Privacy Threshold Analysis (PTA)

and/or Privacy Impact Assessment (PIA)

for

Microsoft Office 365

Date Approved by Chief Privacy Officer (CPO)/Designee: 1/7/2019

PTA/PIA TEMPLATE VERSION 1.9 – August 2017


SECTION I – OUTSOURCED INFORMATION SERVICE DESCRIPTION

1. Describe the outsourced service and its purpose.

Microsoft (MS) Office 365 (O365) is an outsourced service provided by Microsoft, which has been approved by FedRAMP. The MS O365 package includes Email to the Cloud, Exchange Online, SharePoint Online, OneDrive, and MS Teams.

The SharePoint Online solution is similar to SharePoint 2013[1] except that access is available via Microsoft Azure Cloud technology, which provides a secure collaborative platform in which FDIC employees and contractors can work with external stakeholders. Email to the Cloud and Exchange Online are a solution in which email is stored on a Microsoft server and can be accessed from anywhere as long as the user has an active Internet connection. SharePoint Online is a platform that is commonly used to share content, and it can also be used to host a webpage. OneDrive operates as a hard drive in the cloud, similar to the email solution, where the user is able to save and access files. MS Teams is a collaboration platform that provides a chat and workspace environment tightly integrated with other MS O365 services, such as cloud storage (OneDrive) and document sharing (SharePoint Online).

Currently, the FDIC works with external stakeholders, such as the Federal Reserve, the Office of the Comptroller of the Currency (OCC), state and local bank exam groups, and others, to deliver on our core mission of insuring deposits, providing for the safety and soundness of the financial system, and protecting consumers.

MS O365 utilizes the Microsoft Azure environment, which provides an organized, intuitive and searchable location where employees will find the systems, tools, information and collaboration areas that they need. They will be able to realize greater efficiency in accessing important business processes, people, information, forms, news, calendars and other FDIC information. MS O365 will provide Enterprise Document Management (EDM) and workflow functionality that will improve business processes, records management, and overall collaboration within the FDIC. MS O365 can also be used for business analytics and reporting.

SECTION II – DATA TYPE, SOURCES, AND USE

2. Describe all information/data that will be collected, used, maintained or generated by the Outsourced Provider (Vendor) as part of the services provided under the contract. If no information/data is involved, select Not Applicable.

Within MS O365, in general, there are two primary categories of information:

1. User information (i.e., the information that is synchronized from FDIC's on-premises Active Directory to MS O365). This information is primarily the user's full name, work e-mail address and other official contact information; and

2. MS O365 collaboration information (i.e., the actual data/documentation that will be uploaded, generated, used or stored in various MS O365 services by internal and external users). MS O365 collaboration information may contain sensitive personally identifiable information (PII). Some examples of the types of collaboration sites and information that will be maintained in MS O365 include:

• Email, calendar, contacts, and tasks in user mailboxes
• Shared calendars and email in shared mailboxes
• Documents and other data in user file storage
• Chat history, video and audio conference transcripts, and shared documents in MS Teams
• Division and team documentation in SharePoint Online
• Training sites to share class materials with participants from other financial regulatory agencies (federal, state and foreign agencies). These class materials do not contain PII.
• Research sites to facilitate the exchange of research and statistical information. The FDIC Division of Insurance and Research (DIR) receives requests for information from various external entities for research information that is publicly available (non-sensitive, non-PII). These can range from commercial entities to members of the academic community and other government agencies. Historically, these requests were fulfilled by writing the information to removable media (DVD or hard drive) and shipping it back to the requesting entity. With the adoption of FDIC's policy concerning removable media, this information will now be exchanged using MS O365.

[1] The SharePoint 2013 PIA will be made available at https://www.fdic.gov/about/privacy/assessments.html

3. Describe the intended purpose and use of the above information/data. If no information/data is involved, select Not Applicable.

