Shared Services Canada’s technology assessment for privacy implications: Microsoft 365 E5 software-as-a-service suite
Description
This technology assessment for privacy implications (TAPI) examines privacy considerations related to the implementation of the Microsoft 365 (M365) suite from an enterprise perspective. While it does not replace the need for departments and agencies to conduct program-level privacy impact assessments, it identifies overarching privacy risks associated with M365’s use. It does not address specific program uses or include personal information collected or managed by individual departments. Instead, this document serves as a resource to inform and support program-level privacy assessments.
The M365 suite introduces privacy- and security-enhancing technologies, but implementing organizations need to ensure they review data collection and user tracking; data residency and sovereignty; Microsoft’s integration with third-party applications; Microsoft’s access to customer data; and end-user privacy controls.
With features such as recording capabilities in MS Teams and complex privacy settings across M365 applications, end-user privacy and control can be challenging to manage. Proper user training and administrative oversight are essential. Best practices include regular audits, reviewing privacy settings, encrypting personal information, deploying Microsoft’s data loss prevention (DLP) tools, and leveraging the forthcoming M365 security playbook. By prioritizing transparency, robust configurations and adherence to privacy standards, organizations can mitigate the privacy risks associated with M365.
Why a privacy impact assessment was completed
In early 2020, Shared Services Canada (SSC) completed an enterprise privacy impact assessment (PIA) for the implementation of M365, focusing on the exchange aspect of its rollout. The COVID-19 pandemic accelerated the need for digital collaboration tools like MS Teams and SharePoint, alongside enhanced security tools such as MS Defender. In October 2024, the Treasury Board of Canada Secretariat updated its privacy policy suite, replacing the Directive on Privacy Impact Assessment with the Standard on Privacy Impact Assessment, which clarifies that PIAs are intended for program activities, not technologies. In response, SSC developed a template to assess the privacy implications of specific enterprise technologies, and this document marks its first application.
Additional information
To effectively mitigate privacy concerns when using Microsoft E5 tools, organizations should adopt several best practices. First, providing employee training is essential to ensure staff understand the privacy risks associated with these tools and how to use them responsibly. Regularly conducting a privacy configuration review is also vital—adjusting privacy settings in M365 and other services to align with departmental policies, including reviewing the M365 security playbook and deployment manual. Employing DLP tools can help monitor and limit the sharing of sensitive information. Additionally, organizations should prioritize encrypting personal information both during storage and transmission to safeguard data. Finally, performing regular audits of permissions, data access and third-party integration ensures continued compliance with privacy and security standards, reinforcing a robust privacy framework.
Adopting these practices can significantly strengthen an organization’s privacy posture.
For more information about this technology assessment for privacy implications
Access to Information and Privacy Coordinator
Shared Services Canada
308-99 Metcalfe Street
P.O. Box 9808, Station T CSC
Ottawa, Ontario K1G 4A8
Email: ATIP-AIPRP@ssc-spc.gc.ca