As with other Higher and Further education establishments, Loughborough University have signed up to the Jisc Collections and Janet Ltd framework which has exclusive amendments and due diligence on around 100 pages of contractual documents for Microsoft Office 365. This provides reassurance in relation to: security; resilience; legal and data compliance; and functionality.
Loughborough University staff email will be stored in the Microsoft cloud, which is located within the European Economic Area (EEA); currently within datacentres located in Dublin and Amsterdam with access from on campus being provided directly from the Janet and GEANT network backbone.
Microsoft have provided assurance that primary and backup storage should be located within the EU and will advise Loughborough University if data needs to be moved outside of the EU. A Safe Harbour and EU Data Protection equivalency agreement for the processing of data within the Microsoft cloud are included in the agreement.
The storage of email in the Microsoft cloud, also includes calendars, person contact lists, task lists and Exchange notes. Desktop, Laptop, Tablet and Mobile devices will continue to retain local 'cached' copies of some elements of this data; therefore the same care should be afforded to these devices as is now.
As staff members, you will be able to continue to make the decision if confidential information should be encrypted before being sent by email. IT Services already provide advice on encryption and have worked with numerous research projects, academic schools and professional service departments to advise on best practice. It is important to remember that internal to internal emails within the University will now be stored in the Microsoft cloud and not on servers within the University. This includes a document scanned to email on a University MFD (Multi Function Device).
Loughborough University emails will be stored on Microsoft servers in an encrypted form. Access is therefore restricted to the customer, to Microsoft and to those whom Microsoft must disclose data to, such as law enforcement agencies.
Currently law enforcement agencies, such as the Police, may approach the University to request data from the email system; this will remain the same and Microsoft may also receive these requests for data instead of or in addition to the University. Microsoft do state that they will attempt to direct all lawful request for data from law enforcement agencies to the customer, or failing that to inform the customer that such requests have been made.
Data which could be provided subject to a valid request may include: email contents, sender and receiptant details, time based information or access information including IP addresses.
Microsoft should not be using any metadata gathered through the provision of the Office 365 email service for advertising, marketing or any other purpose than providing the email service. This is defined in the contract agreements.
The University currently provides IT Services in the spirit of the ISO 27000 series standards, Microsoft states:
"We have established and agree to maintain a data security policy that complies with the ISO/IEC 27000 series of standards, the ISO/IEC 27002 code of best practices for information security management, and ISO 27001 standards for the establishment, implementation, control, and improvement of the Information Security Management System ("Microsoft Online Information Security Policy")."
Further details are available on the Office 365 for Staff Email webpages located here.
If you have any questions, concerns or comments, please do not hesitate to get in touch with IT Services via telephone on 01509 222 333 or via email firstname.lastname@example.org.
 GEANT is the international education and research network