Ten steps to better data security

  posted by campus | 05/04/2018

The new General Data Protection Regulation (GDPR) becomes law in the UK on 25th May 2018.

This new legislation is intended to give individuals more rights and control over uses of their personal data, placing greater emphasis on accountability for organisations, including universities, that process this type of information.

Many staff members at the University will come into contact with personal data in their work. Under GDPR, personal data can be as simple as a student’s name, course title and email address.

We already have a legal responsibility to maintain good data security practices. Many of us are entrusted to look after information belonging to colleagues, students and other stakeholders on a daily basis.

Here are ten (fairly) simple steps to better data security that staff can adopt without extra cost or impact on working practices:

1. Keep Your Desk Organised and Sensitive Documents Locked Away

Papers, mobile devices and USB flash drives can contain lots of sensitive data and are easily misplaced in an office environment. Ensure personal data is protected against loss or theft by keeping your desk organised. Lock sensitive documents or devices away overnight or whenever your desk is unattended, and store the key somewhere safe. Lock your PC workstation when you’re away from your desk too. This takes just a few seconds on a PC by using the keys Control-Alt-Delete and then Return.

2. Use Suitable Software

Look to the University’s enterprise software suite, Microsoft Office 365, for an application that will do what you need before considering other third-party software. If you use other software to do anything with personal data, you will most likely need a Data Processing Agreement in place with the provider. If in doubt, please contact the University’s Information Compliance team or ICT. Be particularly careful with services such as Dropbox, Google Forms and Survey Monkey, which are not approved University platforms and should never be used to process personal data from University activities. Equivalent functions are offered by Office 365 (e.g. OneDrive and Forms).

3. Avoid Storing Personal Data on Your Own Devices

Avoid storing personal data relating to University activities directly on your own device (i.e. on the physical memory of a laptop, tablet or smartphone). Use Microsoft Office (e.g. Outlook, OneDrive) or the Citrix remote desktop to access work files through the cloud. Make sure you have security features enabled for your devices, such as ‘Find my iPhone’ and a passcode / fingerprint lock, just in case you misplace one. You can ask ICT for advice on how to encrypt devices, such as USB flash drives, if you intend to use them for work. Any machine using the Citrix remote desktop is encrypted.

4. Keep Software and Antivirus Up-to-Date

If you use your own PC, laptop or mobile device (or a non-ICT-managed University device) for University work on campus, while travelling or at home, keep the operating system and drivers (firmware) updated and install a good antivirus package where required. Drivers, software and antivirus are automatically maintained for ICT-managed devices. Check your device manufacturer’s website to see if you have the latest drivers installed. All members of University staff can install Sophos antivirus for free. Keep other third-party software and apps updated regularly too, and uninstall software you no longer use.

5. Password Protect and Encrypt Sensitive Files

Encrypt and password protect files containing sensitive information or personal data to minimise the risk of unauthorised access. To do this for Microsoft Office files (e.g. Word, Excel), open the file and follow the options File / Info / Protect / Encrypt with Password. Similar functions are available in Adobe for PDF files. Remember you will need the password to open a protected file, as will other users or recipients! Strong encryption is vital if you intend to send a file containing highly sensitive or significant personal data outside of the University’s network.

6. Do Not Send Personal Data By Email Attachment

If you must send a file containing personal data by email, do not send it as an attachment, even to colleagues within the University. Try adding the file to Microsoft OneDrive and send a link to that file instead. You can then manage permissions, restrict editing and delete the file as necessary. To do this, upload the file to OneDrive, select it and click ‘Share’. Use the drop-down menu to adjust permissions (e.g. restrict it to the University’s network or named recipients) before creating a link you can share by email. If you can only send a file as an attachment (e.g. due to the file type or size), use the password and encryption tools in the 7-Zip file compression software available in the Software Centre. Speak to ICT if you’re unsure. Never send the password in the same message as a protected file or link. It’s good practice to relay it by phone instead. Don’t use email clients other than Microsoft Outlook for sending personal or sensitive data arising from your University work.

7. Pay Attention to the To and CC Lines in Email

When using email for any correspondence on sensitive subjects or where personal information might be concerned, pay particular attention to the address line and watch out for Outlook’s autocomplete function, which by default suggests both internal and external recipients. If you prefer, you can turn off autocomplete in Outlook by going to File / Options / Mail and unticking the relevant box under ‘Send messages’. You can also manually delete suggested email addresses as they pop up in the ‘To’ field by tapping ‘Delete’ or the cross icon when the name is highlighted in the drop-down menu. If you know the recipients are internal only, search for them in the Global Address List instead. That way, you can be sure to find the right recipient by matching the name and job title.

8. Set Strong Passwords and Protect Them

Choose a strong password for your University network account and never use this same password to register with any other website, online service or subscription. A strong password should be unique (never a lone dictionary word or common name), with a mix of capital and lower-case letters, numbers and special characters (such as quote marks, underscores or exclamation marks). Do not store or send your password in an email. You can set a memorable password by using combinations of meaningful words or phrases that other people would not easily guess, replacing certain letters with special characters, like @ for a, and including some numbers.

9. Dispose of Old Files and Emails Securely

Don’t keep sensitive or personal data any longer than it’s needed. GDPR includes a principle of ‘data minimisation’, meaning we should only collect and store personal data we really need, and dispose of it securely and promptly once it’s no longer required. This could include clearing out your email folders and H-Drive, or shredding paper documents. It’s perfectly acceptable to retain personal data for contractual, regulatory, research or archiving purposes, provided it’s stored securely and with a lawful basis under GDPR. Different types of ‘information assets’ have different lifespans, set out in the University’s Data Retention Schedule. Speak to the Information Compliance team for advice on data retention if needed.

10. Refresh Your Knowledge of Relevant Policies and Guidance

The University’s policies relating to ICT use, data protection and privacy are updated as new technologies emerge, legal frameworks change and new guidance is issued. GDPR is the biggest change to data privacy laws in a generation, so it’s important all staff refresh their understanding of relevant policies and guidance and think about how this applies to their role and working practices. Key University policies like the ICT Acceptable Use Policy and Data Protection Policy are located on The Portal.

If you would like further information on GDPR preparation or data security, please contact:

You can also find useful guidance from governmental organisations like the ICO and industry bodies or membership organisations such as Jisc. Some links are included below: