The Government Strategic Vendor Management Office expresses concerns about privacy and security risks when using Microsoft products in government environments. These concerns should be considered when deciding whether or not to use Microsoft 365. Rather than abandoning technology products entirely, a differentiated approach is advisable, recognizing privacy risks while maintaining efficiency and productivity benefits. Through proper risk management and proactive security measures, governments can minimize risks and reap the benefits of technology, with data privacy and security as the top priority. At a minimum, when using Microsoft, organizations should prepare their own data protection impact assessment (DPIA) with guidelines to assess specific data protection risks based on their implementation, level of confidentiality and personal data processed. IT Services specialists can help the organization with this. SLM Rijk’s DPIA includes recommendations¹ to address privacy issues. SLM Rijk’s checklist of recommendations, as well as some recommendations from our consultant Stéphanie Mellink, can be downloaded here.
AI software: What can you do with it?
A government organization has a large amount of data on citizens and businesses. Copilot can be used to identify trends and make connections between different data points. An official might instruct Copilot to look at what factors contribute to a higher crime rate in specific areas. The official has Copilot put together a slide presentation presenting four mitigating measures to reduce crime so that policy decisions can be made at the next meeting.
A government organization is developing a new app to apply for a passport. The team in charge uses Copilot to generate ideas for features in the app and has Copilot create a questionnaire for a user survey. Then the project manager has Copilot test the app against the results of the survey and has Copilot make suggestions for improvements.
A road needs to be opened in a neighborhood. The municipality wants to inform citizens about this and has Copilot make a plan of what is needed in terms of external communication and information provision. Following this, the municipality has Copilot write the letters to send to residents, and has the message worded in a way that is understandable to all citizens.
The privacy issues with Microsoft: a summary
An increasing number of municipalities, ministries and other government agencies have chosen to be supported by technology giant Microsoft. The Data Protection Survey² conducted by SLM Rijk³ and SURF⁴ identified different risks when using three versions of the software: the locally installed software on employees’ laptops (Office 365 ProPlus), the version for smartphones and tablets (mobile Office applications for iOS and Android) and the online version for use in the browser (Office for the web). Following this investigation, SLM Rijk and SURF entered into negotiations with Microsoft regarding the measures Microsoft needed to take to ensure data protection when using the Office 365 license software. These negotiations resulted in some legal, technical and organizational steps by Microsoft to mitigate the risks to data subjects when processing personal data through Teams, OneDrive, SharePoint and Azure Active Directory. An example of one of these mitigating measures was the implementation of a Data Boundary solution⁵ that gives government agencies the assurance that important data is stored both within the EU and according to the European Union’s GDPR (AVG) rules.
However, a report⁶ from the Department of Justice and Security (February 2022) found that Microsoft still needed to make four adjustments to mitigate the remaining risks. First, Microsoft must be clear about what data is collected and stored under the guise of Mandatory Service Data. Second, they must allow a third party to verify that Microsoft adheres to agreed standards and restrictions when collecting, storing and using data. Third, they must fully inform administrators of their analytics services about how they process data from those services and what the impact is. Finally, they must provide all Teams communications with end-to-end encryption (E2EE) so that only the sender and receiver can read the contents of the communication, preventing sensitive information from falling into the wrong hands.
Microsoft does not yet meet all of SLM Rijk’s requirements to enable secure use of Office 365. This is why the report (February 2022) includes a number of recommendations that government agencies should follow individually to prevent private data of citizens and employees from being misused, or, for example, to rule out the possibility of U.S. investigative and intelligence agencies gaining access to Dutch government data.
Privacy issues with Microsoft: What to do?
The Government Strategic Vendor Management Office expresses concerns about privacy and security risks when using Microsoft products in government environments. These concerns should be considered when deciding whether or not to use Microsoft 365. Rather than abandoning technology products entirely, a differentiated approach is advisable, recognizing privacy risks while maintaining efficiency and productivity benefits. Through proper risk management and proactive security measures, governments can minimize risks and reap the benefits of technology, with data privacy and security as the top priority. At a minimum, when using Microsoft, organizations should prepare their own DPIA with guidelines to assess specific data protection risks based on their implementation, level of confidentiality and personal data processed. IT Services specialists can help the organization with this. SLM Rijk’s DPIA includes recommendations¹ to address privacy issues. The checklist with SLM Rijk’s recommendations, along with some recommendations from our specialists, is available for download to the right.
