Acceptable Use Guidelines for OneDrive
Learn about acceptable use guidelines for OneDrive for Business.
OneDrive for Business is a convenient cloud based storage system for your work related files. Although OneDrive for Business is the endorsed cloud file sharing solution for the campus, there are security practices that still must be followed to ensure the service is being used properly.
If you have any questions, check with the data owner or your local department policy for acceptable use.
Note: Sharing the contents of the stored files on OneDrive with foreign nationals could result in violation of US export control regulations. While Microsoft is committed to storing data on US soil (export control compliance), you are responsible for knowing who you are sharing files with. Please consult your export control officer for guidance.
Confidential Data
Confidential data includes data which, if accessed by unauthorized entities could cause personal or institutional financial loss or constitute a violation of statute, act or law. Examples of confidential data include but are not limited to:
- Social Security Numbers
- Bank account or credit card numbers
- Data covered by the Federal Educational Rights and Privacy Act (FERPA)
- Data covered by the Health Insurance Portability and Accountability ACT (HIPAA)
- Trade secrets or information that may be purchased for the creation of a patent
- Login/password credentials
The University of California system has an agreement in place with Microsoft that OneDrive for Business complies with FERPA, and HIPAA guidelines. Although that is in place, it is up to you to ensure you are abiding by HIPAA standards when using the service. Again, check with the data owner or local department policy before moving confidential data to OneDrive for Business.
Read more about Securing Personal Information before storing that data in OneDrive.
Sensitive Data
Sensitive data is information generally used internally at the university or with its authorized partners. If released to unauthorized individuals would not result in any financial loss or legal compliance issues but would negatively impact the privacy of the individuals named or the integrity or reputation of the University. This includes but is not limited to the following:
- Employees who have chosen to suppress their directory information.
- Identities of donors or other third party partner information maintained by the University not specifically designated for public release.
- Proprietary financial, budgetary or personnel information not explicitly approved by authorized parties for public release.
- Emails and other communications regarding internal matters which have not been specifically approved for public release.
Sensitive data may be stored and shared in OneDrive, but must be stored and shared in a secure manner.
Unclassified Data
Data that does not meet the criteria as confidential, sensitive or private as defined above shall be considered non-classified data. Please note that this classification does not imply that the data does not need to be properly managed. Such data may be subject to open records requests.
Unclassified data may be stored and shared in OneDrive, but must be stored and shared in a secure manner.
How to Use OneDrive Securely
Secure the workstation or device you are using to access OneDrive.
- Ensure virus/malware detection software is installed with the latest definitions.
- Do not log into your workstation or device as an administrator (unless absolutely necessary).
- Keep your operating system and software up-to-date.
- Password-protect your workstation or device and use idle-time screen saver passwords where possible.
- Don't sync files to a machine or device that is not issued and secured by the university.
- Don't store personal files in OneDrive.
Talk to your departmental IT support for help securing your computers and other devices. For a full list of minimum standards, please reference the Network Security Policy.
Best Practices for Sharing Files
- Use folders to share groups of files with others online.
- Share files with specific individuals, never with “everyone” or the “public”.
- Be careful sending links to shared folders because they can often be forwarded to others who you did not provide access to.
- Remember that once a file is shared with someone and they download it to their device, they can share it with others.
-
Remove individuals when they no longer require access to files or folders.