The Federal Chancellery's CEBA project
The FDPIC accompanies the ‹Cloud Enabling Büroautomation› (CEBA) project from a supervisory perspective. The focus is currently on the data protection impact assessment carried out by the administration and the implementation of the measure to introduce confidentiality labels for federal administration documents (so-called labelling).
The ‹Cloud Enabling Büroautomation (CEBA)› project, which was launched in 2019, is managed by the Digital Transformation and ICT Steering Sector (DTI) of the Federal Chancellery (FCh). The aim of the project is to replace the Office product suite currently used in the Federal Administration's workplace systems, ‹Microsoft Office LTSC Professional Plus 2021›, with the cloud-based solution ‹Microsoft Office 365› (M365). The DTI division involved the FDPIC in the project at an early stage, and he provided regular updates on the outsourcing project in the federal administration (see short message dated 7 March 2023; 30th Annual Report 2022/2023; 31st Annual Report 2023/2024).
Since the project was launched, the FDPIC has successfully pushed for the DTI to examine medium-term alternatives to Microsoft Office 365 (see also the Federal Council's press release of 15 February 2023: Bund führt Microsoft 365 ein), the focus of his supervisory advice is now on the adaptation and clarification of the data protection impact assessment (DPIA) drawn up by the DTI and the initial training of federal staff.
The FDPIC demanded that the proportionality of a cloud-based federal solution be examined and that risks relevant to data protection law – in particular with regard to access by foreign authorities and dependencies on market-dominant cloud providers – be analysed and assessed. In his comments on the continually updated versions of the DPIA, the FDPIC aims to ensure that significant risks are described more precisely and that the necessary measures to minimise risk are clearly defined. The DTI is currently working on making the necessary clarifications and additions. At the same time, independent audits are being carried out, the results of which will also be taken into account in the next version of the DPIA.
One important measure for minimising the risks of the CEBA project is the confidentiality-designation of documents, so-called labelling. This is to prevent documents containing particularly sensitive personal data and those with classified, i.e. confidential data, from being stored in the cloud, because such data should continue to be processed only in the data centres of the federal administration. To this end, federal staff must be trained accordingly. Individual staff members of the FDPIC attended the first training sessions, with the aim of ensuring that data protection and security requirements are met.