Data security on campus
Any information you access when conducting University business that pertains to living individuals is covered by the Data Protection Act. More stringent rules apply to sensitive personal data containing information such as a person's race or ethnic origin, religious beliefs or health.
The Act applies to personal data processed on campus and remotely on mobile devices, even if the device is your personal property. If you use a mobile device or home computer to access or save your University emails, there is likely to be personal data within those emails which falls under the Act.
Keep personal data secure
- Paper files should be kept in locked cabinets or locked offices when not being used and stored securely at the end of the day - not left on desks.
- Offices should be locked when left unattended (during meetings and lunch breaks).
- Always ensure that you log off from your computer when away from it.
- Password protection should be used for any electronic files/documents containing sensitive personal data.
- Take particular care when transferring personal data onto a memory stick, laptop or any other mobile device -
- Use password protection and encryption where appropriate.
- If you ever need to include sensitive personal data in an email use password protection or encryption where appropriate.
- Change your password frequently and adhere to the University's IT Security Policy.
- Don't copy any personal data unless it is strictly necessary.
Restrict access to personal data
- Ensure the access to data is only granted to University staff who require it for legitimate purposes.
- Don't disclose personal data to other third parties.
- Avoid third parties seeing digital screens displaying personal data.
- If you need to share data with a third party for business purposes contact the Data Protection team so that a data sharing agreement can be entered into with them.
Storing personal data
- Where possible, store/save personal data on a computing services server.
- Never store personal data, especially sensitive personal data, on a mobile or home computer unless it is strictly necessary and the device has been encrypted where appropriate.
- Don't store or transfer personal data where it could be lost or exposed (on unencrypted USB drives, mobile devices and laptops).
Dispose of personal data carefully
- Shred paper files or dispose of them securely using the University's confidential waste sacks.
- If you store personal data on your own device you must securely erase all personal data on it before disposing of it.
Report data breaches
You must immediately report breaches or potential breaches as soon as you become aware of them. This includes lost or stolen laptops, memory sticks or other mobile devices, and accidental disclosures of information, for example sending an email to the wrong recipient.
Data security off campus
The Act applies to all personal data that you use for University business, wherever that data is held. It includes personal data kept on mobile devices (laptop, tablet, phone) whether the device is your own or the University's.
When working off-campus, follow the points below. Don't take any personal data off-campus without authority and having first considered security. You must adhere to the University's IT security policy.
Only use your computing services email account for University business.
Don't store data on mobile devices. Use remote access facilities (UniDesk), to access and store personal data, as it ensures that the data remains on a secure University server.
Taking data off-campus
Reduce risks of a breach of the Act through data loss by:
- limiting the amount of personal data taken off-campus - only take the data you really need
- making and using a copy of your data rather than taking the original
- anonymising data wherever possible to remove Sensitive Personal Data
Use encryption and passwords
If you store or transfer personal data onto a mobile device or pc outside of the University's IT systems, ensure that password protection and encryption where appropriate are used.
Contact Digital, Data and Technology (DDAT) for advice and assistance on keeping your data secure.
Take security measures
If you store personal data on a PC or device outside the University's IT systems, it should be as a short-term measure only. Keep a copy of the data on the University's IT system too, so that if a device is lost or stolen, you do not lose the only copy.
Store it on the University's IT system at the same time or transfer it there as soon as possible. In any event, the data should be deleted from the device/PC outside the University's IT system as soon as possible.
Make sure that any mobile device you use is adequately protected against viruses.
Take special care when transporting personal data to and from your home and when using public transport.
Avoid keeping sensitive data on mobile devices.