Scott Ross, legendary VFX executive and co-founder of Digital Domain, joins the podcast for an unfiltered conversation about the state of the film industry and the visual effects business. With decades of experience and a reputation for telling it like it is, Scott digs into the systemic challenges facing Hollywoodfrom broken economic models in studio filmmaking to the relentless pressure on VFX vendors. He reflects on his time building Digital Domain alongside James Cameron and shares insights from his new book, UPSTART: The Digital Film Revolution Managing the Unmanageable, which chronicles his journey through the chaos and creativity that have defined modern filmmaking.While Scott doesnt sugarcoat the industrys issues, he also sees glimmers of hope. He highlights the rise of global talent and a shift toward more authentic, filmmaker-driven storytelling. The conversation touches on the role of AI, the decline of theatrical experiences, and the urgent need for systemic changewhile still holding onto the belief that the future of cinema is worth fighting for. With honesty, insight, and passion, Scott offers a rare perspective from someone whos been at the center of the digital revolution and still has something to say.Links:UPSTART: The Digital Film Revolution Managing the Unmanageable >Scott Ross on IMDB >

Two days remain.We are rapidly approaching the big Switch 2 Direct on 2nd April, and Nintendo is ensuring the hype train is fully stocked and ready to leave the station as it has just shared a new image of the console via the Nintendo Today app.Now, the vast majority of us will likely see this image tomorrow when the regional clocks tick over to the 'One Day To Go' message that the app has been counting towards in recent days, but thanks to the magic of timezones, those in Japan have already caught a glimpse of the fresh snap.Read the full article on nintendolife.com

Tech giant Oracle is facing criticism for how its handling two seemingly separate data breaches.At least one of the incidents appears to still be unfolding, despite Oracle reportedly denying a breach at all. The other relates to a breach of patient data under the tech giants healthcare subsidiary, Oracle Health.Oracle did not respond to TechCrunchs request for comment about the two incidents.Oracle Health breach affects patient data, per reportsThe breach disclosed most recently involves Oracle Health, which provides hospitals and other healthcare providers with technology to access health records online. Oracle Health is a unit that was combined with Cerner, an electronic health records company that Oracle acquired in 2022 for $28 billion.Bloomberg and Bleeping Computer reported last week that the breach affects patient data, although its unclear exactly what kinds of data were stolen, nor which organizations and companies that use Oracle Health are affected.Oracle notified some of its healthcare customers in March of a breach that happened sometime earlier this year, in which hackers accessed Oracle servers and stole patient data, according to the publications.Contact UsDo you have more information about these two Oracle breaches? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.We are writing to inform you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud, read the notification sent to some Oracle Health customers, according to Bleeping Computer.Citing multiple sources, the news site reported that a hacker is trying to extort affected hospitals, reportedly demanding millions of dollars.An Oracle employee, who asked to remain anonymous as they were not authorized to speak to the press, told TechCrunch that the company hasnt been very transparent even with its own employees.My team was not able to access customers environments for a number of days. My concern is not just with patient data breach. Access through hosts allows any and all access to what is hosted, obviously, said the employee. Some customers host other applications like HR and finance. I dont know if it was hacker[-]accessed though.The employee said they had to look at Reddit and internal Slack channels to even figure out something was being looked at.The employee said they felt super ignored, describing the situation as: Nothing to see here, move right along.The employee, however, also said that they saw on Slack that some teams were given language to communicate with clients on March 4: We will investigate the issue you are experiencing.Oracle denies cloud breach, despite mounting evidenceThe other separate breach involves Oracle Cloud servers. And in this case too, Oracle is not being very transparent about what happened.Earlier this month, a hacker going by the online handle rose87168 posted on a cybercrime forum offering the data of six million Oracle Cloud customers, including authentication data and encrypted passwords, as Bleeping Computer reported at the time.To prove that they breached Oracle, rose87168 uploaded a text file containing their online handle that was hosted on an Oracle Cloud server.A screenshot of the archived text file that rose87168 uploaded to an Oracle server. (Image: TechCrunch)Since, several Oracle customers have confirmed that data samples shared by the hacker appear genuine, pointing to further evidence of a breach at Oracle.Strangely, Oracle denied that there was a breach at all.There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data, Oracle told the publication.But not everyone is convinced.This is a serious cybersecurity incident which impacts customers, in a platform managed by Oracle, cybersecurity expert Kevin Beaumont wrote in a blog post analyzing the alleged Oracle Cloud breach. Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility. This is not okay.Oracle need to clearly, openly and publicly communicate what happened, how it impacts customers, and what theyre doing about it. This is a matter of trust and responsibility. Step up, Oracle or customers should start stepping off, said Beaumont.Commenting on one of the alleged Oracle breaches, cybersecurity expert Lisa Forte wrote on Bluesky that, if this ends up being true, and I struggle to see how it wont, this is a very very bad look.

