Guidance

Online child sexual abuse and exploitation (OCSAE) innovation lab: privacy notice

Updated 22 December 2023

Version 1.3

December 2023

Andrew Harrison, CAID Security & Data Protection

What is the OCSAE Innovation Lab?

The protection of children from sexual abuse and exploitation is one of the most pressing social needs in the UK and throughout the world today. The threat of Online Child Sexual Abuse and Exploitation (OCSAE) continues to evolve, with offenders seeking new ways to gain access to children, and to evade detection and arrest. In response, police forces must adapt and find new ways to identify offenders and victims in order to prevent continuing abuse and exploitation of victims, and determine the risk the offender poses to children. The Innovation Lab is a valuable resource for law enforcement in developing these new ways of working.

Specifically, the Innovation Lab assists law enforcement develop new tools for preventing, detecting or investigating crimes involving OCSAE, and for safeguarding children.

The Innovation Lab is a secure facility for developing and evaluating new products and services that may provide police forces and other agencies with innovative solutions in the fight against OCSAE. It is hosted by the Metropolitan Police Service (MPS) in London.

The OCSAE Innovation Lab belongs to police forces in England, Wales, Scotland and Northern Ireland, and the National Crime Agency (NCA) – the joint controllers^{[footnote 1]}.

How are products or services selected?

Where a problem is identified that could be solved by innovative products or services, the Home Office requests (on behalf of the joint controllers) proposals from recognised solution providers who can provide knowledge and resources to develop innovative solutions to identified problems in law enforcement.

Proposals from solution providers are assessed and successful proposals are put forward for evaluation. Where the proposed solution needs access to indecent images or videos of children to produce realistic results, evaluation will take place on the OCSAE Innovation Lab system. If evaluation does not require access to indecent images or videos, a separate cloud-based system will be used (not covered by this privacy notice).

If the results of the evaluation are positive, the innovative product or service may be considered for use by police forces or other agencies.

What data do we collect?

We collect images and videos from two sources:

• indecent images and videos of children are obtained from the Child Abuse Image Database (CAID)
• other images, known as “distraction data”, which is not part of the CAID service and provided by appropriate third parties

Images and videos from CAID are used by the OCSAE Innovation Lab for creating and evaluating new solutions. CAID holds the UK national library of indecent images and videos of children, together with related data such as case references, grading data, hash values, series data and victim data.

The images and videos on CAID are collected for law enforcement purposes from:

• suspect devices and media seized by police forces during raids
• reports from police forces or agencies in other countries
• reports to the Internet Watch Foundation (IWF) from members of the public or discovered by IWF staff as part of their job

Only a subset of images or videos from CAID are transferred to the Innovation Lab for use in evaluations. Images and videos may show faces or other features, such as tattoos, that can be used to identify the people in them. They may also show recognisable places.

The people in images and videos may be either:

• victims of child sexual abuse
• suspected or convicted offenders
• others

Others could include family members or other people who appear in images or videos but who are neither victims nor offenders.

Along with the images and videos, we also transfer from CAID:

• grading data, such as the image or video category
• hash values, which are used as identifiers for images and videos
• series data, which are used to link related images and videos

Note that the Innovation Lab does not hold police case references or victim data.

Distraction data is used to train artificial intelligence (AI). It comprises non-illegal images and videos, including adult pornography, which is purchased through contractual agreements from recognised third party providers.

How do we use personal data?

One of the stated aims of CAID is to improve police efficiency in investigating cases involving the creation and distribution of indecent images or videos of children, thereby accelerating the processes of prosecuting offenders and rescuing victims. This includes the use of new products or services where business benefits, including improved performance, can be shown.

To reduce the risks of evaluating new products and services using potentially untried hardware or software packages, it was decided to use a physically separate IT system rather than use the live CAID system. Should unforeseen problems arise during evaluation, the live CAID system and the data it holds will not be affected.

Using a separate IT system also allows the scope of the Innovation Lab to be extended to cover other aspects of OCSAE crime prevention, detection and investigation.

Evaluation of a product or service will typically involve loading software on to the Innovation Lab, and possibly attaching special hardware, and then conducting trials using the images, videos and related data from CAID. Evaluation aims to determine the performance of the product or service, and its suitability for law enforcement uses.

The Innovation Lab system is operated by MPS staff. Evaluation of the product or service is performed by the Innovation Lab team with help from the supplier.

Suppliers may be permitted limited access to the system during the installation and testing of their product or service. All access by supplier staff is supervised by police officers and they will not have access to CAID related data or information.

The results of the evaluation are documented in a report, which will inform the decision on whether the technology, product or service provides improved capability or performance of value to law enforcement in the fight against OCSAE.

In addition, the evaluation process may generate other output from the normal function of the product or service. Such outputs may be used by suppliers, police forces or other agencies in further trials (outside the scope of the Innovation Lab).

How are we able to process this data?

The personal data processed by the Innovation Lab includes information regarding criminal sexual activity involving children. The Data Protection Act defines such personal data as “special category” data. It is processed for law enforcement purposes only.

The sensitive processing performed by the Innovation Lab is necessary for:

• exercise of functions conferred on police forces and the NCA by legislation
• reasons of substantial public interest
• protecting the vital interests of data subjects or others, and
• safeguarding children and individuals at risk

The Innovation Lab is involved in protecting the vital interests of victims of child sexual abuse and exploitation by helping suppliers develop tools that will enable police forces to identify and rescue them. The aim is to protect victims from further sexual, physical, mental or emotional harm. This includes assessing the risk an offender poses to children.

The tools developed with the help of the Innovation Lab are also used for detecting and investigating criminal offences, as well as preventing threats to public safety.

In the circumstances, it is not possible to obtain consent from the data subjects, either because the identity of the data subject is not known beforehand or because attempting to obtain consent could prejudice rescue operations or criminal investigations.

Where do we process personal data?

The OCSAE Innovation Lab is hosted in MPS premises in London, UK. The data from the CAID image library and database are stored on the Innovation Lab system – no personal data is stored outside the UK.

I15 is the main processor for the Innovation Lab, processing data on behalf of the Joint Controllers and in accordance with an authorised Data Processing Agreement.

The Innovation Lab can only be accessed locally by terminals within the same MPS premises.

No images or videos are shared with third parties. Limited other data may be shared with suppliers, police forces or other agencies, as described later in this privacy notice.

How do we secure personal data?

Security and privacy have been built into the design of the OCSAE Innovation Lab, right from the start.

The Innovation Lab has features that enhance personal privacy and control security risks, such as:

• isolation of Innovation Lab from public networks and from other police systems
• strong encryption of images, videos and other data in transit
• physical security to protect system assets
• careful vetting and ongoing welfare monitoring of staff
• controlled user access to images, videos and other data
• controlled export of evaluation outputs
• auditing of user activity on the system, and
• incident reporting and management

Security risk assessments and data protection impact assessments have been conducted and are regularly reviewed to ensure they remain accurate and reflect how the system is built and used.

The Innovation Lab is formally assured and subject to regular security testing by independent external organisations, as required by Government and police policies.

How long do we keep personal data?

Images, videos and other personal data are retained on the OCSAE Innovation Lab only for as long as they are needed for evaluation of products and services. The contract for operating the Innovation Lab is reviewed annually and will be discontinued when there are no further products or services requiring evaluation.

Images, videos and related data from CAID are refreshed periodically. Any images or videos deleted from CAID will therefore also be removed from the Innovation Lab at the next data refresh.

Apart from the periodic refreshes, there are no mechanisms to remove individual CAID images or videos from the Innovation Lab.

Where ‘distraction data’ is required to be deleted, this will be actioned in line with the contractual agreement in place and on the direction of the data partners requirements.

When the Innovation Lab is no longer needed for product or service evaluations, all data from CAID and partner providers will be securely erased or destroyed, in accordance with Government and police policies and standards.

