
Best practice guidance on tools for sharing and storing information

Outlined below is information governance best practice guidance on sharing and storing information using the University's core tools and applications. All University information must be stored and handled in a manner appropriate to its information security classification and stored on University-approved systems. Researchers should also refer to guidance provided by Research IT and the Library.

Users are responsible for the management of their data on M365 in line with:

  • Compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018
  • Compliance with University of Manchester Policies, Standards and processes, and ensuring that information processed meets the Acceptable Use of IT Facilities and Services SOP
  • Adherence to any research data sharing agreements/contracts covering the specific data being handled, including third party policies, processes and standards (eg NHS Digital data, which they class as Highly Restricted, is different to our classification of Highly Restricted: it requires more formal security controls, therefore the Highly Restricted Data Service should be used, not M365)

 

Information Classification and secure information handling

M365’s security controls and features are being implemented at the University to provide security appropriate to the classification of the data. Whilst some security controls will not be noticeable from a user perspective, others will, such as the ability to simply add security classification labels to documents, as the functionality becomes available. 

The University has four levels of security classification: Unrestricted, Restricted, Highly Restricted, Very Sensitive. These are explained in the Information Security Classification, Ownerships and Secure Information Handling SOP.

Information classified as Very Sensitive must not be processed or stored on M365 and advice must be sought from the Information Governance Office if you handle this type of information.

If you’re processing/storing information or data classified as Highly Restricted in M365, follow the information handling minimum controls set out in the Information security classification examples and handling guidance for confidential information, in particular:

  • Highly Restricted information should only be accessed using a UoM managed device or a trusted device (eg a mobile device managed with software such as Intune)
  • Links to Highly Restricted files should be used rather than attaching copies to emails and the links must specify ‘Specific people’ who are allowed access and downloads must be blocked
  • Files containing Highly Restricted information must be protectively marked with ‘Highly Restricted’ noted in the email subject, filenames, or document headings (until the M365 sensitivity label functionality becomes available). Additional handling requirements may also be specified eg ‘Do not distribute this document further’; ‘For named recipients only’

Sharing and providing access to files

M365 is a multi-featured collaboration tool that allows users to share and collaborate on files with groups, host conversations, video conference, meet online and chat with anyone. It’s essential that users are aware and understand the sharing and access features of M365. You must ensure that the people you are sharing information with have the right to access the data. It is best practice to provide people with revocable links to files or folders, so that you can control who it is shared with and for how long (rather than emailing files as attachments). This helps to reduce the risk of a data breach and data sprawl (see sections below on sharing files in OneDrive and SharePoint Online).

Users are responsible for ensuring that the ownership of any shared data they manage is transferred to another appropriate internal user if they leave the University or move roles. The new data owner should be granted the relevant permissions needed to manage that data prior to the original owner leaving the relevant post.

Work not personal use

Your University of Manchester Microsoft account is for work purposes and content only. If you have a personal Microsoft account make sure you’re not inadvertently using that one. Under certain circumstances the University may be required to access information for lawful purposes and has the authority to pass such data to third parties, as required by law, including for the prevention and detection of crime, the purposes of litigation, and compliance with statutory obligations, such as data protection and freedom of information laws.

The University accepts no liability for any personal loss or damage suffered by a member of staff through personal use of University IT facilities (see the Acceptable Use of IT Facilities and Services – procedure for staff).

Email (Outlook)

Email is the main communication method used at the University; much formal University business is conducted by email and may form part of an audit trail.

Sharing a link to a document in OneDrive or SharePoint Online rather than attaching a document to an email helps to cut down on the proliferation of documents being circulated. It also aids the sharing of large files.

Where a link to content is not appropriate, email containing personal, sensitive and confidential information must be managed in accordance with the Records Retention Schedule and must not be auto-redirected to non-UoM email accounts. Email is used to store work-related information and to retain a record of discussions that an individual regards as useful to them. Email should not however be used as the main storage medium for important University information or for information that requires collaborative work.

Many emails are intended to be very short-term and do not need to be retained and in some cases doing so may be unlawful. See further advice on managing your in-box.

Email over 3 years old is automatically moved to an archive folder. This is to act as a reminder that the retention of email should be reviewed and email periodically deleted.

