The NHSmail service gives access to a range of additional Microsoft applications, including Microsoft Teams for collaboration and SharePoint and OneDrive for file repositories, alongside fully integrated security and access controls.
Local Administrators (LAs) must ensure that they understand the privacy options, and that anyone they assign team ownership to understands them as well. You must also be aware of the consequences of changing the settings and the risks involved.
As a reminder:
- The Public setting allows anyone on NHSmail to join the team, and any content loaded into that team, for example any files or documents, will be searchable and viewable in SharePoint by anyone on the NHSmail platform. This is not restricted to your organisation.
- The Private setting means that only team owners can add members to the team, and the content can only be viewed by those who have access to the team.
Checking settings and your responsibility
Teams are created by Local Administrators with a default permission of private. This means only the owners, members and guests given permission to use that Team can access it. Both the Local Administrator (LA) and the owner of a Team can change the privacy setting from private to public. Doing so gives access to all 1.6 million NHSmail users, including the ability to view and edit any files placed in that Team.
To check that your Team is set to private, go to the team name within Teams and select More options > Edit team, toward the bottom of the menu.
Under Privacy, ensure it is set to Private, unless you have a reason for anyone in NHSmail to have full access to it. The Private setting should always be applied if you are working on documents containing personal data of patients, staff, or others.
Contact your data protection team if you are in any doubt about what you can publicly share. A reason for public access would never be appropriate if personal data of patients, staff or others is, or may be, made available. In such cases the “Private” setting should always be applied.
Other Microsoft 365 Components
Some other Microsoft components also have a ‘Public’ setting. When set to public, the content is shared with all 1.6 million NHSmail users, who can then view and edit it. It is very unlikely that you will ever want to share anything as ‘Public’. You should never allow personal data of patients, staff, or others to be made available through the “Public” setting. If there is any potential risk, you should not share anything as “Public”.
If in doubt, do not add any additional permissions and speak to your data protection team for guidance.