am aware. To understand, it might have some relation to information that the kiosk gleans subsequently? No, sir. It might have something to do with the overall digital forensic infrastructure that is managed within the cybercrime hubs, but in terms of the information that is managed within the kiosk, the information that is managed within the kiosk is solely within those kiosks. There is no data retained on the kiosks once an examination has taken place. So, if data is uncovered as a result of the examination, what happens to that data? The way that we are proposing in our policy practice procedure to use the cyber kiosk as it is referred to in our local policing areas is that, if a device is seized by a local policing purpose, because we have seized it for a lawful policing purpose, we are looking to identify if there is any information data on that that can expedite or support the inquiry that is under investigation. That device will be inserted into the cyber kiosk by one of our specially trained officers. What you can do is put in parameters of your search. For instance, if you were looking for specific text messages to support a domestic abuse inquiry, you would be able to put in specific search parameters and identify to see whether that device had such information held on it. If that was the case, your confirmation would be that that device supports some evidence that will support your inquiry. Therefore, you would then send that device for full digital forensic analysis into one of our cyber crime hubs in Police Scotland. Is it at that point then, for instance, that those contracts were awarded very close together? That is why that question arises. Is that when the evidence management system support and maintenance would then kick in? In terms of that specific contract, I would need to go back and get confirmation on that. Okay. There is another contract that was awarded that day, e-discovery and analytics software, and that was worth £286,000, and that was provided by a company called NUIX. Is that—how does that relate to the cyber case? That again is another piece of software that has been procured for the establishment and finalisation of the digital forensic hubs that are being stood up within Police Scotland. The purpose of the digital forensic hubs is to ensure that, in the north-east and west of the country, we have a systematic and corporate hub system that supports the digital forensic analysis of devices that are seized within Police Scotland. Items that have been purchased this year, including NUIX, are tools that will be stood up within the hubs to assist us in our digital forensic analysis of devices that are seized. Those contracts—indeed, Mr Hogg, the figure that you mentioned is £75,000 more than the figure that I have here. However, the cumulative total of that was more than £87,000. What input did the Scottish Police Authority have into that expenditure? Just to clarify, the figure that I gave you includes VAT, and I think that that is the difference between the £370,000 figure that is cited in written evidence and the figure that I gave you, including VAT. The cyber hubs that have been described are part of the national cyber crime technical strategy that I mentioned earlier. That is to create three centres of expertise across Scotland to increase and modernise Police Scotland's ability to deal with all forms of cyber crime. The procurement and expenditure around that takes place within the agreed system of financial governance between the SPA and Police Scotland. Purchases up to a certain value, Police Scotland can undertake at their own hand. Purchases over a certain threshold, which is £0.5 million, need to come to the SPA for my approval as the accountable officer for all the policing budget. Beyond that, they need to go to the SPA board and, indeed, the Scottish Government for approval. The purchase of the 41 cyber kiosks fell within the category of expenditure of which Police Scotland should procure at their own hand. The business cases for that were put through Police Scotland's own governance procedures and boards, including the capital finance and investment board and the change board, which happened in 2017 before the procurement in 2018. Clearly, the cumulative effect of the three would take it over that threshold. We have heard that two of them are linked. From the governance point of view, how do you monitor that for argument's sake? There are things that are £499,000 and lots of £499,000—I think that you know where I am going with that. To my knowledge, the additional pieces of expenditure that you referred to are separate from the operation of the cyber kiosks. They may together take place within the cyber hubs, and they are part of the national cyber capability, but I think that they are separate. In terms of the overview, the SPA has access to and attends meetings of the capital finance and investment board in Police Scotland and the change board, which approves business cases. The SPA is cited on expenditure, even if it falls below the threshold at which it formally requires SPA approval. Were you aware of each of those contracts? I was not involved in discussions about those particular contracts, no. I just wanted to go back to the superintendent and make sure that I understood some things that were said. The first one is the simple one. I took it from what you said, that the data that are extracted from a device that is seized and analysed in the kiosk, being for the purpose of triage, never leaves the kiosk. That data does not go anywhere from the kiosk. No, and indeed it does not remain on the kiosk. When you insert the device, you have a view of any data that is held on that device. You then identify if there is any information pertinent to the inquiry that you have under investigation. If there is, the next step is to proceed to submit it for full digital forensic analysis. If it does not, then it will be returned in due course to its owner. However, at the end of that examination, what happens