Information management in Microsoft 365

FAQ Image

What can you store in Microsoft 365?

When you are working in H: and L: on your computer, you are in the university server. When you are working in OneDrive, Outlook, Teams, SharePoint or another Microsoft 365 application, your document is instead saved in the university’s Microsoft 365 cloud storage. 

You can use the cloud for working material and documents that do not contain protected or confidential information. As a rule, information must be managed in the systems that are in place for each respective area. 

This document is in line with the university policy document entitled Regler för lagring av Högskolans Dalarnas digitala information (in Swedish)

What is an official document (allmän handling)

According to the Freedom of the Press Act (Tryckfrihetsförordningen), a document is official if it is stored by the authority, has been sent to the authority or has been drawn up by the authority. Official documents can be either public (offentlig) or secret (hemlig). It makes no difference if the document is digital or analogue. Documents that are not sent (dispatched) from the authority but that have been drawn up and finalised there are also official: for example, documents relating to an official matter than has been finalised.  

Not all documents at an authority are official: for example, working material that is not yet complete, trade union matters and private messages.  

Confidential and Sensitive Information, or Extra Protected Personal Data 

Confidential and sensitive information, or extra protected personal data must first and foremost be stored in one of the university systems. If this is not possible, they must be stored in official folders on the university server in L: or H:.   

Confidential and sensitive information, or extra protected personal data must not be managed or stored in Microsoft 365. If you are unsure about whether your information is confidential, contact support@du.se.  

What information is classed as confidential, sensitive or extra protected? 

Below you can find a description of different types of information and personal data. These can require a higher level of security than more harmless information and personal data. They must always be processed with caution. 

Matters of Confidentiality 

  • Staff and students: 
    Health matters, work transfer, protected addresses, severance. 
  • Financial matters: 
    Business relationships and operational conditions, quotes/tenders. 
  • Research: 
    Commissioned work, patents, collaboration, statistics, transferral. 

Sensitive Personal Data 

  • Sensitive personal data, such as concerns race or ethnicity, political conviction, religious or philosophical beliefs, trade union membership status, health or sex life. 
  • Information about health can be, for example, sick leave, pregnancy and doctor appointments. 

Violations of the Law 

  • Personal data about violations of the law that concern crimes, criminal convictions and administrative deprivation of liberty.   

Extra Protected Personal Data 

Extra protected personal data is also sometimes called sensitive personal data. This includes the following: 

  • information about violations of the law
    • crimes, criminal convictions, imposed restrictions due to criminal prosecution or administrative deprivation of liberty. 
  • such data as concerns performance reviews, results from personal tests or personality profiles.
  • information that is about an individual’s personal sphere.
  • information about social relationships. 
  • a person’s personnummer is also considered to require extra protection.  

 Work documents that do not contain protected or classified information can be stored in the cloud. This way, they are more readily accessible.  

Documents that contain internal harmless personal data (the work-related personal data about an employee – for example, name, email address, telephone number, position, but not personnummer) – can be managed in the cloud. However, in the case of long lists, registers or similar, these should first and foremost be managed in a university system. 

Destruction of Redundant Documents, Cleaning Out and Archiving 

Destruction is when official documents are destroyed; this must be done according to the university rules on this. Destruction may only be carried out in consultation with the archive function at the university. 

Cleaning out is when you remove documents that are not official. This may be, for example, notes that were taken during the processing of a matter but that do not add any substance to the matter and that are not deemed to have any lasting value after the matter has been finalised.  

Archiving is when information is preserved in a structured manner over a period of time. Teams is not an archive, and Microsoft 365 is not a system to preserve documents. Material in Teams is to be viewed as living and current. For information to be preserved, it must be transferred to one of the university’s systems or to the archive. 

Filing (Diariet) 

Official documents must be registered in accordance with Chapter 5 of the Public Access to Information and Secrecy Act (Offentlighets- och sekretesslagen). The purpose of filing in the diariet is to keep university documents in order: we must be able to locate documents when we need them. This makes it easier for us to meet the demands placed on us as a public authority.  

Related documents

Informationshantering i Office365.pdf (du.se)

Policy document Högskolan Dalarna storage of information: Regler för lagring av Högskolan Dalarnas digitala information - 2019-11-18 (du.se) (in Swedish)

Questions

If you have any questions about this subject, please contact support@du.se

This article helped me!