THE OFFICE OF AUDIT, COMPLIANCE & PRIVACY SERVICES
 
 
www.uvm.edu/compliance
 
Privacy Matters Newsletter
 
Protecting Personally Identifiable Information
 
Microsoft Teams: Best Practices for Safeguarding Personal or Sensitive Information During Remote Instruction

While the University of Vermont does have some HIPAA-covered components, as a whole, UVM is not a covered entity under HIPAA. HOWEVER, UVM is bound by FERPA, GLBA, GDPR and other privacy regulations. In addition, there may be various contractual obligations or other signed agreements related to data security and privacy. Regardless of whether the instruction is in-person or online, our responsibility to safeguard personally identifiable information, whether under the law or under a signed contract or agreement, remains.



Here are some tips to help safeguard protected or otherwise sensitive information:
 
For Faculty:
  • Do not ask students to print documents that contain personally identifiable student record, health or other sensitive information unless there is no other option. If you do require that it be printed, expressly communicate to your students that it must be safeguarded at all times from print to destruction.
  • Electronic documents containing sensitive information can be shown to students through Teams' Screen Sharing. If the document contains personal or sensitive information, refrain from using the upload feature unless there is no other option. If Screen Sharing is not an option and you do need to upload, DELETE IT immediately after use. Do not store it or otherwise keep it in Teams.
  • UVM's subscription to Teams is approved for the handling and storage of all Protected University Information including FERPA-protected student record data. To access UVM's subscription to Microsoft Teams, start the login process here: https://www.uvm.edu/it/kb/article/teams/. You'll know you're using the right version if you are logging in with your NetID credentials. Other versions of Teams may not have the required level of security.
  • Using the Screen Sharing option to show videos via Teams has some limitations - test it before use. If it is not working and you must upload videos containing personal or sensitive information to Teams, DELETE THEM immediately after use.
  • Do not put personal or sensitive information in meeting invites. This information may be visible to others within Outlook and Teams. If needed, use initials or some other type of code that does not include individually identifiable or otherwise personal/sensitive information.
For Faculty & Students:
  • If it must be printed, secure it throughout its lifecycle. Promptly retrieve documents from the printer that contain personal or sensitive information and do not leave them lying around or otherwise allow them to be viewed by unauthorized individuals.
  • Make sure that you shred paper documents when they are no longer needed. DO NOT THROW printed materials that contain personally identifiable or sensitive information in the regular trash.
  • Be aware of your surroundings. To reduce the risk of unauthorized individuals overhearing discussions that include personal or sensitive information, join Teams sessions from a private location. Do not allow unauthorized individuals to listen in to these discussions. Verbal disclosures are violations.
  • If you do not have a private location from which you can access Teams, utilize privacy screens and headphones and keep others at a reasonable distance away from your device.
  • DO NOT SHARE LOGIN CREDENTIALS! This is nothing new - it has been University Policy for quite some time now. You are responsible for activity that occurs under your user name and password.
  • Completely log out when you are done - this will prevent unauthorized individuals from accessing information if you are no longer sitting at your device.
  • Do not store files on your device unless authorized to do so. And, if you are authorized, completely delete files from your device and from your trash as soon as the file is no longer needed.
  • If you must store documents that contain personal or sensitive information, make sure they are locked and that only authorized individuals have access.
Some agreements may contain language that is more restrictive than these best practices.
 
You are responsible for knowing your contractual limitations and for taking additional precautions when and if required. If you have any questions about this Privacy Matters newsletter, contact the Chief Privacy Officer at privacy@uvm.edu.