Information Access and Security Policy
1. Introduction
1.1
Information is an essential resource for teaching, research and administration
within the University. The Information Access and Security Policy describes
the University’s policy with regard to the creation, storage and dissemination
of information.
1.2
The policy aims to help the University carry out its core activities effectively,
to comply with legislation and good practice, to avoid breach of privacy or
confidence and to safeguard its information assets against theft, fraud,
malicious damage, and accidental damage or loss. The policy recognises that
these aims may sometimes be in competition with each other, and that a
balance needs to be struck between security requirements and an efficient
flow and effective exploitation of information.
1.3
This policy should be read in the context of other University policies,
including the policies on copyright and intellectual property, privacy and
confidentiality, and the provision of IT services and connection to the
network.
2. Scope of the policy
2.1
The policy applies to all University information. This term is understood to
cover all information owned by, held by or processed by, or on behalf of, the
University, regardless of its location (on or off the University’s premises) and
whether it is stored on paper, electronically or on any other medium.
2.2
The policy covers all phases of the handling of information, from its creation
or acquisition to processing, distribution, storage and ultimate disposal or
destruction.
2.3
The policy applies to all those who have access to University information.
These include

staff and students of the University

research partners and external contractors who have access to University
information as part of their collaboration with the University

visitors to the University who have access to University information
3. Principles
3.1
The Policy operates on the basis of the following principles:

relevant, accurate, up-to-date and timely information should be readily
and widely accessible where practicable

storage and dissemination of information should take place under levels
of security that are appropriate to the legal status of the information, its
value to the University and the risks attached to it

in the absence of any explicit statement to the contrary, any information
created or acquired through University funds is assumed to be owned by
the University
98879470
1

a responsible custodian should be designated for all information held by
the University, whether or not it is owned by the University

the University has regulations governing intellectual property
[Draft comment: Are these principles, or anything like them, articulated in our Information
Strategy documents?]
3.2
Rights of access to information imply responsibilities. The University will
provide a framework of policies and regulations, procedures and
mechanisms to ensure that information is handled within the appropriate
laws and codes of practice; individuals must operate within this framework
and are accountable for their actions.
4. Access
4.1
The University will provide easy access to University information and
appropriate external information in order to enable staff, students and others
operating on its behalf to undertake their duties effectively.
4.2
The University will provide external bodies and individuals with access to
University information where it is under a statutory or contractual obligation
to do so.
4.3
The University will protect the rights of individuals in relation to access to
personal or sensitive data held by the University, both under Data Protection
and Human Rights legislation and in compliance with the University’s
policy on privacy and confidentiality.
4.4
Physical and/or electronic access control systems will be provided to ensure
that access to personal or sensitive information is available only to authorised
individuals. The University will ensure that clear guidelines are provided on
the handling of personal or sensitive information and will provide training
in applying them.
5. Responsibilities
5.1
The loss, misuse or inappropriate exposure of information may have serious
implications for the University both in legal sanctions and in damage to the
University’s reputation. In some cases the individual processing the
information has a personal legal liability in addition to the liability of the
University.
5.2
Information should be handled within the laws and regulations in force. The
University will provide general guidelines on the relevant laws and
regulations, and will ensure that competent legal advice is available.
5.3
Whether or not legal sanctions apply in any given case, the University expects
all those handling University information to do so in a responsible manner.
Each individual is responsible for his or her own actions and should not take any
action which he or she knows to be outside the law or in breach of University
policies, guidelines or codes of conduct. Where uncertainty exists as to the
legal or other constraints upon the dissemination of information, individuals
should exercise caution and seek competent advice.
5.4
There will be a designated custodian (normally the person who created or
commissioned the information or a nominee) for each item of University
information. The custodian is responsible for ensuring its integrity and
accuracy, for legal compliance, for determining access rights, and for carrying
out risk assessments on the value and security of the information.
5.5
Policies, guidelines, and codes of practice must be adhered to. These may be
issued by the University or by statutory or professional bodies with which the
University has an association, such as the Joint Information Systems
Committee (JISC), or the United Kingdom Education and Research
Networking Association (UKERNA).
5.6
Anyone introducing visitors to the University, or involved in collaboration
with external partners, or entering into a contract on behalf of the University
must ensure, in any case where access to University information might be granted, that
the Policy is understood and complied with.
5.7
Heads of Schools and Units are responsible for the implementation and
monitoring of the Policy within their School or Unit and for ensuring that
their staff and students, and also any visitors and contractors, are aware of
the Policy and associated guidelines.
5.8
The use of computer systems and networks is central to many aspects of
information access and security. The Director of IT Services will ensure that
adequate levels of computer and network security are in place, and that
mechanisms are available for authorising appropriate access to University
information, and will provide guidelines, advice and training on security.
6. Copyright and Intellectual Property
6.1
The University can be seriously damaged by any breach of the laws and
agreements concerning copyright and intellectual property, whether by staff
or students or any other person acting on behalf of or within the University.
6.2
Information handled in the UK is subject to UK copyright law and to
regulations emanating from the European Union which bind all member
states. Copyright laws vary in other countries, notably in the United States,
and individuals must take appropriate steps to ensure compliance.
6.3
The University and the academic community of which the University is part,
have entered into agreements with various
6.4
The University has a Copyright Adviser who will provide guidelines on the
legal and other constraints on the handling of information.
7. Security
7.1
The University is committed to providing a secure environment in which
information can be accessed and processed. Subject to disclosure under court
order, data subjects have legal rights to confidentiality of information held
about them by the University, and personal or sensitive information will be
available only to those authorised. Also, the University has a duty to ensure
the accuracy and currency of personal data that it holds.
7.2
Computer and network security
7.2.1
The University will take reasonable steps to ensure the integrity of its
computer systems and data communications network. In particular, the
University will implement access controls to the University’s network from
the Internet via a firewall and will control external access from the campus
network.
7.2.2
The University will develop a policy together with associated mechanisms for
accessing University information from home or from other off-campus
locations.
7.2.3
Facilities and guidance will be provided for the detection and control of
viruses and other malware.
7.2.4
Access to individual servers will normally require authorisation and
authentication via passwords, but the University will, as far as is practicable,
implement a single sign-on for access to central servers. The University
requires all users of its computers and networks to have a strong password
and to keep it secret.
7.2.5
Heads of Schools and Units will be responsible for the security of
departmental systems. The University’s Network Connection policy requires
that all systems connected to the network are kept up-to-date with the latest
security patches. The University will provide guidance on best practice.
7.2.6
The University will continue to take advantage of appropriate technologies to
improve access control and ease of use, e.g. digital signatures, encryption,
and biometric authentication.
7.3
Security of data
7.3.1
Staff are required to take all reasonable steps to ensure the physical security
of data. These include locking offices, desks and cupboards, and ensuring
that visitors and unauthorised persons do not have access to offices where
data is routinely displayed on screens.
7.3.2
Particular care must be taken when data is removed from the secure
environment provided by a locked office and the secure network, for example
when information is

printed or photocopied

copied onto portable media, such as CD/DVD, portable hard drives or
memory-sticks

sent by email

carried on a portable computer
7.3.3
The custodian of information should decide the appropriate level of security
for specific items. For example, in some cases it will be inappropriate for the
information to be removed from a secure office, and in some it may be
inappropriate for information to be stored on a networked computer. Those
handling University information should consult the custodian in cases where
there is any doubt about the level of security required.
7.3.4
The custodian of information must ensure, insofar as is possible, the accuracy
and currency of information, and must take reasonable steps to maintain data
integrity for information held in physical or in electronic form. In order to
prevent corruption or loss of data, the custodian must ensure that reliable
backup procedures are instituted. Restoration procedures following backup
must be tried and tested, in accordance with the University’s Business
Continuation strategy.
7.3.5
Arrangements will be made for archiving material as needed (within the Data
Protection Act), with attention given to retention schedules and secure
storage.
7.3.6
The University has a policy and procedures for secure disposal which must
be used for the disposal of sensitive material, including information relating to
personnel, University committee papers or financial documents. Computing
equipment holding University data or licensed software must be disposed of
responsibly, ensuring that hard disks are securely wiped by overwriting their
contents, or physically destroyed, so that no data can subsequently be
retrieved. Reformatting a disk does not remove the data held on it and is not
an acceptable substitute for wiping.
7.3.7
Guidance on matters relating to data security will be given by the Data
Protection Officer; guidance on technical issues to do with the security of
electronic data will be given by the Director of IT Services.
8. General
8.1
Standards
8.1.1
The University will adhere to appropriate national and international
standards in deploying technology, consistent with the requirements of a
teaching and research environment. In addition, the University will comply
with appropriate codes of conduct and good practice developed by the higher
education community, appropriate professional bodies, or by those bodies
with which it collaborates.
8.1.2
The University will have regard to the British Standard Code of Practice for
Information Security Management, BS 7799 (since superseded by ISO/IEC 27001
and ISO/IEC 27002), in defining information management procedures and
guidelines.
8.1.3
At any given time the University’s current strategy document for Information
Technology should identify the major standards to be followed with regard to
information security.
8.2
Audit
8.2.1
Heads of Schools and Units are required to show what steps have been taken to
ensure that appropriate strategies and procedures relating to the security,
integrity, resilience and confidentiality of information are in place at
departmental level.
8.2.2
Policies and procedures relating to information held or managed within the
University will be audited and reviewed regularly by the Information
Committee or other appropriate body.
8.3
Funding
8.3.1
The University will devote central or departmental funding as appropriate
for the implementation and operation of the Policy, and will monitor
implementation by reporting through central and departmental plans.
8.4
Complaints Procedures
8.4.1
Alleged contraventions of the legislation and the University’s policies,
guidelines or codes of practice, or alleged breaches of security should be
submitted via the appropriate University complaints or grievance procedure.
8.4.2
Alternatively, specific points of contact may be identified to obtain more
detailed guidance or to carry out a preliminary investigation. In particular,
where a technical investigation is required or where it is suspected that there
has been a breach of computer or network security, the Director of IT Services
must be contacted without delay.
8.4.3
The University will publish a point of contact for use by external individuals
or bodies who wish to make a complaint relating to the behaviour of the
University or any member of staff or student, for example in connection with
breach of copyright or any illegal or inappropriate use of IT.
8.5
Disciplinary Procedures
8.5.1
In addition to any possible legal sanctions attaching to particular elements of
this policy, breach of the policy and failure to follow the guidelines for
computer and data security are internal disciplinary offences.
8.5.2
The Director of IT Services can authorise any reasonable steps to be taken to
investigate suspected breaches of the policy, and can either impose sanctions
as laid down in the Policy on the provision of IT services, or refer the matter
to the appropriate disciplinary body.