Oracle Corporation UK: Contracts

(asked on 16th June 2026) - View Source

Question to the Department for Science, Innovation & Technology:

To ask the Secretary of State for Science, Innovation and Technology, whether the Government has conducted a legal assessment of the interaction between the US CLOUD Act and the use of Oracle’s UK Sovereign Cloud for public sector data.


Answered by
Ian Murray Portrait
Ian Murray
Minister of State (Department for Science, Innovation and Technology)
This question was answered on 24th June 2026

Where cloud service providers may be subject to overseas legal obligations, including the United States CLOUD Act, departments are responsible as data controllers to assess and mitigate the associated risks.

The UK has an adequacy decision for certain transfers to the US under the UK Extension to the EU-US Data Privacy Framework. This decision assessed US laws and practices relating to government access to data, including the US CLOUD Act. This analysis is published and available on GOV.UK. Where adequacy is not relied upon, organisations must use alternative safeguards in line with Article 46 of the UK GDPR, such as standard contractual clauses.

Departments’ assessments enable them to identify and implement proportionate mitigations. These may include technical controls, such as encryption and strict access restrictions, contractual safeguards with service providers, and organisational measures governing data handling and oversight. Where relevant, departments must also assess the application of UK international data transfer provisions and ensure appropriate safeguards are in place.

Reticulating Splines