5 tips for the use of Micro­soft 365 by public bodies in com­pli­ance with data pro­tec­tion laws

Word, Power­Point, Excel, Out­look and Teams – Microsoft’s appli­ca­ti­ons have incre­asing­ly moved to the cloud in recent years. The resul­ting “Micro­soft 365” now offers prac­ti­cal col­la­bo­ra­ti­on opti­ons in addi­ti­on to many other advan­ta­ges of the cloud. At the same time, howe­ver, num­e­rous data pro­tec­tion issues ari­se, espe­ci­al­ly when used by public agen­ci­es, becau­se per­so­nal data is pro­ces­sed in all appli­ca­ti­ons. Howe­ver, data protection-compliant use of Micro­soft 365 is also pos­si­ble for public agen­ci­es and insti­tu­ti­ons, such as schools, uni­ver­si­ties and public aut­ho­ri­ties, as examp­les from real world prac­ti­ce show: For exam­p­le, in a recent­ly published data pro­tec­tion impact assess­ment for uni­ver­si­ties, the Dutch Minis­try of Jus­ti­ce con­cluded that the­re are no “gre­at risks to data pro­ces­sing” after imple­men­ting cer­tain mea­su­res. And the Bava­ri­an Jus­ti­ce Admi­nis­tra­ti­on also reli­es on Micro­soft Teams to con­duct video hea­rings (only in Ger­man).

Hence, the focus of a data protection-compliant use of Micro­soft 365 is less on the “if” and more on the “how”. Below, we would like to pro­vi­de you with five tips for data protection-compliant use of Micro­soft 365 by public aut­ho­ri­ties, which we have gai­ned in num­e­rous imple­men­ta­ti­on pro­jects and in clo­se exch­an­ge with Micro­soft and the data pro­tec­tion super­vi­so­ry authorities:

1.    Con­duc­ting a data pro­tec­tion impact assessment

Data protection-compliant use of Micro­soft 365 by public aut­ho­ri­ties gene­ral­ly requi­res a data pro­tec­tion impact assess­ment pur­su­ant to Artic­le 35 GDPR. This is inten­ded to fur­ther inves­ti­ga­te pro­ces­sing ope­ra­ti­ons that are likely to pre­sent a high risk to the per­so­nal rights and free­doms of natu­ral per­sons pri­or to imple­men­ta­ti­on and to redu­ce such risks through miti­ga­ti­on measures.

2.    Iden­ti­fy­ing pro­ces­sing ope­ra­ti­ons and the respec­ti­ve pur­po­ses of processing

The respec­ti­ve pur­po­ses of use of Micro­soft 365 within a public body should be deter­mi­ned via the defi­ni­ti­on of “usa­ge sce­na­ri­os”. For exam­p­le, in the con­text of tea­ching at a uni­ver­si­ty or school, dif­fe­rent sce­na­ri­os can be distin­gu­is­hed, such as lec­tures or clas­ses, semi­nars, group work, exams, and many more. Here, it is neces­sa­ry to iden­ti­fy the groups of peo­p­le affec­ted in the con­text of the respec­ti­ve sce­na­ri­os (for exam­p­le, stu­dents, employees, tea­chers) and to deter­mi­ne the spe­ci­fic per­so­nal data affec­ted in each case via data cate­go­ries. In addi­ti­on to prac­ti­cal usa­ge sce­na­ri­os, an over­view of the con­tracts and licen­ses with Micro­soft should also be obtai­ned, and it should also be che­cked whe­ther it is neces­sa­ry to con­clude addi­tio­nal (data pro­tec­tion) agreements.

3.    Iden­ti­fy­ing the legal bases for the pro­ces­sing purposes

Buil­ding on the pre­vious step, iden­ti­fy the respec­ti­ve legal bases for the spe­ci­fic pur­po­ses of the pro­ces­sing. This is becau­se pro­ces­sing of per­so­nal data is only lawful if at least one of the con­di­ti­ons of Artic­le 6(1), Sen­tence 1, Lite­ri a) – f) GDPR is met. When allo­ca­ting legal bases, care should be taken to dif­fe­ren­tia­te as pre­cis­e­ly as pos­si­ble bet­ween the spe­ci­fic purposes.

4.    Asses­sing the risks to the rights and free­doms of data subjects

Based on the pur­po­ses of use, the risks to data sub­jects should also be weig­hed. Risks in public insti­tu­ti­ons may include, for exam­p­le, the (acci­den­tal) dis­clo­sure of per­so­nal data or unlawful access to per­so­nal data by third par­ties. In this con­text, spe­cial atten­ti­on must also be paid to the spe­ci­fic groups of peo­p­le affec­ted: For exam­p­le, per­so­nal data of minors is pro­ces­sed at schools, which is a group of peo­p­le that requi­res spe­cial pro­tec­tion. A spe­cial risk assess­ment must also be car­ri­ed out for judi­cial aut­ho­ri­ties with regard to the pro­ces­sing of per­so­nal data on cri­mi­nal con­vic­tions and cri­mi­nal offenses.

5.    Reme­di­al mea­su­res to address risks

Once the respec­ti­ve risks have been iden­ti­fied, the task is to imple­ment sui­ta­ble reme­di­al mea­su­res. The­se can be both tech­ni­cal and orga­ni­sa­tio­nal in natu­re. One tech­ni­cal work­around is the use of spe­cial func­tions pro­vi­ded by Micro­soft such as “Cus­to­mer Lock­box” or “Hold Your Own Key”. An aut­ho­ri­sa­ti­on con­cept that con­trols the access rights of all users to data within an insti­tu­ti­on can also be tech­ni­cal­ly imple­men­ted in Micro­soft 365. In addi­ti­on to other orga­ni­sa­tio­nal mea­su­res, such as gui­de­lines for using Micro­soft 365 and employee trai­ning, an era­su­re con­cept should also be crea­ted to mini­mi­se data and limit storage.

Sum­ma­ry

Due to its tech­ni­cal struc­tu­re and num­e­rous legal requi­re­ments, using Micro­soft 365 in a man­ner that com­pli­es with data pro­tec­tion regu­la­ti­ons is com­plex. Howe­ver, with a data pro­tec­tion impact assess­ment and sui­ta­ble tech­ni­cal and orga­ni­sa­tio­nal mea­su­res to redu­ce risks within the frame­work of the inten­ded usa­ge sce­na­ri­os, com­pli­ant use is ulti­m­ate­ly pos­si­ble for public bodies too.