ANGLIA RUSKIN UNIVERSITY
Information Security Guideline no. 117 – Cryptography

Scope

1. The definition of "personal data" is complex, but for day-to-day purposes it is advisable to treat all information about living, identifiable individuals as "personal data". It is also important to be aware that some personal data is also classified as "Sensitive Personal Data" in accordance with the Data Protection Act 1998. This is personal data relating to racial or ethnic origin, religion, political opinions, physical or mental health, trade union membership, sexual life or criminal offences. Sensitive Personal Data should be treated with even greater care than other personal data.

2. For the purposes of this guideline, personal data and business information might be in a variety of formats, including but not limited to email, word processed documents, spreadsheets and databases.

3. Failure to comply with this guideline could expose Anglia Ruskin University, its staff or students to risks including fraud, identity theft and distress, or damage our reputation and our relationship with stakeholders, including research funders. The Information Commissioner (ICO) can also levy fines on public bodies, including us, of up to £500,000. For example, in November 2010 the ICO imposed a fine of £100,000 on a local authority for sending a fax containing highly sensitive information to the wrong recipient on two separate occasions.

4. The seventh principle of the Data Protection Act 1998 relates to the security of personal data and sets out how organisations should use personal data. It states: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

5. This guideline provides guidance for staff on how to judge what measures are appropriate in particular circumstances when using, transporting or storing personal data or highly sensitive information outside our computing environment. The basic principle is that Anglia Ruskin University data should not be taken off-site unless for university business, e.g. on a laptop. In that case, personal data or sensitive personal data must be encrypted using our standard encryption software, which is available from the IT Services support desk. This guideline is mandated by the Office of the Secretary and Clerk and implemented by IT Services.

6. Medium and high risk personal data or business information must be encrypted if it leaves the university environment.

7. IT Services has licensed file encryption software that will protect files held on laptops and USB sticks. This is available on request.

Key principles

8. The following key principles underpin our guidelines on the storage, transmission and use of personal data and sensitive business information outside our computing environment. All staff must comply with these principles when using mobile devices and portable storage media or otherwise removing information from our computing environment.

a. Avoid using personal data wherever possible.

b. If the use of personal data is unavoidable, consider partially or fully anonymising the information to obscure the identity of the individuals concerned.

c. Use our secure shared drives to store and access personal data and sensitive business information, ensuring that only those who need to use this information have access to it.

d. Use remote access facilities to access personal data and sensitive business information on the central server instead of transporting it on mobile devices and portable media or using third party hosting services.

e. If there is no option but to use mobile devices, portable media or email for high and medium risk personal data or business information, encryption software should be used. This is available, on request, from IT Services.

f. Personal equipment (such as home PCs or personal USB sticks) or third party hosting services (such as Google Mail) should not be used for high or medium risk personal data or business information.

g. If email is used to send personal data or business information outside the university environment, it should be encrypted. If you are sending unencrypted personal data or business information to another university email account, indicate in the email title that the email contains sensitive information so that the recipient can exercise caution about where they open it.

h. Do not use high or medium risk personal data or business information in public places. When accessing email remotely, exercise caution to ensure that you do not download unencrypted high or medium risk personal data or business information to an insecure device.

i. Consider the physical security of personal data or business information; for example, use locked filing cabinets/cupboards for storage.

j. The fifth principle of the Data Protection Act 1998 states that personal data processed for any purpose or purposes should not be kept for longer than is necessary for that purpose or purposes. It is therefore important to implement our retention and disposal policies so that personal data and sensitive business information is not kept for longer than necessary. For information relating to the current Retention of Records schedule, please refer to Appendix G of the Financial Regulations (on the Finance website). If there is no suitable retention and disposal policy in place for a particular document, contact the University Records Manager, Jackie Barlow, to arrange for one to be put in place.

ARU - Version 05 - May 2012