Internal, open access

Data Security

 
Page Contents:
General information
Remote working
Processing personal data off campus or an external network 

 

General information

All staff of the University are required to complete mandatory training in Data Protection and Information Security on joining the organisation.

The University has a number of policies on Data Protection and Information Security which must be followed by all staff. More information can be found here.

Suppliers providing services to the University (as data processors) are assessed by teams within IT (including the Design Authority Group), Procurement, IMPS and Legal Services.

Due diligence checks are performed on suppliers to ensure they provide the necessary and appropriate levels of security for personal data.

Contractual terms with suppliers are also scrutinised to ensure that they meet the necessary requirements under Article 28 of the General Data Protection Regulation.

As required under Article 35 of the General Data Protection Regulation, a Data Protection Impact Assessment will be performed on any use of data processing that is likely to result in a high risk to individuals. More information can be found here.

Suspected or actual compromises of University data must be reported to IMPS immediately, via the Information Security Incident Form or by phone to 0118 378 8981.

This is a requirement under the University's Information Security Incident Response Policy (PDF 210KB) and Information Security Incident Response Procedures (PDF 354KB).

Ongoing assessments of the technical security of the University's IT infrastructure are performed by IT Services and as part of the overall IT Strategy.

All staff of the University must follow the IT Rules and Regulations which include instructions for secure password management.

A number of User Guides are also available for remote systems access, mobile device management and user account management.

Staff using personal devices are required to follow the Bring Your Own Device Policy (PDF-359KB).

Remote working

To ensure that all staff processing information remotely do so securely and in accordance with the Data Protection Act 2018, the University has developed its Remote Working Policy (PDF-160KB).

This policy has been written to ensure that staff are aware of their individual responsibilities around information security when working remotely. It applies to all staff who use or access University systems or information remotely either occasionally or as part of their contract. It applies to information in all formats, including manual records and electronic data.

'Remote working' means working off campus or outside of the secure University computing environment; this includes working while connected to the University Wi-Fi networks.

'Staff' includes anyone working on behalf of the University or given access to University data, eg visitors, students and subcontractors.

Remote working presents both significant risks and benefits for the University. Staff may have remote access to information held on secure campus servers, but without the physical protections available on campus and the network protections provided by firewalls and access controls there are much greater risks of unauthorised access to, and loss or destruction of, data. There are also greater risks posed by information 'in transit'.

Staff working remotely must also adhere to the University Records Management Policy (PDF-98KB) and Records Management guidelines. The 'master copy' of information should be stored at the University, not at home, because:

  • Information stored on the University's corporate systems is secure
  • Anyone who needs to refer to the information can be sure it is the most up to date
  • It enables a quick response to requests under DP, FOI or the EIRs
  • Loss of this information could have serious repercussions for the University
  • If the official University record is held somewhere other than at the University, ie at an employee's home, it may not be recoverable, and this could affect business continuity

Advice on naming files, electronic and paper, in a way that is meaningful to colleagues and easy to electronically order and retrieve is given in Naming Files and Folders in the Records Management section.

Processing personal data and sensitive information off campus or on an external network

In order to ensure that it complies with the Data Protection Act 2018 and also that sensitive information is protected from unauthorised access, dissemination, alteration or deletion, the University has a policy on processing personal data and sensitive information off campus or on an external network, the Encryption Policy (PDF-369KB). It complements and supports the existing Data Protection Policy and Data Protection Requirements.

The policy applies to all University staff who process sensitive information off campus or on external networks. It covers the use of mobile devices (e.g. laptops, tablet computers, smartphones), portable storage media (e.g. memory sticks or CDs), remote computers, or other forms of communication (e.g. email).

Failure to comply with this policy may expose the University, its staff or students to risks including fraud, identity theft and distress, or damage the University's reputation and its relationship with its stakeholders, including research funders. The Information Commissioner can also impose fines of up to 20 million euros or 4% of global turnover on the University for breaches of the GDPR (2016) and Data Protection Act (2018).

Policy statement

'If medium and high risk personal data or sensitive information is to be processed off campus or on an external network then it must be stored and transmitted in encrypted form.'

These terms are defined in the policy, together with some examples of medium and high risk personal data and sensitive information.

Guidance

Guidance to staff on how to adhere to this policy is given in the following sections:

  • Encryption
  • Mobile device security
  • Information handling
  • Remote working
  • Information security training course
