Information Security – Human Resources Policy

This policy explains that all staff must abide by University information policies, undertake compulsory training and maintain their knowledge and skills. Failure to follow information policies may lead to disciplinary proceedings.

It applies to all staff, including those who are provided with access to University information and IT systems via an associate staff account.

Policy

1.1 It is the policy of the University that all staff, whether holding a casual, temporary, fixed-term or open contract, must comply with the Information Security Policy of the University.

1.2 All staff are informed that they are required to abide by the University’s policies relating to data protection and information security when they receive their terms and conditions of employment. By accepting their terms and conditions of employment, an employee makes a formal undertaking to abide by the policies. The undertaking applies both during and after their employment with the University.

1.3 If, after investigation, a member of staff is found to have violated the organisation’s data protection, records management or information security policy, they may be disciplined in line with the University’s disciplinary process.

1.4 Depending on the information security requirements, the University may make additional background checks or conduct additional tests during the recruitment process to assess the suitability of candidates for a role.

1.5 All staff must undertake information security, records management and data protection training during their induction to raise their awareness of the risks and issues associated with handling University information, and the appropriate safeguards. This training will be made available through the University’s Statutory and Compliance training programme.

1.6 All staff will be informed of the need to report information security incidents and data protection breaches quickly and of the appropriate method for doing so. Periodic reminders will be issued to all employees.

1.7 All staff must maintain their knowledge and skills in relation to information security throughout their employment at the University, undertaking training as required.

1.8 At the request of the Director of Human Resources (or equivalent senior manager), access to information or IT systems may be removed.

1.9 Any staff member who leaves the organisation will have their access privileges terminated in line with the Managing User Access Policy.

1.10 On leaving the University, a staff member must return all information assets and equipment belonging to the University.

2. Scope

2.1 This policy applies to all staff, including those who are provided with access to University information and IT systems via an ‘Associate Staff’ user account.

2.2 This policy supplements University Regulation 11 "Using University Information" and University policy on Records Management and Data Protection.

2.3 The responsibilities of individuals and others who are engaged to provide services to the University, and who may have access to University information as part of that contract, are defined in the information security policy ‘Third Party Access to University Information and IT Services Policy’.

3. Oversight

3.1 The Information Security Board, chaired by the Director of IT Services, will monitor the effectiveness of this policy and carry out regular reviews.

4. Responsibilities

4.1 All information users are responsible for protecting and ensuring the security of the information to which they have access.

4.2 University Officers, Heads of Departments and Line Managers are responsible for ensuring that all information in their area is managed in conformance with this policy.

4.3 All staff, students, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.

4.4 Any breach of information security or violation of this policy must be reported to the Head of Cyber Security, who will take appropriate actions and escalations and inform the relevant authorities where required.

5. Policy implementation documents

5.1 This document, together with related information security policies and implementation documents, is available at:

5.2 Terms and conditions of employment are available on the Human Resources department website at:

  • http://www.york.ac.uk/admin/hr/terms_conditions/

Document history

14 November 2012 Approved by Information Policy Executive
13 December 2012 Approved by Information Security Board
29 January 2016 Reviewed and approved by Information Security Board
31 July 2019 Reviewed and approved by Information Security Board
24 January 2023 Reviewed and approved by Information Security Board

Review

Review cycle: Annual 

Date of next review: Jan 2024

Support

For support in ensuring you are delivering to the requirements of this policy, contact the Cyber Security Team.