Published in News

Vole tells Scottish cops it cannot guarantee data stays in the UK

by on20 June 2024

You are not in the EU any more we don’t care that much

Despite the UK's post-Brexit agreement to safeguard data within the country, global tech giant Microsoft is refusing to provide a guarantee, raising significant concerns about data privacy and security.

Microsoft's admission to the Scottish police, a key user of its services, that it cannot ensure the residency of UK police data on its cloud service underscores the potential disruption to law enforcement operations.

Documents released by the Scottish Police Authority under freedom of information laws show Microsoft cannot promise that data for Police Scotland's Digital Evidence Sharing Capability will stay in the UK, as legally required.

The partial release indicates that data on Microsoft's cloud is often moved and processed abroad; the current data agreement for the DESC doesn't meet UK data protection laws; and while Microsoft can technically adjust for compliance, it's only doing so for DESC partners, not other police services, because they haven't requested it.

The information shows Microsoft admits to inherent international data transfers in its cloud architecture. This means the issues with Scottish Police affect all UK government users facing similar data offshoring restrictions.

This means that no UK police can claim Microsoft processes data lawfully and using this technology while breaching of UK law," he said.

Part 3 of the Data Protection Act 2018 requires law enforcement data to be kept in the UK, and the new G-Cloud 14 framework mandates UK-only data hosting for other public sector data.

A spokesvole told Computer Weekly magazine: "Microsoft is committed to data protection and residency for Azure, which supports Axon's Digital Evidence Sharing Capability… we haven't altered our contractual commitments affecting Azure's operation. We've helped Police Scotland understand Azure to ensure DESC's use complies with law enforcement obligations under Part 3 of the Data Protection Act 2018."

In April 2023, Computer Weekly disclosed that Police Scotland was testing the Scottish government's DESC service, provided by Axon and hosted on Microsoft Azure, despite legal concerns.

The police watchdog highlighted unresolved risks, such as US government access through the Cloud Act, Microsoft's generic contracts, and Axon's failure to meet data sovereignty clauses.

The Scottish Police Authority's data protection officer reported Microsoft's admission that data could leave the UK, citing cloud computing's nature and their global support model.

It said that despite Volish assurances, concerns remain about Scottish police's control over data transfers abroad, as required by Part 3 of the DPA.

The authority's data protection officer noted that by agreeing to the Data Processing Addendum, it was consenting to international transfers, a stance they believe is non-compliant with specific sections of Part 3.

Under Part 3, each data transfer must be individually approved and reported to the Information Commissioner's Office.

Last modified on 20 June 2024
Rate this item
(0 votes)