
Microsoft refuses to disclose data flows to Police Scotland


Microsoft is refusing to tell Scottish policing bodies where and how the sensitive law enforcement data uploaded to its cloud services will be processed, citing “commercial confidentiality”.

As part of a UK-wide effort to move police forces onto cloud-enabled digital infrastructure, Police Scotland and the Scottish Police Authority (SPA) are jointly implementing Microsoft Office 365 (O365) to store and process a range of personal and law enforcement data.

However, according to documents released by the SPA under freedom of information (FoI) rules, Microsoft is refusing to hand over crucial information about its international data flows to the SPA and Police Scotland.

Without this information, the policing bodies are unable to meet the law enforcement-specific data protection rules laid out in Part 3 of the Data Protection Act 2018 (DPA18), which places strict limits on the transfer of policing data outside the UK.

“MS is unable to specify what data originating from SPA will be processed outside the UK for support purposes,” said the SPA in a detailed data protection impact assessment (DPIA) created for its use of O365. “To try to mitigate this risk, SPA asked to see … [the transfer risk assessments] for the countries used by MS where there is no [data] adequacy. MS declined to provide the assessments.”

The SPA DPIA also confirms that, on top of refusing to provide key information, Microsoft itself has told the police watchdog it is unable to guarantee the sovereignty of policing data held and processed within its O365 infrastructure.

“Microsoft states in their own risk factors that O365 is not designed for processing the data that will be ingested by SPA,” said the DPIA, adding that while the system can be configured in ways that would allow the processing of “high-value” policing data, “that bar is high”.

It further added that while Microsoft previously agreed to make a number of changes to the data processing addendum (DPAdd) being used for Police Scotland’s Azure-based Digital Evidence Sharing Capability (DESC) – the nature of which is still unclear – Microsoft has advised that “O365 operates in a completely different manner and there is currently no way to guarantee data sovereignty”.

It further noted that while a similar “ancillary document, like that provided … during the DESC project” could afford “some level of assurance” for international transfers in general, it would still fall short of Part 3 requirements to set out exactly which types of data are processed and how.

Microsoft’s refusal to provide information about its international data processing practices means the sensitive law enforcement data held by Police Scotland – including information about witnesses and victims of crime – could be processed in “hostile” countries, or those without data adequacy agreements.

The DPIA said this includes China, Serbia, India, the UAE, Brazil, Egypt, South Africa, Chile, Hong Kong and Malaysia.

“MS has declined, due to confidentiality, to provide SPA with the assurances it needs for these transfers, including International Data Transfer Agreements,” it said. “MS is unable to provide assurances that data will not be processed in these countries, given their follow-the-sun support model… Thus, SPA cannot be assured that these assessments included both Part 2 [GDPR] and Part 3 [law enforcement] processing.”

According to an “abridged DPIA” also released under FoI: “If any other company had declined to tell us who processes what data of ours and where, and further declined to provide the evidence … we would, in all likelihood, not progress with a tender bid.”


Aside from Microsoft declining to provide information about transfers “for reasons of confidentiality”, the DPIA identified a range of other issues, including that Microsoft is in possession of the encryption keys (meaning it would be able to access all the data held and hand it over to the US government if required to under the country’s invasive laws), and is refusing to allow UK police to vet Microsoft employees who could be accessing the data from overseas.

Computer Weekly contacted Microsoft about the contents of the FoI documents and its refusal to provide information to Police Scotland. A spokesperson said the company “complies with all laws and regulations applicable to the provision of our products and services”.

Responding to further questions from Computer Weekly about why it is pressing ahead with the O365 deployment despite Microsoft’s conduct and the clear data protection issues identified, a Police Scotland spokesperson said: “[The force] continues to work with the Scottish Police Authority on plans to implement Microsoft 365 in common with other UK law enforcement agencies.

“We work closely with partners to ensure all required data protection, security controls and governance are in place. This includes with the Information Commissioner’s Office and the Scottish Biometrics Commissioner as required.”

