Encryption of Personal and Confidential Data
Encryption, when used properly, is a tool which can help the University comply more fully with data protection legislation.
The Records Management Team and the IT Help Desk will provide you with advice on encryption on a case-by-case basis. This is to avoid the potential loss of personal or confidential information through the inappropriate encryption of University data.
Key Principles
Staff and students must abide by the following key principles relating to the proper use of encryption:
Using Encryption Within The University
1. The University's IT security procedures and the access controls within each School and Department should normally be enough to keep personal and confidential data secure without having to encrypt the data.
Encryption of data stored on the University's secure network must only be used if there is a legitimate business requirement to have another level of security and if staff are properly trained in the encryption process. Critical business files will be lost if staff forget the encryption key or password.
2. If it is necessary to store personal or confidential data on removable storage devices, these devices must be appropriately encrypted, access-controlled and kept in a locked drawer, cabinet or safe.
3. Never encrypt the master copy of files unless you have a robust encryption key or password management procedure in place.
4. Staff must ensure that encryption keys or passwords are not lost in the event of people leaving the University. Critical business files will be lost or rendered useless if the University can no longer access them.
Leaving the University? Please click the link below for information about the procedure for dealing with your Business Records when you leave.
5. If it is necessary to email personal or confidential data to other members of staff within the University, you must not send the encryption key or password in the same email. Instead, it is recommended that you disclose the key or password by telephone to the authorised individual.
Using Encryption When Working From Home
1. Ordinarily, personal or confidential data must never be stored at staff members’ homes. However, if there is a legitimate business requirement to take such data home, the files should be copies of the originals, fully encrypted and kept physically secure.
2. Authorisation for taking home personal or confidential files must be sought from the Head of School or Department.
Using Encryption When Transferring Personal Or Confidential Information
1. The transfer of personal or confidential information to external third parties must comply with the principles of the Data Protection Act 1998. Consent from the data subject must always be sought and the transfer must only be for a legitimate University purpose.
2. Personal or confidential information must be encrypted when it is sent to external parties by email. For example, this will help to prevent the recipient accidentally forwarding the information on to someone who should not have access to it.
Contact Information
Please contact Records Management for further information and advice about encrypting personal and confidential data.
Please contact the ITS Help Desk for advice about password-protecting documents, and also about the various forms of encryption which are available.
Last updated 10.09.12 (KGF)