Handling sensitive data in OneDrive for employees

Description

Employees who need to store sensitive information must take extra precautions to protect University data.

Environment

Employee OneDrive accounts

Solution 

  1. Never store any University data, sensitive or non-sensitive, in a personal OneDrive account that was not obtained through Ohio University.

  2. Store non-sensitive University data in individual OHIO OneDrive accounts or OHIO-issued Microsoft Groups

  3. Store sensitive data in OHIO-issued Microsoft Groups only. Sensitive data includes FERPA, HIPAA, and PHI data. Individual OneDrive accounts are not approved for storing sensitive data. 

  4. Use online editing to make updates to documents.

    • Data is only as secure as the system it resides on. Instead of downloading documents to edit them locally just to re-upload them once complete, utilize the online editing tools available with your Microsoft Group. This is especially important for devices that are easily stolen, such as mobile phones and laptops. The online editing allows you to open the document within your browser for quick changes, or through your locally installed client for Word, Excel, etc., without saving the document to your computer. Using the online editing function also allows for multiple people to collaborate simultaneously.

  5. Actively manage sharing to prevent unauthorized disclosure.

    • One of the best functions of Microsoft Groups is fast and secure sharing of files and folders for collaboration. It provides some granularity of how the share is handled, which will be important for the data owner to understand to limit the access to only what is necessary. When sharing a file or folder, you will be prompted with the option to select who you want to be able to view it, and whether they should have access to edit it. We recommend sharing files and folders with specific individuals to prevent unauthorized people from accessing it if the link is forwarded to others.

    • Be sure to regularly check what content is being shared at the folder level and remove people when their access to the sensitive data is no longer necessary. Take note that even if you deny someone access to edit a shared file, it does not prevent them from copying or downloading it. 

  6.  For additional details, visit the Information Security Office's sensitive data guidelines

 

Outcome: You should be able to safely store sensitive University data in the proper account.

Get help from OIT

Additional resources