A - Categorising the sensitivity of information
In the context of the University, there are four main classes of information which may affect some or all students, staff, visitors and partners:
This is data that is carefully considered to ensure that its disclosure causes no harm to individuals, the University, or its various suppliers and partners. This is typically general data / information that can appropriately be viewed by anyone, anywhere, e.g. press releases, course information, publications, released research data, conference papers etc.
This is data that might cause (minor or significant) harm to the University or its partners if it were to be disclosed. Private information is data / information which is intended to be limited to specified members of the University of Chichester on a need to know basis e.g. reports, financial plans, guidance, collaborative documents, draft documents, teaching materials etc. Private may also include information bound by copyright, or which relates to the performance rights or intellectual property of its originator.
This is information that, if disclosed, would be a failure to protect an individual's statutory rights. Data Protection legislation identifies that statutory responsibilities apply where you (individually and / or as part of an organisation) have a copy of information relating to another person. This can be any data which identifies an individual, directly or by inference, either on its own or by reference to other information, and can include expressions of opinions about an individual or for example photographs of them. Such personal data requires the strongest possible technical safeguards and clearly defined processes to ensure it cannot be seen by anyone not authorised to do so. Additional measures may also be required when processing special category data. Examples of personal data include:
Personal Identification Information - PII
- Name and title
- Date of birth
- Address
- Telephone number
- Email address
- Social media pseudonyms
- Photographs (especially including those that can be reverse indexed)
Special category data includes:
- Racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Any data concerning physical or mental health.
- Biometric data
- Genetic data
- Sexual life
- Sexual orientation
Any piece of information which contains any of the above must be processed in compliance with data protection legislation. This would include, for example, student assessments, either because they identify the student or because, in conjunction with other information, the student can be identified. [1]
Confidential information should only be stored in University case management systems or University network storage. Using removable media, or storing any private information on a laptop, personal device or using personal cloud storage is strictly prohibited.
Any data/information which is personally owned, or which belongs to a 3rd party should not be accessed through, downloaded to, stored on or distributed using University equipment and services; this includes:
- Data that is no longer required, whose time or original purpose has elapsed or passed
- Data that could be considered inappropriate and potentially harmful to the University’s reputation
- Information that would be better protected by being stored in a case management system [2]
- Personally owned music files, video files and photographs
- Using a University ID/log-in in software or services not provided by the University
- Using any system that involves processing personal data which is likely to result in a high risk to individuals for which there is not an approved University DPIA.
- Personally owned (whether free or licensed) software
- University branded or owned information on (or linked from) Social Media
- Any information created or stored on counterfeit equipment, or in unlicensed software
- Unregistered personal information (see Data Protection Act, 2018 and UK GDPR)
- Any information (including music and video) that is not compliant with University policies, procedures or current legislation, and any information being accessed, viewed or used consciously or unconsciously in any illegal act, including their copyright conditions and licensing.
No unauthorised information should be accessed, acquired, stored or transferred using any device or storage that is used in relation to the University.
Information Labelling
Files and folders are identified to whoever creates or stores them.
In the background, all data is always treated as though it is highly confidential, and the maximum security mechanisms within the University's infrastructure design are applied.
You may wish to visibly identify that something is sensitive (confidential or private for example) to anyone you might share this information with. This might be through headers and footers in documents, watermarks, or by attaching a meta-tag.
You may additionally wish to make anything particularly sensitive 'read-only' when shared, and use password protection. NB: it is good practice to send the pass code separately from any sharing notification.
It is generally better not to include words such as confidential in folder or file names, as in a worst case scenario, this might signal to an unauthorised infiltrator what is of most value to steal.
[1] Further information is available on the University policy webpage.
[2] For example HR data, and photographs of staff or students and any other personal data for which a lawful basis for processing is required and has not been established should not be processed, including stored, in ad-hoc storage such as network drives, PC hard drives, USB sticks, mobile telephones. Such information should only be stored in case management systems.
B - Information security & devices and storage
For confidential information, case management systems with their inherent access controls and their data management facilities should be used wherever possible. Where this is not possible, network storage is the most secure ad-hoc storage.
Local Device Storage
- Storing any private or confidential data on the 'hard drive' of a laptop, mobile phone or PC (local, inbuilt, often referred to as C:), or on any other in-built storage such as an SD card, is very high risk: it is susceptible to loss, and may be easier for criminals to access if they gain access to your device. Please use the network and cloud storage we have made available. The policy is that all private and confidential information should be stored in case management or University network and cloud storage.
