
Microsoft Refuses To Divulge Data Flows To Police Scotland (computerweekly.com)
Police Scotland and the Scottish Police Authority (SPA) are pressing ahead with a Microsoft Office 365 rollout despite Microsoft refusing to disclose where sensitive law enforcement data will be processed. Freedom of Information documents reveal that Microsoft cannot guarantee data sovereignty, may process data in "hostile" jurisdictions, retains encryption key control, and blocks vetting of overseas staff -- all leaving the force unable to comply with strict Part 3 data protection rules. Slashdot reader Mirnotoriety shares an excerpt from a Computer Weekly article: "MS is unable to specify what data originating from SPA will be processed outside the UK for support functions," said the SPA in a detailed data protection impact assessment (DPIA) created for its use of O365. "To try and mitigate this risk, SPA asked to see ... [the transfer risk assessments] for the countries used by MS where there is no [data] adequacy. MS declined to provide the assessments." The SPA DPIA also confirms that, on top of refusing to provide key information, Microsoft itself has told the police watchdog it is unable to guarantee the sovereignty of policing data held and processed within its O365 infrastructure.
"Microsoft states in their own risk factors that O365 is not designed for processing the data that will be ingested by SPA," said the DPIA, adding that while the system can be configured in ways that would allow the processing of "high-value" policing data, "that bar is high." It further added that while Microsoft previously agreed to make a number of changes to the data processing addendum (DPAdd) being used for Police Scotland's Azure-based Digital Evidence Sharing Capability (DESC) -- the nature of which is still unclear -- Microsoft has advised that "O365 operates in a completely different manner and there is currently no way to guarantee data sovereignty." It further noted that while a similar "ancillary document, like that provided ... via the DESC project" could afford "some level of assurance" for international transfers generally, it would still fall short of Part 3 requirements to set out exactly which types of data are processed and how.
"Microsoft states in their own risk factors that O365 is not designed for processing the data that will be ingested by SPA," said the DPIA, adding that while the system can be configured in ways that would allow the processing of "high-value" policing data, "that bar is high." It further added that while Microsoft previously agreed to make a number of changes to the data processing addendum (DPAdd) being used for Police Scotland's Azure-based Digital Evidence Sharing Capability (DESC) -- the nature of which is still unclear -- Microsoft has advised that "O365 operates in a completely different manner and there is currently no way to guarantee data sovereignty." It further noted that while a similar "ancillary document, like that provided ... via the DESC project" could afford "some level of assurance" for international transfers generally, it would still fall short of Part 3 requirements to set out exactly which types of data are processed and how.