Response

Request Element 1:
I would be grateful if the SPA can provide me with a list of any Microsoft Cloud Services identified by them as not operating fully within the UK, or requiring international transfer of customer data during their discussions with the Authority, or as a result of any other direct disclosures in the past year made by Microsoft to the SPA.

Microsoft 365 – Microsoft have advised that they cannot guarantee data sovereignty for M365.

Microsoft Azure – Microsoft advised in an email dated 21 November 2023 to the Authority that,

• Microsoft will not store or process customer data outside the customer-specified Geo (e.g. UK) without your authorisation.
• Your authorisation is given by accepting the Microsoft Data Processing Agreement (DPA), which specifies the conditions and purposes for data transfers outside the Geo.
• Microsoft cannot accept specific consent on a case by case basis as this would be impossible to operationalise.
• However, we make an exception for Azure Core Online Services where we commit to store Customer Data at rest within the Geo selected by the customer (Product Terms -> Privacy and Security Terms -> Location of Customer Data at Rest for Core Online Services):
Microsoft Azure Core Services. If Customer configures a particular service to be deployed within a Geo then, for that service, Microsoft will store Customer Data at rest within the specified Geo. Certain services are “non regional” may not enable Customer to configure deployment in a particular Geo or outside the United States and may store backups in other locations. Refer to the Microsoft Trust Center (which Microsoft may update from time to time, but Microsoft will not add exceptions for existing Services in general release) for more details.

• Most Azure services are regional and you can specify the region into which the service will be deployed. Please see here Data Residency in Azure | Microsoft Azure for the list of regional and non-regional services to help with your risk analysis, depending on the services you have.
• For regional Azure Core Online Services, Microsoft will only transfer Customer Data (with customer consent as provided in the DPA) outside of the selected Geo (e.g. UK):
o For the small number of services specified in the Trust Centre: Data Residency in Azure | Microsoft Azure (i.e. Preview, beta, or other pre-release services and Azure Serial Console for console commands and responses); or
o If accessed remotely by Microsoft personnel (including subprocessors) located outside the Geo, but this is only with the Customer’s authorisation. When authorization is needed, Microsoft personnel would contact the customer using the customer’s contact information for the Azure account.
• Given Police Scotland’s data transfer concerns, we can provide an additional amendment for Azure Core Online Services to:
o Commit to store and process Customer Data within your selected Geo (i.e. UK), subject to the exceptions as listed in the Amendment itself (network paths, remote access from personnel with your authorisation, non-regional services). So this expands the Product Terms “Storage at Rest” commitment to store Customer Data at rest to include location of both storage and processing.
o Confirm in writing that Microsoft personnel (including subprocessors) located outside the Geo may remotely operate data processing systems in the Geo, but will not access Customer Data without authorization by the Customer.
• Microsoft may copy customer data between regions within a given Geo for data redundancy or other operational purposes. For example, geo-redundant storage replicates Blob, File, Queue and Table data between two regions within the same Geo for enhanced data durability in case of a major datacentre disaster. This means that Customer Data could be replicated between London and Cardiff (as regions in the UK Geo) but not outside of the UK. However, please note that to maintain resiliency, Microsoft uses variable network paths that sometimes cross Geo boundaries but replication of Customer Data between regions is always transmitted over encrypted network connections. “

We would also refer you to our previous FOI response 2023/24-104, see email of 7 December at page 15.

Request Element 2:
Because I am aware Scottish Government have received a letter from the ICO on 2nd April, and I believe SPA may also have been sent one as a DESC participant, I would like to receive a copy of any letter received by SPA between the time of my last request (27/02/24) and this current one.

Please see information held at Appendix 1.