Policy paper

Data storage and processing infrastructure security and resilience - call for views

Updated 20 July 2022

Introduction

The UK’s ability to unlock the power of data is underpinned by the security and resilience of the infrastructure upon which data use relies. The National Data Strategy and the National Cyber Strategy 2022 set out the UK government’s commitment to create a stronger risk management framework to protect this infrastructure. It is a vital national asset that delivers public services and supports our economy. Moreover, this infrastructure:

  • Will be increasingly important as we level up the entire UK by enhancing digital connectivity across the country
  • Will be essential to achieving the Integrated Review’s vision for the UK to be recognised as a science and technology superpower by 2030
  • Will be essential to the UK capitalising on its independent status and repatriated powers, to operate a pro-growth and innovation-friendly economy that expands the use of data and digital technology whilst maintaining high data protection standards, as set out in the recent Data Reform Consultation
  • Will be increasingly important to our defence policy as we protect the UK against the cyber threats it faces
  • Will ensure that the UK is seen as an attractive and trustworthy jurisdiction to locate or invest in new infrastructure

This call for views concerns UK data storage and processing infrastructure, such as data centre[footnote 1] infrastructure[footnote 2], cloud platform infrastructure and managed service provider infrastructure. The call for views does not cover telecommunications infrastructure, as this has been consulted on with regards to the updated Telecommunications (Security) Act 2021 (including the designated vendor direction powers, and security regulations and code of practice consultations). We also recognise that cloud computing services are already regulated by the Networks and Information Systems (NIS) Regulations 2018 and a recent consultation considers adding Managed Service Providers (MSPs) to the NIS.

The UK government is developing a stronger risk management framework to address 2 risks associated with data storage and processing infrastructure. Firstly, data is strategically important at a national and global level. This makes the infrastructure where large volumes of data accumulate an attractive target to those who may have the intention or capability to threaten the UK’s national security, economy or ways of life. Secondly, the UK is now reliant on large-scale data storage and processing services for the delivery of our essential services and the functioning of our broader economy. This means that ensuring the continuity of service of data storage and processing infrastructure is of national interest.

The UK government is seeking views and evidence to understand the current landscape and potential options to best support and steward data storage and processing infrastructure providers. This call for views seeks to develop the government’s evidence base, and collect views prior to developing policy.

Part 1 explores the risks to UK data storage and processing infrastructure.

Part 2 explores the security and resilience measures in place for data centres. This section is limited to data centres because within data storage and processing infrastructure the sector is relatively unregulated for security and resilience. The government, therefore, has the most questions about risk management of data centres. The data centre sector is also increasingly becoming both a technology and a real estate sector, so we are interested in hearing about how security and resilience practices are embedded in their operations and culture. We will only ask about other organisations, such as cloud platform providers, in relation to their use of and relationships with data centres. We are also seeking examples of, and commentary on, regulations in place in similar sectors or peer countries.

Part 3 asks data centre operators, cloud platform providers and MSPs who provide data storage and processing infrastructure for a breakdown of their customer base. This will inform the government’s assessment of the impact that risks to data storage and processing infrastructure have on the economy of the UK.

We understand that some of the responses, such as issues relating to customers or security arrangements, will be commercially sensitive, or respondents may not want to share details for security reasons. Please note, however, that we will handle this data carefully and securely. More details on this can be found in the How to respond section and our privacy notice.

How to respond

This call for views will run until 23:59 on Sunday 7 August. We welcome all forms of insight from any kind of stakeholder. We would appreciate it if respondents could note their level of certainty for any claims made and, wherever possible, provide supporting evidence. We request that submissions are limited to 10 pages or 5,000 words.

You can respond as an individual or on behalf of an organisation. This call for views is open to any organisation or member of the public who wishes to contribute. We are particularly interested in hearing from the organisations listed below.

  • Organisations who provide third-party data storage and processing infrastructure, such as but not limited to:
    • Data centre operators[footnote 3]
    • Cloud platform providers, often referred to as infrastructure-as-a-service and platform-as-a-service providers
    • Managed service providers
  • Organisations who directly depend on third-party data storage and processing infrastructure, such as but not limited to:
    • Internet exchange point operators
    • Content delivery network providers
    • Telecommunications operators
    • Financial services organisations
  • Other organisations with significant involvement with or awareness of data storage and processing infrastructure, such as trade bodies[footnote 4], data centre suppliers or service providers, consultancies, real estate organisations, and research institutions.

Within these organisations, responses from senior executives or board level leaders responsible for security and resilience are preferred. If organisations operate multinationally, we would prefer the leader responsible for security and resilience of UK-based operations to respond. If responsibility for risks is shared across multiple roles, responses from the senior risk owner are preferred for each risk, where relevant.

