The NHSmail service gives access to a range of additional Microsoft applications which include Microsoft Teams for collaboration, SharePoint and OneDrive for file repositories alongside fully integrated security and access controls.
Local Administrators (LAs) must ensure they understand the options and ensure those that they are assigning team ownership to also understand them. You must also be aware of the consequences of changing the settings and the risks involved.
As a reminder:
- The Public setting allows anyone on the NHSmail tenant to view any content within the selected team/site. Any files / documents, will be searchable and viewable across the NHSmail platform – this is not just restricted to your organisation
- The Private setting means only the team/site owners can control access and add members to view and interact with the content as appropriate. A private setting limits content accessibility
To support content owners with protecting their data the NHSmail service offers Privacy monitoring and Reporting functionality across Teams and SharePoint Online. Please visit the O365 Privacy Monitoring article for more information about the tooling in place
Checking settings and your responsibility
This section of the article outlines how you can check privacy settings across Microsoft Teams, and SharePoint Online.
Content should always be set to private unless you have a reason for anyone in NHSmail to have full access to it. The private setting should always be applied if you are working on documents containing personal data of patients, staff, or others.
Contact your data protection team if you are in any doubt about O365 privacy settings. It would never be appropriate to publicly share such information as personal data of patients, staff or others.
Teams are created by Local Administrators (LAs) with a default permission of private. This means only the owners, members and guests given permission to use that Teams site can access it. Both the LA and owner of a Team can change the privacy setting from private to public which gives access to all NHSmail users which includes the ability to view/edit any files placed in that Team.
To check your Team is set to private within Teams go to the Team name and select More options > Edit team toward the bottom of the menu.
You can also set and amend the privacy setting of a Team via the NHSmail Portal. You must select your preferred privacy setting as part of the create process for new Teams or amend the privacy setting for an existing Team via the edit process. Please sign in using your NHSmail credentials and visit Admin > Teams to administer.
SharePoint site owners are in control of privacy settings for their content. To administer your site’s privacy settings please sign in to O365 using your NHSmail credentials and visit SharePoint Online. Navigate to the site for which a change is required.
Once within the site, please select site contents and then site settings as shown below:
Under Site settings, select the site permissions option:
Click on the grant permission option in the top left corner of the screen:
You can control access to the site using the options from the pop out window. To check your site has a private setting, only the owner’s credentials should appear within the shared with field.
To amend the site settings to public select invite people search everyone except external users and click share. This site is now shared with all users across the nhs.net tenant.
To revert to private, remove everyone except external users from the list below:
Some SharePoint site templates provide a more seamless experience to navigate to the sharing permission menu. If you see a Share option on your site homepage, selecting it will provide you immediate access to manage your content:
General Microsoft 365 Components Guidance
Other Microsoft components also have a public setting. When set to public this will share to all NHSmail users who can then view and edit the content. It is very unlikely that you will ever want to share anything as public. You should never allow personal data of patients, staff, or others to be made available through using the public setting. If there is any potential risk, you should not share anything as public.
If in doubt, do not add any additional permissions and speak to your data protection team for guidance. It would never be appropriate to publicly share such information as personal data of patients, staff or others.