Commenting on Microsoft’s refusal to disclose key information and its acknowledgement to Scottish police that it cannot guarantee the sovereignty of its data, Liberal Democrat peer Tim Clement-Jones – who has previously highlighted hyperscalers’ lack of compliance with Part 3 in the Lords – told Computer Weekly it demonstrates the need for the UK to have its own sovereign cloud capabilities.

“All of this further underlines – indeed is conclusive proof of – the absolute necessity for UK cloud capability, especially for our public services which successive governments have completely neglected,” he said. “The Competition and Markets Authority is dragging its heels on the big tech cloud services duopoly, and this should be an urgent wake-up call.”

Refusing key information

While the DPIA showcases how Police Scotland and the SPA are unable to fulfil their legal obligations as a result of Microsoft’s stonewalling on data flows, other documentation disclosed under FoI responses highlights that they have been trying to get answers to their questions for many months.

According to email correspondence between Police Scotland and Microsoft, one force representative noted in February 2025: “There is a heavy onus upon Police Scotland/SPA to demonstrate a granular understanding of where our data traverses, its security and that there are adequate safeguards to protect personal data in the event it is transferred/accessed outside of the UK.”

They added that Part 3 also places obligations on the processor – in this case, Microsoft – to provide evidence about its international data transfers.

Although earlier correspondence shows the force initially asking for clarification on various aspects of the company’s international transfers – including how it can comply with various Part 3 requirements, a list of sub-processors, and documentation on its data flows – on 7 October 2024, Microsoft took over a month to respond.

When it did respond, on 13 November, Police Scotland felt the information provided was inadequate. In a follow-up the next day, a Police Scotland employee noted that the team reviewing the documentation provided “already feel it is not answering the questions in the detail that we require” as they “cannot find the answers to the questions” being asked.

A further Microsoft email from 30 November indicates that, sometime between the initial contact from Police Scotland and then, the company’s legal and commercial teams had been alerted to the force’s requests for clarification on key data protection points.

According to later emails, while the force asked for further clarification on data flows and sub-processor locations within Microsoft’s Content Delivery Network (CDN) on 27 November 2024, the company advised “this is commercially sensitive” and ultimately “declined this information”.

Although there is a gap in the correspondence disclosed, other emails from Police Scotland show that, at some point between December 2024 and February 2025, Microsoft also told the force that it is not required “to disclose any of its confidential contractual arrangements or compliance documents”, and refused to provide any further information.

“Should Police Scotland consider it necessary to carry out its own TRA [transfer risk assessment] regarding transfers of personal data in connection with Microsoft 365 … we have published extensive information online in our Service Portal to assist with that exercise,” said a Microsoft representative, whose name has been redacted.

They added that while M365 “is not designed to process special categories of personal data on a large scale”, including law enforcement data, it is up to data controllers – Police Scotland and the SPA in this instance – to determine the best configuration for the system to meet their local legal requirements: “As the data processor, Microsoft has no control over such use and generally would have little or no insight into such use.”

According to the Scottish Police Authority DPIA, “the Microsoft position was that the controls required for Part 3 data are not inherent in the product and it would be for the customer to ensure the required controls have been implemented”.

It added that Microsoft has also stated that it cannot guarantee which sub-processors may be processing data at a given time, due to its “follow-the-sun” support model, noting that while every country in the European Economic Area (EEA) is deemed data adequate for Part 3 data, no country in the world outside of the zone has this adequacy status.


This would therefore preclude them from receiving policing data, unless the strict transfer conditions of Part 3 are being met.

Computer Weekly contacted Microsoft about where it is sending and processing data uploaded by Police Scotland, but received no response on this point.

A source close to the issue said: “Very significant risks have been identified, including Microsoft’s arrogant refusal to declare its sub-processors. This is very different from the Microsoft that tried to reassure its EU customers of its trustworthiness just a few weeks ago.”

For Owen Sayers, an independent security consultant and enterprise architect with over 20 years’ experience in delivering national policing systems, “the nature and duration” of the discussions between Scottish policing bodies and Microsoft are “enlightening”, offering insight into both “the difficulty in getting straight answers to questions that Microsoft routinely don’t expect to answer” and the poor state of due diligence across policing in general.

