DPIA Office 365 for the Web and Mobile Office Apps Data Protection
Total Page:16
File Type:pdf, Size:1020Kb
authe DPIA Office 365 for the Web and mobile Office apps Data protection impact assessment on the processing of diagnostic data Date 30 June 2020 DPIA Office for the Web and mobile Office apps SLM Microsoft Rijk 30 June 2020 Colophon DPIA by Ministry of Justice and Security Strategic Vendor Management Microsoft (SLM Microsoft Rijk) Turfmarkt 147 2511 DP The Hague PO Box 20301 2500 EH The Hague www.rijksoverheid.nl/jenv Contact Paul van den Berg E [email protected] T 070 370 79 11 Project name DPIA report diagnostic data processing in Microsoft Office 365 for the Web and mobile Office apps (report delivered March 2020, Update June 2020) Appendix Overview telemetry data observed in iOS and Office for the Web apps Authors Privacy Company Sjoera Nas and Floor Terra, senior advisors, with the help of work student Lotte aan de Stegge www.privacycompany.eu Page 3 of 138 DPIA Office for the Web and mobile Office apps SLM Microsoft Rijk 30 June 2020 CONTENTS Colophon 3 Summary 7 Introduction 17 Part A. Description of the data processing 24 1. The processing of diagnostic data 24 1.1 About Office for the Web, the mobile Office apps and the Connected Experiences 24 1.2 Difference between content, functional and diagnostic data 33 1.3 Different types of diagnostic data 34 2. Personal data and data subjects 35 2.1 Definitions of different types of personal data 36 2.2 Diagnostic data mobile Office apps 37 2.3 Outgoing traffic to third parties mobile Office apps 40 2.4 Results access request mobile Office apps 49 2.5 Diagnostic data Office for the Web 51 2.6 Outgoing traffic to third parties Office for the Web 52 2.7 Results access requests Office for the Web 55 2.8 Diagnostic data Connected Experiences 59 2.9 Analytical services based on the system-generated log files 60 2.10 Types of personal data and data subjects 62 3. Data processing 65 4. Purposes of the processing 71 4.1 Purposes Office for the Web, Processor Connected Experiences and the Connected Cloud Services 71 4.2 Purposes mobile Office apps and Controller Connected Experiences 72 5. (Joint) controller or processor 75 5.1 Definitions 75 5.2 Contractual arrangements between the Dutch government and Microsoft 75 5.3 Data processor 75 5.4 Data controller 76 5.5 Joint controllers 80 6. Interests in the data processing 81 6.1 Interests of the Dutch government organisations 81 6.2 Interests of Microsoft 82 6.3 Joint interests 84 7. Transfer of personal data outside of the EU 84 8. Techniques and methods of the data processing 88 8.1 Azure AD log files and usage data 88 8.2 Big Data Processing 89 9. Additional legal obligations: e-Privacy Directive 90 10. Retention periods 94 Part B. Lawfulness of the data processing 99 11. Legal Grounds 99 11.1 Diagnostic data Office for the Web, Connected Cloud Services and Processor Connected Experiences 99 11.2 Telemetry data and traffic to third parties from Office for the Web 101 11.3 Mobile Office apps and Controller Connected Experiences 102 Page 5 of 138 DPIA Office for the Web and mobile Office apps SLM Microsoft Rijk 30 June 2020 12. Special categories of data 103 12.1 Transfer of special, sensitive, secret and confidential data to the USA 104 13. Purpose limitation 105 14. Necessity and proportionality 107 14.1 The principle of proportionality 107 14.2 Assessment of the proportionality 107 14.3 Assessment of the subsidiarity 109 15. Data Subject Rights 111 Part C. Discussion and Assessment of the Risks 114 16. Risks 114 16.1 Identification of Risks 114 16.2 Assessment of Risks 117 16.3 Summary of risks 126 Part D. Description of risk mitigating measures 128 17. Risk mitigating measures 128 17.1 Measures against the six high risks 128 17.2 Measures against the three low risks 131 17.3 Agreed mitigating measures Microsoft 132 Conclusions 138 Page 6 of 138 DPIA Office for the Web and mobile Office apps SLM Microsoft Rijk 30 June 2020 Summary The Microsoft Office 365 Enterprise license includes the use of three different versions of the Office software. Office can be installed on the computers and laptops of employees (Office 365 ProPlus), installed on smartphones and tablets (mobile Office apps for iOS and Android) and as online applications running in a browser (Office for the Web, previously known as Office Online). This Data Protection Impact Assessment (DPIA) is a repeated assessment of the use of the last two versions of the software: Office for the Web and the mobile Office apps. The Dutch government’s department managing strategic vendor relations with Microsoft (SLM Microsoft Rijk) has published the earlier DPIA on 23 July 2019. This DPIA contains outcomes with respect to diagnostic data processing in Office for the Web and the mobile Office apps as at 31 March 2020. Since then, SLM Microsoft Rijk and Microsoft agreed upon measures to mitigate the six high data protection risks set out in the table below, as further described in the paragraph ‘Mitigating measures Microsoft’ of this summary and in Section 17.3 of this report. Once these measures have been implemented by Microsoft, and provided that government administrators apply the recommended measures in this DPIA, the high data protection risks for data subjects related to the collection of data about the use of Office for the Web and the mobile Office apps identified in this DPIA will be mitigated. Outcome: six high data protection risks The outcome of this DPIA is that there are six high data protection risks and three low data protection risks in spite of the contractual, legal and organisational measures that Microsoft has taken in the spring of 2019, and since the fall of 2019 to mitigate the data protection risks. These high risks are due to the following seven circumstances: 1. When using Office for the Web, Microsoft sends personal data to two American companies that are not processors: Optimizely and Giphy. From mobile Office apps, Microsoft sends traffic to six companies, of which four are not processors. 2. Microsoft behaves as independent data controller for the processing of telemetry data about the use of the mobile Office apps and the processing of personal data in connection with the Controller Connected Experiences in the mobile Office apps and Office for the Web. Microsoft may process personal data from and about the use of the use of these services for all 17 purposes mentioned in its general privacy statement. 3. Some telemetry events from Office for the Web contain content data, such as file-, pad- and usernames. It is not clear whether Microsoft is processor for these telemetry events. 4. Administrators are not able to minimise the telemetry level in the Office for the Web services. The new central telemetry choice for the mobile Office apps has not yet been created for the Teams, Outlook and OneDrive mobile Office apps on iOS and Android. 5. The possibility to centrally turn off the Controller Connected Experiences in Office for the Web and the mobile Office apps does not yet work in the OneDrive, Outlook and Teams apps on iOS and Android and not in the Teams and OneDrive browser versions of Office for the Web. 6. Microsoft does not publish information about the telemetry that it collects via Office for the Web and the mobile Office apps. Microsoft has now made the Data Viewer Tool suitable for decoding events from three mobile Office apps Page 7 of 138 DPIA Office for the Web and mobile Office apps SLM Microsoft Rijk 30 June 2020 on iOS and Android, namely Word, PowerPoint and Excel, but not for the Outlook, Teams and OneDrive apps. 7. Microsoft, when acting as controller, has not given access to the personal data that it processes via the mobile Office apps, the Controller Connected Experiences and the telemetry of Office for the Web. The high risks and the possible countermeasures of Microsoft and of government organisations are listed below in a table. Umbrella DPIA versus individual DPIAs This DPIA was conducted by SLM Microsoft Rijk, the central negotiator for Microsoft products and services for Dutch central government organisations. However, the individual government organisations buy the licenses and determine the settings and scope of the processing by Microsoft. Therefore, this general DPIA can help the different government organisations with the DPIAs they must conduct, but this document does not replace the specific risk assessments the different government organisations must make. Only the organisations themselves can assess the specific data protection risks, based on their specific deployment, the level of confidentiality of their work and the types of personal data they process. Scope: diagnostic data, not content or functional data This report addresses the data protection risks of the storing by Microsoft of data about the use of the five most commonly used applications (Word, PowerPoint, Outlook, Excel and Teams) in Office for the Web and the mobile Office apps, in combination with the use of Connected Experiences and the cloud services SharePoint, OneDrive for Business, Exchange Online and the Azure Active Directory. These metadata (about the use of the services and software) are called ‘diagnostic data’ in this report. Technically, Microsoft Corporation collects diagnostic data in different ways, via system-generated event logs on its own cloud servers and via the telemetry client in the mobile Office apps and -since recently- also via Office for the Web. Similar to the telemetry client in Windows 10 and Office 365 ProPlus, Microsoft has programmed the mobile Office apps and Office for the Web to systematically collect telemetry data on the device, and regularly send these to Microsoft’s servers in the USA.