About 18 months ago, Microsoft SA announced that Office 365 will be available to local customers. The company recently launched a second iteration of the platform, and it is clear that Microsoft is "all in" the cloud.
South African customers are, however, still concerned about the impact of the service location and how that affects usage, particularly from a legal perspective. The Protection of Personal Information (POPI) Bill is submitted for approval, and in it, seeking to protect the rights of consumers, it places certain limitations on where companies may store customer data. In conjunction, SARS has recently placed a notice about the availability of tax documents, and the accurate safekeeping of such documents. Will customers be able to access their data when needed?
At the recent TechEd Africa 2013, Microsoft presented a talk outlaying its view of data privacy and sovereignty issues and how these concepts play out in the Office 365 service. Microsoft clearly spells out that the service is hosted from Ireland (with a secondary capacity in the Netherlands), but in its view, it does not change the usage much. Microsoft points to its Microsoft Online Services Agreement (MOSA) terms and conditions document, which, first of all, spells out the approach Microsoft takes on privacy.
"Microsoft will only process such customer data for the purpose of providing the online services and performing its obligations in accordance with the agreement."
"At Microsoft, we are very focused on data privacy," says James Avenant, Office 365 product marketing manager SA. "These principles were established early in the company's history, and we have remained true to them, even with the advent of our advertising services such as Bing. Microsoft will not use your data for advertising - privacy is top of mind during engineering of our new products and services, as outlaid in our Privacy, Security and Transparency online guides."
Microsoft derives its revenue stream from the sale of products and services, while keeping advertising revenue separate.
Cloud privacy concerns are not new. Consumer services are plagued by issues on the rights of the individual, and free services are accused of turning the customer into the product. For commercial services, or where an institution manages the data of a customer, the privacy concerns deepen. Academic institutions have a special concern, too, in how they expose potentially sensitive data on minors to large advertising machines.
South African companies are further concerned with the impact the POPI Bill may have on the use of cloud services. According to Microsoft, its service fits the description as currently stipulated in the draft Bill. According to Avenant: "POPI regulates the flow of personal information across borders, but does not stop it. In setting standards on the data flow, POPI aims to protect South African citizens from services that may compromise their security, and that of their customers. Microsoft subscribes to the EU model clauses to regulate our service in Europe - these sets of legislation have the same aim in mind, and the POPI Bill provides for scenarios where the data resides in locations with equal or stronger regulations (stated as point 72.1 (a) - 'it is subject to a law, which provides an adequate level of protection'."
Microsoft points to its Office 365 Trust Center for more details on standards and legislation.
From a tax document perspective, SARS highlights the Tax Administration Act (Sections 29 and 30) that regulates the keeping of records for tax purposes. Microsoft says it does not alter the documents in any way or form - a huge benefit against the competition that need to re-interpret Word and Excel documents when rendered in their viewers and occasionally leading to data loss.
"We own the Office document format and can ensure that documents stay intact while edited across the different modules in the Office 365 suite," says Avenant. "When you open a document in Word that is stored in SharePoint and has been edited in Word Web App before, all your data will be exactly where you left it. SARS is further concerned about companies that may not be able to access their documents once their contracts with the data host expire. Office 365 has a very clear data policy - your data belongs to you and we will not prevent access to it. We take great care in providing service uptime and redundancy. In the case of the customer terminating the service, data enters a read-only state and the customer may remove it from the platform within 90 days."
The advent of cloud services certainly adds new complexities that the IT department needs to consider!
Share