“Credit does have to go to Police Scotland here for joining in the diligence already uniquely carried out by the SPA,” he said.

“Although Microsoft Cloud and M365 is used already up and down the UK by police and law enforcement bodies, so far only SPA – and now Police Scotland – have really asked any of the important questions: Where does our data go? Do you have a map or data flow model? What assurances can you give us around our regulatory DPA Part 3 needs?

“Sadly, the answers are less than confidence-building.”

Legalising unlawful practices

Also contained in the Scottish Police Authority DPIA are acknowledgements that while UK law has recently changed to accommodate police use of hyperscaler cloud providers, this is essentially an admission that policing bodies have been unlawfully storing and processing data in their infrastructure for years.

The assessment added that while the data reforms have provided more legal certainty, they still do not solve issues around the sovereignty of data.

In March 2025, Computer Weekly reported that the UK government’s Data Use and Access Act (DUAA) – which received Royal Assent in June 2025 – would amend Part 3 by simply removing the requirements that hyperscale cloud services were previously unable to comply with.

For example, while the DPA 2018 does allow for overseas transfers to “non-law enforcement recipients” – that is, cloud providers – this is only permissible if the data controller can show it is strictly necessary to do so. This means information can only be sent on a case-by-case basis for specific, limited purposes when there is no other, less intrusive means of achieving the same goal.

However, in June 2024, Computer Weekly confirmed that UK policing data uploaded to Microsoft services is routinely sent offshore for some forms of processing, while IT support is provided on a global follow-the-sun model.

To circumvent the lack of compliance with these transfer requirements, the government has simply dropped them from the DUAA, meaning policing bodies will no longer be required to assess the suitability of the transfer or report it to the data regulator.

This and other changes mean policing data can be routinely offshored to jurisdictions with lower data protection standards, without adherence to DPA18 conditions around strict necessity.

Commenting on the removal of Part 3’s strict international transfer requirements via the DUAA, which at that point was still a bill, the SPA’s DPIA noted: “If it were legal to make the transfers in the current legislation, it is unclear why DUAB seeks to change the text.”

In its abridged version sent to the ICO, the SPA added that there is a risk the DUAA “will be deemed to have sanctioned anti-competitive measures by changing the UK data protection legislation primarily to accommodate hyperscale cloud providers”.

It continued: “If the bill (or act) were to be struck down, then the position would revert to non-compliant processing. It would be hard to argue otherwise, given that the bill specifically changes the elements of concern highlighted by SPA during DESC.”

It added that while the transfer requirements have changed as a result of the new act, it will introduce a “code of conduct” for companies to sign up to, which is likely to reflect the previous transfer conditions. “Given that Microsoft currently believe that the requirements in S59 are for us to comply with and not them, they may decline to sign a code of conduct in this respect,” said the SPA.

It also noted: “If the DUAB does not receive Royal Assent before O365 is deployed, then the processing would not be legal (given that DUAB makes changes to Part 3 specifically for this purpose).”

While the data in this context relates to policing bodies, the problem is much wider, with senior Microsoft representatives publicly admitting to the French senate in June 2025 that it cannot guarantee that European data will be protected from access by US authorities under the country’s Clarifying Lawful Overseas Use of Data (Cloud) Act.

This effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud.

The SPA acknowledged in the DPIA that while disclosures under the Cloud Act are relatively rare at the moment, there are no protections against it, and “there is evidence that the current US administration is flexing its reach in terms of Microsoft accounts for its adversaries”.

While the SPA DPIA says the Information Commissioner’s Office (ICO) has suggested (in previous advice already reported on by Computer Weekly, which preceded the DUAA) that UK police can use cloud services processing data overseas if “appropriate protections” are in place, it also noted that the ongoing “lack of clear definitions for these protections creates uncertainty and potential legal vulnerabilities for law enforcement agencies”.

