Using Microsoft Forms to Collect Sensitive Data
Microsoft Forms is approved for use with sensitive data; however, the Form owner must adhere to the following to ensure data is secure:
- Forms used to collect sensitive data must be associated with a OneDrive group, not an individual account. This prevents sensitive data from being stored within an individual Office 365 account and protects data collected via the form from loss in the event an individual transfers roles or departs the institution.
- The OneDrive Group associated with the creation of forms that collect sensitive data must be configured according to the Sensitive Data in OneDrive Standard.
- Forms must NOT be “Shared to Collaborate.”
- Results of Forms must only be shared with those who have a need to access such forms, thus adhering to the principle of least privilege.
Settings and Best Practice Guidance
Before using Forms, make sure you (and all your collaborators) understand the purpose of the data.
Once you have defined the purpose of data collection, the data can only be used in a manner consistent with that purpose. All collaborators should be clear on where the data is to be stored and how it is to be used before any responses are collected.
By default, Forms you create are tied to your personal account – sensitive data must never be stored in a personal OneDrive account and must be saved to the group’s or department’s SharePoint site in a secure folder. Move them to “Group” ownership using the following steps:
- Create your Form.
- Go to the main Forms page.
- Click on the " ⁞ " icon on the right side of your Form.
- Click on the “Move” option.
- A new panel will open showing you the full list of all O365 Groups and Teams of which you are a member. Click on one to make that group or team the owner of your form. Note: Everyone in that group or team will now be able to see the form and all responses it collects.
- Once complete, the Form will no longer be visible in the “My Forms” area. Instead, it will appear when you click the “Group Forms” option.
There is an option to share a Form to collaborate – but this will give all collaborators the ability to access response data. As such, the “Share a Form to Collaborate” option must not be used when collecting sensitive data.
When you click on the “Share” button in Forms, it gives you multiple options:
- Send and collect responses – This gives you a link that you can use to collect responses to your Form.
- Share as a template – This allows you to create a duplicate of your Form that you can save under a new name or share with someone else.
- Share to collaborate – This will give you a link you can share with other people who are working on the Form or the data it collects.
- Note: All collaborators have access to all response data. Therefore, all individuals identified as collaborators must have a need to access the data to perform their job (principle of least privilege).
Share to collaborate links are not tied to individual accounts (they can be forwarded or shared).
The “Share to collaborate” link offers only two levels of privacy: sharing with everyone and sharing with people in your organization (all of OHIO, including students and guest accounts). The “Share to collaborate” link means that anyone you send this link to can forward that link to anyone else they think should have access, removing your ability to control who can see the data.
You can avoid this by making a group the owner of your Form (see above). When a group “owns” a Form, all group members can see and work on the Form and its data without needing to use the “Share to collaborate” link. You can even embed your Form or Form responses directly into SharePoint or Teams.
Forms you create should always include a statement of why you are collecting the data and what you will do with it.
This is good practice anytime you are collecting data and is a best practice requirement if you are collecting personal data. A privacy statement should include the following information:
- The purpose for which the information is being collected
- How the information collected will be used
- The contact information of someone who can answer questions about privacy
For additional guidance, visit Help and Resources: Microsoft Forms.