Confidential data

Best practice in brief

  • Confidential data stored in central filestores is on secure servers maintained in secure physical environments
  • Confidential data should not be held on local disk storage (e.g. C: drive of a desktop machine)
  • Confidential data should not be stored or accessed on mobile phones or tablets unless appropriate security measures are in place

Confidential data must be encrypted when:

  • Stored on a laptop
  • Stored on a memory stick
  • Stored or exchanged on portable media such as CDs, DVDs
  • Exchanged with external organisations or individuals

Detailed guidelines

Central systems

Data is stored on secure machines maintained in secure physical environments

The key business systems of the University are designed and managed with a high level of security in mind.

Access to these systems is managed so that only those who need specific information as part of their work can get access to it.

Such access is provided on an individual basis and must not be shared with others.

  • The owners of data on central systems are responsible for defining and authorising which particular University groups (or individuals) get access to the data and what they are permitted to do with it.
  • A risk assessment and measures to mitigate risk should be defined and enforced.
  • Exporting data from these systems should be approved by the data owners, and the required risk assessment and mitigation measures must be strictly adhered to.

Desktop computers

Confidential data should not be held on local disk storage (e.g. C: drive) of a desktop machine.

Confidential data should be held only on an appropriately managed fileserver. Relevant College and Central IT support will manage a system or configure a secure area for this purpose, as appropriate to the circumstances.

Desktop security

As desktop computers may be used to access confidential data via the network, they should be configured with a high level of system security.

This can be achieved with one of the following methods:

1) Install Standard Staff Desktop (SSD). Please contact your local IT support for advice on how to obtain SSD.

or:

2) Use a desktop configured to security standards equivalent to those of SSD. Ensure the system is configured in accordance with all system security recommendations, including those relating to:

  • Antivirus software
  • Up-to-date operating system and application patch levels

Laptops

Confidential data MUST NOT be stored unencrypted on a laptop.

Laptops carry a significant risk of being lost or stolen. Therefore, confidential data should only be stored on such devices if it is necessary to do so.

It is relatively easy to gain access to data held on a computer even if passwords are used, unless encryption has been specifically set up to prevent this. Therefore, if there is a requirement to store confidential data on a laptop, it must be appropriately encrypted. A suitably trained member of IT staff should install and configure University-approved full disk encryption software to protect the data.

Laptop encryption

Windows laptops running the University Standard Staff Desktop environment (SSD) have full disk encryption enabled automatically as part of the SSD build process. Contact your local IT support for advice on how to obtain SSD.

All other laptops need to be configured in accordance with University system security recommendations, including those relating to:

  • Antivirus software
  • Keeping the operating system and applications up to date
  • Full disk encryption

To this end, users should take University-owned laptops to their local IT support, and request that full disk encryption is enabled. Alternatively, contact IT Services for help and advice. IT Services provides information on how to configure full disk encryption for multiple platforms:

Data backup

Where it is necessary to hold confidential data on laptops, it should be seen only as a working copy and be backed up or synchronised with a master copy on an appropriately managed fileserver. Relevant College or Central IT support can configure a shared secure area for this purpose and advise on appropriate procedures. Contact your local IT support.


Smartphones and tablets

Confidential data should not be stored on mobile devices unless necessary

Mobile devices carry a significant risk of being lost or stolen. Therefore, confidential data should only be sent, received or stored on such devices if it is necessary to do so.

The use of a strong password or PIN is essential to maintain privacy on such devices, but may not by itself provide sufficient levels of security.

Memory sticks

Confidential data MUST NOT be stored unencrypted on a memory stick

Memory sticks carry a significant risk of being lost or stolen. Therefore, confidential data should only be stored on such devices if it is necessary to do so, in which case it must be encrypted.

Encryption

Use one of the following methods:

1) Use secure memory sticks with built-in encryption.

IT Services recommends a device certified to the CESG CAPS or FIPS 140-2 cryptographic standards, such as the Kingston DataTraveler (available from University approved suppliers Insight and Misco). This is in line with the requirements of the NHS e-Health directive.

or:

2) Windows Only - use standard memory sticks, with Microsoft BitLocker.

or:

3) Cross Platform - use standard memory sticks, with VeraCrypt encryption software, or other equivalent strong encryption software. Note VeraCrypt was formerly known as "TrueCrypt".

The passwords used to protect data in all of these environments should conform to University password guidelines.

Notes on encryption methods

The advantage of (1) is simplicity of use, but these devices are more expensive than ordinary memory sticks. (2) is simple to use and free, but for Windows only. (3) is free and also works on macOS and Linux; however, it is necessary to become familiar with the software and use it correctly at all times.


Other mobile storage media

Confidential data should not be stored or exchanged on portable media such as CDs or DVDs unless individual files are appropriately encrypted

Encryption tool

IT Services recommends 7-Zip, which provides suitably strong encryption. This tool is installed by default on University Standard Staff Desktop (SSD), and can easily be downloaded for free anywhere else.

The passwords used to protect data in either of these environments should conform to University password guidelines.

Note that:

  • Most older Zip tools only provide weak encryption, and should not be used.
  • Password protection features in applications including older versions of Word and Excel provide very little protection, and should not be used.

Data exchange with external organisations

Confidential data exchanged with external organisations (or individuals) should be appropriately encrypted.

Exchange of confidential data with other external organisations or individuals must be part of a protocol agreed in advance of the exchange. This agreement should include:

  • A thorough risk assessment
  • Transmission to be via encrypted communications
  • The encryption password must be communicated to the intended recipient via independent and secure means (in most cases it would be appropriate to phone the recipient, and provide the password after checking they are the right person)
  • Equivalent security measures in place at the receiving organisation

Where any exchange of personal data is planned, the DP & FOI Office should be consulted.

Encryption tool

7-Zip provides strong encryption suitable for encrypting a file before sending via web-based file transfer, or email (if small in size), or writing to CD or DVD. This tool is installed by default on University Standard Staff Desktop (SSD), and can easily be downloaded for free anywhere else.

The passwords used to protect data in either of these environments should conform to University password guidelines.

Note that:

  • Most older Zip tools only provide weak encryption, and should not be used.
  • Password protection features in applications including older versions of Word and Excel provide very little protection, and should not be used.
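The warning about older Zip tools (in both encryption tool sections above) can be checked mechanically before an archive leaves the University. The following Python is an added example, not code from the page or from 7-Zip: it parses a .zip file's central directory and reports whether each entry is unencrypted, protected with the legacy PKWARE "ZipCrypto" cipher (the weak encryption of older Zip tools), or protected with AES (the WinZip AE-x scheme that 7-Zip writes for .zip output when AES-256 is selected). The .7z container has a different layout and is not parsed here. The three sample archives are constructed in memory and carry only the header fields the inspector reads; their payload is not actually encrypted, and the inspector never decrypts anything.

```python
"""Report the encryption method of every entry in a .zip archive.
Added example; zip structures follow the public PKWARE APPNOTE, the sample
archives are constructed in memory for this demonstration."""
import struct
import zlib

LFH_SIG = 0x04034B50        # local file header signature
CD_SIG = 0x02014B50         # central directory header signature
EOCD_SIG = 0x06054B50       # end of central directory record signature
FLAG_ENCRYPTED = 0x0001     # general purpose bit 0: entry is encrypted
AES_METHOD = 99             # compression method 99 = WinZip AES (AE-x)
AES_EXTRA_ID = 0x9901       # extra field id carrying the AES descriptor
AES_STRENGTH = {1: 128, 2: 192, 3: 256}


def build_sample_zip(name, data, *, flags, method, extra=b""):
    """Construct a minimal one-entry archive (constructed sample).
    The payload is stored as-is: only the headers matter to the inspector."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", LFH_SIG, 20, flags, method, 0, 0,
                        crc, len(data), len(data), len(name), len(extra))
    local += name + extra + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", CD_SIG, 20, 20, flags, method,
                          0, 0, crc, len(data), len(data), len(name),
                          len(extra), 0, 0, 0, 0, 0)   # local header at offset 0
    central += name + extra
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def _aes_strength(extra):
    """Key size from a WinZip AES extra field (id 0x9901), or None if absent."""
    pos = 0
    while pos + 4 <= len(extra):
        ext_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        # body: vendor version (2), vendor id "AE" (2), strength (1), real method (2)
        if ext_id == AES_EXTRA_ID and len(body) >= 7 and body[2:4] == b"AE":
            return AES_STRENGTH.get(body[4])
        pos += 4 + size
    return None


def inspect_zip(blob):
    """Walk the central directory and return [(entry name, status)]."""
    eocd_pos = blob.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record: not a zip file")
    _, _, _, _, n_entries, _, cd_offset, _ = struct.unpack_from("<IHHHHIIH", blob, eocd_pos)
    pos, report = cd_offset, []
    for _ in range(n_entries):
        fields = struct.unpack_from("<IHHHHHHIIIHHHHHII", blob, pos)
        sig, flags, method = fields[0], fields[3], fields[4]
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        if sig != CD_SIG:
            raise ValueError("corrupt central directory")
        name_start = pos + 46
        name = blob[name_start:name_start + name_len].decode("utf-8", "replace")
        extra = blob[name_start + name_len:name_start + name_len + extra_len]
        strength = _aes_strength(extra) if method == AES_METHOD else None
        if not flags & FLAG_ENCRYPTED:
            status = "unencrypted"
        elif strength:
            status = "AES-%d" % strength
        else:
            status = "ZipCrypto (weak)"   # bit 0 set but no AES descriptor: legacy cipher
        report.append((name, status))
        pos = name_start + name_len + extra_len + comment_len
    return report


def safe_to_send(blob):
    """True only if every entry is AES-protected with a 256-bit key."""
    return all(status == "AES-256" for _, status in inspect_zip(blob))


# Constructed samples: the same payload under three header configurations.
PAYLOAD = b"reference,result\n0001,pending\n"        # constructed, not real data
SAMPLE_PLAIN = build_sample_zip(b"results.csv", PAYLOAD, flags=0, method=0)
SAMPLE_ZIPCRYPTO = build_sample_zip(b"results.csv", PAYLOAD, flags=FLAG_ENCRYPTED, method=0)
AES_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)   # AE-2, 256-bit, deflate
SAMPLE_AES = build_sample_zip(b"results.csv", PAYLOAD, flags=FLAG_ENCRYPTED,
                              method=AES_METHOD, extra=AES_EXTRA)

if __name__ == "__main__":
    for label, blob in [("plain", SAMPLE_PLAIN), ("zipcrypto", SAMPLE_ZIPCRYPTO), ("aes", SAMPLE_AES)]:
        print(label, inspect_zip(blob), "safe to send:", safe_to_send(blob))
```

Run against a real archive with `inspect_zip(open("file.zip", "rb").read())`. The decisive fields are general purpose bit 0 and the 0x9901 extra record: an entry with bit 0 set and no AES descriptor is the legacy cipher regardless of what the producing tool's dialog called it.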

Email

Carefully check you're about to email the right people. This is especially important where confidential data are involved.

  • Use your University email account for University business
  • When emailing confidential data, always take good care to check the recipient details are correct
    Email apps often automatically take "guesses" at likely recipients, but this can very easily select an incorrect address
  • When replying, consider whether 'reply' or 'reply-all' is appropriate
  • Avoid placing multiple addresses in the 'To' or 'Cc' fields if the recipients may not know each other, especially where the number of recipients is large. Failure to observe this will disclose every individual recipient's identity to all the other recipients, resulting in a breach of confidentiality. Instead, place the recipients' addresses in the 'Bcc' (blind carbon copy) field.
  • Where exchanging confidential data with external organisations by email, see section on data exchange with external organisations
  • Some email apps appear to offer a "recall" option; however in most circumstances this does not work and so cannot be relied upon. Once an email is sent, it's sent, so always check the recipient details are correct before hitting send.
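The Bcc advice above rests on the difference between the SMTP envelope (who actually receives the message) and the visible headers (who is named in it). The following Python is an added example, not from the page: it builds a message whose headers name only the sender, hands the recipient list to the envelope alone, and checks that no recipient address has leaked into To, Cc or Bcc before the message would be passed to smtplib. It also builds the mistaken "everyone in To" message for contrast. All addresses are constructed.

```python
"""Keep bulk recipients in the SMTP envelope, out of the visible headers.
Added example; sender and recipient addresses are constructed."""
from email.message import EmailMessage
from email.utils import getaddresses


def build_undisclosed_message(sender, recipients, subject, body):
    """Return (message, envelope_recipients).

    The envelope list is what goes to SMTP 'RCPT TO' (smtplib's to_addrs);
    the headers name only the sender, so no recipient learns who else got it.
    No Bcc header is written at all: a Bcc header that reaches the wire is
    itself a disclosure, so the example does not rely on a client stripping it.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                 # self-addressed; 'undisclosed-recipients:;' also works
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = list(dict.fromkeys(a.strip().lower() for a in recipients))  # dedupe, keep order
    return msg, envelope


def naive_message(sender, recipients, subject, body):
    """The mistake the guidance warns about: every recipient in the visible 'To' header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def header_leaks(msg, envelope):
    """Envelope recipients that appear in any visible address header (should be empty)."""
    visible = set()
    for field in ("To", "Cc", "Bcc"):
        visible.update(addr.lower() for _, addr in getaddresses(msg.get_all(field, [])))
    return sorted(r for r in envelope if r in visible)


def ready_to_send(msg, envelope):
    """Final gate before smtp.send_message(msg, from_addr=msg['From'], to_addrs=envelope)."""
    return bool(envelope) and not header_leaks(msg, envelope)


if __name__ == "__main__":
    sender = "clerk@example.ac.uk"                                       # constructed
    people = ["a.smith@example.org", "b.jones@example.net", "a.smith@example.org"]
    good, env = build_undisclosed_message(sender, people, "Results", "See the encrypted attachment.")
    bad = naive_message(sender, people, "Results", "See the encrypted attachment.")
    print("undisclosed:", header_leaks(good, env), ready_to_send(good, env))
    print("naive:      ", header_leaks(bad, env), ready_to_send(bad, env))
```

When sending, pass the envelope list explicitly as `to_addrs` rather than letting the library derive recipients from headers; that keeps the recipient set and the visible headers independent, which is exactly the property `header_leaks` verifies.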

Tools that can help

  • Where emailing multiple recipients on a regular basis, then rather than 'Bcc', consider using a dedicated mailing list which prevents disclosing recipients' identity and also offers a number of other useful features
  • If secure email communications are needed on a regular basis, consider using PGP

In these cases, please contact your local IT support for advice.