Please consult the glossary provided to define the terms used in this call for views.

We ask that responses are submitted online. In exceptional circumstances, if you need to submit a hard copy, please contact us at datainfrastructureviews@dcms.gov.uk and we will advise how to do this. Should you require another format (e.g. braille or large font) please contact datainfrastructureviews@dcms.gov.uk

When submitting your response, please state:

  • Which questions you are answering (there is no need to respond to all questions in the call for views, if they are not all relevant to you);
  • Whether you are willing to be contacted (if so, please provide contact details);
  • Whether you prefer for your response to remain confidential and non-attributable (if so, please specify).

We recommend reading the call for views in full before completing the online survey.

Responses will be analysed by the Department for Digital, Culture, Media & Sport (DCMS). The Department will process the information you have provided in accordance with the Data Protection Act 2018 (DPA), which means that your personal information will not be disclosed to third parties. The information you provide will be used to shape future policy development and may be shared between UK government departments, Ofcom, the Information Commissioner’s Office (ICO), the National Cyber Security Centre (NCSC) and the Centre for the Protection of National Infrastructure (CPNI) for this purpose. Personal information will be removed in such instances. Copies of responses, in full or in summary, may be published after the consultation closing date on the Department’s website with personal data removed.

We will publish a summary of the evidence gathered through this call for views.

Part 1: Risks to UK data storage and processing infrastructure

The UK government has developed two outcomes to work towards in relation to the security and resilience of UK data storage and processing infrastructure:

1. The UK is protected from national security threats posed by malign or state actors accessing large-scale or sensitive data[footnote 5] via this infrastructure, for the purposes of exploitation.

2. The UK can rely on continuity of service of large-scale data storage, processing and interconnection services; and is prepared for and can recover from service disruption.

The government, supported by the National Cyber Security Centre and the Centre for the Protection of National Infrastructure, has identified the kinds of risks outlined below as likely to lead to:

  • Unwanted access to large-scale data stored in this infrastructure.
  • Disruption of the digital services that the infrastructure underpins.

It is, therefore, a high priority for the UK government to ensure that these are adequately addressed. These kinds of risks were defined based on the distinct factors that increase the likelihood or impact of the risks, and some risks may sit across multiple categories.

  • Sensitive access risks: The risk that access to large-scale or sensitive data, or sensitive systems, is compromised or abused. This can range from cases involving malicious insiders to stolen or illicitly copied credentials, often involving a personnel factor. This includes:
    • Physical access: Individuals physically accessing sensitive systems (e.g. within a data centre) by misusing legitimate credentials.
    • Cyber access: Misuse or compromise of legitimate virtual or logical access to systems or data (e.g. via a spear phishing attack).
  • Aggregation of illicitly accessed data: The risk of malicious actors accessing multiple datasets that can be aggregated to create valuable intelligence where the component datasets may appear to have significantly less value in their own right.

  • Concentration risks: Risks exacerbated by the concentration of infrastructure, operators, or the market. The impacts of concentration risks can cascade, affecting multiple operators or sites rather than individual ones. Examples include:
    • Site proximity: Many sites located in close proximity which can be impacted simultaneously by physical threats or hazards such as extreme weather.
    • Physical infrastructure: Interconnection points which connect many operators or providers that can be exploited to access large-scale data or disrupt multiple services.
    • Supply chain: Operators using a small number of suppliers or service providers. For example, multiple sites relying on backup fuel power in an energy crisis, leading to a demand for fuel that exceeds supplier capacity in particular regions.
  • State threats: The risks that involve state actors with high technical capability to access data or disrupt services.

  • Unmanaged ownership risks: Risks arising from the inappropriate influence of owners or investors where they are not already managed by existing legislation. For instance, this could include the creation of a new data centre or cloud platform which might gather, alter or disrupt data on behalf of malicious state actors.
  • Multi-impact risks: Any risks that could result in both large-scale or sensitive data being accessed and services becoming disrupted. This includes cases where disruption can lead to, or increase the likelihood of, unwanted data access; and vice versa.

  • Future risks: Risks that will be worsened or increased in likelihood by future technological changes, market disruption or geopolitical changes. For example, if technological advancement undermines standard encryption methods.

1. Are these risks to data storage and processing infrastructure the most appropriate risks for the government to address? If not, why not? [OPEN QUESTION]

Part 2: Security and resilience of data centres

To ensure the security and resilience of UK data storage and processing infrastructure, the UK government is seeking views on the data centre sector as it is relatively unregulated for security and resilience. This section, therefore, explores the effectiveness of existing measures in place that impact security and resilience risks to data centres, as well as measures in other countries or sectors. We will use the findings to inform an assessment of the actions that the UK government should take to appropriately ensure these risks are managed. Please note that when we say ‘data centres’, we are referring to third-party operated (‘colocation’) data centres, rather than enterprise-owned facilities.