The MS O365 platform will provide Email to the Cloud, Exchange Online, SharePoint Online, OneDrive, and MS Teams for all FDIC users. Some use cases are listed below:

• FDIC user mailboxes, including email, calendar, contacts, and tasks
• Training sites to share class materials with participants from other financial regulatory agencies (federal, state and foreign)
• Research sites to share publicly available, non-sensitive, non-PII research information with commercial entities, members of the academic community and other government agencies
• Divisional SharePoint sites
• User data (documents, spreadsheets, etc.) stored in OneDrive
• MS Teams collaboration files, which may include audio and video conferencing, chat, document sharing, and desktop sharing

4. What types of personally identifiable information (PII) are (or may be) included in the information specified above? (This is not intended to be an all-inclusive list. Specify other categories of PII, as needed.)

PII Element (Yes/No):
• Full Name
• Date of Birth
• Place of Birth
• Social Security Number
• Employment Status, History or Information
• Mother's Maiden Name
• Certificates (e.g., birth, death, naturalization, marriage, etc.)
• Medical Information (Medical Records Numbers, Medical Notes, or X-rays)
• Home Address
• Phone Number(s) (non-work)
• Email Address (non-work)
• Employee Identification Number (EIN)
• Financial Information (e.g., checking account #/PINs/passwords, credit report, etc.)
• Driver's License/State Identification Number
• Vehicle Identifiers (e.g., license plates)
• Legal Documents, Records, or Notes (e.g., divorce decree, criminal records, etc.)
• Education Records
• Criminal Information
• Military Status and/or Records
• Investigation Report or Database
• Biometric Identifiers (e.g., fingerprint, voiceprint)
• Photographic Identifiers (e.g., image, x-ray, video)
• Other (Specify: Potential to include all PII elements necessary to conduct FDIC business.)

5. If Social Security Number (SSN) is checked in question 4, please answer the following:

a) Explain the business purpose requiring the collection of SSNs: MS O365 does not collect SSNs. However, SSNs may be stored by individual users as part of documents or email.

b) Provide the legal authority which permits the collection of SSNs. (Legal Authority): MS O365 does not collect SSNs; however, SSNs may be maintained within the system in the course of conducting FDIC business. 12 U.S.C. § 1819 provides the general authority for the Corporation to collect SSNs.

c) Identify whether the SSN is masked or otherwise truncated as part of the outsourced service: SSNs may or may not be masked or truncated. The masking or truncation of data varies with the source and the method of collection.

6a. Please provide an estimate of the number of records maintained by the vendor for this contract that contain PII:

Estimated Number of Records Containing PII (check one):
• 0
• 1-500
• 501-1,000
• 1,001-2,500
• 2,501-5,000
• 5,001-7,500
• 7,501-10,000
• 10,001-50,000
• 50,001-100,000
• over 100,000

6b. If "0" was answered for 6a, please explain[2]: N/A

7. What are the sources of data (both PII and non-PII) for the outsourced service/project? How is the data derived?

Table columns: Data Source[3] (List all sources that the Outsourced Provider collects, obtains or receives data from, as part of the services provided under the contract.) | Type of Data Provided by Source & How It is Derived (Describe the type of PII and non-PII data provided by each source. If PII is included in the data, list the specific PII elements, and explain how the PII is derived.) | Does Data Include PII? (Yes/No)

Data Source: Manual upload of data by authorized FDIC staff/contractors via email communications
Type of Data & How It is Derived: Authorized FDIC staff and contractors may collect or receive business data from various sources, such as documents, reports, training material created or provided by FDIC staff or contractors, research information from various public and commercial sources, and other applicable information obtained as part of their official business functions and, as applicable, store this data in designated MS O365 Online mailboxes.
Does Data Include PII? Yes/No

Data Source: Manual or automatic upload of data by authorized FDIC staff/contractors via OneDrive
Type of Data & How It is Derived: Authorized FDIC staff and contractors may collect or receive business data from various sources, such as documents, reports, training material created or provided by FDIC staff or contractors, research information from various public and commercial sources, and other applicable information obtained as part of their official business functions and, as applicable, store this data in designated MS O365 OneDrive folders.
Does Data Include PII? Yes/No