- You should ensure a clean-desk approach in relation to any University information or activity, whether working in a University location, or working at home or elsewhere.
- It is important, and polite, not to leave any discarded papers in classrooms or other public spaces.
- Clean Screen policies identify that you should not store any private or confidential data on the desktop screen of your computer, as this is at especially high risk of covert unauthorised access and cyber criminal attack.
Network Storage
- Home drives: (H:) All students and staff have access to network storage known as their home drive or H: drive. This is secure network storage for personal University data attached to their network account, which can be securely accessed from any computer or device connected to the Internet.
- Shared drives: (S:) and the University's OneDrive for Business (ODFB). There is additional network storage called shared drives (or S: drive). This network storage is linked to groups of network accounts, enabling users to collaborate and share files.
- Advantages of using University Network Storage: The University’s network storage can be used for private and (where not possible to be stored in a case management system) confidential information. Data is protected by University information security systems. Data is routinely backed up for business continuity purposes as well as to enable the recovery of data that is accidentally deleted.
Portable Devices
- University Issued Devices: Portable devices (such as laptops, tablets and smartphones) may be issued/loaned to enable access to University resources whether at a desk, or on the move. Security measures are installed, and data is directed to network storage.
- Personal Devices: The University enables access to University systems and services through a staff, student or visitor’s own device. Access is controlled through authentication to each system or service. Users also have a responsibility to ensure their devices are protected, e.g. use a boot password, a screen saver with a password, disk encryption and anti-virus software, even if you only ever access public data. You must not download private or confidential data to a personal device.
- Working off campus: Please remember to exercise extra caution when connecting to 3rd party wireless networks (at home, in a coffee shop or hotel for example). Any WiFi which does not require authentication via a user ID and password should be regarded as risky and non-secure.
Portable Storage
- University Issued Storage Media: Portable storage media (CDs/DVDs, USB drives and external hard drives) are discouraged. Security measures (such as encryption software) are used to help reduce the risks, however due to the risks of their being lost, portable storage media are not suitable for storing confidential information.
- Personal Storage Media: The University does not currently restrict the use of personal storage media; however, their use for private and confidential University data is not permitted.
- Mobile Telephones: Data on mobile phones cannot be backed up. Mobile phones can be lost or stolen, and have very little security. They must not be used to store private or confidential data.
Considerations when using Portable Devices and/or Storage Media:
- Files stored only on portable devices and/or storage media have no provision for backup or recovery if they become lost, stolen or corrupted.
- It would be extremely high risk to reuse portable media, or to try to recycle such media from a previous user.
- There is a significant risk of reputational damage and/or litigation and fines if data is stored inappropriately on portable devices, especially when it could have been stored in network storage.
- If it cannot be avoided, any data that has to be temporarily copied to portable media must be encrypted, using a storage device obtained through the University's SIZ.
- Following such use, this media must be returned to SIZ for secure cleaning and disposal.
- Personal devices/storage media, including personal email accounts, must not be used to store private and confidential data.
- NB: USB sticks, CDs etc. can degrade over time.
- Portable media should be handed in to SIZ for secure disposal.
Cloud Storage
- University Cloud Storage: All staff and students have access to the University’s cloud storage system – OneDrive for Business. OneDrive for Business (ODFB) provides cloud storage (in a data centre in the UK) which can be accessed on and off campus. ODFB should not be used for confidential data (networked H / S storage ideally should be used).
- MS Teams is the University's collaboration platform, and this is also a cloud storage facility, through which you can securely share documents with other colleagues and students.
- Other Public Cloud Storage: Other cloud providers, such as Dropbox, iCloud, WeTransfer, Google Docs etc. should not be used. The services offered by these providers cannot be protected.
Considerations when using Cloud storage:
- University OneDrive for Business is protected by industry standard security systems, where if/what/when can be confirmed by the University and even files you delete are recoverable (for up to 90 days).
- Creating a shareable document (Single Version of the Truth) helps increase security, and accuracy of information.
- Private and confidential data must not be uploaded to any personal cloud storage service.
- Synchronisation between ODFB and non-University devices must be turned off for all categories of data.
