This policy was last reviewed by the Information Security Working Group in August 2022.
This policy was last approved by the Information Security Working Group in September 2022.
Purpose and scope
The Information Security and Data policies provide everyone (e.g. students, staff, third parties) with clear and consistent instructions on how to protect themselves, others and College IT assets (e.g. data and services). The policies, associated processes and procedures are designed to reduce information-related risk to tolerable levels. All staff, students and third party users must adhere to these policies to keep the College and its people secure from Information Security risks, such as ever-evolving cyber-threats or non-compliance with the Data Protection Act 2018.
The College has various information assets (meaningful data that has value to the College, e.g. a student record). Information assets can take both physical and digital forms, such as a paper file, documents, and system databases. Everyone must take adequate steps to prevent accidental or deliberate disclosure of, and unauthorised access to, these assets. The level of protection required is proportional to the asset's classification (more sensitive data requires additional security measures; for example, sensitive personal data such as ethnicity or religion must be encrypted and strict permissions maintained at all times - see below for more information on classifications).
This policy sets out the responsibilities and required behaviours for anyone granted permission to use College IT services (e.g. software, computers and network).
Non-compliance with policies puts people and the College at risk. A breach of information security may result in damage to you, our students, or your colleagues through the loss of control over personal data or confidential data, identity theft, fraud or financial loss. Breaches of this policy also put the College at risk of cyber-threats, legal action and regulatory penalties. Additionally, some damage is irreparable and has serious reputational consequences.
Therefore, non-compliance may lead to the removal of IT equipment, services and account privileges. In some cases, disciplinary measures might be pursued, which may also lead to legal action.
Anyone using College services has a responsibility to protect data and systems in their control. Those responsibilities are defined in the Information Security and Data policies. The full set of policies is listed below.
Managers must ensure staff are aware of and comply with information policies, complete mandatory training (including any additional training required for certain roles e.g. Finance), report non-compliance and maintain the confidentiality, integrity and availability of College information assets.
Information Asset Owners/Data Owners
Schools and Professional Services must have one named individual (information asset owner) to take accountability for information assets. This Information Asset Owner will be responsible for ensuring data managed by their team or service is processed (e.g. used, stored, shared and destroyed) in compliance with the Data Protection Act 2018, including maintaining data integrity and quality, maintaining retention periods and keeping confidential information assets secure.
Information Asset Owners must periodically audit and assess the risk to information assets to determine their sensitivity in order to apply appropriate security measures. The use of classification labels on documents is encouraged in order to convey the confidential nature of a document. The College defines its information assets as one of the following classification types:
Available to anyone (including members of the public). Such information should be stored on College systems where possible to maintain availability and appropriate management of data.
Impact of disclosure: Little to no damage.
Confidential information
Access is restricted and limited to an authorised group. Information in this class may include but is not limited to:
● commercially or financially valuable information;
● student coursework and exam scripts;
● internal reports;
● general research data held;
● Protected Personal Information (information that links an identifiable individual with information that, if released, would put them at significant risk of harm or distress);
● any source of information relating to a substantial number of individuals.
Impact of disclosure: Moderate to significant reputational and financial damage.
Strictly Confidential information
Access is restricted to a small, named group, regularly reviewed and requires additional protection. Information in this class may include but is not limited to:
● Highly sensitive/special category data, as defined by UK GDPR (special category data);
● Research data covered explicitly by patent or legal agreement;
● Information protected by clauses in commercial contracts;
● Evidence of criminal activity;
● Highly sensitive financial information.
Impact of disclosure: Significant to substantial reputational and financial damage.
Information assets should be regularly reviewed to ensure their quality and to maintain appropriate retention schedules. All personal data should be managed in compliance with the Data Protection Act 2018, and users should refer to the College’s Data Protection Policy. In addition you should consider:
- Confidential and Strictly Confidential information should only be shared with authorised individuals;
- Only College approved storage should be used (e.g. Google Drive) to share and manage data;
- Before sharing data with third parties, the College shall ensure that the third party has adequate information security policies in place. A data processing agreement, or authorisation from the Data Protection Officer, may be required;
- The method of sharing should be considered, as not all systems are considered secure (e.g. confidential information sent by email can be intercepted, and is easily sent to the wrong person);
- Consider the type and volume of data and the impact of improper disclosure;
- Confidential information must be protected (e.g. encrypted) when sent outside the organisation or transferred to external media (e.g. a memory stick);
- When new data processors are engaged and external data sharing is required, the College will choose processors with sufficient guarantees as to their technical and organisational measures. If advice is needed in relation to the engagement of data processors, please contact the Data Protection Officer (email@example.com) or the Information Security Manager;
- Do not keep information on local computer drives (e.g. 'C drive' or local 'My Documents' folder). Use College approved storage such as Google Drive or the network file share;
- Keep confidential paper records secure (e.g. in a locked cabinet);
- Do not use a USB drive as a permanent storage solution. USB drives should only be used to store non-confidential data for short periods;
- Do not keep personal information for longer than necessary;
- Securely erase confidential information (shred paper copies or use confidential waste bins) according to retention periods or when it is no longer needed.
The College, each student and member of staff have an obligation to abide by all relevant legislation. Particularly:
● Computer Misuse Act 1990
● Copyright, Designs and Patents Act 1988
● Data Protection Act 2018
● UK General Data Protection Regulation (GDPR) 2018
● Human Rights Act 1998
● Regulation of Investigatory Powers Act 2000
● Terrorism Act 2006
● Privacy and Electronic Communication Regulations 2003
● Counter-Terrorism and Security Act 2015.
This policy will be reviewed as it is deemed appropriate, but no less frequently than every three years.
Information security guidance