links open in new tab

Introduction

Microsoft Office 365 (O365) provides students with access to online learning tools to support their education. This flyer provides information on the data collected during students’ use of O365 and Microsoft’s commitment to managing that data.

What data is collected?

Users control the information that is transferred to, and stored by, Microsoft in O365. This may include text, images, photographs, sound and multimedia.

Additionally, in the course of using the O365 service and in order to deliver the service, Microsoft’s systems will generate some information such as logs about user access to the O365 services.

How is the data used?

Office 365 services do not use this collected information to track users’ online activities or build profiles for behaviour analysis or other commercial purposes.

Microsoft does not use, access or collect this data for any reason other than to provide the O365 services to users - in particular, Microsoft will not use or disclose user data for advertising purposes.

NSW DoE has ensured through its contract with Microsoft governing the delivery of O365, that there are a number of express commitments relating to user data. These include:

  • Ownership of user data rests at all times with users, and not Microsoft.
  • Microsoft meets stringent international standards, generally acknowledged as the benchmark for online service providers.
  • Microsoft will demonstrate that it has met its user data commitments via an annual audit by an independent third party auditor.

Is the data secure?

Physical data centre access is restricted to authorised personnel and multiple layers of physical security are implemented.

Microsoft personnel are only able to access user data in extremely limited circumstances and subject to rigorous approval and oversight. Microsoft use subcontractors to perform a variety of support services for O365. Examples of these include, physical hardware maintenance, technical support and facilities services (eg, security guards at data centre locations).

Microsoft will only disclose data at the direction of the NSW DoE or if compelled to do so by law. The O365 service incorporates multiple privacy controls. These are enabled by default for all customers of O365, and schools are able to activate or deactivate these privacy controls so as to meet their needs.

When is data deleted?

Microsoft will remove all user and associated data from its systems when NSW DoE removes a user account from its system.

Where is the data?

For the O365 service, user data is stored in data centres located in Australia.

Microsoft privacy information:

Complaints regarding Microsoft’s management of this service should be directed to Microsoft or the Office of the Australian Information Commissioner. Access Microsoft’s approach to privacy, security and transparency with O365 at:

Further information:

NSW privacy information:

Feedback regarding the DoE’s management of this service can be made through the Department’s complaint handling process.


INFORMATION TECHNOLOGY DIRECTORATE - Fact Sheet v2_18/03/2019