This data could produce a privacy risk to employees, enabling their employer to profile their behaviour based on their interactions with applications.īy its nature, a government organisation is likely to be processing classified data, as well as the sensitive or high-risk personal data of individuals. Metadata may also be made available to the data controller (in this case the Dutch government) via reporting applications that can be enabled in the Office 365 suite, such as the MyAnalytics application.
Microsoft states that its diagnostic data is pseudonymised, however, this does not eliminate risk. When using Office 365 applications on Apple mobile devices, an analysis of network traffic showed that data was being sent to a third-party marketing company called Braze. This data, commonly known as metadata, is referred to as diagnostic data in the report. Importantly, when cloud-hosted applications, such as SharePoint, OneDrive for Business & Exchange Online are used, additional data is included in the diagnostic data, including filenames, file paths and email subjects. The risks of storing data on cloud servers was not a focus of the report.Ī primary finding of the assessment is that Microsoft collects data that includes email addresses and timestamp data of users performing activities with Office 365 applications.
The report assesses the mitigating measures implemented by Microsoft to ensure that the processing of personal data by these online services can be done in accordance with the GDPR, what the available privacy options are for the organisations that use the software, and what the (remaining) risks for the privacy of the users may be once mitigating measures have been applied. Other Microsoft cloud services that integrate with Office 365 core applications were also considered, such as SharePoint Online, OneDrive for Business and Exchange Online. The DPIA (published in 2019) addresses the data protection risks of the processing of data using the five most commonly used Office 365 applications – Word, PowerPoint, Outlook, Excel and Microsoft Teams, in Office Online and the Mobile Office apps, in combination with the use of Connected Experiences and cloud storage services. The aim of the exercise was to assess whether and how Office Online and the Mobile Office Apps could be deployed in a GDPR compliant manner by Dutch government organisations. They considered it necessary to undertake a DPIA because the data processing would involve personal data (be it content or metadata) that would take place on a large scale (used by 300,000 government employees), and would include data that could be potentially used to track the activities of employees. In 2018, the Dutch Ministry of Justice and Security via SLM Rijk (an arm of the Dutch Government tasked with vendor management for Microsoft products) commissioned a Data Protection Impact Assessment to be carried out on a range of Microsoft products, including Office 365. In this article, we explore the context and findings of this DPIA, as well as discuss a number of steps that organisations can consider in order to enhance their data protection compliance when using this suite of applications. The good news is that a useful baseline exists in the form of a DPIA carried out on Office 365 applications by the Dutch Government. With such a core piece of technology dependence being rolled out within an organisation, privacy teams may consider carrying out a data protection impact assessment (DPIA) on their specific implementation. The rate of adoption has only increased in light of the COVID-19 pandemic, with a rush to facilitate remote working and enhanced collaboration between distanced workers. Office 365 is one of the most widely-used suites of office productivity applications, in use by over a million organisations worldwide as of this year.
0 kommentar(er)
