Skip to content

Search the site

Home Office may put child abuse database on the cloud

"... it is now considered that removing these restrictions can be compliant with data protection requirements."

A highly sensitive Home Office database that includes footage of child sexual abuse could be moved from police data centres to the public cloud.

The “Child Abuse Image Database (CAID)” is used to identify child abuse victims and their offenders. A contract to host it expires in early 2026. 

The UK government is now months from contracting a new service provider to host and secure the critical law enforcement database, it said.

See also: Ministry of Defence’s ERP headache is Deloitte’s uncontested millions

The Home Office describes the database as the “the central image, video and hash store and associated applications that supports the identification of victims, depicted in Indecent Images of Children, and offenders that possess, distribute, and produce such imagery.”

CAID could previously only be hosted in (and currently is hosted in) police-owned data centres, the Home Office said in a market notice

But confidence in “Tier 1” cloud providers among law enforcement and the Home Office has clearly grown significantly over the past 48 months.

“Previously legal opinion, last updated in 2020, was that due to considerable data protection and other legal concerns, CAID data should not be held on cloud hosted infrastructure and should remain within Police owned data centres,” the market notice, published on May 21, said.

See also: 8 years in, £2 billion spent, and nothing to show bar a big fat interoperability hole

“Since this advice was given there has been considerable development in both cloud hosting technology and the needs and approaches of law enforcement efforts to combat child sexual abuse and exploitation. 

“As such, this opinion had been revisited and it is now considered that removing these restrictions can be compliant with data protection requirements” the notice said, saying it plans to go to market by October.

It is not, it clarified, about to put this database in a shared tenancy bucket in any location: The provider will need to ensure that CAID is hosted in UK-based data centres, separated from other tenants “so that underlying infrastructure providers have no access to the CAID applications or data”, encrypt data at rest with customer-managed keys and ensure “strong RBAC [role-based access control]” along with other security measures. 

Some readers would be forgiven for hoping the Home Office doesn’t contract Fujitsu for the work. The UK public sector IT favourite spilled private AWS keys, client data and plaintext passwords out into the open, unnoticed, for nearly a year after exposing a Microsoft Azure storage bucket to anyone who found it – before being notified by a security researcher. See The Stack’s exclusive here