Microsoft VPA Program Guide Version 1.2 Page 1 of 8 Microsoft Confidential
Microsoft Vendor Privacy Assurance Program Guide
January 2006
1. Program Overview
The Vendor Privacy Assurance (“VPA”) Program is a joint effort of Microsoft Corporate Procurement, Corporate Privacy, and
Corporate IT Security to ensure that basic privacy and security principles are followed when vendors handle Microsoft
customer, employee or partner personal information.
The requirements of the VPA Program are minimum baseline requirements; specific business groups at Microsoft may
require vendors to implement additional security and privacy requirements.
Questions: Please send email to the appropriate regional support center:
North America: [email protected]
Europe, Middle East, Africa: [email protected]
Asia Pacific/Greater China Region: [email protected]
2. Definitions
A “Microsoft Business Partner” is a person (either individually or as part of a company) with whom Microsoft engages in
conducting its business, and whose personal information your company may handle as part of providing the services called
for by your purchase order or contract with Microsoft.
A “Microsoft Customer” is a person (either individually or as part of a company) who receives Microsoft products or
services, and whose personal information your company may handle as part of providing the Microsoft products or services
called for by your purchase order or contract with Microsoft.
A “Microsoft Employee” is a person who is employed by Microsoft, and whose personal information your company may
handle as part of providing the services called for by your purchase order or contract with Microsoft. Collection of Microsoft
employee contact information or credit card data from Microsoft employees with whom your company interacts directly as
part of the initiation/implementation/conclusion of the provision of services or goods would generally fall outside the scope of
the VPA Program.
Processing personal information “on Microsoft’s behalf” means doing so as part of the execution of services being provided
per the terms of your purchase order or contract with Microsoft.
3. Program Requirements
All vendors must complete the annual Microsoft Personal Information (MPI) Inventory and comply with all applicable
requirements of the VPA Program. Certification of compliance must be submitted by any vendor handling Microsoft
customer, employee or partner personal information.
Privacy and Security Requirements: The detailed requirements for handling Microsoft customer, employee and partner
personal information are outlined in the Microsoft Vendor Data Protection Requirements (hereafter “DPR”). The DPR
contains the requirements that must be followed by all vendors handling data classified as “Moderate Business Impact” or
“High Business Impact.”
Certification Requirement: Vendors handling data classified as “Moderate Business Impact” are required to certify
compliance to the DPR and must submit a self-certification of compliance within 90 days of submission of the MPI
Inventory.
Attestation Requirement: Vendors handling data classified as “High Business Impact” are required to submit an unqualified
letter of attestation from an approved third party within 90 days of submission of the MPI Inventory. A list of approved third
parties can be found by consulting the appropriate country listing provided by the International Federation of Accountants
(http://www.ifac.org).
4. Proof of Compliance
The requirements for proof of compliance are determined by the compliance cycle and the data class:
Initial Compliance Cycle:
Submission of self-certification or unqualified letter of attestation of compliance is voluntary.
Second Compliance Cycle:
All vendors handling data classified as “Moderate Business Impact” or “High Business Impact” must submit a
self-certification of compliance to the DPR.
Third and subsequent Compliance Cycles:
All vendors handling data classified as “High Business Impact” must submit an unqualified letter of attestation;
self-certification will no longer be sufficient.
All vendors handling data classified as “Moderate Business Impact” will continue to submit a self-certification of
compliance to the DPR.
5. Annual Compliance Cycle
Vendors are assigned an anniversary date on which they will receive an email from Microsoft containing a
hyperlink to the MPI Inventory.
Vendors have 30 days in which to submit a completed MPI Inventory.
Upon submission of the inventory, a data classification is assigned to the vendor.
Vendors handling data classified as “No Personal Information” or “Low Business Impact” have no further action.
Vendors handling data classified as “Moderate Business Impact” or “High Business Impact” must submit a
self-certification or unqualified letter of attestation of compliance to the DPR.
Vendors have 90 days in which to submit their self-certification or unqualified letter of attestation.
