Uploaded by flacko9876

Information Transfer Policy

Student Name
Institution Affiliation
Instructor
Date
ISO 27001 Annex: A.13.2 Information Transfer Policy
Synopsis
Within the University of Hertfordshire, a large volume of information is conveyed to other public
bodies, third-party service providers, other departments, and individuals, not to mention commercial
organizations. It is conveyed using an assortment of media and methods in whichever way
the receiver prefers, whether on paper or in electronic form. In transferring data, there is a
heightened risk of losing the information accidentally, or the information may be
misappropriated. The Council has a duty to be careful when handling any form
of communication. Information transfer at the University of Hertfordshire must be executed in a
way that protects the data and maintains the expectations of the organization's users for data
protection and confidentiality.
Scope and aim of the report
The University of Hertfordshire holds an enormous amount of data in paper and electronic
forms. The information transfer policy provides guidelines on how to safeguard such information
and also describes how confidential and sensitive information should be handled inside and
outside of the school. The information transfer policy applies to all parties who handle data
transfer, which includes staff members, workers, contractors, apprentices, and placement students,
as documented in the university ICT Policy (Abhayaratna, et al., 2021). Storage and handling of
data are governed by the Data Protection Act of the UK.
For the purposes of this report, data covers both raw, unformatted data stored on backup
drives and textual information that is transferred, for instance, reports, spreadsheets, Word
documents, PDFs, and many more.
The Information Transfer Policy applies to all employees of the University of Hertfordshire, as
well as any other third party who can handle the campus' information.
Exclusions
The policy does not cover information passed over the Hertfordshire internal network, since it has
automated security controls. Similarly, it does not encompass copyrighted secure transfers using
structures such as the BACS funding transferal, since such platforms have independently
implemented security prerequisites.
The Policy Statement
The University of Hertfordshire recognizes its role in proper information handling, which is
achieved through legal means and in line with in-house policy requirements and information transfer
policies and procedures (ISO: A.13.2.1) (CAF: B3.b). The sender is responsible for analysing the
risks of the intended transfer and for ensuring that all the risks are recognized and covered so
that the transfer process is seamless (Abhayaratna, et al., 2021). The primary safety requirements
and security protocols are identified hereafter. Policy compliance is checked by an IT
Auditor, who will evaluate the systems. If there is unquestionable evidence that an operator has
violated the policy, as mentioned earlier, they may face the Council's disciplinary
procedure (Concu, et al., 2020). If they are also found to have broken the law, there is
a possibility of prosecution. Before a user starts working with this policy, they should take
time to read the terms and conditions and seek advice from their attorney or the Data Protection
Officer.
The policy's objective is to uphold the security of information distributed to any
external body or inside the institute.
A.21.3.2 Information Transfer Policy
Control: Procedures, official transfer policies, and authorities have to be established to
safeguard the individuals transmitting information through every form of communication.
Implementation management: The following items shall be addressed in the controls and
procedures needed when passing information from one facility to another:

Systems created to prevent misrouting, alteration, copying, destruction, and interception of
transferred files.

Measures to identify and shield against malware from electronic forms of communication
such as email, WhatsApp, etc. (Concu, et al., 2020).

Other measures to safeguard information communicated electronically, especially
information that involves the use of an attachment.

Rules and guidelines on the proper use of communication facilities (see
8.2.4) (Bossman, et al., 2022).

The responsibility of any user and external party not to misuse the
channel, for example through unauthorized purchases, the transmission of chain letters,
impersonation, harassment, defamation, etc.

The application of encryption systems, for instance, to safeguard privacy, authenticity, and
information integrity (see clause 15) (Cook, & Overpeck, 2019).

Disposal and retention policies that comply with the state and legislative
requirements for the University, and that cover the messages sent and the systems to be
used.

Controls and constraints concerned with the appropriate use of communication facilities, for
example, the automatic forwarding of electronic mail to external third parties (Cook, &
Overpeck, 2019).

Operatives are advised not to give out information such as passwords and to take significant
measures to protect against unauthorized access.

