Question to the Home Office:
To ask His Majesty's Government whether the contract between Amazon Web Services and the Home Office, agreed on 30 November, includes the guarantees, references or legally required elements for a processing contract under section 59(5) of the Data Protection Act 2018, or the requirements of the statutory code of practice for police vetting to permit lawful processing of law enforcement personal data; if so, what form they take; and whether law enforcement personal data are excluded from the contract if such safeguard provisions are not required.
The supplier has no access to any of the data hosted in the AWS cloud. Certain Policing services are hosted in this environment which are assured and approved for this use. The extent of the processing of personal data covered in the contract is the provision of storage.
The nature of the data stored is entirely under the control of the Home Office and, due to the security controls in place, AWS has no knowledge of what is stored, nor is it provided with instructions on the nature of the processing. By design, the contract does not contain details that would that are not necessary to disclose to AWS for it to be bound by a contract that provides the necessary protections to personal data. The Information Commissioner’s Office is aware of this approach. AWS has no access to any personal data under the controllership of policing or the Home Office.