UK government's use of M365 under scrutiny after Microsoft discloses it "cannot guarantee sovereignty"

cyberfeed.pl, 2 months ago


The dominant hold that Microsoft has on government IT is coming under close scrutiny, following the software giant's disclosure that it cannot guarantee the sovereignty of UK policing data hosted within its hyperscale cloud infrastructure.

As exclusively revealed by Computer Weekly on 19 June, Microsoft has advised Scottish policing bodies that it cannot guarantee that data hosted in its Microsoft 365 and Azure platforms will stay in the UK.

The disclosure features in a series of Freedom of Information (FOI) responses from the Scottish Police Authority (SPA) to questions raised by independent security consultant Owen Sayers about the authority's use of Microsoft's cloud services.

One of the responses, seen by Computer Weekly, sees Sayers ask the SPA for a list of "any Microsoft cloud services identified as not operating fully within the UK" or that require the global transfer of client data.

In its response, the SPA stated: "Microsoft have advised that they cannot guarantee data sovereignty for M365."

Other information released as part of the FOI disclosure reveals that data hosted in Microsoft’s cloud infrastructure is regularly transferred and processed overseas, as well as acknowledgements from Microsoft that global data transfers are part and parcel of how its public cloud infrastructure works.

The importance of Microsoft's disclosures is that the processing of personal data by law enforcement bodies is governed by the contents of Part 3 of the Data Protection Act (DPA) 2018, which limits the use of overseas cloud providers by law enforcement entities unless "appropriate safeguards" are in place.

And while DPA 2018 Part 3 only applies to law enforcement bodies, other public sector organisations operate under regulatory controls that anticipate or require data to be 100% resident in the UK too, said Sayers.

"Until June 2023, the government classification policy specifically prohibited the offshoring of data, and questions should now be asked as to how HM government's use of Microsoft cloud between 2014 and 2023 was allowed to grow as it did when it mostly contravened that policy," said Sayers.

Computer Weekly put this question to the Cabinet Office, but did not receive a direct reply.

The importance of the time period cited by Sayers is that 2014 was the year when the Cabinet Office sought to streamline the government's seven-tier Business Impact Levels (BIL) data classification system, used by departments to assess the sensitivity of the data they handled.

The process resulted in the creation of the three-tier Government Classification Scheme (GCS) and the introduction of a new naming convention whereby government data is now classified as being either Official, Secret or Top Secret.

"The policy issued then and updated in 2018 didn't just change the names, it also contained some specific provisions about using cloud," said Sayers. "One of those provisions was that for data classified as being above the old BIL threshold of BIL 2xx, the cloud hosting it had to be accredited and located in the UK."

In addition to this, Sayers said: "Many government and private sector organisations will have a risk statement in their corporate risk register or Data Protection Impact Assessment [DPIA] that reflects Microsoft's use of UK datacentres [to] ensure personal data doesn't leave the UK and, as such, is sovereign.

"These clarifications from Microsoft show that this most likely isn't true for most processing use cases, and – as a result – those organisations need to look at how that changes both their risk profile and whether trust in Microsoft's data residency guarantees has, in fact, been misplaced."

Computer Weekly asked Microsoft if it could guarantee the sovereignty of other forms of public sector data hosted on its hyperscale cloud platform, but the company did not directly answer the question.

Revisions to the public cloud-first policy

According to Sayers, the Microsoft disclosures also call into question whether the UK government's long-standing public cloud-first policy remains fit for purpose.

The policy, introduced in January 2017, mandates that all central government departments should take a public cloud-first approach to new technology procurements. The rest of the public sector is not mandated to follow this advice, but is strongly encouraged to do so.

"Now it's been confirmed that one of HM government's biggest [public cloud] partners – Microsoft – is offshoring much of the UK's data, the next government, whatever its make-up, needs to consider if the current cloud-first strategy remains sound," said Sayers.

The policy is credited with accelerating the pace of cloud adoption in central government, and is known to be kept under regular review by the Cabinet Office.

The policy's emergence in 2017 was accompanied by guidance from the Government Digital Service (GDS) around the same time that stated public cloud is safe to use for the vast majority of public sector workloads.

Its publication came several months after Microsoft opened its first UK datacentre region in September 2016, with the then Microsoft corporate vice-president of Office 365, Ron Markezich, pitching the launch as the answer to the fact that "some customers need data located and stored in the UK".

Nicky Stewart, former ICT chief at the Cabinet Office, told Computer Weekly that many public sector IT buyers may have bought Microsoft services "on blind trust" and assumed that, because the company operates UK datacentres, their M365 data would have remained in-country.

