PONT Data&Privacy

Memo: State of Microsoft

On November 7, 2018, the Ministry of Justice, through Strategic Supplier Management Microsoft Rijk (SLM Microsoft Rijk, the central point of contact for Microsoft within the Rijksoverheid), published a comprehensive report on how Microsoft collects and processes personal and other data through its Office 2016 and Office 365 ProPlus products. This report is known as the "DPIA diagnostic data in Microsoft Office ProPlus" (DPIA).

Rijksoverheid August 2, 2019

The DPIA shows that Office does not meet all the requirements of the AVG (the GDPR) and that Microsoft and the Rijksoverheid should take a number of measures to bring the collection and use of personal data in line with the requirements of the AVG.

SLM Microsoft Rijk agreed on an improvement plan with Microsoft prior to the publication of the DPIA. In this plan, Microsoft committed to modify its products in such a way that the Dutch government could use them in compliance with the AVG. Microsoft has since made the most urgent changes in accordance with the improvement plan. These were tested by SLM Microsoft Rijk in June 2019 and found to be in order.

SLM Microsoft Rijk also wished, in some areas, to further restrict the collection and use of personal and other data, in order to prevent far-reaching further processing of personal data (including by third parties).

In April and May 2019, negotiations were held with Microsoft to make the necessary measures binding, give them a proper legal basis and obtain sufficient means of control and audit rights.

Letters to Parliament

Following questions from the House of Representatives, two letters to Parliament were written by Ministers Grapperhaus and Ollongren. The first letter, dated December 20, 2018, provided information about the improvement plan and its schedule. The second letter, dated July 1, 2019, reported on the results of the improvement plan, concluding:

"Given the results achieved as described above, from an AVG perspective, SLM Microsoft Rijk sees no objections for SLM Microsoft member organizations to use Microsoft Office ProPlus, Windows 10 Enterprise and Azure. It always remains an organization's own consideration as a data controller to decide whether and which product or service is appropriate for a specific application. This should include weighing other factors such as information security concerns and laws and regulations specific to the organization."

Conclusions

SLM Microsoft Rijk has eliminated or adequately mitigated the risks identified in the DPIA. In addition, SLM Microsoft Rijk has eliminated or adequately mitigated similar risks related to other Microsoft products and services (this applies to all services covered by the Microsoft Online Service Terms), or there is sufficient visibility to eliminate or mitigate such risks (this applies to the remaining products and services, including Windows 10 Enterprise). Finally, SLM Microsoft Rijk has negotiated adequate audit rights, and all agreements are binding.

Data protection impact assessments (DPIAs) by the Services can now be conducted much more uniformly and efficiently. This leads to better results and will save time and costs.

Restrictions

To be clear, while the technical product changes that SLM Microsoft Rijk agreed upon with Microsoft have become available to all so-called Enterprise customers worldwide, this does not apply to the additional agreements governing the obligations of data controller and processor. The scope of SLM Microsoft does not extend beyond the Government Departments and their associated ZBOs and Agencies. These additional agreements therefore only apply to those government departments and ZBOs that are affiliated with the government-wide Microsoft Business and Services Agreement (MBSA) managed by SLM Microsoft Rijk. We are of course happy to help with information and advice.

Further Limitations: Mobile Apps and Office Online

For the avoidance of doubt: Microsoft Office Online and the Microsoft Office mobile apps, available through the Apple Store for iOS and through the Google store for Android, have since been examined and are not yet compliant. This is explained in a second DPIA report, published simultaneously with the DPIAs on Windows 10 and Office 365 ProPlus. SLM Microsoft Rijk is still in discussions with Microsoft to clarify the terms of use. Use of the mobile Office apps is therefore discouraged for now. For Office Online, it is currently not possible, contrary to the agreements with Microsoft, to turn off Controller Connected Experiences. Its use is therefore also discouraged for the time being.

What was accomplished?

Authorized uses: purpose limitation

The DPIA identified eight risks with respect to Office. In particular, the negotiations in April and May were on risk 6 ("lack of purpose limitations" or "insufficient purpose limitation/base for authorized purposes"). This risk was eliminated by:

  • agreeing in great detail on the purposes for which Microsoft may use State data (both content data and all service usage data) covered by the scope of the agreements between the State and Microsoft;

  • prohibiting the use and transfer of data to third parties for data analytics, profiling, advertising and market research, unless permitted by written instructions from the State;

  • agreeing in detail how data should be anonymized, following WP29 Opinion 05/2014 on Anonymisation Techniques (WP216);

  • giving the purpose limitation agreements a broad scope by referring both to "Customer Data" and to personal data generated by Microsoft in connection with the Rijksoverheid's use of the Online Services; and

  • agreeing, for the so-called Controller Connected Services, that administrators can centrally turn them off and on.

Audit

In addition, it is agreed that SLM Microsoft Rijk may verify compliance with the agreements made through audits by an independent third party appointed by SLM Microsoft Rijk. Microsoft has committed to cooperate with such audits by making available the systems through which it processes data, the facilities and supporting documentation relevant to the processing of data and personal data of SLM Microsoft Rijk member organizations, and by providing access to the auditors.

The other seven risks

The negotiations in April and May 2019, as mentioned above, focused in particular on risk 6. Some of the other risks had previously been covered or adequately mitigated. The remaining risks were included in the negotiations last April and May and then eliminated or adequately mitigated.

Record of agreements and applicability to enrollments

All agreements are contained in an amendment to the highest level agreement with Microsoft (the MBSA). This amendment cannot be changed at a lower level.

As of May 1, all enrollments that refer to the SLM Microsoft Rijk central MBSA are automatically subject to all additional agreements as explained in this memo. Thus, the government units using the central MBSA do not need to take separate actions to make the enhanced agreements applicable.

For the data transfers from the EU to the US involved in the use of the OST services, an appendix has been developed that meets the level of detail required by the AVG. This appendix makes clear which types of data are processed by Microsoft Corp., the importer of the data, and for which Microsoft Corp. commits to all necessary safeguards. The appendix must be completed by the government component for each enrollment.

SLM Microsoft Rijk is approaching the already-connected government units in the coming weeks to add this appendix to their enrollment.

How to proceed with DPIAs? - Efficiency benefits

A data protection impact assessment (DPIA) should be conducted when there are high risks to the data protection of data subjects. A DPIA should assess the effects of the intended processing activities on the data protection of relevant data subjects.

Currently, all State data controllers (in this case the Services) must each conduct their own DPIAs, because they process personal data for a variety of purposes as a result of the statutory duties they perform. The protective measures and contractual agreements that SLM Microsoft Rijk has agreed with Microsoft are an important part of these DPIAs.
To avoid each controller making its own assessment of the agreements with Microsoft, SLM Microsoft Rijk has commissioned a modified DPIA for Windows 10 Enterprise and Microsoft Office ProPlus (including Office Online and the mobile Office apps) based on the agreements made with Microsoft. This DPIA then counts as a "technical model DPIA" that considers Microsoft's role as a data processor and the agreement with Microsoft. All Services can then refer to this technical model DPIA when conducting their own DPIA. In addition to the technical model DPIA, data controllers then only need to assess their own use of the Microsoft services (that is, the risks associated with the processing of the specific personal data they process using Microsoft's Online Services). This will benefit uniformity in risk assessment and save a lot of time and costs.

Advice from SLM

In summary, the advice for components of Rijksoverheid is as follows:

  • Join SLM Microsoft Rijk to access the necessary contractual terms.

  • Use Windows 10 Enterprise from version 1903 with Timeline Sync off and set telemetry to the lowest level, Security (or block telemetry traffic).

  • Regarding Microsoft Office 365 products and services:
    a. Prohibit the use of Controller Connected Experiences by centrally disabling them.
    b. Use version 1905 or higher of Office 365 ProPlus and set the telemetry level to 'Neither'.
    c. Disable sending data for the Customer Experience Improvement Program.
    d. Disable LinkedIn integration with the Microsoft work accounts of employees.
    e. No DPIA has been done for Workplace Analytics and Activity Reports in the Microsoft 365 admin center, nor for user access to MyAnalytics and Delve. Organizations that want to use these tools should conduct a DPIA; they can contact SLM Microsoft Rijk for this.

  • Depending on the specific situation in each organization, the use of Customer Lockbox and Customer Key can be considered to further protect the contents of files.

  • Do not use Office Online and the mobile Office apps that are part of the Office 365 license until the five high risks described in the DPIA addendum are mitigated.
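As an added example (not part of the SLM Microsoft Rijk memo), a PowerShell check that reads the local Group Policy registry values behind the Windows 10 and Office 365 ProPlus settings advised above and reports which ones deviate. The registry paths and values are the policy-backed keys as the author of this example knows them, not something the memo states; verify them against your ADMX templates before relying on the result.

```powershell
# Added example, not from the memo: audit the local machine against the advised
# Windows 10 / Office 365 ProPlus privacy settings. Registry locations are an
# assumption based on the Windows and Office policy templates; confirm against
# your Group Policy ADMX files.
$checks = @(
    @{ Name = 'Windows diagnostic data at Security (0)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Key  = 'AllowTelemetry'; Expected = 0 },
    @{ Name = 'Timeline: activity feed disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Key  = 'EnableActivityFeed'; Expected = 0 },
    @{ Name = 'Timeline: upload of user activities disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Key  = 'UploadUserActivities'; Expected = 0 },
    @{ Name = 'Office diagnostic data level Neither (3)'
       Path = 'HKCU:\Software\Policies\Microsoft\office\common\clienttelemetry'
       Key  = 'SendTelemetry'; Expected = 3 },
    @{ Name = 'Optional (controller) connected experiences disabled (2)'
       Path = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy'
       Key  = 'ControllerConnectedServicesEnabled'; Expected = 2 },
    @{ Name = 'Customer Experience Improvement Program disabled'
       Path = 'HKCU:\Software\Policies\Microsoft\office\16.0\common'
       Key  = 'QMEnable'; Expected = 0 },
    @{ Name = 'LinkedIn features in Office disabled'
       Path = 'HKCU:\Software\Policies\Microsoft\office\16.0\common'
       Key  = 'LinkedIn'; Expected = 0 }
)

function Test-PrivacyBaseline {
    param([array]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value means the policy is simply not configured;
        # that is reported as a deviation, not silently treated as compliant.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
        $status = if ($actual -eq $c.Expected) { 'OK' } else { 'DEVIATION' }
        if ($null -eq $actual) { $actual = 'not configured' }
        [pscustomobject]@{
            Setting = $c.Name; Expected = $c.Expected; Actual = $actual; Status = $status
        }
    }
}

# Windows 10 release: the memo advises 1903 or later (ReleaseId is a string).
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
Write-Host "Windows 10 release: $release (advised: 1903 or higher)"

Test-PrivacyBaseline -Checks $checks | Format-Table -AutoSize
```

Run it in the context of a user who receives the Office policies (the HKCU keys), since user-scoped policies are not visible from a different account.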

Paul van den Berg
Strategic Supplier Manager Microsoft Rijk

Publications: Data protection impact assessments DPIAs Office 365 ProPlus, Windows 10 Enterprise, Office 365 online and mobile apps

This memo can also be found in the Information Security file
