Microsoft refuses to divulge data flows to Police Scotland | Computer Weekly

Microsoft refuses to disclose where and how Scottish policing bodies' sensitive law enforcement data uploaded to its Office 365 cloud will be processed, citing commercial confidentiality. Police Scotland and the Scottish Police Authority are implementing O365 to store and process personal and policing data as part of a UK-wide cloud migration. Microsoft declined to provide transfer risk assessments and would not specify what SPA-originating data would be processed outside the UK, preventing compliance with Part 3 of the Data Protection Act 2018. Microsoft acknowledged O365 is not designed for such data and cannot guarantee data sovereignty. Configuring O365 for high-value policing data is possible but difficult.
"MS is unable to specify what data originating from SPA will be processed outside the UK for support functions," said the SPA in a detailed data protection impact assessment (DPIA) created for its use of O365. "To try and mitigate this risk, SPA asked to see ... [the transfer risk assessments] for the countries used by MS where there is no [data] adequacy. MS declined to provide the assessments."
Microsoft itself has told the police watchdog it is unable to guarantee the sovereignty of policing data held and processed within its O365 infrastructure. "Microsoft states in their own risk factors that O365 is not designed for processing the data that will be ingested by SPA," said the DPIA, adding that while the system can be configured in ways that would allow the processing of "high-value" policing data, "that bar is high".