Data Protection and Information Security. Data Security - Guidelines for the use of Personal Data

Transcription

1 Data Protection and Information Data - Guidelines for the use of Personal Data Page 1 of 10 Created on: 21/06/2013

2 Contents 1. Introduction Definitions Physical Electronic Transferring data securely within the University Transferring data securely to eternal third parties... 9 Page 2 of 10 Created on: 21/06/2013

3 1. Introduction Data is not managed solely through control the use of electronic information systems. Everyone processing personal data needs to be aware of the environment they are working in and take consistent appropriate action to protect against accidental damage or disclosure, unauthorised access or theft. Failure to secure data could result in a 500, 000 fine from the Information Commissioners Office and/or bad publicity for the University. Appropriate action means taking sensible approaches to security relative to the nature and sensitivity of the information for example: More caution should be taken when protecting sensitive personal data than is perhaps necessary with personal data (that does not mean that obligations towards personal data can be ignored) or The transfer of data in paper format may require a different approach to the transfer of data on an encrypted memory stick. This document provides some best practice advice on the security of data and should be implemented locally or individually as appropriate. 2. Definitions For definitions of terms used in the guidance, please see the Data Protection section of the University website 3. Third Party Access Temporary Staff working with personal data are no different to permanent staff. They need to be made aware of their responsibilities towards Data Protection. External contractors such as maintenance engineers may require access to areas or systems in the University containing personal data. Staff should not allow them unattended access to any more than they require in order to complete their work. Page 3 of 10 Created on: 21/06/2013

4 4. Physical 4.1 Working in the Office Most University buildings require large areas to be open access so as to allow students, staff, visitors and contractors to go about their legitimate business. The University takes steps to maintain general security to ensure that most office areas have a level of restricted access, but that does not mean that individuals handling personal data can relax or fail to be mindful of their actions in relation to the information they are handling. Faculties and departments should ensure that access to rooms in which they store personal data is restricted to authorised personnel only (this can include supervised guests ). Unauthorised personnel should not be allowed unattended access into areas where they may be able to access personal data, including where it is stored and accessed electronically. Members of staff should be aware that they are responsible for maintaining the integrity of information security. For physical records this can be achieved through simple common sense actions such as: Where possible, locking the door to an empty office/room when they leave which helps prevent unauthorised access, even if only for a few minutes. Challenging (politely) anyone in a secure area whom they do not recognise. Not leaving files containing personal data lying on a desk for anyone to pick up. Not leaving printed documents sitting on top of the printer for someone else to pick up. Locking sensitive data in secure cabinets, draws or other containers where they are provided. Not placing paper documents next to hazards such as liquids that could damage them. Page 4 of 10 Created on: 21/06/2013

5 Committee or board papers where personal data has been discussed (for example exam boards) should be disposed of securely by the meeting secretary and not taken away to be forgotten about. Disposing of physical records securely using the confidential waste sacks and not in the normal bins. 4.2 Working Off-Site No personal data should be collected or taken off-site without a legitimate and approved (by Faculty Registrar or Head of Service) purpose. Staff who are not required to work on personal data offsite should never transfer it away from the University. There may be times when members of staff may have a genuine reason for doing so, for example researchers may gather information offsite or Academics may from time to time work from home to mark papers. Processing information away from the University increases the risk of accidental loss, damage or theft, therefore staff should take the following precautions to minimise the risk when transferring and storing data. No personal data should be taken offsite without a clear understanding as to why it needs to be taken outside of the University and only with the permission of the appropriate senior manager. A record of what information is being taken offsite should be logged, if possible by type and the details of the individuals to whom it relates e.g. exam papers for module xyz, year 2. This way if they are lost, the University knows what information is missing. A record of when the information is returned to the University should also be kept. When using public transport it is important to ensure that bags containing portable devices are not left unattended or out of sight. This includes ensuring that they are not checked in as baggage on flights or left at the other end of a train carriage in the luggage compartment. Personal data should not be left in unattended cars. If there is a need to leave a car whilst transferring personal information, it must be locked out of sight securely in the boot not left on display on the front seat. Page 5 of 10 Created on: 21/06/2013

6 4.3 Loss of Personal Data Offsite In the event of loss or theft of a physical document containing personal data, notify the Police as soon as possible and make a record of the crime number. Notify the University as to what has been lost and the circumstances of the loss, including any precautions taken prior to the incident. Notices should be sent to the University office, the Records and Information Manager and the relevant Faculty/Department office. 5 Electronic 5.1 Working in the Office The University IT systems have inbuilt levels of security, such as logging on to the University Network or logging on additionally to other systems, but staff should still be aware of the threats posed to the integrity of personal data they access when using their computer. VDU screens should be positioned/angled in a way so that people walking by cannot view the detail displayed on them - not face on to an external window or within the office where visitors might walk past and view them. When leaving the computer unattended, even if it s only for a minute, you should remember to press Ctrl, Alt and Delete and lock the computer. This will prevent anyone accessing the computer without a password. Passwords should not be shared with other users unless there is an absolute emergency, they should then be changed at the earliest opportunity. No member of staff should allow another person, including other staff to use their log on details. Generic team accounts should not be created for accessing personal data Data should not be downloaded from University systems without a documented, legitimate purpose for doing so. Page 6 of 10 Created on: 21/06/2013

