
Microsoft stunner – is Office 365 SRA compliant? UPDATED AGAIN!

Added on the 4th Dec 2014 at 11:30 am

Just had a message in from a top 200 UK law firm saying they have been informed that Microsoft Office 365 is not SRA compliant. One of the firm’s partners told the Insider: “The Solicitors Regulation Authority tell us that it is our responsibility to use compliant software but they won’t comment on individual products.”

LATEST: Just been forwarded a commentary by SRA regulatory law specialists Guise Solicitors which sheds a little more light on this topic: 118 Case – The Brief 28 11 14

UPDATE: Opinions are split from a legalistic “the risk assessment issues suggest Office 365 isn’t there yet” in terms of UK compliance – through to “it’s all misleading misinformation” by people who don’t know what they are talking about! The most positive response we’ve had is the suggestion the issue centres on this provision…

Firms must be able to ensure that their provider
can agree to SRA access to inspect data in order to
meet Outcome 7.10 of the SRA Code of Conduct.

Microsoft doesn’t allow physical access to either its Dublin or Netherlands datacentres, as they are high-security sites. However, this is a non-issue because the law firm can still provide the data to the SRA, as it can keep a local copy of data as required. Here’s a copy of the SRA guidance on Cloud Computing: cloud-computing-law-firms-risk




  1. R says:

    So, good enough for the House of Commons, not good enough for SRA? Can we find out what they don’t like about it?

  2. Pundit says:

    Microsoft will not guarantee that the data will stay inside the EU – they replicate their data across datacentres.

  3. SABW says:

    Depends on what the firm want to use Office 365 for – doesn’t it?

    Are they talking about hosting files in Sharepoint? If so, they can just use a hybrid deployment of Sharepoint 2013 within the O365 model.

  4. Charles Christian says:

    We’ve also had another firm say that they are happy that cloud services like Office365 are Law Soc compliant.

  5. R says:

    SLA agreement for Office365 & Azure states they will only replicate data between European Data Centres (North Europe/West Europe)

  6. Neil Cameron says:

    What data?! If you sign up for Microsoft-hosted Office (of any kind) then yes, some Outlook data will be stored on their servers – just like any other hoster of Office/Outlook or non-Microsoft CRM. In which case many commercial Cloud agreements will NOT allow any third party (such as SRA) access to it, and/or it will be out of jurisdiction. Thus many such arrangements will be non-compliant.
    BUT, if (as I do) you use Office 365 without any Microsoft hosting then your documents are wherever you want to put them, and your CRM data is on your Exchange server – wherever that may be…

  7. Eternal Worrier says:

    I thought part of the possible problem with using Office 365 if you are a UK firm, is the US Patriot Act makes it difficult to secure client data. It is this that may cause issues with complying with DPA principles and SRA obligations to mitigate against the risks of client data loss.
    “The Patriot Act gives US law enforcement authorities the right to access personal data held in the cloud, regardless of where in the world the data is stored. The Act also gives US law enforcers the right to prevent cloud suppliers from informing their customers that they have had to hand over personal data.”
    To my mind the SRA hasn’t really provided absolute clarity on this. Might well be wrong though.

  8. TC says:

    Microsoft will only replicate data across sub-regions for enhanced data durability in case of a major data centre disaster. In this case, Ireland and Netherlands!

  9. Charles Christian says:

    Here’s another comment we had in…

    It’s OK for the cabinet office?

    Microsoft Office 365 Receives G-Cloud IL2 Accreditation from Cabinet Office for Use Across the UK Public Sector – Microsoft UK Government Blog – Site Home – MSDN Blogs


    AND with regard to other legal tech vendors, will Clio allow access to their Dublin datacentre OR will NetDocuments allow access to their new/planned Netherlands datacentre??

    And as the SRA say in the doc-

    There may be practical difficulties in accessing the
    information if it is stored overseas, but the point
    of the outcome is to try to reduce the risk of such
    difficulties. As with all of the outcomes, whilst firms
    must achieve them, the manner in which they do
    so is for them to determine.

  10. Charles Christian says:

    And there is more… Apparently the SRA itself uses the Mimecast cloud email etc security service – and Mimecast have a strict rule (just like Microsoft) that says customers don’t get access to their secure data centres.
