Information Security Policy

This is the overarching policy which explains the key ways that the University ensures the secure handling of its information while providing appropriate access.

It applies to everyone - all staff, students, associates, and anyone else authorised to use University IT facilities and information.


1. Policy

1.1 It is the policy of the University of York that the information it manages will be appropriately secured to protect against the consequences of personal data breaches, breaches of confidentiality, failures of integrity, or interruptions to the availability of that information.

1.2 The University will aim to achieve a culture in which legal requirements and information security risks are considered whenever information is handled, through the provision of training, awareness campaigns and specialist guidance and advice.

1.3 The University will implement information security management practices which apply appropriate security while at the same time enabling staff, students and visitors to access and use the information they need.

1.4 The University will collect, store and process information in accordance with applicable privacy and information laws.

1.5 Information held in user accounts may be examined on behalf of the University by authorised persons for specific operational or legal reasons. In these cases access will be authorised and conducted in accordance with the University policy on Investigations.

1.6 This document, together with related information security policies and implementation documents at, defines the framework within which information security is managed across the University.


2. Scope

2.1 This policy is binding on all those who use University information, such as staff, students, contractors, consultants, visitors and guests of the University, whether accessing information from on or off campus.

2.2 This policy supplements University Regulation 11 “Using University Information” and University policy on Records Management and Data Protection.


3. Oversight

3.1 Overall responsibility for information security in the University is delegated from the Vice Chancellor, via the Registrar, to the Director of Information Services. The Director of Information Services has the authority to define and implement University-wide information security policies.

3.2 Information Strategy Group is responsible for approval of information security policy and for overseeing policy implementation via the Information Security Board.

3.3 The Information Security Board, chaired by the Deputy Registrar, is responsible for regular policy reviews and monitors the effectiveness of the information security policy across the University. It also commissions and responds to independent audits of information security arrangements.



4. Responsibilities

4.1 All information users are responsible for protecting and ensuring the security of the information to which they have access.

4.2 University Officers, Heads of Departments and Section Heads are responsible for ensuring that all information in their area is managed in conformance with this policy.

4.3 Staff, students, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures.

4.4 Any breach of information security or violation of this policy must be reported to the Director of Information who will take appropriate action and inform the relevant authorities.


5. Policy implementation documents

5.1 This document, together with related information security policies and implementation documents, is available at:

Document history

14 May 2012 Approved by Director of Information, J Stephen Town
16 October 2015 Reviewed and approved by Information Security Board
31 July 2019 Reviewed and approved by Information Security Board


Review cycle: Three yearly

Date of next review: July 2022