We recognise that data centre operators and other providers of data storage and processing infrastructure are already in scope of a range of security and resilience regulations, as outlined earlier. Below we have set out how this call for views fits in with those regulations:

  • Data centre operators are not directly in scope of the Networks and Information Systems (NIS) Regulations 2018. Part 2 of this call for views focuses on data centre security and resilience, and is agnostic to the policy route that could be used if government policy levers are required. Cloud platform providers are currently in scope of the NIS regulations as ‘digital service providers’. In addition, a recent consultation has explored adding MSPs to this regulatory framework. Please note that the following section (Part 2) does not intend to consult on regulation of these types of entities. It does, however, include questions relevant to them from their perspective as data centre customers, in order for us to fully understand the data centre ecosystem.

  • The National Security and Investment (NSI) Act 2021 has strengthened the UK’s ability to mitigate national security risks arising from investments and other acquisitions of control in the UK economy through a new investment screening regime. This includes a requirement for acquirers to notify and receive clearance for certain particularly sensitive acquisitions, including some involving the data infrastructure sector (which includes data centres). The questions in the following section (Part 2) look beyond investment security risks.

  • The Telecommunications (Security) Act 2021 enables the UK government to use designated vendor directions for public communications providers. This can include data centres, as the powers can be used to issue directions to public communications providers not to use the services of a specific data centre. The questions in the following section (Part 2) will not focus on public communications providers’ use of data centres.

2.1: Existing security and resilience measures

In this section we will explore the effectiveness of measures currently in place that address the risks identified in the previous section for data centres. When answering, please consider each of the following outcomes that the government is particularly interested in preventing:

  • Unwanted access to large quantities of data (e.g. via physical or cyber attack).
  • Disruption to digital services hosted in data centre(s) (e.g. extreme weather events, fires or malicious attacks).

For questions 2 to 7, we are seeking views and evidence from data centre operators, organisations who purchase data centre services or partner with data centres (e.g. cloud platform providers, managed service providers, internet exchange points), and data centre contractors. We are aiming to investigate how risks to data centres are currently managed. If any risks are managed by your organisation’s third-party contractors, customers or partners, please provide details of this.

We are also grateful for views about the security and resilience practices of the data centre sector in general, so we have provided an opportunity for respondents to provide views on this at questions 8 and 9.

If you are not a data centre operator, customer, partner or contractor and do not work with any data centres, please only answer questions 8 and 9.

Guidance for questions 2 to 7

Data centre operators: answer about your organisation’s data centre(s).

If you work with data centres (e.g. cloud platform provider, MSP): answer about the data centre(s) you work with.

If you do not work with any data centres: skip to questions 8 and 9.

2. At present, to what extent do you think the following risks to the data centre(s) your organisation operates or works with are mitigated?

  1. The risk of access to large-scale or sensitive data, or sensitive systems becoming compromised or being abused (including both physical and cyber access).

  2. The risk of malicious actors accessing multiple datasets that can be aggregated to create valuable intelligence.

  3. Risks exacerbated by the concentration of infrastructure, operators, or the market (including sites located in close proximity, interconnection points and supply chains).

  4. Risks that involve state actors with high technical capability to access data or disrupt services.

  5. Risks involving newly created infrastructure (e.g. data centres, cloud platforms) whose owners are associated with state threat actors.

  6. Any risks that could result in both large-scale or sensitive data being accessed, as well as services becoming disrupted.

  7. Risks that will be worsened or increased in likelihood by future technological changes, market disruption or geopolitical changes.

  • Completely mitigated

  • Partly mitigated

  • Not at all mitigated

  • Not mitigated but it is managed (i.e. the risk is tolerated or accepted)

  • Don’t know

  • Not Applicable

3. Please explain why you chose your answers to the previous question about each risk. Please detail not only the measures in place (e.g. internal measures and industry initiatives), but your level of confidence in those measures and your reasoning (this might include the rates and scale of incidents). [OPEN QUESTION]

4. Over the previous 2-5 years, has the security and resilience of the data centre(s) your organisation operates or works with changed significantly? [OPEN QUESTION]

5. If so, what has been the cause of this change? Please explain any relevant risks (including how they may have changed over time), incidents, steps taken or attempted, challenges faced, and any outcomes achieved. [OPEN QUESTION]

6. If not, how, if at all, do you think the security and resilience practices should have changed? [OPEN QUESTION]

7. Over the next 2-5 years, in what ways, if at all, do you expect the security and resilience practices of the data centre(s) your organisation operates or works with to change significantly?

