Description
Microsoft Forms are approved for use with unrestricted or sensitive data as defined in The University of Alabama’s Information Classification Policy; however, the Form owner must also adhere to the guidelines referenced in this article. Please seek guidance from OIT Security before using Forms for restricted data.
Environment
Mac, PC, web browser, mobile app
Solution
Guidelines for using Microsoft Forms with sensitive data
- Forms used to collect sensitive data must be associated with a OneDrive group, not an individual account. This will prevent the storage of sensitive data within an individual Office 365 account, as well as prevent any data collected via the form from loss in the event an individual transfers roles or departs the institution.
- Forms must NOT be “Shared to Collaborate.”
- Results of Forms must only be shared with those who have a need to access such forms, thus adhering to the principle of least privilege.
Understanding the purpose of your data
Before using Forms, make sure you (and all your collaborators) understand the purpose of the data.
- Once you have defined the purpose of data collection, the data can only be used in a manner consistent with that purpose. All collaborators should be clear on where the data is to be stored and how it is to be used before any responses are collected.
Moving forms to Group ownership
By default, the Forms you create are tied to your personal account – sensitive data must never be stored in a personal OneDrive account and must be saved to the group’s or department’s SharePoint site in a secure folder. Move them to Group ownership using the steps listed on support.microsoft.com.
Understanding collaboration options
There is an option to Share a Form to Collaborate – but this will give all collaborators the ability to access response data. As such, the Share a Form to Collaborate option must not be used when collecting sensitive data.
When you click on the Share button in Forms, it gives you multiple pieces of information:
- Send and collect responses – This gives you a link that you can use to collect responses to your Form.
- Share as a template – This allows you to create a duplicate of your Form that you can save under a new name or share with someone else.
- Share to collaborate – This will give you a link you can share with other people who are working on the Form or the data it collects.
- Note: All collaborators have access to all response data. Therefore all individuals identified as collaborators must have a need to access the data to perform their job (principle of least privilege).
“Share to collaborate” links are not tied to individual accounts (they can be forwarded or shared).
The “Share to collaborate” link offers only two levels of privacy: sharing with everyone and sharing with people in your organization (all of OHIO, including students and guest accounts). The “Share to collaborate” link means that anyone you send this link to can forward that link to anyone else they think should have access, removing your ability to control who can see the data.
You can avoid this by making a group the owner of your Form (see above). When a group “owns” a Form, all group members can see and work on the Form and its data without needing to use the “Share to collaborate” link. You can even embed your Form or Form responses directly into SharePoint or Teams.
Include data purpose statement
Forms you create should always include a statement of why you are collecting the data and what you will do with it.
This is good practice anytime you are collecting data and is a best practice requirement if you are collecting personal data. A privacy statement should include the following information:
- The purpose for which the information is being collected
- How the information collected will be used
- The contact information of someone who can answer questions about privacy