
Microsoft Office 365 cloud data privacy rules explained

Microsoft complies with a number of standards to reassure Office 365 customers that it doesn’t look at their data, though it certainly could.

One of the first questions people ask about cloud computing platforms surrounds cloud data privacy.

In the case of Office 365, customers own their own data and Microsoft complies with a number of international standards to reassure customers that it doesn't look at that data.

"Though they certainly can," said Carl Brooks, analyst with Tier1 Research, a technology analyst company based in New York.

By comparison, Google search-mines its customer data for the betterment of its product and for other purposes as laid out in Google's privacy policy. But Google Apps for Business customers who pay for their services can restrict Google's search-mining tactics.

"It is something negotiated individually with Google -- and of course doesn't remove the actual fact that Google is in full control of user data," Brooks said.

Microsoft, comparatively, has worked for some time to assure customers of the cloud data privacy protection and security standards that Office 365 can meet, while maintaining a generally multi-tenant cloud service, said Wes Miller, an analyst with Directions on Microsoft, an independent analyst firm based in Kirkland, Wash.

Microsoft Office 365 customers retain all rights, title and interest in the data they store. At any time, customers can remove their data or download a copy without any assistance from Microsoft. If a customer closes their account, Microsoft provides additional limited access for 90 days to export their data.

Microsoft also undergoes third-party audits each year to prove that it complies with policies and procedures for security, privacy, continuity and data handling, the company said in an email.

The ISO 27001 security benchmark that Office 365 abides by is an example of that.


Office 365 also conforms to EU Model Clauses that address international transfer of data. For companies that need to comply with the Health Insurance Portability and Accountability Act (HIPAA), Microsoft will sign requirements for the HIPAA business associate agreement. The company also offers a standard data processing agreement (DPA) to all customers, which addresses privacy, security and handling of customer data. The DPA allows customers to comply with their local regulations.

Microsoft's willingness to comply with ISO, EU Model Clauses and HIPAA may make potential customers more comfortable with using its cloud-based productivity offerings.

"I have not examined their liability in the event of violating the terms of these contracts, but it is a good first step for organizations that must remain compliant to the standards themselves," Miller said.

Microsoft may also attest to certain compliance standards that many organizations -- especially smaller ones -- can't afford to, Miller said.

"In some ways, while people may wag their finger at the cloud in concern about compliance and security, it's a double-edged sword," he said. "If you host Exchange, Lync and SharePoint in your own data center -- or even more likely, in a data center where you're subletting rack space -- are you more or less cautious with your data and practical about your security than Microsoft or Google, for that matter, would be?"

Additional details on Office 365 privacy can be found in the Data Portability section of the Trust Center.


What are your thoughts on Office 365?
Security is obviously a concern as is the inexorable rise in network traffic caused by the unnecessary use of cloud storage, tho' may be more of a general cloud issue than (MS Office 365). 

Use of cloud storage in the drop box model is one thing but the trend towards storing everything in the cloud is a terrific waste of electrical energy resources, the internet is already using a sizeable proportion of the electrical energy produced by the planet and this is set to size over the coming decades (IET review) to become the dominant use of electricity (or would do if energy resources were not finite ;-)

Even tho' MS may sign any number of agreements to implement and abide by standards etc. they are a large organisation with many thousands of employees (not all of whom will share MS altruistic motives and a few of which may see a way to a fast buck, by accident or design) and MS are a very high profile target for the unscrupulous making data theft by hackers that much more likely.
It goes down too much and they read your data
"if it can happen, It Will"
Like horsemeat in lasagne, it is in a company's best interests to do what is right.

I believe that MS has grown up as a global corp and has enough safeguards to prevent breaches of these codes.
We need to be CJIS compliant
All it takes is a disgruntled MS staff member to take your data and sell it to the highest bidder...
I find cloud really interesting to use, especially that I have to store all my work in the cloud. Hope I will get more space like a Terabyte. Most probably in one way or another cloud is the In thing
If we don't save documents in the cloud... and save locally, does MS have access to my documents - Not sure.
Does MS have access to my Outlook data? Is data stored on MS servers (am using POP3 ONLY)? - not clear