Apple Intelligence, the iPhone makers suite of AI-powered tools and features, is gaining new features. Most notably, the company on Monday announced that Apple device owners will now be able to take advantage of Priority Notifcations, which allows Apples AI to highlight your most time-sensitive notifications in a new format. Other updates are coming to the Image Playground app and the Mac. Plus, Apple Intelligence is now available to iPhone and iPad users in the EU and on the Apple Vision Pro headset in U.S. English.The changes are rolling out with the release of Apple software, iOS 18.4, iPadOS 18.4, and macOS Sequoia 15.4. Apple notes that its AI features are also available in a number of new languages, including French, German, Italian, Portuguese (Brazil), Spanish, Japanese, Korean, and Chinese (simplified). Localized English has also been added for both Singapore and India.Though Apple Intelligence was introduced at the companys Worldwide Developer Conference last year as its new generative AI offering, the reality is that Apple was not prepared to release all its AI-powered features at once. Thats led to a slow and steady rollout of numerous AI updates since the release of iOS 18.1 where Apple Intelligence first went live. For instance, features like ChatGPT integration, Image Playground, and others didnt arrive until iOS 18.2 (and iPadOS 18.2, macOS Sequoia 15.2) months later. Image Credits:AppleAmong the new additions coming Monday, Priority Notifications may be the most useful if successfully implemented. Now, instead of having to dig for important updates across all your notifications which often include nonessential updates and other marketing messages from apps youll be able to see those that deserve attention appear at the top of the stack.Other Apple Intelligence improvements arriving today include the ability to create a memory movie on Mac by typing a description, and an added Sketch style in Apples AI image generation app, Image Playground, for the creation of academic and detailed sketches.Apple had previously announced that its AI suite would arrive in the EU in April 2025 a delay Apple blamed on EU tech regulations, like the Digital Markets Act. Meanwhile, Vision Pro users will be able to use AI features like Writing Tools, Image Playground, Genmoji and more with the expansion of Apple Intelligence to the mixed reality platform. The update also includes a handful of new emojis, including a paint splatter, a face with bags under its eyes, a fingerprint, a root vegetable, and a shovel, among others. The recently announced recipe companion, Apple News+ Food, is arriving Monday, as well, alongside new child safety features and other tweaks to the revamped Apple Photos app and other Apple services.Apple brings Apple Intelligence to the Vision ProApple takes on recipe apps with Apple News+ Food

Audiences may soon here Beep Beep at a local cinema, as distributor Ketchup Entertaiment has just acquired Coyote vs. Acme, the ill-fated live-action/3DCG hybrid film that was shelved by Warner Bros. Discovery in 2023 for a tax write-off, much to the anger of Hollywood and Looney Tunes fans, according to The Hollywood Reporter. As reported 10 days ago, Ketchup was in talks to pick up the film reportedly for close to $50 million. Terms of the final deal were not announced.In a statement made today, Gareth West, CEO of Ketchup Entertainment, said, Were thrilled to have made a deal with Warner Bros. Pictures to bring this film to audiences worldwide.Coyote vs. Acmeis a perfect blend of nostalgia and modern storytelling, capturing the essence of the beloved Looney Tunes characters while introducing them to a new generation. We believe it will resonate with both longtime fans and newcomers alike.Coyote vs. Acme is directed by Dave Green, with a screenplay by Samy Burch, James Gunn, and Jeremy Slater. Based on Ian Fraziers 1990 humor article Coyote v. Acme, the flick was adapted for the big screen by Burch. Mixing courtroom procedural and zany comedic elements, the story centers on a down-and-out billboard lawyer who decides to represent Wile. E. Coyote in his lawsuit against ACME Corporation over its defective products.John Cena (Peacemaker) stars alongside Lana Condor (To All the Boys Ive Loved Before), Will Forte (Ruby Gillman, Teenage Kraken), P.J. Byrne (Gen V), and others.The VFX were created by BUF, DNEG, Double Negative, Firebrand VFX, Framestore, Jellyfish Pictures, and Warner Brothers, with George Murphy acting as visual effects supervisor.Ketchup recently distributed Warner Bros. Discoverys The Day the Earth Blew Up: A Looney Tunes Movie, which opened in theaters March 14. Dan Sarto is Publisher and Editor-in-Chief of Animation World Network.

Researchers from Los Alamos National Laboratory (LANL) have developed a 3D printed perfusion bioreactor (3D-PBR) created to improve how human bone marrow-derived mesenchymal stem cells (MSCs) grow and differentiate.With contributions from the University of New Mexico (UNM), the device also supports co-culture with vascular cells. Designed to address the limitations of basic cell culture models while capturing the complexities of real tissue environments, this compact device aims to make cellular differentiation studies more practical and precise.Published in Nature, the 3D-PBR is made using Formlabs 3B Low Force Stereolithography (SLA) 3D printer, relying on a biocompatible resin composed of methacrylate monomer and urethane dimethacrylate. After printing, the researchers carefully cleaned the components with isopropyl alcohol and cured them under UV light at 60C for 30 minutes, a process that not only ensures structural stability but also enhances clarity for imaging.The fully assembled 3D-PBR system with the modular peristaltic pump and 3D printed cell culture media reservoir. Photo via LANL.Dual-compartment setup supports cell interactionWhat sets this device apart is its design, featuring two compartments separated by a porous polyethylene terephthalate (PET) membrane with a pore size of 0.4 m. This membrane allows media transport and cellular interaction between the compartments without compromising their separation.One compartment, designed for vascular cells, includes Luer-lock ports for controlled fluid flow and has a rectangular channel measuring 11.8 mm 4.8 mm 0.8 mm. The other compartment, intended for MSCs, has an oval-shaped channel measuring 15.8 mm 4.8 mm 0.8 mm. Despite its intricate design, the entire system, including the peristaltic pump and 3D printed media reservoir, fits within a compact volume of 60 cubic inches.Researchers chose this resin-based polymer over the commonly used polydimethylsiloxane (PDMS), which often struggles with issues like molecular absorption and manufacturing constraints. The new approach provides greater flexibility and durability, allowing for more complex structures that are better suited for various experimental conditions.During their experiments, the team cultured MSCs within a collagen-fibrin gel, a material selected for its ability to provide structural support and mimic extracellular matrix conditions. They prepared the gel with MSC concentrations of 3.8 10 cells/mL for bone differentiation and 2.6 10 cells/mL for fat differentiation.Meanwhile, human umbilical vein endothelial cells (HUVECs) were introduced to the vascular compartment at a concentration of 1 10 cells/mL, forming a confluent monolayer over a period of 21 days. To further enhance the differentiation process, researchers applied flow rates of 23 L/min and 100 L/min, which are known to promote bone-generating conditions.The team then used fluorescent microscopy to evaluate how well the MSCs differentiated within the 3D-PBR. Imaging markers such as VE-Cadherin, ActinRed 555, and NucBlue provided clear visuals of cell structures and interactions. The results were encouraging, with MSCs demonstrating high viability, 92% for MSCs and 91% for HUVECs.More importantly, the cells cultured within the 3D-PBR exhibited enhanced differentiation compared to static conditions, showing greater complexity and maturity in bone cell structures along with more consistent fat cell differentiation.To verify the devices structural integrity, researchers conducted CT scans, confirming that the compartments were well-sealed and suitable for extended experiments. This step was crucial to ensuring the reliability of the devices design.While the results are promising, the researchers noted a few limitations. Their focus was mainly on biocompatibility and differentiation, without examining how signals from vascular cells might influence MSC growth at a molecular level.The need for different media types meant vascular cells were introduced only after MSCs had begun differentiating, which the team aims to address by developing a common medium and conducting gene expression analysis.Moving forward, researchers believe the 3D-PBRs compact design, compatibility with standard lab equipment, and adaptability make it a valuable tool for studying bone formation, fat differentiation, and other tissue engineering applications requiring realistic environments.Assembly process of the vascular and MS compartments in the 3D-PBR. Photo via LANL.Advances in 3D printed bioreactors3D printing has improved bioreactor development by allowing researchers to quickly create compact, efficient designs that support better cell growth and interaction.For instance, scientists from Massachusetts Institute of Technology (MIT) and Indian Institute of Technology (IIT) Madras developed a 3D printed microfluidic bioreactor for growing human brain tissue using SLA 3D printing and dental resin. Priced at just $5, the reusable device served as a low-cost alternative to commercial culture dishes for drug testing and treatment research.During tests, stem cells cultured in the bioreactor showed enhanced proliferation and viability compared to those grown in conventional dishes. The cells developed into a neocortex-like structure with no decline in viability over seven days. Researchers plan to enhance the device with valves and pumps, aiming for efficient, affordable drug testing and pathogen interaction studies.Argentinian biotechnology firm Stmm Biotech closed a $17 million Series A funding round to advance its 3D printed bioreactor development using its proprietary Brick Printing Technology and Sclereid 3D printer. The technology aimed to miniaturize traditional bioreactors into desktop-sized units, enhancing productivity by approximately 70 times.Funds were intended to support workforce expansion to around 200 employees and international growth. Led by Varana with participation from several investors, the funding brings Stmms total to $20 million at the time, with pilot-scale commercialization planned in 2022.What3D printing trendsshould you watch out for in 2025?How is thefuture of 3D printingshaping up?To stay up to date with the latest 3D printing news, dont forget to subscribe to the 3D Printing Industry newsletter or follow us on Twitter, or like our page on Facebook.While youre here, why not subscribe to our Youtube channel? Featuring discussion, debriefs, video shorts, and webinar replays.Featured image shows the fully assembled 3D-PBR system with the modular peristaltic pump and 3D printed cell culture media reservoir. Photo via LANL.Ada ShaikhnagWith a background in journalism, Ada has a keen interest in frontier technology and its application in the wider world. Ada reports on aspects of 3D printing ranging from aerospace and automotive to medical and dental.

