"By engaging and staying in dialogue with vendors, we secure the best privacy and security conditions for research and teaching."
Microsoft OneDrive, SharePoint and Teams
Outcomes of Data Protection Impact Assessment (DPIA) on Microsoft OneDrive, SharePoint and Teams
23 February 2022 - SURF, together with the Ministry of Justice and Security (Strategic Vendor Management for the Central Government), has commissioned the Privacy Company to conduct a Data Protection Impact Assessment (DPIA) on Microsoft OneDrive, SharePoint and Teams.
The study revealed the following:
- 6 low risks
- 1 high risk
The 6 low risks can only be classified as low once the institutions themselves have carried out certain measures; SURF will provide further information on these. The high risk concerns the use of Teams, specifically the situation in which special categories of personal data are shared in pre-scheduled Teams meetings. Such scheduled meetings are not end-to-end encrypted: Microsoft currently offers end-to-end encryption (E2EE) only for unscheduled one-to-one calls.
Measures
Microsoft has committed to supporting E2EE for all scheduled Teams meetings, but has not yet given a date for this. SURF and the Ministry of Justice and Security remain in discussion with Microsoft on this matter. Once Microsoft gives clarity on an implementation date, this risk, currently classified as high, may be reassessed.
Institutions that want to use OneDrive and SharePoint to process sensitive or special categories of personal data are advised to use Microsoft's Double Key Encryption service or a third-party encryption solution. With Double Key Encryption the institution holds one of the two keys needed to decrypt a file, so files are stored in encrypted form and the provider alone cannot read them.
Retrieval of personal data by investigative and intelligence agencies
Microsoft reported in November 2021 that it has never provided personal data of employees of public sector institutions to any government. Microsoft had previously announced that it is working on a solution in which personal data is processed exclusively within the EU (the EU Data Boundary).
Further information
SURF is also closely monitoring developments regarding the use of cloud services outside the EEA and is making efforts to ensure that technical and contractual agreements with vendors are compliant and that risks are minimised.