It is essential that all University of Oxford data held in the cloud-based Nexus365 is secure, and that users are reassured of this. The information below should give you that reassurance.
However, you also have an important role in keeping safe by being aware of what you are doing when sharing data, managing access permissions and so on.
Management and support
Microsoft is responsible for providing the infrastructure of Office 365, but the management and support of the users and data is done by the IT Services’ Nexus Team. The team can, if necessary, also escalate support issues to Microsoft.
If you are using OneDrive:
- Read the security guidelines for OneDrive for Business before starting to store data there
- Remember that no University data should be stored on a personal OneDrive (this is outside the JISC agreement).
If you are using Teams and Groups:
- Read the security guidelines for Teams and Groups before using this functionality.
How your data is managed in Nexus365
Your data held in Nexus365 includes standard exchange data (name, department, phone number etc).
Where it comes from: Your data is synchronised from authoritative University databases (card data, registrations, telecoms and Core User Directory). You can view your data by looking at the properties of your ‘contact card’ in Outlook).
What it is used for: The data is used only for service management. Microsoft states: ‘We use customer data for just what customers pay us for: to maintain and provide the Office 365 services. We make it our policy to not use customer data for other purposes. We think this use limitation is important because customer data could include personal information of staff, clients, patients, customers, or students. As part of our commercial cloud offerings Microsoft’s policy is not to use Office 365 customer data for other purposes, such as user profiling for advertising services.’
Retention of your data: This standard data, and any that you add to the service (such as emails or OneDrive documents) will exist for the life of your Nexus365 account. When you leave the University, your account will go through the de-provisioning process, be marked for deletion and finally deleted. Once deleted, your account and its contents cannot be retrieved. (This does not apply to data stored in Nexus365 Teams/Groups – this won’t be deleted as it stays with the Team/Group.)
You can see the current time frames for mailbox deletion in our guidance on finishing at Oxford.
The University’s agreements
The University has signed up to the JISC Office 365 agreement. JISC has negotiated some amendments to Microsoft’s standard agreement and under the Universities’ JISC agreement all email data remains in the UK. More information can be found on the JISC website.
The location of our data storage was one of the key factors (along with the payment model) in deciding what Office 365 functionality would or would not be made available at the University through Nexus365. See Microsoft’s Where is your data located? information.
Microsoft and ISO/IEC 27018 – a report on an independent audit for compliance with International Standard of Information Security Management Systems