Document management in the University’s Office365 from a public safety perspective
Jönköping University uses the cloud service Office365 from Microsoft. Office365 contains such things as email, calendars, address books, document management, storage and Skype telephony. One of the functions of Office365 is cloud storage that is available to employees and students. This cloud storage primarily occurs via OneDrive for Business, but also includes other Office365 applications such as email, calendars, address books, tasks etc. The object of the storage solution is for the user to be able to create, manage, distribute and access work materials, information and data - with as few restrictions as possible. There are, however, a number of aspects that need to be highlighted, based on public safety aspects, when you use cloud storage. To spread information and knowledge of such things as these aspects, the following FAQ has been created.
Is it OK from an information safety and integrity perspective to store data in Office365?
The cloud services that Microsoft offers its customers has been reviewed from a safety aspect, in Sweden, by the Swedish Data Protection Authority and within the EU by comparable functions. Several other organisations and authorities that used Microsoft’s services have been reviewed by the Swedish Data Protection Authority and they fulfil the requirements related to Personal Data Act, on the condition that clear routines are documented on usage. It should be noted that the Swedish Data Protection Authority does not issue a general approval, but rather their review only covers handling of the actual reviewed items.
Jönköping University has, with the help of a consultant, executed a risk and vulnerability analysis according to the Swedish Data Protection Authority’s requirements. In summary, the risk and vulnerability analysis states, among other things:
“The conclusion is that despite there being risks with an outsourcing concerning Office 365, the delivered service is comparable to the requirements that JU imposes on the solution, which has been aimed at a modern, functional, future-proof and cost-effective solution. Furthermore, this risk and vulnerability analysis states that Jönköping University has a complete picture of the product and the risks associated with it. Ultimately, it is judged that Jönköping University fulfils both the external requirements associated with their operation and the requirements of the conducted risk and vulnerability analysis. What can be concluded from the identified risks, in this risk and vulnerability analysis, is that JU does not deviate from the industry’s other actors’ risks and/or threats, in any way. On the contrary, it is clear through this work that JU has a proactive approach to its security work, but should remain observant of red level risks and threats, as a natural part of their IT strategy, from here on out.”
Regardless of the general course of events, JU will not act as an individual on comprehensive issues surrounding cloud service, but rather, as such matters become actual, wait for decisions by the Swedish Data Protection Authority, and thereafter, follow the common approach within the academic sector.
What is the object of storing in Office365?
Office365, and primarily OneDrive for Business, is an alternative to storing your data on a home directory (G). You can access the data you store in Office365 via the Internet and you can even synchronise the library in OneDrive for Business with the storage of one or more computers, smartphones or tablets. All files you store in OneDrive for Business are personal, as standard. You can easily share files and collaborate on documents with other users at Jönköping University.
The object of the storage solution is for the user to be able to create, manage, distribute and access work materials, information and data - with as few restrictions as possible. Examples of restrictions include:
- Information that is covered by confidentiality according to the Secrecy Act or violates the law, and sensitive personal data that is covered by the Personal Data Act (see below)
- Certain applications require, for functional reasons, that storage occur on home directories, while working. Completed work can, however, be saved in Office365/OneDrive for Business if so desired.
What can’t I store in Office365?
Information that must not be stored in Office365 is information
- that is covered by confidentiality, according to the Secrecy Act
- or violates the law and sensitive personal data, according to the Personal Data Act
With the current conditions for Office365, there is a risk of information being given out in such a way that it is not protected to the extent required by Swedish law. If confidential information is made accessible in an improper way, the consequences are serious as the damages cannot be predicted nor repaired in retrospect, as the confidentiality has already been compromised.
As a user, you are responsible for ensuring that the information stored in Office365 does not break any rules, regulations or laws. If you are uncertain, you can first contact your manager and second the University’s legal counsel.
Secrecy and confidentiality issues (example):
Confidentiality for personnel and students
Health status, redeployment, protected addresses, separation issues
Confidentiality for protection of financial interests
Business and operating conditions, tenders/procurement
Confidentiality in research
Sensitive personal data (example):
Sensitive personal data is such that reveals race or ethnic origin, political opinions, religious or philosophical convictions, membership in unions as well as personal data that concerns a person’s health or sex life. Information on health can include, for example, sick leave, pregnancy and doctor visits.
Violations of law (examples): Personal data is in violation of the law if it contains criminal acts, judgements in criminal matters, coercive measures or administrative detention.
Can I really store personal data in Office365?
Jönköping University has, as a part of the licensing conditions, entered into a so-called personal data assistant contract with Microsoft that encompasses the Office365 cloud services. This means that you may store personal data in Office365 that does not violate confidentiality or the law, or reveal sensitive personal data, according to the above items.
Note that the right to store personal data in the cloud only applies to those services, e.g. Office365, where this is regulated in the personal data assistant contract, with the supplier. Personal data may never be stored in cloud solutions outside of the personal data assistant contract, such as, for example, Dropbox or Google Drive.
How secure is Office365?
Office365 is at least as secure and probably more secure than local home directories (G:). Based on Microsoft’s data centres, equipment, routines and revisions, more secure operation and greater accessibility of these systems is attained.
In this risk and vulnerability analysis that was conducted for JU, it was noted that the greatest functional risks of Office365 are tied to passwords winding up in the wrong hands and inadequate security awareness by the user. As the user, you are responsible for your user account and ensuring that it is used is in accordance with the University’s contingent liabilities for user accounts.
What is applicable for public documents and registration?
Handling of public documents and registration are not affected by Office365. Requirements for handling of public documents and registration remain unchanged for JU and are not affected, even if Office356 is an external cloud based storage site. Laws and legislation surrounding public documents and requests for distribution of public documents is handled for Office365 in the same way as for other storage solutions that JU uses. Office 365 / OneDrive may not be used for archiving, neither for short or long term storage. It can only be used for temporary storage of working materials and copies. For information on registration and archiving read here or ask the staff at Records Management and Archive.
What about deleting files?
It is not allowed to use the cloud for archiving documents. Therefore, you may freely delete files that you no longer need for your work. Clear your storage area occasionally by deleting files that are no longer relevant. This will make it easier to manage your documents, both for yourself and for colleagues who may need to access your files.
How do I access data remotely?
Data that is stored in Office365, and primarily in OneDrive for Business, is accessible from all locations where you have Internet access. You can access data on the local home directory by connecting a University computer to the University’s network via a secure VPN connection.
Remote access to home directories from non-University computers is not allowed, for security reasons. On the other hand, you can access Office365/OneDrive for Business from non-University computers. Data that may not be stored on OneDrive for Business is of such a nature that it should not be managed on a private computer, either.
What support can IT service provide for Office365?
IT service will strive to give you, the user, the best possible support. However, the possibilities will be somewhat limited during the transition to Office365.
- Microsoft governs updates and essentially, some form of change will occur daily, in the total Office365 services. Thus, quick references and manuals can, quickly and without forewarning, become obsolete. The number of quick references and manuals will, therefore, be limited and instead the user will be directed to Microsoft’s help functions.
- IT service does not have access to the servers, systems and user accounts in Office356. IT service’s ability to provide support disappears completely in regard to some functions such as, for example, backup restoration, anti-spam management and tracing emails, while for other cases, it is severely limited. The user account in Office365 will primarily be a management process for the user and Microsoft.
What happens when I quit?
When you quit, your account and your data are removed from Office365. Therefore, before you quit:
- Secure/procure all data you saved in Office365/OneDrive for Business. Notify your successor or your manager of any material that needs to remain in the organisation.
- If you own a shared mailbox, ensure that the ownership is transferred to a new owner.