Data Protection Policy - Security of Personal Data
The seventh Data Protection Principle requires that precautions should be taken against the physical loss or damage of personal data, and that access to and disclosure of personal data should be restricted. All staff, students and visitors who deal in any way with personal data have a responsibility under the Data Protection Act to take all possible precautions to protect data against unauthorised loss, destruction or disclosure. Data should only be held in accordance with the Data Protection Principles as laid out in the Data Protection Policy.
Information concerning individuals learned in the course of duties must not be shared with any other persons (unless required to do so by law or; for the purpose of University business or with the consent of the person concerned). Unauthorised disclosure however inadvertent would constitute an offence under the Act.
The Information Compliance Officer for Data Protection and Freedom of Information must notify the Information Commissioner of the description and purpose of all data held by the University, to comply with the Act. All members of staff / students dealing with personal data should undergo adequate instruction in the use of personal data and be told the purpose and disclosure which have been registered for the data. They should be reminded that the use of the data for any other purpose would be an offence. The Information Compliance Officer must be informed of any changes to the personal data that is handled, which may affect the University’s registration.
Care must be taken to ensure that PCs and terminals on which personal data are processed are not visible to unauthorised persons, especially in public places. Screens on which personal data are displayed should not be left unattended. Particular care must be taken when transmitting personal data. Appropriate security precautions, such as the use of encryption and digital signatures, should be taken when sending personal data by email. Transmission of personal data by fax should generally be avoided.
Computers should not be shared between users unless password protection is available at least at user level. Unauthorised disclosure or use of a password may result in disciplinary action. Stored data and backups should be held in appropriately secure areas.
Emails referring to an individual are covered by the Act and need to be disclosed to an individual making a subject access request. Care must be taken over the contents of emails and over storing emails, which may be used for a specific purpose e.g. an appeal.
When not in use, files containing personal data should be kept in locked stores or cabinets to which only authorised staff have access. Procedures for booking files in and out of storage should be developed, so that file movements can be tracked. Files should be put away in secure storage at the end of the working day, and should not be left on desks overnight.
Retention and Destruction of Personal Data
As well as preventing unauthorised access, it is equally important to avoid the accidental or premature destruction of personal data which could prejudice the interests of data subjects. Personal data in both manual and electronic formats should only be destroyed in accordance with agreed retention schedules. Care must be taken to ensure that appropriate security measures are in place for the disposal of personal data. Manual data should be shredded or disposed of as confidential waste, while hard drives, disks and other media containing personal data should be wiped clean.
All computer equipment or media to be sold or scrapped will have all personal data completely destroyed, by reformatting, over writing or degaussing. This also extends to personal computers, such as laptops or computers at home, where authorisation has been granted by the University for work to be carried out offsite.
The Data Protection Act lays particular obligations on data controllers to ensure that there are adequate safeguards for processing which is carried out on their behalf by data processors. Whenever personal data is to be processed by an external body acting on Swansea University's behalf, the University must:
- Choose a data processor which provides sufficient guarantees in regard to its technical and organisational security measures;
- Take reasonable steps to ensure that the data processor complies with these measures, and
- Ensure that the processing takes place under a written contract which stipulates that the processor will act only on instructions from Swansea University, and that the processor will have security measures in place that ensure compliance with the seventh Data Protection Principle.
Working off Campus/Password Advice/Malware Advice/Backup Advice
Staff and student records should not be taken off campus unless necessary to carry out University business. Staff / students are not permitted to remove any other personal data with the intention of processing the data elsewhere, unless such use is recognised and authorised. Data should always be processed in accordance with the University’s Data Protection Policy. For specific advice in relation to working off campus as well as advice in relation to passwords, malware and backup of data, please see the guidance issued by ISS - Link to ISS Information Security Advice.
Use of Equipment
Equipment supplied by the University for the purpose of processing data must be used for University business only and not for private use. Family members or other persons not employed by the University are not authorised to use the equipment supplied by the University. Staff and Students will ensure adequate security for equipment at all times. Portable equipment or documentation must not be left unattended in a place where it is accessible to the public or in any vehicle unless the vehicle is locked and the equipment/ documentation is not in public view. Equipment left in a vehicle must only be a last resort where it is not possible to carry the equipment.
Termination of Employment
In the event that staff or students cease to be an employee or to study at the University, all equipment owned by the University must be returned or destroyed/ deleted in accordance with the guidelines. This includes all manual and electronic documents, disks or any other media containing personal data.