Results of Data Protection Impact Assessment (DPIA) on Microsoft OneDrive, SharePoint and Teams

Studenten achter laptop

SURF, together with the Ministry of Justice and Security (Strategic Supplier Management for the Central Government), has commissioned the Privacy Company to carry out a Data Protection Impact Assessment (DPIA) on Microsoft OneDrive, SharePoint and Teams.  

The study revealed the following: 

  • 6 low risks 
  • 1 high risk 

The six low risks can only be classified as such after the institutions have taken action. SURF will provide further information on this. The high risk concerns the use of Teams. This concerns the specific situation in which special personal data is shared via pre-planned Teams meetings. These planned sessions are not end-to-end encrypted. At this time, Microsoft only offers end-to-end encryption (E2EE) for spontaneous one-to-one exchanges. 

Measures 

Microsoft has promised to support E2EE for all scheduled Teams conversations, but has not yet given an exact date for this. SURF and the Ministry of Justice and Security are continuing to discuss this with Microsoft. Once Microsoft provides clarity about an implementation date, the risk that is currently high can be reconsidered. 

If institutions wish to use OneDrive and SharePoint to process sensitive or special personal data, they are advised to make use of Microsoft's Double Key Encryption service or third-party encryption solutions. This allows files to be stored encrypted.  

Retrieval of personal data by investigative and intelligence services 

Microsoft reported in November 2021 that it has never provided personal data of employees of public sector institutions to any government. Microsoft has previously announced that it is working on a solution where personal data is processed exclusively in the EU (the so-called EU Data Boundary).  

Further information 

SURF also closely monitors developments regarding the use of cloud services outside the EER and endeavours to ensure that technical and contractual arrangements with suppliers are compliant and that risks are minimised. 

Q&A - general

What is a DPIA?

A DPIA, Data Protection Impact Assessment, is an instrument to map out privacy risks for data subjects. According to the General Data Protection Regulation (AVG), a DPIA is necessary if there is large-scale processing of personal data or sensitive personal data.

Why does SURF have DPIAs carried out?

Within SURF, the members make joint arrangements with ICT and content suppliers regarding the supply and purchase of products and services. In this way, the members jointly ensure economies of scale and an efficient point of contact for suppliers. DPIAs are part of this. In many cases, suppliers process personal data belonging to SURF members. It is therefore important that those concerned comply with legislation and regulations. SURF collaborates with the government on this. Several DPIAs have already been carried out in collaboration with the government. 

For whom is the DPIA applicable?

Each institution must decide for itself to what extent the results are applicable to its own organisation. The DPIAs produced can therefore be used by everyone, including organisations outside education and research, but must always be interpreted in relation to their own situation and environment. 

Q&A - about the DPIA of Microsoft OneDrive, SharePoint and Teams

What was the scope of this DPIA?

The DPIA that was carried out on behalf of SURF and the Ministry of Justice and Security concerned the online versions of Microsoft Teams, Microsoft SharePoint and Microsoft OneDrive. The results of this study therefore relate only to these solutions and do not say anything about other Microsoft solutions or the 'on-premises' solutions of these applications.

Can my institution continue to use these solutions?

Yes, but measures will have to be taken by the administrators of your institution. SURF will provide a detailed explanation of these measures and put them online.

Does my institution have to do anything?

The DPIA identified six low risks and one high risk. The six low risks are only 'low' after implementing the measures recommended in the DPIA. The high risk cannot be resolved technically at present. For this, the institution's administrator should instruct the users/employees concerned.

What exactly is the high risk?

The high risk occurs in limited cases within Teams. If people have a scheduled appointment in Teams, that call will not be end-to-end encrypted (E2EE). Because of the theoretical possibility that (US) investigative and intelligence services will request access to these conversations, it is relatively easy for them to analyse them. Only if these conversations concern special personal data (as described in Article 9 of the AVG) does a high risk arise due to the sensitivity of these personal data. It is therefore strongly discouraged to have these kinds of conversations via a scheduled meeting. This risk does not arise in spontaneous one-to-one conversations via Teams. In that case, the conversations can be end-to-end encrypted. 

What is Microsoft doing about this high risk?

Microsoft has indicated that it will make efforts to also apply end-to-end encryption in planned Teams conversations. Microsoft cannot yet give a date when this will be implemented. That is partly why this risk is on high, and will remain so until there is more clarity on this.

Is my institution at risk now?

Not as far as we have been able to establish. The high risk relates to the theoretical possibility that US investigative and intelligence agencies will request access to data of Dutch citizens. Microsoft has stated that it has not received any requests involving people in the Dutch public sector. 

For more information (page 4)

Are the results of the Schrems II verdict and the new EDPB guidelines included in this study?

Yes, they are included. A Data Transfer Impact Assessment (DTIA) was also carried out in this study. A decision by the European Data Protection Board (EDPB) is also expected at the end of 2022, which may affect the results of this DPIA, among other things. SURF will naturally continue to keep a close eye on this.

What do the risks found relate to?

Both the high and low risks relate to the transfer of personal data to the US and the level of transparency offered by Microsoft in the processing of personal data as a processor.

Welke lage risico’s zijn er gevonden?

