Part 1: The Office 365 approach to privacy in the public cloud – Responsibility

Stephen Bury writes on the Office 365 Blog:

Microsoft Office 365 is an online business service that was purposely built to optimize the flexibility, responsiveness, and efficiency of the cloud. It was also created with a strong emphasis on data protection and with Microsoft's three tenets of privacy - responsibility, transparency, and choice - at its core. This week we'll explore each principle as explained in the Microsoft whitepaper "Privacy in the Public Cloud: The Office 365 Approach" and on the Office 365 Trust Center, which provides a comprehensive overview of Microsoft's privacy and security practices.

Our commitment to responsibility is supported by our broad network of people that implement our privacy standards and provide guidance and training. For instance, if there is a privacy incident we have rigorous procedures to address the problem, diagnose the cause, and update our customers in a timely manner. Examples of how we approach privacy governance in Office 365 are outlined below.

  • Standing the test of time. The ability to respond to the rapidly changing priorities for privacy and security in the cloud is something every organization should look for from their service provider. Office 365 has a variety of risk management mechanisms to appropriately respond to regulatory change, organizational change, personnel change, and technological change.
  • Enabling regulatory compliance. Customers are responsible for complying with national, regional, and industry-specific requirements governing the collection of personal data. To support our global customer base, we run our services with common operational practices and features that span multiple customers and jurisdictions. We're also committed to providing our customers with detailed information about our cloud services to help their assessments. The Office 365 Trust Center was built specifically to support customers and includes detailed information about things like regulatory compliance and security, audits, and certifications.
  • Support for EU Model Clauses. Office 365 offers companies with European users the opportunity to sign data processing agreements with the standard contractual clauses published by the European Commission.
  • Using customer data only for the customers' purposes. We have strong internal policies that delineate what we and our partners can and can't do with customer information. With Office 365, we use our customers' data only for what they pay us to do - maintain and provide Office 365 services. This means we don't use customer data for building advertising products or analytics, data mining, or improving service without our customers' permission.
  • Controlling access to customer data. There are strict controls over who will be granted access to customer data. There must be a legitimate business justification and the request must be approved by the person's manager. Accountability of customer data is enforced through a set of system controls like the use of unique user names, data access controls, and auditing.
  • Securing customer information and Office 365 systems. Office 365 is designed specifically for secure access over the Internet. We provide anti-spam and anti-malware technologies that are automatically updated against the latest security threats. The security features and services for Office 365 are built-in, which reduces customer time and cost associated with securing their IT systems.

In our next post we'll review transparency and how we strive to make information about our data protection policies and procedures readily available and easy to understand.

Additional resources:

______________________________________________________________________________

--Stephen Bury