What data needs to be encrypted?

Data which must be handled securely, using encryption where pertinent, includes:

  • Any personal data classed as "sensitive" by the Data Protection Act. See Key definitions of the Data Protection Act.
  • Any data that is not in the public domain about a significant number of identifiable individuals.
  • Personal data in any quantity where its protection is justified because of the nature of the individuals, source of the information, or extent of the information.

If you are not sure whether encryption is necessary, please contact the IT Service Desk for advice.

This data must be encrypted:

  • Where it is stored on a computing device or any computer storage medium which may be exposed to a significant risk of being lost or stolen. (Computers used to access remotely stored data or to process locally stored data may create cache files. Depending on the technology in use, persistent and unencrypted cache files may be created.) Any such device, when outside a secure University location, is considered to be at significant risk, including home computers.
  • Where it is to be transmitted via a computer network using a mechanism that does not itself incorporate encryption. Depending on the specific technology being used, this could refer to: sending data by email either within or outside the organisation, transferring files offsite, or remotely accessing files or Web pages. The risk is that unencrypted data in transit may be intercepted.
  • Where the data is being sent using a postal service such that the data media could be lost, stolen or intercepted and read whilst in transit.
