Published in Cloud

Microsoft won’t say where Scottish police data goes

29 August 2025


Redmond stonewalls watchdogs over Office 365 flows

Software King of the World, Microsoft is refusing to tell Police Scotland where the sensitive data it processes in Office 365 goes, leaving the force staring down a breach of UK law.

The Scottish Police Authority’s data protection impact assessment, released under freedom of information rules, shows that Vole declined to provide details on international data flows, citing “commercial confidentiality.” Without those details, the cops cannot comply with Part 3 of the Data Protection Act 2018, which restricts the transfer of policing data outside the UK.

The SPA warned in its assessment that Microsoft could not guarantee data sovereignty within Office 365, admitting that “O365 is not designed for processing the data that will be ingested by SPA.” In other words, the software wasn’t built to handle the highly sensitive law enforcement records that Police Scotland wants to shove into it.

To make matters worse, Microsoft has refused to hand over transfer risk assessments for countries where the UK has no data adequacy agreement. That means sensitive policing records, including witness and victim details, could end up being processed in places like the United States, China, India, Egypt, South Africa or Brazil.

“MS has declined, due to confidentiality, to provide SPA with the assurances it needs,” the assessment noted.

Tim Clement-Jones, Liberal Democrat peer, told Computer Weekly that this “is conclusive proof of the absolute necessity for UK cloud capability, especially for our public services which successive governments have totally neglected.”

He added that the Competition and Markets Authority “is dragging its heels on the big tech cloud services duopoly, and this should be an urgent wake-up call.”

The SPA documents also reveal other headaches. Microsoft holds the encryption keys for the service, which means it, not the force, controls access to the plaintext and could be compelled to hand the data to the US government under the CLOUD Act. It also refuses to let UK police vet its overseas staff, even though those staff could potentially access sensitive records.

An abridged version of the assessment states: “If any other company had declined to tell us who processes what data of ours and where, and further declined to provide the evidence … we would, in all likelihood, not progress with a tender bid.”

Independent security consultant Owen Sayers praised Police Scotland for at least asking the right questions, unlike most UK forces that simply followed the National Enabling Programme’s centralised blueprint.

“Credit does have to go to Police Scotland here for joining in the diligence already uniquely conducted by the SPA. Unfortunately, the answers are less than confidence-building.”

Despite the red flags, Police Scotland insists it will push ahead with the rollout. A spokesperson said the force “continues to work with the Scottish Police Authority on plans to implement Microsoft 365 in common with other UK law enforcement agencies.”

However, the new Data Use and Access Act (DUAA), which passed in June, effectively stripped out the strict transfer rules that hyperscale cloud providers could never meet. In short, transfers that used to be unlawful have now been made legal, purely to accommodate the likes of Microsoft. The SPA’s own paperwork admitted this amounted to retroactively legalising years of non-compliance.

Critics warn this leaves the UK’s policing data exposed to foreign jurisdictions, with little more than Microsoft’s word as protection. Given that Redmond itself told the French Senate in June that it cannot shield European data from US snooping, that doesn’t carry much weight.

Last modified on 29 August 2025