Privacy and compliance
Applies To
Microsoft FormsIs Microsoft Forms compliant?
Microsoft Forms has also met GDPR compliance requirements as of May 2018. Please refer to Microsoft 365 Data Subject Requests for the GDPR for more information.
What about privacy? Are FERPA and BAA protections in place?
Microsoft Forms meets FERPA and BAA protection standards.
How do I prevent my form from being flagged for phishing?
Don't ask for sensitive personal information such as passwords.
Office 365 Education and Microsoft 365 Apps for business users should create their forms in compliance with the terms your organization has in place with Microsoft. To update your password, contact preference, or to view your organizations Privacy statement, go to your new My account portal and sign in.
Microsoft personal account (Hotmail, Live, or Outlook.com) users should create their forms in compliance with Microsoft Terms of Use.
How do I report a violation I see in a form?
If you receive a form that is collecting anonymous responses and believe the form is trying to maliciously gather user information, click on the Report Abuse link at the bottom of the form. Select the phishing option and, if you wish, provide comments. When complete, click Submit.
What happens after I report a form?
For Office 365 Education and Microsoft 365 Apps for business users who report a form, the form flagged for phishing will be turned into an internal only form and only internal employees of the company will be able to access the form. Enterprise administrators will be notified about the status and action.
For Microsoft personal account (Hotmail, Live, or Outlook.com) users who report a form, the form flagged for phishing will be taken down. The form owner will not be able to access the form, the form link will be inaccessible, and future respondents will not be able to open the form link.
What kind of form can be reported and what classifies as phishing?
The Report Abuse button allows a respondent to report a form suspected of maliciously gathering user information. In general, all consumer forms and “public” enterprise forms can be reported.
For Microsoft personal account (Hotmail, Live, or Outlook.com) users, all forms will include the Report Abuse button on the response page.
For Office 365 Education and Microsoft 365 Apps for business users, only “public” forms will include the Report Abuse button on the response page.
Note: To make a form "public," the form owner selects More form settings > Settings > Who can fill out this form > Only people in my organization can respond.