
Page 1: HONG KONG GUIDANCE ON COMPLYING WITH ...download.microsoft.com/download/A/1/E/A1E9226A-E822-4FAD...Under the Guideline on Outsourcing, the IA does not require ICs to obtain prior approval

Page 1 of 50

HONG KONG

GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE TO

INSURANCE COMPANIES USING MICROSOFT OFFICE 365

Last updated: 1 August 2017

1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?

This guidance document provides a guide to complying with the regulatory process and requirements applicable to insurance companies (“ICs”) using Office 365 [1]. Note that other financial service institutions are subject to separate regulation in Hong Kong. Microsoft has prepared a guidance document for other financial service institutions which is available on request.

Sections 2 to 6 of this guidance set out information about the regulatory process and the regulations that apply.

Section 7 sets out questions in relation to outsourcing to a cloud services solution based on the laws, regulations and guidance that are relevant to the use of cloud services. Although there is no legal or regulatory requirement to complete a checklist like this one, we have received feedback from financial service institutions that a checklist approach like this is very helpful. The checklist can be used:

(i) as a checklist for ensuring regulatory compliance with the requirements set out in the laws, regulations and guidelines (listed in Section 2); and

(ii) as a tool to aid discussions with the regulator(s) (listed in Section 3), should they wish to discuss your organization’s overall approach to compliance with their requirements.

Annex One also contains a list of the points that ICs should “consider” when negotiating the contract for cloud computing services.

[1] Note that this document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment on the part of Microsoft or its affiliates. Instead, it is intended to streamline the regulatory process for you. You should seek independent legal advice on your technology outsourcing project and your legal and regulatory obligations. If you have any questions, please do not hesitate to get in touch with your Microsoft contact.


2. WHAT REGULATIONS AND GUIDANCE ARE RELEVANT?

The IA has developed a Guideline on Outsourcing (https://www.ia.org.hk/en/legislative_framework/files/GL14.pdf) (“Guideline on Outsourcing”) which sets out the issues that the IA expects an IC to take into account in formulating and monitoring outsourcing arrangements generally. The IA has not produced any specific guidance in relation to cloud services.

3. WHO IS/ARE THE RELEVANT REGULATOR(S)?

The Insurance Authority in Hong Kong (“IA”)

4. IS REGULATORY APPROVAL REQUIRED IN HONG KONG?

No.

Under the Guideline on Outsourcing, the IA does not require ICs to obtain prior approval before engaging service providers to provide cloud services. However, prior notification should be made in the case of entering into a new material outsourcing arrangement, or significantly varying an existing one, as provided under Section 6 of the guideline.

5. IS/ARE THERE (A) SPECIFIC FORM OR QUESTIONNAIRE(S) TO BE COMPLETED?

In the case of providing prior notification for entering into a new or significantly varying an existing material outsourcing arrangement, the Guideline on Outsourcing requires, in Annexes 2 and 3 of the guideline respectively, checklists to be used for such purpose. Suggested responses and guidance for completing these checklists can be found throughout the contents of this guidance document. Otherwise, there are no specific forms or questionnaires that an IC must complete when considering cloud computing solutions.

6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?

No.


The IA does not specifically mandate contractual requirements that must be agreed by ICs with their service providers. However, the Guideline on Outsourcing does contain a long list of matters that it says that ICs should “consider” when negotiating the contract. Appendix One contains a comprehensive list and details of where in the Microsoft contractual documents these points are covered.


7. CHECKLIST

Key:

In blue text, Microsoft has included template responses that would demonstrate how your proposed use of Microsoft’s services would address the point raised in the checklist. Some points are specific to your own internal operations and processes and you will need to complete these answers as well.

In red italics, Microsoft has provided guidance to assist you with the points in the checklist.

Ref. Question/requirement Template response and guidance

A. OVERVIEW

Section 6 of the Guideline on Outsourcing requires ICs to provide certain information regarding any ‘material outsourcing arrangement’ [2] within 30 days of entering into such an agreement or significantly varying an existing one. This section will assist you with this process as well as providing background and context information to the rest of this document.

1. Who is the proposed Service Provider?

The Service Provider is Microsoft Operations Pte Ltd, the regional licensing entity for Microsoft Corporation, a global provider of information technology devices and services, which is publicly-listed in the USA (NASDAQ: MSFT). Microsoft’s full company profile is available here: https://www.microsoft.com/en-us/news/inside_ms.aspx.

2. What service is being outsourced?

Through adoption of the Microsoft Office 365 product, which is described in more detail here: http://office.microsoft.com/en-sg/business/what-is-office-365-for-business-FX102997580.aspx

[2] For the IA’s definition of ‘material outsourcing arrangement’, see item 5 below.


Amongst other things, the Office 365 service includes:

• Microsoft Office applications hosted in the “cloud”

• Hosted email

• Web conferencing, presence and instant messaging

• Data and application hosting

• Spam and malware protection

• IT support services.

3. Where will the outsourced services be performed?

You may need to amend this depending on the final solution that you decide on.

Microsoft informs us that it takes a regional approach to hosting of Office 365 data. Microsoft is transparent in relation to the location of our data. Microsoft data center locations are made public on the Microsoft Trust Center at https://www.microsoft.com/en-us/trustcenter/default.aspx.

Microsoft enables customers to select the region from which their tenant is provisioned. Under the Online Services Terms (“OST”), Microsoft commits that if a customer provisions its tenant in the United States or EU, Microsoft will store the customer’s data at rest in the United States or EU, as applicable.

The table below will need to be amended depending on the specific solution that you are taking up.


#    Location of Data Centre    Classification of DC (Tier I, II, III or IV)    Storing your organization’s data (Y/N)
1.   [ ]                        [ ]                                             [ ]
2.   [ ]                        [ ]                                             [ ]

B. OUTSOURCING POLICY

4. Prior to the outsourcing of services, an IC should develop an outsourcing policy, approved by the Board of Directors. The IC should have appropriate documentation of its outsourcing policy and ensure that procedures are in place such that all relevant staff of the IC are fully aware of and comply with the outsourcing policy.

IA Guideline on Outsourcing, Section 5.1. The IA requires that ICs have in place a comprehensive policy on outsourcing duly approved by the board of directors of the IC. This will differ from one organization to another but the IA expects that this will cover the following specific points:

(a) The objectives of the outsourcing and criteria for approving an outsourcing arrangement;

(b) The framework for evaluating the materiality of outsourcing arrangements;

(c) The framework for a comprehensive assessment of risks involved in outsourcing;

(d) The framework for monitoring and controlling outsourcing arrangements;

(e) The identities of the parties involved and their roles and responsibilities in approving, assessing and monitoring the outsourcing arrangements and how those responsibilities may be delegated and details of any authority limits; and

(f) The review mechanism to ensure the outsourcing policy and the monitoring and control procedures are capable of accommodating changing circumstances of the IC and catering for market, legal and regulatory developments.

5. The IC should develop a framework for assessing the materiality of an outsourcing arrangement. The assessment of what is material may involve qualitative judgement and depends on the circumstances of the IC concerned.

IA Guideline on Outsourcing, Section 5.4. The IA deems a “material outsourcing” to be “an outsourcing arrangement which if disrupted or falls short of acceptable standards, would have the potential to significantly impact on an IC’s financial position, business operation, reputation or its ability to meet obligations or provide adequate services to policy holders or to conform with legal and regulatory requirements.” The IA expects you to be able to demonstrate that you have considered the materiality of the outsourcing in relation to at least the following factors:

(a) Impact on financial position, business operation and reputation of the IC if the outsourced service is disrupted or falls short of acceptable standards;

(b) Impact on the ability of the IC to maintain adequate internal controls and comply with legal and regulatory requirements if the outsourced service is disrupted or falls short of acceptable standards;

(c) Cost of outsourcing as a proportion to the total operating costs of the IC; and

(d) Degree of difficulty and time required to find an alternative Service Provider or to bring the outsourced service in-house if necessary.

6. The IC should regularly conduct reviews on the materiality of its outsourcing arrangements. If it is reassessed to be material, the IC should notify the IA forthwith.

IA Guideline on Outsourcing, Section 5.5. It would be usual to undertake such a reassessment whenever there is a change in scope; otherwise, annual reviews may be appropriate.


C. ACCOUNTABILITY

7. In any outsourcing arrangement, the Board of Directors and management of ICs should retain ultimate accountability for the outsourced activity.

IA Guideline on Outsourcing, Section 4.1. We would suggest including a list, setting out the position of the key people involved in the selection and any decision-making and approvals processes used.

Management in our organization has been involved throughout to ensure that the project aligns with our organization’s overall business and strategic objectives. At the center of our objectives are of course legal and regulatory compliance and customer satisfaction and these were the key objectives that management had in mind when it considered this project. We are satisfied that this solution will ensure legal and regulatory compliance because of the key features (including the security and regulator’s audit rights) forming part of the Office 365 service. We are also satisfied that customer satisfaction will be maintained because we believe that Office 365 will actually have some major benefits for our IT operations and, accordingly, improve the overall service that we are able to provide to customers.

8. Outsourcing can allow management to transfer their day-to-day managerial responsibility, but not accountability, for an activity or a function to a service provider. ICs should therefore continue to retain ultimate control of the outsourced activity.

IA Guideline on Outsourcing, Section 4.1.

The handing over of certain day-to-day responsibility to an outsourcing provider does present some challenges in relation to control. Essential to us is that, despite the outsourcing, we retain control over our own business operations, including control of who can access data and how they can use it. At a contractual level, we have dealt with this via our contract with Microsoft, which provides us with legal mechanisms to manage the relationship including appropriate allocation of responsibilities, oversight and remedies. At a practical level, we have selected the Office 365 product since it provides us with control over data location, authentication and advanced encryption controls. We (not Microsoft) will continue to own and retain all rights to our data and our data will not be used for any purpose other than to provide us with the Office 365 services.


D. RISK ASSESSMENT

9. The IC should ensure that the proposed outsourcing arrangement has been subject to a comprehensive risk assessment (in respect of financial, operational, legal and reputation risks and any potential losses to the customers in the event of a failure by the Service Provider (“SP”) to perform) and that all the risks identified have been adequately addressed before launch.

IA Guideline on Outsourcing, Section 5.6. Clearly the IA expects that your organization would have carried out a risk assessment. In summary, this would need to include:

• risk identification;

• analysis and quantification of the potential impact and consequences of these risks;

• risk mitigation and control strategy; and

• ongoing risk monitoring and reporting.

Ideally this should also include all of the items listed in the next section. If you have any questions when putting together a risk assessment, please do not hesitate to get in touch with your Microsoft contact.

Yes, led by our management we have carried out a thorough risk assessment of the move to Office 365. This risk assessment included:

• [ ];

• [ ]; and

• [ ].

[A copy of the risk assessment can be provided to the IA upon request.]


10. Specifically, the risk assessment should cover inter alia the following:

• the impact on the IC’s risk profile (in respect of operational, legal and reputation risks and potential losses to the customers in the event of a failure) of the outsourcing.

See IA Guideline on Outsourcing, Section 5.6.

Yes, the risk assessment covered this.

• Operational risk: We managed this through our choice of service provider (see for example, question 14), the controls we have in place to manage our relationship with the service provider (for example, our contractual agreement, service levels, access to a Microsoft technical account manager and the regulator rights of audit and inspection that we have in place) and our own internal controls (for example, our business continuity and disaster recovery plans).

• Legal risk: We have in place with Microsoft a legally-binding agreement regarding our respective roles and responsibilities in respect of the outsourcing. We chose Microsoft for this project because we believe it can help us to comply with our legal obligations – for example, the fact that Microsoft permits data audits by regulators was a key advantage over other cloud solutions that we considered.

• Reputational risk: We chose Microsoft because of its reputation in this sector. It is an industry leader in cloud computing. Office 365 is built and operated in line with ISO/IEC 27001, the international standard for information security management, which covers physical, logical, process and management controls.

• Risk of loss to customers in the event of a failure: The outsourcing will not involve critical functions so the risks are greatly minimized in this respect. In addition, Microsoft’s accredited systems and processes mean that there are robust procedures in place to prevent, detect and quickly act in relation to any service issues that do arise.


11. After ICs implement an outsourcing arrangement (or renew or vary one), they should regularly re-perform this assessment.

IA Guideline on Outsourcing, Section 5.7. The IA wants an assurance that you plan to re-perform the assessment (e.g. annually).

Yes. We will conduct regular reviews of the outsourcing [at least annually].

E. ABILITY OF THE SERVICE PROVIDER

12. Before selecting a service provider ICs should perform due diligence on the Service Provider (including considering factors such as aggregate exposure to the Service Provider, possible conflict of interests that may arise and price vis-a-vis the benefit gained in assessing and selecting a Service Provider).

IA Guideline on Outsourcing, Section 5.8.

We have undertaken thorough due diligence of Microsoft’s processes and procedures in relation to Office 365 and no concerns have arisen, including as to aggregate exposure and conflicts of interest.

As part of Microsoft’s certification requirements, it is required to undergo regular independent third party auditing, and Microsoft shares with us the independent third party audit reports. Microsoft also agrees, as part of its compliance program, to the customer’s right to monitor and supervise. We are confident that such arrangements provide us with the appropriate level of up-front and on-going assessment of Microsoft’s ability to meet our policy, procedural, security control and regulatory requirements.

13. ICs should conduct an (at least) annual assessment to confirm the adequacy of the Service Provider to ascertain whether it can continue to provide the expected level of service.

IA Guideline on Outsourcing, Section 5.9. The IA expects that you repeat your assessment of the adequacy of the Office 365 solution at least once a year. If you require any input from Microsoft, please do not hesitate to get in touch with your Microsoft contact.

14. In assessing a provider, apart from the cost factor and quality of services ICs should take into account the provider’s (a) financial soundness (and ability to continue to provide the expected level of service), (b) reputation, experience and quality of service, (c) managerial skills, (d) technical capabilities, (e) operational capability and capacity, (f) any licence, registration, permission or authorization required by law to perform the outsourced service, (g) compatibility with the IC's corporate culture and future development strategies, (h) familiarity with the insurance industry and (i) capacity to keep pace with innovation in the market.

IA Guideline on Outsourcing, Section 5.8.

(a) Financial Soundness: Microsoft Corporation is publicly-listed in the United States and is amongst the world’s largest companies by market capitalization. Microsoft’s audited financial statements indicate its strong financial position. Accordingly, we have no concerns regarding its financial strength.

(b) Reputation: Microsoft is an industry leader in cloud computing. Office 365 is built and operated in line with ISO/IEC 27001, the international standard for information security management, which covers physical, logical, process and management controls. Office 365 is used by many of the world’s top brands. Some case studies are available on https://customers.microsoft.com/en-us.

(c) Managerial skills: The fact that Microsoft already manages these services for financial institutions in leading markets around the world and that it has achieved an ISO 27001 certification (which, amongst other things, assesses management controls) gives us confidence that it has the necessary managerial skills.

(d) Technical capabilities: Microsoft’s independently audited ISO 27001 certification gives us confidence that it has the technical capability required for the service.

(e) Operational capability and capacity: Microsoft has demonstrated its operational capability through its reputation (see above) and its ISO 27001 certifications and we have no concerns as to its operational capacity as it is one of the largest providers of cloud computing services in the world.

(f) Licence, registration, permission or authorization required by law to perform the outsourced service: We are not aware of any licence, registration, permission or authorization required by the service provider to perform the services that it does not already have in place. The service provider is already providing such services to numerous financial institutions around the world.

(g) Compatibility with the IC’s corporate culture and future development strategies: We are confident that the use of Office 365 will align well with our corporate culture and the fact that the service is scalable (i.e. it can be expanded or reduced to meet our demand) means that it is compatible with our future development strategy.

(h) Familiarity with the insurance industry: Financial services institutions (“FSIs”), including insurance company customers, in leading markets, including in the UK, France, Germany, Australia, Singapore, Canada, the United States and many other countries, have performed their due diligence and, working with their regulators, are satisfied that Office 365 meets their respective regulatory requirements. This gives us confidence that the service provider is able to help meet the high burden of financial services regulation and is experienced in meeting and understanding these requirements.

Where you have taken it up you may also add: [This is further evidenced by Microsoft’s Compliance Framework Program which shows that Microsoft has given consideration to the unique requirements of the insurance industry (see further details below).]

(i) Capacity to keep pace with innovation in the market: Microsoft has the financial, operational and managerial capacity to lead innovation in the cloud computing market and it has demonstrated this to date.

F. OUTSOURCING AGREEMENT

15. An outsourcing arrangement should be undertaken in the form of a legally binding written agreement.

IA Guideline on Outsourcing, Section 5.

We have in place a legally binding written agreement. This is in the form of Microsoft’s Service Level Agreement (“SLA”) and its Microsoft Business and Services Agreement (“MBSA”). Amongst other things, they provide details of the contractual liabilities and obligations of Microsoft (one of which is a contractual 99.9% uptime guarantee for the Office 365 product).

Please find a copy of the SLA at: https://www.microsoft.com/en-us/Licensing/product-licensing/products.aspx

The MBSA is available upon request.

16. The IC should consider the

following when negotiating

the contract:

(a) Scope of the

outsourced service;

(b) Location where the

outsourced service

will be performed;

(c) Effective period of

the outsourcing

arrangement;

(d) Contractual

obligations and

liabilities of the IC

and the Service

Provider;

(e) Performance

standards to be

IA Guideline on Outsourcing, Section 5.10.

Taking each of the points in turn:

(a) Scope of the outsourced service: See responses to questions 2 and 3 above. The contract pack

comprehensively sets out the scope of the arrangement, the respective commitments of the parties, the online

services ordered and relevant price level information. The core features of Office 365 Services are broadly

described in the Online Services Terms (“OST”), with contractual commitment from Microsoft that during the term

of the subscription, the Office 365 Services will substantially conform to any core features description provided,

subject to product restrictions or external factors. Microsoft may permanently eliminate a core feature only if it

provides a reasonable alternative functionality.

(b) Location where the outsourced service will be performed: See response to question 4 above.

(c) Effective period of the outsourcing arrangement: EAs have a [three] year term, and may be renewed for a

further [three] year term.

(d) Reporting or notification requirements that the IC may wish to impose on the Service Provider: See

response to (f) below.

(e) Performance standards: See in particular the detailed performance standards and commitments set out in the

SLA and the MBSA above. These specify clearly the performance standards of Microsoft (for example, a 99.9%

uptime) and other obligations of Microsoft (for example, its obligations to provide access in the event of an

Page 15: HONG KONG GUIDANCE ON COMPLYING WITH ...download.microsoft.com/download/A/1/E/A1E9226A-E822-4FAD...Under the Guideline on Outsourcing, the IA does not require ICs to obtain prior approval

Page 15 of 50

Ref. Question/requirement Template response and guidance

attained in respect of

the outsourced

service. This is

particularly

appropriate when

the IC has

committed to a

service standard or

performance pledge

to its customers;

(f) Reporting or

notification

requirements that

the IC may wish to

impose on the

Service Provider;

(g) The way in which

the IC and the

Service Provider

should monitor the

performance under

the agreement (e.g.

evaluation of

performance through

service delivery

audit/inspection). They also cover clearly the issue of software and hardware ownership (the software and hardware are both owned by Microsoft, but their use is licensed to us as users of the Office 365 service).

(f) Reporting or notification requirements: As detailed below, Microsoft provides real-time information to us via the administrative dashboard. In our agreement with Microsoft, it agrees that it will notify us if it becomes aware of any security incident, and will take reasonable steps to mitigate the effects and minimize the damage resulting from the security incident.

(g) Performance monitoring: The extent of the rights to monitor performance that Microsoft provides was a key differentiator from other service providers and a reason why we selected Microsoft. We may monitor the performance of the online services via the administrative dashboard, which includes information on Microsoft's compliance with its SLA commitments. Pursuant to the terms of the OST, which is incorporated into the contract, we can review the manner in which Microsoft provides the online services. As set out in the OST, we are entitled to access the Microsoft Online Services Information Security Policy, which is the document in which Microsoft sets out its information security management processes. Microsoft also commits to provide us with its audit report, which is performed by an independent third party and measures compliance against Microsoft's certifications.

(h) Information and asset ownership rights, information security and protection of confidential information: The agreement ensures that we retain the rights in all of our intellectual property and data. The MBSA deals with confidentiality. The MBSA also states that Microsoft and the customer each commit to comply with all applicable privacy and data protection laws and regulations. We retain the ability to access our customer data at all times, and Microsoft will deal with customer data in accordance with the requirements under the OST. In summary, following termination Microsoft will delete the customer data after a 90-day retention period. Finally, from a technical perspective, the wide availability and usage of Microsoft's products means that customer data can be extracted in a format that is readily reusable.


Ref. Question/requirement Template response and guidance

Question/requirement (cont.): reports, periodic self-certifications, independent reviews by the IC's or the service provider's auditors); (h) Information and asset ownership rights, information technology security and protection of confidential information; (i) Rules and restrictions on sub-contracting of the outsourced service. The IC should retain the ability to maintain similar control over its outsourcing risks when a Service

Template response and guidance (cont.): Microsoft also makes specific commitments with respect to customer data in the OST. In summary, Microsoft commits that:

• Ownership of customer data remains at all times with us.

• Customer data will only be used to provide the online services to us. Customer data will not be used for any other purposes, including for advertising or other commercial purposes.

• Microsoft will not disclose customer data to law enforcement unless it is legally obliged to do so, and only after it has been unable to redirect the request to the customer.

• Microsoft will implement and maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect customer data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction.

• Microsoft will notify us if it becomes aware of any security incident, and will take reasonable steps to mitigate the effects and minimize the damage resulting from the security incident.

• Microsoft commits to reimburse our reasonable remediation costs incurred as a consequence of a security incident involving customer data (see FSA under "Security Incident Notification").

• See also the responses further on in this document in relation to security and confidentiality.

(i) Rules and restrictions on sub-contracting: Microsoft is permitted to hire subcontractors under the OST. Microsoft maintains a list of authorized subcontractors for Office 365 that have access to customer data and provides us with a mechanism to obtain notice of any updates to that list. The actual list can be accessed via https://www.microsoft.com/en-us/trustcenter/Privacy/Who-can-access-your-data-and-on-what-


Question/requirement (cont.): Provider uses a sub-contractor; (j) Remedial action and escalation process for dealing with inadequate performance; (k) Contingency planning of the Service Provider to provide business continuity for the outsourced service; (l) Management and approval process for changes to the outsourcing arrangement; (m) Conditions under which the IC or Service Provider can terminate the

Template response and guidance (cont.): terms#subcontractors. Contractually, if we do not approve of a subcontractor that will be given access to our data being added to the list, we are entitled to terminate our subscription to the Office 365 services.

Microsoft commits that any subcontractors to whom Microsoft transfers our data will have entered into written agreements with Microsoft that are no less protective than the data processing terms in the OST, and that Microsoft remains contractually responsible (and therefore liable) for its subcontractors' compliance with Microsoft's obligations in the OST. In addition, Microsoft's commitment to ISO 27001 and ISO 27018 requires Microsoft to ensure that its subcontractors are subject to the same security controls as Microsoft is subject to.

(j) Remedial action and escalation process: See our response below in relation to remedial action and escalation processes for dealing with inadequate performance.

(k) Contingency planning and business continuity: Business Continuity Management forms part of the scope of the accreditations that Microsoft maintains in relation to the online services, and Microsoft commits to maintain a data security policy that complies with these accreditations. Business Continuity Management also forms part of the scope of Microsoft's annual third-party compliance audit. See also our response below in relation to contingency planning.

(l) Management and approval of change: Changes to the MBSA have to be agreed by the parties in writing. You may also wish to consider your own internal approval/sign-off processes for changes.

(m) Termination: The Enrollment under which online services are ordered is for an initial [three] year period. There is no general exit right under the Enrollment; however, in case of breach, termination rights are provided under the EA. There are also license subscription reduction provisions in the Enrollment which we may utilize to reduce the number of online services subscriptions to a stated minimum number, which if exercised could substantially relieve our subscription obligation. The OST and the FSA further set out situation-specific termination rights that we are entitled to, e.g. where we do not approve the addition of a new subcontractor which has access to our customer


Question/requirement (cont.): outsourcing agreement; (n) Termination agreement, including intellectual property and information rights and clarification of the process to ensure the smooth transfer of the outsourced service either to another Service Provider or back to the IC; (o) Guarantee or indemnity from the Service Provider (e.g. an indemnity to the effect that any sub-contracting by the Service Provider of the outsourced service will be the responsibility of the

Template response and guidance (cont.): data, or where the IA expressly directs, or where we are unable to comply with new laws or regulatory requirements as a result of the use of the online services.

(n) Termination issues and transfer: In the event of cessation, we can either move back on premises or to an alternate Service Provider. Microsoft is contractually required to hold our data for an agreed period to enable such a transition to occur in an orderly manner. In relation to any data and assets of ours, post termination, Microsoft uses best-practice procedures and a wiping solution that is NIST SP 800-88 compliant. For hard drives that cannot be wiped, it uses a destruction process (e.g. disintegrate, shred, pulverize, or incinerate) that renders the recovery of information impossible. The appropriate means of disposal is determined by the asset type. Records of the destruction are retained. All Microsoft Online Services utilize approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end of their life cycle. Secure disposal or re-use of equipment and disposal of media is also covered under the ISO 27001 standard against which Microsoft is certified.

(o) Liability for sub-contracting: The MBSA deals with liability. Microsoft remains liable for the actions and inactions of its sub-contractors.

(p) Insurance requirement: Microsoft maintains self-insurance arrangements for many of the areas where third-party insurance is typically obtained. Microsoft has taken the commercial decision to take this approach, and does not believe that this detrimentally impacts its customers given that Microsoft is an extremely substantial entity.

(q) Disputes handling: The MBSA contains provisions that describe how a dispute under the contract is to be conducted.

(r) Auditor access: Microsoft provides audit and examination rights for the IA under the FSA. The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. In addition, the FSA details the examination and influence rights


Question/requirement (cont.): Service Provider, including liability for any failure on the part of the sub-contractor; (p) Requirement for the Service Provider to hold relevant insurance; (q) Mechanism to resolve disputes that might arise under the outsourcing arrangement; (r) The Service Provider's agreement to allow access by the auditors and actuaries of the IC and the IA to any books, records and information which facilitate them to

Template response and guidance (cont.): that are granted to us and the IA. The "Regulator Right to Examine" sets out a process which can culminate in the regulator's examination of Microsoft's premises. We also have the opportunity to participate in Microsoft's Customer Compliance Program, which is a for-fee program that facilitates our ability to (a) assess the services' controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft's ability to provide the services, and (e) provide feedback on areas for improvement in the services.

Microsoft also offers a Compliance Framework Program. If you take up the Compliance Framework Program, you may add this additional information about its key features: the regulator audit/inspection right, access to Microsoft's security policy, the right to participate in events to discuss Microsoft's compliance program, and the right to receive audit reports and updates on significant events, including security incidents, risk-threat evaluations and significant changes to the business resumption and contingency plans.

(s) Governing law: Our contract with Microsoft is subject to Washington State law [upon which we have obtained separate legal advice to ensure that we are comfortable with the protection and control afforded to us].


Question/requirement (cont.): discharge their statutory duties and obligations; (s) Governing law of the outsourcing agreement. The agreement should preferably be governed by Hong Kong law.

G. SUB-CONTRACTING

17. The IC should put in place adequate procedures to control and monitor any sub-contracting arrangements and ensure that the Service Provider will take into account the essential issues covered in this document as if it was the IC concerned

IA Guideline on Outsourcing, Section 5.20.

Microsoft is permitted to hire subcontractors under the OST. Microsoft maintains a list of authorized subcontractors for Office 365 that have access to our data and provides us with a mechanism to obtain notice of any updates to that list. The actual list can be accessed via the Microsoft Trust Center at https://www.microsoft.com/en-us/trustcenter/default.aspx. Contractually, if we do not approve of a subcontractor that will be given access to our data being added to the list, we are entitled to terminate our subscription to the Office 365 services.


Question/requirement (cont.): when further contracting out the service.

18. The IC should incorporate in the outsourcing agreement rules and restrictions on sub-contracting, e.g. requiring the IC's prior consent for the sub-contracting and making the Service Provider liable for the capability of the sub-contractor.

IA Guideline on Outsourcing, Section 5.21.

Our contract with Microsoft, as detailed above, states that Microsoft remains responsible for its subcontractors' compliance with the contract. All subcontractors used have entered into written agreements with Microsoft requiring that the subcontractor abide by terms no less protective than the relevant parts of the contract we have with Microsoft. The list of all subcontractors is available for us to see.

19. The IC should ensure that its Service Provider would not engage in sub-contracting arrangements which may impede its ability to carry out the provisions of the outsourcing agreement with the IC, in particular the requirements on information confidentiality, contingency planning and information access rights by the regulator.

IA Guideline on Outsourcing, Section 5.21.

Microsoft assures us that it would not engage in sub-contracting arrangements which would impede such ability. In particular, it assures us that it contractually obligates its subcontractors to security and privacy standards equivalent to its own, and that Microsoft subcontractors only handle our data when required to provide or maintain the services. Nothing in such arrangements would prevent us from meeting obligations that we may have in relation to contingency planning and information access rights by the regulator. In particular, our contract with Microsoft states that subcontractors are prohibited from using customer data other than for the purposes of delivering the specific services they have been retained to provide, and that any subcontractors to whom Microsoft transfers Customer Data, even those used for storage purposes, will have entered into written agreements with Microsoft requiring that the subcontractor abide by terms no less protective than the data and confidentiality provisions of our contract with Microsoft.


H. CUSTOMER DATA CONFIDENTIALITY

20. ICs should ensure that the proposed outsourcing arrangement complies with relevant statutory requirements (e.g. the Personal Data (Privacy) Ordinance ("PDPO")) and common law customer confidentiality.

IA Guideline on Outsourcing, Section 5.12.

Microsoft recommends that you seek legal advice on the use of cloud computing services in relation to statutory/regulatory/common law requirements.

We are confident that the proposed use of Office 365 complies with relevant statutory requirements, including the PDPO and common law confidentiality requirements.

Microsoft as an outsourcing partner is an industry leader in cloud security and implements policies and controls on par with or better than the on-premises data centers of even the most sophisticated organizations. In relation to the PDPO, Office 365 includes the following features and commitments from Microsoft to ensure compliance with the requirements of the PDPO: (i) Microsoft will not use our data for purposes other than providing the services; (ii) Microsoft has security policies, controls and security measures which are verified by independent auditors. These measures include security features in its hardware, software and physical data centers, and restricted physical data center access; Office 365 is ISO 27001 and ISO 27018 compliant, and data is encrypted both at rest and in transit over the network between the data center and the user. Note that encryption at rest and in transit protects the data against interception and against loss or theft of physical media; it does not by itself restrict Microsoft's own operational access, which is governed by the role-based access control and lockbox processes described under item 21 below; (iii) Microsoft will inform us promptly if our data has been accessed improperly; (iv) there are specific data retention and deletion commitments in the OST governing the handling of our data at the end of the service term.

Microsoft commits to comply with ISO 27018. In February 2015, Microsoft became the first major cloud provider to adopt the world's first international standard for cloud privacy, ISO 27018. The standard was developed by the International Organization for Standardization (ISO) to establish a uniform, international approach to protecting privacy for personal data stored in the cloud. The British Standards Institution (BSI) has independently verified that Microsoft is aligned with the standard's code of practice for the protection of Personally Identifiable Information (PII) in the public cloud. The controls


set out in ISO 27018 match the protections required by the PDPO. For more information on this, please see http://blogs.microsoft.com/on-the-issues/2015/02/16/microsoft-adopts-first-international-cloud-privacy-standard/.

In choosing Microsoft, we also took into account the fact that Microsoft offers access and audit rights, thereby allowing us to comply with our regulatory obligations in this respect.

21. ICs should have controls in place to ensure that the requirements of customer data confidentiality are observed and proper safeguards are established to protect the integrity and confidentiality of customer information.

IA Guideline on Outsourcing, Section 5.12.

Microsoft recommends that you seek legal advice as to PDPO requirements.

As above, Microsoft as an outsourcing partner is an industry leader in cloud security and implements policies and controls on par with or better than the on-premises data centers of even the most sophisticated organizations. Office 365 is built on the ISO 27001 standard, a rigorous set of global controls covering physical, logical, process and management domains. In particular:

• Undertakings by the service provider that the company and its staff will abide by confidentiality rules, including taking account of the data protection principles set out in the PDPO: Yes. We have contractual confidentiality terms in our agreements with Microsoft.

• ICs' contractual rights to take action against the service provider in the event of a breach of confidentiality: Yes. Under our contractual terms with Microsoft, we would expect to have a breach of contract claim in the event of a breach of confidentiality.

• Segregation or compartmentalization of ICs' customer data from that of the service provider and its other clients: Yes. Data storage and processing is segregated through the Active Directory structure and capabilities specifically developed to help build, manage, and secure multi-tenant environments. Active Directory isolates


customers using security boundaries (also known as silos). This safeguards a customer's data so that the data cannot be accessed or compromised by other parties.

• Access rights to ICs' data delegated to authorized employees of the service provider on a need-to-know basis: Yes. Microsoft applies strict controls over which personnel roles and individuals will be granted access to customer data. Personnel access to the IT systems that store customer data is strictly controlled via role-based access control ("RBAC") and lockbox processes. Access control is an automated process that follows the separation-of-duties principle and the principle of least privilege. This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a background screen, fingerprinting, required security training and access approvals. In addition, access levels are reviewed on a periodic basis to ensure that only users who have an appropriate business justification have access to the systems.

22. ICs should notify their customers in general terms of the possibility that their data may be outsourced and the circumstances under which their data may be disclosed or lost.

IA Guideline on Outsourcing, Section 5.13. Where you have existing outsourcing arrangements in place, you will already have such notifications in place. If so, contracting for Office 365 should not require additional notifications. Microsoft recommends that you seek legal advice on your privacy policies and consent mechanisms to ensure that they comply with applicable law. If you require any information from Microsoft, please get in touch with your Microsoft contact.

23. In the event of a termination of the outsourcing agreement, for whatever reason, ICs should ensure that all customer data is either retrieved from the

IA Guideline on Outsourcing, Section 5.13.

As detailed above, Microsoft uses best-practice procedures and a wiping solution that is NIST SP 800-88 compliant. For hard drives that cannot be wiped, it uses a destruction process (e.g. disintegrate, shred, pulverize, or incinerate) that renders the recovery of information impossible. The appropriate means of disposal is determined by the asset type. Records of the destruction are retained. All Microsoft Online Services utilize approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end-of-


Question/requirement (cont.): service provider or destroyed.

life cycle. Secure disposal or re-use of equipment and disposal of media is covered under the ISO 27001 standard against which Microsoft is certified.

24. ICs should notify the IA forthwith of any unauthorized access or breach of confidentiality by the Service Provider or its sub-contractor that affects the IC or its customers.

IA Guideline on Outsourcing, Section 5.14. This is an internal process matter. However, please note that nothing in your contractual arrangement with Microsoft would prevent or hinder you from meeting this obligation. Microsoft's own commitment (see above) is to notify you when it becomes aware of a security incident; the notification to the IA remains your obligation, so your incident response procedure should treat a Microsoft incident notification as a trigger for the IA notification.

I. MONITORING AND CONTROL

25. ICs should have sufficient and appropriate resources in place to monitor and control the outsourcing arrangements at all times. Such monitoring should cover, inter alia, ensuring that the service is being delivered in the manner expected and to ensure that the provisions included in the outsourcing

IA Guideline on Outsourcing, Section 5.15. You may also in this context wish to refer to any internal monitoring procedures you are putting in place.

Yes. Microsoft's SLA applies to the Office 365 product. Our IT administrators also have access to the Office 365 Service Health Dashboard, which provides real-time and continuous monitoring of the Office 365 service. The Service Health Dashboard provides our IT administrators with information about the current availability of each service or tool (and the history of availability status), details of any service disruption or outage, and scheduled maintenance times. The same information is provided via an RSS feed, so it can be ingested into our own monitoring tooling rather than checked by hand.

Amongst other things, Microsoft provides a contractual 99.9% uptime guarantee for the Office 365 product, and the contract covers performance monitoring and reporting requirements which enable us to monitor Microsoft's performance on a continuous basis against service levels. Note that a 99.9% monthly commitment still permits roughly 43 to 45 minutes of downtime in a month (0.1% of the minutes in the month), so the SLA is a financial remedy for under-performance rather than a promise of uninterrupted service; the contingency plan under Section J should assume that outages within that allowance will occur.


Question/requirement (cont.): agreement are properly effected.

Please find a copy of the SLA at: https://www.microsoft.com/en-us/Licensing/product-licensing/products.aspx
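As an added example (not part of this guidance and not Microsoft's own tooling), the following Python script shows how the RSS information mentioned above can be turned into a continuous SLA check: it parses a constructed service-health feed, clips each incident to a calendar month, and compares the measured uptime per service with the 99.9% commitment. The feed content, the service names and the "Start:"/"End:" layout of the item descriptions are assumptions made for this example; the real feed's item format should be checked against the dashboard before relying on the parser.

```python
"""Added example: SLA check over an Office 365 service-health RSS feed.

Written for this guidance page, not by Microsoft. The feed below is
constructed, and the item layout (service name in <title>, "Start:"/"End:"
UTC timestamps in <description>) is an assumption, not a documented schema.
"""
import calendar
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SLA_UPTIME_PERCENT = 99.9  # monthly uptime commitment quoted on this page

# Constructed sample feed (not real Microsoft data): two closed incidents and
# one still open at month end.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed service health feed</title>
<item><title>Exchange Online - Service degradation</title>
<description>Start: 2017-07-03T08:00:00Z End: 2017-07-03T08:50:00Z</description></item>
<item><title>SharePoint Online - Service interruption</title>
<description>Start: 2017-07-10T21:15:00Z End: 2017-07-10T21:25:00Z</description></item>
<item><title>Exchange Online - Service interruption</title>
<description>Start: 2017-07-31T23:30:00Z End: (ongoing)</description></item>
</channel></rss>"""

_TS = r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)"


def _parse_ts(text, label):
    """Return the UTC timestamp following `label:` in text, or None if absent."""
    m = re.search(label + r":\s*" + _TS, text)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_feed(xml_text):
    """Parse RSS items into service/status/start/end records; end is None while open."""
    incidents = []
    for item in ET.fromstring(xml_text).iter("item"):
        title = item.findtext("title", "")
        desc = item.findtext("description", "")
        service, _, status = title.partition(" - ")
        start = _parse_ts(desc, "Start")
        if start is None:
            continue  # advisories without a start time carry no downtime
        incidents.append({"service": service.strip(), "status": status.strip(),
                          "start": start, "end": _parse_ts(desc, "End")})
    return incidents


def allowed_downtime_minutes(year, month, sla=SLA_UPTIME_PERCENT):
    """Minutes of downtime the monthly SLA tolerates before it is breached."""
    minutes_in_month = calendar.monthrange(year, month)[1] * 24 * 60
    return minutes_in_month * (100.0 - sla) / 100.0


def monthly_uptime(incidents, year, month):
    """Uptime percentage per service (only services with incidents) for a UTC month.

    Incidents are clipped to the month; an incident with no end time is counted
    as down until the end of the month, which is the conservative reading.
    """
    month_start = datetime(year, month, 1, tzinfo=timezone.utc)
    month_end = month_start + timedelta(days=calendar.monthrange(year, month)[1])
    minutes_in_month = (month_end - month_start).total_seconds() / 60
    downtime = {}
    for inc in incidents:
        lo = max(inc["start"], month_start)
        hi = min(inc["end"] or month_end, month_end)
        if hi > lo:
            downtime[inc["service"]] = downtime.get(inc["service"], 0.0) + (hi - lo).total_seconds() / 60
    return {svc: 100.0 * (minutes_in_month - mins) / minutes_in_month
            for svc, mins in downtime.items()}


def sla_breaches(incidents, year, month, sla=SLA_UPTIME_PERCENT):
    """Services whose measured uptime fell below the SLA commitment this month."""
    return sorted(svc for svc, pct in monthly_uptime(incidents, year, month).items() if pct < sla)


if __name__ == "__main__":
    incs = parse_feed(SAMPLE_FEED)
    print("Allowed downtime (min):", round(allowed_downtime_minutes(2017, 7), 2))
    for svc, pct in monthly_uptime(incs, 2017, 7).items():
        print(f"{svc}: {pct:.3f}%")
    print("Breaches:", sla_breaches(incs, 2017, 7))
```

Run as-is it evaluates the constructed July 2017 sample; in practice the feed would be fetched on a schedule and the per-month results kept as the monitoring record that the regular audits (item 28) and the central list (item 26) expect. Counting an open incident as down until month end is deliberate: it errs on the side of flagging a breach that a later correction can withdraw, rather than silently under-reporting.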

26. The IC should maintain a central list of the outsourcing arrangements including the name of the Service Provider, service outsourced, commencement date, expiry or renewal date, and contact details of key Service Provider personnel. The list should also record similar information relating to any sub-contracting arrangement of the outsourced service.

IA Guideline on Outsourcing, Section 5.15. The IA is looking for assurance that you have these records. The information we have included at the top of this document will assist with this, in conjunction with the information contained in our contractual arrangements. The Microsoft subcontractor list referenced above is the source for the sub-contracting entries on this list.

27. Responsibility for monitoring the service provider and the outsourced activity should be assigned to staff with appropriate expertise.

IA Guideline on Outsourcing, Section 5.15. If requested by the IA, Microsoft would suggest that you provide details of the relevant personnel and a brief summary of their experience.


28. The control procedures over the outsourcing arrangement should be subject to regular audits by the IC (at least annually).

IA Guideline on Outsourcing, Section 5.15. The IA expects that your internal audit function would regularly review the outsourcing arrangement, so you will need to confirm this. Nothing in your contract with Microsoft would hinder this.

29. ICs should establish reporting procedures which can promptly escalate problems relating to the outsourced activity to the attention of the management of the IC and their service providers. The IC should then take appropriate rectification actions forthwith if deficiencies are identified.

IA Guideline on Outsourcing, Section 5.16. Below are details of the escalation processes that Microsoft provides. You should add to this your own escalation processes and any commitments to rectify issues that are identified.

Service Provider Escalation

As part of the support we receive from Microsoft we have access to a technical account manager who is responsible for understanding our challenges and providing expertise, accelerated support and strategic advice tailored to our organization. This includes both continuous hands-on assistance and immediate escalation of urgent issues to speed resolution and keep mission-critical systems functioning. We are confident that such arrangements provide us with the appropriate mechanisms for managing performance and problems.

Internal escalation

[ ] You will need to describe your process for how any issues will be escalated internally.

30. The IC should notify the IA forthwith of any significant problem that has the potential to materially affect its financial position, business operation or

IA Guideline on Outsourcing, Section 5.16. The IA is looking for a commitment that you will do this. Nothing in your contract with Microsoft would hinder you from complying with this.


Question/requirement (cont.): compliance with legal and regulatory requirements.

J. CONTINGENCY PLANNING

31. ICs should develop a contingency plan to ensure that their business would not be disrupted as a result of undesired contingencies (e.g. systems failure) of the service provider. This should also include procedures to be followed and the people responsible for respective activities if business continuity problems arise.

IA Guideline on Outsourcing, Section 5.17. The IA clearly expects you to have a contingency plan in place, covering disaster recovery/business continuity. This would usually include:

• performing a business impact analysis of a disaster situation;

• considering the internal mechanisms to deal with such a situation; and

• considering Office 365's own disaster recovery and business continuity safeguards.

The IA also requires that you specify your internal processes in the contingency plan and set out the people in your business who will be responsible in the event of issues arising.

The following outlines Office 365's own disaster recovery and business continuity safeguards, which should be useful to incorporate into your contingency plan:

Redundancy

• Physical redundancy at server, data center, and service levels.

• Data redundancy with robust failover capabilities.

• Functional redundancy with offline functionality.


Resiliency

• Active load balancing.

• Automated failover with human backup.

• Recovery testing across failure domains.

Distributed Services

• Distributed component services like Exchange Online, SharePoint Online, and Lync Online limit the scope and impact of any failure in a component.

• Directory data replicated across component services insulates one service from another in any failure event.

• Simplified operations and deployment.

Monitoring

• Internal monitoring built to drive automatic recovery.

• Outside-in monitoring raises alerts about incidents.

• Extensive diagnostics provide logging, auditing, and granular tracing.


Simplification

• Standardized hardware reduces issue isolation complexities.

• Fully automated deployment models.

• Standard built-in management mechanism.

Human backup

• Automated recovery actions with 24/7 on-call support.

• A team with diverse skills on call provides rapid response and resolution.

• Continuous improvement by learning from the on-call teams.

Continuous learning

• If an incident occurs, Microsoft does a thorough post-incident review every time.

• Microsoft's post-incident review consists of an analysis of what happened, Microsoft's response, and Microsoft's plan to prevent it in the future.

In the event the organization is affected by a service incident, Microsoft shares the post-incident review with the organization.


32. Procedures should be in place for regular reviews and testing of the contingency plan.

IA Guideline on Outsourcing, Section 5.17.

Microsoft carries out disaster recovery testing at least once per year. Please see also above for a summary of the disaster recovery/business continuity safeguards provided as part of the Office 365 service. Note that this testing exercises Microsoft's plan; the IA's requirement here is that your own contingency plan is reviewed and tested, so your internal procedures (including any fallback to on-premises systems or to an alternative provider) should be exercised on a schedule you record.

33. Contingency arrangements in respect of daily operational and systems problems would normally be covered in the service provider’s own contingency plan. ICs should ensure that they have an adequate understanding of their service provider’s contingency plan and consider the implications for their own contingency planning in the event that an outsourced service is interrupted due to failure of the service provider’s system.

IA Guideline on Outsourcing, Section 5.18. The IA requirements indicate the importance of you understanding the disaster recovery/business continuity safeguards forming part of Office 365. As such, if you have any questions about these, please do not hesitate to get in touch with your Microsoft contact.

Please see above for a summary of the disaster recovery/business continuity safeguards provided as part of the Office 365 service.

34. In establishing a viable contingency plan, ICs should consider, among other things, the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency.

IA Guideline on Outsourcing, Section 5.17(a). The IA clearly expects you to have a plan in place if you did decide to stop using the Office 365 service.

To ensure control, transparency and consistency, it is necessary for the applications and services forming part of Office 365 to be provided by one provider (i.e. Microsoft). Because of the due diligence and risk management processes we have implemented, we are of the view that use of Office 365 would not represent an excessive reliance on a service provider. The terms of our contract with Microsoft do not limit our right to move to another provider (or to revert to a local, non-cloud based offering, such as Microsoft Office) should we choose to do so.

K. ACCESS TO OUTSOURCED DATA

35. ICs should ensure that appropriate up-to-date records are maintained in their premises and kept available for inspection by the IA and that data retrieved from the service providers are accurate and available in Hong Kong on a timely basis. Access to data by the IA’s examiners and the IC’s internal and external auditors should not be impeded by the outsourcing. ICs should ensure that the outsourcing agreement with the service provider contains a clause which allows for supervisory inspection or review of the operations and controls of the service provider as they relate to the outsourced activity.

IA Guideline on Outsourcing, Section 4.

The terms of our contract with Microsoft provide that, if a regulator requests, Microsoft will provide the regulator a direct right to examine the relevant service, including the ability to conduct an on-premises examination; to meet with Microsoft personnel and Microsoft’s external auditors; and to access related information, records, reports and documents. The customer will at all times have access to its data using the standard features of Office 365, and may delegate its access to its data to representatives of the IA.

L. ADDITIONAL CONCERNS IN RELATION TO OVERSEAS OUTSOURCING

36. ICs should understand the risks arising from overseas outsourcing, taking into account relevant aspects of an overseas country (e.g. legal system, regulatory regime, sophistication of technology, infrastructure and the ability of the IC to monitor the outsourced service and the SP).

IA Guideline on Outsourcing, Section 5.19. The answer to this question will depend on the region you are in. You may discuss this with your Microsoft contact. Microsoft enables customers to select the region from which their service is provisioned.

Office 365 is hosted out of […..]. This/These location(s) has/have been vetted for geopolitical/socioeconomic risks as set out in this checklist requirement. As part of our usual processes, we constantly monitor the countries in which we operate.

a. Political (i.e. cross-border conflict, political unrest etc.). Office 365 offers data-location transparency so that organizations and regulators are informed of the jurisdiction(s) in which data is hosted. We are confident that Microsoft’s data center locations offer stable political environments.

b. Country/socioeconomic. Office 365 offers data-location transparency so that organizations and regulators are informed of the jurisdiction(s) in which data is hosted. The centers are strategically located around the world, taking into account country and socioeconomic factors. We are confident that Microsoft’s data center locations offer stable socioeconomic environments.

c. Infrastructure/security/terrorism. Microsoft’s data centers are built to exacting standards, designed to protect customer data from harm and unauthorized access. Data center access is restricted 24 hours per day by job function so that only essential personnel have access. Physical access control uses multiple authentication and security processes, including badges and smart cards, biometric scanners, on-premises security officers, continuous video surveillance and two-factor authentication. The data centers are monitored using motion sensors, video surveillance and security breach alarms.

d. Environmental (i.e. earthquakes, typhoons, floods). Environmental controls have been implemented to protect the data centers, including temperature control, heating, ventilation and air-conditioning, fire detection and suppression systems and power management systems, 24-hour monitored physical hardware and seismically-braced racks. Microsoft data centers are built in seismically safe zones. These requirements are covered by Microsoft’s ISO 27001 accreditation for Office 365.

e. Legal and regulatory system. We will have in place a binding negotiated contractual agreement with Microsoft in relation to the outsourced service, giving us direct contractual rights. We also took into account the fact that Office 365 is built based on ISO 27001 standards, a rigorous set of global standards covering physical, logical, process and management controls. Finally, we took into account the fact that Microsoft offers access and regulator audit rights, thereby allowing us to comply with our regulatory obligations in this respect.

f. Monitoring. Our contract with Microsoft provides extensive monitoring rights for us and for the IA.

37. Right of access to customers’ data by overseas authorities such as the police and tax authorities. ICs should, as considered appropriate, seek legal advice to clarify the position. ICs should notify the IA if overseas authorities seek access to their customers’ data.

IA Guideline on Outsourcing, Section 5.19. The answer to this question will partly depend on the region you are in. You may discuss this with your Microsoft contact. Microsoft enables customers to select the region from which their service is provisioned, and adopts strict processes in dealing with disclosure requests by third parties and authorities. Microsoft recommends that you obtain a legal opinion on this matter from an international or other reputable legal firm in the country where your data will be hosted.

Microsoft is transparent in relation to the location of our data. Office 365 is hosted out of […..]. This/These location(s) has/have been thoroughly vetted and the circumstances in which the authorities may have rights to access customer information are not considered unwarranted. Microsoft data center locations are made public on the Microsoft Trust Center.

Microsoft also provides contractual commitments on how data disclosure requests from authorities will be handled. Microsoft will not disclose our data to law enforcement unless required by law. If law enforcement contacts Microsoft with a demand for our data, Microsoft will attempt to redirect the law enforcement agency to request that data directly from us. If compelled to disclose our data to law enforcement, Microsoft will promptly notify us and provide a copy of the demand unless legally prohibited from doing so. Over the past years, Microsoft has taken multiple court actions to challenge different law enforcement data disclosure requests and has, through these actions, established a track record and demonstrated how it complies with its contractual commitment in this regard.

38. Notification to customers - ICs should generally notify their customers of the country in which the service provider is located (and of any subsequent changes) and the right of access, if any, available to the overseas authorities.

IA Guideline on Outsourcing, Section 5.19. Microsoft recommends that you confirm in this section that you have informed customers where services will be provided from (according to the specification of your final solution with Microsoft). Microsoft also recommends that you confirm in this section that you have informed customers of the right of access available to overseas authorities (for example in Singapore, for the purpose of the Office 365 service, depending on the specification of your final solution with Microsoft).

39. ICs should not outsource to a jurisdiction that may hamper access to data by the IA. They should ensure that the IA has right of access to the books and records and other information of the IC as necessary for the IA to be able to carry out its statutory responsibilities.

IA Guideline on Outsourcing, Section 5.19.

Office 365 is hosted out of […..]. This/These location(s) has/have been thoroughly vetted and, as far as we are aware, there are no secrecy laws which would hamper access to data in the appropriate circumstances.

We will have in place a binding negotiated contractual agreement with Microsoft in relation to the outsourced service, giving us direct contractual rights. There are provisions in the contract that enable the IA to carry out inspection or examination of Microsoft’s facilities, systems, processes and data relating to the services. This is set out in the FSA. This is a key advantage of the Microsoft product over competitor products, which often provide only very limited (or no) audit and inspection rights. Where the IA wishes to access the books and records of the IC, in the first instance the IA will be directed to the IC by Microsoft. The IC should be able to provide the IA with access to all the books and records. Where such books and records are hosted by Microsoft, the IC has access to these by using the services in the normal way.

Microsoft also offers a Compliance Framework Program. If you take up the Compliance Framework Program, you may add this additional information about its key features: the regulator audit/inspection right, access to Microsoft’s security policy, the right to participate in events to discuss Microsoft’s compliance program, and the right to receive audit reports and updates on significant events, including security incidents, risk-threat evaluations and significant changes to the business resumption and contingency plans.

40. §33 of the PDPO in respect of transfer of personal data outside Hong Kong – although §33 has not yet come into operation, ICs are advised to take account of the provisions therein and the potential impact on their plans in respect of overseas outsourcing.

IA Guideline on Outsourcing, Section 5.19.

Section 33 of the PDPO, assuming it is in force, prohibits organizations from transferring data outside of Hong Kong except in certain circumstances, e.g. if the organization has taken all reasonable precautions and exercised due diligence to ensure that personal data will not be handled in a manner in contravention of the PDPO requirements (commonly referred to as the “Due Diligence Exception”). Putting in place an enforceable contract between all parties to the transfer is a way to satisfy the Due Diligence Exception, and the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) has proposed a set of recommended model clauses to include in such a contract. Microsoft's OST has in principle covered the core areas of the recommended model clauses and should therefore satisfy the Due Diligence Exception.

41. Governing law of the outsourcing agreement – the agreement should preferably be governed by Hong Kong law.

IA Guideline on Outsourcing, Section 5.19.

The MBSA deals with which country’s laws apply if there is a legal dispute.

The governing law is that of the State of Washington, U.S.; however, the parties have the ability to bring proceedings in the following locations:

• If Microsoft brings the action, the jurisdiction will be where our contracting entity is located;

• If we bring the action, the jurisdiction will be the State of Washington; and

• Both parties can seek injunctive relief with respect to a violation of intellectual property rights or confidentiality obligations in any appropriate jurisdiction.


ANNEX ONE

MANDATORY CONTRACTUAL REQUIREMENTS

The IA does not specifically mandate contractual requirements that must be agreed by ICs with their service providers. However, the Guideline on Outsourcing does contain a long list of matters that it says that ICs should “consider” when negotiating the contract. This Annex contains a comprehensive list and details of where in the Microsoft contractual documents these points are covered.

Key:

Where relevant, a cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.

In blue text, Microsoft has provided you with a reference to where in the agreement the contractual requirement is covered for ease of reference.

Terms used below as follows:

OST = Online Services Terms

EA = Enterprise Agreement

Enrolment = Enterprise Enrolment

FSA = Financial Services Amendment

MBSA = Microsoft Business and Services Agreement

PT = Product Terms

SLA = Online Services Service Level Agreement


Ref. Requirement Microsoft agreement reference

1. Scope of the outsourced service. Section 5.10(a) of the Guideline on Outsourcing.

Yes.

The contract pack comprehensively sets out the scope of the arrangement and the respective commitments of the parties.

The services are broadly described, along with the applicable usage rights, in the PT and the OST. The services are described in more detail in the OST, which includes a list of service functionality in the Data Processing Terms section and core features of the Office 365 services in the Online Service Specific Terms section. The MBSA addresses liability and rights of action.

2. Location where the outsourced service will be performed. Section 5.10(b) of the Guideline on Outsourcing.

Yes.

The OST contains general commitments around data location. Microsoft will ensure that Customer Data will always be stored and processed in accordance with the EU and Swiss Safe Harbour Frameworks as maintained by the US Government. Microsoft data center locations are made public on the Microsoft Trust Center at http://blogs.microsoft.com/on-the-issues/2015/02/16/microsoft-adopts-first-international-cloud-privacy-standard/. Microsoft also commits, in the OST, that Customer Data transfers out of the EU will be governed by the EU. Also, as noted in the OST, any subcontractors to whom Microsoft transfers Customer Data, even those used for storage purposes, will have entered into written agreements with Microsoft that are no less protective than the DPT section of the OST.

Commitments on the location of data at rest are discussed in the OST, and may depend on where a customer provisions its service tenancy or specifies as a Geo for the online service. More details are set out, non-contractually, at the Trust Centers for each applicable online service.

3. Effective period of the outsourcing arrangement. Section 5.10(c) of the Guideline on Outsourcing.

EAs have a [three] year term, and may be renewed for a further [three] year term. Please insert the proposed start date of the outsourcing service.

4. Contractual obligations and liabilities of the IC and the Service Provider. Section 5.10(d) of the Guideline on Outsourcing.

Yes.

The contract pack comprehensively sets out the scope of the arrangement and the respective commitments of the parties.

The services are broadly described, along with the applicable usage rights, in the PT and the OST. The services are described in more detail in the OST, which includes a list of service functionality and the core features of the Office 365 services.

The MBSA deals with liability and the rights of action.

5. Performance standards to be attained in respect of the outsourced service. This is particularly appropriate when the IC has committed to a service standard or performance pledge to its customers. Section 5.10(e) of the Guideline on Outsourcing.

Yes.

See in particular the detailed performance standards and commitments set out in the SLA and the MBSA above. These specify clearly the performance standards of Microsoft (for example, a 99.9% uptime) and other obligations of Microsoft (for example, its obligations to provide access in the event of an audit/inspection).

6. Reporting or notification requirements that the IC may wish to impose on the Service Provider. Section 5.10(f) of the Guideline on Outsourcing.

Yes.

The customer may monitor the performance of the online services via the administrative dashboard, which includes information as to Microsoft’s compliance with its SLA commitments.

In addition, customers can review the manner in which Microsoft provides the online services. As set out in the OST, the customer is entitled to access the Microsoft Online Services Information Security Policy, which is the document where Microsoft sets out its information security management processes. Microsoft also commits to providing the customer with a summary of Microsoft’s annual audit report, which is performed by an independent third party and measures compliance against Microsoft’s certifications.

The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. This commitment is reiterated in the FSA.

In addition, the FSA gives us the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates our ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.

7. The way in which the IC and the Service Provider should monitor the performance under the agreement (e.g. evaluation of performance through service delivery reports, periodic self-certifications, independent reviews by the IC’s or the service provider’s auditors). Section 5.10(g) of the Guideline on Outsourcing.

Yes.

Customers can review the manner in which Microsoft provides the online services.

The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. This commitment is reiterated in the FSA.

In addition, the FSA gives us the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates our ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.

In addition, as part of Microsoft’s certification requirements, Microsoft is required to undergo regular independent third party auditing, and Microsoft shares the independent third party audit reports with us. Under the FSA, Microsoft will provide to us copies of its audit reports so that we can verify Microsoft’s compliance with its obligations.

Finally, as set out in the OST, the customer is entitled to access the Microsoft Online Services Information Security Policy, which is the document where Microsoft sets out its information security management processes. Microsoft also commits to provide us with its audit report, which is performed by an independent third party and measures compliance against Microsoft’s certifications.

8. Information and asset ownership rights, information technology security and protection of confidential information. Section 5.10(h) of the Guideline on Outsourcing.

Microsoft makes specific commitments with respect to our data in the OST. In summary, Microsoft commits that:

1. Ownership of our data remains at all times with us.

2. Our data will only be used to provide the online services to us. Our data will not be used for any other purposes, including for advertising or other commercial purposes.

3. Microsoft will not disclose our data to law enforcement unless it is legally obliged to do so, and only after not being able to redirect the request to us.

4. Microsoft will implement and maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect Customer Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction.

5. Microsoft will notify the customer if it becomes aware of any security incident, and will take reasonable steps to mitigate the effects and minimize the damage resulting from the security incident.

The MBSA deals with confidentiality. Microsoft commits not to disclose our confidential information (which includes our data) to third parties and to only use our confidential information for the purposes of Microsoft’s business relationship with us. If there is a breach of confidentiality by Microsoft, we are able to bring a claim for breach of contract against Microsoft.

9. Rules and restrictions on sub-contracting of the outsourced service. The IC should retain the ability to maintain similar control over its outsourcing risks when a Service Provider uses a sub-contractor. Section 5.10(i) of the Guideline on Outsourcing.

Yes.

Under the terms of the OST, Microsoft is permitted to hire subcontractors.

Microsoft maintains a list of authorized subcontractors for the online services that have access to our data and provides us with a mechanism to obtain notice of any updates to that list. The actual list is published on the applicable Microsoft Trust Center, and it sets out the identity of such subcontractors, their respective location and the function(s) that they perform. If we do not approve of a subcontractor that is added to the list, then we are entitled to terminate the affected online services.

The confidentiality of our data is protected when Microsoft uses subcontractors because Microsoft commits that its subcontractors will be permitted to obtain our data only to deliver the services Microsoft has retained them to provide and will be prohibited from using our data for any other purpose.

Microsoft also commits that any subcontractors to whom Microsoft transfers our data will have entered into written agreements with Microsoft that are no less protective than the data processing terms in the OST.

Under the terms of the OST, Microsoft remains contractually responsible (and therefore liable) for its subcontractors’ compliance with Microsoft’s obligations in the OST. In addition, Microsoft’s commitment to ISO 27018 requires Microsoft to ensure that its subcontractors are subject to the same security controls as Microsoft is subject to. Finally, the EU Model Clauses, which are included in the OST, require Microsoft to ensure that its subcontractors outside of Europe comply with the same requirements as Microsoft and set out in detail how Microsoft must achieve this.

10. Remedial action and escalation process for dealing with inadequate performance. Section 5.10(j) of the Guideline on Outsourcing.

Under the service credits mechanism in the SLA, we may be entitled to a service credit of up to 100% of the service charges. If a failure by Microsoft also constitutes a breach of contract to which the service credits regime does not apply, we would of course have ordinary contractual claims available to us too under the contract.

The MBSA deals with liability and rights of action. The MBSA deals with how a dispute under the contract is to be conducted.


11. Contingency planning of the Service Provider to provide business continuity for the outsourced service. Section 5.10(k) of the Guideline on Outsourcing.

Yes.

Business Continuity Management forms part of the scope of the accreditations that Microsoft maintains in relation to the online services, and Microsoft commits to maintain a data security policy that complies with these accreditations. Business Continuity Management also forms part of the scope of Microsoft’s annual third party compliance audit.

12. Management and approval process for changes to the outsourcing arrangement. Section 5.10(l) of the Guideline on Outsourcing.

Yes.

The MBSA states that the contract may be amended only by a formal written agreement signed by both parties. However, there is minimal requirement (if any) for change management provisions for the Microsoft Office 365 services. These online services are “commodity” services and are designed to be delivered as a standardized offering, thereby removing the requirement or need for changes or alterations to be made at an organization level. Microsoft will manage upgrades and patches to its services and testing for these will be carried out by Microsoft. Microsoft has its own operational change control procedure in place. The operational change control procedure includes an assessment process of possible changes and their impact. The testing of changes takes place in an approved non-production environment.


13. Conditions under which the IC or Service Provider can terminate the outsourcing agreement. Section 5.10(m) of the Guideline on Outsourcing.

Yes.

The Enrolment under which online services are ordered is for an initial [three] year period. There is no general exit right under the Enrolment; however, in case of breach, termination rights are provided under the EA. There are also license subscription reduction provisions in the Enrolment which we may utilize to reduce the number of online services subscriptions to a stated minimum number, which if exercised could substantially relieve our subscription obligation. The OST and the FSA further set out situation-specific termination rights that we are entitled to, e.g. where we do not approve the addition of a new subcontractor which has access to our customer data, or where the IA expressly directs, or where we are unable to comply with new laws or regulatory requirements as a result of the use of the online services.

14. Termination agreement, including intellectual property and information rights and clarification of the process to ensure the smooth transfer of the outsourced service either to another Service Provider or back to the IC.

Section 5.10(n) of the Guideline on Outsourcing.

Yes.

Microsoft contractually commits to retain our data stored in the Online Service in a limited function account for 90 days after expiration or termination of our subscription so that we may extract the data. After the 90-day retention period ends, Microsoft will disable our account and delete our data. The MBSA deals with confidentiality. The OST states, in the General Terms section, that Microsoft will comply with all laws and regulations applicable to its provision of Office 365 services, including security breach notification law. Microsoft is not responsible for compliance with any laws or regulations applicable to us, or to the financial services industry, that are not generally applicable to information technology service providers.

Note that ownership of documents, records and other data remains with the customer organization and at no point transfers to Microsoft or anyone else, so this does not need to be addressed through transition. As set out in the OST, we retain the ability to access and extract our data at all material times. Upon expiration or termination, Microsoft will delete our data.

See the response to item 13 above for more information about the termination rights.

15. Guarantee or indemnity from the Service Provider, e.g. an indemnity to the effect that any sub-contracting by the Service Provider of the outsourced service will be the responsibility of the Service Provider, including liability for any failure on the part of the sub-contractor.

Section 5.10(o) of the Guideline on Outsourcing.

Yes.

Under the terms of the OST, Microsoft remains contractually responsible (and therefore liable) for its subcontractors’ compliance with Microsoft’s obligations in the OST. The MBSA deals with liability.

16. Requirement for the Service Provider to hold relevant insurance.

Section 5.10(p) of the Guideline on Outsourcing.

Yes.

In practice, Microsoft maintains self-insurance arrangements for many of the areas where third party insurance is typically obtained. Microsoft has taken the commercial decision to take this approach, and does not believe that this detrimentally impacts upon its customers, given that Microsoft is an extremely substantial entity.

17. Mechanism to resolve disputes that might arise under the outsourcing arrangement.

Section 5.10(q) of the Guideline on Outsourcing.

Yes.

The MBSA contains provisions that describe how a dispute under the contract is to be conducted.

The MBSA sets out the jurisdictions in which the parties should bring their actions. Microsoft must bring actions against the customer in the country where the customer’s contracting party is headquartered. The customer must bring actions: (a) in Ireland, if the action is against a Microsoft affiliate in Europe; (b) in the State of Washington, if the action is against a Microsoft affiliate outside of Europe; or (c) in the country where the Microsoft affiliate delivering the services has its headquarters, if the action is to enforce a Statement of Services.

18. The Service Provider’s agreement to allow access by the auditors and actuaries of the IC and the IA to any books, records and information which facilitate the discharge of their statutory duties and obligations.

Section 5.10(r) of the Guideline on Outsourcing.

The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards.

The FSA details the examination and influence rights that are granted to us and to the IA. The FSA sets out a process which can culminate in the IA’s examination of Microsoft’s premises, and gives us the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates our ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.

19. Governing law of the outsourcing agreement. The agreement should preferably be governed by Hong Kong law.

Section 5.10(s) of the Guideline on Outsourcing.

The MBSA deals with which country’s laws apply if there is a legal dispute.

The governing law is that of the State of Washington, U.S.; however, the parties have the ability to bring proceedings in the following locations:

• If Microsoft brings the action, the jurisdiction will be where our contracting entity is located;

• If we bring the action, the jurisdiction will be the State of Washington; and

• Both parties can seek injunctive relief with respect to a violation of intellectual property rights or confidentiality obligations in any appropriate jurisdiction.