Cops hacked the Police National Computer to unlawfully retain suspects' biometric data

Police employees have been hacking the Police National Computer to unlawfully retain suspects' biometric data, it has emerged.

The manipulation of the national IT system has come in response to public demands to restrict the length of pre-charge bail, the Biometrics Commissioner has suggested.

In his 122-page annual report (PDF), the commissioner noted that it had become “not uncommon” for the police to release suspects in ongoing investigations without officially placing them on bail, as the forces “clearly feel under pressure” to meet the Home Office's guidance to bring charges within 28 days of an initial arrest.

Police databases are set up to automatically delete the biometrics data of people who are released without being put on bail. In some cases in which investigations are ongoing, although suspects have been released from custody, the police have taken to manipulating their systems to subvert the automatic deletion process – and in three situations, the commissioner believed this to be unlawful.

Many police forces have custody IT systems, which are synchronised with the Police National Computer (PNC), the UK's centralised collection of databases accessible to a broad range of law enforcement and investigatory authorities in the country.

When a police force releases an arrestee without placing them on police bail, their custody IT systems will either close or cancel that arrestee's bail record. This automatically generates a No Further Action (NFA) entry on the PNC, for which the automated procedure is to quickly delete the arrestee's biometric records from the relevant national databases, although there is a procedure for retaining that data, even in situations when the arrestee has no previous convictions.

The commissioner wrote that the automatic deletion “will happen even in circumstances where no decision has actually been made about the case and the arrestee has specifically been told that he or she remains under investigation.”

In his annual report, he stated:

Over the past few months I have become aware of a number of cases where biometric material has been lost – or at risk of loss – as result of this problem and I have little doubt but that there have been numerous other cases in which, by this route, unnecessary (and probably unnoticed) deletions have been triggered unwittingly by forces.

Breaking the law to uphold it

Not all of such information is being lost, however. Some forces are savvy to the issue and have hacked the PNC in different ways to avoid the deletion of suspects' biometric data, despite those suspects not being on police bail.

Explaining these hacks, the commissioner noted that some forces “manipulate the interface between the force custody system and the PNC so as to ensure that the closure of the custody record does not automatically update the relevant PNC record as NFA,” while others “allow the custody record automatically to update the PNC with an NFA disposal but then immediately manually amend that PNC disposal so as to remove the NFA disposal and to show the case as still pending.”

In some cases, forces have allowed “the custody record automatically to update the PNC with an NFA disposal but then immediately add a ‘Biometrics Commissioner’ or other ‘marker’ to the PNC record to ensure that the biometrics are retained.”

The “Biometrics Commissioner” marker, also known as a UZ marker, informs the PNC not to delete the data held as it may be being referred to the commissioner, for purposes such as getting a National Security Determination to extend the length of time that the data may be held.

There have been “numerous instances of the inappropriate use of a UZ marker,” however. The commissioner reported “a recent instance in relation to a police force which had for some months had three UZ markers present on the PNC in circumstances where no application had been made or notified to me.”

Although these markers have now been removed after numerous prompts to the force concerned, it seems almost certain that the relevant biometrics were being held unlawfully through much of that period.

While acknowledging that police are, in many of these instances, “feeling the pressure” to reduce the length of time in which suspects are held on police bail, the commissioner did not explicitly refer to reforms that the Home Secretary announced last year. Largely in response to protracted investigations such as Operation Yewtree, the Home Office waved around a statutory expectation that pre-charge bail would last less than 28 days.

At the time, Home Secretary Theresa May said: “It is simply not acceptable for individuals to spend months and in some cases years on pre-charge bail, with no system of review, only for charges never to be brought against them.”

The commissioner stated he had “repeatedly raised this 'no bail' problem with Home Office officials and others” and called for “appropriate guidance” to be issued regarding “the propriety/acceptability of releasing arrestees otherwise than on bail in circumstances where they are still under investigation.” ®