ISG No 109 - Data Security


ANGLIA RUSKIN UNIVERSITY

Information Security Guideline no. 109 – Data Security

The seventh principle of the Data Protection Act 1998 relates to the security of personal data and sets out how organisations should use personal data. It states,

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

The management and control of university data are typically centralised functions but access to data whether for creation, review or modification is granted to individuals. Responsibility for data confidentiality is not solely within the remit of central support staff but is shared with all individuals given access to the data.

Individual staff should recognise that responsibility and ensure that university information is not thoughtlessly or casually disclosed.

All university data (whether printed reports, screen displays, portable media - tapes, disks, cassettes, diskettes, CDs, memory cards/sticks) must be afforded protection, depending on the business criticality and sensitivity of the information.

Care should also be taken to maintain the confidentiality of data received from other organisations.

Anglia Ruskin University’s procedures and standards exist to control and manage operations and to give effect to regulatory requirements. Some are in place to limit potential exposures to us. It is important that their purpose and function - possibly even their existence - are kept confidential and only disclosed when and as authorised.

The disposal of media on which very sensitive data resides must be conducted in a controlled manner (e.g. reports shredded, data files deleted, disks degaussed, or diskettes destroyed and iPads wiped).

Users should not store university information on the hard drive of their personal device.

Where university data is held on a work station or laptop computer, the person to whom the machine is assigned is personally responsible for the custodianship of that data.

All personal computers and iPads require user authentication via Active Directory credentials and are configured with a 4 digit passcode on issue.

Data users must inform themselves fully of the terms on which they are permitted access to university data and observe those terms conscientiously. Misuse of access rights, whether deliberate or the result of gross negligence, is a disciplinary offence.

Data users are responsible for maintaining the accuracy and completeness of the data which they are authorised to amend, create or delete.

ARU – version 0.6 March 2013


Users must never leave workstations logged in while unattended. At a minimum, utilization of a screen locking mechanism is mandatory.

Recipients of university data shared with them have specific responsibility to:

agree, with the Faculties/Services creating and supplying the shared data, a process by which access to it is to be authorised - rights will be commensurate with the confidentiality and sensitivity of the data

use the data only for the purposes and in the manner agreed

understand, interpret and verify information derived from shared data within the context of its intended use

confirm with the data provider the validity, at least in principle, of any reworking (summarising, segmenting or reformatting) of the data and the conclusions drawn from the information

All staff must strive to be aware of and adhere to data retention requirements which affect their work. The fifth principle of the Data Protection Act 1998 states that personal data processed for any purpose or purposes should not be kept for longer than is necessary for that purpose or purposes. It is therefore important to implement our retention and disposal policies so that personal data and sensitive business information is not kept for longer than necessary. If there is no suitable retention and disposal guideline in place, contact the University Records Manager, Jackie Barlow, to arrange for one to be put in place.

Work station users must never leave disks, tapes, or other storage devices containing university data on their desks or otherwise unsecured overnight.

Papers and media should be stored in cabinets or cupboards when not in use, and ideally sensitive or business critical material should be kept in lockable fireproofed cabinets or cupboards.

Members of staff who hold university data off-site on (for example) laptop computers are the custodians of that data and are personally responsible for its physical security.

Users of stand-alone laptops, iPads and workstations are personally responsible for ensuring their data files are properly backed up.

Storage of sensitive information should take place on centrally managed file server systems in preference to local storage (i.e., the workstation hard disk drive).

Computer users must not knowingly attempt to access data or systems which are outside the requirements of their duties or attempt to exceed the computer facilities and privileges granted to them.


Online data protection training is available to all members of staff. If any member of staff would like to undertake this training or if they have any queries relating to data protection issues, they should contact Jackie Barlow, University Records Manager, at jackie.barlow@anglia.ac.uk or on 0845 196 4215.
