Internet: Data Protection

(asked on 14th March 2022)

Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, what assessment he has made of the level of risk to UK citizens' data where that data is hosted on public cloud providers; and steps his Department takes to protect UK citizens' data on public cloud providers.


Answered by
Heather Wheeler
This question was answered on 17th March 2022

It is the responsibility of every government department, including the Cabinet Office, to make a risk-based assessment of their use of cloud providers for the storage of government data up to “OFFICIAL” level, including UK citizens’ data. When considering a commercial provider, departments should take into account the cloud security principles developed by the National Cyber Security Centre (https://www.ncsc.gov.uk/guidance/implementing-cloud-security-principles).

The Cabinet Office carries out this risk assessment for each service it delivers to ensure that appropriate controls are in place to protect citizen data.

Departments are required to follow the Technology Code of Practice when choosing a cloud provider, and this is assessed as part of the spend controls function. Departments must show that they have chosen the technology which provides the best value for money while meeting user needs. The Central Digital & Data Office carries out ongoing engagement with departments to review their decision-making about hosting. This includes qualitative analysis through user research as well as spend controls.