Please explain any motivating factors that you think will be more important in the next 2-5 years, steps that will be taken, challenges expected, and intended outcomes.

[OPEN QUESTION]

8. To what extent do you think that the security and resilience practices of the data centre sector in general are effective at managing risks?

Please consider the kinds of risks detailed in part 1 and the outcomes that the government is most interested in achieving.

[OPEN QUESTION]

9. Overall, how would you rate the effectiveness of the security and resilience practices of the data centre sector in general at managing risks?

  • Very effective
  • Fairly effective
  • Not very effective
  • Not at all effective
  • Don’t know

2.2: Exploration of potential security and resilience measures

This section asks about government-led interventions that have been deployed in comparable or regulated sectors, or other countries. The UK government is seeking views and evidence to determine whether these types of measures would be suitable to manage risks to data centres. Possible options could include, for example:

1. Continuity of service requirements: Legal measures stating that organisations must have well-defined, explicit and tested service continuity assurances, and incident management plans in order to ensure continuity of essential functions in the event of systems or service failure.

2. Security and resilience requirements[footnote 6]: Legal measures stating that organisations must take appropriate and proportionate measures to identify and manage the risks associated with security and resilience. Alternatively, requirements may be more targeted, with the aim of identifying and reducing specific risks. Requirements are often supported by guidance.

3. Incident response information sharing and cooperation requirements: Legal measures stating that organisations must notify a relevant competent authority (e.g. a regulator) of any incident that impacts the provision of their services above a certain threshold, and coordinate with government, the sector or other groups to respond to and recover from an incident.

4. Accountability at board or security committee level: A legal requirement for organisations to have a suitable individual at board or security committee level who is fully accountable for security and resilience.

5. Security penetration testing: Government or third-party competent authority powers to gain assurance in the security of a system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.

6. Government information gathering powers: Legal measures stating that organisations must provide information to government or a relevant competent authority when that information is needed for an investigation.

We wish to understand whether these types of intervention, and any others, would be effective and proportionate if they were used to manage risks to data centres. We are also interested in drawing on best practice from other sectors, particularly regulated sectors, or other countries. Responses will inform any potential evaluation of measures that the UK government could consider to support data centre operators, their partners, suppliers and customers to manage security and resilience risk.

10. Which government-implemented or coordinated measures, such as those listed above, currently in place in other sectors, or in countries outside the UK, could improve the security and resilience of UK data centres while remaining proportionate?

This can include measures relating to the data centre operators, their suppliers, partners or customers.

When using examples, please state which sector or country you are referring to.

If you have views or evidence that in some specific instances these measures would not be effective or proportionate, please share this.

[OPEN QUESTION]

11. If your organisation is subject to licensing or regulatory regimes with security and resilience measures in other countries (for example, in the USA, Republic of Ireland, Netherlands or Australia), because it operates outside the UK, do you think they are effective and proportionate?

Please explain why in your response and include evidence, where possible.

[OPEN QUESTION]

We are also seeking details of the necessary resources required by organisations to ensure compliance with existing government security and resilience regulations.

If your organisation has experience with any of the measures stated above, please provide details of this in your response. For example, if your organisation complies with regulations in any other countries that it operates in.

12. What proportion of the roles within data centre operators are dedicated to security and resilience? [OPEN QUESTION]

13. And what percentage of employee time for these roles is dedicated to ensuring compliance with legislative or regulatory requirements? [OPEN QUESTION]

14. Apart from employee time, are there other costs of complying with legislative or regulatory requirements (e.g. legal costs, operational costs)? Please provide figures, if available, or, if they are not, please specify the types of costs incurred. [OPEN QUESTION]

15. Do you think that the costs you have detailed in the previous question are proportionate to the security and resilience benefits they bring? Please specify why. [OPEN QUESTION]

The UK government is also seeking evidence and views on any areas where respondents think that additional stewardship or support from government could aid data centre operators, their partners, customers and suppliers to manage security and resilience risks.

16. How do you think the UK government might best steward or support data centre operators, their partners, customers and suppliers to manage security and resilience risks?

Please include any areas where you think industry is generally not aware, capable or incentivised to manage these risks.

[OPEN QUESTION]

Part 3: Mapping the impacts of risks

We wish to understand the impact of risks to UK data storage and processing infrastructure. We are therefore seeking views and evidence specifically from data centre operators, cloud platform providers and managed service providers because we have identified these organisations as most critical to the provision of data storage and processing in the UK. We wish to model who is impacted when data centres and the digital services that run from within them are compromised, and the extent to which they are impacted.

