Policy on the Use of Collaboration Tools
This document is the web-based version of the Policy on the Use of Collaboration Tools Provided by the EUI ICT Service, such as Microsoft Teams and Microsoft SharePoint.
- This document aims to implement the policy for governance requirements of existing and new collaboration tools such as Microsoft Teams and SharePoint part of the Microsoft Cloud services, which the EUI makes available to its staff members and academic community.
- Modern collaboration tools provide an integrated platform to share posts, documents, photos, videos and video conferencing for peers or groups consisting of both EUI members and externals upon invitation.
- The Requestor of access to Teams and/or SharePoint site – as well as to other collaboration tools made available by the EUI – has to be an EUI member such as Academic and Administrative staff, PhD and LLM Researchers, Research assistants, Research fellows, and Post docs. The Requestor shall belong to a Service or Academic Unit, through which the request of access should be made.
- The Data Controller (or the Delegated Data controller) of the Service or Academic Unit to which the Requestor belongs is the one that can authorise the access requested.
- In case of Professors, Researchers, Research assistants, Post docs requesting access to use the collaboration tools in the scope of a research project, although the access should be authorised by the Data Controller - DC (or the Delegated Data controller - DDC) of the Service or Academic Unit to which the Requestor belongs, the Data Controller for the purposes of ensuring compliance with the EUI Data Protection Policy (President Decision nº 10/2019) will be the Principal Investigator of the project concerned (See EUI Guide on Good Data Protection Practice in Research), who should also be the Requestor of access to the respective collaboration tools.
- According to the EUI Data Protection Policy (art. 21 (2)(c)), Data Controllers should “keep a record of processing activities under their responsibility”, that also implies an obligation for Data Controllers to submit a Notification form and a privacy statement regarding all data processing activities under their responsibility which involve personal data to the Office of the EUI Data Protection Officer for inclusion in the Data Protection Registry. Such obligation, however, only applies to Data Controllers who are heads of Services or Academic Units and not to Principal Investigators, which are bound by the EUI Code of Ethics in Academic Research and can submit their projects to the Ethics Committee for an assessment of the ethical dimensions, which also includes an assessment of the data processing activities envisioned in the projects carried out by the EUI Data Protection Officer.
- Once the authorisation of access is sent to the Data Controller of ICT Service (Director of ICT Service) or to the respective Delegated Data Controller (DSO), he/she authorises the creation of Teams or SharePoint sites – as well as of other collaboration tools available – and grants access to the Requestor. With his/her authorisation, IT technical staff creates, supports and assigns the Team owner role to the Requestor.
- The Requestor is responsible for coordinating and managing the access to the assigned Teams and/or SharePoint sites – as well as to other collaboration tools. This includes inviting/removing members, granting and removing access rights, customising the presentation of the sites. The type of data and the processing of data are performed under the responsibility of the respective Requestor as well as of the DC/DDC of the respective Service or Academic Unit to which the Requestor belongs, the only exception being Requestors who are Principal Investigators (e.g. Professors, Jean Monnet Fellows, Max Weber Fellows) of research projects carried out under an EUI affiliation and have requested access to the collaboration tools in the framework of their research projects as explained in item 5 above.
- Security, compliance, and privacy in Office 365 have two equally important dimensions. The first dimension includes Microsoft-managed service-level capabilities that include security defence-in-depth technologies, operational procedures, and policies that are enabled by default. The second dimension includes EUI-managed controls that allow us the flexibility to customise our Office 365 environment based on the specific needs of EUI, while still maintaining security and compliance.
- Advanced Threat Protection provides protection against unknown malware and viruses; real-time, time-of-click protection against malicious URLs is also considered. Secure authentication requires the use of multi-factor authentication (MFA). The traceability of actions (who has done what) is ensured by automated logging of all activities performed within the site with 90 days of data retention. The conversations in the Chat are not deleted by enforced EUI policy.
- Teams or SharePoint sites may be deleted at the end of work-related activities or research project. The request of deletion is submitted by the Teams owner (initial requestor) upon written authorisation of Data Controller/Delegated data controller of Service or Academic Unit to which he or she belongs, unless the Requestor is a Principal Investigator and acts as Data Controller of the data protection activities carried out within his/her project.
The EUI ICT Service does not retain any backup copy of data stored in these collaboration tools.
The Requestor submits the request to Teams or SharePoint sites – or to other collaboration tools available at the EUI - to the DC/DDC of Service or Academic Unit to which he/she belongs, providing the following information:
- Requestor details including Name, Surname, Email address, Service or Academic Unit
- Subject of the request: Microsoft Teams or SharePoint Sites (or other collaboration tools if applicable)
- Purpose of request such as Research project, File sharing, Administrative project, working group.
- Declare the potential members to grant access: “EUI members” or “EUI and not EUI members”
- Type of data intended to be shared via the collaborative tool (e.g. non personal data, personal data, sensitive data, health data).
Depending on the type of data, the EUI Data Protection Policy may apply and the DC could be required to submit a Notification Form and a Privacy Statement for the envisioned data processing activity (See item 6 above). The DC is responsible for ensuring compliance with the EUI Data Protection Policy (President Decision nº 10/2019) as well as with other EUI Regulations and Policies, including the EUI ICT Policy on Acceptable Use Policy (AUP).
The approval workflow is designed to comply with the EUI Data Protection Policy, and to ensure accountability, confidentiality, integrity and availability of data as well as to enforce access controls.
- The Requestor needs the approval of the Data Controller and/or Delegated Data controller of Service or Academic Unit to which he/she belongs, who should ensure compliance with the EUI Data Protection Policy when applicable;
- The Ethics Committee should be consulted in case of Research Projects that deal with the processing of sensitive data (not compulsory);
- The DC/DDC of ICT Service provides authorisation to proceed with technical deployment;
- The Requestor is granted access and DC/DDC of Service or Academic Unit is informed.
