The use of Microsoft Office 365 in schools is illegal under data protection law insofar as schools store personal data in the European cloud. This is the conclusion of a statement published by the Hesse Commissioner for Data Protection and Freedom of Information.
Data-protection-compliant use was possible
For years, there has been a discussion in Germany about whether schools can use Microsoft Office 365 in compliance with data protection. In August 2017, the Hesse Commissioner for Data Protection and Freedom of Information (HBDI) was the only German data protection supervisory authority to comment, after an extensive examination of Microsoft's Germany cloud. In its statement at the time, the HBDI determined that schools can use Office 365 in the Germany cloud in compliance with data protection, provided that the schools properly use the tools provided by Microsoft (e.g. role and authorization concept, logging, etc.).
Without the Germany cloud, no more Office 365 in schools
Microsoft announced to the public in August 2018 that contracts would no longer be available for the Germany cloud and that distribution of this product would cease. Since then, the HBDI has asked a large number of teachers and school administrators, as well as school authorities, about the use of Office 365 in the European cloud, according to the data protection officer. In addition, individual school authorities have promoted Office 365 massively in the school landscape in recent months, irrespective of the unresolved data protection issues.
Therefore, Office 365 is not allowed
The use of cloud applications by schools is generally not a data protection problem. Schools can use privacy-compliant digital applications, provided that the security of the data processing and the participation of the pupils are guaranteed. The legal situation is different for Office 365 as a cloud solution. The crucial question is whether the school, as a public institution, can store personal data (of children) in a (European) cloud that is exposed to possible access by US authorities. Public institutions in Germany have a special responsibility regarding the admissibility and traceability of the processing of personal data. The digital sovereignty of state data processing must also be guaranteed.
What data Microsoft still gets is unclear
In addition, there is another issue that the Federal Office for Information Security pointed out to the public in autumn 2018. When the Windows 10 operating system is used, a wealth of telemetry data is transmitted to Microsoft, the content of which has not been conclusively clarified despite repeated inquiries to Microsoft. Such data is also transmitted when using Office 365.
Consent is no solution
Schools have so far relied on the consent of those affected wherever digital processing of personal data takes place in or through them. In connection with the use of Office 365 in the cloud, however, consent does not provide a solution, because the security and traceability of the data processing operations are not guaranteed. The data processing is therefore inadmissible. The attempt to achieve this through the consent of the parents would not sufficiently take into account the special property rights of children, for example under Article 8 of the General Data Protection Regulation (DS-GVO), said the Hessian Data Protection Commissioner.
Microsoft needs to work out a solution
The HBDI wants to reach a solution to this problem with Microsoft, because it is aware of the importance of Office. Above all, however, it is up to Microsoft. As soon as the possible access of third parties to the data in the cloud and the issue of the telemetry data have been resolved in a comprehensible and data-protection-compliant manner, Office 365 can be used as a cloud solution by schools. Until then, only Office packages without a cloud are possible.
Cloud solutions from Apple and Google also affected
What applies to Microsoft is also true for the cloud solutions from Apple and Google. So far, the cloud solutions of these providers have also not been presented in a transparent and comprehensible manner, says the Hessian data protection officer, which is why he also advises against using these solutions in schools.