Handling Information Safely

If you (as part of your work, research or study) are handling information for (or belonging to) the University then you have a responsibility to protect the safety of that information.

Your responsibilities

  1. You may only use the information for the purposes that the University has agreed.
    • You role in the University will define what information you can use, and how
  2. Do not provide access to the information to anyone else, unless as part of an approved Univeristy process.
  3. Do follow any instructions, guidelines or procedures for protecting that information
    • You should be given or made aware of these
  4. Be aware of when you are handling confidential information
  5. Ensure you take appropriate measures to prevent unauthorised access to the information you use and have access to.
  6. Report when you know information is put at risk (Loss, theft, unauthroised access)

How to identify and classify confidential data

The data you are given access to should have been assessed, to identify if access to it needs to be restricted for any purpose. If restrictions on access are required, then this should be communicated anyone who could have an impact on access, such as business process owners, users and service providers, so they can ensure any risks are controlled.

Restrictions may be required for the following reasons

  • Legal obligations (such as data protection)
  • Contractual obligations (such as applying to externally provided data)
  • University business requirements

Personal information (Data protection)

Any data about identifiable living persons is classified as personal data under the Data Protection Act, which requires that it is handled according to the provisions set out in the act, and the recommendations of the data commissioner.

How to protect confidential data

The easiest way is to keep the information in University provided systems and filestores.

If you choose to put information on devices you own, you become responsible for its safety, and should ensure that, where the information is confidential, that it is properly protectedm by encrypting it (See encryption

Mobile data security

Mobile working provides great flexibility as to when and when individuals make use of information, but this also brings greater risks when information passes into environments where the University does not have direct control. This applies to all offsite and remote working and use of any portable devices such as laptops, phones, PDA’s, and removable storage such as USB devices.

Users of such data have a personal responsibility for the security of data on such devices and ensure they follow guidelines on protecting it (See secure mobile working)