OneDrive for Business

OneDrive for Business enables you to interact easily with M365 files (eg Word, Excel, PowerPoint) and collaborate on them with others, including non-University staff. You can securely share information and control levels of access via links for editing or viewing files. It should be used for your working drafts and to collaborate on documents before they are finalised and stored elsewhere, such as a SharePoint Online site, where they should be managed in accordance with the Records Retention Schedule.

It should not be used as a place to store your own personal/private documents, photographs etc. that are not work related. The University accepts no liability for any personal loss or damage suffered by a member of staff through personal use of University IT facilities (see the Acceptable Use of IT Facilities and Services – procedure for staff).

Sharing a link to a document or folder, rather than attaching a document to email, helps to cut down on the proliferation of documents being circulated. It also aids the sharing of large files.

Under certain circumstances the University may be required to access information for lawful purposes and has the authority to pass such data to third parties, as required by law, including for the prevention and detection of crime, the purposes of litigation, and compliance with statutory obligations, such as data protection and freedom of information.

Sharing folders and files using OneDrive

Information classified as Very Sensitive must not be processed or stored on M365 and advice must be sought from the Information Governance Office if you handle this type of information.

You can share folders and files within OneDrive both internally and with individuals outside the University. When sharing any data/information you must ensure that the people you are sharing with have the right to access it.

If you’re processing/storing information classified as Highly Restricted in M365, follow the information handling minimum controls set out in the Information security classification examples and handling guidance for confidential information, in particular:

  • Highly Restricted information should only be accessed using a UoM managed device or a trusted device (eg a mobile device managed with software such as Intune)
  • Links to Highly Restricted files should be used rather than attaching copies to emails and the links must specify ‘Specific people’ who are allowed access and downloads must be blocked
  • Files containing Highly Restricted information must be protectively marked with ‘Highly Restricted’ noted in the email subject, filenames, or document headings (until the M365 sensitivity label functionality becomes available). Additional handling requirements may also be specified eg ‘Do not distribute this document further’; ‘For named recipients only’
  • Access permissions must be reviewed at least quarterly

To share an individual file or a folder, click on the ‘share’ icon next to the name of the file or folder in OneDrive. Choose the level of access you wish to grant. The default is set to ‘People in The University of Manchester’; to change that, click on the arrow to the right for more options.

Choose whether to ‘Allow editing’ or leave it blank if you only want them to ‘view’ the file or folder.

Once the sharing or collaboration needs to end, you must update the access controls and remove the link(s).

Click on the 3 dots next to the item in OneDrive and select ‘Manage access’. Here you can remove the link altogether or remove the link for individual people. Click on the 3 dots for more options: click on the cross to completely remove the link or click on the cross next to an individual’s name to remove their specific access.

SharePoint Online

SharePoint Online provides useful features for collaboration and document management such as version control and metadata on documents; it is an appropriate place to store University information that must be managed in accordance with the Records Retention Schedule.

It’s important to plan what sort of information you want to store in SharePoint Online, who will own the site, who you want to share it with, how you want to organise and manage the information, how you will ensure that you remain within University and legal requirements and how long you want to keep information for.

Sharing files and folders in SharePoint Online

Information classified as Very Sensitive must not be processed or stored on M365 and advice must be sought from the Information Governance Office if you handle this type of information.

If you’re processing/storing information classified as Highly Restricted in M365, follow the information handling minimum controls set out in the Information security classification examples and handling guidance for confidential information, in particular:

  • Highly Restricted information should only be accessed using a UoM managed device or a trusted device (eg a mobile device managed with software such as Intune)
  • Links to Highly Restricted files should be used rather than attaching copies to emails and the links must specify ‘Specific people’ who are allowed access and downloads must be blocked
  • Files containing Highly Restricted information must be protectively marked with ‘Highly Restricted’ noted in the email subject, filenames, or document headings (until the M365 sensitivity label functionality becomes available). Additional handling requirements may also be specified eg ‘Do not distribute this document further’; ‘For named recipients only’
  • Access permissions on the site must be reviewed at least quarterly

To share files or folders, hover over the document listed in SharePoint Online, click on the ellipsis and click on either ‘Share’ or ‘Copy link’. Using ‘Share’ you can send a link to a file from within SharePoint Online; the user will be notified by email and will be able to click on the link in their email to open the file. The ‘Share’ link settings are as follows:

