Privacy at Microsoft
Our customers own and control their data
We set and adhere to stringent privacy standards
Microsoft understands that when you, our customer, use our services, you entrust us with your most valuable asset: your data. You trust that its privacy will be protected and that it will be used only in a manner consistent with your expectations. We back that trust with strong, contractual commitments to safeguard customer data.
We build privacy into our services
Governed by Microsoft privacy policies and the Microsoft Privacy Standard, privacy is built into the infrastructure of Microsoft cloud services.
The Microsoft Privacy Standard is the cornerstone of the privacy program at Microsoft. This authoritative document includes the business processes we follow to achieve privacy compliance, and it delineates the general privacy requirements for developing and deploying Microsoft products and services. It sets rules to help us keep your customer data secure, and handle and store it in a way that helps safeguard its privacy.
Microsoft Security Development Lifecycle (SDL). Privacy requirements are defined and integrated early in the SDL, the software development process that helps developers build products and services that are more secure. As part of this process, the SDL helps address data protection and privacy requirements, including effective privacy reviews of each release of a Microsoft product or service.
The Microsoft Online Services Privacy Statement describes, in clear and straightforward language, the data protection policies and practices that apply to those services.
Microsoft contractual commitments back our privacy best practices
Microsoft makes broad contractual commitments to business customers in the Online Services Terms. Microsoft will use customer data only to provide the services agreed upon, and for purposes compatible with providing those services. We do not use customer data, or derive information from it, for advertising.
Furthermore, we will not disclose customer data hosted in Microsoft business services to a government agency unless required by law. If law enforcement demands customer data, we will attempt to redirect the agency to request that data directly from the customer. If we are compelled to disclose customer data to law enforcement, we promptly notify the customer and provide a copy of the demand, unless legally prohibited from doing so.
In addition, we make specific, contractual, privacy-related commitments:
ISO/IEC 27018 was developed to establish a uniform international approach to protecting the privacy of personal data stored in the cloud by data processors. Microsoft was the first major cloud provider to adopt this first international code of practice for cloud privacy. As part of the certification process for ISO/IEC 27001, accredited certification bodies independently verified that the in-scope services of Azure, Microsoft Professional Services, Dynamics 365, Dynamics 365 U.S. Government, Intune, Office 365, Office 365 U.S. Government, Power BI, and Visual Studio Team Services have incorporated the ISO/IEC 27018 controls. Those controls include a prohibition on the use of customer data for advertising and marketing purposes without the customer's express consent. Microsoft contractually commits to complying with ISO/IEC 27018.
European Union (EU) data protection law regulates the transfer of personal data from EU customers to countries outside the EU. Microsoft offers customers the EU Standard Contractual Clauses that provide specific guarantees around transfers of personal data for in-scope services. Europe’s privacy regulators have determined that the contractual privacy protections that Azure, Microsoft Professional Services, Dynamics 365, Intune, Office 365, Power BI, and Visual Studio Team Services deliver to their customers meet current EU standards for international transfers of data. Microsoft was the first cloud provider to receive this recognition.
The My Number Act (Japanese and English) was enacted in 2013, and took effect in January 2016. It assigns a unique number—My Number is also called the Social Benefits and Tax Number—to every resident of Japan, whether Japanese or foreign. The Personal Information Protection Commission has issued guidelines and Q&A (in Japanese) to ensure that companies properly handle and adequately protect My Number data as required by law.
While the responsibility and ownership of personal data is with our customers, per the Online Services Terms, Microsoft contractually commits that Azure, Dynamics 365, Intune, and Office 365 in-scope cloud services have implemented technical and organizational security safeguards to help our customers protect individuals’ privacy. These safeguards are based on established industry standards, such as ISO and Service Organization Controls (SOC).
Furthermore, Microsoft does not have standing access to My Number data stored in these in-scope cloud services, so companies do not need to supervise handling of data by Microsoft (as outlined in Q3-12). Nonetheless, companies are required to take appropriate safety measures to protect My Number data stored in the cloud (Q3-13).
In accordance with the Argentine National Constitution, the Argentina Personal Data Protection Act 25,326 aims to protect personal information recorded in data files, registers, banks, and elsewhere, to help protect the privacy of individuals, and to provide a right of access to the information that may be recorded about them. In a data transfer agreement, we contractually commit that Azure, Dynamics 365, Intune, and Office 365 in-scope services have implemented the applicable technical and organizational security measures stated in Regulation 11/2006 of the Argentine Data Protection Authority. Moreover, we make important commitments regarding notifications, auditing of our facilities, and use of subcontractors.
Canadian privacy laws—such as the Privacy Act, Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta Personal Information Protection Act (PIPA), and British Columbia Freedom of Information and Protection of Privacy Act (BC FIPPA)—aim to protect the privacy of individuals, and give them the right to access information gathered about them. The laws require organizations to take reasonable steps to safeguard information in their custody or control, and cover personal information that is held and processed by governments and private organizations in data files, registers, and elsewhere.
Ultimately, the responsibility and ownership of personal data lies with our business customers, per the Online Services Terms. However, Microsoft contractually commits that Azure and Intune in-scope services have implemented security safeguards to help them protect the privacy of individuals, based on established industry standards such as ISO/IEC 27001 and the SOC framework. We have assessed our practices in risk, security, and incident management; access control; data integrity protection; and other areas relative to the recommendations from the Office of the Privacy Commissioner of Canada, and have determined that the in-scope services are capable of meeting those recommendations.