Digital Forensics Managed Services

This Business Justification concerns the contract for Digital Forensics Managed Services (DFMS) SS315104 (PCD115). The DFMS contract (due to expire in April 2024) includes the provision of front line solutions (digital kiosks – ‘new kiosks’), lab based forensic services (for complex forensic methods and analysis) and complex services (research & development and casework).

The supply of lab based services and complex services has been in place since contract commencement and has been operating to a generally acceptable level although with limitations in regards to more technically complex forensic cases and some capacity shortfalls which have largely been created by marketplace dynamics.

The provision of the new kiosks was due to be in place by December 2017 and, for the reasons set out in this report, is outstanding. Further work has now been identified and estimated in order to have a new kiosk solution in place for Policing. The delays to the implementation of the new kiosks have been mitigated by the MPS extending its pre-existing licensing provisions for digital kiosks (‘existing kiosks’) (which were in place prior to the DFMS contract commencing). The extension of this licensing has enabled continuity of service and ensured that capacity and capability has been unaffected by delays and that victims of crime have not been negatively impacted by these delays.

The MPS is reporting on the technical and regulatory issues within the proposed solution for the new kiosks and the cost of carrying out the proposed changes, the potential risks in relation to the performance and future cost of the kiosks as well as alternative options.

The Deputy Mayor for Policing and Crime is recommended to:

1. Approve the recommendations set out in the restricted section of the report.

1. Introduction and background

1.1. The Digital Forensics Managed Services (DFMS) contract was originally let and awarded on behalf of the MPS and is accessible by other forces. Due to the issues experienced with the implementation of the kiosk solution the contract has not been heavily promoted and no other Force is using the contract for forensic services.

1.2. The volume and complexity of digital technologies has been forecast to increase rapidly with projected tangible growth (approx. 11% p.a. to 26%) in the number of submissions of mobile devices (tablets and phones) and an exponential growth in the amount of data to be processed. Over the last two to three years the MPS has seen a 10% increase in demand each year. The use of technology will become increasingly sophisticated such that the devices are not used in a stand-alone manner but are linked to the internet of things using machine to machine communications. Social media will play an increasingly dominant role in communications, gradually replacing fixed and even mobile voice communications. Policing has a need to maintain and develop its capability in these areas to identify and detect crime.

1.3. The DFMS contract looked to introduce 96 digital kiosks (commencing in December 2017) for police officers to use to initially download data from mobile phones, and through the course of the contract use the kiosks to download from computers and CCTV. The contract was set up for a seven year term so that innovation identified at the lab level could be brought in to the kiosk technology, ensuring that policing was accessing more affordable and better technology to recover evidence from digital devices. The long-term nature of the contract ensured that future developments could be directly led by the challenges and solutions developed at Lab level. Within this period the marketplace has moved far quicker than originally anticipated and there are now emerging options in the marketplace meeting the MPS’ aspirations for innovation.

1.4. The provision of the Mass Consultants Ltd (‘Mass’) kiosks has been delayed due to a number of factors including some areas where there are MPS dependencies surrounding delays to infrastructure and the removal of a dependency on a forensic case management system. However, predominantly the issues faced regarding the implementation of the kiosks surround the ability to provide a workflow system with the kiosk. The workflow enables a non-specialist user (with minimal training) to carry out the same tasks to download data in a consistent manner and is therefore integral to the forensically sound recovery of digital evidence. Whilst the workflow was included within the contract it was envisaged that minimal changes to a COTS solution would be needed to adapt that workflow. After significant work between the MPS and Mass during 2017 and 2018 it was identified that the proposed workflow would not be sufficiently robust to ensure user consistency, efficiency and importantly, validation under forensic regulation. During 2018 the MPS developed detailed requirements for a workflow system and during the later parts of 2018 the parties worked and agreed an alternative solution (the Kiosk Companion Application - ‘KCA’) and a variation (on a 50/50 split was agreed in Dec 18) to put the work in place. Work to create and test the KCA was carried out during the first half of 2019.

1.5. At the conclusion of testing of the KCA a number of defects, changes and unsentenced issues were identified and worked on by the parties culminating in a list of required changes in Autumn 2019. This identified 6 issues where the Parties disagreed as to the ownership of the cost and liability of the amendments. Within the MPS there were 10 major or critical changes required to the KCA requested by the MPS plus the additional 6 unsentenced observations also being identified as critical or major to the workflow functionality.