is that the examination is closed down. Any data that was viewed through the window of the kiosk does not remain on the kiosk device. However, what remains is clearly an audit trail, so there will be a unique reference number. We have a form of audit and governance to understand when activity is taking place, but it will not retain any of the data that was viewed from that device. The other side of it, which I think that you have partially answered, is that all the data from the device that is being seized is extracted in the central facility. The processes that are associated with that are what govern the use and protection of access to that data. I would like to say that there is another option that is available. If, for instance, there is a case whereby, whilst viewing the data on the kiosk, there is an opportunity to download the data of consequence onto a disk, that is an option that is available to those trained officers. We are currently looking at how we will manage that. To be clear, those kiosks are not in operation at this time. The reason for that is that part of the project of deployment has always been at the end of procurement. We have to consider training, policy, practice and procedure. As we would be right and proper with any of the technologies that we were bringing into Police Scotland, but, specifically, there will be an option that you can download data onto a disk, but we are looking at the solutions for how those disks can be encrypted. We are still to be fully satisfied that that will be an option, but it is something that is under consideration at this time. Just finally, and I really do not want to go too far with that, that would only be in relation to a device that has been triaged as being a device in which you would wish to take further interest. Twice now you used the phrase of a note to your collector, correctly, policy, practice and procedure. I would have thought that you would have wished to clarify all those before you undertook trials where you accessed 195 phones and 262 SIM cards in Edinburgh and 180 phones in Stirling. Are you able to outline for us, and I appreciate that there may be a number of overlapping, the legislative framework that you have done that in? You are talking about a policy practice and procedure, what is the legislative framework and where does the independent oversight for that practice? What are the parameters of your trial? Okay, so in terms of the legal framework, are you referring to why we would have a device? What is the authority to take possession of the phone and interrogate the phone and retain the data from the phone and whose access to that data and how would it be disposed of? Okay, thanks, convener. In terms of the first point, there are, in general, terms for legal frameworks, for one of a better phrase, that we would bring a device into lawful custody. It would obviously require to be for a policing purpose, so you would have your powers of common law. Perhaps it is helpful if I give a scenario for each of those, because it might... Not anyone arrested under a common law crime could have their phone. Is that what you are saying? Yes, sir. So that's a breach of the peace as well? You could see somebody's mobile phone or other device if they are an arrested person, and that could be there after inspected and looked at. However, the example that was going to give us, for instance, if you had a high-risk person and there was clearly a threat to life, that would be a time that we would then consider looking at that individual's mobile phone. We have powers of common law. We would then have powers that would exist under a warrant. For instance, if there was a warrant that had been provided to us in terms of the misuse of drugs act 1971 and if that gave us powers under warrant, the... Excuse me, sir. I'm going to just take it a bit closer. The third would be your statutory powers. For instance, like I've said again, misuse of drugs act 1971, if somebody was detained in terms of section 23, misuse of drugs acts, so you have your statutory powers, and also you could have a victim of crime providing their device voluntarily for examination. For instance, in such towns, whether they've been the victim of a sexual or a domestic crime, and there may be information pertinent to the inquiry on that phone. OK, a rough figure here, Mark. My sums aren't that good, but 195, 262 and 180, well over 600 devices, over 630 devices, in Gaffield Square in Edinburgh and Stirling. How many warrants were information acquired from? How many warrants supported the interrogation of those? Sir, unfortunately, I don't have that information. Do you have a ballpark figure at all? No, I don't. That information was not retained during the proof of concept of those devices. Why not? As from what I'm led to believe, during the pilot, which was in 2016, the reason that the devices were trialled within two areas was to better understand their usability in terms of how the front-line officers would react and be able to use them. As part of that proof of concept, specific officers were trained in the use of the device, but also provided with the training information that let them understand the framework that we've just discussed. A device that a phone had to, prior to being inserted or examined on a kiosk, clearly had to have been seized for a lawful policing purpose. If they were not satisfied that any of the parameters of a lawful policing purpose had been met, then there was absolutely no reason why we would have examined a phone on a kiosk at that time. What advice was given to the owner or the person in possession of the phone regarding their rights regarding seizure? Again, as far as I'm led to believe, there was no specific advice given to individuals. Obviously, I'm not aware of the specific conversations and interactions that occurred during each phone seizure. Obviously, if a phone is seized by the police most of the time, the owner will be aware of that seizure by virtue of being present. I appreciate