Well Intended Guidance Leaves more Questions than Answers The UK Government Digital Services – part of the Department for Science, Innovation and Technology – has recently published guidance for how the public sector should adopt a multi-region approach to cloud technology. At first sight this appears encouraging. Any unnecessary constraints on hosting arrangements (or any other non-functional requirements) reduce the available market of providers, constrain competition, and therefore inevitably reduce value for money. If parts of Government, whether central, regional or local, have felt that everything must be hosted in the UK then it makes sense to produce guidance that clarifies this perception and helps to open their options up. But for guidance to be useful it should guide. It should make it easier for people to take actions that they previously would have discounted. The guidance in this case, which at 1420 words is almost as short as this article, probably leaves the reader with more questions than answers. It may reveal some unknowns, but without increasing certainty. The Guidance in a Nutshell A summary of the guidance is as follows: Look wider than UK: Many cloud solutions may not offer UK hosting, particularly new innovative solutions that haven’t scaled up yet. Irrespective, their staff are likely to be distributed around the world if the service is supported 24/7. There may also be other benefits in looking wider than UK hosting, such as enabling better business continuity and disaster recovery options if the vendor only has one UK site. Get legal advice: Before you even consider a non-UK option you need to seek advice from your own legal advisors and your Data Protection Officer (DPO). Ensure compliance with ICO guidance: Before you even consider a non-UK option you need to check and make sure that any international transfer of personal data will be compliant with the Information Commissioner’s Office (ICO) guidance, and you should get further guidance from your own legal advice and DPO. Do a full review of vendor security: Before you even consider a non-UK option you need to make sure the vendor and solution are compliant with your own security policies. In a nutshell, it says: 'you should consider options outside of the UK but only if you have checked everything is legal and secure'. This seems to be verging on a statement of the obvious; the real difficulty in going offshore is covering all of the legal, regulatory and security compliance aspects. Adequacy is a Moment in Time On point 3, the guidance points out data protection compliance is easier if the country in question is considered by the ICO to be adequate – having equivalent regulations for data protection to the UK. Sound advice. But even this is not that simple. For instance, the USA is not considered adequate unless it is under an extension of the EU-US Data Privacy Framework. This framework is dependent on an Executive Order that the Biden administration put in place, and it is entirely possible that it will be revoked by the current administration. If such an action was taken, or if for any other reason the EU decides that adequacy is no longer met (also not unlikely given Herr Schrems has achieved this twice already and has stated he plans to challenge the DPF), then the vendor will no longer be considered compliant. Consideration is Far Wider than Residency Security is far wider than data residency though. This is where point 4 both states the obvious and understates the complexity. Managing risk in the supply chain is inherently difficult. Cloud providers, and particularly SaaS solutions, aggravate this challenge by an order of magnitude. By their nature they are solutions designed for a broad and varied range of customers. This means they will always involve compromise. If they tried to meet the most demanding requirements, they would price themselves out of the scale marketplace. If they went for the lowest common denominator, they would be unable to meet the requirements of the majority. An individual customer can rarely dictate a specific security requirement for themselves. They are also highly opaque. The vendor presents their service as a black box. The features delivered to the customer are defined, but much of the underlying design and the means the vendor uses to manage it in operation are hidden. This makes assessing the risk far more of a judgement call than when the design and delivery is conducted under your control. Depending on the supplier, and the leverage that the customer has over them, it may be possible to get some information and assurances; but the right questions need to be asked, and the answers need to be interpreted correctly. Third party certifications and audits, such as the ISO27000 series of standards or the SOC1, SOC2 and SOC3 reports, can also provide some additional assurances. But only the customer will be able to decide the extent to which they can mitigate the risk, and the confidence they have in the supplier to manage their own. This is a business decision informed by the specifics and nuances of the risks being considered. Summary It is important to minimise the non-functional requirements and keep an open mind about potential solutions and vendors. This includes looking wider than just the UK when national security requirements are not paramount. But this is not something that can be distilled onto a single sheet of A4 in any meaningful way. Yes, there are legal and regulatory issues that need to be reviewed. And geopolitical risk needs to be factored in, considering how you would respond to future external changes that are outside of the UK’s control. But from experience, the greatest challenge is getting comfortable that the vendor’s organisation and their solution have adequate security – this applies equally whether the solution is hosted in the UK or overseas. The SaaS world is opaque, and balances priorities across a broad and varied customer base. The public sector needs to increase its adoption of cloud and SaaS solutions to remain efficient and relevant, in the same way that the private sector has had to. But the route to responsible adoption is more nuanced, requiring candid conversations with suppliers, and ultimately an informed but subjective judgement by the customer’s leadership. Sources/Links: DSIT Guidance for Multi-region cloud and software-as-a-service ↩︎ ICO Guide to International Transfers ↩︎ Executive Order (E.O.)14086 of October 7, 2022, on Enhancing Safeguards for United States Signals Intelligence Activities ↩︎ Note: This article originally appeared on Tom Burton's personal blog at https://digility.net/insights/