"You've got Microsoft touting what they describe as sovereign cloud, but what do they mean by sovereign…because truly sovereign data would not be offshored under any circumstances – and surely wouldn't be subject to any third-country jurisdiction, which is always going to be the case when something is hosted in Microsoft or another US-based cloud," she said. "Is sovereignty just assumed because the data is being kept in the UK?"

It is not hard to see why such an assumption might have been made by public sector IT buyers.

When the Microsoft UK datacentre development plan was first announced in November 2015, former UK government chief technology officer Liam Maxwell said the news would have "great implications for business, local government and for lots of people who have always found the issue of data sovereignty and data location to be troubling", during a press Q&A Computer Weekly attended.

In an interview with the BBC, Microsoft's former cloud enterprise group chief, Scott Guthrie, said opening UK datacentres would address the data sovereignty concerns of privacy watchdogs and regulators.

"For some things – like healthcare, national defence and public sector workloads – there's a variety of regulations that says the data has to stay in the UK," he said. "Having these two local Azure regions means we can say this data will never leave the UK, and will be governed by all of the regulations and laws."

The company also has documentation hosted on its website, dating back to 2018, aimed at users of the public sector G-Cloud procurement framework, that assures them its services are hosted within UK datacentres for use by UK government customers.

A misinterpretation of guidance?

Despite these statements, Sayers said Microsoft has never given assurances that any data stored on its systems would always stay in the UK.

"People just chose to read it in that way," he said. "All Microsoft has ever done is guarantee that data would be stored at rest in a specific geography, and even then that guarantee is limited to certain services."

He continued: "In that regard, I have some limited sympathy for Microsoft, [because] users of its services possibly haven't read the terms of service properly or conducted much in the way of due diligence before signing up to use its services. If they had done so, all this would have come into the public domain much sooner."

All the SPA did was ask Microsoft to confirm what the terms of service for its cloud products meant in practice, he continued. “Microsoft didn’t duck the question – and it looks very much like the Scottish Police Authority were just the first to ask it.”

Computer Weekly asked Microsoft if any government departments had ever contacted it directly for assurances about the sovereignty of data stored and processed within M365, but the company did not respond to the question.

The UK government's Cloud guide for the public sector document, which was jointly published in November 2023 by the Cabinet Office's technology arm, the Central Digital and Data Office (CDDO), and the Government Commercial Function, states that it is down to departments to decide where their cloud data should be hosted and, in short, their responsibility to ensure suppliers meet their requirements.

"There is no government policy which directly prevents departments or services from storing cloud-based data in any specific country. However, you need to consider the implications of where you host your data," the document stated.

"It is the responsibility of each government department to take risk-based decisions about their use of cloud providers for the storage of government data."

User-centred responsibility for sovereignty

Something that complicates the picture further is that while a department might assume its data is hosted in the UK, some parts of the public sector allow their cloud engineers to call the shots on where data is hosted for cost-cutting reasons, said Stewart.

"In a setup like that, it's feasible that a choice could be made to put data offshore based on economics without thinking about the regulatory implications of that or the implications of the contract, because a cloud engineer is effectively sitting miles away from the cloud contract – unless they've got a procurement professional hanging over their shoulders, which nine times out of 10 they won't," she said.

As an example of this, she pointed to the publicly referenceable NHS England Cloud Centre of Excellence financial operations (FinOps) guidance.

This states that cloud purchasing decisions are made by the organisation's engineers, who are responsible for provisioning services, which it describes as a "shift of responsibilities away from the traditional central procurement and approvals model".

This suggests, she added: "Once your business has been deployed in the cloud, you're at the mercy of cloud engineers because they're the ones making the decisions about essentially where data is going to be hosted."

Central government's use of M365

The Microsoft data sovereignty disclosure also puts the government's championing of M365 as the "standard for productivity" under scrutiny, given that nearly every department uses the suite.

The only exceptions to this are the Department for Digital, Culture, Media and Sport (DCMS), which relies on rival offering Google Workspace, and the Cabinet Office – although the latter is in the midst of a multiyear migration to M365.

Discussing the deployment at a TechUK Cabinet Office marketplace engagement event on 21 April 2023, the department’s chief data and information officer, Mike Hill, said M365 is the “government standard for productivity” – as defined by the Central Digital and Data Office (CDDO).

"There are only two departments within government – ourselves [the Cabinet Office] and DCMS – who remain on Google," he said. "So what we're looking to do is align to the government standard, to make it easier to interoperate, to share information, and to be more productive as departments…[and] to be much more simplified by adopting the standard set by the CDDO."

