What data needs to be encrypted

Loss, theft, or unauthorised disclosure of certain information could be detrimental to the University, its staff or students. Such information includes that defined as personal data by the Data Protection Act 1998. Where the University is handling digital personal data that cannot be sufficiently secured by physical controls, the data must be encrypted.

Data which must be handled securely, using encryption where pertinent, includes:

• Any personal data classed as "sensitive" by the Data Protection Act.
• Any data, that is not in the public domain, about a significant number of identifiable individuals.
• Personal data in any quantity where its protection is justified because of the nature of the individuals, source of the information, or extent of the information.

Data as described above must be encrypted:

• Where it is stored on a computing device or any computer storage medium which may be exposed to a significant risk of being lost or stolen. (Computers used to access remotely stored data or to process locally stored data may create cache files. Depending on the technology in use persistent and unencrypted cache files may be created.) Any such device when outside a secure University location is considered to be at significant risk, including home computers.
• Where it is to be transmitted via a computer network using a mechanism that does not itself incorporate encryption. Depending on the specific technology being used this could refer to: sending data by email either within or outside the organisation, transferring files offsite, remotely accessing files or Web pages. The risk is that unencrypted data in transit may be intercepted.
• Where the data is being sent using a postal service such that the data media could be lost, stolen or intercepted and read whilst in transit.

If you are not sure if encryption is necessary please contact the IT Service Desk  for advice.

What we provide

The data encryption service aims to provide advice, product recommendations and support to University staff and students who have a requirement to secure data.

IT Services will  offer staff and students or their technical representatives:

• consultation and advice on standards and products
• purchase and support for recommended products

See details and indicative costs of the recommended encryption products, all of which comply with the FIPS 140-2 security standard.

IT Services will also provide a secure storage facility for relevant passwords connected with encrypted device. This insures against the individual forgetting their password, and therefore, loss of access to their data.

What you can expect

We aim to advise you of a recommended encryption solution within five days of receiving your initial request. Because it can be daunting choosing the best encryption option, we offer advice and help in finding a solution suitable for your needs.

What we expect

Customers should initially contact the IT Service Desk with their encryption requirements. Please supply as much information as possible. As a minimum, provide answer to the following questions:

• What data do you need to encrypt and why?
• What is the source of the data you need to encrypt?
• Has an external orgnaisation specified any specific security requirements you must comply with?

Service availability

This service is offered to all University staff and students and is supported during normal working hours.

Service charges

There is no charge for consultation and advice. Customers will have to pay for encryption products.

FAQs and related information

Q. How do I know if I need to encrypt my data ?
A. The University's cryptography policy provides guidance on this. If you are in any doubt please contact the IT Service Desk

Q. Where can I find a description of the FIPS 140-2 standard ?
A. See more information on FIPS 140-2.

Q. Who do I contact to notify IT Services that I've changed my encryption password ?
A. Initially contact the IT Service Desk who will  take your contact details. A member of Second Line Support will then be in touch to record the new information.

Need further help?

Please contact the IT Service Desk in the first instance.