Data Source: Manual or automatic upload of data by authorized FDIC staff/contractors via MS Teams
Type of Data & How It is Derived: Authorized FDIC staff and contractors may collect or receive business data from various sources, such as documents, reports, training material created or provided by FDIC staff or contractors, research information from various public and commercial sources, and other applicable information obtained as part of their official business functions and, as applicable, store this data in designated MS O365 MS Teams sites/folders.
Does Data Include PII? Yes/No

Data Source: Manual or automatic upload of data by authorized FDIC staff/contractors via SharePoint Online
Type of Data & How It is Derived: Authorized FDIC staff and contractors may collect or receive business data from various sources, such as documents, reports, training material created or provided by FDIC staff or contractors, research information from various public and commercial sources, and other applicable information obtained as part of their official business functions and, as applicable, store this data in designated MS O365 SharePoint Online sites/folders.
Does Data Include PII? Yes/No

Data Source: Manual upload of data by authorized non-FDIC entities via SharePoint Online and MS Teams
Type of Data & How It is Derived: Authorized non-FDIC individuals and entities may upload data related to FDIC business functions. These may include other Federal agencies, State Banking Regulators, Financial Institutions, vendors, and non-FDIC Corporate University (CU) students. The data uploaded may include bank examination information, failed bank information, project management information, and CU coursework. Data uploads occur through SharePoint Online and MS Teams.
Does Data Include PII? Yes/No

[2] If the vendor has not received work to date for this contract and "0" is checked in 6a, please explain approximately how many records may be maintained by the vendor if they are awarded work under this contract in the future. Additionally, the Division responsible for this vendor must update this PIA to reflect the accurate number of records containing PII that the vendor maintains if this changes in the future.

[3] Examples of potential data sources include, but are not limited to: internal (FDIC) or external (non-FDIC) systems, websites, individual members of the public (e.g., customers, borrowers, etc.), FDIC employees, FDIC contractors, credit bureaus, commercial entities, public records, government agencies, etc.

8. How will FDIC and/or the Outsourced Service Provider retrieve data or records as part of the outsourced service or project? Can data be retrieved using a personal identifier (e.g., name, address, SSN, EIN, or other unique identifier)?

Individual users may search and retrieve emails in their own mailboxes using the search functionality within the FDIC's email client. This functionality is intended to be used by individual users to search for business emails in their own mailboxes based on keyword criteria, which could include any type of personal identifier. In addition, the sorting functionality within the email client allows users to group and retrieve business email messages in their mailboxes by date, size, sender, subject, address or other fields.

Authorized DIT administrators have access to a search utility that allows them to locate and extract email messages from mailboxes in the FDIC's email store using pre-defined criteria, such as date, time, subject line, sender/recipient name, and attachment names. Administrators use this utility to (a) assist users with recovering business email messages that users have deleted accidentally and (b) remediate virus and malware issues by extracting infected email messages.

The search functionality within SharePoint Online and OneDrive allows authorized users to search for documents posted to the respective SharePoint sites to which they have been granted access. Users may search by any term, including personal identifiers such as name, Social Security Number, address, etc., but they may only view documents to which they have been granted permission to access.

9. In the Federal Register, under which Privacy Act System of Records Notice (SORN) does this system operate? Provide number and name.

The FDIC MS O365 environment does not operate as a Privacy Act System of Records, nor does its use require alteration to any existing system of records. The FDIC MS O365 environment may be used to process and store Privacy Act records from existing FDIC Privacy Act Systems of Records by authorized contributors (FDIC staff and contractors) in connection with their various job responsibilities. Contributors are responsible for ensuring there is coverage under an appropriate System of Records Notice for the data collected/maintained and for ensuring that appropriate procedures are followed. For a listing of current FDIC Privacy Act Systems of Records, please visit: http://www.fdic.gov/regulations/laws/rules/2000-4000.html.


SECTION III – DATA ACCESS AND SHARING

10. In the table below, specify the systems/applications and parties (FDIC and non-FDIC) that will access or receive PII data as part of the outsourced service/project. (Check "No" or "Yes" for each category. For each category checked "Yes," specify who will have access to, be provided with, or maintain the PII, what PII elements will be accessed/shared/maintained by them, how the access or sharing will occur, and the purpose and use of this PII.)

