According to correspondence between Scottish police and Microsoft, the latter cannot guarantee that UK police data stored in Azure environments stays within the UK, even though national legislation mandates this.
Police forces in Scotland are currently testing a new system called the Digital Evidence Sharing Capability (DESC), which should simplify sharing information and evidence between different departments. That data is stored in Azure environments and must remain within UK borders.
However, Microsoft regularly sends data stored on its public hyperscaler platform back and forth between different data centers, including outside the UK. In correspondence with Scottish police, Microsoft even said that such practices are ‘inherent’ in Azure’s architecture. The information surfaced in response to a Freedom of Information request. British IT magazine Computer Weekly subsequently reported on the matter.
Police didn’t observe the law
Because the data ‘travels’ to other places outside the UK, the police force did not comply with a section of the UK’s Data Protection Act, which says that law enforcement data must remain sovereign. Incidentally, while Microsoft has made adjustments that ensure DESC data does not leave the country, it reportedly has not done so for other services. The reason is that ‘no one else had asked’. Nor is the company contractually obligated to do so.
The information request came from British security specialist Owen Sayers, who has provided IT services to his country’s police for over 20 years. He tells Computer Weekly that it is now 100 percent clear that Microsoft is not complying with data protection legislation in the UK. This applies not only to police data but also to that of other government departments using Azure.
In addition to the Data Protection Act at issue in this particular case, other legislation imposes similar data compliance requirements on UK government departments. In practice, there is no reason to believe that data storage in Azure is handled differently in those cases.
‘Sovereignty does not apply to actively processed data’
According to Sayers, the exchanges show that data sovereignty applies only to data at rest, not actively processed data. The IT specialist says government agencies assumed the sovereignty guarantee extended to all data types. Instead, the ‘follow the sun’ model applies. In other words, data is moved without regard to location and goes wherever it can.
In response, Microsoft says it takes data residency and protection requirements seriously. However, the company has not made any contractual commitments that change how Azure services already work. The company basically explained to the police departments how Azure works. Based on that explanation, they can determine whether they can continue using the platform and still comply with legislation.