Loss and Theft of Unencrypted Data

The University is asking staff to consider carefully what sensitive, personal or confidential data they hold, how it is held and, most importantly, whether they really need to hold it, given the risk of loss or theft of unencrypted data.

Recent losses of laptops at other organisations have incurred fines of up to £100,000. This brings into focus the importance to the University of ensuring the data it holds is secure and that it complies with the Data Protection Act.

What type of data is considered sensitive or confidential?

Defining the type of data that is considered sensitive, personal or confidential is surprisingly difficult.

Typical categories are data that:

  • could disclose information about any person (not just staff and students), directly or indirectly, through identifying information such as names, addresses, occupation or photographs
  • could disclose sensitive information about any person, directly or indirectly, through identifying information such as a person's race, ethnic origin, political opinion, religious beliefs, trade union membership, physical or mental health, sexual orientation, criminal proceedings or convictions
  • relates to children (under 18)
  • was provided to you by an external organisation (including the NHS) and is covered by a written or unwritten confidentiality agreement
  • is otherwise governed by factors such as ethical guidelines, legal requirements or research-specific consent agreements
  • if revealed without authority or lost, might affect the University’s reputation or have a financial impact on the University
  • could disclose personal information about any person, including staff, students, and individuals who are the subjects of University research

As well as the type of data, you should also consider the medium: paper records, video, audio, x-rays etc. are also subject to the Data Protection Act.

If you’re at all unsure about whether data you hold is considered sensitive or confidential, contact the Information Assurance Office.

How should sensitive or confidential data be held?

Consider whether it is necessary for you to hold this data and, if not, delete it, anonymise it or return it to someone who should hold it.

If you do need to hold the data make sure you do so on either:

With the Windows 7 service in 2012, IT Services will provide an encrypted laptop service, but until that time our advice is to use the encrypted and approved USB drive/memory stick solution above.

Should you need to use an encrypted device, please contact the IT Service Desk, ext. 2253 or ithelp@le.ac.uk, who will be happy to assist you.

Never store sensitive or confidential data on a personally owned PC.

Email and sensitive or confidential data

  • On a personal laptop or home computer you should only use Webmail – Outlook Web Access.
  • On devices such as smart phones, iPads etc. you should be sure to protect the device with a password or equivalent.

If you’re at all unsure about the best way to store data, contact the Information Assurance Office.

The consequences of not holding data securely

If sensitive data gets lost, the repercussions may vary but could include:

For the University

  • Huge inconvenience
  • Loss of University reputation
  • Loss of funding for the University
  • University is fined

For the Individual

  • Disciplinary action
  • Dismissal
  • Personal reputation

The University and its staff have an obligation not only to process data securely but also to report any breaches should they occur.

Staff must report any loss of sensitive, personal or confidential data as soon as possible: see How to Report an Information Security Incident.

In the event of a loss, the best way of minimising damage is to report immediately. A failure to report such losses is likely to result in more serious repercussions.

 

Request Information

To make a Data Subject Access Request, or a Freedom of Information Request, please contact IAS directly.