These customers may be other storage and processing infrastructure operators or providers, such as:

  • Content delivery network providers (CDNs)
  • Internet exchange point operators (IXPs)

Alternatively, they may be from other sectors who purchase these services, such as:

  • Communications providers (i.e. telecommunications, internet, postal services and broadcast)
  • Financial service providers
  • The emergency services
  • Energy providers
  • Government departments or agencies
  • Health and social work organisations

We will use this information to inform a mapping of UK data storage and processing infrastructure, and the consequences of the risks that can manifest within it. We appreciate the need for discretion and we are not asking respondents to share commercially sensitive information about specific customers or sites. We also recognise that this information will be a snapshot of an organisation’s current customers which will change over time.

Responses could include, but are not limited to, a breakdown of the sectors that organisations primarily serve. We have provided an example response after the questions below.

Questions 17-18 are intended for data centre operators, cloud platform providers and managed service providers which provide data storage and processing services

17. Please provide a breakdown of the types of organisation that purchase services from your organisation within the UK, and the proportions represented by each type of customer. Please provide the SIC code, if known.

When providing your response please be clear which measure you are using. For example:

  • Data centre operators - might find it most appropriate to provide contracted load (megawatts (MW))
  • Cloud providers and MSPs - might find it most appropriate to provide contracted maximum storage space (i.e. volume of data) (gigabyte (GB) or terabyte (TB))

This can be broken down further by groupings of types of services purchased (i.e. nature of the customer), if available.

If you rank your customers (e.g. by size, power use), please include the detail and proportions of this also.

If you do not have the data to provide accurate response information, please provide a rough estimate if possible and caveat accordingly.

[OPEN QUESTION]

18. What is the total size of your organisation’s UK customer base?

This could be measured by the total number of customers that your organisation serves, or by the number of megawatts (MW) your UK sites consume.

[OPEN QUESTION]

Example Response:

  • Cloud platform providers (35%)

  • Content delivery network providers (CDNs) (20%)

  • Financial and insurance organisations (20%)

  • Government departments or agencies (15%)

  • Health and social work organisations (10%)

We would also like to ask respondents if they have any further comments in relation to the security and resilience of UK data storage and processing infrastructure that they have not covered elsewhere in their response.

19. Do you have any other comments on the areas covered in this call for views? [OPEN QUESTION]

Full questionnaire

Part 1: Risks to UK data storage and processing infrastructure

1. Are these risks to data storage and processing infrastructure the most appropriate risks for the government to address? If not, why not? [OPEN QUESTION]

Part 2: Security and resilience of data centres

Guidance for questions 2 to 7

Data centre operators: answer about your organisation’s data centre(s).

If you work with data centres (e.g. cloud platform provider, MSP): answer about the data centre(s) you work with.

If you do not work with any data centres: skip to questions 8 and 9.

2. At present, to what extent do you think the following risks to the data centre(s) your organisation operates or works with are mitigated?

  1. The risk of access to large-scale or sensitive data, or sensitive systems becoming compromised or being abused (including both physical and cyber access).

  2. The risk of malicious actors accessing multiple datasets that can be aggregated to create valuable intelligence.

  3. Risks exacerbated by the concentration of infrastructure, operators, or the market (including sites located in close proximity, interconnection points and supply chains).

  4. Risks that involve state actors with high technical capability to access data or disrupt services.

  5. Risks involving newly created infrastructure (e.g. data centres, cloud platforms) whose owners are associated with state threat actors.

  6. Any risks that could result in both large-scale or sensitive data being accessed, as well as services becoming disrupted.

  7. Risks that will be worsened or increased in likelihood by future technological changes, market disruption or geopolitical changes.

  • Completely mitigated

  • Partly mitigated

  • Not at all mitigated

  • Not mitigated but it is managed (i.e. the risk is tolerated or accepted)

  • Don’t know

  • Not Applicable

3. Please explain why you chose your answers to the previous question about each risk. Please detail not only the measures in place (e.g. internal measures and industry initiatives), but your level of confidence in those measures and your reasoning (this might include the rates and scale of incidents). [OPEN QUESTION]

4. Over the previous 2-5 years, has the security and resilience of the data centre(s) your organisation operates or works with changed significantly? [OPEN QUESTION]

5. If so, what has been the cause of this change? Please explain any relevant risks (including how they may have changed over time), incidents, steps taken or attempted, challenges faced, and any outcomes achieved. [OPEN QUESTION]

6. If not, how, if at all, do you think the security and resilience practices should have changed? [OPEN QUESTION]

7. Over the next 2-5 years, in what ways, if at all, do you expect the security and resilience practices of the data centre(s) your organisation operates or works with to change significantly?

Please explain any motivating factors that you think will be more important in the next 2-5 years, steps that will be taken, challenges expected, and intended outcomes.

[OPEN QUESTION]

8. To what extent do you think that the security and resilience practices of the data centre sector in general are effective at managing risks?

