Today’s post was written by Arpan Shah, Senior Director, Microsoft Office Division.
I’ve worked in the Office Division for more than 11 years and have had the opportunity to experience the transformation of our business into a services culture firsthand. We’ve gained a lot of valuable insights as part of that transformation, which have in turn enabled us to deliver important capabilities to our customers more quickly. We know that the way in which we manage our customers’ data is a key driver in their decision to move to the cloud. That’s why we’re committed to partnering with our customers to understand and deliver on their unique security, privacy and compliance requirements.
In the 18 months since the service first launched, we’ve worked hard to ensure Office 365 offers the most robust set of certifications and standards options of any major cloud-based productivity service. Our investments include but aren’t limited to:
Impact Level 2 accreditation. In the UK, Office 365 has been awarded Impact Level 2 (IL2) accreditation. The IL2 rating will benefit a broad range of UK public sector organizations, including local and regional government, National Health Service (NHS) trusts and some central government bodies, who require a ‘protect’ level of security for data processing, storage and transmission.
Health Insurance Portability and Accountability Act (HIPAA). Microsoft offers the most comprehensive agreement available to HIPAA-covered entities that manage electronic protected health information.
Although the federal HIPAA law in large part applies to health organizations that need to protect patient data, education institutions must also adhere to the same HIPAA regulations if school data systems store students’ records that include protected health information.
That’s why Duke University and Thomas Jefferson University chose Office 365 and became part of a consortium of leading technology, legal and compliance experts from the academic, public and private sectors that worked closely with Microsoft to develop a business associate agreement (BAA) to address HIPAA requirements.
European Union Model Clauses (EUMCs). In December 2011, we started to contractually commit to EU Model Clauses in agreements with customers before taking the additional step of vetting our approach to Model Clauses with European Data Protection Authorities last summer. As a result of our engagement with this community, we’ve made adjustments to our systems and contract language that better reflect their feedback.
We’re grateful that the privacy authorities from all 27 European Union member states (also known as the Article 29 Working Party) have reinforced the importance of Model Clauses and acknowledged our approach. Their actions have helped reinforce the importance of selecting a responsible vendor that will enable EU businesses to move to the cloud with confidence.
Criminal Justice Information Systems. Office 365 was recently selected by the Texas Department of Information Resources as the communication and collaboration platform for more than 100,000 state employees. Compliance was an important factor in the state’s selection of Office 365 since several agencies, including Texas’ Department of Criminal Justice, Alcoholic Beverage Commission, Department of Insurance, and Health and Human Services System, require access to data that is subject to complex security and privacy regulations.
Texas Department of Information Resources and Microsoft are working together to support the state’s requirements under the Health Insurance Portability and Accountability Act (HIPAA) and Criminal Justice Information Systems (CJIS), in order to maintain the state’s compliance posture and high standards for security and privacy. Microsoft has made a contractual commitment to the Texas Department of Information Resources by signing the CJIS Addendum in addition to a HIPAA Business Associate Agreement.
FISMA. Office 365 implements security processes that adhere to the standards required by U.S. federal agencies and has acquired FISMA Authority to Operate (ATO) from a few federal agencies. Office 365 is continually working on updating its controls and processes to meet the latest federal directives on FISMA compliance.
Family Education Rights & Privacy Act (FERPA). FERPA protects the privacy rights of students by safeguarding “education records” from use or disclosure without consent. Office 365 helps educational institutions meet FERPA compliance requirements. Microsoft agrees to abide by the limitations and requirements imposed by FERPA, including a commitment that it will not scan institution emails or documents for advertising purposes.
We created the Office 365 Trust Center to make it easier for our customers to get the most up-to-date information on our security, privacy and compliance investments. Please visit the site to learn more and try the service to see why so many businesses are moving to the cloud with Office 365.
- What is Office 365?
- Office 365 Trust Center
- Leading Universities meet HIPAA requirements on Office 365