Without the trust of citizens, the police cannot do their job properly. That is why it is important that the police are cautious with data about citizens. But an analysis by Bits of Freedom shows that of all 36 'mission critical' systems of the police systems, not one complies with the rules on privacy and information security.

Mission critical

It concerns 36 systemsThe rapports on which this analysis is based can be found at the bottom of this page., which, according to the police, “must remain operational at all times, so that the police can do their job”. They are the systems for registering repeat offenders and licence plates, taking statements and interrogations, exchanging information between police officers, processing fingerprints, analysing big amounts of sensitive data and many other functions. None (!) of these systems comply with the rules on privacy and security by design that follow from the law and police policies. There is even “no specific attention at all” for this with three systems.

The table below is a summary of our analysis: everything, except the grey fields, are supposed to be green.

Especially in the field of information security and privacy the systems are in bad shape. For example, police officers who change jobs retain database access from their previous job, which means that corrupt officers have unnecessary access to a lot of information. Data is also retained for far too long. And it is not clear whether the current security is adequate since the police has not identified all the risks to the security of the information. The police rely more and more on IT, but we cannot trust the police with IT.

Everyone loses out

The risks are immense. After all, the police have extensive powers to collect, retaining, use and disclose personal data to third parties, including people who have not been identified as suspects. But this is only possible if we can also trust the police that they will treat his information responsibly. But if that is missing, everyone, including the police themselves, will suffer.

Because a witness to a liquidation does not tell his story to the police if he himself is in extra danger as a result. If you are a victim of a rape, the last thing you want is for someone who has nothing to do with that investigation to sniff through your police statement. But the police themselves also benefit from a careful handling of sensitive data. If data security is not in order, the police run the risk of a major investigation breaking down because a corrupt police officer leaks information to serious criminals.

Long history of law violations

The large-scale violations of laws and regulations in the field of privacy and information security is not new. The nation's most well-known law enforcement agency has a long history of law violations. Eight years ago"It is shocking that none of the police forces complies with all legal requirements." (NL) we also made an analysis of the reports on compliance with the same law. The result was depressing. Not a single police force met all legal requirements. A few police forces complied with less than twenty percent (!) of the standards and then only “in outline”. Since then, the police have made some improvements, but this analysis shows that the protection of sensitive data is still poor.

Expectations for the near future are no better. In a status updateRead the status update of the police here (NL) the police mention "a negative outcome" and even that "scores have gone down". According to the police, "a realistic expectation is that 50% of our applications complying will meet legal requirements by the end of 2020". As far as we are concerned, past experiences give no reason to be so optimistic. But more importantly: that also means that half of the applications still do not meet the legal requirements.

The police must be fined

Two things have to happen now, as far as we are concerned. First, the police must finally be forced to comply with the law. The Dutch Parliament should be angry at the minister and no longer let him get way with soothing words such as "the police is improving". The time of tolerance is over. And therefore it is about time that the Dutch Data Protection Authority will do what the police themselves do: hand out fines. It is ludicrous that the police have been getting away with this for year.

Secondly, it is important that the minister not only looks the law itself in the planned amendment of the law, but also at its feasibilityRead more about the planned revision of the legislation (NL). The police previously stated that data that must be removed is not removed because the computer systems are too old. If you want to create a new law that functions properly, you might also have to invest in police IT-systems.

This is a translation of a Dutch article. A big thank you to two translators: Alex Leering en Martin van Veen.