Microsoft refuses to divulge data flows to Police Scotland
Tech giant Microsoft is declining to share key information with Police Scotland about where the sensitive data it uploads to Office 365 will be processed, leaving the force unable to comply with UK-wide data protection laws
Microsoft is refusing to tell Scottish policing bodies where and how the sensitive law enforcement data uploaded to its cloud services will be processed, citing “commercial confidentiality”.
As part of a UK-wide effort to move police forces onto cloud-enabled digital infrastructure, Police Scotland and the Scottish Police Authority (SPA) are jointly implementing Microsoft Office 365 (O365) to store and process a range of personal and law enforcement data.
However, according to documents released by the SPA under freedom of information (FoI) rules, Microsoft is refusing to hand over crucial information about its international data flows to the SPA and Police Scotland.
Without this information, the policing bodies are unable to satisfy the law enforcement-specific data protection rules laid out in Part 3 of the Data Protection Act 2018 (DPA18), which places strict limits on the transfer of policing data outside the UK.
“MS is unable to specify what data originating from SPA will be processed outside the UK for support functions,” said the SPA in a detailed data protection impact assessment (DPIA) created for its use of O365. “To try and mitigate this risk, SPA asked to see … [the transfer risk assessments] for the countries used by MS where there is no [data] adequacy. MS declined to provide the assessments.”
The SPA DPIA also confirms that, on top of refusing to provide key information, Microsoft itself has told the police watchdog it is unable to guarantee the sovereignty of policing data held and processed within its O365 infrastructure.
“Microsoft states in their own risk factors that O365 is not designed for processing the data that will be ingested by SPA,” said the DPIA, adding that while the system can be configured in ways that would allow the processing of “high-value” policing data, “that bar is high”.
It further added that while Microsoft previously agreed to make a number of changes to the data processing addendum (DPAdd) being used for Police Scotland’s Azure-based Digital Evidence Sharing Capability (DESC) – the nature of which is still unclear – Microsoft has advised that “O365 operates in a completely different manner and there is currently no way to guarantee data sovereignty”.
It further noted that while a similar “ancillary document, like that provided … via the DESC project” could afford “some level of assurance” for international transfers generally, it would still fall short of Part 3 requirements to set out exactly which types of data are processed and how.
Microsoft’s refusal to provide information about its international data processing practices means the sensitive law enforcement data held by Police Scotland – including information about witnesses and victims of crime – could be processed in “hostile” countries, or those without data adequacy agreements.
The DPIA said this includes China, Serbia, India, the UAE, Brazil, Egypt, South Africa, Chile, Hong Kong and Malaysia.
“MS has declined, due to confidentiality, to provide SPA with the assurances it needs for those transfers, including International Data Transfer Agreements,” it said. “MS is unable to give assurances that data will not be processed in those countries, given their follow-the-sun support model… Thus, SPA cannot be assured that those assessments included both Part 2 [GDPR] and Part 3 [law enforcement] processing.”
According to an “abridged DPIA” also released under FoI: “If any other company had declined to tell us who processes what data of ours and where, and further declined to provide the evidence … we would, in all likelihood, not progress with a tender bid.”
All of this further underlines – indeed is conclusive proof of – the absolute necessity for UK cloud capability, especially for our public services which successive governments have totally neglected
Tim Clement-Jones, Liberal Democrat peer
Other than Microsoft declining to provide information about transfers “for reasons of confidentiality”, the DPIA identified a range of other issues, including that Microsoft is in possession of the encryption keys (meaning it would be able to access all the data held and hand it over to the US government if required to under the country’s invasive laws), and is refusing to allow UK police to vet Microsoft employees who could be accessing the data from overseas.
Computer Weekly contacted Microsoft about the contents of the FoI documents and its refusal to provide information to Police Scotland. A spokesperson said the company “complies with all laws and regulations applicable to the provision of our products and services”.
Responding to further questions from Computer Weekly about why it is pressing ahead with the O365 deployment despite Microsoft’s conduct and the clear data protection issues identified, a Police Scotland spokesperson said: “[The force] continues to work with the Scottish Police Authority on plans to implement Microsoft 365 in common with other UK law enforcement agencies.
