Data Protection and Security at UWE
Following the publication of the Data Protection Act 1998, the University of the West of England’s staff and students must comply with the basic rules and regulations which the Act dictates.
Data Security in terms of Information Systems can be achieved by:-
- Storing data securely by taking precautions against physical loss.
- Restricting access and disclosure of data.
Personal data must be treated with particular caution:-
Personal data in the Data Protection Act includes “any information from which a living individual can be identified.” This definition also covers expressions of opinion about individuals. Personal data therefore includes information such as telephone numbers, addresses, names, sound and image data such as photographs and videos.
With personal data come two important definitions:-
- “sensitive personal data”, which includes information relating to racial, gender, political, religious origins and beliefs; physical and mental health conditions; as well as membership of trade unions or any suchlike organisations.
- “processing”, which means obtaining, recording, holding, organising, adapting, altering, modifying, retrieving, consulting, disclosing, transmitting, blocking, deleting and destroying data.
Best practices for data security:
Staff must therefore ensure that the rules below are closely followed:-
- Any data stored on a computer belonging to the University or using the University’s network must comply with the University’s Data Protection policy.
- Save your files, including personal data, in the central file stores (also called network drives), i.e. the H:/ and S:/ drives. These drives are backed up centrally by IT Services. It is not permitted to save UWE data on portable media or your laptop's hard drive (regardless of whether the data is personal and/or sensitive). If you are saving your work onto any other drive such as the hard drive, or media such as CDs, memory sticks, and ZIP disks, you must consider your work as insecure. It may not be retrievable, and it may also be lost and/or in the hands of people who are not authorised to view your information.
- Your password must NEVER be passed on to anyone. If you give your password to IT Services for repair or maintenance purposes, please ensure that you change the password immediately afterwards. Sharing of passwords is a major breach of regulations. Please refer to Protecting your passwords.
- Ensure that you use strong and complex passwords.
- If you leave your computer unattended, temporarily lock it by pressing Ctrl-Alt-Del. Click on ‘Lock computer’. To unlock the computer, press Ctrl-Alt-Del again and type in your password.
Home (or external) Computers:
- Please do not save UWE data on your home computer's hard drive. Instead, please access the data via XA (Xternal Access) or SharePoint.
- Ensure that your home computer is firewall-enabled and updated.
- Your home computer should also be password-protected to ensure restricted access to information.
- Ensure that you have up-to-date anti-virus software running at all times on your home computer. Please note that all PC Labs and computers on the UWE campuses are protected by the McAfee anti-virus software.
- Your laptop should be kept in a safe location (and not left unattended in a public place or a car).
Personal, confidential and/or commercially sensitive data:
Personal, confidential and/or commercially sensitive data must be treated as follows:-
- Unencrypted personal, confidential and/or commercially sensitive data must NEVER be saved on media such as memory sticks, CDs, DVDs etc…
- Personal, confidential and/or commercially sensitive data must NEVER be stored on a private PC, Laptop or transportable media. It must be saved on network drives.
- Transportation of encrypted personal data must be guided by IT Services. Please read the encryption policy and/or contact IT Services. They will be able to advise you on the safest way to transport your data.
- Personal, confidential and/or commercially sensitive data must NEVER be stored on the hard drive or Windows.
- Personal, confidential and/or commercially sensitive data must NEVER be emailed to a colleague or external contact.
- Personal, confidential and/or commercially sensitive data must be securely saved to ensure restricted and authorised access.
- Personal, confidential and commercially sensitive data can only be sent using secure mechanisms. For further details, please read the encryption policy and/or contact the IT Support Centre.
- Personal data cannot be passed on to a third party unless the third party Data Processing Agreement has been approved and signed on behalf of the University by Commercial Services and the Data Processor (i.e. the third party). If you need a Data Processing Agreement or any associated advice, please contact the Data Protection Officer.
- Personal data relating to UWE held by a contractor must be permanently deleted once the contract is completed.
Accessing personal data
To access your personal data held by the University, you must complete and submit an access to personal data form (PDF) and send it addressed to the Data Protection Officer, James Button, Frenchay Campus by post or by email to James2.Button@uwe.ac.uk. The University will respond to your request within the requisite legislative time scale.
What to do in the case of Loss of personal and confidential data:
Data users have a duty to ensure that they comply with the Data Protection Act and handle personal, confidential and commercially sensitive data in accordance with the data protection principles.
However, if as a data user or member of the University, you become aware that personal data is lost, misused, compromised or stolen, you must immediately contact the Data Protection Officer, James Button, and report the matter in order to recover the data and limit any damage.
In some cases, it may be necessary to report breaches to the Information Commissioner’s Office.
Loss of personal data may be regarded as a criminal offence.