1) Please provide your organisation’s total spend on cloud infrastructure for the last three financial years. (please select)
|
<£1M
|
£1M – £2M
|
£2M-£5M
|
£5M-£10M
|
>£10M
|
|
| 2022/23 | X | ||||
| 2023/24 | X | ||||
| 2024/25 | X |
2) Please list all of the hyperscaler cloud providers your organization currently uses: (please select)
Amazon Web Services (AWS)
Google Cloud Platform (GCP)
Alibaba Cloud
Microsoft Azure
Oracle Cloud Infrastructure (OCI)
Other:
Microsoft Azure.
3) Is your organisation considering using more than one cloud provider? (please select)
Yes – already doing this
Yes – under consideration
No
No, considering switching fully
Other:
No
4.) Do you have any commercial agreements with any cloud providers? If yes, please provide contract details (e.g. start/end date, amount, where you found the provider)
This information is already publicly available via Supplying the South West Portal.
5.) Please list the internal departments with the highest utilisation of cloud services (please select)
Corporate Services
Finance and Resources
Adult Social Care and Health
Children’s Services and Education
Housing and Homelessness
Other:
Corporate Services
6) What percentage of your organisation’s data is currently hosted on cloud platforms versus on premises? (please select)
<10% hosted on cloud platforms
10-25% hosted on cloud platforms
25-50% hosted on cloud platforms
50-75% hosted on cloud platforms
75-100% hosted on cloud platforms
On-premise – 54%
Public cloud – 34%
Private cloud – 0%
Hybrid (a mix of on-premise and cloud) – 12%
7) Have you implemented any policies regarding data sovereignty and/or cloud security? (If yes, please upload a copy of any policies below)
Yes
No
Other:
8.) Please disclose any information your organisation holds relating to cyber incidents affecting your cloud systems.
In response to questions 7 and 8 we can advise that Devon County Council hold some or all of the information you have requested. However, we consider this is exempt from disclosure under Section 31(1)(a), the prevention or detection of crime, of the Freedom of Information Act 2000.
This is because the Council considers that this information constitutes valuable intelligence, that could be leveraged by a motivated cyber threat actor to inform a successful attack against our infrastructure. We feel that releasing this information would therefore increase the chances of DCC becoming the victim of a cyber-attack.
We have considered the public interest in releasing this information. While we recognise that there is an overriding public interest in openness and transparency, we feel that there is a stronger public interest in the Council maintaining the security and integrity of its IT systems. We feel that significant weight should be applied to this public interest consideration given the current elevated cyber threat landscape facing public sector organisations. For these reasons we feel that the balance of public interest weighs in favour of withholding this information from disclosure.
Ofcom/CMA Investigation
Ofcom has raised concerns that some of the largest cloud providers (like Amazon AWS and Microsoft Azure) make it difficult or expensive for organisations to switch providers. This led to a formal investigation by the CMA, which is expected to publish its final findings by 4 August 2025.
9.) Is your organisation aware of the CMA investigation into major cloud providers and the concerns around switching costs, contracts, and competition?
Yes – fully aware
Somewhat aware
Not aware
Other:
Somewhat aware.
10.) Has your organisation taken any steps in response to this (for example, discussing risks of lock-in, reviewing contracts, or exploring alternative providers)? (please select)
Yes – formal review or actions taken
Yes – informal discussions only
No steps taken
No steps taken.
11.) What concerns, if any, do you have with your current hyperscaler cloud provider?
Cost
Security
Reliability (e.g., SLAs/customer care)
Vendor Lock-in
Geopolitics
Environmental concerns (e.g., water usage, power consumption, emissions)
No concerns
Other:
No concerns.