Please consider the kinds of risks detailed in part 1 and the outcomes that the government is most interested in achieving.

[OPEN QUESTION]

9. Overall, how would you rate the effectiveness of the security and resilience practices of the data centre sector in general at managing risks?

  • Very effective
  • Fairly effective
  • Not very effective
  • Not at all effective
  • Don’t know

10. Which government-implemented or coordinated measures, such as those listed above, currently in place in other sectors, or in countries outside the UK, could improve the security and resilience of UK data centres while remaining proportionate?

This can include measures relating to the data centre operators, their suppliers, partners or customers.

When using examples, please state which sector or country you are referring to.

If you have views or evidence that in some specific instances these measures would not be effective or proportionate, please share this.

[OPEN QUESTION]

11. If your organisation is subject to licensing or regulatory regimes with security and resilience measures in other countries (for example, in the USA, Republic of Ireland, Netherlands or Australia), because it operates outside the UK, do you think they are effective and proportionate?

Please explain why in your response and include evidence, where possible.

[OPEN QUESTION]

12. What proportion of the roles within data centre operators are dedicated to security and resilience? [OPEN QUESTION]

13. And what percentage of employee time for these roles is dedicated to ensuring compliance with legislative or regulatory requirements? [OPEN QUESTION]

14. Apart from employee time, are there other costs of complying with legislative or regulatory requirements (e.g. legal costs, operational costs)? Please provide figures, if available, or, if they are not, please specify the types of costs incurred. [OPEN QUESTION]

15. Do you think that the costs you have detailed in the previous question are proportionate to the security and resilience benefits they bring? Please specify why. [OPEN QUESTION]

16. How do you think the UK government might best steward or support data centre operators, their partners, customers and suppliers to manage security and resilience risks?

Please include any areas where you think industry is generally not aware, capable or incentivised to manage these risks.

[OPEN QUESTION]

Part 3: Mapping the impacts of risks

Questions 17-18 are intended for data centre operators, cloud platform providers and managed service providers which provide data storage and processing services.

17. Please provide a breakdown of the types of organisation that purchase services from your organisation within the UK, and the proportions represented by each type of customer. Please provide the SIC code, if known.

When providing your response please be clear which measure you are using. For example:

  • Data centre operators - might find it most appropriate to provide contracted load (megawatts (MW))
  • Cloud providers and MSPs - might find it most appropriate to provide contracted maximum storage space (i.e. volume of data) (gigabyte (GB) or terabyte (TB))

This can be broken down further by groupings of types of services purchased (i.e. nature of the customer), if available.

If you rank your customers (e.g. by size, power use), please include the detail and proportions of this also.

If you do not have the data to provide accurate response information, please provide a rough estimate if possible and caveat accordingly.

[OPEN QUESTION]

18. What is the total size of your organisation’s UK customer base?

This could be measured by the total number of customers that your organisation serves, or by the amount of megawatts (MW) your UK sites consume.

[OPEN QUESTION]

Example response:

  • Cloud platform providers (35%)

  • Content delivery network providers (CDNs) (20%)

  • Financial and insurance organisations (20%)

  • Government departments or agencies (15%)

  • Health and social work organisations (10%)

We would also like to ask respondents if they have any further comments in relation to the security and resilience of UK data storage and processing infrastructure that they have not covered elsewhere in their response.

Other comments

19. Do you have any other comments on the areas covered in this call for views? [OPEN QUESTION]

Demographic questions

1. Are you responding as an individual or on behalf of an organisation?

  • Individual

  • Organisation

2. [If individual] Which one of the following statements best describes you? [Select all that apply]

  • Security professional

  • Data professional (e.g. data scientist, data analyst, etc.)

  • SysOps administrator

  • DevOps professional

  • Professional in another sector

  • Academic

  • Student

  • Interested member of the general public

  • Other [please specify]

3. [If organisation] Which of the following describes your organisation? [Select all that apply]

  • Data centre operator

  • Cloud platform provider (i.e. infrastructure-as-a-service (IaaS) or platform-as-a-service provider (PaaS))

  • Other cloud computing providers (e.g. Software-as-a-Service (SaaS))

  • Managed service provider (MSP) which provides data storage and processing services

  • Managed service provider (MSP) which does not provide data storage and processing services

  • Internet exchange point operator

  • Content delivery network provider

  • Telecommunications operator

  • Financial services organisation

  • Trade body

  • Research institution (e.g. academic organisation, think tank, etc.)

  • Data centre supplier or service provider

  • Consultancy (e.g. security consultancy)

  • Real estate

  • Other [please specify]. It may help to refer to SIC codes.

4. [If organisation] Which of the following best describes what your organisation mainly does?