There is no formal mandate stating that government departments should use M365, but what there is – a government source told Computer Weekly – is a desire within Whitehall for departments to use the same tools wherever possible.

"There is a drive to make a better connected, department-to-department, collaborative information-sharing and communication infrastructure," the source said. On this point, Computer Weekly is aware that long-time Google Workspace user DCMS added Microsoft Teams to the range of communications tools it uses in 2023.

"Civil servants frequently move between departments, and this increased connectivity should make the IT support for that process more manageable, as well as help information sharing between departments," the source added.

Having every department running the same productivity software sounds sensible from a collaboration and consistency perspective, said Rob Anderson, chief analyst and service director, covering the public sector, at IT market watcher GlobalData, but there could be financial drawbacks.

"Over the last two to three years, we've seen an increase in government spending with Microsoft [overall], with most of that spending going through third-party resellers. The amount of money spent directly with Microsoft does not seem that much, but when you take into account [the resellers], it is significant," he said.

As an example, Anderson pointed to a contract that came to light in April 2023, which saw the Department for Work and Pensions (DWP) sign a five-year deal worth £250m with Microsoft via third-party reseller Softcat.

This is a follow-on to a three-year contract worth £70.8m between the pair, which ran until March 2023, meaning the amount of money DWP spends on Microsoft products each year has more than doubled.

“When you look at the number of employees DWP has, it works out at about £600 a year per user, which for a suite of productivity tools sounds ridiculous,” said Anderson.

In 2013, Anderson worked for a short time in the Cabinet Office as a Crown Representative, a role that involved tracking the amount spent on tech contracts, including Microsoft deployments.

"When I was working in that Crown Rep role 10 or 11 years ago, we were concerned if more than £100 per employee per year [was spent] on Microsoft," he said.

Other notable deals include the three-year Microsoft Azure provisioning contract HM Revenue & Customs (HMRC) awarded to Softcat for £81.5m in June 2024, said Anderson.

“This is in addition to the five-year contract with another reseller called Bytes that was awarded last year for [M365] licensing worth £166.3m, which is equivalent to £500 per user per year,” he said. “In total, since April 2021, HMRC has committed to £265m of spend on Microsoft products and services.”

There has also been a noticeable uptick in the number of contract awards in the wider public sector mentioning Microsoft, he added.

"[It's] increased dramatically over the last three years – totalling £1.44bn in 2023/24, rising from £1.26bn in 2022/23 and just £562m in 2021/22," he said. "Just £169m across those three financial years was direct to Microsoft [rather than to its resellers] – 7% by value of the full spend over the last four years."

Given the push to standardise on M365 within central government, Microsoft's public sector dominance is poised to increase. "Without any real competition, and by steadily removing Google from the equation, the likelihood is Microsoft will hold all the cards."

This could potentially mean more government data is exposed to the risk of being processed overseas, said Sayers. "It should be assumed now that all M365 data does travel internationally by default, which is politically bad for the UK government. This essentially means we've offshored the whole of UK government IT."

This comes at a time when rising geopolitical instability across the world is prompting governments in other countries to double down on sovereignty to ensure their citizens' data remains in-country for privacy reasons, said Stewart.

"True data sovereignty is becoming a really big thing in other parts of the world, but we just happily push all our data into non-sovereign entities, believing what they say about [sovereignty], when in fact we don't know what will happen to our data," she told Computer Weekly. "Nobody appears to be owning or caring about this in the UK, not least of all our own government."

Computer Weekly requested a statement from the UK Cabinet Office in response to Microsoft's disclosures about being unable to guarantee the sovereignty of M365 data, but the department did not directly answer the question.

The department was also asked if it had ever sought assurances from Microsoft that any government data that resides in M365 will stay in the UK at all times, but – again – no direct response to this question was forthcoming.

Next steps for public sector IT buyers

With the Microsoft disclosures now out in the open, Sayers said public sector buyers need to be aware that the sovereignty claims and assurances made by other public cloud providers might also not be quite what they seem.

"The issues here relate to Microsoft – but the problem may not be limited only to them. Most users of hyperscaler public cloud services do not realise this, but all the major hyperscaler terms of service allow the cloud provider – at their sole discretion – to move your data anywhere within their global services without asking for specific permission," he said.

"The degree to which they disclose to the customer where data is sent varies. Google is reasonably transparent, whilst Amazon Web Services and Microsoft are somewhat more opaque, but they all have this common issue to some degree."