Summary view of methods of storage
C - Approved Conferencing Software - used by the University of Chichester
Video Conferencing Software is often used in the delivery of on-line blended and hybrid learning, to engage with University staff and students and meet with internal and external colleagues and partners. The University's secure and approved conferencing solution is Microsoft Teams, and alternative conferencing software may not be secure.
The decision to use MS Teams by the University includes that it has better functionality and integrations with other HE products, and that it is the most widely used conferencing software, worldwide, especially in education, government and commercial organisations.
All software used by the University undergoes a Data Protection Impact Assessment to ensure it supports the University's statutory and institutional commitment to safeguarding and privacy.
The advantages of MS Teams over others include that Microsoft does not profile data, sell on your contacts, or sell on any interpretation of your usage, locations or interests. In MS Teams this data remains private, is stored in the UK and is made accessible to the University (in line with specific circumstances set out in the University's privacy policy) should there be a safeguarding need to prevent, detect or help support anyone who becomes the victim of grooming, stalking or bullying, or who becomes targeted with, or becomes involved in, radicalism.
There are other popular domestic and commercial conferencing software products; however, in addition to the wish to provide a coherent customer experience across all University activities, and to add to the experience many students have had in school, many of these products have security issues. The reasons that the University does not support these software products include that Zoom, for example, in addition to actively selling profiling data that may subsequently be used to attack students and staff, does not provide safeguarding logs, and therefore the University cannot detect, assist or assess where a student has been bullied, groomed or radicalised. Other products such as Discord, Dropbox, WeTransfer, Kik and Telegram have been reported as having risks, in some cases with an architecture that may create ungovernable openings in the secure perimeter of an organisation, allowing other threats to ‘tail-gate’.
D - Conferencing Software - used by other people
Other organisations may use alternative video conferencing software (Zoom for example). This is more common in, for example, the United States of America, where privacy and safeguarding legislation is different from that in the UK. A member of staff who wishes to attend a seminar or meeting via, for example, Zoom can use the browser-based version; however, you should consider what you are doing and take precautions. As set out in the Electronic Information Security Policy, you should protect the ID and password provided to you by the University. Most seminars that you might be invited to, and most conferencing software, do not require you to enter anything other than a one-off identifier (your name), and this does not require you to identify yourself in relation to the University, or in fact your own out-of-work details. It is worth reflecting that everything you say, do or share could be covertly profiled for sale, and the conferencing software may have unsecured channels (especially when screen sharing) that allow criminals to tail-gate some kind of covert hacking software, which can then compromise your commitment to protecting your own data, and the data of others.
E - Archiving and data disposal
All of the University’s systems are secured using the latest and best methods and technologies. The technologies and policies seek to help us avoid unauthorised access and failure to achieve the Prevent Duty of Care, but the legislation expects that organisations should not unnecessarily acquire, or retain, confidential data.
Data disposal includes the integrity of the right to be forgotten, and the oversight facilities needed in any system approved for use in the University to ensure that the if, what, when and who of any access can be established, across all data acquisition, use, and disposal.
University Systems
- The most secure location for confidential information is a case management system (for example the University’s Student Information System, or HR Systems), specifically designed with approved access controls, and with agreed data management (retention / disposal) mechanisms.
- Where possible, any ad-hoc confidential data (especially including emails) should be transferred to and stored in a suitable case management system.
- Where someone leaves the University, in addition to their access to all University systems being concluded, all data in their personal folders is deleted.
Email and Instant Messaging Folders
In order to reduce the risks of data being compromised through unauthorised access, or overly long retention, certain folders in the University’s email and instant messaging systems are automatically deleted on their anniversaries.
- Automatic, annual deletion of “Deleted Items”
When you delete an email from your inbox, it is actually just moved into your Deleted Items folder. Any items older than 12 months in the Deleted Items folder will be automatically deleted.
- Automatic, annual deletion of historic “Sent Items” and Calendar appointments
Copies of sent emails, and of past calendar appointments, that are more than 24 months old will be automatically deleted.
- Automatic, annual deletion of historic “Instant Messages”
Instant messages you send and receive using the University’s Teams instant messaging (Chat) are recorded in your email account, in an email folder called ‘Conversation History’. Any items older than 12 months in the Conversation History folder will be automatically deleted.
Anything that must be kept for a longer period can be transferred to a case management system (student record for example), to a different folder, and/or to your H:\ storage.