These 6 low risks have been found:  

  1. The current structural transfer of limited diagnostic data and the occasional transfer of security data to the US both pose data protection risks. 
  2. Microsoft is not fully transparent about the browser-based collection of telemetry data and the telemetry events about the use of the connected experiences. 
  3. Microsoft has pledged to improve the program that retrieves the diagnostic data. This is to help administrators with any requests to access data from individual employees. This tool is currently still difficult to use. 
  4. There is one exception to Microsoft's guarantee that the 'required service data' does not include directly identifiable (readable) user names/email addresses or document names. Microsoft may collect an employee's username and/or e-mail address, along with the tenant name and file path with the full name of the document. This is necessary, for example, for the operation of OneDrive. This data is kept for no longer than 30 days.  
  5. Microsoft offers two different analytics services for Teams: Teams Analytics and Reporting and Viva Insights. These tools provide insight into the behaviour of employees to the employees themselves as well as to the administrators of the institution. Teams Analytics and Reporting is enabled by default. This option must be turned off by the institution's administrator. Viva Insights is off by default. If the administrator turns this functionality on, the user can opt-out of it. 
  6. Microsoft is working to ensure that no traffic is sent from SharePoint to its search engine Bing, in situations where an Enterprise or Education customer has disabled the Controller Connected Experiences. Currently, Microsoft allows itself to process this data as a controller for the 17 purposes listed in their standard privacy statement. The removal of traffic from SharePoint to Bing must be completed by July 2022.  
What measures does my institution need to take?

Regarding the high risk of content data being processed in the EU but accessed from the US because such data is not encrypted:  

  • Provide instructions to users not to share special personal data via scheduled Teams calls, as such scheduled sessions are not end-to-end encrypted. Scheduled calls mean Teams meetings set up via the calendar. Spontaneous calls via Teams can be encrypted. 
  • Use Double Key Encryption for documents with sensitive or special categories of personal data stored in SharePoint and OneDrive. This includes recordings of Teams meetings.  
  • Use Customer Lockbox for other stored personal data.  
  • Turn on end-to-end encryption by default for 1-on-1 calls and instruct users to turn on end-to-end encryption as well. Microsoft describes here how this can be enabled
    A short description: After the administrator has activated the feature, an end user should do the following: Go to 'Settings' and then choose the 'Privacy' options. Select the button next to 'End-to-end encrypted calls' to activate it. 
  • Create a privacy policy for Teams and OneDrive for users and guest users. Set up rules for sharing files and images. Make sure employees and guest users accept these rules via the Azure AD Terms and Conditions.  

On the low risk side: 

  • Microsoft is developing an EU Data Boundary. With this, all EU personal data will be stored in the EU (including diagnostic and service data) from the end of 2022. Until then, the risk of the current structural transfer of limited diagnostic data and occasional transfer of security data to the US should be accepted.  
  • Do not use an SMS code for authentication, in order to prevent the transfer of unencrypted mobile phone numbers to countries outside the EEA. Instead, use the Microsoft Authenticator app or a hardware token. 
  • Establish policies for the use of OneDrive and SharePoint that specify that no personal data may be included in file names and file paths.  
  • Consider creating pseudonymous accounts for employees whose identities must remain confidential (within their own AD environment or within Azure AD if used for Single Sign On.  
  • Regularly use the Data Viewer Tool and compare the results with public documentation.
  • Inform employees about the possibility of using the Data Viewer Tool and inform them about the possibility of making a data subject access request to their own institution.  
  • When the Data Subject Access Request (DSAR) tool is used to access diagnostic data, compare it with an in-house technical analysis performed on the network traffic.   
  • Disable the functionality of Teams Analytics and Reporting and use pseudonymisation. Do not enable Viva Insights. Should a decision be made to use these tools, carry out a DPIA. Especially when they are used in combination with other Microsoft Windows & Office analytical services.  
  • Make policy to prevent the use of Teams Analytics & Reports as an employee monitoring tool.  
  • To mitigate the risk of Microsoft passing on data to third parties with Microsoft in the role of controller, it is recommended to turn off the controller Connected Experiences and the third party apps in Teams.  
  • Instruct end users not to search for images online via SharePoint in the Bing search engine until the functionality is disabled in July 2022.  
What conclusion was made in the DPIA?

Microsoft has already taken many legal, technical and organisational measures in response to the negotiations by SLM Rijk and SURF. Shortcomings have been corrected and guarantees have been given regarding the data processing by Microsoft. This has mitigated a large part of the risks for data subjects in the processing of personal data by the use of Teams, OneDrive and SharePoint. However, Microsoft still has several steps to take to mitigate the high risks and low risks identified. If institutions follow and implement the aforementioned recommended measures, there are currently no high risks for the processing of (special) personal data.  

The risks will be reassessed at the end of 2022 after more clarity has been provided by the European Data Protection Board (EDPB) regarding data transfers outside the EEA. SURF closely monitors these developments and makes every effort to ensure that technical and contractual agreements with suppliers are compliant and that risks are minimised. 

What about business critical data?

When using an application, the person responsible within the institution must consider the processing of personal data as well as other data that may be confidential. A DPIA focuses solely on personal data and compliance with the AVG. Therefore, other forms of confidential and/or business-critical information are not included.

Is the high risk only associated with Teams?

Files within Onedrive and SharePoint can be stored encrypted. This is also the mitigating measure: use Double Key Encryption for files with sensitive or special personal data stored in SharePoint/OneDrive. This includes recordings of Team conversations. Use Customer Lockbox to protect other stored personal data.  

Live conversations in Teams cannot/have not yet been recorded, with the exception of spontaneous one-to-one calls. Here you can turn on the E2EE measure by default. This is the reason why scheduled Teams meetings are classified as high risk. There is currently no mitigating measure available, other than instructing employees not to process special personal data.  

How can I use E2EE (end-to-end encryption) in one-to-one conversations?

It is first up to the administrator of the institution to activate the E2EE function. After that, every user will turn on E2EE, in their Teams application. 

In Teams, select the 'More options' option next to your profile picture. Select 'Settings' and then select the 'Privacy' options on the left. Select the button next to 'End-to-end encrypted calls' to activate it.