“We work closely with partners to ensure all required data security, protection controls and governance are in place. This includes with the Information Commissioner’s Office and the Scottish Biometrics Commissioner as required.”
Commenting on Microsoft’s refusal to divulge key information and its acknowledgement to Scottish police that it cannot guarantee the sovereignty of its data, Liberal Democrat peer Tim Clement-Jones – who has previously highlighted hyperscalers’ lack of compliance with Part 3 in the Lords – told Computer Weekly it demonstrates the need for the UK to have its own sovereign cloud capabilities.
While the DPIA showcases how Police Scotland and the SPA are unable to fulfil their legal obligations as a result of Microsoft’s stonewalling on data flows, other documentation disclosed under FoI responses highlights that they have been trying to get answers to their questions for many months.
According to email correspondence between Police Scotland and Microsoft, one force representative noted in February 2025: “There is a heavy onus upon Police Scotland/SPA to demonstrate a granular understanding of where our data traverses, its security and that there are adequate safeguards to protect personal data in the event it is transferred/accessed outside of the UK.”
They added that Part 3 also places responsibilities on the processor – in this case, Microsoft – to provide evidence about its international data transfers.
Although earlier correspondence shows the force initially asking for clarification on various aspects of the company’s international transfers – including how it can comply with various Part 3 requirements, a list of sub-processors, and documentation on its data flows – on 7 October 2024, Microsoft took over a month to respond.
When it did respond, on 13 November, Police Scotland felt the information provided was inadequate. In a follow-up the next day, a Police Scotland employee noted that the team reviewing the documentation provided “already feel it’s not answering the questions in the detail that we require” as they “can’t find the answers to the questions” being asked.
A further Microsoft email from 30 November indicates that, sometime between the initial contact from Police Scotland and then, the company’s legal and commercial teams had been alerted to the force’s requests for clarification on key data protection.
According to later emails, while the force requested further clarification on data flows and sub-processor locations within Microsoft’s Content Delivery Network (CDN) on 27 November 2024, the company advised “this is commercially sensitive” and ultimately “declined this information”.
Although there is a gap in the correspondence disclosed, other emails from Police Scotland show that, at some point between December 2024 and February 2025, Microsoft also told the force that it is not required “to disclose any of its confidential contractual arrangements or compliance documents”, and refused to provide any further information.
“Should Police Scotland consider it necessary to carry out its own TRA [transfer risk assessment] regarding transfers of personal data in connection with Microsoft 365 … we have published extensive information online in our Service Portal to help with that exercise,” said a Microsoft representative, whose name has been redacted.
They added that while M365 “is not designed to process special categories of personal data on a large scale”, including law enforcement data, it is up to data controllers – Police Scotland and the SPA in this instance – to determine the best configuration for the system to meet their local legal requirements: “As the data processor, Microsoft has no control over such use and typically would have little or no insight into such use.”
According to the Scottish Police Authority DPIA, “the Microsoft position was that the controls required for Part 3 data are not inherent in the product and it would be for the customer to ensure the required controls were implemented”.
It added that Microsoft has also stated that it cannot guarantee which sub-processors may be processing data at a given time, due to its “follow-the-sun” support model, noting that while every country in the European Economic Area (EEA) is deemed data adequate for Part 3 data, no country in the world outside of the zone has this adequacy status.
Credit does have to go to Police Scotland here for joining in the diligence already uniquely conducted by the SPA. Although Microsoft Cloud and M365 is used already up and down the UK by police and law enforcement bodies, so far only SPA – and now Police Scotland – have really asked any of the important questions. Unfortunately, the answers are less than confidence-building
Owen Sayers, independent security consultant
This would therefore preclude them from receiving policing data, unless the strict transfer conditions of Part 3 are being met.
Computer Weekly contacted Microsoft about where it is sending and processing data uploaded by Police Scotland, but received no response on this point.
