Microsoft’s control over government IT is being questioned due to revelations that data hosted on its cloud infrastructure may not remain in the UK. The disclosure, obtained through freedom of information requests, highlights concerns about data sovereignty for Scottish policing bodies using Microsoft 365 and Azure platforms. The Data Protection Act limits the use of overseas cloud providers by law enforcement agencies, raising questions about government data security and adherence to regulations.
The government’s public cloud-first policy, introduced in 2017, is now being scrutinized in light of Microsoft’s offshoring of UK data. The need for a reassessment of the cloud-first strategy to ensure data sovereignty is emphasized, as the government’s reliance on Microsoft could pose risks to sensitive government data. The lack of transparency from Microsoft regarding data residency guarantees and the potential implications of offshoring on data security call for a review of government cloud procurement practices.
Furthermore, the challenges of ensuring data sovereignty within the public sector are highlighted by the decentralization of decision-making around cloud deployments. With cloud engineers often responsible for selecting data hosting locations, the risk of offshoring sensitive data without proper consideration of regulatory implications is a concern. The need for a user-centered approach to data sovereignty and cloud procurement within the public sector is emphasized to avoid potential security risks.
The increasing dominance of Microsoft in the public sector, particularly through the use of M365 as the government’s standard productivity suite, raises concerns about the exposure of government data to international processing. The financial implications of government spending on Microsoft products and services, particularly through third-party resellers, highlight the need for improved oversight and risk management in cloud procurement practices. The potential offshoring of government IT and the lack of true data sovereignty within central government underscore the importance of reassessing cloud procurement strategies to protect sensitive government data.