Data Protection Impact Assessment on Microsoft OneDrive, SharePoint and Teams
SURF, together with the Ministry of Justice and Security (Strategic Supplier Management for the Central Government), has commissioned the Privacy Company to conduct a Data Protection Impact Assessment (DPIA) on Microsoft OneDrive, SharePoint and Teams.
Outcomes of Data Protection Impact Assessment (DPIA) on Microsoft OneDrive, SharePoint and Teams
Feb. 23, 2022 - SURF, together with the Ministry of Justice and Security (Strategic Supplier Management for the Central Government), has commissioned the Privacy Company to conduct a Data Protection Impact Assessment (DPIA) on Microsoft OneDrive, SharePoint and Teams.
The study identified the following risks:
- 6 low risks
- 1 high risk
The 6 low risks can only be classified as such after actions have been implemented by the institutions. SURF will come up with further information on this. The high risk concerns the use of Teams. It concerns the specific situation where special personal data is shared via pre-scheduled Teams meetings. These scheduled sessions are not end-to-end encrypted. Currently, Microsoft offers this encryption (end-to-end encryption, E2EE) only for spontaneous 1-to-1 exchanges.
Actions
Microsoft has agreed to start supporting E2EE for all scheduled Teams calls, but has not yet given an exact date for this. SURF and the Ministry of Justice and Security continue to have discussions with Microsoft about this. After Microsoft offers clarity on an implementation date, the risk that is currently high may be reconsidered.
If institutions want to use OneDrive and SharePoint to process sensitive or special personal data, they are advised to use Microsoft's Double Key Encryption service or third-party encryption solutions. This way, files can be stored encrypted.
Retrieval of personal data by investigative and intelligence agencies
Microsoft reported in November 2021 that it has never provided personal data of employees of public sector institutions to any government. Microsoft previously announced that it was working on a solution where personal data is processed exclusively in the EU (known as the EU Data Boundary).
Further Information
SURF also closely monitors developments regarding the use of cloud services outside the EEA and makes efforts to ensure that technical and contractual agreements with vendors are compliant and that risks are minimized.
Frequently asked questions on the DPIA Microsoft OneDrive, SharePoint & Teams (Dutch)