Data Protection Policy - Security of Personal Data

The seventh Data Protection Principle requires that precautions should be taken against the physical loss or damage of personal data, and that access to and disclosure of personal data should be restricted. All staff, students and visitors who deal in any way with personal data have a responsibility under the Data Protection Act to take all possible precautions to protect data against unauthorised loss, destruction or disclosure. Data should only be held in accordance with the Data Protection Principles as laid out in the Data Protection Policy.

Information concerning individuals learned in the course of duties must not be shared with any other persons unless required by law, for the purpose of University business, or with the consent of the person concerned. Unauthorised disclosure, however inadvertent, would constitute an offence under the Act.

The Information Compliance Officer for Data Protection and Freedom of Information must notify the Information Commissioner of the description and purpose of all data held by the University, to comply with the Act. All members of staff / students dealing with personal data should undergo adequate instruction in the use of personal data and be told the purpose and disclosure which have been registered for the data. They should be reminded that the use of the data for any other purpose would be an offence. The Information Compliance Officer must be informed of any changes to the personal data that is handled, which may affect the University’s registration.

Electronic Data

Care must be taken to ensure that PCs and terminals on which personal data are processed are not visible to unauthorised persons, especially in public places. Screens on which personal data are displayed should not be left unattended. Particular care must be taken when transmitting personal data. Appropriate security precautions, such as the use of encryption and digital signatures, should be taken when sending personal data by email. Transmission of personal data by fax should generally be avoided.

Computers should not be shared between users unless password protection is available at least at user level. Unauthorised disclosure or use of a password may result in disciplinary action. Stored data and backups should be held in appropriately secure areas.

Emails referring to an individual are covered by the Act and need to be disclosed to an individual making a subject access request. Care must be taken over the contents of emails and over storing emails, which may be used for a specific purpose e.g. an appeal.

Manual Data

When not in use, files containing personal data should be kept in locked stores or cabinets to which only authorised staff have access. Procedures for booking files in and out of storage should be developed, so that file movements can be tracked. Files should be put away in secure storage at the end of the working day, and should not be left on desks overnight.

Sending Personal Data Securely

All staff who have responsibilities for handling personal data should comply with the principles of the Data Protection Act 1998. Line managers are strongly encouraged to ensure that staff members are fully aware of the Data Protection Act, the University Data Protection Policy and the Information Security Policy, and that they complete the mandatory Data Protection training.

All staff are required to take particular care when sharing personal information – whether sharing personal information electronically or manually. Appropriate measures should be taken to prevent unauthorised or unlawful access to personal information, and to prevent accidental loss, destruction or damage to personal information.  In deciding the most appropriate way to share personal information and the level of security required, you must always take into consideration the sensitivity of the information and the urgency of the situation. As a general rule, the following procedures should be followed:-

Sharing personal information securely by email

Unencrypted email is not a safe or secure method of transferring personal information. To improve the security of sharing information by email, the following measures should be applied:-

  • Stop to consider whether it is strictly necessary to share the information (or the extent of the information being sent) and whether email is an appropriate way to achieve this;
  • Take special care if sending the information to an email address outside of @swansea.ac.uk and wherever possible only use official business email addresses;
  • Confirm the name, department and email address of the recipient. Verify with the recipient that their own policy allows for personal information to be received in this way;
  • Double check the ‘To’ field before pressing send and ensure all other address fields are empty or completed as intended;
  • Ask the recipient to confirm receipt e.g. use delivery and read request settings;
  • Include the personal information in a document to be attached to the email, not as part of the email text, save it as read only and use encryption or electronic document password protection;
  • Inform the recipient of the password via an alternative means of communication e.g. by telephone;
  • Clearly mark the email as ‘Confidential’;
  • Consider permanently deleting the message from your sent items folder.

Sharing personal information securely using removable electronic devices (e.g. USB memory sticks, Blackberrys, iPhones, tablets etc.)

