How to collaborate securely
Collaboration is essential to creativity and innovation in the workplace. There are several ways staff can collaborate securely using UQ-provisioned Microsoft 365 tools. The following guidance contains tips which can be used for both internal and external collaboration.
Use UQ-approved collaboration tools
Cloud-based platforms support collaboration, allowing team members to share and work on documents in real time. Cloud storage enables improved mobility and accessibility and reduces cybersecurity risks (e.g. broken hard drives and lost devices).
Some supported collaboration tools at UQ include:
- Teams (file storage and sharing delivered by SharePoint)
Research staff also have access to Research Data Manager (RDM) and Digital Research Notebooks for collaboration (although this page predominantly focuses on M365 tools).
Learn more about the difference between SharePoint and OneDrive.
Unsupported collaboration tools do not meet UQ's security and privacy requirements and may not provide file backup or recovery after deletion. Some examples include:
- Non-encrypted USBs and hard drives
- Personal cloud storage (e.g. Google Drive, Dropbox)
Important: Storing personal information in unsupported cloud storage poses a potential risk of breaching the Information Privacy Act as data may be stored outside of Australia. Learn more about where to store your files and information and using Microsoft 365 tools at UQ.
Manage access to files and collaboration spaces
When using Teams for collaboration, appoint at least two administrators (i.e. Team owners) who should set and review access periodically, including:
- restricting or granting access to files and folders as appropriate,
- removing staff/team member access when they leave the team or project, and
- removing duplicate files.
Staff are responsible for managing access to files in their staff OneDrive account.
M365 access controls on shared content
In Teams, SharePoint and OneDrive, you can control who can see content by sharing files and folders via links to collaborators. You can also control whether recipients can edit, review or view the file. 'View only' access will restrict collaborators from downloading files.
Learn more about sharing documents in Microsoft 365.
Configure Teams permissions
Team and channel members and owners can restrict access to files and collaboration spaces, which lets you control who can see and share your content.
If required, control who can share content by configuring Teams and its channels so that only site owners can share files:
- Open the Teams channel in SharePoint (i.e. in the web browser).
- Open settings (cog icon) and select ‘Site permissions’.
- Select ‘Change how members can share’.
Staff can also set up a private Teams channel which will allow them to manage who has access to the channel, restricting access to files and content within the Team and private chat. Learn how to create a private Teams channel on Microsoft.
Review access periodically
Staff should review access to files and collaboration spaces (including file sharing links) periodically, at a frequency based on the security classification of the information (see the "Classify and label files" section below for more):
Information security classification | Access review frequency |
---|---|
PUBLIC & OFFICIAL | Review read and write access annually. |
SENSITIVE | Review read and write access every 6 months. |
PROTECTED | Review read and write access every 3 months. |
Classify and label files
Sensitivity labels are information security classifications we can utilise to protect the confidentiality of M365 files and documents. There are five sensitivity labels in use at UQ: UNOFFICIAL, PUBLIC, OFFICIAL, SENSITIVE and PROTECTED. The OFFICIAL label is applied by default and identifies the information as unlikely to cause harm to UQ, another organisation or individual if subject to a data breach.
The SENSITIVE and PROTECTED labels automatically apply security controls to protect the information further (e.g. encryption, restrictions on access).
Staff should apply sensitivity labels to files and documents and review them periodically, as per UQ's Data Handling procedure. In collaboration spaces, the space administrators (e.g. Team owners) should ensure this occurs.
Information security classification | Review frequency |
---|---|
PUBLIC and OFFICIAL | Review as information or requirements change, or at least every 36 months. |
SENSITIVE | Review as information or requirements change, or at least every 24 months. |
PROTECTED | Review as information or requirements change, or at least every 12 months. |
Secure SENSITIVE and PROTECTED information
Extra care must be taken when handling information classified as SENSITIVE or PROTECTED. Access to this information should be authorised based on strict academic, research or business need. Examples include:
- SENSITIVE: staff HR information, student personal information, exam results, unpublished research data, financial data.
- PROTECTED: medical data, children's personal information, commercially significant research, national security information.
To collaborate securely:
- Restrict access using sensitivity labels and collaboration space access controls.
- Set up a private Teams channel and add specific team members. Learn how on Microsoft.
- Control who can access, download or share content. See manage access to files and collaboration spaces above for more details.
- PROTECTED files: Do not use web-based file shares which synchronise files to local storage (e.g. OneDrive).
Important: Only share data (internally or externally) when required for a legitimate and defined University purpose or requirement – this will minimise the disclosure of personal information and SENSITIVE or PROTECTED information. Refer to the Data Handling Procedure for additional guidance.
Review M365 sharing links
Keep in mind that links do not expire even if access to the overarching folder or collaboration space is removed. This means file and folder sharing links must be reviewed periodically based on the security classification, and there are a few ways to do this depending on where the file is stored.
Microsoft Teams
To review shared files and folders, follow the steps below:
- Right-click on the file or folder icon in Teams and choose “Manage access”. This shows all the sharing links you have issued and their recipients.
- You can delete the links to revoke access to the files.
OneDrive
Opening OneDrive in the web browser view will show what files and folders have been shared or kept private.
Reviewing files
- In OneDrive on the web browser, click on "Shared" on the left-hand menu.
- From there you can view the files shared "With you" and "By you", by file type.
Reviewing folders
- In the web browser, click on "My files" on the left-hand menu. From the "Sharing" column you can view which folders are shared or private.
- Right-click on the folder and select "Manage access" to edit permissions.
Sharing report
A OneDrive sharing report can also be generated to provide a detailed list of files and folders currently being shared with others.
Learn more about how to manage file sharing in Microsoft 365 on the Systems Training Hub.
Collaborating with third parties
If you need to collaborate with third parties, before sharing any information you must consider:
- Privacy: personal information held by UQ can only be shared outside of UQ in accordance with the Privacy Management Policy. Depending on the activity, you may be required to conduct a Privacy Impact Assessment to manage the risks effectively. Contact the Right to Information and Privacy Office for advice and information.
- Data sharing agreement: sharing UQ corporate information with a third party may require a data sharing agreement to ensure the information is approved for sharing and remains secure. Learn more about data sharing agreements and contact Data Strategy and Governance for more information. Staff should also consider any other agreements and contracts that apply.
- Access control: effectively restrict and maintain access using the tips above, such as sensitivity labels, restrictions on editing/downloading, and the creation of private channels. Note that UQ staff are unable to generate open sharing links using M365 tools (i.e. anyone with the link can access) due to the associated cyber security and privacy risks.
- Research: consult your Research Partnerships Manager for guidance on facilitating relationships between UQ researchers and external partners. Learn more about working with collaborators in the research space (both internal and external).
Report suspected breaches
Report actual or suspected data loss or cyber security breaches (including lost or stolen devices) as soon as possible via UQ’s cyber security website or by contacting IT support.