It is essential that all University of Oxford data held in the cloud-based Nexus365 is secure, and that users are reassured of this. However, as a user you have an important role in keeping data safe by being aware of what you are doing when sharing data, managing access permissions, etc.
The Nexus365 FAQ section provides answers to a number of key questions, but the information below provides more detailed guidance:
- Microsoft is responsible for providing the infrastructure of Office 365, but the management and support of the users and data is carried out by the IT Services' Nexus Team. The team can, if required, also escalate support issues to Microsoft, who are able to access the data within the 'follow the sun*' support model that they provide across the globe.
- Specific guidance on the use of OneDrive for Business has been provided, and it is important that users read it before starting to store data there. No University data should be stored on a personal OneDrive (this is outside the JISC agreement).
- It is important that you read the Code of conduct for Nexus365 Teams/Groups before using this functionality.
- The data held in Nexus365 includes standard exchange data (name, department, phone number, etc.), which is synchronised from the authoritative University databases (card data, registrations, telecoms, and CUD). You can view this by looking at the properties of your ‘contact card’ in Outlook. The data is used only for service management. Microsoft states: “We use customer data for just what customers pay us for: to maintain and provide the Office 365 services. We make it our policy to not use customer data for other purposes. We think this use limitation is important because customer data could include personal information of staff, clients, patients, customers, or students. As part of our commercial cloud offerings Microsoft’s policy is not to use Office 365 customer data for other purposes, such as user profiling for advertising services.”
- The standard data held, and any that you add to the service (emails, OneDrive documents, etc.), will exist for the life of your Nexus365 account. When you leave the University, your account will go through the de-provisioning process, be marked for deletion and finally deleted. Once deleted, your account and its contents cannot be retrieved. You can see the current time frames for mailbox deletion here: https://help.it.ox.ac.uk/iam/registration/finishing_at_oxford/email. NB. This excludes any data that is stored in Nexus365 Teams/Groups, which will not be deleted as it stays with the Team/Group.
- The University of Oxford has signed up to the JISC Office 365 agreement which has negotiated amendments in areas related to standard liability and jurisdiction. More info on this can be found here: https://www.jisc.ac.uk/microsoft-365.
- Location of data storage and payment model have been key factors in the decision of what Office 365 functionality is being made available (and not being made available) at the University through Nexus365.
- The information security baseline controls are articulated in this document: https://sharepoint.nexus.ox.ac.uk/sites/itservices/security/Public/Baseline_Security_Assessment.xlsx. Microsoft also has a comprehensive Trust Center (https://www.microsoft.com/en-us/trustcenter), which provides independent assurance regarding its information security controls through an ISO27001 (International Standard of Information Security Management Systems) certificate and a SOC 2 (independent audit) report: https://www.microsoft.com/en-us/trustcenter/Compliance/ISO-IEC-27018
- Microsoft’s response to the Information Commissioner’s Office provides some useful further information.
* Follow the sun is a service desk system which involves global work-flow being passed between offices in different time zones around the world.