Security of data is a natural concern when considering a move to a cloud-based service, but we have tested and reviewed Office 365 from all angles to ensure that it is as secure as the old on-site email server system. 

The contract

We consulted with Imperial College London's legal advisors concerning the contract with Microsoft. The contract itself has been developed by Microsoft and Jisc, the UK higher and further education and skills sectors’ not-for-profit organisation for digital services and solutions, to address the specific needs of higher education institutions (HEIs) like Imperial. Jisc coordinated the input from legal counsel and several HEIs who have decided to use the service, including University College London and King's College London. We have signed the second iteration of this contract. The contract that we signed utilises all relevant agreements and, in particular, includes the European Union Model Clauses regarding data transfer and storage.

Technical implementation

The ICT Security team have studied the technical implementation of Office 365 closely and have, amongst other things, ensured both encryption in transit and secure processes to maintain the system. Microsoft have achieved a number of security qualifications for the Office 365 service and supply cloud-based services to both the Cabinet Office and the National Health Service (NHS).

Review process

ISSG, the Imperial advisory group on ICT security matters, which is chaired by Alan Boobis and includes representation from various parts of College, such as the Imperial College Union and the Security Institute, have reviewed the use of Office 365 from a security perspective. ISSG approved the use of Office 365 in December 2014 at the beginning of the project.

Project Board approval

A Project Steering Board has overseen the Office 365 project. The Steering Board is chaired by Susan Gibson and includes representatives from each faculty and central administration. One of the first questions posed by the board to the project team concerned security, and the team were able to satisfy the board as to the security measures in place.

Warning on the use of email

Email is never the place for confidential information. While it is easy to send the wrong information, it is hard to retrieve it afterwards. Your responsibility for adequate data management includes the type of storage you use for emails and information.