A new anniversary date will be assigned, based on the date of completion of (a) the MPI Inventory or (b)
submission of the self-certification or attestation letter, whichever is later.
[Figure: Annual Compliance Cycle. Two flows are shown.
Data Class = No Personal Information or LBI: (1) Microsoft e-mails link to PI inventory to vendor; (2) vendor submits PI inventory within 30 days; data class = LBI or No PII; the cycle repeats after 1 year.
Data Class = HBI or MBI: (1) Microsoft e-mails link to PI inventory to vendor; (2) vendor submits PI inventory within 30 days; data class = HBI or MBI; (3) vendor submits self-certification or attestation within 90 days; the cycle repeats after 1 year.]
6. Data Classification
Responses to the MPI Inventory are used to classify the Microsoft Personal Information handled by vendors. To assist with
completion of the inventory, a list of commonly-collected types of personally identifiable information (PII) and the
corresponding Microsoft data class has been compiled and is provided below. These classifications apply regardless of
whether the PII pertains to a Microsoft employee, a Microsoft customer or a Microsoft business partner.
High Business Impact (HBI): Access to this data should be limited to those with a direct business need to know.
Authentication/authorization credentials (i.e., username/password pairs, private cryptographic keys or numeric
identification sequences such as PINs, and hardware or software tokens).
Highly-sensitive personally identifiable information (PII) which includes:
o Government-provisioned identification credentials (e.g., passport, social security, or driver’s license
numbers)
o Financial transaction authorization data (e.g., credit card number, expiration date, and card ID)
o Financial profiles (e.g., consumer credit reports or personal income statements)
o Medical profiles (e.g., medical record numbers or biometric identifiers)
Moderate Business Impact (MBI): Access must be strictly monitored and controlled at all times.
All Personally Identifiable Information (PII) that is not listed as highly-sensitive PII (above), such as:
Information that can be used to contact an individual such as name, address, e-mail address, fax number, phone
number, IP address, etc.
Also includes, but is not limited to, information regarding an individual’s race, ethnic origin, political opinions,
religious beliefs, trade union membership, physical or mental health, sexual orientation, commission or alleged
commission of offenses and court proceedings.
7. Data Class Upgrade Process
Vendors handling data classified as “No PII” or “LBI” may choose to submit a self-certification or unqualified letter of
attestation of compliance to the DPR in order to document in advance their ability to properly handle Microsoft customer,
partner and employee personal information in either the “Moderate Business Impact” or “High Business Impact” data
classes.
After submitting the appropriate self-certification or unqualified letter of attestation, the vendor record will be updated
accordingly to reflect the vendor’s ability to handle “Moderate Business Impact” or “High Business Impact” data. Vendors
will need to pursue these “upgrades” annually if there has been no change in their assigned data class.
8. Exception Process
To request an exception to compliance with a requirement, vendors should email [email protected]. The maximum
exception period is one year.
9. Privacy Escalation Response Framework
Should a privacy event occur, vendors must e-mail [email protected]. Privacy events include, but are not limited to,
the following:
Inappropriate exposure of personal information
Theft or loss of personal information
Discovery of privacy policy non-compliance
Discovery of a flawed privacy policy or standard
Glossary
This glossary references terms and concepts used in the VPA Program Guide, the Microsoft Vendor Data Protection
Requirements and other VPA Program materials.
A
access
With respect to privacy, an individual's ability to view, modify, and contest the accuracy and completeness of personally
identifiable information (PII) collected about him or her. Access is an element of the Fair Information Practices. With
respect to vendor operations, access is defined as both logical (i.e., connection of one device or system to another) and
physical access to electronic or paper data sources.
accessible
Able to be (readily) understood.
anonymity
A condition in which an individual's true identity is unknown or cannot be ascertained.
anonymize
To render personal data sufficiently anonymous that an individual’s true identity cannot be ascertained.
antivirus software
Software specifically designed for the detection and prevention of known viruses.
authentication
The process for verifying that someone or something is who or what it claims to be. In private and public computer
networks (including the Internet), authentication is commonly performed through the use of logon passwords.
authorization
The process of giving someone permission to do or have something. It provides established controls that give specific
users access to information and prevents others from accessing the same information, often based upon an
authentication process. In reference to computing, especially remote computers on a network, the right granted an
individual or process to use a system and the data stored on it. Authorization is typically set up by a system
administrator and verified by the computer based on some form of user identification, such as a code number or
password.
