Office365 Cloud Services Instructions at HKR
University Kristianstad uses Office365 Microsoft cloud services that encompass what Office365 calls Online Services, including Outlook Online, OneDrive for Business, SharePoint, OneNote, Teams, Word, Excel, PowerPoint, and others. One of the main features of Office365 is the possibility to store information in the Cloud.
The purpose of cloud storage solutions is to enable users to create, manage, share, and access information from anywhere, and with as few restrictions as possible. However, there are a number of rules of conduct and guidelines, written from a security perspective, that the user must adhere to when storing information in the Cloud. The guidelines are intended to make clear to the user what provisions and restrictions apply when using Office365 Online Services at Kristianstad University.
Definitions of abbreviations:
HKR = Kristianstad University
DPA = Data Processing Agreement
AD = Active Directory
EU = European Union
GDPR = General Data Protection Regulation, applicable within the EU
OSL = Swedish Public Access to Information and Secrecy Act
VPN = Virtual Private Network – a secure connection, or “tunnel”, between two points over a non-secure data network
Recycle Bin = A place for trash, i.e. temporary storage for files that have been deleted
Background
The Cloud services that Microsoft offers its customers have been audited from a security perspective within Sweden by the Swedish Data Protection Authority and within the EU (GDPR) by equivalent bodies. Several other organisations and authorities that use Microsoft’s Online Services have been reviewed by the Swedish Data Protection Authority and they meet the requirements related to the Swedish Personal Data Act, provided that clear procedures and guidelines for use are documented.
General personal responsibility
The user has the ultimate responsibility for their user account and how it is used. This means that you are expected to secure your password and keep it inaccessible to those around you. A computer, tablet or smartphone may not be left accessible to others without access protection being activated. The user is responsible for the information stored on the University’s storage services, i.e. where documents and information are efficiently and systematically created, received, used and preserved or deleted according to the currently applicable document management plan. Read more under Terms of service.
Specific to these Online Services is that information containing sensitive personal data or confidential data under the General Data Protection Regulation should not be stored in cloud services, unless this has been approved for the purpose based on a risk and vulnerability analysis conducted via Kristianstad University. More information on this can be found under the chapter “Storage of digital information” in the University’s Policy on Information Security.
Permissions and logging
To use Microsoft’s Online Services, a personal and unique user account for Kristianstad University’s IT services is required. When the user logs on to the computer with a user account and password, the user is also logged on to Microsoft’s online services (Office365). The following applies to login to the University’s cloud services:
- The user must have an HKR ID/account.
- The user must have an account in HKR’s AD.
- The user must have a password for their account in HKR’s AD.
- The user’s password should be kept secret and inaccessible to others!
All logins to the services are logged. If the user suspects that the services have been used by unauthorised persons, this should be reported immediately to Support 3030 and the matter referred to the Information Security Officer. The user’s first action should be to change their own password.
The log and use of the account may also be reviewed by the University in case of suspicion of a crime or of abuse of the services provided by Kristianstad University.
What gets stored in cloud services?
Microsoft’s online file storage service OneDrive is a very useful alternative to storing data on a home directory (H:) directly on one’s computer. The data stored in Office365’s online file storage service can be accessed via the Internet, and it is also possible to synchronise files in OneDrive with one or more computers, smartphones and tablets, however not with the University’s computer lab/data centre computers; there, data is written to drive O:, i.e. a direct write to the Cloud. All files stored in OneDrive are personal by default. It is easy to share files and collaborate on documents with other users at the University. The storage solution is primarily designed to enable the user to create, manage, share, and access work-related materials, information, and data, with as few restrictions as possible.
Data protection regulations
According to the EU General Data Protection Regulation and the Swedish Public Access to Information and Secrecy Act (2009:400) OSL, information:
- that is encompassed within the confidentiality provisions of the Swedish Public Access to Information and Secrecy Act
- concerning violations of the law and sensitive personal data as defined by the Swedish Personal Data Act
may not be stored in cloud services, unless doing so has been approved for the purpose based on a risk and vulnerability analysis that has been conducted via Kristianstad University!
If confidential information has been disclosed in an improper manner, the consequences are serious, since the damage can neither be foreseen nor subsequently remedied once the confidentiality of the information has already been breached.
Therefore the user has the responsibility to ensure that the information stored in the University’s cloud services does not violate the applicable legislation and regulations; if in doubt, it is important to contact the Student Centre (student@hkr.se) and, if the matter is not resolved there, the University’s Information Security Manager.
The below examples illustrate information containing sensitive personal data, confidential information, or protected details.
Cases or matters that are confidential
- Confidentiality of staff and student information: health and medical conditions, staff transfer or reassignment, specially protected information including addresses, removal cases
- Confidentiality for the protection of financial interests: business circumstances and operating conditions, business secrets, tenders/procurements
- Confidentiality in research being conducted: assignments, designated responsibilities, patents, collaboration activities, statistics, transfer of data
Sensitive personal data
- Sensitive personal data of the type that could reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in a trade union, and personal data relating to health or sexual orientation.
- Information about health may include, for example, sick leave, pregnancy and doctor’s appointments.
Violations of the law
- Personal data relating to offences involving criminal acts, convictions in a criminal case, pre-trial coercive measures or administrative deprivation of liberty.