This guidance aims to help you meet the User Commitments in the Policy for safe use of University information on all devices by describing how you must configure and manage your devices to ensure safe use of University information.
- Policy for safe use of University information on all devices
- Information Classification and Handling Scheme
- Data Protection
- Records management
- For researchers: Storing your data securely
- Information Commissioner’s Office: Online and electronic devices
Devices supplied by the University and which are managed by IT Services or an approved department system administrator (contact your Departmental Computing Officer in the first instance) will have security and management requirements pre-configured before the device is issued.
You must still act to meet all the User Commitments except:
Includes any devices which are not managed by IT Services or an approved department system administrator (so do not have security and management features pre-configured), including those which are supplied by the University, personally owned or provided by third parties.
You must act to meet all the User Commitments and ensure you configure your device with the required security features.
User commitment 2.1
Users must follow the actions specified in this policy in order to meet the University’s compliance requirements. Users must check whether there are additional legal and contractual requirements for their handling of University information and take action to meet them.
Everyone has a part to play in protecting information at the University and respecting duties of care. Loss or inappropriate use of information can harm others, damage our reputation and have legal and financial repercussions for the University and for you. You must protect your own information and devices, and safeguard other people's information.
If you act in breach of this policy, or do not act to implement it, you may be subject to disciplinary procedures or other appropriate sanctions.
In addition to meeting the University's requirements described in this policy you must also meet any other legal, ethical or contractual requirements which may be imposed on specific types of information, eg by bodies providing research funding or organisations with whom you have signed contracts.
It is your responsibility to check agreements and contracts and act on any requirements.
Advice is available from the Research Innovation Office.
User Commitment 2.2
Users must ensure that University regulations, policies and guidelines are followed when any device is used to create, store, transfer, process or destroy University information.
This commitment applies as soon as you enable automatic login to any service which might access University information. This includes access to your University Google account (email, Docs, etc); you cannot control receipt of emails or sharing of documents containing confidential University information so you must act to ensure security at all times.
Confidential University information is defined in the Information Classification and Handling Scheme.
Information Policy & You provides more information on the regulations and policies which apply to managing information safely.
User Commitment 2.3
Users must consider and address the risks of using any device to access University information in order to:
It is good practice to minimise the amount of University information stored on or accessed from non-University managed devices.
Remember that you need to ensure the security of all devices which hold University information, including mobile devices such as laptops, netbooks, smartphones, tablets, USB sticks, external or removable disc drives, voice recorders and flash/memory cards. The guidance for User Commitment 2.5 provides more information on how to configure your device.
Remember to consider the security of information on mobile devices where there are no device security features available (eg on many USB sticks, voice recorders, flash/memory cards it is not possible to set up passwords or encryption). You must not use these devices for confidential information (see the University Information Classification and Handling Scheme).
More detailed guidance on securing your data is provided by IT Services:
User commitment 2.4
Users must check the data protection and security requirements for University information stored on or accessed from their devices before travelling abroad, particularly if travelling outside the European Economic Area.
There are significant data protection and security issues relating to taking personal and other confidential information or encrypted devices and data abroad.
This is only a summary of the issues you need to consider.
Before taking University information or a device abroad you must read the more detailed guidance in Travelling abroad, which explains the key points to consider in relation to travelling with University information or an encrypted device or data.
If in doubt contact IT Support for advice.
Many countries do not meet the Data Protection principle VIII requirements. The Data Protection Act provides standard rights and protections for personal data within Europe and requires that "Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."
Guidance on this principle is available from the University Data Protection website:
If you have encrypted the device and the data, you may be able to travel with personal data on your device. However, there are important exceptions to this so you must always carefully consider all the potential implications before taking your device and any personal data on it abroad. Some countries do not allow entry of encrypted devices without prior permission (or at all) and most countries can insist that the device and data is un-encrypted before entry (see below).
Similar considerations apply to personal data held in physical form.
The ICO provides the following example in its guidance: Sending personal data outside the European Economic Area (Principle 8): How do I assess adequacy?
"An employee travels outside the EEA with a laptop containing personal data connected with their employment. Their employer in the UK is still the data controller. As long as the information stays with the employee on the laptop, and the employer has an effective procedure to deal with security and the other risks of using laptops (including the extra risks of international travel), it is reasonable to decide that adequate protection exists."
