The diagnostics Microsoft Office collects from users should be a source of concern for any government CISO, according to a DPIA audit
ComputerWeekly reported: "A report commissioned by the Dutch government has recommended disabling any settings in Microsoft Office 2016 that send data to Microsoft servers. Dutch government users have also been advised to consider alternatives to Microsoft Office.
A Data Protection Impact Assessment (DPIA) conducted by Privacy Company for the Dutch Ministry of Security and Justice has found that Microsoft has been collecting vast amounts of personal data.
“Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook.
“Covertly, without informing people, Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded,” Privacy Company wrote in a blog post covering its findings.
While Microsoft is considered a data processor, the report warned that the way it collects data from users for diagnostics means it should be classified as a joint controller as defined in article 26 of the GDPR.
The DPIA report recommended IT administrators for Dutch government users configure the “zero exhaust” setting in Microsoft Office to prevent sensitive data from being leaked and centrally prohibit the use of Microsoft Connected Services for spell checking and language translation, as well as disabling access to SharePoint Online, OneDrive Online and the web version of Office 365 Live.
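The recommendations above are expressed as policy settings that an administrator pushes out and then has to verify stayed in place. The following PowerShell audit script is an added example written for this cross-post; it is not code from ComputerWeekly, Privacy Company, the Dutch ministry or Microsoft. It assumes an Office 16.0 (Office 2016 / Microsoft 365 Apps) policy hive under `HKCU:\Software\Policies\Microsoft\Office\16.0\Common`, and the value names `SendTelemetry`, `DisconnectedState`, `UserContentDisabled`, `DownloadContentDisabled` and `ControllerConnectedServicesEnabled` are taken from Microsoft's documented Office diagnostic-data and privacy policy settings; the value 3 for `SendTelemetry` ("Neither") is the closest documented equivalent of the "zero exhaust" level the DPIA refers to. Confirm the names and values against the ADMX templates shipped with your Office build before relying on them.

```powershell
# Added example, not from the article or the DPIA: audit (and optionally enforce)
# the per-user Office policy values that govern diagnostic data and connected
# services. Value names/levels are assumed from Microsoft's documented Office
# privacy policies; verify them against your ADMX templates.

[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports drift
)

$policyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common'

# Desired state: relative key, value name, required DWORD, and what it means.
$desired = @(
    @{ Key = 'ClientTelemetry'; Name = 'SendTelemetry';                      Value = 3; Meaning = 'diagnostic data level: Neither' },
    @{ Key = 'Privacy';         Name = 'DisconnectedState';                  Value = 2; Meaning = 'connected experiences disabled' },
    @{ Key = 'Privacy';         Name = 'UserContentDisabled';                Value = 2; Meaning = 'content-analysing services (online spell check, translation) disabled' },
    @{ Key = 'Privacy';         Name = 'DownloadContentDisabled';            Value = 2; Meaning = 'online content downloads disabled' },
    @{ Key = 'Privacy';         Name = 'ControllerConnectedServicesEnabled'; Value = 2; Meaning = 'optional connected experiences disabled' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value absent: Office falls back to its built-in default
    }
}

$results = foreach ($d in $desired) {
    $path    = Join-Path $policyRoot $d.Key
    $current = Get-PolicyValue -Path $path -Name $d.Name
    $ok      = ($current -eq $d.Value)

    if (-not $ok -and $Apply) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $d.Name -PropertyType DWord -Value $d.Value -Force | Out-Null
        $current = $d.Value
        $ok      = $true
    }

    [pscustomobject]@{
        Setting   = "$($d.Key)\$($d.Name)"
        Expected  = $d.Value
        Current   = if ($null -eq $current) { '(not set)' } else { $current }
        Compliant = $ok
        Meaning   = $d.Meaning
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or configuration-management run
# flag the workstation as having drifted from the required settings.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run it without switches from a standard user session to see which values are missing or set to a less restrictive level; `-Apply` writes the restrictive values for the current user only. In a domain the same values should come from Group Policy (HKCU Policies keys are overwritten at the next policy refresh), so the script is most useful as a drift check that the GPO actually reached the machine, and it does nothing about the separate SharePoint Online, OneDrive and Office web-app access restrictions the DPIA also calls for, which are tenant-side controls.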
It also recommended IT administrators periodically delete the Active Directory account of some VIP users, and create new accounts for them, to ensure Microsoft deletes the historical diagnostic data.
The DPIA also urged government users to consider using a standalone deployment without a Microsoft account for confidential/sensitive data. However, Microsoft has been actively pushing its software as a service (SaaS) product over on-premise Office.
But, as Computer Weekly has previously reported, with Office 2019, government users are seeing a big price hike for the on-premise version compared to the SaaS product, which effectively means government users will have to pay more to keep their sensitive data private."
Cross-posted with grateful acknowledgment to ComputerWeekly.