Accessibility statement

Information Security Policy

Related pages

This is the overarching policy which explains the key ways that the University ensures the secure handling of its information while providing appropriate access.

It applies to everyone - all staff, students, associates, and anyone else authorised to use University IT facilities and information.


1. Policy

1.1 It is the policy of the University of York that the information it manages will be appropriately secured to protect against the consequences of personal data breaches, breaches of confidentiality, failures of integrity, or interruptions to the availability of that information.

1.2 The University will aim to achieve a culture in which legal requirements, information assurance and cyber security risks are considered whenever information is handled, through the provision of training, awareness campaigns and specialist guidance, advice and process.

1.3 The University will implement information security management practices which apply appropriate security while at the same time enabling staff, students and visitors to access, use and share the information they need.

1.4 The University will ensure that requirements and contracts that result in the collection, processing or storage of information are undertaken and protected in accordance with applicable legislation and standards.

1.5 Information held in user accounts may be examined on behalf of the University by authorised persons for specific operational or legal reasons. In these cases access will be authorised and conducted in accordance with the University policy on IT Investigations and Data Access Policy.

1.6 This document, together with related information security policies and implementation documents at, defines the framework within which information security is managed across the University.


2. Scope

2.1 This policy is applicable to all those who have access to University information; staff, students, contractors, consultants, visitors to the University, whether accessing information from on or off-campus.

2.2 If you are responsible for providing contractors, consultants or visitors with University information you must ensure they are engaged under appropriate terms that protect the University’s security and  privacy requirements. 

2.3 This policy supplements University Regulation 11 on Using University Information and University policy on Records Management and Data Protection.


3. Oversight

3.1 Overall responsibility for information security in the University is delegated from the Vice Chancellor, via the Chief Operating Officer, as Senior Information Risk Owner, to the Director of IT Services.

3.2 The Information Security Board, chaired by the Senior Information Risk Owner, is responsible for approval of primary Information Security Policy and sponsoring the information security framework.

3.3 The Director of IT Services has the authority to define and implement University-wide primary Information Security Policy and framework, and is responsible for defining, implementing and overseeing specific policy under the approved Information Security Policy.

3.4 The Information Security Board, is responsible for regular policy reviews and monitors the effectiveness of the information security framework across the University.


4. Responsibilities

4.1 All information users are responsible for protecting and ensuring the security of the information to which they have access.

4.2 University Officers, Heads of Departments and Section Heads are responsible for ensuring that all information in their area is managed in conformance with this policy.

4.3 Staff or students who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures.

4.4 Contractors, consultants or visitors who act in breach of this policy, or who do not observe the requirement of security and privacy may have access withdrawn.

4.5 Any breach of information security or violation of this policy must be reported to Cyber Security, via CERT (, who will take appropriate action and inform the relevant contacts within and outside the University.


5. Policy implementation documents

5.1 This document, together with related information security policies and implementation documents, is available at:

Document history

Document history

14 May 2012 Approved by Director of Information, J Stephen Town
16 October 2015 Reviewed and approved by Information Security Board
31 July 2019 Reviewed and approved by Information Security Board
31 August 2022 Reviewed and approved by Information Security Board
29 November 2023 Reviewed and approved by Information Security Board


For support in ensuring you are delivering to the requirement of this policy contact the Cyber Security Team.


Review cycle: Annual 

Date of next review: Nov 2024