Information Security – Human Resources Policy

This policy explains that all employees must abide by University information policies, undertake compulsory training and maintain their knowledge and skills. Failure to follow information policies may lead to disciplinary proceedings.

It applies to all employees, including those who are provided with access to University information and IT systems via an associate staff account.

Policy

1.1 It is the policy of the University that all employees, whether holding a temporary, fixed-term or open contract, must comply with the information security policy of the University.

1.2 All employees are informed that they are required to abide by the University’s policies relating to data protection and information security when they receive their terms and conditions of employment. By accepting their terms and conditions of employment, an employee makes a formal undertaking to abide by the policies. The undertaking applies both during and after their employment with the University.

1.3 If, after investigation, an employee is found to have violated the organisation’s data protection or information security policy, they may be disciplined in line with the University’s disciplinary process.

1.4 Depending on the information security requirements, the University may make additional background checks or conduct additional tests during the recruitment process to assess the suitability of candidates for a role.

1.5 All employees must undertake information security and data protection training during their induction to raise their awareness of the risks and issues associated with handling University information, and the appropriate safeguards. This training will be made available through the University’s Statutory and Compliance training programme.

1.6 All employees will be informed of the need to report information security and data protection incidents quickly and of the appropriate method for doing so. Periodic reminders will be issued to all employees.

1.7 All employees must maintain their knowledge and skills in relation to information security throughout their employment at the University, undertaking training as required.

1.8 At the request of the Director of Human Resources (or equivalent senior manager), access to information or IT systems may be removed.

1.9 Employees who leave the organisation will have their access privileges terminated in line with the Managing User Access Policy.

1.10 On leaving the University, employees must return all information assets and equipment belonging to the University.

Scope

2. Scope

2.1 This policy applies to all employees, including those who are provided with access to University information and IT systems via an ‘Associate Staff’ user account.

2.2 This policy supplements University Regulation 11 "Using University Information" and University policy on Records Management and Data Protection.

2.3 The responsibilities of individuals and others who are engaged to provide services to the University, and who may have access to University information as part of that contract, are defined in the information security policy ‘Third Party Access to University Information and IT Services Policy’.

Oversight

3. Oversight

3.1 The Information Security Board, chaired by the Deputy Registrar, will monitor the effectiveness of this policy and carry out regular reviews.

Responsibilities

4. Responsibilities

4.1 All information users are responsible for protecting and ensuring the security of the information to which they have access.

4.2 University Officers, Heads of Departments and Line Managers are responsible for ensuring that all information in their area is managed in conformance with this policy.

4.3 Employees, students, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.

4.4 Any breach of information security or violation of this policy must be reported to the Deputy Registrar, who will take appropriate action and inform the relevant authorities.

Implementation

5. Policy implementation documents

5.1 This document, together with related information security policies and implementation documents, is available at: http://www.york.ac.uk/.

5.2 Terms and conditions of employment are available on the Human Resources department website at: http://www.york.ac.uk/admin/hr/terms_conditions/

Document history

14 November 2012 Approved by Information Policy Executive
13 December 2012 Approved by Information Security Board
29 January 2016 Reviewed and approved by Information Security Board
31 July 2019 Reviewed and approved by Information Security Board

Review

Review cycle: Three yearly

Date of next review: July 2022