Privacy & Security

O365's powerful collaboration suite is heavily guarded by protective measures that keep you and your data safe. Below you will find important information you can use to ensure the privacy and security of your institutional data.

Governing policies, procedures and guidelines

York University’s information management policies, guidelines and procedures apply to the use of Microsoft
Office 365 and require proper security of institutional data including personal information of students, faculty and staff. Failure to comply may result, at a minimum, with suspension of service. In particular, please note the following documents:

Computing and Information Technology Facilities Policy
• Information Security Classification Procedures
• Information Security Classification Standard

Risk Framework for Using the Information Security Classifications

The following risk-based framework is designed to facilitate the use of the information security classifications, as well as the criteria, stated below:

High Risk

Data and systems are classified as High Risk if one or more of the following apply:

  1. The data is classified as Confidential or Regulated Information;
  2. Protection of the data is required by law or regulation;
  3. The University is required to notify the government or affected individuals if the data is inappropriately accessed; and/or
  4. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on the University’s mission, safety, finances, or reputation

Medium Risk

Data and systems are classified as Medium or Moderate Risk if they are not considered to be High Risk, and one or more of the following apply:

  1. The data is classified as Information for Internal Use;
  2. The data is not generally available to the public; and/or
  3. The loss of confidentiality, integrity, or availability of the data or system could have a minor adverse impact on the University’s mission, safety, finance, or reputation

Low Risk

Data and systems are classified as Low Risk if one or more of the following apply:

  1. The data is classified as Public Information;
  2. The data is intended for public disclosure; and/or
  3. The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on the University’s mission, safety, finances, or reputation

In addition to being considered high-risk information, please note that Payment Card Industry (PCI) information and Personal Health Information (PHI) are each subject to special regulations, therefore a service that is approved for use with high-risk data may not necessarily also be approved for use with PCI or PHI data.
For assistance with handling such data, please contact Information Security

Approved Information Classifications for Office 365 Services

To ensure the appropriate level of information protection and privacy for the data stored in these
applications, members of the York community must classify data based on the level of sensitivity and value of that data. More information on data classification can be found in York’s Information Security Classification Standard.

The table below lists which information classifications can be used in different Office 365 applications:

Email and Calendar are approved for sending confidential and regulated information ( non-PCI/PHI) only to other email accounts. Security cannot be ensured when sending to non-York systems such as gmail, etc. 2 Payment Card Industry (PCI) data and Personal Health Information (PHI) data each have special regulatory requirements that prohibit using these services for such data.

Sharing Documents and Information

Office 365 contains several useful sharing features that enable access to multiple people of the same information. When using these features, you are responsible for ensuring the access is appropriate and
properly maintained over time. Keep these tips in mind:

  • Share files with specific individuals or groups, do not use ”share with everyone”;
  • Use folders to share groups of files with others;
  • Remember that once a file is shared with someone, they can download it to their device and share it with others; and remove access when individuals no longer require access to files or folders.

Copyright and Acceptable Use with Office 365

Third party copyrighted materials, such as book chapters, journal articles, music, videos, etc. or materials that
have been licensed by York University Libraries, may not be shared with students via Office 365 services such as OneDrive for Business, SharePoint or OneNote, Groups, Teams, etc. Online course materials should always be made available to students via York-supported Learning Management Systems, such as Moodle. York’s faculty and staff are responsible for using copyright-protected materials appropriately.

If you would like more information on the use of copyright-protected materials for your course contact York’s Copyright Support Office at

Data Location

All data for York University’s Office 365 instance is stored securely in Microsoft facilities located in North America (Canada and/or the United States). For some services, the data is located exclusively in Canada, as listed below:

Service Data Location 
Office 365: Email and Calendar Canada
Office 365: Office Online & OneNote Canada
Office 365: OneDrive for Business Canada
Office 365: Groups North America
Office 365: Skype for Business Canada
Office 365: Teams North America
Office 365: SharePoint Canada
Office 365: Yammer North America
Office 365: All other services North America

How secure is the information contained in emails and attachments?

Office 365 Outlook maintains the latest defenses against viruses and spam with ForeFront Online Protection for Exchange, a service that handles over 150 million messages from 8.5 million users around the world every day and is updated to protect against new virus and spam threats as soon as they appear. Microsoft helps to safeguard your data by hosting it in Canadian data centers with continuous data backup and a premier disaster recovery plan. Email is vulnerable to access by unauthorized parties in transmission and in storage; it is recommended that electronic communication, including email not to be used for sensitive data.

How is my privacy protected?

The Office 365 service for York University is governed by a formal agreement between the University and Microsoft that provides significant assurances concerning the security and privacy of the information stored or handled in Office 365.

The University has also done a risk-based Privacy Impact Assessment of the email service to ensure that potential risks have been identified. Steps were taken to mitigate those risks and the University meets its legal requirements with respect to privacy.

All of York University’s policies, including guidelines on emailing continue to apply to the Office 365 service.

Could Microsoft make a data ownership claim on data stored in the York O365 accounts?

No. It is clearly addressed in the Microsoft online services agreement that they can not.

Will I still use my Passport York login ID and Password to login to O365?


Will Microsoft somehow use the information in our accounts or metadata about our accounts (data mine) for commercial purposes?

Microsoft’s contractual commitment restricts any use of information in or about YU accounts to use required to deliver the service. For example, Microsoft's automated services will scan incoming mail information in order to implement mail filters.

Is moving York's email systems to O365 effectively ceding control of future terms and email addresses to Microsoft?

No. The terms and conditions include provisions that allow York to move our accounts elsewhere if we so wish.

Will O365 change YorkU's spam filtering?

The new spam filters in O365 have different rules for catching spam than our previous environment; as a result, some emails that previously went to your inbox may go into your junk mail folder after the migration. <a href="">Learn more about junk mail with O365.</a>