  • People in the University of Manchester gives anyone at the UoM who has the link, access to the file, whether they receive it directly from you or forwarded from someone else.
  • People with existing access can be used by people who already have access to the document or folder. It does not change the permissions on the item. Use this if you just want to send a link to somebody who already has access.
  • Specific people gives access only to the people you specify, although other people may already have access. If people forward the sharing invitation, only people who already have access to the item will be able to use the link. Take care to select the correct people, especially if there is more than one person with the same name.
  • Allow editing - when you share items with this type of link, people can edit files, can add files in a shared folder, and can delete files in a shared folder if they're signed in. Recipients can forward the link, change the list of people sharing the files or folder, and change permissions for recipients. If you're sharing a folder, people with Edit permissions can copy, move, edit, rename, share, and delete anything in the folder.
  • By default, Allow editing is turned off. If you want people to only view your files, check this box. This can be further restricted by selecting the option to Block download, which means they cannot save a local copy. For Word files, you can also select ‘Open in review mode only’ to limit people to leaving comments and making suggestions in the file. Note that if someone already has editing permissions for the item, selecting ‘Open in review mode only’ will not prevent them from making edits. For them, the document will open in edit mode.

Once you’ve selected all the options you require, you can then select who you’re going to send the link to.

Alternatively, you can hover over the document listed in SharePoint Online, click on the ellipsis and click on ‘Copy link’. This enables you to manage access to the file as outlined above but copies the link to your clipboard so you can paste it into an email yourself or wherever else you want to share the link.

Microsoft Teams Platform (chat, meetings, calls)

Chat

Teams offers the ability to chat with other users and share files (ie view, update and if appropriate, download). You don’t need to create a Team site or a meeting to have a chat with people - you are just using the Teams platform to have a chat.  You can have a chat directly with one colleague or as part of a group, such as during meetings. All messages can be searched and/or recovered in response to Freedom of Information and Subject Access requests.

Your conversation history and any files associated with the Chats are retained after you close the Teams application and are available when you next open it. All participants in a Teams chat can view the entire content of the chat. This includes participants who declined meeting invitations or disconnected from the meeting before it ended.

If you invite individuals to a Chat, ensure that the discussion and any files are appropriate for them to view, update and if appropriate, download. As a meeting organiser, consider who you are inviting to a meeting and if you want them to have full or temporary participation in meeting chat. People who are to have temporary access to the chat for the duration of the meeting must either be added manually after the meeting has started or join meetings without a meeting invitation addressed to them ie by a shared link, not via a calendar invite.

Be aware that it’s easy to write a message in the wrong Chat, causing you to inadvertently share information with the wrong individual or group.

While you can't delete an entire chat, you can hide a Chat from your chat list if it's not relevant to you anymore. Hover over the chat you want to hide from the list, then More options > Hide.

If you need to backtrack and delete something you just sent, go to the message and select More options … > Delete.

Sharing files in Chat (one-to-one or with several people)

You can share a file in a chat conversation by clicking on the paperclip at the bottom of a message; you can either upload from OneDrive or from your computer (eg from a shared drive or P drive). The file is automatically uploaded to the Files tab of the chat and a message is automatically created in the Chat notifying other participants in the chat that a file has been shared.

Deleting files shared in Chat

If the file that you shared was not stored in OneDrive, it will appear in your 'Microsoft Teams chat files' folder in OneDrive. You can delete the file here and that will prevent any further access to it.

If the file that you shared was stored in OneDrive you will need to locate the file in OneDrive under ‘My Files’ and manage the access settings for it. Click on the 3 dots next to the file followed by ‘Manage access’; here you can remove the link to the file.

Meetings and calls

Each meeting has a Chat feature visible to anyone who receives an invitation to the session regardless of whether they attend. Meeting organisers can allow or deny the Chat feature.

Screen sharing and privacy

Always be mindful of what information you display on your screen when presenting and/or sharing your desktop or particular application. If you are sharing your desktop (and need to flick between different screens/applications) but don't want to share everything that you might have open, click [Windows Key] + [Tab] + D to get a new virtual desktop. Clicking on [Windows] + [Tab] will show you the different desktops, so you can return to your normal one. 

Think about your own privacy and physical surroundings. If you have your camera on and someone starts presenting (and you are watching in full-screen mode), you might forget that your camera is on.