Table columns: PII Will Be Accessed By and/or Provided To | Yes/No | If Yes, Explain How and Why the PII Will Be Accessed/Shared

10a. FDIC Outsourced Service Provider (OSP) Staff; OSP Subcontractors; and/or OSP Systems: FDIC data, including PII, will be stored on Microsoft Cloud servers. The data is encrypted in transit and at rest using FIPS 140-2 validated cryptographic modules. Microsoft and its subcontractors will not have any access to the stored data, encrypted or unencrypted.

10b. FDIC Personnel and/or FDIC Systems/Applications: Response: FDIC Corporate may have access to PII data. All FDIC employees and contractors will have access to the data they are authorized to view. Access to MS O365 services is contingent upon FDIC network access and falls under the corporate network access requirements.

10c. Individual Members of the Public (e.g., bidders, investors, borrowers, customers, etc.): Non-FDIC CU Students: State and international non-FDIC students who take courses at CU upload coursework using SharePoint Online and receive feedback from instructors. PII shared may include name, work email, and employment title.

10d. Other Non-FDIC Entities/Parties and/or Non-FDIC Systems/Applications:
• Vendors: FDIC employees may share information related to FDIC business on MS Teams and SharePoint Online with vendors as necessary. PII shared may include name, work email, and employment title.
• CU Effective Writers: FDIC employees and non-FDIC CU students may share coursework on SharePoint Online with CU contractors known as Effective Writers, who grade and provide feedback on the coursework. PII shared may include name, work email, and employment title.
• Financial Institutions: FDIC employees and contractors may share relevant information with FIs as needed as part of the bank examination process through MS Teams. PII of bank employees and/or bank customers may be included.

10e. Federal, State, and/or Local Agencies:
• Federal Financial Institutions Examination Council (FFIEC) Members: FDIC users involved with the Central Data Repository (CDR) project may use SharePoint Online to share release information, use case testing, project plans, and similar documents with other Federal Banking agencies that are members of the FFIEC. PII elements shared may include names, titles and work contact information.
• OCC, Federal Reserve, and State and Local Banking regulators: These agencies may be provided information relating to bank examinations, which may include PII of bank employees and/or bank customers, through MS Teams.

10f. Other: If Yes, list any other destinations that the Outsourced Service Provider (OSP) will share or provide data to as part of the outsourced service/project. Specify the data destinations; what PII will be shared; how the sharing will occur; and the purpose for the sharing.

11. If data will be provided to, shared with, or maintained by non-FDIC entities (such as government agencies, contractors, or Outsourced Information Service Providers), have any of the following agreements been issued? N/A: authorized FDIC access and business use only.

Data Protection and/or Sharing Agreements (Yes/No):
• FDIC Confidentiality Agreement (Corporation)
• FDIC Confidentiality Agreement (Individual)
• Non-Disclosure Agreement (NDA)
• Memoranda of Understanding (MOU)
• Information Sharing Agreements (ISA)
• Authentication Risk Assessment
• Other Applicable Agreement(s) (Specify: privacy and confidentiality contract clauses)

If you answered NO to any item above, please provide additional information if available: The protection and sharing of information is addressed within the privacy and confidentiality clauses incorporated within the contract between the vendor and FDIC.

SECTION IV – NOTICE AND CONSENT

12. Do individuals have the opportunity to decline to provide information or to consent to particular uses of their information (other than required or authorized uses)?

No. Individuals do not have the opportunity to "opt out" of providing their data and/or consenting to particular uses of their information. (Explain why individuals are not able to opt out, either for specific data elements or specific uses of their data.): The individuals whose PII is contained in MS O365 may or may not have been offered an opportunity to opt out of providing this personal information. In general, the specific circumstances under which individuals are offered an opt out depend on the source of the data and are consistent with the provisions outlined in the FDIC System of Records Notices (SORNs) and Privacy Act Notices governing the original data collection.

