Report Summary
Issued 15 July 2025, this FOI response provides information and correspondence in relation to non-UK data processing, explains why some of the information is exempt from disclosure, and confirms that some of the requested information is not held by the Scottish Police Authority.
To access the full document please open the PDF document above.
To view as accessible content please use the sections below. (Note that some tables and appendixes are not available as accessible content).
Request
Your request for information dated 17 June 2025 is copied below.
Given the recent passing of the Data (Use and Access Bill) in Parliament, the radical changes it introduces for Law Enforcement data processing, and the elapsed time since I last sought information on the status of the DESC programme and its legal compliance with the existing DPA 2018 Act, I wish to request information on the programme status.
This will allow the creation of a baseline to measure changes over time as a result of the new bill once Royal Assent is given; which I feel is a reasonable endeavour of significant public interest due to the nature of risks to subjects interests and cost to the public purse.
I request you apply this context into any public interest test weighted exemption you may seek to apply.
This FOISA request is part of a batch sent to all DESC participants on the same date, but I seek individual responses from each DESC participant and not collaborative ones.
The information I require is as follows:
1 - The latest in force Data Protection Impact Assessment conducted under S.64 of the DPA 2018 (the Act) by the Authority for your participation in DESC if one is held.
2 - Copies of any communication made under S.65 between the Authority and the Commissioner in respect of identified high risks to the rights and interests of an individual over the past 12 months.
This may logically include draft DPIA's and materials under preparation, or not included in the current in force DPIA.
3- Copies of any other communications between the Authority and the Commissioner over the last 12 months relating to any identified risks in relation to offshore (i.e. non-UK located, or remotely initiated) processing by any processor or sub-processor - whether or not these were communicated to the Commissioner under S.65.
4 - Copies of any communications between the Authority and Microsoft, or the Authority and Axon (both being previously identified as Authority data processors) over the past 12 months in relation to their processing of personal data covered under Part 3 of the DPA 2018 (i.e. relating to the processing of personal data processed for a Law Enforcement purpose).
NB: This may logically include information relating to services outside of the DESC service itself, such as M365 or general Azure services (Microsoft), or body-worn video, etc. (Axon), that the Authority may already consume or intend to consume for Law Enforcement processing purposes.
