Ongoing Windows XP use among Met Police data audit concerns

Neil Merrett Published 01 June 2017

Despite praising some good practice around security manuals and guidance provided to the force's staff, data regulator warns there is considerable scope to improve data management


The Information Commissioner’s Office (ICO) has said there is “significant scope” for the Metropolitan Police Service (MPS) to improve its compliance with the Data Protection Act as the force moves to address issues such as a sporadic reliance on Windows XP.

As part of a consensual audit of MPS' operations carried out by the ICO earlier this year to consider technical and organisational capabilities to protect personal data manually and electronically, the force was found to deliver some areas of good practice such as the provision of an information management policy.

Praise was given to guidance provided to staff through its MPS security manual and its METSEC code that focus on ensuring the reporting of security incidents and ensuring the security of mobile devices.  

However, in considering areas for improvement, the ICO was concerned that the Met was still making use of the now unsupported Windows XP Operating System for certain desktop and laptop computers, despite accepting that a project was in place to replace its use across the force.

“Without critical Windows XP security updates there is a residual risk to personal data,” said the audit findings.

The data regulator also identified weaknesses around the removal of access to MPS applications and its buildings when no longer applicable to individuals. According to the report, MPS was aware of the issue and looking to better tackle the risk of unauthorised access for the buildings.

Other key concerns included a lack of testing for backing up the force's file systems to ensure data could be recovered in case of a disaster, as well as the force's broader approach to planning data initiatives.

“A number of Business Continuity (BC) plans are incomplete or overdue for review. Some had not been tested and do not include how to maintain or recover records in the event of an adverse situation,” added the audit. “The database used to store BC information is unsupported and not backed up.”

Responding to the audit, MPS said it was undergoing a refresh of its information technology infrastructure, planning and equipment use such as desktop computers. Yet the force argued that plans to upgrade its approach to technology were complicated due to the variety of specialist legacy software programmes still in use by different parts of the MPS.

“Replacements or remediation for this software that are compatible with a more modern operating system have to be ready before the roll-out is completed to ensure continued operational effectiveness,” said a spokesperson for the force.

“We have completed the upgrade of just over 17,000 devices to Windows 8.1, and this reduces the number of desktops running XP to around 10,000.”