👋 Introduction
Whilst most TRE Users have their own unique login and TRE workspace to complete their project data analyses, as of 2024 we have introduced a ‘view-only’ option. View-only Users have approvals in place to see the project data solely through screen sharing, online or in person, with a standard User. View-only Users will not have dedicated TRE accounts for login, and interacting with the data by sharing login details with other Users is strictly prohibited. We expect both types of Users to uphold best practices to ensure the security and confidentiality of the sensitive data.
This How-to article provides best practices to safely conduct screen sharing sessions using Microsoft Teams. It outlines potential risks and the necessary steps to mitigate them, ensuring the security and confidentiality of sensitive data.
📘 Objective
This article provides Trusted Research Environment (TRE) Users with guidelines and best practices to safely conduct screen sharing sessions using Microsoft Teams. Teams is the approved video conferencing platform of the University of Dundee; whilst we appreciate that our Users may use alternative software, our guidance sits within the University of Dundee’s recommendations.
This article outlines potential risks and the necessary steps to mitigate them, ensuring the security and confidentiality of sensitive data.
🤷‍♀️ Why Screen Sharing Security Matters
Screen sharing is a valuable tool for collaboration within TREs, allowing users to discuss data and analysis in real-time. However, it also introduces risks such as unauthorised access, data leakage, and breaches, particularly when users are in insecure environments or high-risk jurisdictions. This guide helps users understand these risks and outlines steps to mitigate them.
Role and Responsibilities
Role | Responsibility |
---|---|
TRE Users | As a TRE User, this is your responsibility and you need to make sure that people viewing the data are authorised, using secure connections, and not completing any unauthorised recording. You also need to consider where you and your collaborator are physically; public places are not considered a Safe Setting. You also need to consider high-risk countries; the University of Dundee’s policies can be found here. |
Add in Risk Table Once Approved
User Responsibilities Under the TRE User Agreement
All TRE users are bound by the TRE User Agreement, which outlines their responsibilities to maintain data security during screen sharing sessions. Key obligations include:
Secure Access: Ensuring that only approved individuals participate in meetings and that secure, encrypted connections are used.
Screen Capture Prohibition: Users must not take screenshots or use screen capture tools during sessions.
Secure Environment: Users must be in a secure environment when participating in screen sharing, especially if located in a public place or travelling through high-risk countries.
Best Practices for Secure Screen Sharing
Preparation:
Verify that all participants are approved TRE users.
Close all non-essential applications and documents before the session begins.
Use application-specific sharing rather than full-screen sharing.
During the Session:
Ensure recording and transcription features are stopped/disabled.
Monitor the session for any unauthorised activities, such as screen capturing.
Keep discussions focused on the approved scope of the data.
Post-Session:
Review the session to ensure no breaches occurred.
Follow up with participants to reinforce best practices.
🖊️ TRE User Agreement - User Responsibilities
In line with HIC processes, all of our TRE Users are considered Safe People. Part of these credentials is the signing of our TRE User Agreement which includes key responsibilities that Users are bound by to maintain data security, including:
Safe People: whether TRE Users are standard or view-only, all Users are expected to have the same responsibilities. Only approved Users should be in meetings that will include screen sharing, and secure, encrypted connections should be used. This ensures secure access and compliance with upholding the security and confidentiality of HIC data and the TRE. More generally, all Users are expected to comply with applicable laws such as the Data Protection Act 2018. TRE UA 1.4.4, 7.2.1
Safe People, Safe Setting, Safe Data: You are responsible for ensuring that the data is not read, viewed, or handled by anyone not named in the relevant approvals. When screen sharing, there must be no unauthorised recordings or transcriptions of sessions to prevent data leakage. During screen sharing meetings (or at any time), you must not leave your screen unattended or disclose/share the data with people not named on the relevant approvals. TRE UA 2.1.1, 3.1.4, 3.2.2
Safe Data: You cannot work on the TRE in a public place, i.e. anywhere where anyone not named in the relevant approvals may be present. You must be in a secure environment when participating in screen sharing, e.g. if you are in a public place such as a library, you should be located in a booth where no one can look over your shoulder. TRE UA 5.1.6
Safe Output: Users are prohibited from taking screenshots or using screen capture tools whilst working in the TRE. There is no movement of data in or out of the TRE without the approval of HIC disclosure control processes. TRE UA 5.2.1
Info |
---|
As set out in the Agreement, if you are aware of accidental or deliberate breaches, you must legally report this to HICSupport@dundee.ac.uk |