Word, PowerPoint, Excel, Outlook and Teams – Microsoft’s applications have increasingly moved to the cloud in recent years. The resulting “Microsoft 365” now offers practical collaboration options in addition to the many other advantages of the cloud. At the same time, however, numerous data protection issues arise, especially when it is used by public agencies, because personal data is processed in all of these applications. Nevertheless, data protection-compliant use of Microsoft 365 is also possible for public agencies and institutions, such as schools, universities and public authorities, as examples from real-world practice show: in a recently published data protection impact assessment for universities, the Dutch Ministry of Justice concluded that there are no “great risks to data processing” once certain measures have been implemented. The Bavarian Justice Administration likewise relies on Microsoft Teams to conduct video hearings (source available only in German).
Hence, the focus of a data protection-compliant use of Microsoft 365 is less on the “if” and more on the “how”. Below, we would like to provide you with five tips for data protection-compliant use of Microsoft 365 by public authorities, which we have gained in numerous implementation projects and in close exchange with Microsoft and the data protection supervisory authorities:
1. Conducting a data protection impact assessment
Data protection-compliant use of Microsoft 365 by public authorities generally requires a data protection impact assessment pursuant to Article 35 GDPR. This is intended to further investigate processing operations that are likely to present a high risk to the personal rights and freedoms of natural persons prior to implementation and to reduce such risks through mitigation measures.
2. Identifying processing operations and the respective purposes of processing
The respective purposes of use of Microsoft 365 within a public body should be determined via the definition of “usage scenarios”. For example, in the context of teaching at a university or school, different scenarios can be distinguished, such as lectures or classes, seminars, group work, exams, and many more. Here, it is necessary to identify the groups of people affected in the context of the respective scenarios (for example, students, employees, teachers) and to determine the specific personal data affected in each case via data categories. In addition to practical usage scenarios, an overview of the contracts and licenses with Microsoft should also be obtained, and it should also be checked whether it is necessary to conclude additional (data protection) agreements.
3. Identifying the legal bases for the processing purposes
Building on the previous step, identify the respective legal bases for the specific purposes of the processing. This is because processing of personal data is only lawful if at least one of the conditions of Article 6(1), sentence 1, letters (a) to (f) GDPR is met. When allocating legal bases, care should be taken to differentiate as precisely as possible between the specific purposes.
4. Assessing the risks to the rights and freedoms of data subjects
Based on the purposes of use, the risks to data subjects should also be weighed. Risks in public institutions may include, for example, the (accidental) disclosure of personal data or unlawful access to personal data by third parties. In this context, special attention must also be paid to the specific groups of people affected: For example, personal data of minors is processed at schools, which is a group of people that requires special protection. A special risk assessment must also be carried out for judicial authorities with regard to the processing of personal data on criminal convictions and criminal offenses.
5. Remedial measures to address risks
Once the respective risks have been identified, the task is to implement suitable remedial measures. These can be both technical and organisational in nature. One technical measure is the use of special functions provided by Microsoft such as “Customer Lockbox” or “Hold Your Own Key”. An authorisation concept that controls the access rights of all users to data within an institution can also be implemented technically in Microsoft 365. In addition to other organisational measures, such as guidelines for using Microsoft 365 and employee training, an erasure concept should also be created to minimise data and limit storage periods.
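To show what two of the technical measures named above look like in practice, here is an added PowerShell example (it is not part of the original article and not Microsoft guidance). It checks and enables Customer Lockbox in Exchange Online and creates a time-based deletion rule as one building block of an erasure concept. The cmdlets are from Microsoft’s ExchangeOnlineManagement module; the policy name “Teaching-Scenario-Erasure” and the 365-day retention period are assumptions chosen for illustration.

```powershell
# Added example, not from the original article: illustrative configuration for two of
# the technical measures named in tip 5. Cmdlets come from the ExchangeOnlineManagement
# module; the policy name and the 365-day period are assumptions for illustration.

# --- Customer Lockbox (Exchange Online) --------------------------------------
Connect-ExchangeOnline

$orgConfig = Get-OrganizationConfig
if (-not $orgConfig.CustomerLockBoxEnabled) {
    # With Lockbox enabled, Microsoft support engineers need explicit approval
    # from the institution before they can access tenant data.
    Set-OrganizationConfig -CustomerLockBoxEnabled $true
}
# Re-read the setting to confirm the change took effect
(Get-OrganizationConfig).CustomerLockBoxEnabled

# --- Erasure concept: retention policy with automatic deletion ----------------
Connect-IPPSSession

$policyName = "Teaching-Scenario-Erasure"   # assumed name, one policy per usage scenario
if (-not (Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $policyName `
        -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
        -Enabled $true
}

# Delete content 365 days after its last modification. The period is an assumption;
# the real figure must be derived from the usage scenario and its legal basis (tips 2 and 3).
New-RetentionComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -RetentionDuration 365 `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction Delete

# Verify that the policy is enabled and being distributed to the selected workloads
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
```

Customer Lockbox depends on the licences in place, which is one reason the overview of contracts and licences from tip 2 matters. The retention rule covers only data in Exchange, SharePoint and OneDrive; data held in Teams chats and other workloads needs its own policy in the erasure concept.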
Due to its technical structure and numerous legal requirements, using Microsoft 365 in a manner that complies with data protection regulations is complex. However, with a data protection impact assessment and suitable technical and organisational measures to reduce risks within the framework of the intended usage scenarios, compliant use is ultimately possible for public bodies too.