Privacy in Office 365

Published: August 15, 2016

© 2016 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples are for illustration only and are fictitious. No real association is intended or inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Document Classification: Public
Document Location:
Feedback: [email protected]

Introduction

The advances and increased adoption of cloud computing raise important policy considerations, including shared data storage, geographic location, transparency, access, and security. In addition, conflicting legal obligations and competing claims of governmental jurisdiction over data usage continue to limit cloud computing services and their adoption. Divergent rules on privacy, data retention, and other issues cause ambiguity and create significant legal challenges.

Microsoft has been addressing privacy issues associated with cloud computing and online services since the launch of the Microsoft Network in 1994. Microsoft remains committed to protecting the privacy of its customers. We understand that strong privacy protections are essential for building trust in the cloud and helping cloud computing reach its full potential. That’s why we built Office 365 with strong data protection in mind with a dedicated team of privacy professionals.

Privacy at Microsoft

As part of our long-term commitment to Trustworthy Computing, Microsoft strives to earn and strengthen trust by building robust privacy and data protections into our products and services. The Trustworthy Computing Group at Microsoft focuses on creating and delivering secure, private, and reliable computing experiences based on sound business practices. The privacy group within Trustworthy Computing manages our privacy governance program, which includes ongoing employee training, identification of emerging privacy issues in the industry, and regular updates to our privacy standards. We work to responsibly manage and protect the data we store, to be transparent about our privacy practices, and to offer meaningful privacy choices. These three tenets—responsibility, transparency, and choice—are the foundation of Microsoft’s approach to privacy.

Microsoft privacy principles and privacy standards guide the collection and use of customer and partner information at Microsoft and give our employees a clear framework to help ensure that we manage data responsibly. To put our principles and standards into practice, we have invested heavily to build a comprehensive privacy governance program. Microsoft employs many full-time privacy professionals, with several hundred other employees helping to ensure that privacy policies, procedures, and technologies are applied across our products and services. In addition, Microsoft's global privacy community helps to ensure that the company's privacy policies, procedures, and technologies are applied within our business units. This community includes a three-tiered group of privacy champs, leads, and managers who work with developers, marketers, lawyers, and business executives to review Microsoft products and services and provide guidance on privacy-related issues.

Microsoft Corporate Privacy Policy and Microsoft Privacy Standard

The Microsoft Corporate Privacy Policy comprises six key privacy principles for the protection and appropriate use of customer information, such as information submitted by customers, data obtained from third parties, and data that is automatically collected. Microsoft’s six key privacy principles are:

1. Control: We will put you in control of your privacy with easy-to-use tools and clear choices.
2. Transparency: We will be transparent about data collection and use so you can make informed decisions. Customer data is kept secure and private. Microsoft only uses customer data to provide online services, including purposes compatible with providing those services. Access to Office 365 data is strictly limited.

3. Security: We will protect the data you entrust to us through strong security and encryption. We are committed to help protect the data you entrust to us through robust security policy and encryption.
4. Strong legal protections: We will respect your local privacy laws and fight for legal protection of your privacy as a fundamental human right.
5. No content-based targeting: We will not use your email, chat, files or other personal content to target ads to you. Microsoft only uses customer data as required to provide services, including purposes compatible with providing those services. Microsoft will not use customer data or derive information from it for the purpose of advertising or similar commercial purposes without permission.
6. Benefits to you: When we do collect data, we will use it to benefit you and to make your experiences better. Microsoft is responsible for protecting customer data with the same care and precautions it uses to protect its own data. Microsoft only uses customer data as required to provide online services, and to troubleshoot, personalize, and improve online services.

For more information about the implementation of these privacy principles in Office 365, see the Office 365 Online Service Terms. These six principles form the foundation of Microsoft’s approach to privacy and will continue to shape the way we build our products and services. In line with these principles, Microsoft’s privacy standards govern the privacy aspects of the development and deployment of Microsoft consumer and enterprise products and services, including Microsoft’s cloud services. It informs Microsoft employees and vendors about how to develop products and services with users' privacy in mind so that users are able to better understand and control the collection, storage, retention/destruction, and use of their data.

Privacy Reviews

Like all of Microsoft’s products and services, Office 365 undergoes privacy reviews that are designed to identify privacy requirements and help product teams follow Microsoft privacy policies and standards and various national and international industry certification standards (e.g., ISO 27001/27018, SOC/SSAE 16, FedRAMP, etc.). The privacy review process identifies privacy risks and remediation plans. Prior to the release of any product or service, a final privacy review confirms that all implementations based on the review findings have been completed and all requirements are met.

Microsoft’s Policy Activities for Privacy

Microsoft works with governments, businesses, technology leaders, and civil society to advise on legislative proposals, help align laws across jurisdictions, develop responsible privacy practices, and strengthen self-regulatory mechanisms that support privacy and data protection in the data age. For example, we have long supported baseline US privacy legislation, coupled with industry self-regulation that facilitates the free flow of information, enhances privacy and trust, and encourages innovation. We also support the concept of accountability. Under an accountability model, privacy goals are established in law, but individual organizations are responsible for determining how best to meet those goals. Further, we have supported efforts to create greater interoperability among global privacy frameworks that better allow differing data protection regimes to work together to support compliance, privacy, and innovation. Together with privacy stakeholders from around the world, we are also thinking about how to evolve the frameworks that have governed aspects of the protection of personal data for the data age.

Privacy in Office 365

Microsoft understands that strong privacy protections are essential for building trust in cloud computing, and implements them in Office 365 as follows:

- Data use: Microsoft details how it manages and uses customer data, and provides explicit statements that Microsoft uses customer data only for maintaining and securing Office 365 services. Office 365 does not use customer data to create advertisements.
- Shared data storage: To enable cost savings and efficiencies for data storage, Microsoft stores customer data from multiple customers on the same equipment (known as a multi-tenant architecture). However, the company goes to great lengths to help ensure that multi-tenant deployments of Office 365 [1] logically separate the data (and processing) of different accounts and support the privacy and security of the data stored.
- Data portability: Microsoft enables Office 365 customers to export any or all of their data at any time and for any reason, without any assistance from Microsoft. Even after an Office 365 account expires or is closed, customers by default have limited access for an additional 90 days to export data.
- Transparency: The Office 365 Trust Center and the Microsoft Trust Center detail the policies and practices that Microsoft uses to protect customer data. The Microsoft Transparency Hub provides customers with direct access to several reports regarding law enforcement and government access to customer data.
- Access: Microsoft identifies who can access customer data and the circumstances under which they can access it. Microsoft also logs and reports all access to customer data and other critical data. Additionally, Microsoft and its third-party auditors conduct sample audits to help ensure that the customer’s data is accessed only for appropriate business purposes.
- Geographic location of data: For customers interested in knowing where their data is stored, including the assignment of private storage locations, Microsoft tells customers where its major datacenters are located, and how it determines where data is stored at rest. Office 365 administrators can also choose to receive updates to changes in datacenter locations. Microsoft does not control or limit the regions from which a customer or its users may access or move customer data.

Microsoft recognizes that cloud services often raise unique security and privacy questions for business, education, and government customers, so we have adapted our Office 365 policies and governance programs to address customer concerns, facilitate regulatory compliance, and to build greater trust in Office 365 and cloud computing. For example, we contractually commit to specific data handling processes as part of our agreements for Exchange Online, SharePoint Online, Skype for Business, and other cloud services. We also provide customers with flexible management tools that help protect sensitive data and support compliance with government privacy and security guidelines. Such transparent policies and strong tools are essential for our customers as they deal with the privacy and security questions that arise from their use of cloud services.

[1] This link points to a document available on the Microsoft Cloud Service Trust Portal (STP). For information on how to access the STP, see Get started with the Service Trust Portal for Office 365 for business, Azure, and Dynamics CRM Online subscriptions.

Office 365 is built with an emphasis on strong data protection. Reflecting Microsoft’s approach to privacy by design, a team of privacy professionals has been dedicated to Office 365 since the beginning of the development cycle and has worked and continues to work in close partnership with engineers, business planners, and marketers. Consequently, privacy has been an integral part of Office 365 from the beginning, not an afterthought. In addition, employees throughout the organization are accountable for managing the service’s privacy and security risks. The result is an enterprise cloud service with robust data protections that reflect Microsoft’s core privacy tenets of responsibility, transparency, and choice.

Microsoft understands that managing customer information is a responsibility that includes important security and privacy obligations. This is particularly true for cloud-based services such as Office 365. We have a broad network of people and processes that implement our privacy standards and provide privacy guidance and training. If a privacy incident occurs, we have rigorous procedures to address the problem, diagnose the cause, and update customers in a timely manner.

