
Results of Data Protection Impact Assessment (DPIA) on Microsoft OneDrive, SharePoint and Teams

SURF, together with the Ministry of Justice and Security (Strategic Supplier Management for the Central Government), has commissioned the Privacy Company to carry out a Data Protection Impact Assessment (DPIA) on Microsoft OneDrive, SharePoint and Teams.

The study revealed the following:

  • 6 low risks
  • 1 high risk

The six low risks can only be classified as low once the institutions have taken the required measures; SURF will provide further information on these. The high risk concerns the use of Teams, specifically the situation in which special categories of personal data are shared in pre-planned Teams meetings. These scheduled meetings are not end-to-end encrypted: at this time, Microsoft offers end-to-end encryption (E2EE) only for spontaneous one-to-one calls.

Measures 

Microsoft has promised to support E2EE for all scheduled Teams conversations but has not yet given an exact date for this. SURF and the Ministry of Justice and Security are continuing to discuss this with Microsoft. Once Microsoft provides clarity about an implementation date, the risk that is currently high can be reconsidered. 

If institutions wish to use OneDrive and SharePoint to process sensitive or special personal data, they are advised to use Microsoft's Double Key Encryption service or a third-party encryption solution, so that files are stored encrypted and cannot be decrypted without a key held by the institution itself.

Retrieval of personal data by investigative and intelligence services 

Microsoft reported in November 2021 that it has never provided personal data of employees of public sector institutions to any government. Microsoft has previously announced that it is working on a solution where personal data is processed exclusively in the EU (the so-called EU Data Boundary).  

Further information 

SURF provides further information on this page to explain the DPIA and also describes the measures that can be used to mitigate the risks.

SURF also closely monitors developments regarding the use of cloud services outside the EEA and endeavours to ensure that technical and contractual arrangements with suppliers are compliant and that risks are minimised.