Employees are advised not to leave vital information on platforms such as
answering machines, since others can easily access, replay, store, and take it as a result of
carelessness (Yue, et al., 2020) (Xia, et al., 2022).

Highlight the problems associated with using fax machines, more specifically
unauthorized access to and retrieval of data stored in such devices.

Address the unintended programming of machines to send messages and information to
different people.

The policy against sending data to the wrong, unintended audience.
A.21.2.3 Agreements on Information Transfer
Control: Agreements should deal with the protected sharing of information between departments or
with outside third parties.
Execution guidelines: The information transfer agreements (ISO: A.13.2.2) include the
following elements:
1. Control of notification responsibilities, dispatch, and transmission, as well as receipt control.
2. A policy ensuring non-repudiation and traceability of information (Schumacher,
2022).
3. Required packaging and transmission procedural specifications.
4. Escrow agreements.
5. Criteria for courier identification.
6. Liabilities and responsibilities in case of data loss and security incidents.
7. Proper labeling systems to ensure priorities are identified and sensitive information is
protected against unauthorized access.
8. Special mechanisms, especially cryptography and encryption, that are
needed for special services.
9. Limiting the levels of control and access.
To safeguard data and physical resources that are in transit (cap 9.1.2) (Peregrino, et
al., 2022), protocols, procedures, policies, and guidelines should be established,
implemented, and maintained, and appropriate follow-up should be conducted regularly to check the
reliability of the systems. The information presented in any agreement should be listed in order
of data sensitivity.
Agreements may be signed either manually or electronically. To protect
confidential data, the University of Hertfordshire's particular type of agreement shall be
consistent in all systems used to transfer information, in line with Agreements on information
transfer (ISO: A.13.2.2) (Varjú, 2022).
Risk assessment
Whenever a sender passes information and transfers data, there are many risks: the
data may be lost, accidentally released, or misappropriated. Therefore, the sender
is liable for any damage caused and must ensure that adequate levels of
control are applied in line with the policy guidelines (Lee, & Ma, 2020). The following section
provides different procedures and rules to be put in place before transmitting any data. It
provides an assessment of appropriate security for the network. Whenever an employee is in
doubt, they must contact the Data Protection Officer and review the guidelines (Siarova, & van
der Graaf, 2022).
Is the transmission legal and necessary?
It is harmful to suppose that, because a person requests access to data, they are
personally entitled to authorized access and legally permitted to have it. If an employee working
for the University of Hertfordshire has any doubt, they should consult the data manager.
Only once the employee is certain that the transfer is necessary and legal should they
determine which type of data they are allowed to disseminate (LaCroix, 2020). This is crucial
because it defines what security is appropriate for the context. Additionally, the organization
risks reputational damage when sending confidential or personal information without
implementing proper checks and balances (Scagliarini, et al., 2020). As mentioned above, the
employee responsible for the action is liable to disciplinary action.
Is it dealing with Personal information?
Personal information concerns a private person. It encompasses religious beliefs,
sexual life, court appearances, sentences, physical or mental health, ethnic or racial origins, the
commission of offenses, and any other sensitive information about an individual.
Any activity involving personal information should be in line with the
Data Protection Act of 1998 (Ling, et al., 2019). Some of the indispensable requirements of the
Act are listed in Appendix 1. If an employee is in doubt, they must contact the Data Protection
Officer.
Before initiating any form of information transfer, the employee must:
Confirm that the communications department permits the transfer.
Obtain and file the authorization of the information owner before the transfer.
Make sure that the transmission is legal and follows the provisions listed under the Data
Protection Act.
Ensure that the transmission is required and consider whether there is a less intrusive way of
sending the information.
Black out and remove all the details regarded as non-essential for the recipient.
Is it confidential information?
