Request

I would be grateful if you could provide the following information:

In the previously provided/published DPIA's, emails and supporting documentation for the DESC service, you or your partners provided information which indicated that personal data would be processed only within the United Kingdom in Microsoft Data Centres.

In the ICO's email to the DESC partners of 9th December 2022 they identified that use of servives supported from outside of the UK would constitute an international transfer, and that the contract terms may not adhere to S.59(5) of the DPA 2018. The ICO also indicated that they would provide written guidance to the DESC partners.

I am interested to learn what clarifications, confirmations or new information may have been received since December 2022 wrt the above specifically.

I would be grateful therefore if you could provide me with the following information:

1 - A copy of any documents, emails, analysis conducted by yourself or other DESC party, or similar information in your possession which indicates or evidences that Microsoft and Axon shall not process any personal data outside of the UK - including any transfers conducted for support purposes, or as a function of their provided software and services.

OR Conversely;

2 - A copy of any documents, emails, analysis conducted by the ICO or other party, or similar information in your possession which indicates or evidences that Microsoft and Axon may process personal data outside of the UK - or conduct transfers for support purposes or as a function of their provided software and services.

NOTE: Since only one of those conditions can logically apply I am content to receive a response to either Element 1 or 2 - not both of them.

AND

3 - A copy of any guidance or communication received from the ICO wrt the DESC programme as referred to in their letter of 9th December, or other information received from them which indicates or clarifies the legal position of the DESC programme under the Data Protection Act 2018 Part 3 specifically.”

On 18 March, the following clarification was provided.

“Firstly thank you for the clarification question, I appreciate the opportunity to tune this request rather than have you embark on an exercise which - as you have I think rightly assumed - is not intended to cover GDPR data.

I apologise for not making this clearer in the body text of my request, instead I relied on the header (specifying DESC) to explain the scope and I should have been much clearer.

I can confirm that for this request to the SPA I am interested only in information relating to the processing of personal data which falls under the Data Protection Act 2018 Part 3 requirements - sometimes referred to as the “LED” requirements, and within the scope of systems and processors relating to DESC operations only.

I do not at this time expect you to consider the processing of other personal data you may handle under the UK GDPR regime on other Microsoft or Axon systems UNLESS disclosures made to you relating to those services can reasonably be considered also apply to, or impact upon, the systems and services supporting or operating DESC.

For example if you received information relating to the underlying Microsoft Cloud platform, its operations, or the applicable terms of service or Data Processing Agreements that apply to, underpin, or support any DESC services or operations, such as identity services, email handling, service desk, or security logging I would consider that to be sufficiently relevant to fall under this request. Otherwise such information can be reasonably discounted.