Public vs. Private reminder when using Microsoft 365
Dear Primary / Local Administrator,
The NHSmail service includes access to an additional range of Microsoft applications known as Microsoft 365/N365 or previously Office 365. Microsoft 365/N365 provides you with access to many capabilities, including but not limited to Microsoft Teams for collaboration and SharePoint/OneDrive for file repositories.
Checking settings and your responsibility
It is important that you are aware of the privacy settings in the apps and how to use them to avoid any risk to the privacy of your documents. Default settings should always be private.
If you choose to change the settings and use the ‘allow everyone in your company’ setting you will publicly share content with all 1.5 million NHSmail users. There may be situations where that level of sharing is completely appropriate, however incorrectly specifying this may breach data protection, safety, and security protocols if you do.
We have included below some screen shots so you can see what the options look like as they may vary slightly between products.
Microsoft Teams
Microsoft Teams are initially created with a default permission of private. This means only the owners, members and guests given permission to use that Teams site can access it.
Creating a Microsoft Teams will automatically provision/create a SharePoint site and the privacy settings you have set will be reflected. This means if your Team is set to private, the SharePoint site will only allow access to those members added to the Team.
Both the Local Administrator (LA) and owner of a Team can change the privacy setting from private to public which gives access to all 1.5 million NHSmail users which includes the ability to view/edit any files placed in that Team.
To check your Team is set to private within Teams:
- Go to the Team name and select More options > Edit team toward the bottom of the menu
- Under Privacy, ensure it is set to private unless you have a reason for anyone in NHSmail to have full access to it
- Private setting should always be applied if you are working on documents containing personal data of patients, staff, or others
If in any doubt, do not add any additional permissions and speak to your data protection team about what you can publicly share.
For further information please read the guidance on Private vs. Public for Microsoft Teams on the NHSmail support pages.
Other Microsoft 365 Components
Some other Microsoft components also have a public setting. When set to public this will share to all 1.5 million NHSmail users who can then view and edit the content. It is highly unlikely that you will ever want to share anything as public. You should never allow personal data of patients, staff, or others to be made available through using the public setting. If there is any risk, you should not share any data as public.
Please note Stream is currently disabled. Teams’ meetings can be recorded but will not be uploaded to Stream at this time. For further information please visit Recording Teams Meetings guidance.
If in doubt, do not add any additional permissions and speak to your data protection team for further guidance.
What you need to do?
Please ensure that you understand the settings you are using and if you are an LA, ensure all your colleagues understand how to use the settings too. You must be aware of the consequences of changing the settings and risks involved in doing this.
There are ongoing discussions with Microsoft to restrict the ability to share NHSmail wide and provide a new setting of ‘My organisation permission’ that will allow sharing solely with the local organisation.
Further advice and guidance can be found on the NHSmail support pages.
Best wishes,
NHSmail Team
| Last Reviewed Date | 23/04/2021 |
