Accessibility statement

Working from home: Data Protection Guidance

Data protection is not a barrier to homeworking. It does, however, require us to think carefully about how best to keep personal data and special category data secure. The FAQs below provide some top tips on staying compliant when working outside of the office. 


Does data protection legislation apply to homeworking?

Yes. The General Data Protection Regulation (GDPR) and Data Protection Act 2018 applies to homeworking. For further information on the key requirements of the GDPR and Data Protection Act 2018 see the University’s Data Protection web pages.

How do I keep personal data and special category data secure?

Use University of York approved systems only, these are recorded on the Systems Register. If you think an entry is missing let us know. Remember to follow the University’s Policy for safe use of University information on all devicesIn addition, make sure you understand and comply with the University’s IT Security Guidance. For a condensed version see, IT security - a condensed guide.


Are you introducing a new system to support remote working arrangements?

Our Data Protection responsibilities extend to the suppliers that we appoint and entrust with data. The University must be able to demonstrate that data protection has been appropriately assessed as part of system procurement and implementation. If you’re looking to introduce a new system notify the University’s Data Protection Officer via email at Working with IT Services, we can support you to introduce secure and compliant services.

How do I keep my workspace secure?

Try to maintain a similar level of privacy when working from home as you do when on campus. For example, consider carefully where you position your computer equipment to ensure your screen is not visible to others. Lock your device when stepping away from work and log out of University of York applications at the end of the day. In addition, be mindful you may be sharing your workspace with individuals not employed by the University so consider carefully the appropriateness of having certain conversations in front of them.

How can I share data securely?

Try to avoid emailing documents back and forth. Instead, use GSuite to share documents with colleagues. Where data is to be transferred by email, use the University’s Staff and Student Directory to find contact details and double check address details before clicking send. For guidance on when to encrypt data sent by email, see IT Services Information classification & handling Scheme

What should I do in the event of a data breach?

Notify the University’s Data Protection Officer immediately via email at For further information on recognising data breaches, see the University’s Data Breach Notification Procedure


Where can I find out more about data protection?

For further information on data protection best practice, including guidance on undertaking data protection compliant research see the University’s Data Protection web pages. Specific questions can be directed to

Is there anything else I can do?

Yes. Ensure you have completed the mandatory online data protection training module. The module can be accessed via HR’s statutory and compliance training page. Casual workers, temporary staff and individuals with associate account status should complete the training package available at HR’s mandatory training for temporary staff page.