York University’s information management policies, guidelines and procedures apply to the use of Microsoft Office 365 and require proper security of institutional data including personal information of students, faculty and staff. Failure to comply may result, at a minimum, with suspension of service. In particular, please note the following documents: • Computing and Information Technology Facilities Policy • Information Security Classification Procedures • Information Security Classification Standard

The following risk-based framework is designed to facilitate the use of the information security classifications, as well as the criteria, stated below:

High Risk

Data and systems are classified as High Risk if one or more of the following apply:

1. The data is classified as Confidential or Regulated Information;
2. Protection of the data is required by law or regulation;
3. The University is required to notify the government or affected individuals if the data is inappropriately accessed; and/or
4. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on the University’s mission, safety, finances, or reputation

Medium Risk

Data and systems are classified as Medium or Moderate Risk if they are not considered to be High Risk, and one or more of the following apply:

1. The data is classified as Information for Internal Use;
2. The data is not generally available to the public; and/or
3. The loss of confidentiality, integrity, or availability of the data or system could have a minor adverse impact on the University’s mission, safety, finance, or reputation

Low Risk

Data and systems are classified as Low Risk if one or more of the following apply:

1. The data is classified as Public Information;
2. The data is intended for public disclosure; and/or
3. The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on the University’s mission, safety, finances, or reputation

In addition to being considered high-risk information, please note that Payment Card Industry (PCI) information and Personal Health Information (PHI) are each subject to special regulations, therefore a service that is approved for use with high-risk data may not necessarily also be approved for use with PCI or PHI data. For assistance with handling such data, please contact Information Security

To ensure the appropriate level of information protection and privacy for the data stored in these applications, members of the York community must classify data based on the level of sensitivity and value of that data. More information on data classification can be found in York’s Information Security Classification Standard. The table below lists which information classifications can be used in different Office 365 applications:

Service	Public (Low risk)	Internal (Medium Risk)	Confidential Non-PCI/PHI (High Risk)	Regulated PCI or PHI (High Risk)
Office 365: Email and Calendar (to internal @yorku.ca accounts)
Office 365: Email and Calendar (to external accounts)
O365: Office Online
O365: OneDrive for Business
O365: Groups
O365: Skype for Business
O365: Teams
O365: SharePoint (default templates)
O365: SharePoint (custom templates)			With approval
O365: Microsoft Forms
O365: Other Services

Email and Calendar are approved for sending confidential and regulated information ( non-PCI/PHI) only to other @yorku.ca email accounts. Security cannot be ensured when sending to non-York systems such as gmail, etc. 2 Payment Card Industry (PCI) data and Personal Health Information (PHI) data each have special regulatory requirements that prohibit using these services for such data.

Office 365 contains several useful sharing features that enable access to multiple people of the same information. When using these features, you are responsible for ensuring the access is appropriate and properly maintained over time. Keep these tips in mind:

• Share files with specific individuals or groups, do not use ”share with everyone”;
• Use folders to share groups of files with others;
• Remember that once a file is shared with someone, they can download it to their device and share it with others; and remove access when individuals no longer require access to files or folders.

Third party copyrighted materials, such as book chapters, journal articles, music, videos, etc. or materials that have been licensed by York University Libraries, may not be shared with students via Office 365 services such as OneDrive for Business, SharePoint or OneNote, Groups, Teams, etc. Online course materials should always be made available to students via York-supported Learning Management Systems, such as Moodle. York’s faculty and staff are responsible for using copyright-protected materials appropriately. If you would like more information on the use of copyright-protected materials for your course contact York’s Copyright Support Office at copy@yorku.ca

All data for York University’s Office 365 instance is stored securely in Microsoft facilities located in North America (Canada and/or the United States). For some services, the data is located exclusively in Canada, as listed below:

Service	Data Location
Office 365: Email and Calendar	Canada
Office 365: Office Online & OneNote	Canada
Office 365: OneDrive for Business	Canada
Office 365: Groups	North America
Office 365: Skype for Business	Canada
Office 365: Teams	Canada (Chat in North America)
Office 365: SharePoint	Canada
Office 365: Yammer	North America
Office 365: All other services	North America

Office 365 Outlook maintains the latest defenses against viruses and spam with ForeFront Online Protection for Exchange, a service that handles over 150 million messages from 8.5 million users around the world every day and is updated to protect against new virus and spam threats as soon as they appear. Microsoft helps to safeguard your data by hosting it in Canadian data centers with continuous data backup and a premier disaster recovery plan. Email is vulnerable to access by unauthorized parties in transmission and in storage; it is recommended that electronic communication, including email not to be used for sensitive data.

The Office 365 service for York University is governed by a formal agreement between the University and Microsoft that provides significant assurances concerning the security and privacy of the information stored or handled in Office 365. The University has also done a risk-based Privacy Impact Assessment of the email service to ensure that potential risks have been identified. Steps were taken to mitigate those risks and the University meets its legal requirements with respect to privacy. All of York University’s policies, including guidelines on emailing continue to apply to the Office 365 service.

No. It is clearly addressed in the Microsoft online services agreement that they can not.

Yes!

Microsoft’s contractual commitment restricts any use of information in or about YU accounts to use required to deliver the service. For example, Microsoft's automated services will scan incoming mail information in order to implement mail filters.

No. The terms and conditions include provisions that allow York to move our accounts elsewhere if we so wish.

The new spam filters in O365 have different rules for catching spam than our previous environment; as a result, some emails that previously went to your inbox may go into your junk mail folder after the migration. Learn more about junk mail with O365.