Additionally, the employee has to determine whether the information is confidential and whether the
council has labeled it as private. It may encompass data that affects the interests of the
University of Hertfordshire or the interests of a third party. In other forms of communication,
the sender does not hold the copyright of the information. Thus it can leave private details at
risk, including salary details, agreements, contracts, and bank details (Shugurov, 2018). In the
unauthorized dispatch of personal data, the person responsible for the action is liable to legal
sanction and litigation (Katsinas, et al., 2019). At the same time, dispatching confidential
information can break the trust of the public and the partners of the business. Thus, before
initiating any transfer, a person has to ensure that the transfer is approved by obtaining a copy
of the approval of the transfer.
Data transfer considerations
After data preparation has been completed, the sender should check the appropriate
ways of channeling the information to the correct recipient. This section of the report outlines
the proper channels, principles, and restrictions to maintain data privacy. Legal authorization
should be obtained from the client by the sender. The following channels are available:
Electronic Mail
Whenever any information is sent via email, it must be approved by the appropriate council.
After that, the data is encrypted, for example with AES (256-bit) in WINZIP (Hwang, & Song,
2019). The passwords must be a mixture of numbers and signs and agreed upon by the
organization. All emails transferred should carry the specific data required to ensure that they
reach the correct client without any messages leaking, and must give guidance on what to do if they
land with unintended recipients. The system should allow communication with
recipients on whether the message was delivered successfully.
Fax transmission
Because of its poor information security, fax is not used in many circumstances except on demand. It
requires a great deal of work to check fax and telephone numbers to ensure the correct client gets
the required information. The information must be terminated once the right client gets it,
and clear responsibility should be stated for the way forward if it lands with an inappropriate
recipient (Kolisnyk, 2021). The time at which the target client receives the
message must be recorded, and if there are any issues, the manager must be informed.
Text messaging (SMS), Instant Messaging (IM)
This is a fast data transmission mode, but the information should be kept private as it may land
with inappropriate recipients. Proper checking of clients' contacts is encouraged, as any inaccuracy
may lead to sharing confidential information with a stranger. Therefore, the message must contain
guidelines on how to confirm whether the client got the data, and policies should be made on
retrieving it if it lands with an unintended client.
Telephone/Mobile Phone
Information in calls may be shared or overheard accidentally, so the information conveyed
should be kept to a minimum. Formal confirmation of the recipient should be obtained before sharing
any information in a phone call to ensure confidentiality. Private and personal information
should not be channeled in the phone conversation except when the client allows it legally and
gives a cozener identified appropriately in collaborative internet sites that are restricted from
personal information sharing.
Electronic memory
The data must be stored on products agreeable to the company setting; the preferred
encryption in many organizations is AES (256-bit) in WINZIP 11.1, with an appropriate
password made up of various numbers and letters (Adam, 2020). The passwords should be
transmitted by a means other than email so that they reach the recipient without any leakage of the
file information. The information should remain untouched until it reaches the appropriate
recipients, with measures in place on what to do if the content lands with any other person.
Delivery by post or hand
Paperwork or files must be secured in transit and effectively tracked until they reach the
target individual. The paperwork should be securely packaged and sealed with appropriate
labeling, without any breaks in the seal (Zhang, & Yu, 2021). The package should carry the
recipient's name and address and a place to sign after delivery with the correct time indicated. It
should also carry the return address and contact details to ensure the right client gets the
required information.
References
Abhayaratna, T., Carter, A., & Johnson, S. (2021). The ATO Longitudinal Information Files
(ALife): Individuals-a new dataset for public policy research.
Adam, A. M. (2020). Susceptibility of stock market returns to international economic policy:
evidence from effective transfer entropy of Africa with the implication for open
