Home Office: Amazon Web Services

(asked on 11th December 2023)

Question to the Home Office:

To ask His Majesty's Government whether Home Office data processed by Amazon Web Services under their contract, agreed on 30 November, will be disclosable to foreign governments, as per section 3 of the GDPR data protection impact assessment attached in Appendix 2 of the Supplier Terms.


Answered by
Lord Sharpe of Epsom
Parliamentary Under-Secretary (Home Office)
This question was answered on 21st December 2023

The Home Office holds one of the largest and most comprehensive data sets across Government. Ensuring this data is safe, secure, and is able to be fully utilised to the maximum benefit to the taxpayer is our primary concern. The Home Office agreement with AWS is based on predicted usage and is part of the Crown Commercial contract, called the One Gov Value Agreement 2 (OGVA2) which is a framework allowing all Government departments to combine to leverage an unprecedented discount on AWS services which would not be possible if each department held separate contracts.

AWS provide the below statement which reinforces our requirement under a shared responsibility model to secure our data in such a way that we retain control of any disclosure:

“Protecting the privacy of our customers is something that we take seriously at AWS. We recommend that customers encrypt their data as part of their overall security model when adopting cloud, and there are AWS services available to help you encrypt your data in transit and at rest (such as AWS Key Management Service and AWS CloudHSM). To be clear, the US Cloud Act / US Patriot Act do not give US Law Enforcement unfettered access to data, and only apply to evidence sought in connection with a crime over which the US has jurisdiction. We have a history of challenging government requests for customer information that we believe are inappropriate and, where we need to act to protect customers, we do; we will notify customers before disclosing any data and please be assured that content that has been encrypted is rendered useless without the applicable decryption keys.”
