Using Microsoft Forms with sensitive data

Description

Microsoft Forms are approved for use with sensitive data; however, the Form owner must adhere to the guidelines referenced in this article.

Environment

Mac, PC, web browser, mobile app

Solution 

Guidelines for using Microsoft Forms with sensitive data

  • Forms used to collect sensitive data must be associated with a OneDrive group, not an individual account. This will prevent the storage of sensitive data within an individual Microsoft 365 account, as well as prevent any data collected via the form from loss in the event an individual transfers roles or departs the institution.  

  • The OneDrive Group associated with the creation of forms that collect sensitive data must be configured according to the Sensitive Data in OneDrive Standard.

  • Forms must NOT be “Shared to Collaborate.” 

  • Results of Forms must only be shared with those who have a need to access such forms, thus adhering to the principle of least privilege.  

Understanding the purpose of your data

Before using Forms, make sure you (and all your collaborators) understand the purpose of the data.  

  • Once you have defined the purpose of data collection, the data can only be used in a manner consistent with that purpose. All collaborators should  be clear on where the data is to be stored and how it is to be used before any responses are collected.

Moving forms to Group ownership

By default, the Forms you create are tied to your personal account – sensitive data must never be stored in a personal OneDrive account and must be saved to the group’s or department’s SharePoint site in a secure folder. Move them to Group ownership using the following steps:

  1. Create your Form.

  2. Go to the main Forms page.

  3. Select the " ⁞ " icon on the right side of your Form.

  4. Select the Move option.  

  5. A new panel will open showing you the full list of all O365 Groups and Teams of which you are a member. Click on one to make that group or team the owner of your form.

    • Note: Everyone in that group or team will now be able to see the form and all responses it collects.   

  6. Once complete, the Form will no longer be visible in the My Forms area. Instead, it will appear when you click the Group Forms option.

Understanding collaboration options

There is an option to Share a Form to Collaborate – but this will give all collaborators the ability to access response data. As such, the Share a Form to Collaborate option must not be used when collecting sensitive data.

When you click on the Share button in Forms, it gives you multiple pieces of information:

  1. Send and collect responses – This gives you a link that you can use to collect responses to your Form.  

  2. Share as a template – This allows you to create a duplicate of your Form that you can save under a new name or share with someone else.  

  3. Share to collaborate – This will give you a link you can share with other people who are working on the Form or the data it collects.  

  • Note: All collaborators have access to all response data. Therefore all individuals identified as collaborators must have a need to access the data to perform their job (principle of least privilege). forms share options: send and collect responses, share as a template, share to collaborate

Share to collaborate links are not tied to individual accounts (they can be forwarded or shared).  

The “Share to collaborate” link offers only two levels of privacy: sharing with everyone and sharing with people in your organization (all of OHIO, including students and guest accounts). The “Share to collaborate” link means that anyone you send this link to can forward that link to anyone else they think should have access, removing your ability to control who can see the data.    

You can avoid this by making a group the owner of your Form (see above). When a group “owns” a Form, all group members can see and work on the Form and its data without needing to use the “Share to collaborate” link. You can even embed your Form or Form responses directly into SharePoint or Teams.   

Include data purpose statement

Forms you create should always include a statement of why you are collecting the data and what you will do with it.  

This is good practice anytime you are collecting data and is a best practice requirement if you are collecting personal data. A privacy statement should include the following information:  

  • The purpose for which the information is being collected   

  • How the information collected will be used  

  • The contact information of someone who can answer questions about privacy

 

Outcome: You should now know how to use Microsoft Forms with sensitive data.

Get help from OIT

Was this helpful?
100% helpful - 1 review

Details

Article ID: 333
Created
Tue 4/26/22 3:39 PM
Modified
Wed 11/22/23 12:14 PM

Related Services / Offerings (1)

Electronic Forms: Microsoft Forms
Electronic forms replace physical form copies that require manual work and processes. Using electronic forms, we can automate submission and approval processes in order to create efficiencies and maintain data integrity.