Despite legislation prohibiting it, UK police data stored in Azure has been transferred out of the country.

According to recent correspondence between Scottish Police and Microsoft, there is a concern that UK police data stored in Azure environments may not remain within the UK as required by national law. The Scottish Police are currently implementing a new system called Digital Evidence Sharing Capability (DESC) to streamline information sharing, with data being stored in Azure environments.

However, Microsoft acknowledged that data stored on its public hyperscale platform may be transferred between different data centers, including those outside the UK. This practice raised concerns about compliance with the UK Data Protection Act, which mandates that police data must remain sovereign. While Microsoft has made adjustments to ensure DESC data stays in the UK, other services have not been modified due to a lack of requests or contractual obligations.

Security specialist Owen Sayers, who has worked with UK police for over 20 years, highlighted that Microsoft is not fully complying with data protection legislation in the UK, not only for police data but also for other government departments using Azure. Legal requirements on data compliance by government departments are in place, and it is unclear if Azure data storage adheres to these regulations consistently.

Sayers pointed out that data sovereignty may only apply to data at rest, not to data being actively processed, leading to a lack of clarity in data location policies. Microsoft emphasized its commitment to data protection and residency requirements but has not committed to altering Azure services to meet these demands. Instead, the company has informed police departments about how Azure operates, allowing them to assess compliance with legislation independently.

In conclusion, the ongoing discussion between Scottish Police and Microsoft highlights the challenges of ensuring data sovereignty and compliance with UK legislation for police and government departments using Azure services. While efforts have been made to address concerns regarding DESC data, broader compliance issues persist, requiring further evaluation and potential adjustments to ensure legal adherence.

Article Source
https://www.techzine.eu/news/privacy-compliance/121539/uk-police-data-stored-in-azure-left-uk-despite-legislation-prohibiting-just-that/