General principles

  1. Wherever possible, always aim to keep 'restricted' and 'highly restricted' information within the University's secure environment/systems.
  2. Where this is not possible, consider whether the restricted information can be redacted or anonymised. If this is not possible, appropriate security measures should be implemented (for example agents on mobile devices containing personal data and appropriate physical security measures for paper records). For the most confidential data (and where a funder requires) discuss with DDaT about encryption.
  3. Any potential loss or unauthorised disclosure of personal data and or sensitive personal data must be reported to the University's Data Protection Officer (the Senior Legal Adviser).
Location/format of information Highly restricted Restricted Internal use
Shared file storage areas on University's network (e.g. shared windows folders) Strictly restricted access on a need to know basis Limit number of, and identify individuals who have access to folders No internal restrictions
Departmental/local based server No storage or created permitted unless server environment is equivalent to DDaT server security environment. Advice must be sought from local IT support concerning access rights, physical security and back-up No storage or creation permitted unless the server environment is equivalent to DDaT server security environment. Advice must be sought from local IT support concerning access rights, physical security and back-up If a local server is required, advice must be sought from local IT support concerning access rights, physical security and back-up
University desktop PCs hard drive (C drive) Avoid storing data here. Use remote drives Avoid storing data here. Use remote drives Manual back up required
Specialist MI systems (e.g. SAMIS, I Trent, Pure etc) Administrators to ensure access rights are appropriately controlled. All managers to ensure access is removed when a staff member leaves. Appropriate security measures must be taken if data is extracted from the system Administrators to ensure access rights appropriately controlled. All managers to ensure access removed when a staff member leaves. Appropriate security measures must be taken if data extracted from the system No restrictions (MIS information will principally fall in the other categories)
University-owned laptop or mobile devices (e.g. IPad, smartphones, or portable storage devices) Devices must have wiping agents installed. For the most sensitive data encryption should be considered (contact DDaT for advice). Use a secure remote connection. Never use public wifi. If in doubt about the use of public wifi, consult DDaT. Do not leave logged on and unattended. Do not work on files in public areas. Do not share the use of laptop/device with non-University staff. Anti-malware software should be kept up to date Devices should have wiping agents installed where possible Use secure remote connection. Avoid the use of public wifi as far as possible. Do not leave logged on and unattended. Take great care if working on files in public areas. Do not share the use of laptop/device with non-University staff. Anti-malware software should be kept up to date Use secure remote connection wherever possible. Do not leave logged on and unattended. Do not share the use of laptop/device with non-University staff. Anti-malware software should be kept up to date
Personally owned desktop PC, laptop or mobile device (e.g. IPad or smartphone, portable storage devices) May be used via secure remote connection if used in a private environment. Mobile devices must have wiping agent installed. Never use public wifi. If in doubt about the use of public wifi, consult DDaT. Do not save files to local storage areas/non-University owned unencrypted device. Do not leave logged in and unattended May be used via secure remote connection if used in a private environment. Avoid the use of public wifi as far as possible. If you need to save files to local storage area/non-University owned device ensure they are deleted at the earlier opportunity. Consider secure erasing most sensitive files (please contact DDaT for more advice about this). Do not leave logged in and unattended May be used via secure remote connection if used in a private environment. Do no leave logged in and unattended
External 'cloud' storage outside of University agreed contract e.g. individually set up Dropbox accounts Avoid using - consider University solutions/seek advice from DDaT Avoid using where possible - consider University solutions/seek advice from DDaT Use University solutions wherever possible
Sending emails from a University hosted account to another Check recipient(s) are correct Check recipient(s) are correct No restrictions
Sending emails from a University account to an external account Double check recipient(s) are correct. Auto-forwarding to external account should be avoided. Consider secure alternatives to using e-mail (seek advice from DDaT) For the most sensitive information, consider password encryption of file with a strong password (8+ character, mixed character) Check recipient(s) are correct. Auto-forwarding to external account should be avoided Check recipient(s) are correct
Sending emails from externally provided personal account (e.g. Gmail) Avoid (please be aware that any data in sent items or your inbox will be stored outside of University's secure system) Avoid (please be aware that any data in sent items or your inbox will be stored outside of University's secure system) Use University or other organisations' email accounts wherever possible (please be aware that any data in sent items or your inbox will be stored outside of the University's secure systems)
Paper copies Must be stored in a secure environment e.g. locked cabinet/drawer. Must not be left unattended in an insecure environment. Must be disposed of securely (e.g. confidential shredder) Should be stored in a secure environment e.g. locked cabinet/drawer. Should not be left unattended in an insecure environment. Should be disposed of securely (e.g. confidential shredder)
Internal post service Avoid where possible (e.g. deliver in person by hand). If internal post must be used please ensure the sealed envelope is used and marked 'highly restricted' with sender details Sealed envelopes marked 'restricted' with sender details No restrictions
External post service Tracked and delivery recorded service, marked 'highly restricted' Consider tracked and delivery recorded service where appropriate and marked 'restricted' No restrictions
Fax machine Only use if the recipient has verified the security of receiving the machine and is at the machine awaiting receipt. Double-check number. Use a cover sheet Only use if the recipient has verified the security of receiving the machine No restrictions