To meet this requirement you must read and act on the guidance Travelling abroad, which explains the key points to consider in relation to travelling with University information or an encrypted device or data
Other confidential information
The University Information Classification and Handling Scheme classifies other types of information as Confidential (eg some financial transactions, internal reports, commercial contracts, research data), which might be at risk if held insecurely. You must consider the security of all confidential information before travelling abroad as there may be consequences for the University if encrypted devices and data are not allowed into the country (and may be confiscated) or are required to be un-encrypted before entry is permitted (see below).
Encrypted devices and data
Check whether your device is encrypted. University managed devices may have been encrypted when set up. On some non-University managed devices setting up password protected auto-locks and screensavers automatically encrypts the device and you might have encrypted other devices or your data yourself. You might think this means it is safe for you to travel with personal and other confidential information on your device.
However, issues arise because some countries do not allow encrypted devices and data to enter the country without prior permission, or at all. In some circumstances you may be required to un-encrypt your device or data before entry, even when you have prior permission or permission is not needed. These issues will impact on whether you can take your encrypted device or personal data and other confidential information abroad.
User Commitment 2.5
Users must encrypt, manage and configure their devices to ensure that University information is kept secure.
This is a summary of the actions you need to take to secure your devices and the information on them. These actions must be taken before accessing or storing University information on the device. Please read this page carefully to ensure you do not miss any required actions for your device.
Accessing any service such as email or Google Drive has the potential to give access to confidential University information as you can't know when someone will send or share with you confidential information.
You must assess the risk to University data whenever you access any service and secure the device if there is a chance of confidential information being accessible.
If you do not take these actions then your device is considered insecure and you must not directly access or store confidential University information on that device. Instead, you should use the Virtual Desktop Service (VDS) to access the data through a secure virtual machine.
Devices supplied by the University and which are managed by IT Services or an approved department system administrator will have security and management requirements pre-configured before the device is issued.
You must not store or transport confidential information on removable or external media (eg USB sticks, external or removable disc drives, voice recorders and flash/memory cards) which do not support passwords or encryption (as mandated in the University Information Classification and Handling Scheme).
For clarity we have broken down the actions into six categories:
Please note: Some devices will not be able to meet all the requirements detailed here. If your device does not meet all the requirements detailed here it must not be used to access confidential University information, except through the VDS.
Accounts, passwords and screen lock features
Security patches and software updates
For further guidance, including recommended software, see:
Network settings and firewalls
For further guidance, see:
Remote security features
Some devices offer remote lock/erase/locate features for extra security in the event your device is lost or stolen. If your device offers these features it is recommended these are enabled.
User Commitment 2.6
Users must encrypt confidential University information before sharing it and use University supported services to transmit and store it.
Accessing confidential University data
As standard good practice, if you are using a non-University managed device, whenever possible you should access confidential University information via the University's remote access facilities rather than directly.
If your device is not secure:
If your device is secure:
Your device is considered secure if it meets all the requirements of User Commitment 2.5.
Storing confidential University data
Confidential University data should be stored on a University managed filestore whenever possible. You must ensure that any confidential University information is only accessible to those that need it. We do not require you to encrypt data stored on a University managed filestore.
Google Drive qualifies as a University supported service, meaning you may also store confidential University data on Google Drive. You must ensure that any confidential University information is only shared with those that need it.
Google provide guidance on managing the sharing settings for files and folders stored on Google Drive:
We do not require you to encrypt all confidential data stored on Google Drive. However, if you are sharing confidential data with external users then it must be encrypted first:
You should contact IT Support if you require assistance storing or managing access to confidential data.
Use of other cloud services
You must not transfer or store confidential University information using any non-University supported cloud service which does not meet information security and Data Protection requirements.
Most cloud services (eg Dropbox, OneDrive) are not supported by the University and do not meet Data Protection requirements.
Be aware that for unsupported services:
Transmitting confidential University data
If it becomes absolutely necessary to store or transmit confidential data outside of a shared filestore or Google Drive (eg via email, the DropOff Service) then the data must be encrypted beforehand:
It is vital you do not transmit the encryption password via the same method as the encrypted data. You should use another method to provide the password to the recipient. For example, if you are sending an encrypted file via email, you can send the password in a paper-based letter, or tell it to the recipient on the phone.
The DropOff Service is the preferred method of transmitting any data in and out of the University.
If you are sending encrypted data to someone external to the University, they must ensure that the device they use to access the data also meets the requirements of User Commitment 2.5.
User Commitment 2.7
Users must minimise the risk of inadvertently giving away their private information and access to their devices by checking that the online services and web sites they access have appropriate security features for the intended task
It is vital you perform these checks before entering any private information into a webpage, otherwise this data may be intercepted and used for malicious purposes. This would put University information at risk.
