PCD 1312 - Lawful Business Monitoring

PCD 1312 - Lawful Business Monitoring 

The HMICFRS Counter Corruption Report (March 2022) stated that: By 31st March 2023 the MPS should ensure that it has full IT monitoring capability to effectively protect the information contained within its systems and help it to identify potentially corrupt officers and staff.’  

The purpose of this decision is to meet the HMICFRS recommendation. The MPS is seeking to procure VigilancePro Software as a Service (SaaS) solution to deliver Lawful Business Monitoring. 

The Investigatory Powers Regulations 2018 allows businesses, including public authorities and police forces, to monitor the use of their Information Communications Technology (ICT) systems. Police systems contain confidential and sensitive data. The Metropolitan Police Service (MPS) must ensure that its systems, and the data they contain, are only accessed and used for a proper policing purpose. Moreover, the Met Values and the Code Ethics require that MPS systems are used in a way which upholds integrity and professionalism.  

Lawful Business Monitoring (LBM) will identify and prevent misuse. It will be operated by the MPS Directorate of Professional Standards (DPS). Members of the workforce found to have misused MPS systems will be held to account. Information retrieved from monitoring may be used in misconduct, criminal and performance meetings.  

The Deputy Mayor for Policing and Crime is recommended to:   

1. Approve the implementation and ongoing support of VigilancePro Software as a Service (SaaS) solution, with forecasted IT-related revenue costs of £2.925m over five years.  This includes £639,000 project implementation costs for 2022/23 and overall contract costs for an initial two years, with operational extensions for three years, until October 2027. All costs will be met from approved MPS budgets. 

2. Approve the procurement and direct award of a contract to CDW Ltd. (Value Added Reseller), via the Health Trust Europe Framework, for the provision of Lawful Business Monitoring, supplied by VigilancePro Ltd, at a total contract value of £2.519m. This includes a provision of £500,000 headroom to ensure future increases in data costs. 

 PART I - NON-CONFIDENTIAL FACTS AND ADVICE TO THE DMPC 

1. Introduction and background 

1. Lawful business monitoring (LBM) is a legitimate activity for forces to monitor their information systems and methods of communication. LBM is governed by the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018, which authorises public authorities to monitor and record internal business communications.  

2. The use of LBM helps ensure that access to police systems and use of communication devices is for a lawful policing purpose. By using LBM, forces seek to identify unlawful access to police records, wrongful disclosure of police data, computer misuse and inappropriate use of communication devices. The use of IT monitoring is covered by LBM legislation. This can be used to automate proactive checks on the access to all a force’s IT systems and communication devices.  

3. Almost all police forces in England and Wales have, or are in the process of adopting, LBM capability.  LBM will provide the MPS with a significantly enhanced capability to identify and root out corrupt and offensive behaviours and to prevent and deter them. This will help restore the trust and confidence of Londoners in the MPS. 

2. Issues for consideration 

1. The risk of misuse of MPS ICT systems has been highlighted in a number of high-profile cases, particularly those involving officers sending abusive, offensive, racist and misogynistic messages on WhatsApp. This continues to have a negative impact on the trust and confidence of the public in the MPS.  

2. LBM supports the priority of increasing trust and confidence. It will provide a significantly increased capability to address the culture in policing and the high standards of professionalism we expect of officers and staff. 

3. The HMICFRS Counter Corruption Report (March 2022) states: By 31st March 2023 the MPS should ensure that it has full IT monitoring capability to effectively protect the information contained within its systems and help it to identify potentially corrupt officers and staff. 

4. Entering into a contract to procure VigilancePro software by the end of October 2022 and subsequent implementation will enable the MPS to monitor their information systems and methods of communication, including mobile devices, to ensure all activity is for a lawful policing purpose. 

5. The MPS has committed to discuss the parameters for the use of the software with the London Policing Ethics Panel in due course. 

6. Further information is provided in the restricted section of this report. 

3. Financial Comments 

1. The purchase and introduction to service of VigilancePro software requires project revenue costs of £639K in 2022-23 and £2,286K ongoing revenue costs over the next five years (total £2.925m).  There is no impact on Capital.  

2. Value for Money is achieved by using a statement of requirement based on the standards adopted by other UK police forces and identified in the GMP framework. These include critical success factors and are tailored to needs of the MPS, with a large number of ICT system users. Both suppliers’ capabilities and pricing were evaluated and scored against defined criteria. Costs have been benchmarked using rough order of magnitude (RoM) costs. 

4. Legal Comments  

1. The MPS is subject to legal requirements to ensure monitoring of its ICT systems is lawful and ethical. The Investigatory Powers Act 2016 establishes the principle that communications may not be intercepted without lawful authority and that this must comply with respect for private and family life under Article 8 Human Rights Act 1988.  

2. The Investigatory Powers Regulations 2018 allow businesses, including public authorities and police forces, to monitor electronic communications on their systems for a number of purposes, including ‘to ascertain or demonstrate the standards which are achieved or ought to be achieved by persons using the telecommunications system in the course of their duties.’   This legal basis is also set out in Part 3 (Monitoring at Work) of the Information Commissioner’s Office (ICO) Employment Practices Code.  

3. MOPAC is a Contracting Authority, as defined in the Public Contracts Regulations 2015. All awards of public contracts for goods and services valued at £213,477 (inclusive of VAT) or above are procured in accordance with the Regulations.   

4. The MOPAC Scheme of Delegation and Consent provides the Deputy Mayor for Policing and Crime (DMPC) with delegated authority to approve business cases for revenue or capital expenditure of £500,000 and above (paragraph 4.8). Paragraph 4.13 of the MOPAC Scheme of Delegation and Consent also provides that the Deputy Mayor for Policing and Crime (DMPC) has delegated authority to approve all contract exemptions for £100,000 or above. Paragraph 7.23 of the Scheme provides that the Director of Strategic Procurement have consent for the approval of the award of all contracts, with the exception of those called in through the agreed call in procedure.  Paragraph 4.14 provides that the DMPC reserves the right to call in any MPS proposal to award a contract for £500,000 or above.  

5. MPS Directorate of Legal Services have reviewed this paper and confirmed it is compliant with procurement regulations. Further information is contained in the restricted section of this report. 

5. Commercial Issues  

1. Procurement will be by direct award contract to CDW Ltd, via the Health Trust Europe Framework (HTE), for VigilancePro Ltd to provide a Lawful Business Monitoring Software as Service (SaaS) solution for an initial period of two years, with optional extensions of up to three years, at a cost of £2,019,000.  

2. The Total Contract Value over 5 years is £2,519,000 (excluding VAT). This includes a provision of £500,000 headroom costs to account for any future increases in data costs.  Costs will be met from existing budgets. 

3. This is a Commercial off the shelf Solution (CotS) with Cloud AD integration that requires minimal development. This supports the MPS Digital Strategy of ‘Cloud first’ and ‘Buy, not build’. The national Insider Threat, Monitoring & Audit System (ITMAS) Framework Agreement operated by Greater Manchester Police (GMP) was initially evaluated to understand solutions available on the market to meet MPS requirements. An evaluation was undertaken to assess two leading solutions. The Health Trust Europe (HTE) framework agreement with CDW Ltd. was used to source proposals from both suppliers and assess their capabilities and costs. 

4. This decision does indirectly contribute to the London Anchor Institutions charter by working to renew confidence in the Metropolitan Police Service and therefore confidence in London. 

6. GDPR and Data Privacy  

1. MOPAC will adhere to the Data Protection Act (DPA) 2018 and ensure that any organisations who are commissioned to do work with or on behalf of MOPAC are fully compliant with the policy and understand their GDPR responsibilities.   

2. A DPIA has been completed for the proof of concept and will be further developed to support full implementation of the software. The DPIA has been assured by the MPS Data Office and completed with the support of legal advice. 

7. Equality Comments  

1. MOPAC is required to comply with the public sector equality duty set out in section 149(1) of the Equality Act 2010. This requires MOPAC to have due regard to the need to eliminate discrimination, advance equality of opportunity and foster good relations by reference to people with protected characteristics. The protected characteristics are: age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation. 

2. An Equalities Impact Assessment (EIA) has been completed with limited consultation at this time, given the nature of LBM. The MPS have committed to further develop the EIA following completion of the proof of concept and as decisions are made about how the software is utilised.  

3. The use of LBM will enable the MPS to proactively identify officers and staff who have used discriminatory language on MPS systems and communication devices.