Reworded and scope limited request - Information relating to countries of data processing by Microsoft

O Sayers made this Freedom of Information request to Information Commissioner's Office

Waiting for an internal review by Information Commissioner's Office of their handling of this request.

Dear Information Commissioner's Office,

I recently made a request to you (your ref: IC-290438-R1T3) for "Information relating to countries of data processing by Microsoft"

Unfortunately you were unable to fulfil this request due to cost barriers and advised how I could reword the request so as not to breach the S.12 cost limitation; thus -

"Advice and assistance
For the first two parts of your request, if you are specifically interested in any documents falling into the description mentioned in your request which we have relied upon or considered in relation to our own processing using Microsoft Cloud Services (as opposed to other organisations in contact with us as the regulator), we can answer this without breaching the costs limit.
If, alternatively or additionally, you are interested in this in respect of our work with the DESC partners, specifying this would also avoid breaching the costs limit.
Or, if there are other external parties who you believe that we may have discussed these issues with, please provide the names of those parties and this will help us to narrow our searches.
As the third part of your request does not hit the costs limit on its own, it would not need to be changed if the first two parts are altered appropriately."

I would like to act on this helpful advice and resubmit my request as below:

I would be grateful therefore if you could provide me with the following information:

1 - A copy of documents, emails, or analysis conducted by the ICO; or materials relied upon and/or considered by the ICO in creation of DPIAs - in relation to your processing of data under Part 3 of the Data Protection Act 2018 using Microsoft Cloud Services which indicates or evidences that Microsoft shall or shall not process any personal data outside of the UK - including any transfers conducted for support purposes or as a function of their provided software and services.

AND;

2 - A copy of documents, emails, analysis conducted by the ICO or the DESC parties which have been disclosed to you, or similar information in your possession which indicates or evidences that Microsoft may process DESC related personal data outside of the UK - or conduct transfers for support purposes or as a function of their provided software and services.

AND;

3 - A copy of any guidance provided by the ICO to the DESC partners re their processing of personal data for a Law Enforcement purpose for the DESC project if this has been issued, or an expected date of publication if the ICO intend to publish this.

Yours faithfully,

Owen Sayers

icoaccessinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit:

[1]https://ico.org.uk/about-the-ico/our-inf...

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found
[3]here.

Twitter

Find us on Twitter [4]here.

 

References

Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/global/privacy-notice/
3. https://ico.org.uk/about-the-ico/news-an...
4. http://www.twitter.com/ICOnews

icocasework, Information Commissioner's Office

27 March 2024

Our reference: IC-296932-L3T7 

Dear O Sayers,

Thank you for your recent request for information. We received your
request on 27 March 2024. Your request will be allocated to an Information
Access Officer who will contact you under the reference number above in
due course.
Under statutory timeframes our response to your request is due by 26 April
2024. If you have any queries about this information request you may email
us, quoting our reference number in the subject line.
 
Please note that Information Access Officers are only able to address
information requests to ICO; they are unable to assist with complaints to
ICO, or to provide general advice about the legislation we oversee, as
this work is done by other ICO departments.  
 
Our privacy notice explains what we do with the personal data you provide
to us when you make an information request:
https://ico.org.uk/global/privacy-notice...
 
Thank you for your interest in the work of the Information Commissioner's
Office.
 
Yours sincerely
Information Access Team
Information Commissioner’s Office
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0303 123 1113 [1]ico.org.uk [2]twitter.com/iconews
Please consider the environment before printing this email

Please be aware we are often asked for copies of the correspondence we
exchange with third parties. We are subject to all of the laws we deal
with, including the data protection laws and the Freedom of Information
Act 2000. You can read about these on our website ([3]www.ico.org.uk).
Please say whether you consider any of the information you send us is
confidential. You should also say why. We will withhold information where
there is a good reason to do so.
For information about what we do with personal data see our privacy notice
at [4]www.ico.org.uk/privacy-notice
 

References

Visible links
1. https://ico.org.uk/
2. https://twitter.com/iconews
3. https://www.ico.org.uk/
4. https://www.ico.org.uk/privacy-notice

icocasework, Information Commissioner's Office

5 Attachments

26 April 2024

Our reference: IC-296932-L3T7
Dear O Sayers,

Please find attached our response to your request for information. 