that that would not be all the time. The reason that we are seizing that phone is for a lawful policing purpose, so there has to be some form of understanding that clearly we are seizing it for a policing purpose. However, as far as I'm aware, there was no specific information provided. How many people came into custody in both these trial areas whose phone was not seized? Again, I couldn't answer that question. Is that not vital information? Would you not want to know the percentage? Would that not gauge future work? Would you not want to know the percentage of people who come across the door whose phones are seized? Again, the trials at the time were in terms of a proof-and-collon set of understanding the technology and how it would be reacted to and used by front-line officers. I suppose that what I would say on that point, convener, is that the devices that were examined were ones that officers felt had been seized for a lawful policing purpose and clearly had something or what it was suspected had something to support their investigations. Would you be able to try to get the additional information that has been requested? I will try, yes. Thank you. Finally, before I pass to other members, I could spend all afternoon asking a question, but I'm not going to. The human rights impact assessment in respect of this, community impact assessment in respect of this, any risk assessment in respect of this, I think that the committee asked that they be made available. Do you have any of those? They are on-going, sir. There is a human rights and equality impact assessment and a data protection impact assessment on-going. As I say at this moment in time, we have procured but we have not rolled out those kiosks, and so that is on-going. So the trial took place without any of those assessments being made? I would need to confirm if they occurred at the time, sir. I am unaware. Okay, supplementary Daniel. Thank you very much. I was just saying that these kiosks were trialled to assess the usability and usefulness of the technology, and that is why it is only subsequent to the trial that both procedure and human rights impacts are being done. But what about the procedures for those people who are actually using them as part of the trial and indeed the human rights? Given that you were trialling those things in Edinburgh and potentially my constituents coming into contact with the use of those kiosks, I am just surprised that none of those things were thought about just in terms of the parameters of the trial. Would they not be important that the right procedures are put in place and indeed a human rights assessment is taking place for the trial and the people that might have their phone seized as part of that trial? I absolutely understand the points that you are making. In 2016, I need to confirm whether an assessment was completed or not. I do not know. You do not know? I do not know. Would it be concerning if no consideration had been given by the trial? It is something that I need to go away and confirm. However, what I will say is that, obviously, as part of the training during that test case time in 2016, clearly it was discussed and it was part of the input to the officers who were trained in terms of that a device had to be seized under a lawful policing framework prior to examination. Can I just get you to clarify what data those kiosks would give officers access to? Given that mobile phones these days can capture everything from where you have been through to your walking gate, your relationships and your social status, what is it that the officers will have been able to have seen and get access to using these kiosks as part of the trial? A kiosk is a window onto that device. Any data that is held specifically on that device can be viewed via the kiosk. Ben, I understand that you have a supplementary, and then it is marked. Related to Daniel Johnson's question about primary work, like Daniel Johnson, I am a member of the Scottish Parliament here in Edinburgh, Northern Elyth. I am concerned about the lack of primary work that cannot be clarified at this point. What was done to inform people that those trials were taking place, people who came into contact with officers and any general awareness? Was there a communications campaign that took place? Were people informed when they came into interaction with Police Scotland? Can you confirm those points? There was no specific communication made, and probably the reason for that is that this is not new technology. This is technology that has been available to UK law enforcement since the late 1990s and has been available and has been used in Police Scotland since the start of Police Scotland. The difference is that, due to the advances in that technology, we are able to now provide that facility front end. It is no different policy. It is nothing different that Police Scotland is doing. Therefore, there was no specific communication made. On an instance when an individual is detained at, say, Gaffield Police Station, how would they be informed of this process taking place with their device? There does not necessarily follow that there would be a specific communication regarding that. It does not follow that everybody that is arrested, that their device is seized and, thereafter, investigated. What does happen is that, if a device is seized for a lawful policing purpose because we think that there potentially will be some information on it to support an inquiry, then obviously that is when we would seize it and, by seizing it, it becomes a piece of evidence. Once it is in that evidential chain, it is there after viewed via the kiosk. Generally, the experience of working with Police Scotland and Edinburgh is that the FETIs are very good at informing local MSPs about changes that are taking place. I cannot recall receiving any correspondence on that. Perhaps that is because it happened earlier in 2016 in the election, but it would be good to know whether there was any effort made to inform elected members