Internal, open access

Information handling

All users of information systems should manage the creation, storage, amendment, copying, back-ups, deletion or destruction of information in a manner which protects the confidentiality, integrity and availability of such information.

Sensitive or business critical information should not rely upon the availability or integrity of (external) information over which the University may have little or no control. Key documents and reports should routinely be self-contained with all the necessary information contained within them.

Disposal and repair of equipment

  • When permanently disposing of equipment containing storage media all hard drives and storage devices must be securely disposed of using authorised procedures. (See the Procurement guidance for details). 
  • Damaged storage devices containing sensitive information should undergo an appropriate risk assessment to determine whether the device should be repaired or disposed of securely using authorised procedures. (See the Procurement guidance for details). 
  • Staff should follow the Disposal of Items set out in the Procurement guidance. Only authorised third parties should be used for the disposal of information or equipment, such as computers and photocopiers. Any equipment provided to a third party, for example under a lease, loan or selling arrangement, should have any digital software owned by or licensed to the University that is not part of the sale package and any data that are not part of the sale package removed from that equipment in such a way that it cannot be seen or restored by any user.

Avoiding unauthorised viewing

  • Staff should ensure that where sensitive or personal information is being processed, screens should be sited in such a way that they cannot be viewed by unauthorised persons.
  • Staff should consider the risks to confidentiality associated with the photocopying (or other duplication, eg scanning) of sensitive information.
  • Staff should ensure that web browsers are to be used in a secure manner by making use of the built-in security features.

Retention and destruction of information

Transfer and storage of information

  • Sensitive information should only be transferred or stored off campus or on an external network in accordance with the University's policies and guidance on remote working, sending encrypted email attachments and mobile device security.
  • Sensitive information and personal data must only be transferred or stored off campus or on an external network in line with the University's Encryption Policy (PDF-369KB).

Backup and recovery

Staff should ensure that appropriate and frequent back-up and system recovery procedures are in place. These procedures must have safeguards that protect the integrity of the information being backed up or recovered, especially where such files may replace files that are more recent. Particular care should be taken where the information may be the master copy of record, in order to ensure its fixity and authenticity. In identifying master copies of record, staff should seek advice from their  IMPS Contacts or refer to the 'Active Use' section of the JISC Infokit on Records Management. Where the master copy of record is held in an electronic form, it should be stored on University servers.

Using emails, faxes and telephones

  • Staff sending emails and faxes should check the recipients address and contact details carefully prior to dispatch to ensure they reach the correct recipient.
  • Staff should not disclose sensitive or confidential information over the telephone unless the identity of the third party has been verified and the disclosure complies with the University's .
  • Staff using email should comply with the email management policy (forthcoming).

Sending information to third parties

Prior to sending sensitive information or documents to third parties, staff should check that the intended recipients are authorised to receive such information and that the organisational and technical measures adopted by the third parties provide adequate security for the confidentiality and integrity of the information being transferred.




Things to do now


Contact IMPS


Page navigation


Search Form

A-Z lists