Yours sincerely,

Information Access Team
Information Commissioner’s Office 


Dear Information Commissioner's Office,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Information Commissioner's Office's handling of my FOI request 'Reworded and scope limited request - Information relating to countries of data processing by Microsoft'.

Before I do so, I would however like to acknowledge and thank the ICO for including information which arguably falls outside of your obligation to provide for this request, viz. the guidance provided by the Deputy Commissioner to DESC partners on 4th April.
Whilst this information was adjunct to my request, nonetheless this advice is relevant to my request for review as shall become clear shortly.

The areas of review I would like to request are as follows:

1 - Application of the S.42 Legal Privilege exemption
Whilst I normally fully respect claims against this exemption, recognising the importance of maintaining the ability to receive sound, reasoned, and professional legal advice without fear of improper disclosure, on this occasion I feel I must ask you to review the basis of your public interest test and re-consider if non-disclosure of the advice is sustainable.

In the applied public interest test the ICO have considered openness & transparency, interest in the issues around Law Enforcement use of Public Cloud and issues relating to how law enforcement bodies process personal data. These are reasonable, and though I do not feel sufficient weight has been given to the latter two, I would not challenge your S.42 exemption if these were the only matters requiring consideration.

Regrettably however upon examination of the Deputy Commissioner's 'guidance', I note a number of serious issues - which we might consider legal 'mechanical' problems, given their importance and effect.
The guidance presents a view from the ICO that Law Enforcement "may use cloud service providers that process personal data outside the UK in accordance with Part 3 DPA, subject to appropriate protections" - which is logical, but then seeks to apply a number of controls, mitigations and protections which do not apply to Part 3 DPA (Standard Contractual Clauses, IDTA and UK GDPR Adequacy).

At this point it is important that we recognise the amended SCCs make internal references only to EU GDPR, UK GDPR and to EU Regulation 2016/679; they do not refer at any point to EU Directive 2016/680 or Pt3 DPA.
The use of SCCs written to conform with one piece of legislation in order to justify potentially unsound transfers of sensitive personal data under another legal instrument is thus both confusing and concerning, and even if this were the only issue with the guidance that alone would be sufficient to prompt me to request release of the underpinning relevant internal legal advice.

In addition however, the ICO's guidance refers to S.75 (Pt3 DPA) to sanction use of SCCs, whilst ignoring the effect of the more significant parts of Part 3 DPA relating to required mandatory controls for International Transfers entirely - and in particular the effect of S.73(4)(b).
I would contend this section, and the associated S.77 provision, are the crux of the issue when considering International Transfers by a Law Enforcement Competent Authority to any non-relevant authority in a third country.

S.73(4)(b) has two vitally important implications:
1 - it limits certain Competent Authorities from being permitted to transfer data to a non-relevant authority at all; and
2 - it introduces a further 4 (four) Conditions under S.77, along with two obligations of notification (one of which is arguably optional), that must be fulfilled by any Competent Authority who is not disbarred from transferring data under S.73(4)(b)(1).

Previous FOI disclosures from the ICO have revealed that they have received a very limited number of the required S.77 notifications from Policing and other Law Enforcement Competent Authorities (in truth, virtually none in real terms), and as such any advice which fails to reinforce, or even mention, these obligations should automatically be questioned as suspicious.

It appears clear that the Deputy Commissioner's guidance is very limited in its determination and consideration of the applicable legislation, and fundamentally flawed in its efforts to apply amended SCCs - in ways that are really quite hard to reconcile with the status of the ICO as regulator.

The S.42 FOI exemption makes clear that the matters under consideration are highly complex:
"The issue of the use of cloud services for law enforcement purposes has raised complex legal concerns requiring detailed analysis. As a result, there has been lengthy and in-depth discussions between the ICO departments conducting this work and the ICO’s internal legal advisors to ensure that the ICO is able to adequately advise data controllers including the DESC partners, as well as ensure that the ICO is suitably advised in respect of its own processing.
These confidential discussions have been ongoing since the ICO first became aware of the issue in 2022 and have continued up to April 2024, when the ICO issued its formal advice to the DESC partners, which it was unable to provide until that time due to the complex nature of these discussions."

I concur - Pt3 DPA is a quite different legislative framework to UK GDPR, with just sufficient similarity in language and terms to confuse non-specialists when they seek to interpret or employ it.
It is far from uncommon in my experience to find GDPR specialists seeking to apply UK GDPR thinking and controls incorrectly to Pt3 DPA processing, and there is every indication that this is what has happened in this case also.

Given the import surrounding ICO guidance and advice - even when caveated as heavily as this letter from Ms Keaney has been when presented to DESC partners - and the wide use to which it shall undoubtedly be applied across the UK Law Enforcement sector, it is (I am sure you will agree) vitally important that the accuracy and provenance of advice can be examined, and where it may prove necessary, corrected.

This cannot be done whilst it is withheld under the S.42 exemption and as a result the potential for improper processing informed by this potentially spurious advice is unlimited.

I believe that should be re-factored into your public interest test.

2 - S.44 Legal prohibition exemption
The ICO have sought to apply this exemption on the basis of S.132(1) of the DPA 2018, viz.:

"A person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner, must not disclose information which—
(a) has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions,
(b) relates to an identified or identifiable individual or business, and
(c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources, unless the disclosure is made with lawful authority."

The S.44 exemption consideration has asserted that S.132(d) contains circumstances that would allow disclosure, "however none of them apply here".
On this basis the assertion is that the exemption may apply without further examination or justification.

I respectfully disagree with that position.

S.132(2) lays down circumstances to allow release of the information as follows:

"(2)For the purposes of subsection (1), a disclosure is made with lawful authority only if and to the extent that—
(a) the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,
(b) the information was obtained or provided as described in subsection (1)(a) for the purpose of its being made available to the public (in whatever manner),
(c) the disclosure was made for the purposes of, and is necessary for, the discharge of one or more of the Commissioner's functions,
(e) the disclosure was made for the purposes of criminal or civil proceedings, however arising, or
(f) having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest."

There has been no evidence presented by the ICO in their FOI response that they have been unable to receive consent from Police Scotland or the Scottish Police Authority as the senders of the information (sub-para 'a'), or that they have applied any public interest test (sub-para 'f'). Only if they can show these conditions to have been examined would it be feasible to claim that no circumstances allowing release exist.

Unless that evidence can be supplied I do not believe that the ICO's assertion that no permitting circumstances apply can be relied upon, and would ask that you revoke that exemption unless you can determine that the actions required to rule out those circumstances in sub-para 'a' and 'f' would allow release, were in fact taken in response to my request.

For clarity, I have no issue whatsoever with the application of S.40 exemption for personal data.

Yours faithfully,

Owen Sayers

icoaccessinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

Yours sincerely

The Information Commissioner’s Office

icocasework, Information Commissioner's Office

10 June 2024

Our reference:  IC-296932-L3T7

Dear O Sayers,

Thank you for your recent request for an internal review of our response
to your information request.

You can expect us to respond in full by 5 July. This is 20 working days
from the date we received your request for internal review. If, for any
reason, we cannot respond by this date we will let you know and tell you
when you can expect a response.

Yours sincerely,
Information Access Team
Information Commissioner’s Office 


icocasework, Information Commissioner's Office

1 Attachment

5 July 2024

Our reference: IC-296932-L3T7
Dear Owen Sayers,

Please find attached the response to your Internal Review.
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please visit
our website if you wish to make a complaint under either the Freedom of
Information Act or Environmental Information Regulations.

Yours sincerely,

Helen Sweeney
Lead Information Access Officer
Information Commissioner’s Office 
0330 414 6673


O Sayers left an annotation

Escalation made to ICO as per the ICO Review team's recommendation.

icocasework, Information Commissioner's Office

1 Attachment

8 October 2024

Our reference: IC-296932-L3T7
Dear O Sayers,

We write regarding your request for information under the above
reference. 

At the time of our response, we withheld our correspondence with the SPA
in full under s.44 FOIA/ s.132 DPA, as we did not have lawful authority to
disclose it. We can now advise that we have had further correspondence
with the SPA about your request since the date of our response and were
able to obtain consent for a limited disclosure of some of this
information, which we now attach.

The information redacted and labelled ‘s.44’ is that which we still do not
have lawful authority to disclose to you. Some further documents have been
withheld in full under s.44 FOIA. The explanation of the application of
s.44 FOIA in our original response applies to the information we are now
withholding.

Additionally, some information has been redacted under s.40(2) FOIA, this
is the personal data of a third party which it would not be lawful for us
to disclose. 

Yours sincerely,

Information Access Team
Information Commissioner’s Office 
