Best practice for personal data management
There are a number of things you can do to manage personal data correctly. Please consider which of them apply to you, and act accordingly.
Get support to follow best practice
IS or your local computing officer fully encrypts all new University-procured laptops by default before use. The option to retrospectively encrypt University standard laptops for staff using sensitive data will also be available where the device hardware allows this.
Help and advice on encrypting personal devices can be provided by IS through clinics.
Storing sensitive data on non-University equipment should be avoided where possible.
Secure data storage for mobile devices should be considered as part of developing a data management plan for research projects.
The University provides users with storage facilities such as Datastore, Data Sync, and Office 365 Business OneDrive, all of which can be accessed as cloud storage and are fully supported technologies.
Using third-party services like Google Drive or Dropbox could easily breach the DPA.
Safe-Harbour policies are no longer valid and companies that store their data outside the EU should comply with the EU-US Privacy Shield.
Please do not keep any sensitive data with third-party cloud-storage providers unless you are completely sure that they have an agreement with the University and comply with the aforementioned law.
Keep personal data on encrypted devices and systems
All portable USB memory sticks and hard disks procured within the College should be hardware-encrypted by default.
Staff should reduce, wherever possible, the amount of sensitive data taken outside of the University and its network, for example when making a copy of data to take offsite. Instead, the use of available remote access tools such as VPN and remote desktop should be promoted and enhanced.
Avoid forwarding University emails to any public service like Gmail, Outlook or Yahoo. These services do not fall under the protective scope of the University, and as we have no control over what enters your mailbox and no ability to back up or secure your emails, we cannot guarantee the safety of the content within or prevent any DPA breach.
Any device (for example, smartphone, laptop) that is used outside of the University and its network to access sensitive data must be password- or PIN-protected. This protects against casual access by someone else if you lose the device.
Protect personal data with strong passwords
A lost or stolen mobile device that is synchronized with the Office 365 email and calendar service and may contain sensitive data is remotely wiped immediately by the individual, using tools provided via Outlook Web Access, on which the IS Helpline can provide advice.
Use strong passwords and configure computers appropriately. For instance, if you habitually put your machine to sleep rather than shutting it down, so that it might be in the sleep state if it were lost or stolen, make sure it asks for the password on waking.
Above all, staff should be aware of the issues and risks, use common sense, complete the available training, and seek advice from appropriate staff whenever necessary.