O365's powerful collaboration suite is heavily guarded by protective measures that keep you and your data safe. Below you will find important information you can use to ensure the privacy and security of your institutional data.
Governing policies, procedures and guidelines
Office 365 and require proper security of institutional data including personal information of students, faculty and staff. Failure to comply may result, at a minimum, in suspension of service. In particular, please note the following documents:
• Computing and Information Technology Facilities Policy
• Information Security Classification Procedures
• Information Security Classification Standard
Risk Framework for Using the Information Security Classifications
High Risk
Data and systems are classified as High Risk if one or more of the following apply:
- The data is classified as Confidential or Regulated Information;
- Protection of the data is required by law or regulation;
- The University is required to notify the government or affected individuals if the data is inappropriately accessed; and/or
- The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on the University’s mission, safety, finances, or reputation
Medium Risk
Data and systems are classified as Medium or Moderate Risk if they are not considered to be High Risk, and one or more of the following apply:
- The data is classified as Information for Internal Use;
- The data is not generally available to the public; and/or
- The loss of confidentiality, integrity, or availability of the data or system could have a minor adverse impact on the University’s mission, safety, finance, or reputation
Low Risk
Data and systems are classified as Low Risk if one or more of the following apply:
- The data is classified as Public Information;
- The data is intended for public disclosure; and/or
- The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on the University’s mission, safety, finances, or reputation
In addition to being considered high-risk information, Payment Card Industry (PCI) information and Personal Health Information (PHI) are each subject to special regulations; therefore, a service that is approved for use with high-risk data may not necessarily also be approved for use with PCI or PHI data.
For assistance with handling such data, please contact Information Security.
Approved Information Classifications for Office 365 Services
applications, members of the York community must classify data based on the level of sensitivity and value of that data. More information on data classification can be found in York’s Information Security Classification Standard.
The table below lists which information classifications can be used in different Office 365 applications:
Service | Public (Low Risk) | Internal (Medium Risk) | Confidential, Non-PCI/PHI (High Risk) | Regulated, PCI or PHI (High Risk) |
Office 365: Email and Calendar (to internal @yorku.ca accounts) | ✓ | ✓ | ✓ | |
Office 365: Email and Calendar (to external accounts) | ✓ | ✓ | | |
O365: Office Online | ✓ | ✓ | ✓ | |
O365: OneDrive for Business | ✓ | ✓ | ✓ | |
O365: Groups | ✓ | ✓ | | |
O365: Skype for Business | ✓ | ✓ | ✓ | |
O365: Teams | ✓ | ✓ | ✓ | |
O365: SharePoint (default templates) | ✓ | ✓ | ✓ | |
O365: SharePoint (custom templates) | ✓ | ✓ | With approval | |
O365: Other Services | ✓ | ✓ | | |
1 Email and Calendar are approved for sending confidential and regulated information (non-PCI/PHI) only to other @yorku.ca email accounts. Security cannot be ensured when sending to non-York systems such as Gmail, etc.
2 Payment Card Industry (PCI) data and Personal Health Information (PHI) data each have special regulatory requirements that prohibit using these services for such data.
Sharing Documents and Information
properly maintained over time. Keep these tips in mind:
- Share files with specific individuals or groups; do not use “share with everyone”;
- Use folders to share groups of files with others;
- Remember that once a file is shared with someone, they can download it to their device and share it with others; and
- Remove access when individuals no longer require access to files or folders.
Copyright and Acceptable Use with Office 365
have been licensed by York University Libraries, may not be shared with students via Office 365 services such as OneDrive for Business, SharePoint or OneNote, Groups, Teams, etc. Online course materials should always be made available to students via York-supported Learning Management Systems, such as Moodle. York’s faculty and staff are responsible for using copyright-protected materials appropriately.
If you would like more information on the use of copyright-protected materials for your course, contact York’s Copyright Support Office at copy@yorku.ca.
Data Location
Service | Data Location |
Office 365: Email and Calendar | Canada |
Office 365: Office Online & OneNote | Canada |
Office 365: OneDrive for Business | Canada |
Office 365: Groups | North America |
Office 365: Skype for Business | Canada |
Office 365: Teams | Canada (Chat in North America) |
Office 365: SharePoint | Canada |
Office 365: Yammer | North America |
Office 365: All other services | North America |
How secure is the information contained in emails and attachments?
How is my privacy protected?
The Office 365 service for York University is governed by a formal agreement between the University and Microsoft that provides significant assurances concerning the security and privacy of the information stored or handled in Office 365.
The University has also done a risk-based Privacy Impact Assessment of the email service to ensure that potential risks have been identified. Steps were taken to mitigate those risks and the University meets its legal requirements with respect to privacy.
All of York University’s policies, including guidelines on emailing, continue to apply to the Office 365 service.