Microsoft Office 365 cloud data privacy rules explained

Microsoft complies with a number of standards to reassure Office 365 customers that it doesn't look at their data, though it certainly could.

One of the first questions people ask about cloud computing platforms surrounds cloud data privacy.

In the case of Office 365, customers own their own data and Microsoft complies with a number of international standards to reassure customers that it doesn't look at that data.

"Though they certainly can," said Carl Brooks, analyst with Tier1 Research, a technology analyst company based in New York.

By comparison, Google search-mines its customer data for the betterment of its product and for other purposes as laid out in Google's privacy policy. But Google Apps for Business customers who pay for their services can restrict Google's search-mining tactics.

"It is something negotiated individually with Google -- and of course doesn't remove the actual fact that Google is in full control of user data," Brooks said.

Microsoft, comparatively, has worked for some time to assure customers of the cloud data privacy protection and security standards that Office 365 can meet, while maintaining a generally multi-tenant cloud service, said Wes Miller, an analyst with Directions on Microsoft, an independent analyst firm based in Kirkland, Wash.

Microsoft Office 365 customers retain all rights, title and interest in the data they store. At any time, customers can remove their data or download a copy without any assistance from Microsoft. If a customer closes their account, Microsoft provides additional limited access for 90 days so they can export their data.

In addition, Microsoft undergoes third-party audits each year to prove that it complies with policies and procedures for security, privacy, continuity and data handling, the company said in an email.

The ISO 27001 security standard that Office 365 adheres to is one example of that.


Office 365 also conforms to the EU Model Clauses that address international transfer of data. For companies that need to comply with the Health Insurance Portability and Accountability Act (HIPAA), Microsoft will sign a HIPAA business associate agreement. The company also offers a standard data processing agreement (DPA) to all customers, which addresses the privacy, security and handling of customer data; the DPA helps customers comply with their local regulations.

Microsoft's willingness to comply with ISO 27001, the EU Model Clauses and HIPAA may make potential customers more comfortable with using its cloud-based productivity offerings.

"I have not examined their liability in the event of violating the terms of these contracts, but it is a good first step for organizations that must remain compliant to the standards themselves," Miller said.

Microsoft may also attest to certain compliance standards that many organizations -- especially smaller ones -- can't afford to, Miller said.

"In some ways, while people may wag their finger at the cloud in concern about compliance and security, it's a double-edged sword," he said. "If you host Exchange, Lync and SharePoint in your own data center -- or even more likely, in a data center where you're subletting rack space -- are you more or less cautious with your data and practical about your security than Microsoft or Google, for that matter, would be?"

Additional details on Office 365 privacy can be found in the Data Portability section of the Trust Center.
