Office 365 is one of the most widely used suites of office productivity applications, in use by over a million organisations worldwide as of this year. Adoption has only accelerated in light of the COVID-19 pandemic, with a rush to facilitate remote working and enhanced collaboration between distanced workers. When a piece of technology this central is rolled out within an organisation, privacy teams may consider carrying out a data protection impact assessment (DPIA) on their specific implementation. The good news is that a useful baseline exists in the form of a DPIA carried out on Office 365 applications by the Dutch Government. In this article, we explore the context and findings of this DPIA, and discuss a number of steps that organisations can consider in order to enhance their data protection compliance when using this suite of applications.
Dutch Government Office 365 DPIA
In 2018, the Dutch Ministry of Justice and Security, via SLM Rijk (an arm of the Dutch Government tasked with vendor management for Microsoft products), commissioned a Data Protection Impact Assessment to be carried out on a range of Microsoft products, including Office 365. They considered a DPIA necessary because the processing would involve personal data (content as well as metadata), would take place on a large scale (the applications are used by 300,000 government employees), and would include data that could potentially be used to track the activities of employees. The aim of the exercise was to assess whether and how Office Online and the Mobile Office Apps could be deployed in a GDPR-compliant manner by Dutch government organisations.
The DPIA (published in 2019) addresses the data protection risks of processing data using the five most commonly used Office 365 applications – Word, PowerPoint, Outlook, Excel and Microsoft Teams – in Office Online and the Mobile Office apps, in combination with the use of Connected Experiences and cloud storage services. Other Microsoft cloud services that integrate with the Office 365 core applications were also considered, such as SharePoint Online, OneDrive for Business and Exchange Online. The report assesses the mitigating measures implemented by Microsoft to ensure that the processing of personal data by these online services can be done in accordance with the GDPR, the privacy options available to the organisations that use the software, and the (remaining) risks to the privacy of users once mitigating measures have been applied. The risks of storing data on cloud servers were not a focus of the report.
A primary finding of the assessment is that Microsoft collects data that includes the email addresses of users and timestamps of the activities they perform with Office 365 applications. Importantly, when cloud-hosted applications such as SharePoint, OneDrive for Business and Exchange Online are used, additional data is included in the diagnostic data, including filenames, file paths and email subjects. This data, commonly known as metadata, is referred to as diagnostic data in the report. When Office 365 applications were used on Apple mobile devices, an analysis of network traffic showed that data was being sent to a third-party marketing company called Braze. Microsoft states that its diagnostic data is pseudonymised; however, pseudonymisation does not eliminate the risk.
Metadata may also be made available to the data controller (in this case the Dutch government) via reporting applications that can be enabled in the Office 365 suite, such as the MyAnalytics application. This data poses a privacy risk to employees, as it enables their employer to profile their behaviour based on their interactions with applications.
Metadata poses a risk
By its nature, a government organisation is likely to be processing classified data, as well as the sensitive or high-risk personal data of individuals. Classified data is not a specific category of data in the GDPR, but organisations that apply such classifications to data they hold should strive to apply similar safeguards to it. The report highlights that diagnostic data shared with Microsoft about activities performed using Office 365 applications could pose a risk to the privacy of the individuals concerned, and potentially a risk to the organisation, in this case the government. If diagnostic data relating to an individual within the government who has access to classified information were ultimately breached, it could expose that individual to targeted attacks (e.g. social engineering, spear phishing or blackmail) aimed at exploiting their level of access to information.
The DPIA concluded that the processing of diagnostic data relating to the use of the Office 365 mobile apps (for which Microsoft qualifies itself as a data controller in this instance) and the Connected Experiences functionalities leads to a number of data protection risks, which the report's authors ranked as high, and that only Microsoft could effectively mitigate these risks. The five data protection risks highlighted were:
- Loss of control over the use of personal data
- Loss of confidentiality
- Inability to exercise rights
- Reidentification of pseudonymised data
- Unlawful (further) processing
Due to the lack of control that organisations have over the use of the Office 365 mobile applications, government organisations were advised to create policies stating that employees were not to use the mobile Office 365 apps. Indeed, the report notes that if the mobile versions of the Office applications were avoided, the organisation acting as data controller would be able to exercise greater control over the level of data collected for diagnostic purposes.
On foot of the DPIA performed by the Dutch government, in late 2019 Microsoft made adjustments to its offering to facilitate greater compliance with the GDPR. As well as rolling out enhanced privacy controls, Microsoft applied the contractual terms negotiated by the government to its Online Services Terms for commercial cloud contracts. Microsoft also changed its role and purpose for processing in relation to its Connected Experiences (becoming a data processor for most Connected Experiences) and provided additional administrative controls for data controllers to restrict access to those functionalities for which Microsoft still qualifies itself as a data controller.
Configuring Office 365 for optimal compliance
Cloud-connected services such as Office 365 need to be configured for optimal compliance by data controllers and their system administrators. Microsoft provides a number of data protection compliance tools to aid in this, some of which were provided directly as a result of the DPIA commissioned by the Dutch government. Organisations looking to configure their Office 365 suite of applications for optimal compliance should consider the following, as highlighted in the DPIA report:
- Prohibit the use of Connected Experiences for which Microsoft qualifies itself as a data controller;
- Set the telemetry level (i.e. diagnostic data) to ‘Neither’;
- Disable the sending of data for the Customer Experience Improvement Program;
- Turn off LinkedIn integration with Microsoft employee work accounts;
- Conduct a DPIA before using Workplace Analytics and Activity Reports in the Microsoft 365 admin centre, and before allowing employees to use MyAnalytics and Delve;
- Depending on the sensitivity of the content data: consider using Customer Lockbox and Customer Key; and
- Warn employees not to use Office Online and the mobile Office apps that are included in the Office 365 license until the five high risks identified in the DPIA have been mitigated.
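The first three items of this checklist correspond to policy settings that administrators push to Windows clients through Group Policy or the Office cloud policy service. As an added example (not code from the article or the DPIA report), the PowerShell script below audits a workstation's per-user policy registry values for those three items; the registry paths, value names and numeric encodings are assumptions based on Microsoft's documented privacy policy settings for Microsoft 365 Apps and should be verified against current documentation for your Office version.

```powershell
# Added example: audit per-user Office policy values against the DPIA checklist.
# Registry paths, value names and encodings are ASSUMED; confirm them against
# Microsoft's current privacy policy documentation before relying on the output.
$checks = @(
    @{ Name     = 'Diagnostic data level set to Neither'
       Path     = 'HKCU:\Software\Policies\Microsoft\office\common\clienttelemetry'
       Value    = 'SendTelemetry'
       Expected = 3 },   # assumed encoding: 1 = Required, 2 = Optional, 3 = Neither
    @{ Name     = 'Connected Experiences where Microsoft is controller disabled'
       Path     = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy'
       Value    = 'ControllerConnectedServicesEnabled'
       Expected = 2 },   # assumed encoding: 2 = Disabled
    @{ Name     = 'Customer Experience Improvement Program disabled'
       Path     = 'HKCU:\Software\Policies\Microsoft\office\16.0\common'
       Value    = 'qmenable'
       Expected = 0 }    # assumed encoding: 0 = Disabled
)

function Test-OfficePrivacyPolicy {
    param([Parameter(Mandatory)][hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path -Path $c.Path) {
            $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($c.Value) }
        }
        # A missing value means no policy is applied and the Office default
        # governs, which is less restrictive than the DPIA recommendation,
        # so "not set" is reported as non-compliant rather than unknown.
        $display = if ($null -eq $actual) { '<not set>' } else { $actual }
        [pscustomobject]@{
            Setting   = $c.Name
            Expected  = $c.Expected
            Actual    = $display
            Compliant = ($null -ne $actual -and $actual -eq $c.Expected)
        }
    }
}

Test-OfficePrivacyPolicy -Checks $checks | Format-Table -AutoSize
```

Run the script in the context of the user whose Office session is being checked, since the settings live under HKEY_CURRENT_USER; a machine-wide policy deployed under HKEY_LOCAL_MACHINE would need the paths adjusted accordingly.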
Data controllers should make use of the Microsoft 365 Compliance Center, which enables configuration of privacy and security features within the Office 365 suite. Particularly at this time, with many companies adopting Microsoft Teams as their employee collaboration tool of choice to facilitate remote work, there are opportunities to enforce good data governance of the use of such applications from the start.
The DPIA's findings illustrate the difficulties that many companies face when a power imbalance with their service providers leaves them without 'negotiating clout' or a realistic option to undertake auditing. It took the capability and authority of a national government to attempt to effect meaningful change in the data protection compliance of a third party the size of Microsoft. Indeed, the Dutch government ended up negotiating changes to Microsoft's terms of service to facilitate more compliant processing, from which all organisations benefit as a result.
Need help configuring for optimal compliance?
The Trilateral DCS team regularly helps our clients procure and configure information systems for optimal data protection compliance. If you could use help in this area, feel free to get in touch with one of our advisors today.