  • Data centre operator

  • Cloud platform provider (i.e. infrastructure-as-a-service (IaaS) or platform-as-a-service provider (PaaS))

  • Other cloud computing providers (e.g. Software-as-a-Service (SaaS))

  • Managed service provider (MSP) which provides data storage and processing services

  • Managed service provider (MSP) which does not provide data storage and processing services

  • Internet exchange point operator

  • Content delivery network provider

  • Telecommunications operator

  • Financial services organisation

  • Trade body

  • Research institution (e.g. academic organisation, think tank, etc.)

  • Data centre supplier or service provider

  • Consultancy (e.g. security consultancy)

  • Real estate

  • Other [please specify]. It may help to refer to SIC codes.

5. [If organisation] What approximate range does your organisation’s annual turnover fall into?

  • Less than £100,000

  • £100,000 - £249,999

  • £250,000 - £499,999

  • £500,000 - £999,999

  • £1m - £4,999,999

  • £5m - £9,999,999

  • £10m+

  • Don’t know

6. [If organisation] Which of the following regions does your organisation operate in? [Select all that apply]

  • The UK

  • The European Union (EU)

  • Outside the EU (i.e. the rest of the world)

  • Don’t know

7. [If organisation operates in the UK] Including yourself, how many people work for your organisation across the UK as a whole? Please estimate if you are unsure.

  • Under 10

  • 10–49

  • 50–249

  • 250–999

  • 1,000 or more

  • Don’t know

8. [If organisation operates outside the UK] Including yourself, how many people work for your organisation globally? Please estimate if you are unsure.

  • Under 10

  • 10–49

  • 50–249

  • 250–999

  • 1,000–1,999

  • 2,000–4,999

  • 5,000 or more

  • Don’t know

9. [If organisation operates in the UK] Is your organisation headquartered in the UK?

  • Yes

  • No

10. [If organisation operates in the UK] Where in the UK does your organisation mainly operate?

  • North East

  • North West

  • Yorkshire and The Humber

  • East Midlands

  • West Midlands

  • East

  • London

  • South East

  • South West

  • Wales

  • Scotland

  • Northern Ireland

11. [If organisation] What is the name of the organisation you are responding on behalf of? [OPEN QUESTION]

12. What is your job title? [OPEN QUESTION]

13. Are you happy to be contacted to discuss your response?

  • Yes

  • No

14. [If YES to previous question] Please provide a contact name and email address below. [OPEN QUESTION]

Glossary

1. Cloud computing services: A digital service that enables access to a scalable and elastic pool of shareable computing resources. Service models include but are not limited to:

  • Infrastructure-as-a-service (IaaS): A cloud service model involving the provision of processing, storage, networks, and other fundamental computing resources. Consumers can then underpin their own applications and services with these resources.
  • Platform-as-a-Service (PaaS): A cloud service model involving the provision of an application-hosting environment, within which applications can be created using programming languages, libraries, services, and tools supported by the cloud provider.
  • Software-as-a-Service (SaaS): A cloud service model where a consumer uses pre-built applications running on a provider’s cloud infrastructure. The applications are accessible through interfaces such as a web browser (e.g. web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even application capabilities.

2. Data centre: For the purposes of this report, when we say, ‘data centres’, we are referring to colocation data centres i.e. a type of data centre in which one or more users rent space in the same site from a third-party operator. The operator is responsible for powering, cooling, securing and connecting their customers’ IT and networking infrastructure.

3. Hazard: Hazards are non-malicious risks such as extreme weather events, accidents or errors or the natural outbreak of disease.

4. Impact: Impacts are the magnitude of harm that can be expected to result from the consequences of a risk.

5. Managed Service Providers (MSPs): Providers of a business-to-business (B2B) service, involving regular and ongoing service management of data, IT infrastructure, IT networks and/or IT systems, that is supplied to a client by an external supplier.

6. Mitigation: Mitigations reduce the likelihood and/or impact of a risk.

7. Resilience: Resilience is the ability of a system, community or society exposed to hazard or threats to resist, absorb, accommodate and recover from the effects of a hazard or threat in a timely and efficient manner, including through the preservation and restoration of its essential basic structures and functions.

8. Security and resilience practices: Measures an organisation takes to reduce the likelihood, or mitigate the impact, of risks. These could be security risks, such as physical or cyber security risks, or they could be resilience risks, such as risks posed by extreme weather or fires within facilities.

9. Sensitive data: This could include personal and non-personal data that, if accessed, provides opportunities to hostile actors to undermine the UK’s national security, economy, essential services or way of life. These risks are exacerbated when data is collected and aggregated at scale.

10. Threat: A threat is any circumstance or event led by a malicious actor with the potential to adversely impact operations, assets, national security, essential services or the economy of the UK.