Yes. Individuals have the opportunity to decline to provide their personal data or to consent to particular uses of their information. (Explain how individuals may decline or consent to the use of their information.):

13. If PII is being collected via a public-facing website and/or application as part of this outsourced service, has the Outsourced Information Service Provider posted any of the following types of privacy policies or Privacy Act notices?

• No
• Yes (If yes, check applicable box(es) below.)
  • Link to FDIC Privacy Policy
  • FDIC Privacy Act Statement
  • Contractor Privacy Policy or Statement
  • No Privacy Policy has been posted
• Not applicable

SECTION V – DATA SECURITY AND ACCURACY

14. Please assert what administrative procedures and technical safeguards are in place to protect sensitive PII data in the Outsourced Information Service Provider's care. [Provide the name of the Outsourced Service Provider and check all applicable box(es).]

MS O365 has undergone a Cloud Security Assessment through the FDIC's Independent Verification and Validation agent to determine whether the FDIC has adequately implemented the controls for which it is responsible in order to protect the information to be stored within the system. Control weaknesses were identified during the assessment, and the project team is in the process of developing appropriate mitigation strategies.

If it has gone through an assessment, has it been approved? NO / YES / N/A

The FDIC conducts background investigations (BIs) on key Microsoft personnel and other applicable personnel prior to their beginning work on the contract.

Microsoft, the vendor, is subject to periodic compliance reviews by FDIC. Per the contract, scheduled and unannounced inspections and assessments of the Outsourced Service Provider's facilities, personnel, hardware, software and its security and privacy practices may be conducted by the FDIC information technology staff, the FDIC Inspector General, or the U.S. Government Accountability Office (GAO). These inspections may be conducted by phone, electronically or in person, on both a pre-award basis and throughout the term of the contract or task order, to ensure and verify compliance with FDIC IT security and privacy requirements.

Other (Explain any other administrative and/or technical safeguards in place to protect PII data in the Outsourced Information Service Provider's care.) Attach the Contract Clause Verification Checklist to the back of this form.

15. What are the procedure(s) for ensuring that the information maintained is accurate, complete and up-to-date? [Check all applicable box(es) and insert the appropriate response and System/Project name.]

• Data is collected directly from individuals and/or from the failed financial institutions. As such, the FDIC and its vendors rely on the individuals and/or financial institutions to provide accurate data.
• The vendor/contractor works with FDIC to verify the integrity of the data [before, in conjunction with, and/or after] inputting it into the system or using it to support the project.
• As necessary, an [authorized user or administrator] of the [System/Project Name] checks the data for completeness by reviewing the information, verifying whether or not certain documents or data are missing, and, as feasible, updating this data when required.
• Other (Please explain.)

16. In terms of assuring proper use of the data, please assert whether the following statements are true for the Outsourced Information Service Provider. (Check all applicable box(es) and insert the name of the Outsourced Information Service Provider and title of the firm's senior management official.)

Within FDIC, the MS O365 Program Manager/Data Owner, Technical Monitors, Oversight Manager, and Information Security Manager are collectively responsible for assuring proper use of the data. In addition, it is every FDIC user's responsibility to abide by FDIC data protection rules, which are outlined in the FDIC's Information Security and Privacy Awareness training course; all employees/contractors are required to take this course annually and to certify that they will abide by the Corporation's Rules of Behavior for data protection. In addition, MS O365 administrators are required to take additional server administrator role-based training annually.

Additionally, the Outsourced Information Service Provider is responsible for assuring proper use of the data. Policies and procedures have been established to delineate this responsibility, and the vendor has designated [title of senior management official] to have overall accountability for ensuring the proper handling of data by vendor personnel who have access to the data. All vendor personnel with access to the data are responsible for protecting privacy and abiding by the terms of their FDIC Confidentiality and Non-Disclosure Agreements, as well as the vendor's corporate policies for data protection. Access to certain data may be limited, depending on the nature and type of data. (Refer to Section III of this Privacy Impact Assessment for more information on data access criteria.)

The Outsourced Provider must comply with the Incident Response and Incident Monitoring contractual requirement.

None of the above. (Explain why no FDIC staff or Outsourced Information Service Provider personnel have been designated responsibility for assuring proper use of the data.)

