IT Security

Cloud adopter

by Mark Rowe

The IT firm Microsoft reports that it has adopted an international standard for cloud privacy. The standard in question may seem technical, but it has important practical benefits for enterprise customers, writes Brad Smith, Microsoft's General Counsel and Executive Vice President of Legal and Corporate Affairs. ISO/IEC 27018 was developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as a uniform, international approach to protecting personal data that is stored and processed in the public cloud; it builds on the general security controls of ISO/IEC 27002 with additional controls specific to personally identifiable information.

The British Standards Institution (BSI) has now independently verified that Microsoft Azure, Office 365 and Dynamics CRM Online are aligned with the standard's code of practice for the protection of Personally Identifiable Information (PII) in the public cloud. Bureau Veritas has done the same for Microsoft Intune.

About the standard: visit the BSI website.

As BSI points out, liability for breach of data protection rules rests with the data controller, in other words the customer using the cloud service, not the provider, which acts as a processor on the customer's behalf. Hence the value of an auditable standard aimed at cloud service providers in that processor role: it gives the customer evidence that the supplier can deliver the service and keep personal data confidential, available and intact. Note that ISO/IEC 27018 is a code of practice rather than a certifiable management-system standard in its own right, so "alignment" is demonstrated by an audit of the provider's ISO/IEC 27001 information security management system against the 27018 controls; a customer doing due diligence should ask which services and which data centres were in scope of that audit.

As for government access to personal data, an issue brought to prominence by the whistle-blower Edward Snowden's disclosures about US surveillance, Microsoft says that the standard requires the provider to notify the enterprise customer of any law enforcement request for disclosure of personally identifiable data, unless such notification is itself prohibited by law.

Smith said: “We’re optimistic that ISO 27018 can serve as a template for regulators and customers alike as they seek to ensure strong privacy protection across geographies and vertical industry sectors.

“Adherence to ISO 27018 assures enterprise customers that privacy will be protected in several distinct ways:

“You are in control of your data. Our adherence to the standard ensures that we only process personally identifiable information according to the instructions that you provide to us as our customer.

“You know what’s happening with your data. Adherence to the standard ensures transparency about our policies regarding the return, transfer, and deletion of personal information you store in our data centres. We’ll not only let you know where your data is, but if we work with other companies who need to access your data, we’ll let you know who we’re working with. In addition, if there is unauthorised access to personally identifiable information or processing equipment or facilities resulting in the loss, disclosure or alteration of this information, we’ll let you know about this.

“We provide strong security protection for your data. Adherence to ISO 27018 provides a number of important security safeguards. It ensures that there are defined restrictions on how we handle personally identifiable information, including restrictions on its transmission over public networks, storage on transportable media, and proper processes for data recovery and restoration efforts. In addition, the standard ensures that all of the people, including our own employees, who process personally identifiable information must be subject to a confidentiality obligation.

“Your data won’t be used for advertising. Enterprise customers are increasingly expressing concerns about cloud service providers using their data for advertising purposes without consent. The adoption of this standard reaffirms our longstanding commitment not to use enterprise customer data for advertising purposes.”


© 2024 Professional Security Magazine. All rights reserved.