who might have received bits of correspondence from constituents on that, for example. Sir, I can certainly check that, but my anticipation will be that, probably, it was not again for the reason that I have just mentioned. This is nothing new for Police Scotland. That is a technology that we have been using. The only difference is that we have the opportunity to roll that out further. The reason that we are doing that is that, in terms of expediting inquiries, we will hopefully get more devices back to people quicker if they do not contain any information to support that inquiry. By doing so, we get those devices that do have pertinent information to our hubs quicker. We can therefore process them quicker. By doing so, we are providing a better service to the public. On that operational point, there are instances where people who have been charged and victims of crime have had their mobile phones taken away from them for quite significant amounts of time, as cases progress. Is there an operational policy intention to have some sort of effect on that? Absolutely, sir. The whole point and the opportunity that putting kiosks front-end gives us is that opportunity to do that triage of devices, so that only those who are of significance to supporting an inquiry, thereafter, end up being processed and submitted for digital forensic analysis. At this moment in time, potentially a device could wait up to eight months to be examined. If we can do anything to expedite that by using a triage facility, we have a better opportunity to give a better service to the public by going, yes, that phone, that's got significant information on it, that will support the inquiry into the hub. No, those phones don't, and get those phones back to the people, whether it be a victim, a suspect or an accused person. Good afternoon. My question is first instance in RTCDS Burnett. We have the vulnerable person's database that has been in operation since March 2014 across Police Scotland, because there are significant concerns that I hope you realise coming through about the retention of data and the appropriateness of what is retained. Could you confirm if, in the vulnerable person's database, there is the recording of individuals that are classified as no concern and not applicable? Unfortunately, I would need to defer that question. It's obviously not my area of business, and I would need to defer that for others to answer. It's pretty germane to how Police Scotland collects data and the policy for retaining data. The vulnerable witness's database—are you not familiar with that at all, DS Burnett? I'm aware of the interim vulnerable person's database. I have not used it in a significant period of time. I work within specialist crime division, and it is not a database that I am proficient in or using at this moment in time, so I don't think that it would be right for me to answer that question because I can't confirm. What I can perhaps ask is the SPA since this has gone back to 2014, and I'm led to believe that a significant portion of the entries are no concern and not applicable. That has led to the information commissioner to question why information was collected in the first place if those entries follow under that concern. Is this not something that SPA should be aware of? Is it aware of it? I don't have specific information about that particular database, but what the SPA is doing right now is upping the level of scrutiny and engagement around the whole area of digital data and ICT generally. Police Scotland is currently in the process of developing a new strategy to bring together not just ICT but the use of data and digital technologies as well. It has reached the point of producing a strategic outline business case. We will be having a discussion at the SPA board meeting on 31 May about that. We also expect that work to be developed into an outline business case by the autumn and again for the SPA to be engaging with that. Do you see my difficulty? It's about collecting data from mobile phones, assessing what's relevant and not how you're going to shift this. Is there a shifting policy? Is there a deletion policy? You have no idea how it's currently working at present under the vulnerable database and the database of the person. Surely that's the very first question that you should be looking at. How do we retain data just now? What's the policy just now? If you can't answer that, perhaps you could answer something on the proposal to establish Irish recognition and purchase the technology for that. Is that something that you're aware of? Yes, the SPA is aware that it's something that Police Scotland is looking at. I don't have the details of that. I wonder whether DS Burnett might provide those details, if you'd like. Perhaps it's concerning to note that there's no legubation for the collection of custody episodes, images, and apparently there are currently one million of those. What concerns me and the evidence that I've heard today from you, DS Burnett, is the fact that you're saying that after procurement we'll test some policies out. What's being stated here? Is it the intention, before this new technology is purchased, to establish a code of practice before procurement, which should cover what's existing on the base, whether it's legitimate to hold that, whether there's a deletion policy, whether there's a shifting policy, emerging data, and any future data? That code of practice should be in there before there's any question of purchasing this equipment. An answer from both of you would be helpful. In terms of the policy practice procedure that I've referred to for kiosks, that is obviously, we are still working our way through that, but in terms of data retention policies, they are policies that have been in Police Scotland and the data retention policies in terms of any data that is held within the digital forensics hubs, anywhere else is for serious crime 12 plus 1, for other crime 6 plus 1. To be clear again, Mrs Mitchell, in terms of the kiosk, there