Appendix 3

Communications between the Authority and the Information Commissioner

From: [Redacted]
Sent: 09 December 2022 10:00
To: Davie, Lindsey
Cc: [Redacted]
Subject: ICO to partners re DESC/Cloud issues

Dear colleagues

Thank you for meeting with us at such short notice. We discussed questions on 3 interrelated topics around the DESC programme that had been raised with us – I have summarised our thinking at present below.

International transfers for the purpose of system/tech support

We understand that technical support for DESC may at times be provided by teams in a third country without a UK adequacy decision.
Our initial view is that:
 if technical support staff in a third country access personal data on DESC this would constitute an international transfer under data protection law.
 This processing would fall under Part 3 of the Data Protection Act 2018 (DPA 2018).
 These transfers would be unlikely to meet the conditions for a compliant transfer set out in s73-76 DPA 2018.

In order to avoid a potential infringement of data protection law we strongly recommend ensuring that personal data remains in the UK by seeking out UK based tech support. If 24 hours support is required and a ‘follow the sun’ approach is necessary to deliver that, it may be that technical questions could be answered by support teams based in third countries without these teams accessing and processing any personal data.

As discussed we are currently seeking a view on whether the processing for the purpose of tech support may fall under UK GDPR as supplemented by DPA18. However we must emphasise that at this stage we do not have a formal view. We intend to come to you in writing with a formalised view as soon as possible – which may differ from the statement above. If this is the case we will detail why.

The US CLOUD Act

We understand that your contracted processor Axon will use Microsoft as a sub processor. Microsoft is an American company and subject to requests through US CLOUD Act.
You have raised an interesting question regarding the potential transfer of personal data by Microsoft to a US law enforcement agency under a warrant granted under the CLOUD Act would constitute an international transfer under Part 3 DPA 2018. Although we do not think that it is the intention of the legislation, the drafting may lead to such a transfer being, in principle, possible.

In any event, partners involved in the DESC project must be assured they are meeting all their obligations under data protection law including those set out in S59, S64 and S66 of the DPA 2018.

Again, this comes with the caveat this is our initial view only. We intend to come to you in writing with a formalised view as soon as possible – which may differ from the statement above. If this is the case we will
detail why.

Variability of the contract with Microsoft / EDPS paper

We understand that you have concerns that there is no contract in place between Axon and Microsoft and that Microsoft may vary the service provided without your agreement as a controller. We would expect Police Scotland / the Scottish Police Authority/ COPFS to take all reasonable steps to ensure compliance with s59 DPA 2018 and to mitigate and safeguard against any risks that Microsoft (as sub processor) may vary the terms of the contract without Police Scotland / SPA/ COPF’s agreement.
Please keep us updated on:

 Whether you decide to progress with the pilot in January
 If you do decide to move ahead with the pilot the actions that you have taken in relation to our advice above.

Any questions do let us know.
Regards,

[Redacted]
Information Commissioner’s Office, Queen
Elizabeth House, Sibbald Walk, Edinburgh EH8 8FT.
T. [Redacted] ico.org.uk twitter.com/iconews
For information about what we do with personal data see our privacy notice at
www.ico.org.uk/privacy-notice