Deloitte CE Rules of the Road for the Use of OneDrive for Business, MS Teams, SharePoint, other MS tools [1] and shared drives
To be able to handle Deloitte data properly while using OneDrive, MS Teams, SharePoint, other MS tools and data stored on shared drives, each data user (an individual who is authorised to access the data), data owner (an individual who is accountable for data governance and oversight of data administration) and data administrator (an individual having administrative and/or operational responsibility for the data) shall adhere to the rules outlined below.
While each of the collaboration tools has its own specifics related to access management settings, please note that access should always be handled only on a need-to-know basis.
In practice this means that the data owner (in cooperation with the data administrator where applicable) shall ensure the following:
- Access shall be restricted to those who have a need to know, and only the information that is needed shall be shared.
- Access shall be limited to that which is necessary, and the type of access/permissions shall be assigned appropriately (e.g. granting read-only access instead of the ability to edit where applicable).
- Access rights of users who no longer need access to the data or no longer actively participate in the project shall be removed. Access permissions should also be periodically reviewed.
- Verification that the correct recipients have been chosen for access rights distribution shall be performed (where more than one recipient with the same name appears in the directory).
Please pay special attention to access permissions when using OneDrive for external sharing of client confidential information. Also note that OneDrive is recommended rather for short-term sharing, such as a single file transfer or a one-time co-authoring event.
If accepted by a Business Risk Leader (BRL), OneDrive is approved for external sharing of High Risk Confidential data, subject to additional encryption of the document and the password being shared in a separate communication (e.g. phone call, instant message, e-mail).
Further details regarding collaboration tools for internal and external sharing can be found in Deloitte CE Tool Selection Guide.
The classification of data helps determine which baseline security measures are appropriate for safeguarding that data. Remember that each individual who prepares, changes or updates documents, presentations or other materials is responsible for appropriate labelling of the document.
As per Deloitte CE standards, Confidential data must be labelled when shared with authorised recipients outside of Deloitte; no labelling is required when the data is only used/shared internally. In contrast, Deloitte High Risk Confidential data must always be labelled.
Please do not forget to apply appropriate data classification and labelling when using OneDrive, MS Teams, SharePoint, other MS tools and shared drives, or when handling recorded meetings in Skype.
For further details about classes of data, including examples or rules for labelling, refer to policy 1603.11 Data Classification and Access or the Privacy & Confidentiality intranet pages.
Data retention and deletion
OneDrive, MS Teams, other MS tools and SharePoint libraries created temporarily for the purposes of a particular project are not designed to be used as long-term storage solutions for documents. Thus, once the business need ceases to exist/apply or once the project has been closed, the data shall no longer be retained there. Please note that the same rules shall also apply to data and documents shared by e-mail (no e-mails should sit in a mailbox longer than necessary), reports generated in Power BI (if you choose to store data directly in the application) or shared drives, unless stated otherwise in your respective Business policy (Level 3 policy).
In accordance with policy 1608.01 Data Retention - Regional and the instructions of your respective Business policies (Level 3 policies), all documents that need to be stored in order to fulfil legal requirements for conducting business operations must be moved to a CE approved document management system dedicated to each Business (specified in Level 3 policies). All other data that is considered no longer needed shall be deleted from OneDrive, MS Teams, SharePoint, Outlook mailbox, Calendar, To-Do List, Power BI repository and all other MS tools used in Deloitte CE or shared drives. Recorded Skype meetings shall be deleted from your laptop.
In cases of individual use of OneDrive, Outlook mailbox, Calendar, To-Do List and Power BI repository, each Deloitte practitioner is individually responsible for making sure that Deloitte CE archiving and deletion rules are followed. Similarly, where MS Teams, SharePoint and other MS tools are set up for specific projects, the project leads are responsible for following these rules.
An overview of CE systems approved for archiving as per each Service Line can be found in the Deloitte CE data handling – approved systems and tools overview.
Please note that a specific retention period applies to MS Teams chats and meeting recordings, which are deleted after 30 days (further details about recording in MS Teams can be found here). OneDrive applies a 90-day retention period to content uploaded by a Deloitte practitioner who has left the firm and whose Active Directory account has been disabled. After the retention period expires, the content is deleted with no option to recover the data [2].
[1] Other MS tools that are in use in Deloitte CE, i.e. MS Whiteboard, MS Planner, MS To-Do, MS Forms, MS OneNote, MS Bookings, Skype for Business.
[2] Data marked as being on Legal Hold is maintained regardless of the disposition schedule.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.
Deloitte Central Europe is a regional organization of entities organized under the umbrella of Deloitte Central Europe Holdings Limited, the member firm in Central Europe of Deloitte Touche Tohmatsu Limited. Services are provided by the subsidiaries and affiliates of, and firms associated with Deloitte Central Europe Holdings Limited, which are separate and independent legal entities. The subsidiaries and affiliates of, and firms associated with Deloitte Central Europe Holdings Limited are among the region’s leading professional services firms, providing services through nearly 11,000 people in 39 offices in 19 countries.
Version October 2022