Skip to main content

Internet: Data Protection

Question for Cabinet Office

UIN 139352, tabled on 14 March 2022

To ask the Minister for the Cabinet Office, what assessment he has made of the level of risk to UK citizens' data where that data is hosted on public cloud providers; and steps his Department takes to protect UK citizens' data on public cloud providers.

Answered on

17 March 2022

It is the responsibility of every government department, including the Cabinet Office, to make a risk-based assessment of their use of cloud providers for the storage of government data up to “OFFICIAL” level, including UK citizens’ data. When considering a commercial provider, departments should take into account the cloud security principles developed by the National Cyber Security Centre (https://www.ncsc.gov.uk/guidance/implementing-cloud-security-principles).

The Cabinet Office carries out this risk assessment for each service it delivers to ensure that appropriate controls are in place to protect citizen data.

Departments are required to follow the Technology Code of Practice when choosing a cloud provider, and this is assessed as part of the spend controls function. Departments must show that they have chosen the technology which provides the best value for money while meeting user needs. The Central Digital & Data Office carries out ongoing engagement with departments to review their decision-making about hosting. This includes qualitative analysis through user research as well as spend controls.

Answered by

Cabinet Office
Named day
Named day questions only occur in the House of Commons. The MP tabling the question specifies the date on which they should receive an answer. MPs may not table more than five named day questions on a single day.