Los Angeles sometimes faces derision for itslack of history, but one beloved element of its past is being revived in Culver City. As of last November, Helms Bakery, which baked and delivered bread to Angelenos from 1931 to 1969, is now back in action, this time as a market hall with a forthcoming all-day cafeand, of course, a bakery. To lead the project, Studio UNLTD channeled a bit of nostalgia when incorporating elements of the original industrial bakery space but largely pushed a design that looks more to the future than the past. To be able to pump life into something and give the district back its heritage was really the thing that drew me to this project, Greg Bleier, founding principal of Studio UNLTD, told AN. Bleier, a seasoned interior designer for revered area restaurants such as Bestia and Bavel, also jumped at the chance to work with the chef and restaurateur Sang Yoon, who spearheaded this latest addition to the Helms District, where he operates a location of his beloved restaurant Fathers Office amid design showrooms, retail shops, and an art bookstore.The new market and restaurant from chef Sang Yoon revives the name and location of a legendary Los Angeles bread brand that closed in 1969. (Stephen Paul)The chef is known in part for his obstinacy about condiments: His Office burger is famously served as is, topped with caramelized onion, bacon, and Gruyre, with no substitutions and no ketchup. At Helms Bakery, Yoon collaborated with Studio UNLTD more cordially, perhaps, though Bleier noted that the concept took some inspiration from the chefs appreciation of the popular upscale Erewhon markets; Bleier also indulged Yoons desire to include a vintage-style flipboard, which announces daily specials. (Yoons team operates the entire market.)Oak cladding skirts the front of the counters.(Stephen Paul)Otherwise, Studio UNLTD set out to design a flow that would allow customers to shop from Helms Bakerys various counters, picking up coffee and juice pastries, as well as provisions, in a seamless experience. Im a big fan of facades that step in, Bleier said with a laugh. The first thing I did was step the facade of the building to create a covered patio area so that [we] werent just pushing people out onto the street. From there, Studio UNLTD employed an eyebrow element to create a datum to define the stalls; branding from local firm folklor adds to the retro-chic vibe. Bleier and his team leveraged existing elements from the building, including a bow-trussed roof and skylights that bathe the space in light while incorporating what he referred to as the basic tectonics of architecture, like character oak cladding on the skirt fronting the counters, plaster finishings, concrete, glass, and steel. The 6,880-square-foot main floor is dotted with subtle art deco elements, while khaya mahogany planks were used to create custom checkout stands, a nod to the Helms Bakery delivery coaches and their wooden racks.Studio UNLTDs design for Helms Bakery features subtle art deco references, with like minded branding by folklor. (Stephen Paul)Studio UNLTDs designs spin the projects inherent nostalgia with a contemporary touch. The forthcoming cafe, Dinette, also from Yoon, will feature an entry with fluted-glass panels. Inside, antique mirror and glass frame the seating areas.Studio UNLTD aimed to celebrate the history of the Helms Bakery brand with elements such as antique-inspired mirrors while maintaining a fresh-looking design scheme. (Stephen Paul)The cleanliness and brightness and the simplicity of it is where that modernity shines, Bleier explained of the renovated Helms Bakery. Consider it a new addition that also creates another chapter in Los Angeless evolving history.Project SpecificationsDesign Architect: Studio UNLTDArchitect of Record: Oakes ArchitectsGeneral Contractor: WNM RealtyInterior Design: Studio UNLTDStructural Engineering: Reiss Brown EkmekjiElectrical Engineering: Creative Engineering GroupLighting Design: Studio UNLTDGlazing Contractor: Rubens Glass ServiceAV: SquareEye NetworksSignage/Wayfinding: FolklorWindows: Torrance SteelLighting: Neptune Glassworks, Lusive, Nuura, RejuvenationArchitectural Lighting: Amerlux, Core Lighting, Tivoli, BK Lighting, Columbia Lighting

All images courtesy of the National Park ServiceA Years-Long Collaboration Sees a Traditional Tlingit Tribal House Return to Glacier BayMarch 31, 2025Kate MothesPeople have lived in the area around modern-day Glacier Bay National Park, along Alaskas rugged southern coastline, for at least around 3,000 years. Nearby, in Groundhog Bay, evidence of human habitation extends back a mindboggling 9,000-or-more years.In the mid-18th century, advancing glaciers forced ancestral Huna Tlingit people to abandon their homes. While they could visit certain areas occasionally to hunt and fish, the evolving conditions and ice prevented them from living there. And when the area was designated a national monument in 1925, it seemed possible the displacement would be permanent.I never, ever thought that I would ever see the day, in my lifetime, that Tlingits could return to the Homeland, says local resident Jeff Skaflestad in the opening of the National Park Services short film, Sanctuary for the Future. But in 2016, thanks to many years work and a collaboration between the National Park Service and the Hoonah Indian Associationthe tribal government of the Huna Tlingit clansXunaa Shuk Ht marked a momentous homecoming.Both a space for tribal ceremonies and a nexus of living history, the house is a sacred place for the Indigenous community that also provides visitors the opportunity to learn about Huna Tlingit culture, history, and oral traditions.Xunaa Shuk Ht, which roughly translates to Huna Ancestors House, was brought to life by three Tlingit craftsmen: Gordon Greenwald, Owen James, and Herb Sheakley, Sr., who spent countless hours carving their ancestors stories into meticulously selected trees and wooden panels.In a large carving shed in nearby Hoonah, Alaska, the artisans, along with occasional help from friends and neighbors, worked on totem poles, boats, oars, and architectural details. Having Elders come in and talk with us, just to share with us, that was a highlight of my days, James says. Sheakley adds that as they began carving, it was an obvious decision to make their own tools, too, as a way of connecting to time-honored traditions.https://www.nps.gov/nps-audiovideo/audiovideo/70b705f7-d8a1-4a94-924d-803504e62921720p.mp4It was a collaboration between the clans, says tribal administrator Bob Starbard. We had to get the Elders to talk about what stories could be told, what crests should be on, in which order where everything should be located.Popular culture often misrepresents the purpose and subject matter of totem poles, erroneously attributing the figures to gods or mythical creatures. While aesthetically remarkable and complex, ancestral Tlingits didnt really even consider the motifs to be art. Instead, they are chapter titles to oral history, Greenwald says, often based on real things that have happened as opposed to mythical stories.In Xunaa Shuk Ht, the totems serve as structural supports, literally holding up the house and framing an elaborately carved wall, or screen, which portrays a geographical representation of different clans histories.Following the dedication in 2016, additional Raven and Eagle Totems were raised in front of the house in 2017, and Yaa Naa Nx Kooteyaa, the Healing Pole, was raised a little ways away, along the Tlingit Trail, in 2018. Plan your visit to Xunaa Shuk Ht and learn more about the Huna Tlingit Homeland on the parks website.Next article

