Police Scotland's technology department is understaffed and could lack appropriate safeguards against data breaches and IT disasters, the public spending watchdog has warned.
Audit Scotland has identified multiple challenges and services which "may be exposed to significant risk" in Police Scotland's ICT department.
The department has "a lack of available capacity and capability of suitably skilled resource" with "skill deficiencies in certain areas", it found.
Staff do not have "comprehensive knowledge" of all systems, meaning records could be deliberately or accidentally lost - an offence which carries the penalty of a £500,000 fine.
The force also has no system to track the cost of cyber attacks, it found.
Audit Scotland said the department delivers a "good quality service" but said "at a time of financial austerity there is both the necessity to rationalise and the challenge to invest in new technological solutions".
Management have agreed to develop an improvement plan to address these challenges.
Audit Scotland said: "There were approximately 50 vacancies within the structure and management were actively recruiting.
"However, the recruitment and retention of suitably skilled staff continues to be a challenge.
"This is attributed to public sector salary scales and the time taken for staff vetting."
The ICT department relies on contractors for key projects but this creates a risk of over-reliance on external parties, can add to cost, and limits the development of in-house knowledge, Audit Scotland said.
Police Scotland recently received Cabinet Office accreditation to access the Public Services Network, which allows public bodies to share data throughout the UK.
Accreditation is reviewed annually to ensure organisations are protected from internal or external threats.
Audit Scotland said the ICT department may not have appropriate measures to prevent records being lost or removed.
It said: "The ICT department acknowledges that they do not currently have a comprehensive knowledge of all software, physical or information assets across the estate due to numerous historic records of varying degrees of accuracy.
"As a result, the ICT department may not be aware of all business critical information resources and may not have the most appropriate measures in place to protect them against deliberate or accidental loss."
Auditors found "no structured approach to increase and maintain staff awareness of good information security procedures and practices".
It added: "Data loss incidents in Scotland over the last few years have been shown to generate a lot of negative press coverage.
"Aside from the reputational damage this may cause, the powers of the Information Commissioner's Office which investigates data protection breaches have increased and this can result in significant fines of up to £500,000.
"It should be noted that SPA and Police Scotland have not had any fines."
Audit Scotland said the delivery of full disaster recovery plans is "a key challenge".
It said: "Legacy plans do not exist for all business critical systems. ICT contingency and disaster recovery plans are being developed by the IT resilience team with reference to appropriate international standards."
Police Scotland has dealt with a number of cyber attacks, including a disruption of its public websites and "a selection of client-based malware attacks".
Auditors found the ICT department is taking appropriate action to mitigate these risks but "cost does not seem to feature in the risk assessment".
It said: "As the threat from cyber security develops and attacks grow in magnitude and complexity, it is essential that the ICT department identifies and assesses the impact of the cost incurred and potential reputational damage that may occur when dealing with a cyber attack.
"The key challenges going forward are recognising the need to have a costing model that tracks costs incurred due to cyber-attacks and captures learning points for going forward."
The Police Scotland ICT Strategy is still in its draft stages following the cancellation of a £40 million i6 contract with Accenture, which is not considered in the report.
The report also does not address the call centre reforms instigated by the deaths of John Yuill and Lamara Bell in a crash on the M9 last July, auditors said.
Martin Leven, director of ICT at Police Scotland, said: "The overall conclusion of the whole report was that ICT provides a good level of support to the service and it has identified a number of areas which we are working on to ensure we can continue to demonstrate and deliver continual progress.
"We are absolutely committed to improving the ICT infrastructure across Police Scotland, moving away from a network of legacy systems to solutions which will allow officers and staff to more effectively carry out their duties and introducing innovation to streamline what we do and how we do it, to keep communities safe."