THE Information Commissioner's Office (ICO) says it has "significant concerns" and "lacks confidence" in the PSNI's handling of data being accessed from mobile phones.
A scathing report from the data watchdog finds a raft of compliance failures by the service - including that officers are not giving clear consideration to whether the processing of information from mobile phones has a "lawful basis".
It follows controversy over the PSNI's illegal seizure of data from journalists Barry McCaffrey and Trevor Birney in a discredited criminal probe into a police watchdog document that appeared in Loughinisland massacre documentary.
Among the items police were forced by judges to return were Mr Birney's wife's mobile phone and his daughter's pink phone, with agreement only reached months later for confidential data obtained from laptops, hard drives, mobile phones seized from their homes and office to be put out of reach of the PSNI, which had originally planned to retain it for 10 years.
The ICO "has significant concerns regarding how processing is taking place and how this impacts on the privacy and data protection rights of people in Northern Ireland".
It says the PSNI "does not offer a compelling case that it gives explicit consideration to the lawful basis for processing mobile phone data" and warns a lack of overarching policy or "relevant data protection impact assessment" means there are "ambiguities as to which lawful basis" of its actions.
"Much rests on the individual officer's assessment as to what is appropriate in the circumstances of the case."
The ICO warns "a reasonable line of enquiry" is not always "justification for an extraction request" and questions "whether the PSNI has adequate protections in place to safeguard privacy".
"Consent is not an appropriate lawful basis for this level of intrusion into the privacy of others. This is particularly relevant here since, by default, the PSNI takes all available data."
The PSNI is operating its data extraction and analysis without accreditation and "no plans to achieve this status before 2022" - meaning it "cannot demonstrate it is using extraction methods that provide results to an independently regulated standard".
Despite organisations required to `not store law enforcement data for longer than is necessary' the PSNI could not "provide any evidence of systematic review or deletion of materials".
It is also "not complying with its duties to provide adequate privacy information".
The ICO said it is "significantly concerned" about the lack of risk assessment over PSNI mobile phone data extraction.
"The lack of a clearly-articulated legal basis for the processing represents a fundamental principle which the PSNI is currently not observing... [with] lack of evidence that the PSNI is considering privacy and information rights".
Assistant Chief Constable Jonathan Roberts said "mobile phone data extraction is a complex area of policing covered by a broad range of legislation" and is "a challenge for police across the UK".
"It is crucial to the Police Service of Northern Ireland that the public have confidence in how we use their data and that our actions are compliant with Human Rights and Data Protection legislation.
"We are committed to addressing all of the Commissioner's recommendations and a plan to achieve this is being finalised.
"We will engage with our oversight bodies - including the Policing Board - about this report and keep them updated on our progress."