Alsu - stock.adobe.comNewsUK law enforcement data adequacy at riskThe UK government says reforms to police data protection rules will help to simplify law enforcement data processing, but critics argue the changes will lower protection to the point where the UK risks losing its European data adequacy BySebastian Klovig Skelton,Data & ethics editorPublished: 31 Mar 2025 15:55 The UK government has introduced its Data Use and Access Bill (DUAB) to Parliament, but proposed reforms to police data protection rules could undermine law enforcement data adequacy with the European Union (EU).Currently going through the committee stage of Parliamentary scrutiny, theDUABwill amend the UKs implementation of the EU Law Enforcement Directive (LED), which is transposed into UK law via the current Data Protection Act (DPA) 2018 and represented in Part Three of the DPA, specifically.In combination with the current data handling practices of UK law enforcement bodies, the bills proposed amendments to Part Three which include allowing routine transfer of data to offshore cloud providers, removing the need for police to log justifications when accessing data, and enabling police and intelligence services to share data outside of the LED rules could present a challenge for UK data adequacy.In June 2021, theEuropean Commission granted data adequacy to the UKfollowing its exit from the EU, allowing the free flow of personal data to and from the bloc to continue, butwarnedthe decision may yet be revoked if future data protection laws diverge significantly from those in Europe.While Computer Weeklys previous reporting on police hyperscale cloud use has identified major problems with the ability of these services to comply with Part Three, the governments DUAB changes are seeking to solve the issue by simply removing the requirements that are not being complied with.For example, while the DPA 2018 does allow for overseas transfers to non-law enforcement recipients that is, cloud providers this is only permissibleHowever, in June 2024, Computer Weekly confirmed that UK policing data uploaded to Microsoft services is routinely sent offshore for some forms of processing, while IT support is provided on a global follow-the-sun model.To circumvent the lack of compliance with these transfer requirements, the government has simply dropped them from the DUAB, meaning policing bodies will no longer be required to assess the suitability of the transfer or report it to the data regulator.Commenting on the transfer issue during a DUAB debate in the House of Lords, Liberal Democrat peer Tim Clement-Jones highlighted how, as it stands, cloud service providers routinely process data outside the UK, and are unable to provide necessary contractual guarantees to policing bodies as required by Part Three: As a result, their use for law enforcement data processing is, on the face of it, not lawful.He added: The governments attempts to change the law highlight the issue and suggest that past processing on cloud service providers has not been in conformity with the UK GDPR [General Data Protection Regulation] and the DPA.Through the DUAB, the government has also expanded the list of lawful recipients to now include a processor whose processing is governed by, or authorised in accordance with, a contract with the controller that complies with section 59, which outlines key elements that must be contained in any contract between a law enforcement controller and processor.This includes specific details of the exact types of data, the categories of data subjects and the specific purpose of the processing, as well as explicit guarantees from the processor about how it will comply with all the requirements of Part Three.However, given the international nature of the data sharing that takes place on commodity hyperscale architecture, cloud providers are either unable or unwilling to make contractual guarantees that satisfy all aspects of Part Three.As Microsoft told the Scottish Police Authority (SPA), in relation to its Azure-hosted Digital Evidence Sharing Capability, the company cannot accept specific consent [to transfer data internationally] on a case-by-case basis as this would be impossible to operationalise.All of this effectively means that under the DUAB, the data can be routinely offshored to jurisdictions with lower data protection standards, without adherence to LED conditions around strict necessity.Similarly, while the LED provided a five-year grace period to ensure all legacy police systems could record justification logs for why a particular piece of information has been accessed with systems procured after May 2016 were required to have this capability from the start most policing systems in the UK still do not have this capability.Instead, the UK government has simply removed the requirement to record these justifications, arguing that the change will save police time and that the data has little evidentiary value because people are unlikely to record an honest justification anyway.According to Owen Sayers a long-term commentator on DPA Part Three compliance issues with more than 25 years of experience in delivering secure solutions to policing and the wider criminal justice sector changing the law in this way will permanently diverge UK law from the LED requirements.He added that while UK police have been breaking the law in practice since the DPA came into effect in May 2018, the law they were breaking was at least aligned to those in the European Union.Even though in practical terms the UK hasnt actually been protecting personal data as theyre required to under the LED, their law did at least give recourse to a data subject to take action about this processing (even if no one actually did so), he said.Once DUAB comes into force, however, the landscape has totally changed. Not only will UK law enforcement bodies be sending massive amounts of personal data (including a lot of data about EU citizens) offshore to a range of countries not deemed adequate by the EU, but UK law will have change to make it legal for them to do so.By making these changes under DUAB, the government have thrown into sharp relief that law enforcement bodies are breaching the law today theyve literally confirmed it by modifying the law to give Microsoft and AWS this special status.Computer Weekly contacted the Home Office about the threat to the UKs LED adequacy created by the governments proposed changes to the law enforcement data protection regime.We have introduced some targeted amendments in the Data Use and Access Bill to improve public trust and to drive up law enforcement efficiency by simplifying the legislation. We are committed to data adequacy and had the UKs adequacy decisions in mind when producing this bill, said a spokesperson. Any changes to our data protection regime must not come at the expense of security, and high standards of protection will continue to be applied.A Home Office source told Computer Weekly that that the use of cloud providers in particular has caused some confusion, and that measures contained within the bill are intended to give law enforcement the confidence to use cloud processors. However, they said the use of cloud services must not come at the expense of security and high standards of protection will continue to be applied.Read more about police technologyDriving licence data could be used for police facial recognition: The governments Crime and Policing Bill could allow police to access the UK driving licence database for use in facial recognition watchlists, but the Home Office denies biometric data would be repurposed in this way.Axon still in possession of Police Scotland encryption keys: Suppliers possession of encryption keys for Police Scotland data sharing system opens potential for access and transfer of sensitive data without the knowledge or consent of the force.UK police forces supercharging racism with predictive policing: Amnesty International says predictive policing systems are supercharging racism in the UK by taking historically biased data to further target poor and racialised communities.In The Current Issue:Can a future digital NHS survive another change?Digital twins drive efficiency across machines and infrastructureDownload Current IssueWhat to expect from Atlassian Team 25 conference CW Developer NetworkSLM series - Nooks: Downsizing AI without shrinking its smarts CW Developer NetworkView All Blogs

