OneDrive policy update
An email sent to all colleagues from Jennifer Sewel, University Secretary, on 9 June.
I am writing to inform you of a substantial change to the University's OneDrive policy regarding personal usage and the continuation of our data quarantining process for Microsoft 365 (OneDrive and SharePoint).
Please ensure that you have made alternative arrangements for any data stored on OneDrive for personal usage before the quarantining process commences on 5 July 2023. Taking this action will help to ensure that your data is not inadvertently quarantined during this process.
OneDrive Policy Update:
In line with our ongoing commitment to uphold data protection standards, we are updating our OneDrive policy. This policy change affects the storage of personal usage data on University-owned OneDrive systems. Personal usage of University OneDrives has been permitted to date, however, in order to meet our data protection obligations and mitigate potential regulatory and compliance risks, this practice is no longer appropriate.
As our data protection obligations apply to all data on University One Drives, we advise all users to remove any personal usage data from their accounts and transfer it to alternative personal storage solutions. This step is crucial to ensuring the security of your personal usage data and to support the University's continued compliance with its data protection obligations.
Your understanding and co-operation in this matter are appreciated. For more information on this policy change and how it may affect you, please refer to the OneDrive FAQs ServiceNow article.
The University is currently undertaking an exercise to identify and quarantine data held on University file stores to meet our data protection obligations. These obligations include General Data Protection Regulations (UK GDPR), Payment Card Industry standards (PCI DSS), and University policy requirements. This process, which has already begun with the M: & N: drives, will be extended to include Microsoft 365 (OneDrive and SharePoint) starting from 5 July 2023. The criteria for quarantining are as follows:
• Any file of any age that appears to contain credit card account numbers (PCI DSS requirement).
• Any file of any age that appears to contain passwords. That is character strings containing a mixture of upper case, lower case, numbers, and/or special characters indicative of being a password (University requirement).
• Any file containing personally identifiable data that has not been modified in over seven years and not accessed in the last 120 days (UK GDPR requirement).
The data identification and quarantine process will be undertaken using Varonis software which detects for the presence of data that meets these criteria but does not actively read or access identified files.
Any file that meets the above criteria will be moved to a secure quarantine location. The file will be held there for three months to allow individual appeals to take place if required. All files will also be backed up for twelve months from initial quarantine as an additional safeguard. If the appeal is approved after the file has been deleted from the quarantine location, it can still be restored during this backup period.
For further information on what quarantining means for you, please refer to the following ServiceNow articles:
If you have any further questions or concerns about this process, please don't hesitate to contact the Information Governance team.
With best wishes,