11. Interconnection services: Infrastructure that facilitates transfer of data from one digital device or piece of infrastructure to another.

12. Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Privacy notice

The Department for Digital, Culture, Media & Sport (DCMS) helps to drive growth, enrich lives and promote Britain abroad.

DCMS is conducting a call for views, which invites any person or organisation to provide their views on UK data storage and processing infrastructure, such as data centre, cloud platform and managed service provider infrastructure.

The identity of the data controller and contact details of our Data Protection Officer

DCMS is the Data Controller for the purposes of the personal data collected as part of this call for views. The Data Protection Officer can be contacted at dcmsdataprotection@dcms.gov.uk

Purpose of this Privacy Notice

This notice is provided to explain your rights and give you the information you are entitled to under the Data Protection Act 2018 and the UK General Data Protection Regulation (“the Data Protection Legislation”). This notice only refers to your personal data (e.g. your name, email address, and anything that could be used to identify you personally) not the content of your response to the survey.

DCMS’s personal information charter explains how we deal with your information. It also explains how you can ask to view, change or remove your information from our records.

Why we are collecting your personal data

Your personal data is being collected as an essential part of the call for views process, so that we can contact you to discuss your response in greater detail and to ensure individuals cannot complete the survey more than once.

Our lawful basis for processing your personal data is:

Article 6 (1) (e) of the UK GDPR: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller i.e. a call for views.

We will not:

  • Sell or rent your data to third parties

  • Share your data with third parties for marketing purposes

  • Use your data in analytics

We will share your data if we are required to do so by law - for example, by court order, or to prevent fraud or other crime.

With whom we will be sharing your personal data

We may publish responses to the call for views. If we do this, these responses will be anonymised. We will take all reasonable measures to ensure that neither you nor the organisation you represent are identifiable, and any responses used to illustrate findings will be anonymised.

DCMS has commissioned a third party, Qualtrics, to host this survey via their online platform. Qualtrics will process your data in accordance with DCMS instructions and their privacy policy.

If you want the information that you provide to be treated as confidential, please be aware that, under the Freedom of Information Act 2000 (FOIA), there is a statutory Code of Practice with which public authorities must comply and which deals, amongst other things, with obligations of confidence. In view of this, it would be helpful if you could explain to us why you regard the information you have provided as confidential. If we receive a request for disclosure of the information, we will take full account of your explanation, but we cannot give an assurance that confidentiality can be maintained in all circumstances. An automatic confidentiality disclaimer generated by your IT system will not, of itself, be regarded as binding on the Department.

For how long we will keep your personal data, or criteria used to determine the retention period

Your personal data will be held for two years after the survey is closed. This is so that the Department is able to contact you regarding the result of the survey following analysis of the responses.

Your rights, e.g. access, rectification, erasure

What are your data protection rights?

You have rights over your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). The Information Commissioner’s Office (ICO) is the supervisory authority for UK data protection legislation, and maintains a full explanation of these rights on their website.

  • DCMS will ensure that we uphold your rights when processing your personal data

  • Your personal data will not be sent overseas

  • Your personal data will not be used for any automated decision making

  • Your personal data will be stored in a secure government IT system

How do I complain?

The contact details for the data controller’s Data Protection Officer (DPO) are:

Data Protection Officer

The Department for Digital, Culture, Media & Sport

100 Parliament Street

London

SW1A 2BQ

Email: DCMSdataprotection@dcms.gov.uk

If you’re unhappy with the way we have handled your personal data and want to make a complaint, please write to the department’s Data Protection Officer or the Data Protection Manager at the relevant agency. You can contact the department’s Data Protection Officer using the details above.

Changes to this policy

We may change this privacy policy. In that case, the ‘last updated’ date at the bottom of this page will also change. Any changes to this privacy policy will apply to you and your data immediately.

If these changes affect how your personal data is processed, DCMS will take reasonable steps to let you know.

This notice was last updated on 14/04/2022

  1. This call for views asks about infrastructure and organisations which store or process data for multiple other organisations. It is not focused on enterprise-owned storage and processing infrastructure used by a single organisation. 

  2. This includes interconnection and peering infrastructure within data centres. 

  3. This call for views asks about infrastructure and organisations which store or process data for multiple other organisations. It is not focused on enterprise-owned storage and processing infrastructure used by a single organisation. 

  4. While we welcome responses from relevant trade bodies, we would also particularly like individual responses from organisations, as opposed to collective responses, as we are seeking a spectrum of views. 

  5. This could include personal and non-personal data that, if accessed, provides opportunities to hostile actors to undermine the UK’s national security, economy, essential services or way of life. These risks are exacerbated when data is collected and aggregated at scale. 

  6. This includes supply chain management requirements.