is no data retained specifically on the kiosks. If I could add to that, the key point that I think here is that there is no shifting policy. As far as the SPA is aware, those kiosks do not allow the police new additional powers beyond what they already have and what they already do. Instead, what the kiosks enable is for devices that do not need to be sent to the specialist hubs for a full, forensic digital download, not to be sent in the first place. Because they are available in local police stations, people who have their phones handed over to the police as part of that policing purpose can have their phones examined there and then, and the police can rule out there and then whether or not the phone requires them to be sent off for a full download. The benefit of that is not only that the individuals who could be suspects or witnesses or victims of the crime not only get their phones back quicker but lessen the backlog of the devices stacking up in the digital hubs, which require that download because there is a more serious potential offence at the bottom of that. Can I perhaps put it another way? There will be data extracted from that. You say that it is not kept in the kiosk. That is how it is supposed to work. The vulnerable witnesses database is supposed to work very differently from how it is working now. It has attracted the attention of the freedom of information commissioner, if not the SPA, who is the oversight body, ironically. If he has been involved, if you have been contacted about the proposals for the kiosk, iris or any other data protection issues, are you aware? In terms of the kiosk, I have not had any direct contact with the information commissioner on kiosks. However, what we are looking to do as part of our finalisation of our policy practice procedure is two things. We are looking to organise a demonstration event to which we are going to invite parliamentarians, clearly yourselves, if you wish to come along to see a demonstration of the device, as well as Government officials and others from the SPA who have not seen the kiosks today. We are also looking to establish an external reference group. We think that that is really important. Obviously, the points that are made today reinforce our need to have that to ensure that we give an opportunity and we take that expert advice from people out with Police Scotland so that, when we think that we have our draft policy practice procedure in a place, we have that external scrutiny and eye on it, so that we can take that advice to make sure that, when we finally get to the point of deploying these devices, we can give an assurance to ourselves and, importantly, to the public that we are using this technology to keep them safe, but we are doing that correctly. Can I suggest that you do that before you problem-relate the policy? It might be very helpful in getting the policy right in the first place. Thank you very much. Okay, thank you. Two very brief supplementaries from Stewart and Daniel, and then we move on to Rona. I just ask for a confirmation, because what I am hearing is that the kiosks extract no new information that you are not already extracting in the central processes. I am getting a nodding head to that. Therefore, you have got a set of processes, procedures, rules and you have registered with the Information Commissioner your uses of the data in that central information system, and the registration does not say what devices you do it on. I know because, like others, I am registered. The other one, and I have got the nodding head to that. On the vulnerable persons database, can I very much welcome the existence of that, and I believe that I am probably in one of them, as a person of no concern, and I do not want you to remove me from that. I am not there because I am a criminal or thought to be a criminal, but because I am somebody who is connected to somebody who is vulnerable and you need to know about that connection of my being there so that you can contact me if that vulnerable person requires that. Is that a proper description of no concern? In other words, the label might be misleading as to what is actually going on. Sir, again, apologies. I am not proficient in the system. It is not a system that I use myself at this time, so I would not like to answer at this point. Okay, thank you. Daniel. I would just like you to acknowledge something. Essentially, you were saying that these kiosks do not provide you any new powers, that this is technology that you have had in one form or another since the 1990s, but do you not recognise that the information contained on these devices now has exploded exponentially and is of a degree of sensitivity and personal nature that is just not comparable to the data captured on SIM cards, which is what you were referring to in the 1990s, and that giving officers the ability to look at that data as a matter of routine requires additional sensitivity in a way that, essentially, an officer having a look at what phone number somebody has on the SIM card is just a different category of information and level of intrusion. Would you not acknowledge that difference? Absolutely, and that is the challenge for Police Scotland in policing in a digital age. We have to be able to police in an age where devices are commonplace in most inquiries or instances that we have in some form or fashion. They will either be the device that is used in the commission of a crime or they may just have supporting information on that device. So, absolutely, yes, the amount of information is growing on those devices. I think that the public would expect us to have the right technologies in order to make sure that we can utilise any pieces of evidence and identify any pieces of evidence. It is right and proper for us to identify technologies to support us in being able to work within a digital age. Your other points are about the access that police will have to sensitive data. That is nothing new for the police. That is part of being in the police and it is part