skip to content
Home

IT Help and Support

University Information Services
 

Security guidance for OneDrive

This guidance for Microsoft OneDrive for Business ("OneDrive") is to help you understand what data can be stored within this public cloud service, and what classifications of data OneDrive can hold on the basis of the current University Guidance on Data Security Classification.

Similar guidance may apply to other devices you use to store this data and appropriate protections may be necessary on those devices. You should seek out and become familiar with such guidance. It is assumed here that you are already familiar with that guidance.

We have also taken into account the current UK Government Classification system in order to provide additional information and assurance for you to ascertain what data will be appropriate for storage within this Public Cloud Service. Both sets of Classification and Guidance are being provided because of the broad usefulness of the current UK Government Guidelines, which are in use throughout the UK public sector and which have established and considered application in the use of Public Cloud Services.

It is important to note, in all levels of security classification, the principal factor in good data management is the 'need to know’ principle (Information is only shared to people who need to know the information).

University data security classifications and guidelines

The University Guidance defines the following classifications.

  • Level 0: Unclassified or public information Unclassified or public information is the largest class containing the majority of information.
  • Level 1: Cambridge Only This covers information that is only available to students and staff within the Cambridge domain. It includes memoranda, minutes of meetings (not otherwise marked), and site-licensed software.
  • Level 2: Confidential information This covers certain minutes of meetings, general personal information, financial information, or other information designated as confidential but that may be dealt with by any staff with delegated responsibility from the recipient (i.e. it is not, in a strict sense, information 'for your eyes only').
  • Level 3: Personal and strictly confidential information This covers documents that contain highly sensitive information or personal details that are for the eyes of the recipient only where delegated authority is not appropriate.

Application to OneDrive

The Microsoft EES Agreement includes Terms and Conditions that are compliant with UK/EU Data Protection Law and the University Statutes and Ordinances. Microsoft provide EU Model clauses in agreements, hold ISO 27001 and ISO 27018 certifications and operate their data centres within the European Economic Area. The Services offered are integrated with authentication processes entirely within the control of the University of Cambridge.

Staff should note that specific contractual obligations applying to aspects of their work may supersede this guidance and those obligations should be treated as exceptions. Staff should ensure they are aware of any contractual obligations and treat those as having precedence; if in doubt, staff should seek guidance from local Data Protection Officers.

Hence the current policy on the use of OneDrive is:

Subject only to the exclusions below, data under Data Classification Levels 0, 1 and 2 above CAN be stored in OneDrive.

Data excluded from the above includes:

  • data classified as Level 3 above
  • patient identifiable data (including other identifiable data which is subject to the Clinical School’s mandatory data security policy which can be found at http://www.medschl.cam.ac.uk/research/information-governance/)
  • data that is subject to a specific contractual agreement that specifies a particular storage method (that is not OneDrive)
  • data that is subject to a specific contractual agreement that prohibits storage in a public cloud service.

Such data MUST NOT be stored in OneDrive.

Incident reporting

Any breach (loss of data, unauthorised access, 'over-sharing' or any other security incident) must be reported to:

Further information

For further information on classification of data or if you are unsure if your data may fall into an excluded category please contact: .

UIS Service Desk

Website  Self-service portal
  
Phone padded  01223 332999

Phone padded  Service status line: (01223 7)67999
Website  Sign up for SMS/email status alerts
Website  Read major IT incident reports

UIS bITe-size bulletin

A regular newsletter aimed at the University's IT community, highlighting service and project news from UIS.

Sign up >

You can read previous editions of bITe-size.

Latest news

Delivering network connectivity for the Cambridge Half Marathon

9 March 2023

Richard Davies from the Granta Backbone Network (GBN) team and Craig Faux from the Networks team, worked together to help deliver network connectivity for the Cambridge Half Marathon that took place this past weekend. The University has been assisting the Council with delivering network connectivity for the Cambridge Half...

Changes to Google Workspace accounts from March

23 February 2023

15 February 2023 We are preparing to delete UIS managed Google Workspace accounts for users that have left the University to maintain system performance and security and reclaim file space ahead of Google introducing file space quotas. When a user leaves the University, their account is flagged as cancelled in Lookup and...

Wireless Service maintenance in March and April 2023

21 February 2023

We’ll be carrying out essential maintenance on the University Wireless Service in March and April 2023 to pave the way for its continued growth. Three phases of work in March and April 1. Tuesday 21 March, 8:00 to 9:00 You might experience interruptions to the UniOfCam-IoT service during the maintenance period. You might...

View all news

Contact us

UIS facilities

Resources

UIS websites

Study at Cambridge

About the University

Research at Cambridge