
The Office 365 (O365) UHN Privacy and Information Security Best Practices provide guidelines to ensure that the suite of O365 services, such as Outlook and Skype for Business, is used in a manner that protects personal health information (PHI) and other sensitive information owned or observed by UHN.


Always:
  • Comply with all UHN policies when using O365 on or off UHN premises. This includes UHN's Email Policy and the Privacy Policy.
  • Log out of Office 365 and close the browser (e.g., Google Chrome, Internet Explorer, Firefox, etc.) to complete the sign-out process when accessing Office 365 from a shared UHN device, or any non-UHN device.
Remember:
  • UHN may monitor, log, and audit access to any aspects of UHN's O365 environment to ensure compliance with its policies.
  • You should clear your browser's temporary files when accessing your email from a non-UHN device.
    For instructions on clearing your browser's temporary folders, please review this online tutorial.
Never:
  • Allow another person to use your credentials (e.g., your ID and password).
  • Save your password on any public or shared device (e.g., by selecting "Keep me signed in" or saving the password in the browser).
Remember:
  • Be aware of "shoulder surfing" (people looking over your shoulder), as this could lead to a breach of PHI or other sensitive information.
Avoid:
  • Accessing the O365 Dashboard from a publicly shared device (e.g., hotel or library computer) or public Wi-Fi network (e.g., Starbucks, mall, or hotel Wi-Fi).
  • If it is necessary for you to do so, change your login password the next time you log into a UHN device on a private network, such as your personal Wi-Fi or on the UHN network.
  • To learn more about resetting your password, please visit our Email Resources page.
Never:
  • Leave a device remotely connected to any O365 applications unattended in a public place, or in any private area in which unauthorized individuals could access the device.
OneDrive for Business should be used in a manner that ensures your privacy and protection of your UHN work files. Please note the following guidelines when uploading and sharing files through OneDrive.
  • Remember, you can upload PHI and corporate confidential information (CCI) to OneDrive. If you do use OneDrive to store PHI and CCI, remember to use the "Confidential - Do Not Sync" folder.
  • You can sync OneDrive files directly on your computer using the OneDrive Sync App. This means a copy of the file will be available on your computer and accessible without logging into the O365 Portal. However, you cannot sync PHI or corporate confidential information (CCI) to a non-UHN computer.
  • If you use the OneDrive Sync App, remember to selectively sync your folders to your computer. This will conserve disk space and optimize your computer's performance.
  • If you install the OneDrive Sync App on your personal computer, please ensure your computer is password protected.
  • After moving your files to OneDrive, delete the duplicate files to optimize storage space.
  • Only share files with individuals or teams that are authorized to access the files.
  • Avoid accessing the O365 Dashboard from a publicly shared device (e.g., hotel or library computer) or public Wi-Fi network.
  • Never leave your device unattended in a public place while connected to any apps from the O365 Dashboard.
  • Ensure your use of OneDrive complies with UHN Privacy and Security requirements.
SharePoint Online should be used in a manner that ensures the protection of personal information (PI), personal health information (PHI) and other sensitive information owned or observed by UHN.

You and your entire team should be following the below best practices and guidelines while saving and sharing files through SharePoint Online:
  • Do not store personal information, such as login and password credentials, on a SharePoint Online site.
  • Share files only with those who are authorized to access or edit the file.
  • Comply with UHN policies when using all O365 applications, such as SharePoint Online. Compliance for all UHN staff members is required whether on, or off, UHN premises.
  • For data protection, avoid accessing the O365 Dashboard from a publicly shared device (e.g., hotel or library computer) or public Wi-Fi network (e.g., Starbucks, mall, or hotel Wi-Fi).
  • Never leave a device remotely connected to any O365 applications/tools unattended in a public place, or in any private area in which unauthorized individuals could access the device.
Remember:
  • When interacting with a non-UHN User, the UHN User should initiate the contact. Schedule and initiate the call using Outlook, where the Skype web link was sent, rather than making impromptu calls with Skype.
  • Inform all participants if the call is being recorded, even if Skype displays a message that the call is being recorded.
  • If another user is recording the call and should not be, request and confirm that the recording functionality is turned off. If you are unsure in any way, you may disconnect the call.
  • Add non-UHN contacts to your External Contacts list to reduce the information they can see about you.
    To learn how to do this, follow this link: Adding an External Contact in Skype for Business.
Never:
  • Use Skype for conversations with patients or for discussing PHI unless you have received approval from the Enterprise Privacy Office. This includes using Skype to talk, share your screen or instant message.
    NOTE: If approved to use Skype for discussing PHI, be sure to follow existing clinical documentation procedures to note clinically relevant conversations in EPR.
Always:
  • Delete emails when no longer needed.
  • If necessary, only send emails containing PHI to addresses found in the Global Address List (GAL).
  • Follow the UHN Email Usage Policy (1.40.014).
Never:
  • Provide your password or Multi-Factor Authentication codes to others.
  • Use your Outlook mailbox as a way to store information containing PHI.
  • Open or download files or attachments that you reasonably believe to contain PHI or other sensitive information onto an unencrypted device, public device, or shared non-UHN device.
    NOTE: In some browsers, opening an attachment will cause it to automatically download.
  • Save emails or attachments containing PHI to your hard drive, even if it is encrypted.
As part of Office 365 (O365), you now have the ability to add a profile picture to your email and Skype for Business accounts. While this is not mandatory, we do encourage staff to upload photos, as it can be useful to see who you are collaborating with.
When selecting a photo, please be mindful that this is a professional, workplace environment, and profile pictures should reflect that.

See below for guidelines to keep in mind when uploading your profile picture:

  • Use a recent photo from the past 2-3 years.
  • Headshots only, looking straight into the camera, similar to a passport photo.
  • Photos must be in colour, in focus and of good quality.
  • No props (e.g., no hats, sunglasses, etc.).
  • Ensure that backgrounds are uncluttered and that no one else is in the photo (i.e., do not include other people or animals).
  • Patients and patient-related material cannot appear anywhere in the photo. If your photo is taken on UHN premises, please check for patient-related material in the background, on computer screens, and on lab materials such as scans or test tubes.


Examples of privacy breaches and security incidents include:
  • Unauthorized access or disclosure of PHI or other sensitive information through O365 applications.
  • Attempts (either failed or successful) to gain unauthorized access to a UHN account through O365 applications.
  • Virus or malware infection on a mobile or computing device used to access O365 applications.
  • Compromised credentials (i.e., another individual knows your password).
Always:
  • Immediately report suspected or confirmed privacy breaches or security incidents to your manager/supervisor, or using the Incident eForm.
  • Keep your Multi-Factor Authentication codes to yourself when verifying using the text message or mobile app option.
  • Provide your full cooperation with any privacy or information security incident investigation.
  • Ask the Privacy or Security Office if you’re not sure!