innovation. Journal of Open Innovation: Technology, Market, and Complexity, 6(3), 71.
Bossman, A., Umar, Z., Agyei, S. K., & Junior, P. O. (2022). A new ICEEMDAN-based transfer
entropy quantifying information flow between real estate and policy
uncertainty. Research in Economics, 76(3), 189-205.
Concu, G. B., Atzeni, G., Meleddu, M., & Vannini, M. (2020). Policy design for climate change
mitigation and adaptation in sheep farming: Insights from a study of the knowledge
transfer chain. Environmental Science & Policy, 107, 99-113.
Cook, B. R., & Overpeck, J. T. (2019). Relationship‐building between climate scientists and
publics as an alternative to information transfer. Wiley Interdisciplinary Reviews: Climate
Change, 10(2), e570.
Hwang, S., & Song, H. (2019). Policy transfer and role of policy entrepreneur in international
aid: exploring international development cases of Korea and Vietnam. Policy
Studies, 40(1), 1-20.
Kolisnyk, M. (2021). Vulnerability analysis and method of selection of communication protocols
for information transfer in Internet of Things systems. Radioelectronic and computer
systems, (1), 133-149.
Katsinas, S., Bray, N., Hagedorn, L., Dotherow, S., & Malley, M. (2019). From vertical to
dynamic transfer: Recognizing continuous swirl in American higher education. Change:
The Magazine of Higher Learning, 51(3), 44-51.
LaCroix, T. (2020). Communicative bottlenecks lead to maximal information transfer. Journal of
Experimental & Theoretical Artificial Intelligence, 32(6), 997-1014.
Ling, H., Mclvor, G. E., Westley, J., Van der Vaart, K., Yin, J., Vaughan, R. T., ... & Ouellette,
N. T. (2019). Collective turns in jackdaw flocks: kinematics and information
transfer. Journal of the Royal Society Interface, 16(159), 20190450.
Lee, C., & Ma, L. (2020). The role of policy labs in policy experiment and knowledge transfer:
A comparison across the UK, Denmark, and Singapore. Journal of Comparative Policy
Analysis: Research and Practice, 22(4), 281-297.
Peregrino, P. F. M., Bonetti, T. C. D. S., Gomes, A. P., Martin, H. D., Soares Júnior, J. M.,
Baracat, E. C., & Monteleone, P. A. A. (2022). One Plus One is Better than Two: An
Approach Towards a Single Blastocyst Transfer Policy for All IVF Patients. Revista
Brasileira de Ginecologia e Obstetrícia, 44, 578-585.
Shugurov, M. V. (2018). Promising policy efforts on development and transfer of
environmentally sound technologies. Environmental Policy and Law, 48(6), 403-410.
Scagliarini, T., Faes, L., Marinazzo, D., Stramaglia, S., & Mantegna, R. N. (2020). Synergistic
information transfer in the global system of financial markets. Entropy, 22(9), 1000.
Siarova, H., & van der Graaf, L. (2022). Multi-stakeholder approach for better integration of
refugee students: Stakeholder engagement in the practice-research-policy transfer in
refugee education policy.
Schumacher, C. (2022). Effectiveness of hospital transfer payments under a prospective payment
system: An analysis of a policy change in New Zealand. Health Economics.
Varjú, V. (2022). The policy transfer of environmental policy integration: path dependency,
route flexibility, or the Hungarian way?. Policy Studies, 43(5), 943-961.
Yue, P., Fan, Y., Batten, J. A., & Zhou, W. X. (2020). Information transfer between stock market
sectors: A comparison between the USA and China. Entropy, 22(2), 194.
Xia, L., Yang, D., Zhang, J., Yang, H., & Chen, J. (2022). Enhanced Semantic Information
Transfer of Multi-Domain Samples: An Adversarial Edge Detection Method Using Few
High-Resolution Remote Sensing Images. Sensors, 22(15), 5678.
Zhang, Y., & Yu, X. (2021). Policy transfer: the case of European Union–China cooperation in
public administration reform. International Review of Administrative Sciences, 87(1), 320.
Appendix 1
The Data Protection Act of 1998
The guidelines for information protection are set out in the Data Protection Act of 1998, which
states that people who process personal data have to comply with eight codes of
appropriate practice. The law covers the guidelines. The following is required when dealing with
confidential data:

It shall be dealt with lawfully and fairly and, more particularly, shall not be processed
without proper administrative approval.

Data shall be obtained for specific lawful purposes and shall not be altered or handled in
any manner deemed incompatible.

Shall be relevant, adequate, and not excessive concerning the purpose for which it is
intended.

Shall be accurate and reliable and kept up to date.

Shall not be stored for a period longer than necessary and should be in line with the rights
of the subject listed in the Act.

Shall be stored securely with the expected degree of security.

Shall not be sent or transferred to a state outside of the UK except when adequate levels
of data protection are guaranteed.