The UK government says reforms to police data protection rules will help simplify law enforcement data processing, but critics argue the changes will lower protection to the point where the UK risks losing its European data adequacy.Currently going through the committee stage of Parliamentary scrutiny, the Data Use and Access Bill (DUAB) will amend the UKs implementation of the European Union (EU) Law Enforcement Directive (LED), which is transposed into UK law via the Data Protection Act (DPA) 2018 and represented in Part Three of the act specifically.In combination with the current data handling practices of UK law enforcement bodies, the bills proposed amendments to Part Three could present a challenge for UK data adequacy.The DUAB changes the law to allow routine transfer of data to offshore cloud providers, remove the need for police to log justifications when accessing data, and enable police and intelligence services to share data outside of the LED rules.In June 2021, theEuropean Commission granted data adequacy to the UKfollowing its exit from the EU, allowing the free flow of personal data to and from the bloc to continue, butwarnedthe decision may yet be revoked if future data protection laws diverge significantly from those in Europe.While the government argues that its reforms will simplify police data processing, critics say the proposals represent enough of a divergence from EU law that it will likely undermine the UKs LED adequacy.They add that many of the governments changes to police data protection rules are a response to a widespread lack of compliance with key provisions in the DPA 2018, such as the need to log justifications when accessing data or implement controls that limit the offshoring of sensitive law enforcement data to non-law enforcement bodies, including cloud providers.Computer Weekly contacted the Home Office about every concern raised, and the threat to the UKs LED adequacy created by the governments proposed changes to the law enforcement data protection regime.We have introduced some targeted amendments in the Data Use and Access Bill to improve public trust and to drive up law enforcement efficiency by simplifying the legislation. We are committed to data adequacy and had the UKs adequacy decisions in mind when producing this bill, said a spokesperson.Any changes to our data protection regime must not come at the expense of security, and high standards of protection will continue to be applied.In exiting the EU, the UK became a third country under the blocs rules, which means the European Commission (EC) will have to periodically assess whether the countrys data protection framework and practices provide an essentially equivalent level of protection for EU citizens data.The EC will therefore have to make two separate adequacy determinations under both the General Data Protection Regulation (GDPR) and LED by the end of June 2025.Data protection experts previously claimed to Computer Weekly in February 2021 that any adequacy decision made under the LED would be principally political in nature if it fails to directly address how the data practices of the UKs criminal justice sector and intelligence services undermine the data and fundamental rights of EU citizens. If this is not addressed, they said a positive adequacy decision could be open to legal challenges in the European courts.In October 2024, the UK Parliaments European Affairs Committee (EAC) in a warning about the risks of the UK losing its data adequacy highlighted many of the same issues as the experts Computer Weekly spoke to, noting these would be of interest and potential concern to both the EC and European Court of Justice (CJEU) as they consider the UKs adequacy statuses.This includespotential divergenceon data protection standards that would make it harder for people to exercise their data rights;the possibility that the UK government undermines end-to-end encryption; theindependence and effectiveness of the Information Commissioners Office(ICO); aspects ofthe UKs national security regime under the Investigatory Powers Act 2016, including data collection and retention, surveillance powers and practices, and the role of the Investigatory Powers Tribunal; and any legal cases which provide grounds for concern about UK data protection standards.The EAC also highlighted potential risks posed by onward transfers of data from the UK to other third countries, including under the UK-US Cloud Agreement.However, the EACs findings were published a day before the DUAB was announced, and two days before the text was published online, meaning its inquiry focused on the previous governmentsData Protection and Digital Information (DPDI) Bill which was dropped from the legislative agenda during the UKs pre-general election wash up period.While the ECs adequacy decision will rest on the exact contents of DUAB for which there is still no official Keeling Schedule it will be looking to assess whether the framework provides an essentially equivalent level of data protection for EU citizens data.While some of the more controversial measures contained in the previous DPDI Bill including removing the need for data protection impact assessments and abolishing the dual biometrics and surveillance camera commissioner role have been dropped in the DUAB, many aspects of it have been carried over.There are also a number of new measures that may create fresh adequacy-related problems, particularly changes to the international data transfer regime for police.While an amendment to the DUAB was tabled by Liberal Democrat peer Lord Clement-Jones that would have required the secretary of state to carry out a formal impact assessment of the bill concerning the UKs data adequacy, government ministers argued against it during the Lords first committee stage on 16 December 2024.Responding to Clement-Jones during that debate, Baroness Jones, parliamentary under-secretary of state at the Department for Science, Innovation and Technology (DSIT), said maintaining adequacy was a priority for the government, noting that the free flow of personal data with the EU is vital to research, innovation and safety.For that reason, the government is doing all that it can to support its swift renewal. I reassure noble Lords that the bill has been designed with EU adequacy in mind, she said.The government has incorporated robust safeguards and changed proposals that did not serve our priorities and were of concern to the EU. It is, though, for the EU to undertake its review of the UK, which we are entering into now. On that basis, I suggest to noble Lords that we should respect that process and provide discretion and not interfere while it is underway.A similar position has been adopted by information commissioner John Edwards, who in response to the DUAB said: Whilst ultimately a decision for others, in my view the proposed changes in the bill strike a positive balance and should not present a risk to the UKs adequacy status.However, the position of the UK government and ICO differs significantly from the views of a number of specialists familiar with both the EU LED and the UK DPA Part Three. Computer Weekly contacted the Home Office about what robust safeguards have been put in place, and which DUAB proposals have been changed that were of concern to the EU, but received no response on this point.Chris Pounder director of data protection training firm Amberhawk wrote in a blog post that the DUAB would allow the secretary of state to designate that certain police datasets can become subject to Part Four national security rules, rather than Part Three law enforcement rules, over which the ICO has limited enforcement powers.The proposal has the effect of taking large volumes of personal data out of the UKs data protection regime, he wrote.Part Four processing is also completely separate from the LED or GDPR and has no equivalent in EU law, effectively lifting police data out of the scope of EU law in instances where the secretary of state decides police and intelligence bodies can share the data. The [DUAB] proposal has the effect of taking large volumes of personal data out of the UKs data protection regime Chris Pounder, AmberhawkComputer Weekly contacted the Home Office about the removal of policing data from the data protection regime, but received no on-the-record response on this point.Pounder further noted that while the ICO is being abolished in favour of the Information Commission, the problem remains in the DUAB that the secretary of state will be able to appoint the most important members of the Commission, which has the potential to give them undue influence over the new bodys decision-making processes.The Commission still has to have regard for: the desirability of promoting innovation and competition; the importance of the prevention, investigation, detection and prosecution of criminal offences; and the need to safeguard national security, he wrote. In other words, these regards could fetter decisions to protect the privacy of data subjects.Pounder added the DUAB will also permit the secretary of state to apply a data protection test when considering whether a country, part of a country, or a controller located in a country offers an adequate level of protection.He said the provisions will increase the risk of divergence from EU transfer