A source close to the issue said: “Very significant risks have been identified, including Microsoft’s arrogant refusal to declare its sub-processors. This is very different from the Microsoft that tried to reassure its EU customers of its trustworthiness just a few weeks ago.”
For Owen Sayers, an independent security consultant and enterprise architect with over 20 years’ experience in delivering national policing systems, “the nature and duration” of the discussions between Scottish policing bodies and Microsoft are “enlightening”, offering insight into both “the difficulty in getting straight answers to questions that Microsoft routinely don’t expect to answer” and the poor state of due diligence across policing generally.
“Credit does have to go to Police Scotland here for joining in the diligence already uniquely conducted by the SPA,” he said.
“Although Microsoft Cloud and M365 is used already up and down the UK by police and law enforcement bodies, so far only SPA – and now Police Scotland – have really asked any of the important questions: Where does our data go? Do you have a map or data flow model? What assurances can you give us around our regulatory DPA Part 3 needs?
“Unfortunately, the answers are less than confidence-building.”
Legalising illegal practices
Also contained in the Scottish Police Authority DPIA are acknowledgements that while UK law has recently changed to accommodate police use of hyperscaler cloud providers, this is essentially an admission that policing bodies have been unlawfully storing and processing data in their architecture for years.
The assessment added that while the data reforms have provided more legal certainty, they still do not clear up issues around the sovereignty of data.
For example, while the DPA 2018 does allow for overseas transfers to “non-law enforcement recipients” – that is, cloud providers – this is only permissibleif the data controller can show it is strictly necessary to do so. This means information can only be sent on a case-by-case basis for specific, limited purposes when there is no other, less intrusive means of achieving the same goal.
To circumvent the lack of compliance with these transfer requirements, the government has simply dropped them from the DUAA, meaning policing bodies will no longer be required to assess the suitability of the transfer or report it to the data regulator.
This and other changes mean policing data can be routinely offshored to jurisdictions with lower data protection standards, without adherence to DPA18 conditions around strict necessity.
Commenting on the removal of Part 3’s strict international transfer requirements via the DUAA, which at that point was still a bill, the SPA’s DPIA noted: “If it were legal to make the transfers in the current legislation, it’s unclear why DUAB seeks to change the text.”
In its abridged version sent to the ICO, the SPA added that there is a risk the DUAA “will be deemed to have sanctioned anti-competitive measures by changing the UK data protection legislation primarily to accommodate hyperscale cloud providers”.
It continued: “If the bill (or act) were to be struck down, then the position would revert to non-compliant processing. It would be hard to argue otherwise, given that the bill specifically changes the elements of concern highlighted by SPA during DESC.”
It added that while the transfer requirements have changed as a result of the new act, it will introduce a “code of conduct” for companies to sign up to, which are likely to reflect the previous transfer conditions. “Given that Microsoft currently believe that the requirements in S59 are for us to comply with and not them, they may decline to sign a code of conduct in this respect,” said the SPA.
It also noted: “If the DUAB does not receive Royal Assent before O365 is deployed, then the processing would not be legal (given that DUAB makes changes to Part 3 specifically for this purpose).”
While the data in this context relates to policing bodies, the problem is much wider, with senior Microsoft representatives publicly admitting to the French senate in June 2025 that it cannot guarantee that European data will be protected from access by US authorities under the country’s Clarifying Lawful Overseas Use of Data (Cloud) Act.
This effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud.
The SPA acknowledged in the DPIA that while disclosures under the Cloud Act are relatively rare at the moment, there are no protections against it, and “there is evidence that the current US administration is flexing its reach in terms of Microsoft accounts for its adversaries”.
Sayers told Computer Weekly it is “worrying” that Police Scotland and Microsoft are continuing to rely on guidance from the ICO that UK GDPR measures can be used to address Part 3 obligations: “That’s completely incorrect – you cannot substitute one data protection regime for another in this way, and whereas GDPR expects data to routinely transfer, Part 3 explicitly restricts that.”
According to Computer Weekly’s anonymous source, the documents disclosed under FoI “encapsulate everything that is wrong with the UK’s use of cloud”.
