Microsoft Cloud Adopts Global Privacy Standard

Earlier this week, Microsoft announced that it was the first major cloud provider to adopt the international standard for cloud privacy - ISO/IEC 27018.

ISO/IEC 27018 was developed by the International Organization for Standardization (ISO) to establish a uniform approach to protecting personal data stored in the cloud.

The British Standards Institute (BSI) has independently verified that in addition to Microsoft Azure - which we announced late in 2014 - both Office 365 and Dynamics CRM Online are aligned with the standard’s code of practice for the protection of Personally Identifiable Information (PII) in the public cloud. Another independent assessor - Bureau Veritas - has undertaken the same verification for Microsoft Intune.

So what does this mean for customers of Microsoft cloud services?

  • ISO 27018 verified services are “advertising-free”: cloud service providers (CSPs) complying with ISO 27018 cannot use customer data for purposes such as advertising and marketing without the customer’s express consent. Moreover, the provider must not require customer consent to advertising as a condition of the customer’s use of the service. Microsoft has a longstanding commitment not to use data processed by its commercial cloud services for advertising purposes.
  • ISO 27018 verified services have clear policies for the return, transfer, and/or secure disposal of personal information: as a best practice under ISO 27018, the CSP should establish a retention period after which customer data will be permanently returned or deleted and removed from all services. After a customer subscription ends, Microsoft retains customer data for 90 days and deletes it within 180 days.
  • ISO 27018 verified services disclose sub-processors: ISO 27018 guides CSPs to disclose the identities of any sub-processors they engage that process personal data. And if anything changes, the CSP should inform customers promptly to give them an opportunity to object and terminate their agreement.

The importance of standards in the cloud and the significance of ISO/IEC 27018 were called out recently in a blog post by the former Australian Privacy Commissioner and Managing Director of IIS, Malcolm Crompton.

To quote Malcolm on ISO/IEC 27018: “It serves as a useful reference point that will promote confidence and trust for the increasing number of organisations seeking to apply cloud solutions to their personal information assets.”

ISO/IEC 27018 was also referenced by the Office of the Australian Information Commissioner (OAIC) in its recent Guide to securing personal information. This guide, published earlier this year, helps organisations to meet their requirements under the Privacy Act and understand what reasonable steps they can take to protect personal information. It features a section specifically on third party services (including cloud computing) and calls out compliance with international standards as one way of helping to verify the security and privacy claims of cloud service providers.