Data protection information on the usage of Microsoft 365 for employees

MS365 scope

The services and applications of the Microsoft 365 Cloud (MS365) are a collection of extensive and diverse tools that are intended to facilitate work processes, especially in daily collaboration. At the same time, however, the services always process personal data of the users, as well as of the persons registered and mentioned in the services. Personal data is information that relates to an identified or identifiable natural person based on information available to Leuphana. Examples of personal data are: name, date of birth, religion, address, telephone number, diseases, memberships and much more.

Data protection principles must therefore always be taken into account when working with the system. Please use the systems only for their intended purpose and only for official purposes.

Familiarise yourself with the data protection legal framework and legal bases that must be observed for your activities.

The services are provided to Leuphana employees as a collaboration platform. Therefore, please do not use the online services, for example, as a permanent data storage or archive, but to plan projects together with other employees in parallel, to edit documents, or to exchange information more efficiently. The network and group drives provided by Leuphana are to be used as storage locations, of which – in contrast to the Microsoft services – backups are created regularly. Further information on the MIZ storage options can be found in the MIZ Instructions Wiki.

In addition, all data protection law objectives of data economy, purpose limitation, and the need for a legal basis for processing must be observed. In case of doubt, please contact data protection management (datenschutz@leuphana.de) before using the data in a specific project.

General requirements

  • For data requiring special protection (see below), data subject to special secrecy or data with a generally very high protection requirement (e.g., information on sick leave, disadvantage compensation, pregnancy or research contracts with a non-disclosure agreement), the services are generally not set up and should not be used for this purpose.

  • The services cannot be used in every country. Excluded countries include, but are not limited to, the Democratic People's Republic of Korea, Iran, Cuba, Sudan, and Syria, due to restrictions under US export laws, which Microsoft's customers are also required to comply with [1].

  • Social data (§ 67 para. 2 sentence 1 SGB X; § 80 SGB X, e.g., data from or for health insurance companies, employment offices, pension insurance or similar) may not be processed with the Microsoft services.

  • The use of university (official) accounts on private devices is not permitted (see Leuphana's IT policy).

Art. 9 GDPR, "special categories of personal data": Data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data uniquely identifying a natural person, health data or data concerning a natural person's sex life or sexual orientation.

Below, we provide some guidance on how to implement these requirements in detail when dealing with MS365 services.

Connected experiences – internet services within MS365

MS365 services and software use so-called "connected experiences". These are features that only work with an active Internet connection because they need to retrieve information or content from the Internet, or send content you have entered to the MS365 servers. Some of these connected experiences analyse the content you enter, for example, to translate or read aloud text, to convert images or dictation into text, or to provide you with design recommendations and editing suggestions. For more information about the analysing services, please visit docs.microsoft.com/en-gb/deployoffice/privacy/connected-experiences. Please keep this in mind if you plan to use data from specifically identifiable individuals with these features and consider opting out.  

In addition, optional connected experiences (docs.microsoft.com/en-gb/deployoffice/privacy/optional-connected-experiences) are administratively turned off because these features would also share data with external companies outside of Microsoft and thus be subject to further regulation and individual contracts. 

OneDrive

Purpose and scope

The OneDrive service is a storage service that allows you to upload files from your computer to the cloud and edit or share them there, or use them in other MS365 services together with other users. 

The data is not stored at Leuphana, but at an external Microsoft data centre. Leuphana does not back up the data stored there. Theoretically, access to the data by Microsoft or support service providers cannot be completely ruled out in certain cases. Therefore, do not use the service as an archive file storage; for this purpose, you can use personal network drives or group drives that are centrally managed, backed up and stored at Leuphana. Thus, only use OneDrive for the duration of the collaboration.

Encrypted storage

If data is stored in encrypted form, the password required for this purpose must comply with the password requirements of Leuphana University Lüneburg's IT policy or be of equivalent security. The password may only be accessible to persons who are employees of Leuphana. The password may only be transmitted or stored via communication channels outside of MS365. The encryption method used must comply with the technical guideline BSI TR-02102-1 of the German Federal Office for Information Security, e.g., AES with a key length of at least 128 bits (symmetric) or RSA with a key length of at least 2000 bits. A graphical overview of encryption methods for orientation can be found, for example, at the Institute for Internet Security of the Westfälische Hochschule: www.internet-sicherheit.de/downloads/infografiken/verschluesselungsverfahren.html

Synchronisation

Keep in mind that the data stored in OneDrive is synchronised with all devices on which you set up your Microsoft account and OneDrive, e.g., within Windows. Mobile devices in particular must therefore be protected against unauthorised access while being transported and secured against loss (by activating BitLocker drive encryption), and must not be made accessible to external persons.

Sharing

Share files with restraint. Consider who should view and edit the data and assign the rights accordingly when sharing. Remember to revoke any shares once the collaboration they were set up for has been completed.

This applies in particular to the involvement of persons who are not employees of Leuphana (students, external contractors, etc.). File shares that last longer than necessary pose risks to the individuals mentioned therein. Always ask yourself how you would like other organisations to handle your personal data.

Avoid holding large collections of third-party personal data (lists of event registrations, address directories, research data directly related to individuals, etc.) on the service or sharing them with a larger number of individuals (>10). 

Sharing with external people is possible via guest accounts of the external people. Sharing via links is not possible because this would give access to the content to any person who knows the link. Intended or unintended sharing would then be possible in an uncontrolled manner.

Offer alternative Leuphana services (e.g., Academic Cloud, myShare, CryptPad (Drive)) at an early stage to external persons who do not wish to use Microsoft services.

Teams

Purpose and scope

The Teams communication tool is used for collaborative work. It can be used to coordinate various means of collaboration, such as chat, video conferencing, collaborative writing, collaborative work organisation, and file sharing with version history and personalised change tracking. 

Teams does not yet offer end-to-end encryption for video conferencing (with the exception of optional 1-to-1 meetings). Teams is therefore essentially unusable as a video conferencing tool for conducting confidential conversations or sharing sensitive video content (assessment content, grade reviews, authentication checks, exchanges on sensitive subject matter). For this, end-to-end encrypted meetings via Zoom are to be used, or the video conference application (BigBlueButton) of Academic Cloud.

Sharing

The guidelines for OneDrive apply.

[1] See www.microsoft.com/en-us/exporting and www.microsoft.com/en-gb/microsoft-365/business/international-availability.