SECTION VI – DATA RETENTION AND DISPOSAL

17. Where will the Outsourced Service Provider store or maintain the PII data identified in question 5? Describe both electronic and physical storage repositories, as applicable.

The FDIC's MS O365 is comprised of the following key components where PII data may be stored or maintained:

a. Directory Services – The Directory Services portion of MS O365 provides a Corporation-wide Global Address List (GAL). The GAL is an electronic directory of the official, business contact information for authorized users with active FDIC email accounts. Users, at their option, may include their personal cell phone numbers within the Directory/GAL.

b. Calendar and Collaboration Services – The Calendar and Collaboration Services component of MS O365 provides a calendar that is fully integrated with a user's email and contacts, and offers a variety of scheduling and collaboration functionalities. The Calendar and Collaboration Services component allows users to create appointments and events, organize meetings, view group schedules, and manage other users' calendars. It also allows users to create shared mailboxes and public folders[4] to collect, organize, and share business information with other users.

c. MS Exchange Online – Exchange Online refers to an email-based collaborative communications service hosted on the MS cloud. Exchange Online facilitates electronic mail communications, calendaring, contacts and tasks; supports mobile and web-based access to information; and supports mailbox data storage. Inbound and outbound emails are stored by the MS O365 cloud. A user is able to read and delete their sent and received emails by logging into the Exchange client (i.e., Microsoft Outlook), which connects to the service.

d. Email Cache/Archive Repositories – MS O365 features the following repositories where electronic messages may be cached or archived for business purposes:
  • Cached Exchange Mode (Offline Storage Folder/.OST) – A copy of a user's mailbox is stored in an encrypted file on his/her local computer. This copy provides quick access to business data and is frequently synchronized with the mail server.
  • AutoArchive/online archive mailbox – Access is online only. There is no local cache.

e. SharePoint Online – SharePoint Online is a cloud-based service that helps FDIC users share and collaborate with each other. With SharePoint, FDIC users can have a central repository for information and documents that need to be shared within or across divisions.

f. OneDrive – OneDrive is a cloud-based service that provides FDIC users with secure storage space for personal files, documents and data.

g. MS Teams – MS Teams is a cloud-based collaboration platform and central hub for teamwork in MS O365 that integrates FDIC's content and tools, such as email, calendaring, SharePoint, chat, and video conferencing, as needed, so that users can be more engaged and effective.

[4] Public folders can contain any Outlook item type, such as business messages, appointments, contacts, tasks, journal entries, notes, forms, files, and posts. Security permissions are associated with each public folder, allowing only specific groups or people to have access. The owner of a public folder can grant user permissions, assign rules, and set default views.

18. Specify the period of time that data is retained by the Outsourced Service Provider and the specific procedures for disposing of or returning the data at the end of the retention period or contract, whichever is first.

Microsoft has a Data Handling Standard policy for MS O365 that specifies how long customer data will be retained after being deleted. There are generally two scenarios in which customer data is deleted:

• Active Deletion – The tenant (FDIC) has an active subscription and a user deletes data, or data provided by a user is deleted by the administrator.
• Passive Deletion – The tenant (FDIC) subscription ends.

For each deletion scenario (Active or Passive), the following table shows the maximum data retention period, by data category and classification:

At all times during the term of an active subscription, a subscriber (FDIC) can access, extract, or delete customer data stored in MS O365. If a paid subscription ends or is terminated, Microsoft will retain customer data stored in MS O365 in a limited-function account for 90 days to enable the subscriber (FDIC) to extract the data. After the 90-day retention period ends, Microsoft will disable the account and delete the customer data. No more than 180 days after expiration or termination of a subscription to MS O365, Microsoft will disable the account and delete all customer data from the account. Once the maximum retention period for any data has elapsed, the data is rendered commercially unrecoverable.

At all times during the term of any subscription, a subscriber (FDIC) can contact Microsoft Support and request expedited subscription de-provisioning. In this process, all user data, including data in SharePoint Online and Exchange Online that may be under hold or stored in inactive mailboxes, is deleted three days after the administrator enters the lockout code provided by Microsoft.