Privacy risks of Microsoft 365 Copilot lowered to orange

SURF advises education and research institutions to exercise caution when deploying Microsoft 365 Copilot. That is the conclusion of a new DPIA (Data Protection Impact Assessment) on Microsoft 365 Copilot. Despite improvements to the AI application, not all risks have been convincingly addressed.

Restrained use and conditions

Over the past few months, SURF and SLM (Strategic Supplier Management) of the Dutch government have held intensive discussions with Microsoft to address the risks. Due to the privacy improvements in Microsoft 365 Copilot, from which all users benefit, SURF no longer advises against its use entirely. However, given the remaining risks, we recommend that educational and research institutions adopt a cautious approach to using Copilot and carefully weigh the risks for each type of use. In doing so, we advise institutions, at the very least, to make clear agreements within the institution about the use of AI and to implement an AI usage policy.

Conclusions of risk assessment

In December 2024, SURF published the first DPIA on Microsoft 365 Copilot, which revealed four high risks. Of the four high risks previously found, two remain that are now rated as 'medium' or 'orange'. These two remaining risks relate to inaccurate (personal) data and the retention period of diagnostic (personal) data on the use of the service. SURF is keeping a close watch on Microsoft’s commitments to address these medium risks and will make a new assessment in six months.

Managing deployment of artificial intelligence

As a cooperative, SURF ensures that the sector maintains control over the deployment of AI and that this is done responsibly. With DPIAs like this one and other initiatives, we inform our members about the opportunities and risks of AI. SURF takes into account the balance between different providers and the current geopolitical situation in order to avoid vulnerability due to dependencies within operations. For this, we use the Cloud Sourcing Strategy as a starting point.

Read the full DPIA: SURF update DPIA M365 Copilot