Microsoft Copilot: Benefits and potential applications
Microsoft Copilot offers promising opportunities for government agencies. One of the most obvious benefits is the increased efficiency it can bring. By automating repetitive tasks, officials have the opportunity to focus on more complex and valuable tasks, which can ultimately improve government productivity and effectiveness. A second key benefit of Copilot is its ability to improve government services. This system can contribute to faster and more effective communication with citizens and businesses, as well as better access to government information. This promotes citizen and business satisfaction and strengthens trust in government (provided the information is presented correctly, completely, consistently and in appropriate context and language). In addition, Copilot provides valuable data analysis capabilities. In an era where data-driven decision-making is vital, Copilot can help analyze large amounts of data, which in turn can improve government decision-making. Last but not least, the deployment of Copilot can lead to cost savings. The efficiency gains from automation and improved service delivery can yield significant financial benefits, which is critical in light of the budget constraints facing many government agencies.
Considerations for implementation in government environments
The decision for governments to implement Microsoft Copilot is a complex issue that requires careful consideration, with some crucial concerns in mind. First, privacy and security are paramount. Ensuring the privacy of citizens must remain a top priority. Other important aspects are transparency, accountability and oversight. Government agencies must be able to understand and explain how AI software works, especially when it impacts citizens. This includes designating responsible officials and developing oversight mechanisms. Data quality and data ethics of the software should also be considered; the most recent and accurate data should be used, such as recent changes in laws and regulations, scientific findings and local ordinances. In addition, there must be a mechanism to ensure ethical and contextual decisions. This includes preventing the use of data obtained through illegal or unethical practices and avoiding discrimination, bias and unfair treatment of citizens.
The five pieces of advice: strategic management for Microsoft Copilot
1. Privacy-First Approach
Implement a privacy-first approach to ensure citizen privacy. Microsoft 365 Copilot gets access to your exclusive organizational data and presents the data to the individual users who have the rights to this data. So it is important to have a good overview of what each individual official should have access to, as sensitive data can be retrieved at the touch of a button. As with the use of other Microsoft products, make sure that all advice from SLM Rijk’s DPIA is addressed and followed, and create your own DPIA with associated policies.
2. Transparency and explainability
Set clear guidelines for transparency and explainability of AI decisions. Make sure officials understand how Microsoft Copilot works, who is responsible for inputs and outputs, and ensure they are able to explain decisions to the public. Consider hiring an outside independent specialist to help set up the mechanisms; this emphasizes commitment to proper use and can help build trust among stakeholders.
3. Ethics and non-discrimination
Develop and implement ethical standards for the use of Microsoft Copilot. Ensure that the system does not allow discrimination, bias or unfair treatment of citizens. Conduct regular audits to identify and correct possible biases in the results.
4. Data quality and updating
Guarantee the data quality and updating of Microsoft Copilot. Ensure that the data used is current and accurate, taking into account recent changes in laws and regulations, scientific findings and local ordinances. Implement a mechanism to update data ethically and contextually.
5. Engagement and education
Involve the public and stakeholders in the Microsoft Copilot implementation process. Organize public consultations and information sessions to gather feedback and identify any concerns. Invest in educating and training officials and staff in the responsible use of AI within government environments to ensure they can achieve maximum efficiency and productivity benefits with minimal risk. The National Academy for Digitalization and Informatization Government (RADIO) offers a course, but you can also sign up for training with outside providers such as Supply Value.
Summary
The introduction of Microsoft Copilot in European government agencies promises a more efficient, data-driven approach, but also raises privacy and security issues. The findings highlight the need for a balanced approach. The five strategic recommendations for managing Copilot highlight the importance of privacy, transparency, ethics, data quality and commitment to implementation. It is essential for government agencies to embrace the benefits of Copilot with strong attention to data privacy and security while striving for efficiency. Strict adherence to these guidelines is crucial to deploying Copilot responsibly and effectively in government environments, maximizing benefits while maintaining ethics and privacy for citizens.
¹Report: DPIA on Microsoft Teams, OneDrive, SharePoint and Azure AD, February 2022, ch. 17.2.1.
²Report: DPIA Office 365 Online and mobile Office apps, July 2019.
³Microsoft Strategisch Leveranciersbeheerkantoor Rijk.
⁴Central IT Procurement Organisation for Dutch Universities.
⁵Report: Understanding the Microsoft EU Data Boundary Roadmap, February 2022.
⁶Report: DPIA on Microsoft Teams, OneDrive, SharePoint and Azure AD, February 2022.