Recording/transcribing sessions

If you want to record and/or transcribe a meeting you should usually seek agreement from each of the meeting participants before you turn the recording and transcribing feature on.  Please refer to the privacy guidance for recording online meetings.

An exception to this rule may apply where a formal record of the meeting needs to be made in order to produce a transcript. This would generally only apply in circumstances where a meeting is being held as part of a formal University process (e.g. at the request of HR). Where this is the case the participants will be informed about the intention to record the meeting and the purpose of doing so in advance by the meeting organiser.

Microsoft Teams Site (channels, posts)

Setting up a Team Site

If you want to create a Team Site for collaboration purposes, you will need to ask IT Services to set it up. A Team Site requires more administration, document management and access management; it may be the case that you can achieve what you need just by using the Teams platform eg having meetings and using Chat.

A Team Site has extended functionality, eg the ability to have structured conversations using threads. Team Site owners are responsible for managing the files, folders and posts within the Team Site. Further guidance, including providing guest access to external individuals, is available:

https://documents.manchester.ac.uk/display.aspx?DocID=53167

Managing files in a Team Site

When a Team Site is created, a SharePoint Online site is automatically generated; each Channel that you create within your Team corresponds to an automatically generated SharePoint Online document folder. The folders representing the channels are in a single document library. Note that folders or document libraries that you create in SharePoint Online do not become Channels in Teams.

Renaming channels

Channels and SharePoint Online folders can get out of sync eg if you try to rename folders or channels or add folders in SharePoint. It is important NOT to rename Channels in a Team Site as the folder name is not updated in SharePoint Online. Channel names should be updated by deleting the Channel and creating a new one. If files have been uploaded to the channel these need to be moved elsewhere first, then moved back when the new renamed channel has been created. Posts to the Channel will be lost.

Any files shared within a Team Site are automatically added to the Files tab in the corresponding Team Channel and are also available within the corresponding SharePoint Online site. To view the files in SharePoint Online click on ‘Open in SharePoint’.

Microsoft provide guidance on specific characters that can’t be used in Channel names: https://docs.microsoft.com/en-us/microsoftteams/limits-specifications-teams

Posts in Teams

Posts in a Team Site are equivalent to a Chat in the Teams platform but conversations are threaded so that you can reply directly to someone’s specific post. 

Once a user is added to a Team they can see all the Post conversations and files shared within the Team channels to which they have access.

When working in Microsoft Teams, you might frequently and quickly switch between different Teams and Channels. Posting a message in the wrong Team could be embarrassing and problematic; take care to check where you’re writing your conversation post. If you realise that you have made a mistake and posted a message in the wrong team, you can delete your message (hover over the message, click on the ellipsis and select delete). Note that if someone has channel notifications turned on for that channel, they will have seen the post in their pop-up banner or it will be available in their Activity Feed – even if you have deleted the message.

Shared drives

Shared drives are appropriate places to store important University information and typically are used for documents shared within an office (eg a unit within the University’s organisation structure). Shared drives are regularly backed up and are secure, provided that access and permissions are being actively managed to ensure only the intended people can access the relevant information. Records should be stored in distinct filing systems that take account of different processes within an office (eg People & OD records separate from financial records) to enable correct access management and easier application of the Records Retention Schedule.

P drive

The P drive is provided to staff as a place to store your working draft documents prior to them being stored elsewhere. It should not be used as a place to store final versions of important University information, or to store your own personal/private documents, photographs etc. that are not work related. The University accepts no liability for any personal loss or damage suffered by a member of staff through personal use of University IT facilities (see the Acceptable Use of IT Facilities and Services – procedure for staff).

Note that OneDrive for Business introduces new features to help you manage your documents; it is envisaged that staff may prefer to use OneDrive rather than the P drive.

University Dropbox for Business

Dropbox for Business is useful for one-off sharing of information with non-University staff. If the data is Highly Restricted it must be encrypted before it is uploaded to Dropbox for Business. It must not be used as a storage medium; information should remain on Dropbox for Business for the minimum amount of time. Access and permissions to folders and documents should be actively managed to ensure only the intended people can access the relevant information.

Free software and software not approved by the University

Free software, or software that is not managed by IT Services, should not be used to process personal data or Highly Restricted information. Alternative approved software tools may be available that suit your requirements. Please contact the IGO to check if an Information Governance Risk Review (IGRR) has been completed before you purchase or use any new software; if not, you may be required to complete a risk review.