These devices are particularly vulnerable to loss or theft.  When using removable devices, the following procedures should be applied:-

  • Removable media, such as USB keys, should be kept secure at all times and suitable encryption software used for personal information;
  • Ensure any loss or suspected loss is reported immediately to the ISS Director or Deputy Director of ISS, who will initiate the appropriate action as per the Information Security Policy and University Data Protection Policy;
  • After use, the personal information must be securely deleted off the device. It is unacceptable to carry personal information on a portable electronic device beyond the required or necessary time.

Sharing personal information securely by post (internally)

  • Confirm the name and department of the recipient;
  • Seal the information in a double envelope, ensuring the packaging is sufficient to protect the contents during transit;
  • Mark the inner envelope ‘Private and Confidential’ and ensure the name and department of the sender is visible so that the information can be returned if it cannot be delivered;
  • Make sure there is nothing on the outer envelope that would indicate that it contains personal information;
  • When necessary, ask the recipient to confirm receipt;
  • Should information not reach its destination then this should be reported to the Estates Helpdesk on 01792 295240 or email wshelpdesk@swansea.ac.uk.

Sharing personal information securely by post (externally)

  • Confirm the name and address of the recipient;
  • Seal the information in a double envelope, ensuring the packaging is sufficient to protect the contents during transit;
  • Mark the inner envelope ‘Private and Confidential’;
  • Make sure there is nothing on the outer envelope that would indicate that it contains personal information;
  • Ensure that a return address is included on both the inner and outer envelopes in case it has to be returned for some reason;
  • When appropriate, send the information by recorded/special delivery;
  • When necessary, ask the recipient to confirm receipt.

Retention and Destruction of Personal Data

As well as preventing unauthorised access, it is equally important to avoid the accidental or premature destruction of personal data which could prejudice the interests of data subjects. Personal data in both manual and electronic formats should only be destroyed in accordance with agreed retention schedules. Care must be taken to ensure that appropriate security measures are in place for the disposal of personal data. Manual data should be shredded or disposed of as confidential waste, while hard drives, disks and other media containing personal data should be wiped clean.

All computer equipment or media to be sold or scrapped will have all personal data completely destroyed, by reformatting, overwriting or degaussing. This also extends to personal computers, such as laptops or computers at home, where authorisation has been granted by the University for work to be carried out offsite.

Data Processors

The Data Protection Act lays particular obligations on data controllers to ensure that there are adequate safeguards for processing which is carried out on their behalf by data processors. Whenever personal data is to be processed by an external body acting on Swansea University's behalf, the University must:

  • Choose a data processor which provides sufficient guarantees in regard to its technical and organisational security measures;
  • Take reasonable steps to ensure that the data processor complies with these measures, and
  • Ensure that the processing takes place under a written contract which stipulates that the processor will act only on instructions from Swansea University, and that the processor will have security measures in place that ensure compliance with the seventh Data Protection Principle.

Working off Campus/Password Advice/Malware Advice/Backup Advice

Staff and student records should not be taken off campus unless necessary to carry out University business. Staff / students are not permitted to remove any other personal data with the intention of processing the data elsewhere, unless such use is recognised and authorised. Data should always be processed in accordance with the University’s Data Protection Policy. For specific advice in relation to working off campus as well as advice in relation to passwords, malware and backup of data, please see the guidance issued by ISS (ISS Information Security Advice).

Use of Equipment

Equipment supplied by the University for the purpose of processing data must be used for University business only and not for private use. Family members or other persons not employed by the University are not authorised to use the equipment supplied by the University. Staff and students will ensure adequate security for equipment at all times. Portable equipment or documentation must not be left unattended in a place where it is accessible to the public or in any vehicle unless the vehicle is locked and the equipment/documentation is not in public view. Leaving equipment in a vehicle must only be a last resort where it is not possible to carry the equipment.

Termination of Employment

In the event that staff or students cease to be employed by or to study at the University, all equipment owned by the University must be returned or destroyed/deleted in accordance with the guidelines. This includes all manual and electronic documents, disks or any other media containing personal data.