Creating a Microsoft Teams or SharePoint Site and assigning ownership
The Requestor opens a ticket to the EUI Helpdesk asking for the creation of a new Teams or SharePoint site, attaching the respective DC/DDC authorisation. Once the Teams/SharePoint site is created, the Requestor will be able to invite new members, both EUI and not EUI, to join, and will have the possibility to assign to each of them different access rights, which should be communicated to the respective DC/DDC, unless the Requestor is acting as DC in his/her quality of Principal Investigator (see Responsibilities - item 5).
Assignment/change of a Teams Owner
The Requestor with the approval of the DC/DDC may decide to declare one or more Teams Owners.
In the case the Requestors are Principal Investigators, the additional Teams Owners will be acting as their processors (see article 2(1)(e) of the EUI Data Protection Policy).
Authentication is compulsory for all members in order to get access to the collaboration tool; the access to data is granted using valid credentials; EUI members use their own personal EUI email address; externals (not EUI members) must have an Office 365 work or school account or they need to create a new one (for free). Multi-factor authentication is required to ensure a secure authentication for all members.
The data are held solely in the Microsoft Cloud. The data retention policy is the same applied for all Microsoft cloud services where data are held and is available in the Microsoft Privacy Statement. Deleted items are retained for 93 days from the time of deletion. The member may restore his or her own deleted files within the data retention limit.
The ICT Service does not hold a backup copy of data within EUI storage/backup facilities. Special needs have to be communicated and authorised.
Invite new member(s) – for EUI Members
The Teams owner sends an invitation to new member(s). A new member is required to have an EUI Microsoft account to join.
Invite new Guest(s) – for non‐EUI Members
In the case of external users (non-EUI members), a new member is required to have a work or student Microsoft account to join or to create a new one upon registration (for free).
The Teams owner should consider requesting the new member to sign a Declaration of Confidentiality (see the text in Appendix 2).
The Teams owner decides to grant access rights to folder(s) (SharePoint sites) and channel(s) (Teams site).
The Teams owner is able to remove a member's access to the whole site or to folder(s) and/or channel(s).
Every year and upon request, the EUI Data Security Officer (EUI DSO) may conduct an annual review of compliance requirements and may perform account certification revising membership of the Teams/SharePoint Sites. The result of account certification is provided to DC/DDC of Service or Academic Unit to which the Requestor belongs as well as to the Requestor himself/herself.
Data breach communication
The EUI Data Protection Policy requires Data Controllers to “notify any personal data breach to the EUI’s Data Protection Officer, no later than 72 hours after having become aware of it” (article 13(1)). In the case of data breach, the Requestor (Teams Owner) shall inform immediately the DC/DDC concerned who should promptly report to the EUI DSO, so that he/she can conduct a proper incident analysis and ensure the EUI DPO is notified within 72 hours.
De‐provisioning of a Teams or a SharePoint site
The Requestor (Teams Owner) with the approval of the DC/DDC or the DC/DDC himself/herself may request deletion of a Teams/SharePoint Site by opening a ticket via the EUI Helpdesk attaching the requested authorisation (not applicable to requests submitted by DC/DDC). The EUI DSO has to be informed in case a transfer or export of data is envisioned before the deletion.
The activities performed on Teams and SharePoint on documents/folders by Teams owner(s) are registered with two distinct logs:
- The Audit log activity traces the activities performed on folder(s) and document(s) (i.e. create/modify/delete). The data retention is 90 days.
- The Log of activities performed by Teams owner(s), e.g. sending invitations, granting access rights, creating channel(s)/folder(s) and removing access. In that case the log is deleted when the Teams/SharePoint site is deleted.
The logs may only be accessed, following the necessary safeguards and in accordance with the EUI Data Protection Policy, for the following purposes:
Operational activities and troubleshooting
Security incident analysis
In the case of security incidents, logs may be accessed to determine the number of users impacted and the severity of the attack, and to put in place remediation actions. The analysis is conducted according to Article 9 paragraph 3 and Article 5 (2) of the EUI DP Policy - “personal data collected exclusively for ensuring the security or the control of the processing systems or operations are not used for any other purpose, with the exception of the prevention, investigation, detection and prosecution of serious criminal offences.” Access to logs is automatically recorded by Microsoft Azure services in Audit logs, and recorded in the EUI ticketing system as part of the Security incident documentation. Among others, the security incident analysis must be conducted to promptly inform Data Controller and DPO in compliance with Article 13 “Notification of personal data breach” and Article 14 “Communication of a personal data breach to the data subject” of the EUI DP Policy.
Administrative inquiry or disciplinary action by the EUI
The identification of a user connected to a log entry may be done in compliance with Article 9 paragraph 2 of the EUI DP Policy, “Processing of data logs, e-mails and data traffic data”, requiring the prior authorisation of the Secretary General after consulting DPO and (if deemed necessary) the Data Protection Committee.
Requests for the creation of a Microsoft Teams or SharePoint Site should be filed via EUI Helpdesk ticket, taking care to attach the below Request Form for the Creation of a Teams or SharePoint Site, duly filled, signed and dated.
The text contained in the below Word document may be copied onto the sponsoring Unit/Project's letterhead, printed and signed by all non-EUI members who have been granted access to any collaboration tool (Microsoft Teams or SharePoint Site) provided by the EUI ICT Service.
The declaration does NOT need to be sent to the ICT Service with the request for the creation of the collaboration tool but needs to be kept by the relevant Unit's Data Controller or Delegated Data Controller for future reference.
Page last updated on 04 March 2020