Criteria for determining appropriate levels of privacy and security in the cloud are changing rapidly. What matters most today may be a low priority tomorrow. As a result, when evaluating a cloud provider, organizations would be wise to consider the depth and breadth of the provider’s governance model and its ability to quickly adapt to changing privacy priorities.

With Office 365, we have employed a variety of risk management mechanisms to appropriately manage regulatory change, organizational change, personnel change, and technological change. Before any of the services that are part of Office 365 launch to the public, subject-matter experts conduct privacy, security, and business continuity risk assessments on each service and work closely with the service owners to remediate any identified risks. After launch, we use a process of continuous monitoring to ensure that our data protection systems are functioning properly. We test required functionality annually, semi-annually, quarterly, monthly, or at the time of each new release, depending on the level of risk associated with the particular privacy or security control. We also conduct regular risk assessments to refresh the control framework and, if necessary, to reset priorities if new aspects of the service emerge as high-risk. This multi-layered and continuous approach to monitoring the Office 365 data protection environment helps us quickly diagnose and remedy problems that occur and helps our customers respond quickly to shifting regulatory or industry requirements.

Microsoft’s Approach to Regulatory Compliance

Just as Microsoft has a responsibility to process our enterprise customers’ information in a trustworthy manner, many of our customers have a responsibility to comply with national, regional, and industry-specific requirements governing the collection and use of individuals’ data. As a provider of global cloud services, we must run our services with common operational practices and features that span multiple customers and jurisdictions. To fulfill our privacy responsibility to our customers as well as help our diverse customer base fulfill its regulatory obligations, we set the bar high and then build our services to meet that bar using common privacy and security controls.
While it is ultimately up to our customers to determine whether our services satisfy their specific regulatory needs, we are committed to providing detailed information about our cloud services to help them in their assessments.

One tool we have developed to facilitate customers’ assessments of Office 365 is the Microsoft Trust Center, an online repository of detailed information about Office 365 privacy and security practices. For example, on the Regulatory Compliance page of the Trust Center, we explain how we believe Office 365 helps facilitate compliance with a range of major statutes, from European Union data protection laws to the U.S. Gramm-Leach-Bliley Act, which includes provisions on the protection of consumers’ financial information.

Another resource we offer to help customers evaluate Office 365 is detailed information about the well-recognized certifications that the service has attained. On the Security, Audits, and Certifications page of the Trust Center, customers can locate information about the certifications held by both Office 365 and the Microsoft datacenters that host the service. On the Microsoft Cloud Service Trust Portal and within the Service Assurance dashboard, we also enable customers to download third-party audit reports for Office 365, Azure, and more. By making this information readily available, we empower customers to validate that what we say about our security and privacy practices has been affirmed by an accredited third party.

Support for EU-U.S. Privacy Shield

Microsoft supports the recently announced EU-U.S. Privacy Shield, which sets a new high standard for the protection of Europeans’ personal data. The Privacy Shield secures Europeans’ right to legal redress, strengthens the role of data protection authorities, introduces an independent oversight body, and it clarifies data collection practices by U.S. security agencies. In addition, it introduces new rules for data retention and onward transfer of data. Key Privacy Shield provisions will also be extended to alternative data transfer mechanisms, such as EU Model Clauses. Microsoft has begun the process of implementing the Privacy Shield requirements, which it previously announced it would sign up for in April 2016.

On August 1, 2016, Microsoft signed up for the EU-U.S. Privacy Shield and submitted its Privacy Shield certification to the U.S. Department of Commerce.
Going forward, any data which we will transfer from Europe to the United States will be protected by the Privacy Shield’s safeguards. [2]

Using Customer Data Only for Providing Services

Responsible cloud providers must have strong internal policies in place that clearly delineate what the provider and its partners can and cannot do with customer information. In Office 365, we use our customers’ data only for what they pay us for—to maintain and provide Office 365 services. As part of providing a quality service, we will troubleshoot in order to prevent, identify, or repair problems and to improve features that protect our customers. Microsoft does not build advertising products out of our customers’ data. We also don’t scan our customers’ email or documents for the purpose of building analytics, data mining, advertising, or improving the service without our customers’ permission.

Government Access to Customer Data

Microsoft does not provide any government with direct and unfettered access to its customers’ data, and Microsoft does not provide any government with its encryption keys or the ability to break its encryption. If a government entity approaches Microsoft directly with a request related to a Microsoft Online Services customer, Microsoft will first try to redirect the entity to the customer to respond. If Microsoft is required to respond to the demand, Microsoft will promptly notify the customer and provide a copy of the demand (unless legally prohibited).