The most common situation where this applies is when inputting your University (or personal) username and password into a webpage or other online service.
If you have a secure connection to a webpage, the web address will begin https:// - the 's' stands for 'secure'. If the web address begins http:// then the connection is not secure.
Most web browsers will also display a padlock symbol in the address bar. This means the website has been issued an Extended Validation (EV) certificate, which normally indicates that the website is more trustworthy. Clicking on the padlock icon will display more information about the certificate, including the name of the Certificate Authority that issued it.
If in doubt, do not input any private information until you have double checked that the web page is secure. You should contact IT Support if you are unsure.
If you are using a shared device, remember to logout of the website when you have completed your transaction, and before you close the browser. Closing the browser will not necessarily log you out.
User Commitment 2.8
Users must minimise the risk of infection from malicious software by assessing whether to install a new piece of software, accept a download, or similar.
You must stop and assess whether to accept pop-ups asking to install a new piece of software, accept a download, or similar to avoid infecting your device with malicious software. Many kinds of malicious software will put the information on your device at risk.
If you say no at the time the pop-up appears, you can always change your mind later when you have checked that the software or download is legitimate.You should contact IT Support if you are unsure.
User Commitment 2.9
Users must not leave their device unattended and unsecured where there is a risk of theft or unauthorised access.
Your devices can be considered secure from unauthorised access if you have configured them to go to a secure (password protected) auto-lock or screensaver after a period of inactivity of no more than 10 minutes (as required under User Commitment 2.5).
Any device that you have not secured from unauthorised access (eg if it's a mobile device that does not have security features available) is a high risk and must be locked in a secure place such as a drawer, cupboard or safe. You should not consider locked offices as being secure as they may be unlocked for various reasons such as cleaning.
Mobile devices are at higher risk of theft even if secured from unauthorised access and you should lock them in a secure place if there is a risk that University information will be lost. It is good practice to make sure you have a copy of the information securely stored on a University approved system.
You must carry your devices as hand luggage when travelling.
You must ensure that any company you use for hardware repair is subject to a contractual agreement which guarantees the secure handling of your device and any information stored on it.
Similar considerations apply to information in physical formats.
User Commitment 2.10
Users must not allow non-members of the University to make any use of University supplied devices (including family and friends).
University supplied devices are the property of the University and are provided to you on the understanding that you use them appropriately.
If you choose to provide non-members of the University access to University supplied devices you are putting the security of University information at risk and are therefore in violation of this Policy. It may lead to you being subject to disciplinary procedures or other appropriate sanctions (see Policy for safe use of University information on all devices: Sections 5.3 and 5.4 - Responsibilities).
User commitment 2.11
Users must control access to University information accessed from or stored on their devices.
You must ensure that University information is protected on all your devices.
Remember User commitment 2.10: Users must not allow non-members of the University to make any use of University supplied devices (including family and friends).
Non-University supplied devices
If University information can be accessed from non-University supplied devices:
|User Commitment 2.12
Users must search their devices and provide University information if required to do so by the University.
User Commitment 2.13
Users must securely delete University information from non-University managed devices when they have finished using the information.
As general good practice you should minimise the amount of University information stored on or accessed directly from a non-University managed device as this reduces the risk of inadvertently breaching this policy.
Whenever possible you should access confidential University information via the University's remote access facilities rather than directly.For more information, see the guidance for User Commitment 2.6, above.
Remember that University information includes all emails (including those in the Sent folder) and attachments saved to the device.
The Information Commissioner's Office provides guidance:
You can contact IT Support for help.
User Commitment 2.14
Users must inform the University if any device holding or providing access to University information is lost or stolen, or is subject to a security incident which might have compromised the information (such as unauthorised access). This includes University and non-University supplied devices.
Remember that this includes all devices where you have an automatic login set up for access to University services (eg Google Apps, SITS).
You must contact the Computer Emergency Response Team as soon as possible.
For more information see the University Information security incident management policy.
User Commitment 2.15
Users must return University supplied devices to the University on request or when they are no longer being used for the purpose for which they were provided, and in any case before leaving the University.
University supplied devices are the property of the University and are provided to you on the understanding that you use and return them appropriately.
If you do not return the device you are putting the security of University information at risk and are therefore in violation of this Policy. You are also keeping University property inappropriately. This may lead to you being subject to disciplinary procedures or other appropriate sanctions (see Policy for safe use of University information on all devices: Sections 5.3 and 5.4 - Responsibilities).