Microsoft 365 Privacy Notice

Through the University’s campus agreement with Microsoft, employees have access to Microsoft 365 apps, such as Teams, OneDrive and SharePoint. Beginning November 2021, faculty and staff email will also be provided through Microsoft 365. Student email has been powered by Microsoft 365 for several years already.

Data processed by these apps are stored in Microsoft’s data centres in Canada and the US. This data processing has been reviewed to ensure compliance with the University’s privacy obligations. Microsoft uses robust security measures to protect UWinnipeg’s data from unauthorized access and complies with ISO/IEC Standards 27001 and 27018 for protecting personal data in the cloud.

Two types of data are processed by Microsoft 365: customer data and diagnostic data.

  • Customer data include all text, sound, video or image files processed through an app and often contain personal information. Almost all customer data are stored in Canada; see the link below for the latest residency information. However, data may flow outside of Canada when accessed by Microsoft personnel or contractors. Microsoft pledges not to use customer data other than to provide services to UWinnipeg. UWinnipeg determines how long these data are kept by Microsoft.
  • Diagnostic data are collected automatically and relate to how users engage with Microsoft 365. These data are not considered identifiable and are stored in the US. Microsoft uses diagnostic data for its purposes and determines how long these data are kept. UWinnipeg has taken measures to minimize the amount of diagnostic data collected by Microsoft.

General privacy risks associated with most cloud-based services include:

  • Unauthorized access, e.g., hacking,
  • Unauthorized processing,
  • Excessive retention,
  • Access from foreign government agencies, and
  • Unwanted commercial solicitation, i.e., spamming.

While the University has experienced no privacy issues with Microsoft's services, one option to mitigate these risks is to avoid using Microsoft 365 as a default means for storing files containing highly sensitive information, such as personal health information. Store highly sensitive information on the University’s network drives whenever possible. If stored in Microsoft 365, transfer the information to the University's network drives or delete the information whenever appropriate. Users may also encrypt or anonymize files containing personal information before uploading to Microsoft 365. Please note that the University is not able to assist you in decrypting your files should you lose access to your password or other key.

As Microsoft 365 can be used to provide non-UWinnipeg users with access to files, another important privacy measure is to periodically review access permissions on a need-to-know basis. Rights management can also be engaged at the file level. “Anyone” link sharing should be avoided.

Microsoft publishes additional information regarding Microsoft 365 data processing at: