Outsourcing Privacy

Microsoft's new standard agreement for higher education clients would address privacy compliance by designating the company a "school official."

October 22, 2012

After several years of negotiating, a dozen colleges have reached an agreement with Microsoft that could inspire more institutions to outsource their internal communications and data storage systems to the company and its far-flung servers — even when those systems hold sensitive student and research data.

Since 2010 Microsoft had been in talks with a dozen universities about drawing up a standard contract that would address colleges and universities’ obligations under federal privacy laws such as the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). The idea was to eliminate the tedium and expense of negotiating around these compliance issues with each and every university client.

Now, after several years, those talks have finally borne fruit, according to Tracy Futhey, the chief information officer at Duke University.

Microsoft on Friday announced that it had signed up Duke, Emory and Thomas Jefferson Universities and the Universities of Iowa and Washington for its new, cloud-based e-mail and work software, Office365. The deals will save the universities on infrastructure costs by migrating various internal communication and data systems to Microsoft’s servers — a move that would have been virtually impossible without resolving FERPA and HIPAA concerns.

Many colleges have preferred to keep these data on their own servers so as to oversee privacy compliance directly instead of entrusting that task to companies like Microsoft and Google, which also offers cloud services to higher-ed institutions. (Microsoft released Office365 earlier this year to compete with Google Apps for Education, and has been promoting its new product aggressively on campuses.)

Allowing a company like Microsoft to handle federally protected medical and education records on behalf of universities requires a bit of finagling. In this case, the company “agree[d] to be designated as a ‘School Official’ with ‘legitimate educational interests’ in the Institution Data,” said a Microsoft spokeswoman via e-mail. As such, the company agreed to abide by the same privacy rules as the colleges and universities.

With a number of exceptions, FERPA bans the release of education records without the permission of the student, while HIPAA does the same for medical information on students and research subjects. In the standard contract, Microsoft assures client universities that "it will only use the institution's data for very limited purposes related to the email and productivity services and specifically state[s] that it will not engage in 'data mining' of any institution data or communications," according to its attorneys.

The idea of adopting Microsoft as a “school official” might cause some college officials to wince. But Futhey says she believes having a standard agreement for FERPA and HIPAA compliance available to other universities could make more institutions comfortable with the idea of outsourcing the storage of sensitive data to companies.

“I think it opens up a discussion that many of us felt we couldn’t have before,” she said in an interview. Before this, “we couldn’t really even have a conversation about outsourcing faculty and staff e-mail. … You couldn’t even begin to imagine a full outsourcing scenario.”


Steve Kolowich