of the interaction that we will have. Unfortunately, a lot of the interaction that we will have with members of the public will be at the most traumatic times of their life. We have to, on occasion, through inquiries take some really significant intimate information and details and interact with those individuals at that time. That is something that is part of us being police officers and part of what we have to deal with. Just before I ask my question, just a wee follow-up to my colleague Daniel Johnson's question. You said earlier that the officers could put a search in for a particular, in other words, a filter in so that the other personal information would not be seen. Is that correct? That is absolutely correct, yes. Are you confident that that would always be done in most cases that the officer would not gather up all the personal data that they did not need? To the point that Mr Johnson made, because of the huge amount of data that is on a phone, the search parameters being there are absolutely there in order to make sure that, if you are looking specifically for text within a timeline, you can do that. Can I guarantee that that will be done in every occasion? No, because, to be honest, it depends what inquiry is under investigation, what data would potentially be pertinent to that inquiry. I want to ask whether staff associations and unions were consulted before the trials took place. I cannot speak to the trials taking place, however, what I can say is that, as part of the 2026 briefing strategy, the cybercrime capability programme is one of those programmes of works with the cyber infrastructure projects sitting underneath that. We briefed to the Scottish Police Federation and the police staffing associations at the autumn of 2017 and gave them a demonstration of the chaos at that time. Are there any concerns raised by them? None whatsoever. They fully supported it, they could see the efficacy of it, they could see how it would support us to be more efficient in our processes, and they could see how it would really support individuals, especially in terms of victims, expediting those crimes. I may have missed this. Are the trials still going on? No, no. Is there been some formal evaluation done on what is actually going to be a report about what you have learned? There were a couple of brief reports that were completed at the end of those trials. And we also, prior to moving to procurement of the devices at this time, we liais with a significant amount of forces within England. As you'll be aware, these devices are used throughout the UK in a lot of police forces and have been for a significant period of time. The reportage coming back, absolutely, you need to make sure that your training, your policy, your practice procedure has to be robust, but the message coming through loud and clear, as well, was that if you do introduce these within the right environment, then they can do nothing but assist you in giving a better service to the public. Can you give us any feedback so far received on how the trials seem to have went amongst the forces? Again, in terms of what we saw, the reporting was that the submissions into the digital forensic hubs decreased dramatically. I cannot provide specific figures on that, but there was reported that there was a dramatic decrease, and that meant that those kinds of significance that were within the hubs could be expedited as well. It basically lets our specialist forensic examiners get on with those cases that really need that level of input. No problems highlighted then with the actual procedure, the practical side of it? There was none highlighted, no. Superintendent Burnett, are you familiar? You talked about lasing with other forces across the UK. Was one of them North Yorkshire? I am aware of the report from North Yorkshire, convener, yes. Are you aware of the police complaint commissioner's report, investigation into North Yorkshire? Yes, convener. So, for instance, that, as I understand, concluded in half the case of sample that there was a failure to receive authorisation for the use of phone extraction tools. Poor training resulted in practices that undermined the prosecution of serious crimes, such as murder and sexual offences. Were you aware of that? Yes. And that there were inadequate data security practices, including the failure to encrypt and files that may contain intimate details of people never charged with a crime are lost. Was any data lost as a result of the trials in Stirling and Edinburgh? No data was reported lost, sir, no. And with regard to the trial, you said that there were a couple of reports. Could you make those available to the committee, please? Yes, I can, convener. And Mr Hoggart, are you able to say if the police authority was cited in either of these reports and what its response was, please? I don't know whether or not the reports were shared with the SPA, but I do know that there was subsequently a briefing given by Police Scotland to the members of the authority in September 2017, in advance of the procurement exercise beginning, and that provided an opportunity for the members to ask questions that they had about the proposed use of the kiosks and to seek the assurances that they wanted to get. Thank you. If there was a copy of that briefing or any presentation that was made, that would be helpful if you could make that available to the committee as well, please. Stewart, are you next? No. No, okay, thank you. Liam? Yes, thanks, and can I start by apologising for my slightly later arrival? I was kicked in the chamber for a debate, I was taking part in, and apologies if some of this was covered in the exchanges that I missed at the start. Like Daniel Johnson and Ben Macpherson, I'm slightly concerned about what appears to be a lack of preparation ahead of the trials taking place, and I accept the point about the perceived benefits of having this technology that is already used but has been deployed further up the chain at the front line. Barnett said that