This article outlines the O365 privacy monitoring and alerting service across the nhs.net tenant. The functionality aims to support organisations, Microsoft component owners and Local Administrators (LAs) with the necessary tooling for the proactive management of content permissions. The automated service scans the following native O365 applications for changes in privacy settings:
- SharePoint Online
- Teams Sites
- Stream
There are two areas of functionality to be aware of as part of the privacy monitoring service. Alert Notifications and Reporting.
Any Microsoft component configured as Public means the content is available to all NHS organisations using the NHSmail tenant.
It is rare that content should be set to public. There may be situations where that level of sharing is completely appropriate, however, incorrectly specifying this may breach data protection, safety, and security protocols. Owners should never allow personal data of patients, staff, or others to be made available through using the public setting.
If there is any risk, you should not share any data as public.
Alert notifications
An emailed alert notification is triggered should the tooling identify one or more settings being updated away from the default Private configuration to Public. The alert will be sent to the site/team owner(s) as well as all Local Administrators/Primary Local Administrators assigned to the owner’s organisation (Teams example below).
Content owners are responsible for locally assessing the appropriateness of the configuration change AND taking the necessary action to ensure the correct privacy setting has been applied.
The alert notification is for awareness only. The NHSmail Team will not overwrite privacy settings configured by Users , Primary Local Administrators or Local Administrators.
Alerts are triggered once, following a change from the default setting of private to public. Changing site/team settings from public to private will not generate an alert as this is the default setting for the NHSmail tenant.
For application specific guidance on how to set and update privacy settings across Teams and SharePoint please visit the ‘Private Vs public settings in O365 guidance’.
Reporting
Local Administrators can access a full list of all private/publicly configured sites across the organisations to which they have appropriate rights via the NHSmail Portal. Please follow the steps below to generate the report:
1. Sign into the NHSmail Portal with your nhs.net credentials
2. Navigate to Reports > Admin Reports
3. Select the specific organisation for which you require the information or select All my Organisations
4. Select the O365 Privacy Report from the Reports dropdown
5. Select Generate Report
6. Please open the report from your downloads, or via the notification bar at the bottom of your screen
The report will contain detailed information for all the publicly and privately configured Microsoft components identified across the selected organisation(s).
Where can I get support?
If you are experiencing any issues or errors when resetting the privacy configuration, please raise a ticket with the NHSmail Helpdesk.
| Last Reviewed Date | 08/09/2021 |
