Get your own house in order
Getting your own house in order is a fundamental prerequisite for complying with the Norwegian Personal Data Act and the GDPR. This is especially important when using M365 Copilot, because the tool acts as an ‘accelerator’ and can surface all the information it has access to in seconds.
M365 Copilot can be thought of as a ‘clone’ of its user. M365 Copilot has the same access and rights as its user. This means that all documents, emails, chats and other things the user has access to are available to M365 Copilot. Although M365 Copilot does not give the user access to new information, the tool makes it possible to quickly retrieve information that has previously been difficult to access. This could be information the user should not have access to and probably did not realise they had access to. This increases the risk of unintended or unauthorised use of data. Access control must therefore be closely linked to the user’s role and needs in the organisation.
The Norwegian Digitalisation Agency has prepared a guide for getting your own house in order (in Norwegian only), including a maturity model that helps public organisations map and improve information management, focusing on establishing an overview of their own data sets. This is a resource we recommend all public entities familiarise themselves with.
NTNU must first get an overview of and control over
- the system of agreements and settings for the actual cloud service that M365 Copilot sits on top of
- information management in general, including classification, categorisation and access control
- processing of personal data, including an updated and exhaustive record of processing activities
This is a challenging task, both for large organisations with a lot of data and many different systems, such as NTNU, and for smaller organisations that may not have the expertise required.
Information management
Good information management helps to achieve several goals:
- Information quality: Ensures that the information is accurate, up to date and reliable.
- Security: Protects sensitive information against unauthorised access and security breaches.
- Compliance: Helps the organisation comply with legal requirements such as the GDPR and the Freedom of Information Act.
- Efficiency: Improves workflow and decision-making by making information readily available and understandable.
- Reduced risk: Minimises the risk of data loss, legal sanctions and reputational damage.
Good information management is contingent on basic guidelines being established for how information is to be handled within the organisation. Information mapping to identify what information is available, where it is stored, and who has access is an important step and also lays the groundwork for access control. Relevant training of employees is an important responsibility for the organisation.
The success of this is contingent on robust procedures that continuously classify information based on sensitivity and legal requirements, including the GDPR. Access to the different categories of information must be limited based on objective needs. Lifecycle management from creation to archiving or deletion is also part of this process.
Modern information management requires automation and the use of tools that ensure efficient, simple and consistent processes. These tools must also be able to handle the need to regularly evaluate and update practices to adapt to changing needs and regulations, as well as support the need to conduct internal and external audits to ensure compliance with laws and internal guidelines.
Modern information management requirements can also trigger the need for organisational changes, if roles have not been established with clear mandates to support these processes.
As emphasised in the findings from the NTNU report, a tool such as M365 Copilot can affect the organisation and should primarily be considered an organisational change project and an information management project rather than an IT project.
Organisations should consider whether any processes should be adapted or changed to be able to integrate M365 Copilot effectively, as well as adapting the product to the organisation’s existing processes. This type of tool can be configured to a certain extent to meet specific needs, but it is important to understand the tool’s limitations and strengths. This will require awareness and knowledge of which measures best support the need to generate gains, as well as ensuring compliance with the requirements for accountability and legality.
Records of processing activities
All entities that process personal data must keep a record of their processing activities (Article 30). The record of processing activities must show the purpose of each processing activity, a description of whose and which personal data are processed, recipients of personal data (if applicable) and whether personal data are transferred to countries outside the EEA. The record should also, where possible, include a general description of the technical and organisational security measures referred to in Article 32(1).
Before considering whether M365 Copilot can be implemented, and in order to assess whether and how it could be implemented, an exhaustive and up-to-date record of processing activities must be in place, as already mentioned above. Then the organisation can, as a first step, assess whether M365 Copilot is suitable to be taken into use for each processing operation and, if so, how.
Using M365 Copilot will inevitably give rise to several new processing operations. This includes, as mentioned, storing each user’s log of interactions with M365 Copilot (content of interactions log). This is a new processing operation, and particular consideration must be given to its purpose, when the log should be deleted and who in the organisation should have access to it. We will also discuss the application of the Norwegian e-mail regulation below. Administrators have access to the user’s content of interactions log and have the ability to search it using eDiscovery. Other new processing operations may arise from M365 Copilot generating information when it responds to prompts, which could be personal data. It is also unclear to NTNU whether user profiling occurs, but NTNU considers it highly likely. Which new processing operations are triggered by using M365 Copilot will vary somewhat based on which settings are on or off, and these new processing operations must also be included in the record of processing activities.
Access control
In the following, we discuss access control as a security measure under Article 32 GDPR.
The general requirement pursuant to Article 32(1) GDPR is that the controller implements ‘appropriate technical and organisational measures to achieve a level of security appropriate to the risk’ in the processing of personal data. The purpose is to ensure the security measures are appropriate and proportionate to the specific risk linked to the processing operation.
The GDPR does not set out specific requirements for the content of the security measures. However, public authorities are obliged to use established standards when procuring, developing, setting up, operating and using IT solutions (Section 14 of Regulation No 959 of 5 April 2013 on IT standards in public administration). There are a number of such standards for personal data security, which all require that measures such as access control, logging and log control are in place, see, for example, ISO/IEC 27002:2022 chapters 5 and 8. Access control is a necessary element in the measures required under Article 32.
What is actually meant by access?
We have noted that the term ‘access’ is used in slightly different ways in practice when people talk about M365 Copilot. We will therefore explain in more detail what we mean by access control as a security measure.
In its findings report, NTNU emphasises the importance of ‘actively deciding which data M365 Copilot should have access to’.[3] In order to prevent the tool from being used on incorrect data, measures to control end-users’ access to data will be useful. Access control can support efforts to ensure that personal data are only used within the framework of a defined legal basis pursuant to Articles 6 and 9 GDPR. However, this does not form the core of access control as a security measure. As a security measure, the goal of access control is primarily to ensure that personal data have an appropriate level of confidentiality (Article 5(1)(f) and Article 32(1)(b) GDPR).
Example from UiO
The significance of this can be illustrated by an example from real life. On 27 June 2024, Khrono referred to a personal data breach at the University of Oslo (UiO) where job applicants’ CVs and the appointment committee’s assessments were openly available to all employees at the university.[4] As a mitigating factor, it was highlighted that the information was difficult to access. In the breach report that was sent to the Norwegian Data Protection Authority, reproduced in Khrono’s article, UiO wrote:
‘To find [the information], employees must either actively search for it, or come across it by accident. This reduces the likelihood of the information actually being exposed to unauthorised persons, and the risk of the incident causing harm to those affected, but UiO cannot rule out that personal data have unintentionally been exposed to unauthorised persons.’
Such arguments usually have some validity with respect to the assessment of whether a security breach is likely to have affected the data subject. However, this will be different for organisations using M365 Copilot. M365 Copilot retrieves information from obscure sources to which the user may not realise they have access. This increases the likelihood of personal data being exposed unlawfully.
The Norwegian Data Protection Authority’s experience is that this type of breach – where personal data are stored in places where they are available to unauthorised persons – is very common. Access control and classification of information should therefore be a priority security measure for organisations considering introducing M365 Copilot.