They added: “The SPA’s acknowledgement that Microsoft could be perceived as receiving favourable treatment, in violation of our procurement regulations, suggests the SPA is simply keeping its fingers crossed in the hope that its anti-competitive approach won’t be challenged.
The source further added: “The SPA’s futile hope that Microsoft might sign a code of conduct … to make all the issues and risks go away is simply not good enough – it’s high time that the SPA woke up to the fact that it has a choice, and exercising that choice will reduce Microsoft’s stranglehold on UK law enforcement and help to reduce the UK’s digital subservience to the hyperscale duopoly.”
Computer Weekly contacted both Police Scotland and the SPA about why they are pressing ahead with the project, despite Microsoft’s behaviour and the clear data protection risks identified, but neither directly responded to the points raised.
A spokesperson for the SPA said: “The authority recognises the potential benefits of using Microsoft 365 for policing. We are working with Police Scotland and the Information Commissioner’s Office to understand and mitigate potential risks associated with its potential use.”
The SPA, however, did confirm that it does not currently use M365 in the cloud.
A rock and a hard place
While the SPA noted in the documentation released that it would not ordinarily tolerate such opacity from other suppliers, it also said that ridding itself of Microsoft is not a clean-cut process.
Highlighting the setup of the National Enabling Programme (NEP) – an initiative jointly created in 2017 by the National Police Chiefs’ Council (NPCC) and the Association of Police and Crime Commissioners (APCC) to spearhead the delivery of new cloud-enabled ways of working for all 48 of the UK’s police forces – the SPA said stopping contracts with Microsoft would put itself out of step with Police Scotland and the rest of the UK.
“By not using Microsoft, SPA would not be following the NEP approach, resulting in major deviation from the programme and problems for the PSoS [Police Scotland] adoption given our shared IT infrastructure,” it said.
“The possibility of finding other suppliers who could offer a similar service is remote, meaning setting up and tendering for multiple suppliers at one-off costs. The ongoing management of multiple contracts would be time-consuming and increase the risk of a potential loss of service.”
The DPIA also noted it would be more expensive, as the Police Digital Service (PDS), which is tasked with overseeing the development and deployment of the multi-pronged National Policing Digital Strategy, has managed to agree common pricing and discounts for police forces using Microsoft.
“This means that Microsoft’s online service terms and data processing addendum apply directly between each force as controller and Microsoft as processor,” it said. “On their own, PSoS/SPA would not have been able to secure these discounts.”
Of the 30 police forces involved in the initial M365 rollout, 29 responded to Computer Weekly’s FoIs that they had not completed their own DPIAs at the time of publication, and that they hold “no information” on either the contract or terms and conditions in place with Microsoft.
The SPA noted in its DPIA that “the NEP is not mandated to make UK police forces compliant with data protection legislation”, adding that while it has provided a blueprint for forces to follow, the onus is on individual forces to ensure compliance and understand how the architecture works.
“SPA is a late adopter of Office 365. The reason for that is the due diligence that we have undertaken,” said the abridged DPIA.
“We are aware of the risks and issues, and, in my opinion, we are in a better position than most organisations using O365 in that we have pored through MS documentation to better understand the product and undertaken consultation with both Microsoft and the ICO to understand the landscape and risks/benefits. We are not simply looking to deploy the product because other forces have done it.”
Read more about police technology
UK equality watchdog: Met Police facial recognition unlawful: The UK’s equality watchdog has been granted permission to intervene in a judicial review of the Met Police’s live facial-recognition (LFR) technology use, which it claims is being deployed unlawfully.
MPs propose ban on predictive policing: MPs are attempting to amend the UK government’s forthcoming Crime and Policing Bill so that it prohibits the use of controversial predictive policing systems.
Essex Police discloses ‘incoherent’ facial recognition assessment: An equality impact assessment of Essex Police live facial recognition deployments is plagued by inconsistencies and poor methodology, undermining the force’s claim that its use of the technology will not be discriminatory.
