From back office to business critical: Why information management should be a core policing function

In August last year, the Police Service of Northern Ireland suffered a historic data breach. The personal information of nearly 10,000 police employees was accidentally published online, including their names, locations, and departments.

This was, according to a review by Temporary Commissioner Pete O’Doherty, National Police Chiefs’ Council (NPCC) Lead for Information Assurance and Cyber Security, “the most significant data breach that has ever occurred in the history of UK policing.”

Given Northern Ireland’s complex political history, it was also one which threatened the physical safety of these police officers and staff.

The incident highlighted the severe consequences that can result when policing fails to protect its data. From the details of live investigations and the intimate testimonies of victims, to the personal information of those working to protect the public, the sheer scale and sensitivity of the information held by policing is remarkable.

At the same time, if the data held by policing can be used correctly, it can provide the foundation for new technology and artificial intelligence (AI), or inform more precise approaches to targeting serious crime.

‘Outvoiced and outnumbered’

And yet, policing still doesn’t focus enough on this essential area. In a major new Policing Insight report commissioned by Capita – From back office to business critical: Why information management should be a core policing function – we explore why this function isn’t given the attention it deserves.

Download the FREE access report

Based on interviews with senior police leaders, regulators, and experts with decades of experience both inside and outside policing, it takes a deep-dive into what’s going wrong and the implications of this for modern policing.

The report finds that information management staff don’t have an influential role in decisions made at force level. In fact, according to Aimee Smith, Director of Data at the Metropolitan Police and Chair of the National Police Data Board, they are “completely outvoiced and outnumbered” within policing.

Giles Herdale, an Associate Fellow at RUSI and an independent expert in digital investigation and data ethics, agrees, arguing that: “Information management is not seen as frontline policing activity. It’s seen as a back-office function and, by definition, something that is a lower priority.”

This is compounded by structural problems in how information management is approached across England and Wales, according to interviewees. This includes limited current and past investment, the messy development of police IT systems creating technical debt, weak and outdated central guidance, and enormous variation in local practice in this domain.

The fact that policing is designed around a “Victorian structure”, in the words of former NPCC Lead for Data Compliance Stuart Hyde, makes it even more difficult for policing to get this right.

And though there are some examples of best practice around information management, complying with data regulation is only getting harder for policing. Even with so-called ‘grandfather rights’ in operation – which give extra time for police IT systems to comply with the Data Protection Act – forces are failing to prepare properly for these rules to come into effect.

As Aimee Smith told Policing Insight: “Whatever force it is – whether small, medium or large – they haven’t been doing their due diligence in anticipation of the grandfather rights [expiring].”

She added that there’s a risk that policing is “sitting on a ticking time bomb… the risk is that, as data-savvy solicitors and criminals understand [that we’re starting to use information we shouldn’t hold], they’ll go after process in court and we’ll start to lose cases”.

Enormous potential

In other words, information management is critical – complying with data regulation is essential to convicting criminals. But this is no easy task, considering the amount of material held by policing.

The Police National Database currently contains 2 billion records from 220 individual databases maintained by over 50 law enforcement bodies. As of 2021, the Police National Computer contained records relating to a total of around 13 million people.

The opportunities to leverage information like this are genuinely enormous, especially in the age of AI. We’ve seen constant calls from the Policing Minister, for example, to use facial recognition on police databases to catch criminals.

But the risks are just as significant. The danger is that policing is being too reactive in this area: it’s waiting for a crisis, ignoring the problem until it’s simply too late.

It’s for this reason that information management must be viewed as a business-critical part of policing. As Stephen Russell, Director of Data, Strategy and Technology at Warwickshire Police, stated: “Data management is like painting the Forth Bridge. It’s a constant energy and effort… data quality and governance are parts of your business that you will always need to be focusing on.”

For policing to get back on track, it needs to shift its approach – and do so now.

You can read our FREE access full in-depth thematic report, ‘From back office to business critical: Why information management should be a core policing function’ here.