Records Management

Policy on taking sensitive information and personal data outside the secure computing environment

The storage, transmission and use of personal data and sensitive business information outside the University.

Purpose

This document sets out the University's policy on the storage, transmission and use of personal data and sensitive business information outside the University, including on mobile devices and portable storage media.

Its aim is to ensure that the University complies with the Data Protection Act 1998 and that sensitive business information is protected from unauthorised access, dissemination, alteration or deletion.

Audience

This policy applies to all University staff who store, transmit and use personal data and sensitive business information outside the University, including using mobile devices (e.g. laptops, blackberries), portable storage media (e.g. memory sticks or CDs) or other forms of communication (e.g. email).

Scope

The definition of "personal data" is complex, but for day-to-day purposes it is advisable to treat all information about living, identifiable individuals as "personal data".

The definitions section below gives examples of high and medium risk personal data and sensitive business information.

For the purposes of this policy, personal data and sensitive business information might be in a variety of formats, including but not limited to email, word processed documents, spreadsheets and databases.

Information is considered "outside the University" if it is stored on a mobile device, transmitted by email or otherwise stored on a system that is not managed by or provided under contract to the University.

"A mobile device" is defined as any transportable device that is capable of storing data. This definition covers a very wide range of equipment, from the basic USB memory stick or memory card to pocket memo devices and laptops. It also includes iPods, MP3 players, digital cameras, camcorders, audio recorders, CD/DVD, PDA, tablets, Blackberries, smartphones, iPads, iPhones and other external hard drives and devices.

Policy statement

All medium and high risk personal data or sensitive business information must be encrypted if it leaves the University environment.

Key principles

The following key principles underpin the University's policy on the storage, transmission and use of personal data and sensitive business information outside the University. All staff must comply with these principles when using mobile devices and portable storage media or otherwise removing information outside the University.

i. Avoid using personal data wherever possible.

ii. If the use of personal data is unavoidable, consider partially or fully anonymising the information to obscure the identity of the individuals concerned.

iii. Use the University's secure shared drives to store and access personal data and sensitive business information, ensuring that only those who need to use this information have access to it.

iv. Use remote access facilities to access personal data and sensitive business information on the central server instead of transporting it on mobile devices or using third party hosting services.

v. If there is no option but to use mobile devices or email for high and medium risk personal data or sensitive business information, buy encrypted memory sticks, use encryption software, or encrypt the whole hard disk.

vi. Do not use personal equipment (such as home PCs or personal USB sticks) or third party hosting services (such as Google Mail) for high or medium risk personal data or sensitive business information.

vii. Avoid sending high or medium risk personal data or sensitive business information by email. If you must use email to send this sort of data outside the University, encrypt it. If you are sending unencrypted high or medium risk personal data or sensitive business information to another University email account, indicate in the email title that the email contains sensitive information so that the recipient can exercise caution when opening it.

viii. Do not use high or medium risk personal data or sensitive business information in public places. When accessing your email remotely, exercise caution to ensure that you do not download unencrypted high or medium risk personal data or sensitive business information to an insecure device.

ix. Consider the physical security of high or medium risk personal data or sensitive business information, for example use locked filing cabinets/cupboards for storage.

x. Implement the University's retention and disposal policies so that you do not keep personal data and sensitive business information that you do not need. If there are no suitable retention and disposal policies in place for your area, arrange to put some in place.

High risk personal data or sensitive business information

The following are examples of high risk personal data or sensitive business information:

i. Any set of data relating to 1000 or more identifiable individuals, including, but not limited to, students, staff, alumni and research participants.

ii. Any set of data relating to more than 50 identifiable individuals that could be used for fraud or identity theft, including, but not limited to, bank account or credit card details, national insurance number, personal contact details, date of birth, salary.

iii. Information relating to more than 50 individuals' performance, grading, promotion or personal and family lives.

iv. Information relating to more than 50 alumni or students' programmes of study, grades, progression, or personal and family lives.

v. Any set of data relating to 10 or more identifiable individuals' health, disability, ethnicity, sex life, trade union membership, political or religious affiliations, or the commission or alleged commission of an offence.

vi. Health records of any identifiable individual.

vii. Substantial reorganisation or restructuring proposals that will have a significant impact on more than 50 individuals before the decision is announced.

viii. Discussion papers and options relating to proposed changes to high profile University strategies, policies and procedures, such as the University's undergraduate admissions policy, before the changes are announced.

ix. Security arrangements for high profile or vulnerable visitors, students, events or buildings while the arrangements are still relevant. This includes door access codes and passwords for access to the University network or other key systems.

x. Exam questions before the exam takes place.

xi. Non-public data that has the potential to seriously affect any organisation's commercial interests or the University's corporate reputation, such as REF strategy or an external organisation's research information.

xii. Information obtained under a confidentiality agreement where disclosure of the information is likely to seriously affect the University's reputation or lead to an action against the University for breach of confidence.

xiii. Information that, if compromised, would substantially disadvantage the University in commercial or policy negotiations.

Medium risk personal data or sensitive business information

The following are examples of medium risk personal data or sensitive business information:

i. Any set of data relating to more than 50 but fewer than 1000 identifiable individuals, including, but not limited to, students, staff, alumni and research participants.

ii. Any set of data relating to 10-50 identifiable individuals that could be used for fraud or identity theft, including, but not limited to, bank account or credit card details, national insurance number, personal contact details, date of birth, salary.

iii. Information relating to 10-50 staff's performance, grading, promotion or personal and family lives.

iv. Information relating to 10-50 alumni or students' programmes of study, grades, progression, or personal and family lives.

v. Any set of data relating to five to nine identifiable individuals' health, disability, ethnicity, sex life, trade union membership, political or religious affiliations, or the commission or alleged commission of an offence.

vi. Information relating to identifiable research participants, other than information in the public domain.

vii. Substantial reorganisation or restructuring proposals that will have a significant impact on 10-49 individuals before the decision is announced.

viii. Information that, if compromised, would disadvantage the University in commercial or policy negotiations.

ix. Non-public data that has the potential to affect any organisation's commercial interests or the University's corporate reputation, such as tender submissions prior to an award.

x. Information obtained under a confidentiality agreement even if disclosure of the information is unlikely to affect the University's reputation or lead to an action against the University for breach of confidence.

Consequences of non-compliance

Failure to comply with this policy could expose the University, its staff or students to risks including fraud, identity theft and distress, or damage the University's reputation and its relationship with its stakeholders, including research funders.

The Information Commissioner can also levy a fine on the University, which may be up to 10% of the University's turnover, or up to £500,000.

Background

The Data Protection Act 1998 sets out how organisations may use personal data. It states, "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

This requirement involves a judgement as to what measures are appropriate in particular circumstances. This policy provides guidance for University staff on how to make this judgement when using, transporting or storing personal data or highly sensitive information outside the University.

What help is available?

Guidance on how to encrypt your sensitive data is available via the Information security website.

The University Records Management Section provides advice, guidance and training on data protection, records management and freedom of information issues. Much information is available on our website, or you can contact the Section by email:

Your IT support service can advise on the options for the encryption of electronic information.

About this policy

Version: 5

Date: January 2015

Author: Susan Graham