standards if the EC and UK government have differing views on what adequate means here. Also I dont understand how a country is not deemed adequate, but a controller, processor, or recipient located in that country is, Pounder added.While the UK has already taken steps to award its own law enforcement adequacy to countries not recognised by the EU including the Isle of Man, Jersey and Guernsey the EU has not yet reacted to these changes.Thomas Barrett, a partner at CyXcel who leads the organisations data protection and privacy practice, and has previously advised the Home Office and Ministry of Justice on compliance with the DPA 2018, said there are certain scenarios where specialist police units within forces may have to collaborate with intelligence services for particular operations for example, in terrorism cases where intelligence services have information but no power of arrest as police do adding while it raises red flags I would be surprised how many of these are made.He added that in cases where this power is used, it has the potential to be more targeted, more proportionate, and safer, because only one set of data protection requirements would apply to this processing, rather than potentially three currently.As a result, Barrett said the changes being made to UK law via the DUAB are very unlikely to materially affect the countrys LED adequacy.It would be counter-productive to remove adequacy over such small changes theres so much [law enforcement] cooperation. Looking at the detail, I struggle to see how you really make hay of a lot of it.He said the real risk to LED adequacy therefore lies at the political level, which will be decided between the EC and the UK government.Independent privacy consultant Owen Sayers, a long-term commentator on DPA Part Three compliance issues with more than 25 years of experience in delivering secure solutions to policing and the wider criminal justice sector, said for the first time UK legislation would place individual data processors such as cloud providers on the same broad footing as overseas law enforcement organisations, exempting them from the list of mandatory transfer conditions outlined in Article 39 of the LED.This includes that the transfers be strictly necessary, that no data subject rights override the public interest of the transfer, that transferring to another policing body or competent authority in LED parlance would be ineffective, and that the controller provides specific instructions of how to process the data in that particular case.Under the UKs current law enforcement-specific data protection rules, police data controllers are bound by the DPA 2018s stringent transfer requirements, which fully mirror EU law.This means that, as it stands, each individual law enforcement data controller must ensure that a contract in writing exists between itself and the data processor, which sets out details of the processing, including its duration, nature, and the type and categories of personal data involved. To be valid, the contract or terms of service must be explicit in how they meet the DPA requirements.Police data controllers are also required to ensure the processor seeks and receives permission before transferring data to a third country, for each particular transfer made. This means each transfer must be assessed on a case-by-case basis.Police data controllers are further required to perform a case-by-case analysis and justification for all personal data offshored to such processors, and to report this to the ICO. Although police forces have used Microsoft and Amazon Web Services services for the past six years meaning millions of these transfers will have taken place the ICO revealed in a Freedom of Information (FoI) response to Sayers that only 148 such notifications had been received up to June 2023.As previously reported by Computer Weekly, the use of hyperscalers under current UK law presents a number of data protection concerns, including US government access via the countrys invasive surveillance laws, and an inability to comply with the strict transfer requirements contained within the DPA 2018.In June 2024, Computer Weekly reported details of discussions between Microsoft and Scottish policing bodies obtained via FoI rules in which the tech giant admitted it could not guarantee the sovereignty of UK policing datahosted on its hyperscale public cloud infrastructure.As a result of these FoI responses, Sayers said the law is breached far more often than it is adhered to: The evidence to show that multiple parts of the Part Three legislation are consistently breached or simply ignored by policing and their justice partners is overwhelming. In truth, the number of organisations who do apply the law as its currently written is less than a handful, though those that do so do it very well.Mariano delli Santi, legal and policy officer at the Open Rights Group (ORG), said these issues mean it is an open question whether cloud providers can adhere to Part Three requirements in practice. Given the issues around sovereignty, is a cloud provider able to enforce the contractual agreements entered into with the police? I think thats an issue that would cause concern, he said.Since the re-election of Donald Trump, delli Santi pointed out that the US government has broken several adequacy-related commitments made to the EU around enhancing scrutiny and ensuring the proportionality of their intelligence services operations.The Trump Administration fired members of the Privacy and Civil Liberties Oversight Board, and then doubled down with the Federal Trade Commission. Both bodies were fundamental pieces of the EU-US Data Protection Framework [DPF] which, at this point, is quite certain to be struck down by the CJEU, he said, adding the UK-US Data Bridge, which acts as an extension of the DPF, will also go down if the EU invalidates the framework.It has now become obvious that the EU-US DPF will not last for long, and it has just as obviously become unfeasible to rely on US cloud providers for storing personal data unless you are willing to compromise the security and sovereignty of the data you transfer. Indeed, European lawmakers have already started to discuss this.Based on all the above, it is now a fact that relying on US cloud services constitutes a threat to the sovereignty, security and autonomy of the UK. Until now, this has been treated as a risk-mitigation issue at best, or something to be swept under the carpet at worst.Highlighting the lack of clarity from the UK data regulator around cloud data sovereignty and the applicability of standard contractual clauses in this context, delli Santi said this has created a grey area in which transfers have been allowed to continue.The UK government, on their side, have tried to formalise this approach with the DUAB, which introduces a new data transfer regime specifically designed to accommodate the ICOs tolerant approach toward data transfers that lack effective safeguards, and allow data transfers to countries such as the United States by sidestepping human rights and data security concerns.He added that the UK needs an exit plan to progressively cut reliance on US digital infrastructure and services and we need this plan fast, which includes contingencies to move away holding companies or subsidiaries of US firms geographically based in Europe, which still fall under US jurisdiction. Given the issues around sovereignty, is a cloud provider able to enforce the contractual agreements entered into with the police? I think that would cause concern Mariano delli Santi, Open Rights GroupAny of these companies are under an obligation to cooperate with law enforcement and international security authorities in the United States, which can be ordered to hand over data without necessarily having to tell the contracting party, said delli Santi.According to the governments explanatory notes published for the DUAB in October 2024 (paragraph 1022), Schedule 8 of the bill seeks to widen the transfer conditions by expanding the list of intended recipients to specifically include processors acting on behalf of, and in accordance with a contract with, a controller.It added that while transfers to processors in third countries are currently permissible, this amendment clarifies the existing law and provides legal certainty to UK controllers that they can transfer personal data to their processors operating outside of the UK.The explanatory notes also specify that the DUAB will no longer require controllers to notify the commissioner on each occasion data is transferred; it simply requires notification of the categories of information that will be transferred.Microsoft and Police Scotland case studyThere are long-running concerns that the current rules around data transfers are not being followed by a range of UK police data controllers given the routine nature of data transfers in hyperscale public cloud architecture for processing and support purposes.For example, in April 2023, Computer Weekly revealedtheScottish governments Digital Evidence Sharing Capability(DESC) service contracted to body-worn video provider Axon for delivery and hosted on Microsoft Azure was being piloted by Police Scotland despite a police watchdog raising concerns about how the use of Azure would not be legal.Specifically, the police watchdog said there were a number of other unresolved high risks to data subjects, such as US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsofts use of generic, rather than specific, contracts; and Axons inability to comply with contractual clauses around data sovereignty.In June 2024, Computer Weekly reported details of discussions between Microsoft and the Scottish Police Authority (SPA), in which the tech giant admitted it cannot guarantee the sovereignty of UK policing datahosted on its hyperscale public cloud infrastructure.Specifically, it showed that data hosted in Microsoft infrastructure is routinely transferred and processed overseas; that the data processing agreement in place for DESC did not cover UK-specific data protection requirements; and that while the company claimed it has the ability to make technical changes to ensure data protection compliance on transfers, it is only prepared to make these changes for DESC partners and not other policing bodies because no one else had asked.The documents also contain acknowledgements from Microsoft that international data transfers are inherent to its public cloud architecture, and that limiting transfers based on individual approvals by a police force as required under DPA Part Three cannot be operationalised.Computer Weekly also revealed in December 2024 that Axon headquartered in the US and therefore directly subject to its surveillance laws is still in possession of the encryption keys for DESC, opening up the potential for access and transfer of sensitive data without the knowledge or consent of Police Scotland.In June 2021, the European Data Protection Board (EDPB) debunked the idea that encryption is an effective safeguard when the data is either decrypted for processing in the cloud, or the keys are otherwise held by a technology service provider.For example, the EDPB noted that when cloud service providers require access to data in the clear for processing i.e. unencrypted, which is every time they need to process text data because there are currently no technologies that enable in the clear processing on this type of information transport encryption and data-at-rest encryption, even taken together, do not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys.However, Sayers argued that even if the US government does utilise its various surveillance laws to gain access to UK data, the transfers would be unlawful anyway as UK law lays down a series of specific steps that must be followed for each and every transfer of a specific piece of personal data under Part Three.These steps are not being followed, and Microsoft has made clear that they cannot be followed actually, theyve said impossible to operationalise. Because the steps laid down in the DPA 2018 Part Three are not and cannot be followed, that is one of the main reasons why the processing being done on these clouds is in breach of UK law, he said.It makes zero difference if the US government bogeyman tries to use the Cloud Act to look at the data or not, as the data was illegally transferred regardless of the Cloud Act. The steps laid down in the DPA 2018 Part Three are not and cannot be followed [which is] one of the main reasons why the processing being done on these clouds is in breach of UK law Owen Sayers, independent privacy consultantHe added: The intention [of the new DUAB] is to put non-UK processors principally hyperscalers on the same broad legal footing as overseas law enforcement organisations.He pointed out that the bill would enable UK policing bodies to send data overseas to offshore processors with minimal restrictions. The bill actually puts overseas processors above overseas law enforcement processors, in the respect that it completely removes obligations to record what data is transferred to them, inform the ICO or make any assessments as to whether a particular transfer is safe and consider the data subjects rights in advance of sending the data.Sayers added that while these and other changes to Part Three would be directly contradictory to EU law, the most likely outcome would be the CJEU finding that the UK regime falls far below EU standards and thus moves to block UK data transfers.He further added that individual member states may also deem UK laws to be too divergent from their domestic laws to continue to send data, noting the chance of this is high given there are 27 member states, each with their own implementation of the LED.You can 100% use cloud for law enforcement data, but it needs to be sovereign and fully conformant with the law. If you need to change the law to accommodate a specific provider, then youve picked the wrong supplier.Computer Weekly contacted the Home Office about the changes to the law enforcement data transfer regime, and UK policings track record of non-compliance with existing data rules via its use of hyperscalers.A Home Office source told Computer Weekly that the use of cloud providers, in particular, has caused some confusion, and that measures contained within the bill are intended to give law enforcement the confidence to use cloud processors. However, they said the use of cloud services must not come at the expense of security, and high standards of protection will continue to be applied.Clement-Jones highlighted how cloud service providers routinely process data outside the UK and are unable to provide necessary contractual guarantees to policing bodies, as required by Part Three. As a result, their use for law enforcement data processing is, on the face of it, not lawful, he told the House of Lords.He added this non-compliance creates significant financial exposure for the UK, including potential compensation claims from data subjects for distress or loss, something that is exacerbated by the sheer volume of data pressed by law enforcement bodies: If only a small percentage of cases result in claims, the compensation burden could reach hundreds of millions of pounds annually.Clement-Jones concluded that the governments attempts to change the law suggest that past processing on cloud service providers has not been compliant with the relevant data protection laws.As a result, he proposed an amendment to bring attention to the fact that there are systemic issues with UK law enforcements new use of hyperscaler cloud service providers to process personal data, which would strictly limit overseas transfers to law enforcement bodies with a legitimate operating need that is, not cloud service providers.While the Lords were not invited to take a decision on Clement-Joness hyperscaler amendment, government minister Baroness Jones said the DUABs bespoke path for personal data transfers from UK controllers to international processors is crucial [as] we need to ensure that law enforcement can make effective use of them to tackle crime and keep citizens safe. One of the biggest problems in data protection is a lack of understanding and clarity [so] anything that can make it clearer and easier to follow can only be a good fit Thomas Barrett, CyXcelShe added the aim of the DUABs reform around international law enforcement transfers is to provide legal clarity in the bill to law enforcement agencies in the UK so that they can embrace the technology they need and make use of international processors with confidence.She added: Such transfers are already permissible under the legislation, but we know that there is some ambiguity in how the law can be applied in practice. This reform intends to remove those obstacles. The noble Lord would like to refrain from divergence from EU law. I believe that in this bill we have drafted the