
Dutch audit finds Microsoft Office leaks confidential data

The diagnostics Microsoft Office collects from users should be a source of concern for any government CISO, according to a DPIA audit

A report commissioned by the Dutch government has recommended disabling any setting in Microsoft Office 2016 that sends data to Microsoft servers.

Dutch government users have also been advised to consider alternatives to Microsoft Office.

A Data Protection Impact Assessment (DPIA) conducted by Privacy Company for the Dutch Ministry of Security and Justice has found that Microsoft has been collecting vast amounts of personal data.

“Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook.

“Covertly, without informing people, Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded,” Privacy Company wrote in a blog post covering its findings.

While Microsoft is considered a data processor, the report warned that the way it collects diagnostic data from users means it should be classified as a joint controller as defined in Article 26 of the GDPR.

The DPIA report recommended that IT administrators for Dutch government users configure the “zero exhaust” setting in Microsoft Office to prevent sensitive data from being leaked, centrally prohibit the use of Microsoft Connected Services for spell checking and language translation, and disable access to SharePoint Online, OneDrive Online and the web version of Office 365 Live.


It also recommended that IT administrators periodically delete the Active Directory accounts of some VIP users and create new accounts for them, to ensure Microsoft deletes the historical diagnostic data associated with the old accounts.

The DPIA also urged government users to consider a standalone deployment without a Microsoft account for confidential or sensitive data. However, Microsoft has been actively pushing its software as a service (SaaS) product over on-premises Office.

But, as Computer Weekly has previously reported, with Office 2019 government users face a big price hike for the on-premises version compared with the SaaS product, which effectively means they will have to pay more to keep their sensitive data private.

“We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws. We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns,” Microsoft said.
