Guidance on processing personal data off campus
(This guidance should be read in conjunction with the University's Mobile and Remote Working Policy)
Many data security breaches occur when personal data is taken off work premises, for example when working from home. While it is permitted to take personal data off University premises for work purposes, staff must take appropriate security measures to protect against the loss or theft of that data.
Staff Responsibilities
Under the Data Protection Act, personal data can only be processed off campus if all of the following conditions are met:
- the personal data is used or processed to carry out the duties of the member of staff and for no other purpose;
- the processing is carried out only for legitimate purposes related to University business;
- the Data Protection Principles are followed strictly;
- adequate security is maintained to protect against the loss or theft of the personal data.
Any breach of these responsibilities could lead to disciplinary action and the University receiving a fine of up to £500,000 from the Information Commissioner.
Use of non-University owned computing equipment
Staff should not store or process personal data on personally owned computing equipment. The University should provide adequate computing facilities for your role at the University. Please speak to your line manager or zonal IT team if you need additional IT hardware to be able to work effectively. Accessing the Staff Desktop from a personally owned computer/device is acceptable as this is simply accessing the University network remotely and no data should be retained on your computer/device. When using the Staff Desktop, it is important to ensure that no data is copied or saved to any end user computer/device.
Do not send documents including personal data to a private, non-University email address to access these documents remotely – storing personal data with an unauthorised third party (without consent) is likely to be a breach of the Data Protection Act. Similarly, storing personal data with third party cloud storage providers that do not meet security standards acceptable to the University is not permitted.
For further guidance on the use of cloud storage providers, please see the Cloud Storage Wiki.
Also ensure any backup devices used to store personal data are fully encrypted and physically secure at all times.
In very exceptional circumstances that create a need to use non-University owned computing equipment, permission must be obtained in writing from the Head of School/Department with the agreement of the University Secretary. In this circumstance, it may also be necessary for the member of staff to register with the Information Commissioner’s Office as a data controller.
Alternatives
Always consider how necessary it is to take personal data off University premises, taking the following into account:
- Rather than storing personal data on a mobile storage device, could you use the Staff Desktop to access the information remotely? This would remove the need for any personal data to be carried off premises and reduce the risk to the University. If you have trouble accessing Staff Desktop remotely, please speak to IT Services.
- If you need to use hard copy documents containing personal data, do you need a whole file or could you limit the personal data you take off premises?
- Could the personal data be anonymised before being taken off premises?
- Can you ensure that no sensitive personal data is taken off premises? A breach of the Data Protection Act will be deemed more serious if it involves sensitive personal data.
Security measures
If taking personal data off University premises, it is the responsibility of individual members of staff to ensure that they have adequate security measures in place to protect against loss or theft.
For guidance on secure mobile storage devices for electronic personal data, please see the Information Security website.
For hard copy personal data, you should consider:
Security of data when in transit:
- Are you using public transport? If so, there is a greater risk of loss or theft.
- If working on a bus/train, do other passengers have sight of your work?
- If driving, would the data be safe if your car were to be stolen or broken into?
- If you are hand delivering personal data, ensure it is handed to the recipient or put through the letterbox - do not leave a package in a porch or similar.
Security of data at home:
- Where are you working at home?
- Have you taken precautions against burglary and unauthorised access by family members?
- Do you have a “safe space” for storing personal data?
- Can you lock sensitive data away?
Personal data overseas
For guidance about the processing of personal data overseas, please see the University’s advice regarding personal data and the European Economic Area/USA or contact the Information Rights Officer for advice.