provisions, including this one, with retaining adequacy in mind.Barrett said the DUAB will clarify the law in ways that make it easier to put in place contractual provisions and other measures that adequately protect the data: One of the biggest problems in data protection generally, but particularly here, is a lack of understanding and a lack of clarity anything that can make it clearer and easier to follow for individuals that have to apply this stuff can only be a good fit.Sayers made a similar argument, noting that while many data protection practitioners believe the EU or UK GDPR to be the gold standard of legislation, they simply fail to recognise that GDPR has a sister piece of legislation in the LED that is sufficiently different that you cannot apply GDPR thinking to it.He added: This is a problem I see day in, day out, where a GDPR hammer is used to try to fix an LED nail, and even the ICO is not immune to confusing the two different sets of laws.According to delli Santi, the approach to transfers under the DUAB as it stands is formalising an approach that has already been changed. He added that given the deep commercial, governmental and cultural ties between the UK and EU, the impact of divergence is amplified significantly.The DUAB as introduced will also seek to remove the statutory logging requirements of Part Three, which would allow police to access personal data from various police databases during investigations, without having to manually record the justification for the search.The removal of police logging requirements, however, could represent a further divergence from the EUs LED, which requires logs to be kept detailing how data is accessed and used.The logs of consultation and disclosure shall make it possible to establish the justification, date and time of such operations and, as far as possible, the identification of the person who consulted or disclosed personal data, and the identity of the recipients of such personal data, says the LED.Clement-Jones told Computer Weekly that if the law changes to allow police data transfers to, and processing in, infrastructure not owned or controlled by UK bodies, it could absolutely be a problem for the UKs LED adequacy retention. He added that given these clear access and control issues, the potential removal of police logging requirements is egregious.Computer Weekly contacted DSIT about the removal of the logging requirements and whether it believes this measure represents a risk to the UK being able to renew its LED adequacy decision in April 2025, but DSIT declined to comment on the record.Speaking during the 16 December Lords debate on the bill against the removal of justification logging requirements, Clement-Jones said: The public needs more, not less, transparency and accountability over how, why and when police staff and officers access and use records about them.He added that while policing systems typically capture when, how and by whom data has been accessed, they very rarely capture the justification. This is despite the fact that Article 63 of the LED provided a grace period from May 2018 to May 2023 for member states to implement justification recording mechanisms to bring their legacy systems into compliance with the directive new systems procured from May 2016 onward were required to comply from the start.To alleviate the issue, Clement-Jones tabled a further amendment to ensure the logging requirements remain, which would prevent material divergence from the EU Law Enforcement Directive; although this was also withdrawn.He also highlighted that many commodity IT solutions procured by policing organisations do not capture justifications by default, noting that while a transitional relief period was put in place with the introduction of DPA 2018 to modify legacy systems installed before May 2016 later extended to May 2023 UK law enforcement bodies did not in general make the required changes.Nor, it seems, did it ensure that all IT systems procured after 6 May 2016 included a strict requirement for LED-aligned logging. By adopting and using commodity and hyperscaler cloud services, it has exacerbated this problem, he said, noting the government now wishes to strike the justification requirements completely.This is a serious legislative issue on two counts: it removes important evidence that may identify whether a person was acting with malicious intent when accessing data, as well as removing any deterrent effect of them having to do so; and it directly deviates from a core part of the law enforcement directive and will clearly have an impact on UK data adequacy.DSIT claims that removing the logging obligation will save 1.5 million police officer hours a year and save 42.5m for the public purse, but Sayers pointed out that the published impact assessments dont so far evidence these claims.The reality is that most police IT systems dont have the means to capture the required data, said Sayers, who was previously involved in the design and delivery of many UK national police systems.The factsheets identify this technology problem, which exists on cloud as well as legacy systems like the PNC [Police National Computer], but instead of addressing the issue the government simply want to strike the difficult bits out of the act.He added: The real reason they dont want to capture the information is theyve failed to invest any money in upgrading the legacy IT, and the new systems theyve adopted dont capture that information by default and cant be made to do so.DSIT claims that capturing justification is likely to be of little use in a misconduct investigation, but Sayers poured cold water on this.Public trust, the safety of vulnerable people, as well as the protection of police staff from claims of improper conduct, all rest on being able to prove that access to data was legitimate, he said.Home Office figures show police staff misuse of data to be a significant issue, with 1,630 recorded cases investigated in the year to March 2023, the last figures available.However, Barrett said the removal of justification logging is not a problem, adding its more important to have the ability to track who accessed data and when, because if youre a bad actor youre not going to put down the real reason if youve already got access to these kinds of systems, youre not an idiot, and so youre going to put something like routine checks or some other bland, uninteresting, non-determinative thing.He further added that inputting justifications only increases the administrative burden on police, and that while it is very common, even in much older computer systems, to be able to log time and dates, many systems are simply not architected to record justification.He added: Wed be much better off making sure that all the systems are really good at recording time and access, because the reality is, in your investigation, thats going to be the thing that youre looking at. Not whatever fanciful thing a bad actor has decided to enter as the fake justification for the access.During the DUAB debate, Baroness Jones insisted the removal of logging requirements is not a watering down of provisions. We are just making sure that the safeguards are more appropriate for the sort of abuse that we think might happen in future from police misusing their records.While the DUAB has since progressed to readings in the House of Commons, the police data issues were not addressed outside of vague references to reducing the administrative burden on police officers. It is currently in the committee stage, which will be followed by the report stage and a third reading.So far, the police data issues have not been discussed during the committee stage.Read more about police technologyDriving licence data could be used for police facial recognition: The governments Crime and Policing Bill could allow police to access the UK driving licence database for use in facial recognition watchlists, but the Home Office denies biometric data would be repurposed in this way.Axon still in possession of Police Scotland encryption keys: Suppliers possession of encryption keys for Police Scotland data sharing system opens potential for access and transfer of sensitive data without the knowledge or consent of the force.UK police forces supercharging racism with predictive policing: Amnesty International says predictive policing systems are supercharging racism in the UK by taking historically biased data to further target poor and racialised communities.