The UK's Department of Science, Innovation, and Technology (DSIT) has seen some backlash regarding its guidance for public sector organizations over the use of cloud services hosted in overseas data centers, published earlier this month.

DSIT's "Multi-region cloud and Software-as-a-Service" guidance was published on February 5 and recommended that organizations use a "multi-region approach" while ensuring that it is "controlled" and "considered" so as to be compatible with UK law.

UK Parliament.jpg
– Thinkstock

The guidance goes on to note: "Government data at OFFICIAL (including the SENSITIVE marking) can be stored and processed in data centers or Cloud regions overseas when satisfactory legal, data protection and security practices are in place; there is no universal requirement for government data classified as OFFICIAL to be physically located in the UK."

In addition, the guidance notes that as the UK has a cloud-first policy, organizations should weigh up the different services, and "non-UK services can be more cost-effective, more sustainable, or have additional features available."

The guidance is not a change in policy, with it noting that the government's cloud-first policy has been in place since 2013, and organizations "may have already hosted data at OFFICIAL in overseas regions"

As reported by ComputerWeekly, this is despite the Government Security Classification Policy (GSCP) having tight restrictions regarding the use of non-UK cloud services until June 2023, when it was updated.

Owen Sayers, an enterprise architect who has previously worked at UK government departments including the UK Home Office, Ministry of Justice, and UK Police Forces, told ComputerWeekly: “It’s clear this [DSIT] guidance acknowledges that despite these restrictions, the UK government has pushed a lot of critical eggs into these offshore cloud platforms, and it should be clear that this was done despite the [GSCP] policy saying not to do so. The approach now seems to be that ‘we are where we are’ and to double down on continuing to do so.”

US cloud companies Amazon Web Services (AWS) and Microsoft launched cloud regions in the UK in 2016. According to ComputerWeekly, to date, AWS has accrued £1.1 billion ($1.36bn) in public sector spending through the G-Cloud procurement framework. In September 2024, AWS committed to investing £8 billion ($10.47bn) in data centers in the UK.

In 2024, Microsoft revealed that it could not guarantee the sovereignty of policing data stored in its public cloud, and declined to comment on whether it could do so for other public sector data.

According to Sayers, the important takeaway from the guidance isn't that public sector data could be hosted overseas - “We know they’ve been doing that for years, but what makes this a remarkable piece of guidance is that it specifically says ‘don’t buy British if you can get it cheaper elsewhere,' and ‘if you seek innovation, you’ll probably have to seek it elsewhere.”

Mark Boost, CEO of Civo, has also criticized the guidance. In a statement to DCD, Boost said: “This guidance from the government is bad for British business, bad for the UK’s economy, and worse for government departments. DSIT says it wants to champion the UK’s fast-growing tech market but is seemingly discouraging public sector bodies from choosing British businesses. Instead, it’s channeling taxpayers’ hard-earned cash offshore and further disincentivizing tech investment into the UK.

“Over the years, we’ve given away so many of our industries. Now, on the brink of another industrial revolution, the government seems intent on doing the same with AI. This is not only wrong, but potentially dangerous. The guidance may make gestures at adequate data protection and security practices, but the fact is that if an organization is processing its data on foreign soil and transferring it across borders, then that data can be subject to foreign laws. For government departments handling sensitive data - including on health and national security - this is an unacceptable level of risk."

Boost added that there are "plenty of providers in the UK" that could satisfy the needs for multi-cloud resiliency. "The government should be supporting British business and investing in our sovereign capabilities, boosting our resilience by nurturing an ecosystem of homegrown providers. Instead, they seem to be encouraging public bodies to look elsewhere at the expense of our data security, and our tech economy."

All of this is set against the backdrop of the UK Government seeking to make the country a tech powerhouse.

The Labour Government designated data centers as critical national infrastructure in September 2024 and has encouraged data center development in the country including pledging to reopen two planning applications for hyperscale campuses which had been blocked by local authorities.

In August 2024, the government opened a consultation to update the UK's national planning policy, including looking at data centers.

“The proposed changes... seek to ensure the planning system meets the needs of a modern and changing economy, by making it easier to build laboratories, gigafactories, data centers, and digital infrastructure, and the facilities needed to support the wider supply chain,” the consultation said, and “giving more explicit recognition of the need to support proposals for new or upgraded facilities and infrastructure (including data centers and electricity network grid connections) that are key to the growth of these industries.”

Earlier this year, the government unveiled its AI Opportunities action plan, which would see it set up AI Growth Zones, areas across the country that will “speed up planning approvals for the rapid build-out of data centers, give them better access to the energy grid, and draw in investment from around the world,” as well as plans for a new supercomputer, and several investment commitments from the likes of Vantage, Kyndryl, and Nscale.

Sayers told ComputerWeekly: “The government is sending out mixed messages here, because the Prime Minister, Chancellor, and the DSIT ministers are all promoting the UK as a leader of innovation and artificial intelligence, whereas this piece of guidance says you’ll probably have to go overseas to find that.”

A DSIT spokesperson told ComputerWeekly that the government is “fully committed to fostering a competitive and resilient cloud market” that “supports both domestic and international providers,” adding, “We are actively driving growth by attracting global investment, with billions already secured for data center development and expansion, enhancing both infrastructure and national security.

“Using overseas data centers strengthens overall resilience, and our multi-region cloud guidance gives public sector organizations the flexibility to select the best cloud hosting solutions – whether that’s in the UK or overseas, prioritizing performance, cost, and reliability while ensuring security and compliance.”

More in Government

More in UK & Ireland