All staff of the University are required to complete mandatory training in Data Protection and Information Security on joining the organisation (see the mandatory training courses page).
The University has a number of policies on Data Protection and Information Security which must be followed by all staff; more information is available on the policies page.
Suppliers providing services to the University (as data processors) are assessed by teams within IT (including the Design Authority Group), Procurement, IMPS and Legal Services.
Due diligence checks are performed on suppliers to ensure they provide the necessary and appropriate levels of security for personal data.
Contractual terms with suppliers are also scrutinised to ensure that they meet the necessary requirements under Article 28 of the General Data Protection Regulation.
As required under Article 35 of the General Data Protection Regulation, a Data Protection Impact Assessment will be performed on any processing that is likely to result in a high risk to individuals. More information can be found here.
Suspected or actual compromises of University data must be reported to IMPS immediately, via the Information Security Incident Form or by phone to 0118 378 8981.
This is a requirement under the University's Information Security Incident Response Policy (PDF 210KB) and Information Security Incident Response Procedures (PDF 354KB).
Ongoing assessments of the technical security of the University's IT infrastructure are performed by IT Services as part of the overall IT Strategy.
All staff of the University must follow the IT Rules and Regulations which include instructions for secure password management.
A number of User Guides are also available for remote systems access, mobile device management and user account management.
Staff using personal devices are required to follow the Bring Your Own Device Policy (PDF-359KB).
To ensure that all staff processing information remotely do so securely and in accordance with the Data Protection Act 2018, the University has developed its .
Staff working remotely must also adhere to the University Records Management Policy (PDF-98KB) and Records Management guidelines. The 'master copy' of information should be stored at the University, not at home, because:
- Information stored on the University's corporate systems is secure
- Anyone who needs to refer to the information can be sure it is the most up to date
- It enables a quick response to requests under DP, FOI or the EIRs
- Loss of this information could have serious repercussions for the University
- If the official University record is held somewhere other than at the University, i.e. at an employee's home, it may not be recoverable, and this could affect business continuity
Advice on naming electronic and paper files in a way that is meaningful to colleagues and easy to order and retrieve electronically is given in Naming Files and Folders in the Records Management section.
In order to ensure that it complies with the Data Protection Act 2018, and that sensitive information is protected from unauthorised access, dissemination, alteration or deletion, the University has a policy on processing personal data and sensitive information off campus or on an external network: the Encryption Policy (PDF-369KB). It complements and supports the existing Data Protection Policy.
The policy applies to all University staff who process sensitive information off campus or on external networks. It covers the use of mobile devices (e.g. laptops, tablet computers, smartphones), portable storage media (e.g. memory sticks or CDs), remote computers, or other forms of communication (e.g. email).
Failure to comply with this policy may expose the University, its staff or students to risks including fraud, identity theft and distress, or damage the University's reputation and its relationship with its stakeholders, including research funders. The Information Commissioner can also impose fines of up to €20 million or 4% of annual global turnover, whichever is higher, on the University for breaches of the GDPR (2016) and the Data Protection Act 2018.
'If medium and high risk personal data or sensitive information is to be processed off campus or on an external network then it must be stored and transmitted in encrypted form.'
These terms are defined in the policy, together with some examples of medium and high risk personal data and sensitive information.
Guidance for staff on how to adhere to the encryption policy is given below: