Sharing and storing data securely

Advice and options on storing, sharing, managing and requesting data.

Storing data

Storing data securely

It's recommended that you always store University data using one of our two assured and supported platforms:

This is because these two solutions have security and resilience in their design and are actively managed and monitored by IT Services.

For this reason and due to potential loss or theft, it is not recommended to store any University data locally on your devices, unless absolutely necessary.

Alternative online storage solutions such as Dropbox, Microsoft OneDrive, WeShare, etc. are not recommended, supported or endorsed by the University.

If you would like to obtain an exemption to use an unsupported and unapproved tool for University business, please contact your IT Services Business Relationship Manager (its-brm@sheffield.ac.uk), who will discuss your requirements and ask you to complete a non-standard request form so your exemption request can be assessed accordingly.

Sharing data

Sharing University data securely

Sometimes we might need to collaborate with others in the University or with external parties such as suppliers and research partners. To collaborate we often need to share or send data to others, but we can accidentally share too much information.

The following section outlines how this can be done securely using the University's approved services.

Sharing principles

  • At all times data should only be shared with those necessary and who have a genuine business need
  • The use of data sharing tools, other than Google, Email and IT Services managed SFTP services, is not supported or endorsed by the University. This includes using USB drives and online sharing tools such as Dropbox, Microsoft OneDrive, WeShare, etc.
  • Care must be taken when sharing Restricted and Personal information that the correct recipient is identified
  • Care must be taken to ensure that the person you are sharing information with is who they say they are, particularly when receiving requests via the telephone or email
  • Sharing via email should only be performed if there is no secure alternative
  • Personal data should not be shared outside the University unless there is a clear and lawful purpose for doing so.
  • Further guidance on sharing data with third parties is available from the University Secretary’s Office
  • In most cases where sharing of data is regular, an ‘information sharing agreement’ between the parties is required. If this is needed please get in contact with the Data Protection team, email dataprotection@sheffield.ac.uk





Sharing data internally (anyone with a University of Sheffield account)

Google Drive

The Google Help Centre includes Google's guidance on file sharing.

The following security principles should be followed when sharing files internally using Google:

  • As data should only ever be shared with those necessary, files and folders should be shared directly with other individual accounts rather than turning on Link Sharing
  • The Get Link link sharing option should only be enabled for information classified as Public or Internal. When this option is changed to University of Sheffield, the file or folder becomes accessible to anyone with a University account who has that link
  • The Get Link option should never be changed for information classified as Restricted or Highly Restricted (This includes Personal Information).
  • Care should be taken to ensure that only those necessary have access to files and folders; and that only the necessary permissions are granted (Editor, Commenter or Viewer access)


University Storage

The easiest way to share data on University Storage is to save the file or folder in question within your Departmental or your Research storage areas (e.g. X: Drive). This means others in your department or research project should be able to access this file.

Using Departmental Storage

Using Research Storage

Care should be taken to ensure that only those necessary have access to files and folders; and that only the necessary permissions are granted.

If you need access to a restricted part of your Departmental or Research storage (X: Drive) please put a request in through the shared area owner or administrator.



Email attachments

Data in transit is always encrypted (protected) when it’s sent between University email accounts. However, it’s recommended that Restricted & Highly Restricted attachments are encrypted using one of the recommended tools here:

Protecting files sent by email





Sharing data externally (to non-University accounts)




Sharing public data



Google 'Get Link' Option (For "Public" data only)

The Google Help Centre includes Google's guidance on file sharing.

The following security principles should be followed when sharing Public data using Google:

  • Only Public data should be shared externally using Google. Internal, Restricted & Highly Restricted data should never be shared externally using Google.
  • The Get Link option can be used. When this option is changed to Anyone with the link that file or folder becomes accessible to anyone with access to that link, including third parties.
  • The Get Link option should never be changed to Anyone with the link for information classified as Internal, Restricted or Highly Restricted (This includes Personal Information).
  • Ensure that only the necessary permissions are granted (Editor, Commenter or Viewer access).


Encrypted email attachments

Public data can be shared outside the University using email.






Sharing Internal, Restricted or Highly Restricted data with external parties



Sharing with External University Accounts

If needed you can request to have an “External” University account created for an external research collaborator. This account provides third parties limited access to University services, such as University storage services.

This account can then be used to share information “internally”, as they have a valid University account.

Request an External University account

Secure FTP (File Transfer Protocol)

When large amounts of data are intended to be shared regularly with an external party, an IT Services secure FTP service can be set up to manage this.

Using secure FTP



Encrypted email attachments

While data in transit is nearly always encrypted when sending emails externally, Restricted & Highly Restricted attachments should always be encrypted using one of the recommended tools here: 

Protecting files sent by email

Controlling access

Controlling data access

When you’ve already shared some data, you might want to confirm who has access and who can see it.

It's recommended that you routinely check the sharing settings of your data to confirm only those who need access have it.

Manager responsibilities

As outlined in the Access Control Policy, managers should routinely review the access settings of files and folders in their team’s shared drives, to confirm only those who need access have it.



Confirming who has access

University Storage Access Settings

  • Log in to a University or YoYo desktop workstation and view This PC.
  • You'll find your U: or X: drives already mapped for you.
    If you're using a personal device you can map University Storage drives yourself.
  • Open up the location/folder where you want to check the access settings.
  • Right click on the folder and go to the Security tab.
  • This will show the University Groups that can access this folder, including the level of access they have (such as read only, write, full control). Group membership is controlled via the Storage Management web pages, and can only be managed by the shared area owner.
  • Remember: At all times data should only be shared with those necessary.

Google Access Settings

  • Click on the blue Share button in a Google Doc/Sheet/Slide, or right click on the file/folder in Google Drive and choose the Share option. This will display a window showing who has access to the document and the level of access (Editor, Commenter or Viewer access).
  • Remember: At all times data should only be shared with those necessary.

Requesting access

Requesting access to someone else’s data

Where there’s not already an IT Service Desk registration form in place to request access to a particular system, requests for data should follow the steps below:

1. First ask the data owner to share the data with you.

  • Data owners must only share data with those necessary and who have a genuine business need

2. If the data owner is not available, then you can ask your Head of Department to complete the Account Access Request Form with the following information:

  • Exactly what data you need to access
  • Who are you getting access from? (i.e. who is the account/data owner?)
  • Why can't you request access directly from the account/data owner?
  • Why do you need this access for your job/role?
  • Sponsorship of your access request from your Head of Department, through completing the request form.
  • Access requests will then be reviewed and approved or denied based on the justification and sponsorship.

Exceptional requests, including requests for access to data outside the University’s stated purpose for processing, will be escalated to the IT Services Executive for approval.