The University has a legal obligation under the Data Protection Act to ensure that all personal information is kept secure. This means that information must be protected against unauthorised or unlawful use and against accidental loss, damage or destruction.
Personal information can be held in personal computers, organizers, laptops, tablets, smart phones, paper and other forms. When working away from University premises, information must still be kept secure.
The level of security used to protect information will depend upon an assessment of the security risks. Risk assessment is a consideration of the harm that would result from a security failure (taking into account the potential consequences of a loss of confidentiality, integrity or availability of information) and the realistic likelihood of such a failure. Having considered the risk, appropriate controls can then be identified and used.
You should consider the following:
- Equipment or media should not be left unattended in public places. If feasible, portable computers should be carried as hand luggage and information carried on separate media from the computer when in transit (e.g. on USB sticks or similar).
- Manufacturer's instructions for protecting equipment should be followed (e.g. protection against exposure to strong electromagnetic fields).
- Computers and other hardware used for processing personal information must have appropriate virus protection.
- Access must be controlled to prevent unauthorised access (e.g. password on start up or secure file encryption).
- Data must be regularly backed up in case of loss or failure.
- All personal data must be removed from equipment before disposal.
Please bear in mind the following technical points:
- Operating system passwords can be bypassed. If the sensitivity of the data merits it, users should consider hard drives with their own password protection or an encrypted file system.
- Leaving wireless access enabled may permit network attacks on laptops, tablets and smartphones.
- Secure deletion means overwriting or reformatting of the media on which the data is stored, not simply pressing 'Delete'.
Technical advice is available from UIS and local Computer Officers.