Sayers told Computer Weekly it is “worrying” that Police Scotland and Microsoft are continuing to rely on guidance from the ICO that UK GDPR measures can be used to address Part 3 obligations: “That is completely incorrect – you cannot substitute one data protection regime for another in this way, and while GDPR expects data to routinely transfer, Part 3 explicitly restricts that.”

According to Computer Weekly’s anonymous source, the documents disclosed under FoI “encapsulate everything that is wrong with the UK’s use of cloud”.

They added: “The SPA’s acknowledgement that Microsoft could be perceived as receiving favourable treatment, in violation of our procurement regulations, suggests the SPA is simply keeping its fingers crossed in the hope that its anti-competitive approach won’t be challenged.”

The source further added: “The SPA’s futile hope that Microsoft might sign a code of conduct … to make all the issues and risks go away is simply not good enough – it is high time that the SPA woke up to the fact that it has a choice, and exercising that choice will reduce Microsoft’s stranglehold on UK law enforcement and help to reduce the UK’s digital subservience to the hyperscale duopoly.”

Computer Weekly contacted both Police Scotland and the SPA about why they are pressing ahead with the project, despite Microsoft’s behaviour and the clear data protection risks identified, but neither directly responded to the points raised.

A spokesperson for the SPA said: “The authority recognises the potential benefits of using Microsoft 365 for policing. We are working with Police Scotland and the Information Commissioner’s Office to understand and mitigate potential risks associated with its potential use.”

The SPA, however, did confirm that it does not currently use M365 in the cloud.

A rock and a hard place

While the SPA noted in the documentation released that it would not ordinarily tolerate such opacity from other suppliers, it also said that ridding itself of Microsoft is not a clean-cut process.

Highlighting the setup of the National Enabling Programme (NEP) – an initiative jointly created in 2017 by the National Police Chiefs’ Council (NPCC) and the Association of Police and Crime Commissioners (APCC) to spearhead the delivery of new cloud-enabled ways of working for all 48 of the UK’s police forces – the SPA said stopping contracts with Microsoft would put itself out of step with Police Scotland and the rest of the UK.

“By not using Microsoft, SPA would not be following the NEP approach, resulting in major deviation from the programme and problems for the PSoS [Police Scotland] adoption given our shared IT infrastructure,” it said.

“The possibility of finding other suppliers who could offer a similar service is remote, meaning organising and tendering for multiple suppliers at one-off costs. The ongoing management of multiple contracts would be time-consuming and increase the risk of a potential loss of service.”

The DPIA also noted it would be more expensive, as the Police Digital Service (PDS), which is tasked with overseeing the development and deployment of the multi-pronged National Policing Digital Strategy, has managed to agree common pricing and discounts for police forces using Microsoft.

“This means that Microsoft’s online service terms and data processing addendum apply directly between each force as controller and Microsoft as processor,” it said. “On their own, PSoS/SPA would not have been able to secure these discounts.”

Computer Weekly previously reported in December 2020 that nearly 30 police forces had unlawfully rolled out M365, largely because they were relying on a DPIA and contracts centrally created and held by the NEP, instead of conducting their own due diligence as required by Part 3.

Of the 30 police forces involved in the initial M365 rollout, 29 responded to Computer Weekly’s FoIs that they had not completed their own DPIAs at the time of publication, and that they hold “no information” on either the contract or terms and conditions in place with Microsoft.

The SPA noted in its DPIA that “the NEP is not mandated to make UK police forces compliant with data protection legislation”, adding that while it has provided a blueprint for forces to follow, the onus is on individual forces to ensure compliance and understand how the infrastructure works.

“SPA is a late adopter of Office 365. The reason for that is the due diligence that we have undertaken,” said the abridged DPIA.

“We are aware of the risks and issues, and, in my opinion, we are in a better position than most organisations using O365 in that we have pored through MS documentation to better understand the product and undertaken consultation with both Microsoft and the ICO to understand the landscape and risks/benefits. We are not simply looking to deploy the product because other forces have done it.”