C
choice
An individual's ability to determine whether and how personally identifiable information (PII) collected from him or her
may be used, especially for purposes beyond those for which the information was originally provided. Choice is an
element of the personal relationship.
collect
The gathering of personal information; collection may be direct, through means such as online forms or mail-in
registration cards, or indirect, through third parties.
computer security
The discipline, techniques, and tools designed to help protect the confidentiality, integrity, and availability of data and
systems.
consent
Permission given to use or share PII in specified ways. Consent can be implicit or explicit.
contact preference
Data collected about an individual’s preferred means of making contact such as by e-mail, phone, or mail.
cookie
A small data file that is stored on a user's local computer for record-keeping purposes and which contains information
about the user that is pertinent to a Web site, such as user preferences.
credentials
Information that includes identification and proof of identification that is used to gain access to local and network
resources. Examples of credentials are user names and passwords, smart cards, and certificates.
D
data integrity / data quality
A key principle of privacy, data integrity / data quality refers to the requirement for organizations to ensure that PII is
accurate, complete and current.
data transfer
As a key principle of privacy, the movement of personally identifiable information (PII) between entities, such as a
customer list being shared between two different companies.
destruction
Items must be physically destroyed in a manner that eliminates any possibility for the recovery of information from the
destroyed remnants.
digital asset
An electronic object that has value for some purpose. It may have been created digitally or it may have been digitized
from a non-digital original source.
disclosure
A component of the notice principle, wherein a company should make available its data handling practices including
notices on how it collects, uses and shares personally identifiable information (PII).
distribute
The transfer from one party to another party, who then assumes possession or control of the information.
E
encryption
In basic terms, encryption is the process of converting plaintext into cipher text by using a cryptographic algorithm and
key.
enforcement
A privacy principle which provides mechanisms for assuring compliance with the Fair Information Practices, recourse for
individuals affected by non-compliance, and consequences for the non-compliant organization. Such methods for
enforcement may include a review by independent third parties, such as TRUSTe.
F
Fair Information Practices
The basis for privacy best practices, both online and offline. The Practices originated in the Privacy Act of 1974, the
legislation that protects personal information collected and maintained by the U.S. government. In 1980, these
principles were adopted by the Organization for Economic Cooperation and Development and incorporated in its
Guidelines for the Protection of Personal Data and Trans-border Data Flows. They were adopted later in the EU Data
Protection Directive of 1995, with modifications. The Fair Information Practices include notice, PUID, choice, access,
onward transfer, data integrity, and remedy.
financial information
Data collected by a site or service provider on an individual’s finances, including account status, account balances,
payment history and credit information. This information should generally be treated as High Business Impact.
H
health information
Data concerning an individual’s physical or mental health, including inquiries into healthcare services and information,
and purchases of healthcare products. This information should be treated as High Business Impact.
I
integrity
The principle of Fair Information Practices that reasonable steps should be taken to ensure that PII is relevant and
reliable (i.e., accurate, complete, and current) for its intended use.
IP address
A number used to uniquely identify the sender and receiver of information packets that are sent over the Internet. IP
addresses can either be static (unchanging) or dynamic.
M
Microsoft Personal Information
Any information provided by Microsoft or collected by vendors on behalf of Microsoft: (i) that identifies or can be used to
identify, contact, or locate the person to whom such information pertains, or (ii) from which identification or contact
information of an individual person can be derived. Microsoft Personal Information includes but is not limited to: name,
address, phone number, fax number, email address, social security number or other government-issued identifier, and
credit card information. Additionally, to the extent any other information (such as a personal profile, unique identifier,
biometric information, or IP address) is associated or combined with Personal Information, such information will also
be considered Personal Information.
