The University recognises several levels of sensitive data and information in its Information Classification Framework. If you are working with sensitive data, such as those relating to individuals or commercial companies, you need to take extra precautions to ensure they can only be viewed by those with permission to do so.
Encryption is the process of obfuscating data so that only those with the correct decryption key or password are able to read them. The strength of encryption refers to how difficult it would be for an attacker to decrypt the data without knowing the key in advance, and this depends on both the method and the key used.
The tool you use for encryption should inform you of the method it will use and may give you a choice. The Information Commissioner's Office currently recommends using the AES-128 or AES-256 encryption methods, of which the latter is stronger.
Whenever setting the key to be used by an encryption method, be sure to use a strong password.
Using external storage providers
While external services such as Dropbox, Google Drive and OneDrive are convenient, they do not comply fully with the University's data policies due to the following issues:
Such solutions should therefore be avoided for sensitive data. If you are considering using external storage providers nevertheless, perhaps because of conditions imposed by external collaborators, only consider those which will allow you to take the following security measures:
Securing computer equipment
Even if the data are stored securely, there is a risk that unauthorised persons might access the data using the credentials and equipment of authorised users. There are steps that can be taken to mitigate this risk:
For more information about securing computer equipment, please contact the Project Leader: IT Security (intranet link; log in to access).
Transmission over standard HTTP or email is not secure, and may be intercepted and read by third parties. Extra precautions need to be taken when transferring sensitive data between collaborators:
You should ensure that you dispose of sensitive data securely. For example, if you have collected personal data, you should ensure that your methods of disposal provide adequate protection for the identity of participants.
Furthermore, you might be required to demonstrate that you have complied with any requirements to destroy third-party data in accordance with their terms of use.
Digital data
Removal of old IT equipment should always be arranged via CCSS and the Dell Managed Service. It must never be handed on to staff for their personal use or disposed of in any other way without the express permission of the CCSS Desktop Devices / Logistics Manager.
Please use the links below for more information:
Non-digital data
Paper-based sensitive data can be disposed of using the University's secure confidential waste facilities, which are provided on all campuses for the disposal of confidential information in line with BS EN 15713:2009.
A researcher in the school of management needed to write a data management plan for a research project. The project involved the analysis of highly sensitive commercial data from a consortium of industrial collaborators, which would be transmitted to the University by encrypted email in the first instance.
The plan identified nine types of data that would be collected by the project, and specified which of these would contain confidential data. It further specified different handling protocols for each type according to the anticipated level of confidentiality. For example, for the most confidential data, the researcher decided to use a dedicated computer with full-disk encryption, backed up to an encrypted directory on the University X Drive.
In addition, the plan set out the process that would need to be followed if access were requested to the confidential data, a process that respected the non-disclosure agreements reached with the collaborators. It also set out when and how the confidential data would undergo secure disposal.