Vendor compliance
On behalf of institutions, we perform privacy and security risk analyses on vendors. In this way, we jointly fulfil statutory obligations. By combining expertise, we achieve cost savings, knowledge sharing and, on behalf of the education and research sector, we have a stronger negotiating position towards vendors.

Microsoft OneDrive, SharePoint and Teams

SURF, together with the Ministry of Justice and Security (Strategic Vendor Management for the Central Government), commissioned the Privacy Company to conduct a Data Protection Impact Assessment (DPIA) on Microsoft OneDrive, SharePoint and Teams.

Outcomes of Data Protection Impact Assessment (DPIA) on Microsoft OneDrive, SharePoint and Teams

23 February 2022 - SURF, together with the Ministry of Justice and Security (Strategic Vendor Management for the Central Government), commissioned the Privacy Company to conduct a Data Protection Impact Assessment (DPIA) on Microsoft OneDrive, SharePoint and Teams.

The study revealed the following:

  • 6 low risks
  • 1 high risk

The 6 risks can only be classified as low after the institutions have carried out certain actions; SURF will provide further information on these. The high risk concerns the use of Teams, specifically the situation where special personal data is shared in pre-scheduled Teams meetings. These scheduled sessions are not end-to-end encrypted: Microsoft currently offers end-to-end encryption (E2EE) only for spontaneous 1-to-1 calls.

Measures

Microsoft has committed to start supporting E2EE for all scheduled Teams conversations, but has not yet given an exact date for this. SURF and the Ministry of Justice and Security remain in discussions with Microsoft on this matter. After Microsoft offers clarity on an implementation date, the currently high risk may be reconsidered.

If institutions want to use OneDrive and SharePoint to process sensitive or special personal data, they are advised to use Microsoft's Double Key Encryption service or a third-party encryption solution, so that files are stored in encrypted form.

Retrieval of personal data by investigative and intelligence agencies

Microsoft reported in November 2021 that it has never provided personal data of employees of public sector institutions to any government. Microsoft previously announced it was working on a solution where personal data is processed exclusively in the EU (known as the EU Data Boundary).

Further information

SURF is also closely monitoring developments regarding the use of cloud services outside the EEA and is making efforts to ensure that technical and contractual agreements with vendors are compliant and that risks are minimised.