N
notice
A privacy principle that requires reasonable disclosure to a consumer of an entity's personally identifiable information
(PII) collection and use practices. Whenever PII is collected from an individual, that individual must be given notice as to
what information is being collected and how that information will be used. This disclosure information is typically
conveyed in a privacy notice or privacy policy. Notice is addressed in Fair Information Practices.
O
onward transfer
The transfer of personally identifiable information (PII) by the recipient of the original data to a second recipient (i.e., the
recipient of the onward transfer). For example, the transfer of PII from an entity in Germany to an entity in the United
States constitutes onward transfer of that data. Onward transfer is addressed in Fair Information Practices.
opt in
A method of obtaining an individual’s explicit consent for the use of PII beyond the primary purpose for which it was
originally provided. Opt-in requires the user to take an explicit additional action (such as checking a box) in order to
provide consent. Typically used in marketing programs and offerings, whereby an action (such as the use of personal
information beyond the original, primary purpose for which it was collected) is not undertaken unless an individual
explicitly consents.
opt out
A method of obtaining an individual’s consent for the use of PII beyond the primary purpose for which it was originally
provided. Opt-out infers consent based on a user's failure to take an explicit action (such as un-checking a box) to
withhold the consent. Typically used in marketing programs and offerings, whereby an action (such as the use of
personal information beyond the original, primary purpose for which it was collected) is undertaken unless an individual
explicitly declines.
P
personally identifiable information (PII)
Any information relating to an identified or identifiable individual. Such information may include name, country, street
address, e-mail address, credit card number, Social Security number, government ID number, IP address, or any unique
identifier that is associated with PII in another system. Also known as personal information or personal data.
policy
A written statement that communicates management’s intent, objectives, requirements, responsibilities, and/or
standards.
primary use
Purpose for which the information was originally provided; for example, collecting shipping information to send a
product or processing registration for an event.
privacy
The control customers have over the collection, use, and distribution of their personal information.
privacy policy
An organization's requirements for complying with privacy regulations and directives.
privacy statement
An externally-facing document that describes, among other things, what information the product, site or service
collects; with whom the data is shared; and how users can control the use of their personal information.
privileges
The permission granted to a user to perform a specific task, usually one that affects an entire computer system rather
than a particular object. Privileges are assigned by administrators to individual users or groups of users as part of the
security settings for a computer.
R
relevancy
The collection of PII should be limited to that which is relevant to the provision of the requested service.
S
secondary use
Use of personal information for purposes other than those for which the information was collected. The Fair Information
Practices state that a person can provide personal information for a specific purpose without the fear that it may later
be used for an unrelated purpose without that person's knowledge or consent.
security
Security is a principle of the Fair Information Practices which provides that organizations should take reasonable steps
to protect the confidentiality, integrity and availability of PII.
sensitive data / sensitive information
From the European Union perspective, personally identifiable information (PII) regarding race or ethnic origin, political
opinions, religious or philosophical beliefs, sexual preference, or trade union membership. Within the United States,
sensitive information also includes information about health, finances, and children.
system
A system consists of multiple components organized to achieve a specified objective. These components can
include infrastructure (facilities, equipment, and networks), software (systems, applications, and utilities), people
(developers, operators, users, and managers), procedures (automated and manual), and data (transaction streams,
files, databases, and tables).
subcontractor
An individual, or an entity, hired by a vendor to perform subcontracting services to fulfill the vendor’s contract with
Microsoft.
T
transfer
The hand off of customer data to a Third Party who can internally store and use this information to contact customers
regarding its own products and services.
U
unqualified letter of attestation
An unqualified letter of attestation is distinguished by the phrase “In our opinion, management’s assertion [assertion
identified] is fairly stated in all material respects.” An unqualified report does not include the phrase “except for.”
use
The use of Microsoft Personal Information in fulfillment of the procured services.
user profile
Settings that define customization preferences for a particular user, such as desktop settings, persistent network
connections, personally identifiable information (PII), web site use, or other behaviors and demographic data.
V
vendor
An individual, or an entity, hired to provide products or perform a service to or on behalf of Microsoft. A vendor is not
considered an independent third-party to Microsoft.