Security and policies for Teams

What this information covers

• Who can access the content in a Team?
• Where is the data stored? 
• Is data in Teams encrypted?
• Are there audit records?
• How long is data kept for?
• What kinds of data is it OK to put in Teams? 

Who can access the content in a Team?

• Teams have named owners, members and guests. Only they can see content in that Team.

• Everyone in a Team can see the contents of a standard Channel.  

• A private Channel has its own set of owners, members and guests, who must be drawn from the Team's membership. Only they can see the contents of the Channel. Only a Team's owner can create a private Channel in that team. 

• The platform administrators (UIS staff) can access content in a Team, in the same way that they can access mailboxes and file stores on systems they administer.  

• Under normal circumstances, only Team or Channel owners, members and guests can see the content. Team owners decide who is allowed to join the Team or Channel.   

Where is the data stored? 

• Data within the University of Cambridge Teams tenancy  is stored in Microsoft data centres in the UK (London and Cardiff) and in the EU (Dublin and Amsterdam). When we say Teams data is stored "in the cloud", we mean it is stored in these data centres.

  Other organisations that use Teams may have their data stored in other Microsoft data centres.  

• You can choose to have some Team content synced to your computer. This means that there will also be a local copy on your hard drive.  

Is data in Teams encrypted? 

• Data stored in the cloud is encrypted.

• When it's transmitted between your computer and the cloud, data is encrypted. 

• If it's copied to your computer or device, it is encrypted if and only if your device's storage is encrypted.

• Certain files might be encrypted by the program that created them. Examples include encrypted PDFs and some Word, Excel files and ZIP files. Typically, if it’s encrypted,  such a file will ask for a password when you try and open it. We call this "file-level encryption", and it's independent of the encryption that Teams provides. It's also independent of whether your computer's storage is encrypted. If all your files are file-level encrypted you may not need your computer’s storage to be encrypted as well. Typically, however, not all files are file-level encrypted and some kinds of content cannot be file-level encrypted at all.  

Are there audit records? 

• Yes. Users' (Team owners, members and guests) activity and administrator activity in Teams is all logged in the cloud. The audit logs are accessible to selected platform administrators only.  

How long is data kept for?

• The retention policy for Teams Channel messages is set to 1 year, this is the same for both Standard and Private Channels. This includes messages within Channel Meeting chats. It is a retain-only policy so it does not delete any content once the retention period has lapsed until it is marked explicitly for deletion by a member of the Team site.
• The retention policy for Shared Channels is inherited from their parent Team (so those created under University of Cambridge Teams will be for 1 year.)
• The retention policy for Teams SharePoint sites is set to 1 year and is retain-only.
• Teams Chat is not under a retention policy
• Emails and files that you use with Teams are not included in retention policies for Teams. These items have their own retention policies. For example emails will be under the mailbox retention policy, and files will be under the SharePoint or OneDrive retention policy depending on their host location.

What kinds of data is it ok to put in Teams? 

Teams is ok for:

• University data at levels 0, 1, and 2

  This can be stored on Teams, provided always that the owners of the relevant Team understand and accept responsibility for managing owners, members and guests of the Team. You can learn about the different University data levels and what they mean. 

Depending on circumstances, Teams might be ok for:

• University data at level 3

  This can be stored on Teams, but the owner of that data should satisfy themselves that they have full and ongoing control over who can join the relevant team, and that they are comfortable with the possibility that platform administrators have the ability to access the data. 

• Data you've acquired under a data-sharing agreement

  You have to consider your obligations under those agreements.

• Data that the owner or controller has shared with you under certain conditions

  You have to consider your obligations to comply with those conditions. 

• Research participant data

  For researchers in the School of Clinical Medicine - your participant data should not be stored on Teams. For researchers elsewhere - you should consider any commitments made as part of grant funding, by ethics committees, or during the collection of the data.

Teams should not be used for:

• NHS patient data

  This should not be put in Teams.

Deciding what to store in Teams

The following may help you decide if Teams meets common requirements for storing data:

• If it's personal data and the University is the Data Controller, Teams is a suitable platform to store personal data. This is provided that only appropriate people have access to that data, now and in the future. You need to consider who are the Owners of a Team, and who are (or could become) owners, members, and guests. 

• The data stored in a Team is encrypted in the cloud, and in transmission. 

• Teams user activity and administrator activity audit logs are generated and maintained in the cloud. This includes Team Owners', Members' and Guests' activity.