7 5.2 Working off Site No personal data should be collected or taken off-site without a legitimate and approved purpose. Staff who are not required to work on personal data offsite should never transfer it away from the University. Where staff have been authorised to work offsite, the following guidance should be adhered to: Portable Devices Portable devices include (but not limited to) Laptops, ipads, USB memory sticks, external hard drives, smart phones. Where possible, use remote access through DesktopANYWHERE (See 5.3) rather than transferring information on a portable device. Only use University supplied encrypted Laptops. If using a laptop/ipad in a public area (coffee shops, trains etc.) it is important to limit the view other people may have of the screen. Do not allow anyone else to use the device whilst personal information may be accessible from it. Do not use a public computer to access University systems containing personal data. Make sure that electronic data is backed up to the University network before you copy it to the device. Never transfer original files. Portable devices must be password protected or encrypted, or in the case of USB drives, disks or other storage devices, each stored file must as a minimum be protected by a password. All personal data should be transferred onto the university network and deleted from portable devices immediately upon return to the office, even if the same information will be taken away again the same day. Where the device synchronises with the University account, s containing personal data should be deleted from the device at the earliest opportunity before leaving the University or upon receipt if already away from the University. Page 7 of 10 Created on: 21/06/2013

8 5.2.2 Remote Access through DesktopANYWHERE Ensure that virus scanning software is up to date on all home computers or other devices used to remote access via DesktopANYWHERE. Do not allow other people (family, friends) to use computers whilst they are connected through DesktopANYWHERE. Documents should not be saved to the computer unless absolutely necessary. Any University Documents stored on the home computer should be saved back onto the University network and then deleted from the home PC. Recycle bins should be emptied immediately upon deletion. 5.3 Loss of Personal Data Offsite Portable devices are susceptible to loss or theft. In the event of loss or theft of an electronic portable device, notify the Police as soon as possible and make a record of the crime number. Notify the University as to what has been lost and the circumstances of the loss, including any precautions taken prior to the incident. Notices should be sent to the University office, the Records and Information Manager and the relevant Faculty/Department office. If the device is a University ipad, notify IT Services so that the data can be remotely wiped. 6 Transferring data securely within the University Should you be asked to provide sensitive personal data to a member of University staff, you should always confirm the identity of the person making the request and the purpose for which it is required. If you are unsure as to whether or not the data should be supplied, contact the Records and Information Manager who will advise. 6.1 Hard Copy Information or portable Electronic Devices Personal data may be transferred internally using the internal mail Records containing sensitive personal data may be transferred via the internal mail system; however, there might be some instances (e.g. Page 8 of 10 Created on: 21/06/2013

9 medical reports) where it is more appropriate to hand deliver the information. Any transfer of personal information should be marked Confidential The decision on the most appropriate method should be based upon the sensitivity of the particular data and the urgency in which it is required s Personal data may be transferred internally using the internal but check to ensure that the recipients in the To, CC or BCC fields are members of staff and not students with the same name. Sensitive personal data may, with prior approval, also be transferred internally using the internal but check the recipients in the To, CC or BCC to ensure that they: o Are members of staff and not students with the same name. o Are entitled to view the information you are sharing (i.e. have a documented legitimate business need) o Have checked that any Delegates on their inbox are authorised to view the information or that they have removed anyone who should not access the data. o Attached documents are password protected. o Subject includes the word **Confidential** 7 Transferring data securely to external third parties For advice on which third parties can received personal data, see the guidance document Guidelines for the use of Personal Data Third Party Access Where the University is the Data Controller, do not use FTP, Dropbox or any other online service (see Guidelines for the use of cloud based storage for storing and sharing University Information ) Where the University is a Data Processor on behalf of an external Data Controller, staff should follow the requirements of the Data Controller. If there are any concerns about the requested method of transfer, raise them with the University Records and Information Manager. Page 9 of 10 Created on: 21/06/2013

10 If personal data is to be transferred externally via or on a disk, password protects the document(s) and telephone the recipient with the password. Never send the documents and the passwords together. Where sending documents (or disks, memory sticks etc.) by post, consider send it via registered delivery, especially where the data included sensitive personal information. Mark all correspondence, whatever the media of transfer as confidential and for the recipient only. If the information is to be faxed, check the number and then check it again before sending. For further guidance or advice, please contact: Duncan James duncan.james@northumbria.ac.uk Records and Information Manager Vice Chancellor s Office Ellison Building Telephone: x7357. Page 10 of 10 Created on: 21/06/2013