it's nothing new and that the public would expect you to be deploying the technology. I suppose that the concern would be that, when you move this closer to the front line, the extent to which it is being used will grow exponentially as well. Therefore, the numbers of people that would need to have the requisite training to be able to carry out the functions appropriately would expand, if not exponentially, then significantly. Therefore, I'm slightly concerned that this was just assumed to be not really a departure from what was already happening when it is in the sense that it's requiring a good deal more officers to be cognisant of the sensitivities around handling the data. That should at least be appearing on a risk register, I would have thought. On cognisant of managing that data, prior to any use of a kiosk, they would still have that data, because what you've got to remember is that if the devices of significance are put into the cybercrime hub, there is a download of that device done, data is identified and they're after provided back to the inquire officer for them to look at. I'm sorry for interrupting, but in a sense, if you know that you're going to have to move this up the chain to the hub and that is the only way of being able to access the data, you're going to take a view of whether or not that is essential or necessary as part of whatever inquiry you're undertaking. If you're able, through one of those kiosks in the station to identify that data there and then, it's going to be far more attractive. I think the cost benefit analysis that you will do as to whether or not this is worth going down is going to be very different from what it has been traditionally where it's been sent to the hub, so you're going to get an increased usage as a result of having these kiosks in place. It's going to be used in instances that it's not being used at present. Through the SPA's involvement in oversight of the procurement of these devices, what I can say is that the procurement included a training package, so included in the cost, I mentioned earlier, was a sum of money to, in effect, train trainers in Police Scotland in recognition of the very point that you're making. If you have more people operating devices, they all need to be trained appropriately in using them and therefore that's been taken into account. The other key point that is linked to that is that, at the moment, our understanding is that devices are sent to these hubs where there is a less discriminating download of the data. What those devices, the so-called kiosks, allow for is more parameters to be sent. For the first time, you've got devices being examined within a narrower search set of parameters than currently takes place when the devices are sent out, but the training point has been taken into account in what's been procured so far. In terms of any decision around wider roll-out, what further safeguards are being considered in terms of data protection, human rights issues, a gamut, which has presumably come up already because the technology is being used in other areas, but if it is being used more extensively by a wider range of those within Police Scotland, presumably there will have to be another analysis done to make sure that those safeguards remain appropriate. That is where the importance of the standard operating procedure comes in, which DS Burnett referred to earlier. The intention is that the procedure to be established for their use be consulted on by being given to the external expert reference group for consultation before it's developed so that the concerns or questions about privacy and data and usage and consistency can be built into the operating procedure. As Matt Astan just mentioned, there is not an agreement to roll those out. Roll-out will not happen until the issues that you have been raising are addressed, including through that external expert group. The external expert group is self-contained or is it itself receiving submissions from—the committee has received a number in advance of the session today—is that reference group inviting those organisations that have been in touch with us and perhaps others to be submitting views ahead of any decisions that they are taking? Yes. My understanding is that, for example, Police Scotland intends to invite privacy international to be members of that expert external reference group. Just to confirm that, at this stage, there is no ballpark time frame for roll-out. Do you have a set of dates? Yes, there is a plan. As I mentioned earlier, that comprises part of the implementation of the policing 2026 strategy. At the moment, the intention is to engage with that group over the summer and then to work up the standard operating procedure to allow roll-out in the autumn. However, that is not the same thing as saying that there is agreement at this stage to do that. Agreement would only follow once the group has done its work and once the procedure has been put in place. I had wanted to ask you about how that fits in with the IT strategy, given that the IT strategy has not been signed off yet. Can you maybe get back to the sub-committee and writing just with the details of that IT strategy and how this procurement fits in with that? That would be useful. It is unfortunate that you are quoting figures X, VAT, given that Police Scotland can no longer recover VAT from its… Can you just make sure that that does not happen again when you provide information? I am sorry, but I was not counting. The VAT position has changed, so you are quoting VAT and X VAT numbers. It is just confusing as my basic point. Finally, just on a very technical point, my understanding is that some phones, if users set them up correctly, have very sophisticated levels of data encryption, which even the FBI cannot crack. Indeed, when I look at my phone and look at the relevance of saying that data protection is enabled, which I am guessing that that would mean that if I submitted my phone that those kiosks would not work, am I right in saying