Nexus365 security and privacy

The information below should give you that reassurance that Oxford data held in the cloud-based Nexus365 is secure.  However, you also have an important role in keeping safe by being aware of what you are doing when sharing data, managing access permissions and so on.

Management and support

Microsoft is responsible for providing the infrastructure of Office 365, but the management and support of the users and data is done by the IT Services’ Nexus Team.  The team can, if necessary, also escalate support issues to Microsoft.

Your responsibilities

If you are using OneDrive:

• Read the security guidelines for OneDrive for Business before starting to store data there
• Remember that no University data should be stored on a personal OneDrive (this is outside the JISC agreement).

If you are using Teams and Groups:

• Read the security guidelines for Teams and Groups before using this functionality.

How your data is managed in Nexus365

Your data held in Nexus365 includes standard exchange data (such as name, department and phone number).

• Where your data comes from

Your data is synchronised from the authoritative University databases for card data, registrations, telecoms and Core User Directory.  You can view your data by looking at the properties of your ‘contact card’ in Outlook.

• What your data is used for

The data is used only for service management.  Microsoft states:

‘We use customer data for just what customers pay us for: to maintain and provide the Office 365 services.  We make it our policy to not use customer data for other purposes.  We think this use limitation is important because customer data could include personal information of staff, clients, patients, customers, or students.  As part of our commercial cloud offerings Microsoft’s policy is not to use Office 365 customer data for other purposes, such as user profiling for advertising services.’

• Retention of your data

This standard data, and any that you add to the service (such as emails or OneDrive documents), will exist for the life of your Nexus365 account.  When you leave the University, your account will go through the deprovisioning process, be marked for deletion and finally deleted.  Once deleted, your account and its contents cannot be retrieved.  This does not apply to data stored in Nexus365 Teams/Groups – this won’t be deleted as it stays with the Team/Group.

You can see the current time frames for mailbox deletion in our guidance on finishing IT use at Oxford.

The location of our data storage was one of the key factors (along with the payment model) in deciding what Office 365 functionality would or would not be made available at the University through Nexus365.  See Microsoft’s page on Where is your data located?.

Further information

• Use Cloud Services safely
• Microsoft Trust Center
• Microsoft and ISO/IEC 27018 – a report on an independent audit for compliance with International Standard of Information Security Management Systems