Audit logs are retained only for as long as the Innovation Lab exists. They will be securely erased or destroyed as part of the decommissioning process.

When do we share personal data?

No images, videos or associated personal data obtained from CAID or partners are shared with any other organisations (“third parties”).

Other information from the Innovation Lab may be shared with the following:

• product or service suppliers
• police forces and other agencies
• the Home Office

The results of an evaluation are documented in a report, which will inform the decision on whether the product or service provides improved capability or performance of value to law enforcement in the fight against OCSAE. Copies of the report are delivered to the recipients listed above, as appropriate.

In addition, the evaluation process may generate other output from the normal function of the product or service. Such outputs may be used by suppliers, police forces or other agencies in further trials (outside the scope of the Innovation Lab).

Any outputs generated by the products or services under evaluation are examined by a police officer to ensure they do not contain images, videos or other personal data prior to export from the Innovation Lab.

Should an evaluation produce results that are useful to an ongoing investigation, this information will be given to the relevant police forces or agencies. Evaluation results may also be used to update CAID (e.g., if new images or videos are discovered that are part of an existing series).

What rights do data subjects have?

The Data Protection Act allows limits to be applied to data subject rights where processing of their personal data is for law enforcement purposes. Information provided to data subjects may be restricted where it is necessary and proportionate to:

• avoid obstructing an official inquiry or investigation
• avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences
• protect public security, or
• protect the rights and freedoms of others

The data subject rights that may be restricted for these reasons include:

• the right to be informed about processing of personal data
• the right of confirmation of processing and access to their personal data
• the right to rectification of inaccurate or incomplete data, and notification of any rectification performed
• the right to erasure or restriction of processing of data, and notification of any erasure or restriction performed
• the right to appropriate decision-making

The Data Protection Act also excludes data relating to child abuse from subject rights to confirmation of processing, access to data and limitations on third country transfers where this is not in the best interests of the data subject.

People appearing in images or videos (data subjects) are not routinely notified that their data is held in the Innovation Lab. Many of the data subjects are unidentified; and where data subjects are identified, the Innovation Lab does not hold the name or contact details for them.

Requests from data subjects wishing to exercise their rights under the Data Protection Act are examined on a case-by-case basis. All limits on data subject rights allowed by the Act would normally be applied.

Note that restrictions on access to, or copying of, indecent images or videos in the Protection of Children Act 1978 and the Sexual Offences Act 2003 must also be considered. Specifically, it would be unlawful for police forces to provide data subjects with copies of indecent images or videos of children.

Data subjects do have the right to complain to the Information Commissioner’s Office if they believe that their rights have been improperly restricted.

What automated decision-making do we use?

The OCSAE Innovation Lab is used to evaluate a variety of products and services, including some that use decision-making technologies such as artificial intelligence. These may be used to assist officers in their decision-making (e.g., automated identification of “data of interest” to support an officer’s investigation).

Note, however:

• the Innovation Lab is only indirectly involved in ongoing police investigations and safeguarding operations
• (b) there are no plans to implement fully automated decision-making on CAID in the future

How can you contact us?

The joint controllers for the OCSAE Innovation Lab are the police forces in England, Wales, Scotland and Northern Ireland, and the National Crime Agency. The Lead Controller is Merseyside Constabulary.

The Data Protection Officer for CAID and the Innovation Lab is David Gray of Norfolk Constabulary. He can be contacted via email at David.Gray@norfolk.pnn.police.uk or in writing to:

National Online CSE Coordinator
Norfolk Constabulary
OCC, Falconers Chase
Wymondham
Norfolk
NR18 0WW

The OCSAE Innovation Lead Controller can be contacted via the Data Protection Officer.

Subject Access Requests should be addressed to your local police force. Contact details can be found on your local police force’s web site.

1. Note that the joint controllers are “competent authorities” as defined by the Data Protection Act 2018. Processing is performed by or on behalf of the Joint Controllers for law enforcement purposes. ↩