The Digital Communities All-Party Parliamentary Group (APPG) shared the ‘Care to connect: Public Switched Telephone Network (PSTN) Migration’ report with key parliamentarians on Monday at a launch meeting on Parliament Street. This report highlights key recommendations for managing the ongoing Public Switched Telephone Network (PSTN) migration, focusing on protecting vulnerable residents and ensuring effective solutions. Here are the major takeaways for local government and communication providers: Data-Sharing Agreements (DSAs) DSAs between communication providers (CPs), local authorities, and telecare providers are crucial for identifying vulnerable residents during the migration. Challenges include inconsistent responses from local authorities and fragmented approaches across CPs. The APPG recommends all local authorities and housing associations sign DSAs, regardless of progress in digital switchover, to promote uniformity and resident safety. Telecare Devices The sale of analogue telecare devices must end, as these can leave residents unsupported during the transition. The government, in collaboration with the TEC Services Association (TSA), should enforce higher standards (TEC Quality’s Quality Standards Framework) across the telecare industry to achieve robust digital migration practices. Financial support for local councils is critical to replace outdated telecare devices and prevent double costs. Battery Backup Solutions Existing guidance from Ofcom, requiring one-hour resilience for power cuts, is insufficient. The APPG recommends increasing power backup requirements to at least 4 hours in homes and 6 hours for fixed networks. Communication and energy providers must jointly create resilient power solutions, particularly for vulnerable residents reliant on telecare devices. A multi-sector priority service register should integrate communications and energy service protection for those at risk. Sunset of 2G and 3G Networks UK mobile network operators plan to stop supporting 2G and 3G networks by 2033, with some networks already switched off. There are cases where local authorities and residents have purchased telecare devices using 2G/3G SIM cards, as a lower-cost, interim solution — these devices will need to be replaced again, posing double replacement costs for local authorities and additional risks to residents. The government should stop the sale of analogue devices and accelerate efforts to prevent the redeployment of outdated telecare alarms. Summary We welcome these recommendations alongside the December 2023 PSTN Charter, the Telecare National Action Plan and the PSTN Non-voluntary Migration Checklist. The conclusions make it clear that coordination between local and central government, industry regulators (such as Ofcom and Ofgem), and communication providers (CPs), as well as significant investment in digital teams at a local level, are essential goals to ensure a safe and inclusive digital switchover for all vulnerable residents and telecare users. Read the full report here: https://digitalcommunities.inparliament.uk/care-to-connect-public-switch-telephone-network-migration-report About the APPG The Digital Communities APPG is a cross-party group of parliamentarians, with the aim to promote the delivery of digitally equipped places that support and foster a connected, healthy, and productive community. This includes the creation and maintenance of sustainable digital infrastructure, as well as providing residents with equal opportunity to thrive in a digital world. The LGA provides the secretariat to the APPG. Cambridge Management Consulting Our Public Sector and PSTN teams can help local councils and other public bodies by providing strategy, financial planning, procurement, and project management services to ensure that you have a comprehensive transition strategy and accurate financial costing for the PSTN switch-off. We can help you follow the recommendations in this report by completing a full audit, signing DSAs with CPs and most importantly, protecting vulnerable service users. Get in touch with Craig Cheney, Managing Partner and lead for Public & Education, to discuss a range of services which might suit your needs: ccheney@cambridgemc.com (or use the form below). Act now, before time and resources run out.

What Do Your Scope 3 Emissions Have to Do with Inflation? Scope 3 emissions cover everything outside your direct operations —the carbon footprint of your supply chain, purchased goods, logistics, business travel, and more. The higher your Scope 3 emissions, the more energy-intensive your supply chain is. And the more energy-intensive your supply chain, the more vulnerable you are to rising costs. Think of it this way: High Production Costs- If your suppliers are heavily dependent on fossil fuels, their production costs are rising fast Price Volatility- If your supply chain lacks efficiency and resilience, price volatility will hit you harder Locking in High Costs- If you’re not actively engaging with suppliers to reduce emissions, you’re locking in long-term cost increases that could have been avoided Without accurate Scope 3 data and a clear engagement strategy , businesses are leaving themselves open to higher prices, lower margins, and greater financial risk . Why Businesses Struggle with Scope 3 A major challenge is that Procurement and Sustainability teams often operate in silos: Procurement teams focus on cost and supplier relationships but often lack deep sustainability expertise Sustainability teams focus on compliance and decarbonisation but aren’t typically measured on financial performance This disconnect means emissions reduction is rarely treated as a financial opportunity —when in reality, cutting carbon from your supply chain is also one of the most effective ways to reduce exposure to cost inflation. The Businesses That Get This Right Will Lower their Costs Leading organisations are already taking action. They are: Gathering detailed Scope 3 emissions data to map out cost risks in their supply chain Engaging suppliers to drive efficiency, reduce emissions, and lower costs Building resilience by shifting towards lower-carbon, more cost-stable alternatives The result? Lower long-term costs, reduced financial risk, and a competitive edge over those stuck with inefficient supply chains. This is not just about sustainability compliance —it’s about smart financial decision-making. If You’re Not Taking Action, You’re Losing Money Every business will feel the impact of rising supply chain costs—but not every business will be prepared for them. If you don’t have accurate Scope 3 emissions data and an effective engagement strategy, you are: Paying more than you need to for essential goods and services Exposing your business to long-term cost inflation Missing out on opportunities to build a stronger, more resilient supply chain The sooner you act, the better the outcome for your bottom line and the planet. Is your business ready to take control of its costs? Get in touch with Cambridge Management Consulting and edenseven today. About edenseven edenseven is the sustainability-focussed sister-company of Cambridge Management Consulting. We work with businesses across all sectors in multiple regions to deliver robust and deliverable net-zero strategies. The success of any strategy relies on its awareness of how changes in policy and subsidies can create both risks and opportunities for a business. If you are a business trying to enter a new market or evolving in an existing market and would like to learn more about how edenseven can support you, please get in touch with the team at edenseven at info@edenseven.co.uk or use the contact form below. Find out more about edenseven on their website: edenseven.co.uk