Protecting Confidential Information

It is University policy and mandatory for confidential information in digital form to be protected using encryption where it is taken or sent out of a physically secure University location. Within the University environment all reasonable physical security precautions must also be taken.

In recent years the press has been highlighting incidents where large quantities of confidential data has been lost by, or stolen from, government and other large organisations. The Government has tightened its information security procedures to require that confidential information is encrypted when taken out of secure locations. Organisations processing information supplied by Government departments, including Universities, are now required to agree to follow similar procedures.

Contents

Protecting Confidential Information

It is now University policy that confidential University information in digital form is protected using encryption where it is taken or sent out of a physically secure University location. IT Services is recommending and supporting a range of encryption solutions that will meet the majority of current requirements.

In many parts of the University basic physical security of offices and the information stored therein is determined by the staff who work in those offices. Staff are therefore expected to take reasonable steps to physically secure confidential information held within offices.

Information that must be protected

Personal data as defined by the Data Protection Act must be protected from unauthorised access.

It must also be encrypted:

  • Where it is stored on a computer or any computer storage medium (CD, DVD, USB drive etc.) which may be exposed to a significant risk of being lost or stolen. (Any such device when outside a secure University location is considered to be at significant risk, including home computers.)
  • Where it is to be transmitted via a computer network. This refers to sending data by email either within or outside the organisation, transferring files offsite, remotely accessing files or Web pages. The risk is that unencrypted data in transit may be intercepted.
  • Where the data is being sent using a postal service such that the data media could be lost, stolen or intercepted and read whilst in transit.

Where data being handled by the University is subject to an agreement with an external organisation specifying use of encryption, the agreed handling procedures, encryption technologies and standards must be used.

Protecting other confidential information using encryption

The confidentiality insurance afforded by encryption might also be considered appropriate for other types of information such as:

  • Sensitive research information that is not personal data.
  • Sensitive University financial and business information.
  • Exam questions (refer to the Examinations Office instructions).
  • Confidential internal documents.

Authorisation to remove confidential information is required

Individuals must be authorised, by the Head of Department, to remove confidential or valuable University information offsite or to insecure locations.

Optionally the Head of Department may elect to authorise specific individuals to routinely undertake a particular activity involving a specific type of data.

A departmental record of such authorisations must be established and maintained.

The University does not require staff or students to store or access confidential information using computing devices that it does not own or manage. Should the University require one of its members to use a mobile or home computing device to store or access confidential data, then a suitably configured University owned device must be provided.

Using encryption

There are various ways to use encryption:

  • Laptop and desktop computers can be fitted with hard drives that automatically encrypt all data held. Once booted these systems operate exactly the same as computers with ordinary drives; however, if lost or stolen the information stored will remain confidential.
  • Self-encrypting USB memory sticks and external drives are available and easy to use.
  • Software utilities will create encrypted archives of files and folders. These encrypted archives can be written onto CDs, emailed as attachments etc.
  • It is easy to encrypt Office 2007 documents using built in functionality.

IT Services Second Line Support team offer support to departmental staff in their installation and use of encryption - see Data Encryption (links to IT Services).

Physical security of information

This applies to offices and other rooms which may house confidential information whether in paper or electronic form:

  • During normal building opening hours staff must keep the doors and windows of unattended offices locked.
  • Outside normal building opening hours building entrances and office doors and windows must be kept locked when unattended.
  • Confidential documents should also be locked away when not in use.

Where very highly confidential information is held in unencrypted form then additional physical protection is required. This may be implemented using some combination of: an access control system, a burglar alarm, a safe or strong room, out-of-hours security support.

Posting paper documents

Where it is essential to post confidential paper documents then the Royal Mail Special Delivery service or another reputable courier service is recommended.

If confidential information must be sent via the University internal post system it should be in a sealed and taped envelope and marked personal and confidential and for addressee only. For particularly sensitive information delivery by hand should be considered.

University Policy

This communication is based on the Information Security Policy documents:
Mobile Computing Policy (ISP-S14)
Cryptography Policy (ISP-S16)
Building Security (ISP-I1)
Information Handling Policy (ISP-S7) 

Share this page:

Request Information

To make a Data Subject Access Request, or a Freedom of Information Request, please contact IAS directly.