1.6. In January 2020 Mass provided a Rough Order of Magitude (ROM) cost for the unsentenced observations for the value set out in the restricted section of the report. Whilst the 10 MPS requested changes are still subject to analysis of the impacts and costs it’s likely that these will be in roughly the same order of magnitude.

1.7. The potential solutions for the unsentenced observations included three caveats relating to the availability of resources, the technical impacts and constraints that the changes will bring and the potential appetite of the software provider to deliver the required changes. Each of these caveats places significant risks on the viability of the proposals.

1.8. The MPS has maintained its capability for downloading and analyzing data from phones by extending the licensing provisions for the digital kiosks which were in place prior to the commencement of the Mass contract. New releases of the existing kiosks’ software has meant that the MPS capability has been maintained and improved during the period of delay and that there have been no negative impacts for the victims of crime.

2. Issues for consideration

2.1. This information is contained in the restricted section of the report.

3. Financial Comments

3.1. The original contract costs were £21.8M to the MPS with a contract value of up to £200M for other forces. The contract is currently within its fourth year (commencing April 2017) and is tracking against expected contract value.

3.2. The MPS has only paid one milestone payment for the first milestone (for contract start-up). An additional milestone for activities to readiness for deployment of the kiosk is not fully invoiced and not currently due. The milestone payment is due once the parties agree that the kiosk solution can ‘go live’.

3.3. Under either scenario set out under the recommendations (within restricted section of the report) additional kiosk licensing or hardware would be needed for 2020/21 and with additional central hub licenses ongoing per annum.

3.4. The average annual spend under the DFMS contract is approx. £1m per annum for the provision of specialist services and management of the contract and £1m for outsourced services per annum. Under the Recommendation set out in the restricted section of the report. The cost of the continued services from year 1 onward is in line with the existing budget for digital forensic services (£2.184m).

3.5. In year 0 (2020/21) the expected additional costs to revenue budgets will be an added pressure. This will be funded from within Forensics budgets.

3.6. In addition there is currently a £200k budget in the capital plan for 2020/21, for updating the existing Kiosk hardware. The budget shortfall value (£46k) is included within the overall revenue costs and will be converted to capital and be added to the capital plan.

4. Legal Comments

4.1. The Mayor’s Office for Policing and Crime (MOPAC) is a contracting authority as defined in the Public Contracts Regulations 2015 (the Regulations). All awards and modifications to public contracts for goods and/or services valued at £189,330 or above shall be performed in accordance with the Regulations.

4.2. The recommendations set out in the restricted section of the report are in accordance with the Mayor’s Office for Policing and Crimes’ Scheme of Delegation.

5. Commercial Issues

5.1. Due to the current delays for roll out of a kiosk solution under the contract with Mass, the MPS will need to extend existing licences in use within the MPS which are otherwise due to expire by September 2020. As these current systems now have end-of-life hardware, it will be necessary to replace the current hardware (as well as software). These costs are included in the economic case within the restricted section of the report. The replacement hardware and software will be procured through existing available ICT Frameworks or via Single Tender Action in accordance with the Public Contracts Regulatins (PCR) 2015. The preferred route to market will be via call off from an ICT framework.

5.2. The recommendations set out within the restricted section of the report are in accordance with the terms of the contract with Mass and the Public Contract Regulations 2015.

6. GDPR and Data Privacy

6.1. The MPS is subject to the requirements and conditions placed on it as a 'State' body to comply with the European Convention of Human Rights and the Data Protection Act (DPA) 2018. Both legislative requirements place an obligation on the MPS to process personal data fairly and lawfully in order to safeguard the rights and freedoms of individuals.

6.2. Under Article 35 of the General Data Protection Regulation (GDPR) and Section 57 of the DPA 2018, Data Protection Impact Assessments (DPIA) become mandatory for organisations with technologies and processes that are likely to result in a high risk to the rights of the data subjects.

6.3. The Information Assurance and Information Rights units within MPS will be consulted at all stages to ensure the project meets its compliance requirements.

6.4. GDPR standard clauses are included within all contracts. A DPIA assessment will be carried out for any changes to existing or new projects or contracts and privacy by design principles will be considered and incorporated. Where required a DPIA and a Data Processing Contract will be put in place prior to any processing activities being undertaken.

7. Equality Comments

7.1. The recommendations set out within the restricted section of the report are in accordance with the MPS’ equality policies and ethics as well as the provisions of the Equality Act 2010.

8. Background/supporting papers

8.1. Report .