that encryption would mean that those kiosks would not be able to find anything from those phones? Is that right or incorrect? At this moment in time, as you have already alluded to, technology is changing all the time. Devices are changing all the time. Different people have different devices that have different security setups on them. Certain amounts of devices are set up with security. If we are able to plug them into the kiosk, we will be able to access the data on those devices. The list of those devices clearly changes all the time in terms of how technologies are. All Apple iPhones and Android-based phones, which are the vast majority of smartphones, have as part of their operating system's ability to encrypt all data. I am assuming that serious and organised criminals know all about that. I am guessing that this gets the people who are just less savvy and more occasional. Daniel, I do not know that we are necessarily wrong. I think that Police Scotland will be able to extract data from an encrypted phone. Yes, I am picking up on you, but by all means, I will answer if you wish. What I would say, convener, and Mr Johnson, is that kiosks are part of a suite of options that are available to Police Scotland and UK law enforcement. You are right. You have alluded to the fact that we are challenged as every law enforcement is in policing in a digital age, and that is something that we have to look at. Just briefly, on the capacity of the machines, you mentioned that no data is retained on the kiosks. You answered the point from the convener about data loss. I just wanted to check if there is any capability in the kiosks to delete information that is on devices. Not as far as I am aware. Certainly was the view of the Police Complaints Commission on an investigation that that was a possible consequence. I will get that confirmed, convener. That would have different consequences. If I may convene, I think that the information commissioner was perhaps making a different point about data on the kiosk, whereas I think that Ben was asking about data on the device. There were different points, that is really all I am saying. Okay, okay. We can see that it is very clearly and technically clear. A few questions to yourself, Superintendent Burnett. What discussions has Police Scotland had with the Crown Office, the Lord Advocate, about its use of this equipment? Okay. Back in 2016, prior to commencement of the testing of the devices, there was consultation with the Crown Office to confirm, because obviously the purpose of us utilising kiosks is to secure any evidence that can expedite a crime. There is no point in us considering that in isolation. We need to understand that Crown Office is supportive and comfortable with the use and the seizure of evidence in that way. They were supportive of the trials. What they said was that at that time, due to it being a new use of the technology, they would support their use only in some of the cases at that time, but we have continued in consultation with Crown Office since then, and they are aware of our procurement. They are supportive of our use and the support of kiosks being used in the lawful framework, which we discussed earlier. Okay, thank you. Likewise, will you be able to share that correspondence with the committee, please? Absolutely. Thank you very much indeed. Two other quick points, and I think that you alluded to those statuses yourself, Superintendent. That is, as I understand the Scots law, you can be a witness, a suspect and an accused. That is the status of everyone. Does anyone in that group have the right to say that they are not getting my phone because you talked about interrogation? We would all understand domestic violence, vulnerable persons, missing persons and where there is a pressing need for life. Do you want to write to us who can and can't refuse to handle their phone, please? Of course. A witness can clearly refuse to provide any—are you talking about providing the device or providing—a witness clearly could refuse to provide a device in order to expose any inquiry in terms of suspect accused, as you referred to. A phone would need to be seized under a lawful purpose, the ones that I discussed earlier. Okay, thank you. Finally, if I may please, in your state or in the Police Scotland report, I have to say many, it's not what you'd call in plain English, I wouldn't say, or I had difficulty with the phrase in relation to all of this, the design principles under planning are planning, emphasising approach, what would be modular, iterative and agile. I'm an old-fashioned bloke. That doesn't make much sense to me but what I have to say did jump out at me was where there was mention of an equality in human rights impact assessment and private impact assessments before operational deployment. We've covered the bit that your trial wasn't supported by any of these documents but we're not putting the cart before the horse will stop here because what, if that human rights impact assessment said, there were implications and we've already had that expenditure of £1 million. I think that where we are is because we use this technology anyway. We are aware of its use and efficacy throughout UK law enforcement. We absolutely understand the need and the requirements and we are completing those assessments and we will build in any of the findings of them. I would anticipate that there will be nothing that will come up in those assessments that we cannot address clearly if there is something that means that we have to stop. Absolutely, that is something that would need to occur. There were opportunities to fully reassure us on these matters. I have to say personally and I understand others might not be so. We will discuss that as part of our problem and we will come back to that both in writing. In the interim, if you could send the committee the papers that they have alluded to that we have requested, that would be very helpful. I thank you both for your evidence. We now move into private session.