Microsoft publishes its law enforcement requests report to identify the number and types of requests it receives and its compliance with those requests. Microsoft recently received permission from the U.S. government to publish information about Foreign Intelligence Surveillance Act orders and National Security Letters.

[2] See 1/microsoft-signs-privacy-shield/ for the official announcement.

Trust with Transparency

Although many organizations cite privacy and security concerns as major obstacles to their adoption of cloud services, information on the privacy and security practices of many cloud providers is either difficult to find or indecipherable to all but the most astute IT professionals. To help our customers find answers to their privacy and security questions about Office 365, we strive to be as transparent as possible about our data protection policies and procedures.

The centerpiece of our transparency efforts is the Microsoft Trust Center, which includes several service Trust Centers:

- Office 365
- Microsoft Azure
- Microsoft Commercial Support
- Microsoft Dynamics AX
- Microsoft Dynamics CRM Online
- Microsoft Intune
- Microsoft National Clouds
- Power BI

The Microsoft Trust Center is designed to provide answers to questions that customers have about our cloud services, such as who can access their data, where their data is stored, and how they can verify that Microsoft is doing what it says. Our compliance is independently audited, and we’re transparent on many levels—from how we handle legal demands for your customer data to the security of our code.

We offer detailed trust information on each of our cloud services. For example, on the Office 365 Trust Center, we describe our approach to security, privacy, compliance, and transparency. We state clearly that customers own their data and that we are the custodian or processor of your data.
And that because it is your data, if you ever choose to leave the service, you can take your data with you.

Regulatory Compliance in Office 365

To help organizations comply with national, regional, and industry-specific requirements governing the collection and use of individuals’ data, Microsoft offers the most comprehensive set of certifications and attestations of any cloud service provider. To demonstrate that these controls deliver compliance you can rely on, Microsoft enterprise cloud services are independently validated through certifications and attestations, as well as third-party audits. In-scope services within the Microsoft Cloud meet key international and industry-specific compliance standards, as well as regional and country-specific standards and contractual commitments. In addition, rigorous third-party audits validate the adherence of our cloud services to the strict requirements these standards mandate.

Customers can view by service, location, and industry, all of the global standards to which Office 365 and other Microsoft cloud services conform on the Compliance page of the Microsoft Trust Center.

Microsoft Privacy Resources

Listed below is a sampling of the privacy resources from Microsoft that are available to customers and prospective customers.

- Microsoft Privacy Practices
- Privacy Guidelines for Developing Software Products and Services
- Microsoft Trustworthy Computing
- Privacy Models
- Microsoft Online Services Privacy Statement
- Cloud Privacy at Microsoft
- Microsoft Transparency Hub - Law Enforcement Requests
- Brad Smith blog post - Responding to government legal demands for customer data
- Brad Smith blog post - Our search warrant case: An important decision for people everywhere
- John Frank blog post - EU-U.S. Privacy Shield: Progress for privacy rights
- EU Policy blogs from Microsoft on Privacy

Microsoft has also created a guide called Building Global Trust Online, 4th Edition: Microsoft Perspectives for Policymakers, which was compiled from extensive work and ongoing research by Microsoft teams, as well as consultation with external subject-matter experts to provide ongoing education about policy topics related to privacy, security, safety, and accessibility.

Summary

Since Microsoft recognizes that privacy and security are major concerns for cloud customers, we developed Office 365 from the ground up with strong data protection in mind. Microsoft’s privacy principles and privacy standards guide the collection and use of customer and partner information at Microsoft and give our employees a clear framework to help ensure that we manage data responsibly. The Microsoft Corporate Privacy Policy comprises six key privacy principles for the protection and appropriate use of customer information, such as information submitted by customers, data obtained from third parties, and data that is automatically collected.

Microsoft recognizes that cloud services often raise unique security and privacy questions for business, education, and government customers, so we have adapted our Office 365 policies and governance programs to address customer concerns, facilitate regulatory compliance, and to build greater trust in Office 365 and cloud computing. Reflecting Microsoft’s approach to privacy by design, a team of privacy professionals was dedicated to the product early in the development cycle and worked in close partnership with engineers, business planners, and marketers. Consequently, privacy has been an integral part of Office 365 from the beginning, not an afterthought. In addition, employees distributed throughout the organization are accountable for managing the service’s privacy and security risks. The result is an enterprise cloud service with robust data protections that reflect Microsoft’s core privacy tenets of responsibility, transparency, and choice.
