On behalf of the Ministry of Justice and Security, Privacy Company analysed the data protection risks of the use of Microsoft's Intune service. This service enables system administrators to encrypt information on end-users' mobile devices, for example. Privacy Company also assessed the risks of the use of the Microsoft Office 365 for the Web and the Office apps for iOS and Android mobile phones. With the Ministry's permission, we are publishing two blogs about our findings, this blog about Intune and the second blog about Office 365 for the Web and the mobile Office apps.
For questions about these reports, please contact SLM Microsoft Rijk (Strategic Vendor Management Microsoft Rijk), via the press spokesperson of the Ministry of Justice, + 31 70 370 73 45.
Worldwide improvement of Microsoft's data protection conditions
In May 2019, SLM Microsoft Rijk concluded new data protection terms and conditions with Microsoft for the 300,000 digital workplaces of the central Dutch government. These workplaces at the ministries, the Tax and Customs Administration, the police, the judiciary, and independent administrative bodies are equipped with the corporate (Enterprise) versions of Microsoft's online services, such as Office 365.
In January 2020, Microsoft implemented some of these improvements worldwide in the data protection conditions for its volume-licensed online services for businesses and enterprises. See the Online Service Terms, with the separate Data Protection Addendum, of June and January 2020 respectively.
As a result of this Data Protection Impact Assessment (DPIA), Microsoft has committed to mitigating two of the five low risks. These commitments are described at the end of this blog. Additionally, also as a result of the other DPIA on Office for the Web and the mobile Office apps, Microsoft will once again implement worldwide improvements in its data protection conditions as of 1 August 2020.
What is Intune?
Intune is an online management and security service for all kinds of end-user devices: not only Windows and macOS desktops and laptops, but also mobile phones and tablets running the iOS and Android operating systems. Government organisations can use Intune to centrally register personal and business mobile devices, and to encrypt the personal data on those devices. Organisations can also use Intune to prevent users from setting their devices to an insecure mode, and to completely or selectively wipe a device if it is lost.
Government organisations can use Intune for two different security purposes, namely (1) to control the access of apps on the devices to the (personal) data and (2) to enforce information security policies when using the devices. Intune's two management options are referred to below as MAM (Mobile Application Management) and MDM (Mobile Device Management).
The DPIA describes two different ways to enroll devices in Intune: (1) by employees themselves, as personal devices, or (2) by system administrators, as corporate devices. Intune also offers the possibility to have devices fully managed (supervised mode), but this type of management falls outside the scope of this report. Employees cannot install personal apps on such devices.
The report covers two types of data processing: the processing of diagnostic data on Microsoft's Intune cloud servers, and data processing via the Intune Company Portal app. Users of self-managed devices must install this app in order to have their devices managed through Intune. Only users of devices running Windows 10 can log in to Intune without the app, using a browser. This DPIA also addresses the use of the Microsoft Azure Active Directory, as its use is mandatory for both types of Intune management: Mobile Device Management (MDM) and Mobile Application Management (MAM).
Result: five low data protection risks
The result of this DPIA is that there are five low risks for data subjects (the users of the terminal equipment). These data protection risks result from the following circumstances:
The five low data protection risks are:
The low assessment of the risks is mainly due to the relatively innocent nature of the diagnostic data: no content or otherwise sensitive data, and no detailed records of individual behaviour. In addition, government organisations can take effective measures to prevent the collection of sensitive data from the devices.
If the system administrators of the government organisations follow the advice in the report, there are no known high data protection risks when they use Intune.
Recommended measures for government organisations
Measures Microsoft
This report was completed on 31 March 2020. As a result of negotiations between SLM Microsoft Rijk and Microsoft between April and June 2020, Microsoft committed to implementing measures to mitigate two of the five low data protection risks. These measures are:
These measures will have to be implemented at the latest in the fall of 2020. SLM Microsoft Rijk will publish an update about the implementation progress in early 2021, together with an update about the agreed measures in connection with the recent DPIA about processing through Office 365 for the Web and the mobile Office apps.
The how and why of these recommendations are explained in the new DPIA report for SLM Microsoft Rijk. Also see the second new DPIA report on data processing via Office 365 for the Web and the mobile Office apps.