• Information Management
  • ISO 27001 is coming... a two-year project to securely and efficiently organise the University’s information.

    Information is a valuable asset for the University, so the way we organise it and manage its security should be a high priority. The Information Management team are beginning a two-year project to achieve the globally recognised certification ISO 27001 - a series of standards that help to identify any risks to your information and to put in place appropriate controls to help reduce this risk.
  • Information Management

    Oxford Brookes University recognises that information and its associated processes, systems and networks are valuable assets and that the management of personal data has important implications for individuals. Through its security policies, procedures and structures, the University will facilitate the secure and uninterrupted flow of information, both within the University and in external communications. The University believes that security is an integral part of the information sharing which is essential to academic and corporate endeavour.

    The University also believes that information security is the responsibility of all students and members of staff. Every person handling information or using University information systems is expected to observe the information security policies and procedures, both during and, where appropriate, after his or her time at the University.

  • IT Policies, Procedures and Regulations

    The policies and procedures in this section are intended to be used as working documents, so please check from time to time to see if they have been updated. If you cannot find the policy or procedure you are looking for, please contact the information compliance team for guidance at info.sec@brookes.ac.uk.

  • Information Security Policy


    1. Introduction

    Oxford Brookes University recognises that information and the associated processes, systems and networks are valuable assets and that the management of personal data has important implications for individuals. Through its security policies, procedures and structures, the University will facilitate the secure and uninterrupted flow of information, both within the University and in external communications. The University believes that security is an integral part of the information sharing which is essential to academic and corporate endeavour and this Policy is intended to support information security measures throughout the University.

    2. Definition

    2.1 For the purposes of this document, information security is defined as the preservation of:

    • confidentiality: protecting information from unauthorised access and disclosure
    • integrity: safeguarding the accuracy and completeness of information and processing methods
    • availability: ensuring that information and associated services are available to authorised users when required.

    2.2 Information exists in many forms. It may be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of the law and statutory, regulatory or contractual obligations.

    3. Protection of Personal Data

    The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. When handling such information, the University, and all staff or others who process or use any personal information, must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the 1998 Act). Responsibilities under the 1998 Act are set out in the Data Protection Policy.

    4. Information Security Responsibilities

    4.1 The University believes that information security is the responsibility of all students and members of staff. Every person handling information or using University information systems is expected to observe the information security policies and procedures, both during and, where appropriate, after his or her time at the University.

    4.2 This Policy is the responsibility of the Executive Board; supervision of the Policy will be undertaken by the Senior Management Team. This policy may be supplemented by more detailed interpretation for specific sites, systems and services (see relevant policies and regulations). Implementation of information security policy is managed through the Information Security Working Group which reports to the Chief Information Officer.

    4.3 The University’s IT directorate OBIS (Oxford Brookes Information Solutions) has operational responsibility for the University’s IT systems and will therefore take action wherever necessary to protect those systems.

    5. Information Security Education and Training

    The University recognises the need for all staff, students and other users of University systems to be aware of information security threats and concerns, and to be equipped to support University security policy in the course of their normal work. The Information Compliance team has implemented a training programme in data protection for all members of staff who process personal data and, at the behest of the University's Faculties and Directorates, will provide or arrange the provision of training in information security matters to answer particular requirements.

    6. Compliance with Legal and Contractual Requirements

    6.1 Authorised Use: University IT facilities must only be used for authorised purposes. The University may from time to time monitor or investigate usage of IT facilities; and any person found using IT facilities or systems for unauthorised purposes, or without authorised access, may be subject to disciplinary, and where appropriate, legal proceedings.

    6.2 Monitoring of Operational Logs: The University shall only permit the inspection and monitoring of operational logs by the appropriate staff from the University’s IT directorate OBIS or where it has been otherwise authorised. Disclosure of information from such logs, to officers of the law or to support disciplinary proceedings, shall only occur (i) when required by or consistent with law; (ii) when there is reason to believe that a violation of law or of a University policy has taken place; or (iii) when there are compelling circumstances (circumstances where failure to act may result in significant bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of University policies).

    6.3 Access to University Records: In general, the privacy of users' files will be respected but the University reserves the right to examine systems, directories, files and their contents, to ensure compliance with the law and with University policies and regulations, and to determine which records are essential for the University to function administratively or to meet its teaching obligations. Except in emergency circumstances, authorisation for access must be obtained from the Chief Information Officer or the Chief Information Officer’s nominee, and shall be limited to the least perusal of contents and the least action necessary to resolve the situation.

    6.4 Protection of Software: To ensure that all software and licensed products used within the University comply with the Copyright, Designs and Patents Act 1988 and subsequent Acts, the University may carry out checks from time to time to ensure that only authorised products are being used. Unauthorised copying of software or use of unauthorised products by staff or students may be grounds for disciplinary, and where appropriate, legal proceedings.
    6.5 Virus Control: The University will maintain detection and prevention controls to protect against malicious software and unauthorised external access to networks and systems. All users of electronic devices issued by the University or used for University business shall comply with best practice, as determined from time to time by the University’s IT directorate OBIS, in order to ensure that up-to-date virus protection is maintained.

    7. Asset Management

    All University information assets (data, software, computer and communications equipment) shall be accounted for and have a designated owner. The owner shall be responsible for the maintenance and the protection of the asset/s concerned.

    8. Physical and Environmental Security

    Physical security and environmental conditions must be commensurate with the risks to the area concerned. In particular, critical or sensitive information processing facilities must be housed in secure areas protected by defined security perimeters with appropriate security barriers and/or entry controls.

    9. Information Systems Acquisition, Development and Maintenance

    9.1 Information security risks must be identified at the earliest stage in the development of business requirements for new information systems or enhancements to existing information systems.

    9.2 Controls to mitigate the risks must be identified and implemented where appropriate.

    10. Access Control

    10.1 Access to information and information systems must be driven by business requirements and be commensurate and proportionate to the business need.

    10.2 A formal access control procedure shall be required for access to all information systems and services.

    11. Communications and Operations Management

    Responsibilities and procedures for the management, operation and ongoing security and availability of all data and information processing facilities must be established.

    12. Retention and Disposal of Information

    All staff have a responsibility to consider security when disposing of information in the course of their work. Owners of information assets should establish procedures appropriate to the information held and processed and ensure that all staff are aware of those procedures. Retention periods should be set in consultation with the University Records Manager.

    13. Reporting

    All staff, students and other users should report immediately via the Servicedesk portal https://service.brookes.ac.uk, or by telephone to the Service Desk on tel. ext. 3311, any observed or suspected security incidents where a breach of the University's security policies has or may have occurred, and any security weaknesses in, or threats to, systems or services.

    14. Business Continuity

    The University will implement, and regularly update, a business continuity management process to counteract interruptions to normal University activity and to protect critical processes from the effects of failures or damage to vital services or facilities. A copy of the Oxford Brookes Business Continuity Policy can be found here.

    Data Protection Policy


    1. Introduction

    1.1 The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. When handling such information, the University, and all staff or others who process or use any personal information, must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the Act).

    In summary these state that personal data shall:

    1. be processed fairly and lawfully,
    2. be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with the purpose,
    3. be adequate, relevant and not excessive for the purpose,
    4. be accurate and up-to-date,
    5. not be kept for longer than necessary for the purpose,
    6. be processed in accordance with the data subject's rights,
    7. be kept safe from unauthorised processing, and accidental loss, damage or destruction,
    8. not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data, except in specified circumstances.

    1.2 Definitions

    "Staff", "students" and "other data subjects" may include past, present and potential members of those groups.

    "Other data subjects" and "third parties" may include contractors, suppliers, contacts, referees, friends or family members.

    "Processing" refers to any action involving personal information, including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying information.

    2. Notification of Data Held

    2.1 The University shall notify all staff and students and other relevant data subjects of the types of data held and processed by the University concerning them, and the reasons for which it is processed. The information which is currently held by the University and the purposes for which it is processed are set out in the Appendix 1 to this Policy. When processing for a new or different purpose is introduced the individuals affected by that change will be informed and the Appendix 1 will be amended.

    3. Staff Responsibilities

    3.1 All staff shall

    • ensure that all personal information which they provide to the University in connection with their employment is accurate and up-to-date;
    • inform the University of any changes to information, for example, changes of address;
    • check the information which the University shall make available from time to time, in written or automated form, and inform the University of any errors or, where appropriate, follow procedures for updating entries on computer forms.

    The University shall not be held responsible for errors of which it has not been informed.

    3.2 When staff hold or process information about students, colleagues or other data subjects (for example, students' course work, pastoral files, references to other academic institutions, or details of personal circumstances), they should comply with the Data Protection Guidelines for Academic Staff.

    3.3 Staff shall ensure that

    • all personal information is kept securely;
    • personal information is not disclosed either orally or in writing, accidentally or otherwise to any unauthorised third party. Unauthorised disclosure may be a disciplinary matter, and may be considered gross misconduct in some cases.

    3.4 When staff supervise students doing work which involves the processing of personal information, they must ensure that those students are aware of the Data Protection Principles, in particular, the requirement to obtain the data subject's consent where appropriate.

    4. Student Responsibilities

    4.1 All students shall

    • ensure that all personal information which they provide to the University is accurate and up-to-date;
    • inform the University of any changes to that information, for example, changes of address;
    • check the information which the University shall make available from time to time, in written or automated form, and inform the University of any errors or, where appropriate, follow procedures for updating entries on computer forms.

    The University shall not be held responsible for errors of which it has not been informed.

    4.2 Students who use the University computer facilities may, from time to time, process personal information (for example, in course work or research). In those circumstances, they must notify their course tutor or research supervisor in the relevant Faculty who will provide further information about their responsibilities in processing personal data.

    5. Rights to Access Information

    5.1 Staff, students and other data subjects in the University have the right to access any personal data that is being kept about them either on computer or in structured and accessible manual files. Any person may exercise this right by submitting a request in writing to the Information Compliance Officer.

    5.2 The University will make a charge of £10 for each official Subject Access Request, except for requests involving Health Records where the University may charge up to £50 for each request if those records are held either wholly or partly in non-electronic form.

    5.3 The University aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days unless there is good reason for delay. In such cases, the reason for the delay will be explained in writing by the Information Compliance Officer to the data subject making the request.

    6. Subject Consent

    6.1 In some cases, such as the handling of sensitive information or the processing of research data, the University is entitled to process personal data only with the consent of the individual. Agreement to the University processing some specified classes of personal data is a condition of acceptance of a student on to any course, and a condition of employment for staff. (See Appendix 1)

    7. Sensitive Information

    7.1 The University may process sensitive information about a person's health, disabilities, criminal convictions, race or ethnic origin, or trade union membership. For example, some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18, and the University has a duty under the Children Act 1989 and other enactments to ensure that staff are suitable for the job, and students for the courses offered. The University may also require such information for the administration of the sick pay policy, the absence policy or the equal opportunities policy, or for academic assessment.

    7.2 The University also asks for information about particular health needs, such as allergies to particular forms of medication, or conditions such as asthma or diabetes. The University will only use such information to protect the health and safety of the individual, for example, in the event of a medical emergency.

    8. The Data Controller and the Designated Data Controllers

    8.1 The University is the data controller under the Act, and the Vice Chancellor is ultimately responsible for implementation. Responsibility for day-to-day matters will be delegated to the Heads of Faculties and Directors as designated data controllers. Information and advice about the holding and processing of personal information is available from the University's Information Compliance Officer.

    9. Assessment Marks

    9.1 Students shall be entitled to information about their marks for assessments, however this may take longer than other information to provide. The University may withhold enrolment, awards, certificates, accreditation or references in the event that monies are due to the University.

    10. Retention of Data

    10.1 The University will keep different types of information for differing lengths of time, depending on legal, academic and operational requirements. Information and advice about the recommended retention times are available from the University Records Manager.

    11. Compliance

    11.1 Compliance with the Act is the responsibility of all students and members of staff. Any deliberate or reckless breach of this Policy may lead to disciplinary, and where appropriate, legal proceedings. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Information Compliance Officer by telephone on extension 4354 or by e-mail at info.sec@brookes.ac.uk.

    11.2 Any individual, who considers that the policy has not been followed in respect of personal data about him- or herself, should raise the matter with the designated data controller initially. If the matter is not resolved it should be referred to the University Information Compliance Officer and may be pursued through the staff grievance or student complaints procedure.

    Appendix 1 University Information Processing

    The University has notified the Information Commissioner that personal information may need to be processed for the following purposes:

    1. Staff, Agent and Contractor Administration
    2. Advertising, Marketing, Public Relations, General Advice Services
    3. Accounts & Records
    4. Education
    5. Student and Staff Support Services
    6. Research
    7. Other Commercial Services
    8. Publication of the University Magazine
    9. Crime Prevention and Prosecution of Offenders
    10. Alumni Relations
    11. Information and Databank Administration

    The Public Register of Data Controllers on the Information Commissioner's website contains full details of the University's current registration. The register entry provides:

    • a fuller explanation of the purposes for which personal information may be used
    • details of the types of data subjects about whom personal information may be held
    • details of the types of personal information that may be processed
    • details of the individuals and organisations that may be recipients of personal information collected by the University
    • information about transfers of personal information.

    For further information about these regulations, please contact the Information Compliance Officer. 

    Electronic Mail Policy

    1. Introduction

    This Policy defines policy and procedures where existing University policies do not specifically address issues particular to the use of electronic mail. Users of University electronic mail services are responsible for making themselves familiar with the "Guidelines for Use of the Internet", and other relevant laws and University policies (see policies.)

    The terms "electronic mail" and "email" are used interchangeably throughout this Policy.

    2. Scope

    2.1 This Policy applies to

    • all electronic mail systems and services provided or owned by the University; and
    • all users, holders, and uses of University email services; and
    • all University email records in the possession of University staff or students or other email users of electronic mail services provided by the University.

    2.2 This Policy applies only to electronic mail in its electronic form. It does not apply to printed copies of electronic mail. Other University policies, however, do not distinguish among the media in which records are generated or stored. Electronic mail messages, in either their electronic or printed forms, are subject to those other policies, including provisions relating to secure handling and disclosure.

    3. General Provisions

    3.1 University Property

    Any electronic mail address or account associated with the University, or any sub-unit of the University, assigned by the University to individuals, sub-units or functions of the University, is the property of Oxford Brookes University.

    3.2 Service Restrictions

    Those who use University electronic mail services must do so responsibly, that is, in compliance with United Kingdom and European laws, with this and other University policies and regulations (see policies), and with normal standards of professional and personal courtesy and conduct. Access to University electronic mail services may be wholly or partially restricted by the University, for good cause, without prior notice and without the consent of the email user. Such restriction is subject to the approval of the Chief Information Officer, or his nominee, or, in their absence, the approval of the University Registrar.

    3.3 Access to Email Records

    The University shall only permit the inspection, monitoring, or disclosure of electronic mail without the consent of the holder of such email (i) when required by or consistent with law; (ii) when there is reason to believe that a violation of law or of a University policy has taken place; (iii) when there are compelling circumstances; or (iv) under time-dependent, critical operational circumstances.

    3.4 Authorisation

    Except in emergency circumstances, authorisation for access must be obtained from the Chief Information Officer, or his nominee. Authorisation shall be limited to the least perusal of contents and the least action necessary to resolve the situation. In emergency circumstances the least perusal of contents and the least action necessary to resolve the emergency may be taken immediately without authorisation, but appropriate authorisation must then be sought without delay.

    4. Security and Confidentiality

    4.1 The University does not guarantee the confidentiality of electronic mail.

    4.2 Except as provided elsewhere in this Policy, computer operations personnel and system administrators are not permitted to see or read intentionally the contents of email messages, to read transactional information except where necessary to ensure proper functioning of University email services, or to disclose or otherwise use what they have seen.

    4.3 There is one exception: systems personnel, such as the "Postmaster", who may need to inspect the contents of email messages when re-routing or disposing of otherwise undeliverable email. This exception is limited to the least invasive level of inspection required to perform such duties.

    5. Archiving and Retention

    It is University policy to delete email stored on the University mail server at regular intervals and to inform users of impending deletions. Operators of University electronic mail services are not required by this Policy to retrieve email from back-up facilities upon the holder’s request, although on occasion they may do so as a courtesy.

    6. Policy Violations

    Violations of this policy may result in disciplinary action being taken, or access to University facilities being withdrawn, or a criminal prosecution. Any apparent violations of policy or law should be reported either to the Postmaster or to the Information Compliance Officer at info.sec@brookes.ac.uk.

    Appendix

    Definitions

    Computing Facilities: Computing resources, services, and network systems such as computers and computer time, data processing or storage functions, computer systems and services, servers, networks, input/output and connecting devices, and related computer records, programs, software and documentation.

    Email Systems or Services: Any messaging system which depends on computing facilities to create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print computer records for purposes of asynchronous communication across computer network systems between or among individuals or groups, which is either explicitly denoted as an email system or is implicitly used for such purposes, including services such as electronic bulletin boards, mailing lists and news groups.

    University Email Systems or Services: Electronic mail systems or services owned or operated by the University or any of its sub-units.

    Email Record: Any or several electronic computer records or messages created, sent, forwarded, replied to, transmitted, stored, held, copied, downloaded, displayed, viewed, read, or printed by one or several email systems or services. This definition applies equally to the contents of such records and to transactional information associated with such records, such as headers, summaries, addresses, and addressees.

    University Record: Any data recorded in any form, including paper files, computer files, audio- and videotapes, film and microfiche, which are maintained by University staff, or agents, in the course of their employment.

    University Email Record: A University record in the form of an email record regardless of whether any of the computing facilities utilised to create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print the email record are owned by the University. The location of the record, or the location of its creation or use, does not change its nature as: (i) a University email record for the purposes of this or other University policy, and (ii) having potential for disclosure under the Data Protection Act 1998 or other laws.
    Until determined otherwise or unless it is clear from the context, any email record residing on University-owned computing facilities, including personal email, may be deemed to be a University email record for the purposes of this Policy. Consistent, however, with the principles asserted in Section 3.4 of least perusal and least action necessary, the University shall, in good faith, make an initial effort to distinguish University email records from personal email where relevant to disclosures under the Data Protection Act and other laws, or for other applicable purposes of this policy.

    Use of Email Services: To create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print email. A (University) email user is an individual who makes use of (University) email services.

    Possession of Email: An individual is in "possession" of an email record, whether the original or a copy or modification of the original, when that individual has effective control over the location of its storage. Thus, an email record which resides on a computer server awaiting download to an addressee is deemed, for purposes of this Policy, to be in the possession of that addressee. Systems administrators and other operators of University email services are excluded from this definition with regard to email not specifically created by or addressed to them.
    Email users are not responsible for email in their possession when they have no knowledge of its existence or contents.

    Email Holder: An email user who is in possession of a particular email record, regardless of whether that email user is the original creator or a recipient of the content of the record.

    Compelling Circumstances: Circumstances where failure to act may result in significant bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of University policies, or significant liability to the University or to members of the University community.

    Emergency Circumstances: Circumstances where time is of the essence and where there is a high probability that delaying action would almost certainly result in compelling circumstances.

    Time-dependent and Critical Operational Circumstances: Circumstances where failure to act could seriously hamper the ability of the University to function administratively or to meet its teaching obligations, but excluding circumstances pertaining to personal or professional activities, or to research.


    Regulation for the use of IT facilities at Oxford Brookes University

    Users of IT facilities must behave reasonably towards other users and the facilities and in public areas they must behave appropriately. Users who do not behave reasonably and appropriately may be subject to disciplinary action in accordance with relevant procedures. Examples showing reasonable and appropriate behaviour are given in guidelines issued by the university from time to time. Users are responsible for making themselves familiar with this guidance. The guidelines give examples of reasonable and appropriate behaviour but are not exhaustive.

    Approved by Academic Board.

    Guidelines for the use of IT facilities

    Note: These guidelines describe the reasonable and appropriate behaviour required by the Regulation for the use of IT facilities at Oxford Brookes University. Other relevant guidelines include those for specific areas such as email, the web, the Internet, etc. (see www.brookes.ac.uk/infosec). If you do not follow these guidelines, you may be breaking the criminal or civil law. Applicable laws include the Data Protection Act 1998, the Copyright, Designs & Patents Act 1988, and the Computer Misuse Act 1990. An infringement of these guidelines may be a disciplinary offence under either the Student Conduct Regulations or Staff Conditions of Service. Advice and further information can be obtained from the Head of IT Services.

    Users should note in particular that it is illegal to store or publish obscene or unlicensed copyright material and that user ids and passwords are not transferable.

    Prevent Duty

    Users should note that the University takes its responsibility under the Counter-Terrorism and Security Act 2015 extremely seriously including those requirements detailed in Section 29 of the Act and referred to as the "Prevent Duty".  Users must not deliberately create, display, produce, store, circulate or transmit material related to terrorism or extremist ideology in any form or medium except where required for academic purposes and for which prior agreement has been obtained from the Chief Information Officer. 

    1. Do not use another user's user id and password, nor allow the password of any account issued to you to become known to any other person. If you allow another person to use your account, it must be in your presence, under your supervision and only for the purpose of assistance or collaboration. You remain responsible for that person's use of your account and must identify that person to the university authorities if any breach of university regulations is suspected in connection with that use. This guideline does not apply where another's account is used by a member of staff as part of their duties.

    2. Do not use or adopt any name or alias or user reference whether real or fictitious other than your own.

    3. Do not request resources or access rights that you do not need.

    4. Do not, having logged in, leave IT facilities unattended in an unlocked room. You must log out at the end of each logged in session unless prevented by system failure. Failure to do so may leave the account open for others to use. The institution accepts no responsibility for any loss to a user consequent upon a failure to log out correctly at the end of a session.

    5. Do not remove, borrow, connect or disconnect equipment without permission.

    6. Do not deliberately introduce any virus, worm, Trojan horse or other harmful or nuisance program or file into any IT facility, nor take deliberate action to circumvent any precautions taken or prescribed by the institution to prevent this.

    7. Do not in any way cause any form of damage to the institution's IT facilities, nor to any of the accommodation or services associated with them.

    8. Do not hack into, access, copy, delete or amend, or attempt to do so, the computer account, information or resources of another user or of a system administrator without that person's permission.

    9. Do not initiate or perpetuate any chain email message. Report the receipt of chain email messages immediately to 'postmaster', forwarding the message wherever possible.

    10. Do not deliberately create, display, produce, store, circulate or transmit defamatory or libellous material.

    11. Do not transmit unsolicited commercial or advertising material.

    12. Do not deliberately create, display, produce, store, circulate or transmit obscene material in any form or medium except where required for academic purposes and for which prior agreement has been obtained from the Head of IT Services.

    13. Do not monitor network traffic unless authorised to do so.

    14. Do not make deliberate unauthorised access to facilities or services accessible via the Joint Academic Network (JANET).

    15. Do not waste staff effort or networked resources, including time on end systems accessible via JANET and the effort of staff involved in the support of those systems.

    16. Do not deny service to other users including deliberately or recklessly overloading access links or switching equipment.

    17. You must adhere to the terms and conditions of all licence agreements relating to IT facilities which you use, including software, equipment, services, documentation and other goods. You are deemed to have agreed to the Copyright Acknowledgement included in the CHEST Code of Conduct for the Use of Software or Datasets (http://www.eduserv.org.uk/services/Chest-Agreements/about-our-licences/user-obligations).

    18. You must use the IT facilities only for academic, research and administrative purposes together with limited personal use. Such personal use is allowed as a privilege not a right, must conform to these guidelines, and should not incur unreasonable costs or have an adverse impact on resources or services.

    19. You must obtain permission from your head of school or director or Head of IT Services as appropriate to use computers for commercial or outside work including the use of IT facilities to the substantial advantage of other bodies such as employers of placement students.

    Student behaviour

    20. Do not interfere with or change any hardware or software; if you do, you may be charged for having it put right.

    21. Do not interfere with the legitimate use by others of the IT facilities; do not remove or interfere with output belonging to others.

    22. Do not load games software onto, or play games software on, the IT facilities unless required for academic purposes.

    23. Do not admit any other person to 24 hour computer facilities or other university premises when those facilities or premises are locked and do not yourself enter unless authorised to do so.

    24. Do not smoke, eat or drink in any computer room or near any public access IT facilities, and ensure that consumable products, including food and drink, are stowed away at all times.

    25. You must respect the rights of others and should conduct yourself in a quiet and orderly manner when using IT facilities.

    26. You must immediately vacate any IT room when asked to do so by any person who has legitimately booked that room and must not leave processes running or files printing or otherwise interfere with the work of that person. Failure to cooperate gives that person the right to switch off the work station that you are using.

    Portable Devices and Removable Media Acceptable Use Policy

    Download a pdf version

    1. Statement of Policy
    Oxford Brookes University aspires to the highest standards of corporate behaviour, professional competence and best practice in its approach to computing and data security. The University has policies relating to Information Security[link] and Data Protection[link]. These policies require staff and students and all who have access to, and process, the University’s data to keep information secure and to protect personal data. This policy relates specifically to the movement of University data from the University’s systems to portable devices and other removable media and the processing of University data on such devices and media. The policy of the University is that information must continue to be kept secure and personal data must continue to be protected when it is transferred on to, or processed on, portable devices and other removable media and during any process of transfer to and from such devices or media.
    2. Definitions
    2.1 Portable devices and removable media are any devices which can easily be carried by hand and be used for mobile computing, either in their own right or by being connected to and removed from other computing devices. They include laptop and notebook computers, tablet computers, mobile phones, digital cameras, digital audio devices, portable hard drives, CDs, DVDs, SD cards, memory "sticks" and flash drives.
    2.2 For the purpose of this policy data can be divided into two categories: nonsensitive data, which is data not containing either personal information or information of a confidential nature; and sensitive data, the default category, which comprises all other data, the loss of which would, or would be likely to, cause damage or distress to the University or to individuals. Data is assumed to be sensitive unless proven otherwise. This policy relates to sensitive data.
    3. Policy Principles
    3.1 The dominant principle governing the use of portable devices and removable media is:
    Do not transfer the University's sensitive data on to, or store such sensitive data on, portable devices or removable media unless it is necessary for a University business purpose and you have the explicit authority of your Head of Department. If it is necessary for sensitive data to be transferred on to or stored on portable devices or removable media, then the data should be minimised as much as possible, and the portable device or removable media containing the sensitive data should be an Oxford Brookes device and be protected by encryption software to the appropriate current standard, in line with the advice and the assistance of the University's IT department (Oxford Brookes Information Solutions, OBIS). Data minimisation means minimising the quantity and breadth of data and, where possible, anonymising personal data.
    3.2 All portable devices and removable media provided by the University to its staff shall be protected by encryption software.
    3.3 Staff will ensure that all such devices are protected by a secure password and that the password-protected auto-locking feature (where present) is enabled. Advice on secure passwords can be obtained from the University’s IT department OBIS.
    3.4 The University will abide by legislation and regulations relating to obtaining, using, storing, protecting and disclosing data required in the pursuance of University business.
    3.5 The University will provide appropriate organisational and technical measures to help keep data secure and to prevent loss, damage and destruction, assisting staff to implement such measures by producing relevant guidance.
    3.6 Individuals processing University data have a responsibility to protect the data from unauthorised use, disclosure, access, loss, corruption, damage or destruction and to adopt all proper and sensible precautions in their handling of sensitive and personal data.
    3.7 Any individual using portable devices and removable media must ensure that sensitive or personal data are not compromised by inappropriate use of insecure facilities and storage.
    3.8 Individuals transferring data on to or storing such data on portable or removable devices shall ensure they have the appropriate authority and approval to do so.
    3.9 Sensitive data shall not be processed, opened, read or loaded on public access computers.
    3.10 The University’s sensitive data will not be transferred to, stored or processed on portable devices or removable media where those data are to be used or accessed by third parties unless such parties have a business relationship with the University and appropriate contractual arrangements are in place.
    3.11 Antivirus precautions should be maintained in all use of removable media devices.
    4. Authorisation Process
    4.1 For sensitive University data to be transferred on to or stored on a portable device or removable media for use by a member of staff, appropriate authorisation shall be obtained from that member of staff's Head of Department.
    4.2 The risks associated with transferring data onto a portable device or storing data on it must be assessed and controls to mitigate the risks must be identified and implemented where appropriate.
    4.3 The member of staff will complete the appropriate authorisation request and secure the necessary authorisation prior to the data being placed on the portable device or removable media.
    4.4 The appropriate authorisation form can be accessed here [link].
    5. Guidelines
    5.1 Make sure that you understand what your responsibilities are by consulting the University’s Information Security and Data Protection policies. If you need further training on data protection matters, get in touch with the University’s Information Compliance Officer to arrange a session.
    5.2 Before using mobile computing devices to process University data, consider whether such processing is necessary. Can it be done without using a mobile device? If it can and the mobile processing is not necessary, then adopt a more appropriate and secure alternative.
    5.3 If processing data on a mobile device is necessary, consider whether the data can be minimised, or personal data anonymised, in any way.
    5.4 Avoid using removable media devices for permanent or indefinite storage. Make sure data are transferred as soon as possible to a secure, permanent data store and securely removed from all intermediate media. Do not put yourself in a position where sensitive data may be lost irretrievably without a backed-up copy held in a secure University data store.
    5.5 Consult your manager to ensure that you have appropriate approval to transfer data on to or to store such data on a mobile device. In order to authorise the transfer of sensitive data on to a mobile device, the Head of Department will need to know that it is necessary and that OBIS guidance has been followed on the appropriate technical measures to keep the data secure.
    5.6 If you are a manager, make sure you are aware of any mobile processing carried out by your staff and that the policy is being applied. If you identify that the policy is not being applied despite appropriate briefing and training, then you will need to escalate the matter through your own senior manager, involving HR if necessary.
    5.7 Consult the University’s IT department OBIS (email: obissecurity@brookes.ac.uk; tel. ext.3311) for advice on defensive computing and managing any risks. OBIS will help to identify and implement any appropriate technical measures, including encryption, to ensure the security of the data and/or the device. Specific measures will depend upon the nature of the device.
    5.8 Take appropriate physical precautions against the theft or loss of portable devices and removable media. If it is necessary to travel by car with such devices, as well as making sure technical measures such as encryption have been applied, make sure the devices are locked out of sight in the boot of the vehicle. If kept at home, devices still need to be kept secure to protect from opportunistic theft or access.
    5.9 If a mobile computing device is disposed of, make sure that the data are properly purged and destroyed. Seek advice from the University’s IT department OBIS to ensure that the data are destroyed. Guidance is available in the university’s Policy on Secure Disposal of IT Equipment and Information.
    5.10 Software on portable devices and removable media is subject to the same audit procedures as other computer systems. Make sure you have appropriate authority and licence for use.
    6. Reporting Data Security Breaches and Lost or Stolen Portable Devices or Removable Media
    6.1 All staff should report lost or stolen devices immediately to their line manager and to the University’s Information Compliance Officer. This will enable an assessment to be made of any loss of data held on the device.
    6.2 Any security breach of data (or suspected breaches), including those involving portable devices or removable media, should be reported immediately by email to obissecurity@brookes.ac.uk or to the OBIS Service Desk at https://service.brookes.ac.uk or by telephone on ext. 3311.
    6.3 A data security breach occurs when there is unauthorised or unlawful processing of sensitive data, including personal data, or there is accidental loss, or destruction of, or damage to such data.
    6.4 In reporting the loss or theft of a device and data you are required to identify in writing the type of device, the nature and extent of the data, and the security measures which were taken to protect the device and the data.

    Policy on Secure Disposal of IT Equipment and Information

    Download a pdf version

    1. Introduction
    The University holds and processes a large amount of information and is required to protect that information in line with relevant legislation and in conformity with University regulations and policies such as the Information Security Policy[link], the Data Protection Policy[link] and the Records Management Policy. This policy sets out the requirements for staff on the secure disposal of the University’s IT equipment and information.
    2. Definitions
    2.1 Secure Disposal
    Secure disposal means the process and outcome by which information including information held on IT equipment is irretrievably destroyed in a manner which maintains the security of the equipment and information during the process and up to the point of irretrievable destruction.
    2.2 IT Equipment
    IT equipment means all equipment purchased by or provided by the University to store or process information including but not necessarily limited to desktop computers, servers, printers, copiers, laptops, tablet computers, electronic notebooks, mobile telephones, digital recorders, cameras, USB sticks, DVDs, CDs and other portable devices and removable media.
    2.3 Information
    2.3.1 Information means all information and data held or recorded electronically on IT equipment or manually held or recorded on paper.
    2.3.2 For the purpose of this policy, the information held by the University can be divided into two categories: nonsensitive information and sensitive information. Sensitive information comprises all personal information and all confidential information, the loss of which would, or would be likely to, cause damage or distress to individuals or to the University.
    2.3.3 The default category is that all information is deemed to be sensitive unless specifically identified as otherwise.
    3. Responsibilities
    3.1 It is the responsibility of all University staff to ensure that the information held by the University is disposed of appropriately and that all sensitive information is disposed of securely.
    3.2 Responsibility for this policy resides with the University’s Executive Board. Implementation of this policy is managed through the University’s Information Security Working Group which reports to the Chief Information Officer.
    4. Statement of Policy
    4.1 This policy on disposal covers all data or information held by the University whether held digitally or electronically on IT equipment or as manual records held on paper or in hard copy.
    4.2 It is the University’s policy to ensure that all information held by the University is disposed of appropriately, in conformity with the University’s legal obligations and in accordance with the University’s regulations[link] and Records Management policy.
    4.3 In particular it is the University’s policy to ensure that all sensitive information which requires disposal is disposed of securely.
    4.4 Where information is held on IT equipment, it is the policy of the University that such equipment will be assumed to hold sensitive information and that all information residing on such equipment must be disposed of securely.
    4.5 The University supports policies which promote sustainability and take account of environmental impact. The University will therefore support recycling or sustainable redeployment in the disposal of IT equipment as long as information held on the equipment is irretrievably and securely destroyed prior to the disposal of the equipment.
    4.6 WEEE: IT equipment must also be disposed of in line with the EU Waste Electrical and Electronic Equipment (WEEE) Directive and the UK Waste Electrical and Electronic Equipment Regulations 2006.
    [Link www.brookes.ac.uk/Documents/About/Sustainability/en103w2/]
    4.7 Copyright: software must be disposed of in line with copyright legislation and software licensing provisions.
    5. Policy Principles
    5.1 Hard copy
    5.1.1 Information and data held in paper or hard copy which contain sensitive information shall be irretrievably destroyed in a way in which the information cannot be reconstituted, by shredding, pulping or incineration.
    5.1.2 The process leading to and the process of shredding, pulping or incinerating such information shall be carried out securely.
    5.1.3 Where the shredding or incineration are carried out on behalf of the University by a third party, there shall be a contract with that third party which appropriately evidences:
    a) that party’s obligations to keep that data confidential and;
    b) that party’s responsibility under the Data Protection Act 1998 for the secure disposal of the data.
    5.1.4 Where hard copy information is stored externally by a third party data storage contractor, the contract shall ensure secure disposal of the data at a time which conforms with the University’s Retention Schedule[link].
    5.2 IT Equipment
    5.2.1 Since the policy default is that all IT equipment which stores or processes data will be deemed to hold sensitive data, all such IT equipment will undergo appropriate physical destruction or an appropriate data overwrite procedure which irretrievably destroys any data or information held on that equipment.
    5.2.2 Where an overwrite procedure fails to destroy the information irretrievably, the equipment shall be physically destroyed to the extent that the information contained in it is also irretrievably destroyed.
    5.2.3 For the avoidance of doubt, removable digital media including but not limited to CDs, DVDs, USB drives, where the default is that they contain sensitive data, shall, if not successfully overwritten, be physically destroyed to the extent that all data contained in the media are irretrievable.
    5.2.4 All IT equipment awaiting disposal must be stored and handled securely.
    5.2.5 Where the overwriting procedure and/or physical destruction of IT equipment are carried out on behalf of the University by a third party, there shall be a contract with that third party which appropriately evidences: that party’s obligations to keep that data confidential and; that party’s responsibility under the Data Protection Act 1998 for the secure disposal of the data.
    5.2.6 In any case where IT equipment is to be passed on by the University for reuse, those staff involved in the sale or transfer of the equipment shall ensure that any information on the equipment has been irretrievably destroyed and that any other appropriate issues, including, but not limited to, the safety of the equipment, are satisfactorily addressed.
    5.2.7 Photocopiers and printers used or owned by the University may have a data storage capacity. Where such IT equipment contains information or data, the disposal of such equipment must have due regard to this policy.
    5.3 Online Data
    5.3.1 The University has a contract with Google for the use of its Google Apps for Education. This enables University staff to take advantage of the features provided for data storage of emails and documents. The University does not sanction the use of external online (cloud) services for University data where there is no contract in place.
    5.3.2 Data held in the University’s Google applications or other authorised online storage applications should be destroyed to the extent possible by using the delete facilities provided.
    6 Record of Destruction
    6.1 Any third party contracted to dispose of sensitive hard copy information shall certify the irretrievable destruction of the information.
    6.2 University staff who have responsibility for the information which is disposed of shall ensure that the disposal conforms with the University’s Records Management policy[link] and Retention Schedule and that, where necessary, a record is kept documenting the disposal.
    6.3 Where the disposal involves the disposal of IT equipment, the University shall keep a record of the asset number of the equipment which has been disposed of along with a record of the process by which the information stored on the equipment has been irretrievably destroyed.
    7 Reporting
    7.1 All staff, students and other users of information should report immediately to the Service Desk via the Servicedesk portal https://service.brookes.ac.uk or by telephone (tel. ext. 3311) any observed or suspected incidents where sensitive information has or may have been insecurely disposed of.
    8 Advice and Assistance
    8.1 Advice on the implementation of this policy can be obtained from the University Information Compliance Officer (tel. ext. 4354; email address info.sec@brookes.ac.uk) and the University Records Manager (tel. ext. 4046).
    8.2 Advice on the disposal of IT equipment can be obtained from the University's IT department, OBIS, by contacting the Service Desk on tel. ext. 3311 or via the Servicedesk portal https://service.brookes.ac.uk
    9 Guidelines
    9.1 Hard Copy
    9.1.1 Staff holding University data in hard copy should routinely dispose of the data when it is no longer required to be held for legal or contractual purposes or is no longer necessary for the business purpose for which it was originally created or held. In determining whether and when the data should be disposed of, staff should consult the University's Retention Schedule obis.brookes.ac.uk/records/Retention%20Schedule%201c.doc . Further information can be obtained from the University Records Manager.
    9.1.2 It is good practice to shred, pulp or incinerate all University data which requires destruction. Where hard copy waste is sensitive data (as defined in 2.3.2) it should always be securely and irretrievably destroyed by shredding, pulping or incineration. In order to ensure the secure and irretrievable destruction of hard copy, staff are required to use the service provided by the University's selected contractor for the destruction of confidential waste.
    9.1.3 Confidential waste bags for information requiring secure destruction can be obtained from Campus Services which will collect the bags when they are ready for disposal. Bags which contain confidential waste should be sealed and kept secure until collected by Campus Services.
    9.1.4 Confidential waste bags awaiting collection or further processing should not be left in public areas or areas where they can be accessed by unauthorised staff.
    9.1.5 Where sensitive data are stored under contract externally, staff responsible for the contract should ensure the contract includes secure, certificated destruction of the data in accordance with the appropriate retention period. External storage and destruction of University data should not be arranged without reference to the University Records Manager.
    9.1.6 Where staff consider a document is of sufficient historic importance to be retained by the University, they should consult the University Archivist.
    9.2 IT Equipment
    9.2.1 Staff holding University data on IT equipment should routinely dispose of the data when it is no longer required to be held for legal or contractual purposes or is no longer necessary for the business purpose for which it was originally created or held. In determining whether and when the data should be disposed of, staff should consult the University's Retention Schedule [link obis.brookes.ac.uk/records/Retention%20Schedule%201c.doc]. Further information can be obtained from the University Records Manager (tel. ext. 4046).
    9.2.2 Where a decision has been made that data held on IT devices or media should not be retained, the files containing the data should be deleted from those devices. Deletion involves putting the information “beyond use” by the user of the device or media. Data held in a recycling “bin” on the device or data which can easily be recovered by the user are not regarded as being “beyond use” and may still be subject to discovery and disclosure under information law (Freedom of Information, Subject Access Request) or litigation.
    9.2.3 Staff shall never dispose of University IT equipment (devices or media) without taking steps to ensure the irretrievable deletion of data held on the equipment.
    9.2.4 Electronic or digital data which have been put “beyond use” by users may still be reconstituted by IT specialists or by forensic computer analysts. This means that when IT equipment (devices or media) are disposed of, the data should be irretrievably destroyed by being overwritten in accordance with the appropriate industry standard, or the hard disc containing the data within the equipment or the media containing the data (e.g. CD, USB stick) should be physically destroyed. The University has some shredding machines available which can destroy CDs and DVDs as well as shred hard copy.
    9.2.5 Staff requiring the disposal of IT equipment which holds or may hold University data should contact the Service Desk via the Servicedesk portal https://service.brookes.ac.uk (tel ext. 3311) to arrange for the disposal.
    9.2.6 Staff should also be mindful that University mobile telephones contain data which will need to be extracted or deleted from the device before the device is disposed of. The Service Desk should be contacted to initiate the secure return and disposal of the device.
    9.2.7 While the University supports the recycling or sustainable redeployment of IT equipment, University staff shall not arrange for such a process without consulting the OBIS Client Device Support Manager (contacted via the Service Desk, using the Servicedesk portal https://service.brookes.ac.uk or tel. ext. 3311), obtaining appropriate authority from OBIS for the proposed recycling and ensuring that any data held on the equipment are securely and irretrievably destroyed.
    9.2.8 Where University staff are leasing equipment (such as multifunctional copiers), staff responsible for the contracts should ensure that the leasing contract certifies the secure disposal of any University data held on the devices during the period of lease.
    9.2.9 When disposing of IT equipment, staff must be mindful of the WEEE regulations. http://www.brookes.ac.uk/about/sustainability/docs/en103w2.pdf
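    As an added illustration of the overwrite step described in 9.2.4 (this is example code written for this page, not part of the University's policy or of any OBIS tool), the Python script below overwrites a file in place with random data, forces each pass to storage with fsync, checks that the original content can no longer be read back, and only then unlinks it. The file path and its "sensitive" content are constructed for the example. It also makes the limit that 5.2.2 anticipates explicit: on SSDs, copy-on-write or journaling file systems and cloud storage an in-place overwrite does not reliably reach every physical copy of the data, so a failed or unverifiable overwrite should fall back to physical destruction rather than being treated as complete.

```python
import os
import secrets
import tempfile

# Constructed sample content standing in for a sensitive file (assumption for this example).
SAMPLE_SECRET = b"Student ID 12345678: medical note - confidential\n"


def overwrite_file(path, passes=3, chunk_size=64 * 1024):
    """Overwrite every byte of the file at `path` in place, `passes` times.

    Each pass writes fresh random data and is flushed to the storage device
    with fsync before the next pass starts. Returns the number of bytes
    overwritten. Caveat: on SSDs, copy-on-write or journaling file systems
    and cloud storage an in-place overwrite does not reliably reach every
    physical copy of the data; that is why the policy falls back to physical
    destruction when an overwrite cannot be shown to have worked.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def still_contains(path, needle):
    """True if `needle` can still be found by reading the file back."""
    with open(path, "rb") as f:
        return needle in f.read()


def securely_remove(path, needle, passes=3):
    """Overwrite, verify the original content is gone, then unlink.

    Returns a dict describing what happened so the caller can record it;
    section 6.3 of the policy asks for a record of how the data were destroyed.
    If the overwrite cannot be verified the file is left in place and the
    result says so, because the policy's answer in that case is physical
    destruction, not a second attempt at logical deletion.
    """
    size = overwrite_file(path, passes=passes)
    if still_contains(path, needle):
        return {"bytes": size, "overwritten": False, "removed": False}
    os.remove(path)
    return {"bytes": size, "overwritten": True, "removed": not os.path.exists(path)}


def demo():
    """Create a constructed sensitive file, then dispose of it securely."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_SECRET)
    # A plain os.remove() at this point would leave these bytes on the medium.
    before = still_contains(path, b"confidential")
    result = securely_remove(path, b"confidential")
    return before, result


if __name__ == "__main__":
    print(demo())
```

    Run it directly to see the result dictionary. The byte count and the method used are the kind of detail that 6.3 asks to be recorded against the asset number when equipment is disposed of.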
    9.3 Online data
    9.3.1 Staff using the delete facility provided by Google in the University’s online Google applications should be aware that the deleted material will be held for 30 days in their online “bin”. Such data will not be regarded as “beyond use” until it has been further deleted from the “bin”.
    9.3.2 Online data held in Google accounts provided to staff by the University for the purpose of their employment are not automatically deleted when staff leave the University. These accounts are deactivated and access to the data retained for any necessary business purpose. Prior to leaving the University, staff should, wherever possible, ensure the appropriate management and handover of the University data in their accounts, deleting from their accounts data which are no longer required by the University.

    Guidelines for using the internet

    A. Introduction

    This document sets out provisions for the use of University Internet facilities (including email). You are required to familiarise yourself with these and other University policies and guidelines, and with the relevant laws.

    The University has software and systems in place to monitor and record all Internet usage, and only those servers which have been registered with the Internetworking Manager will be enabled at the Internet firewall (a security device which is used to control access to University systems).

    If you install your own software or IT products (e.g., a Web server) on your Brookes computer, then you should be aware of any potential security problems which might arise as a consequence, and take appropriate action to safeguard Brookes systems. It is essential that all updates for software are installed as soon as they become available. If in doubt, consult your IT Support Officer.

    B. Cautions

    Users should be aware of the following:

    1. It is not safe to assume that email is either confidential or secure.
      For example, email intended for one person may sometimes be widely distributed because of the ease with which recipients can forward it to others. A reply to an email message, intended only for the originator of the message, which is posted on an electronic bulletin board or through a mailing list may be distributed to all subscribers to the service. Also, even after you delete an email record, it may persist on backup facilities and thus be subject to disclosure under section 3 of the Electronic Mail Policy.
    2. Email, whether or not created or stored on the University's equipment, may constitute a University email record (see definition in Appendix A of the Electronic Mail Policy) and be subject to disclosure under the Data Protection Act 1998 or other laws, or as a result of litigation.
    3. There is no guarantee, unless "authenticated" mail systems are used, that email received was in fact sent by the purported sender, since it is relatively straightforward, although a violation of the Regulations for Use of IT Facilities, for senders to disguise their identity. Email that is forwarded may also be modified. As authentication technology is not widely used within the University at present, you should check with the purported sender to validate authorship or authenticity if there is any doubt.
    4. Encryption technology enables the encoding of email so that for all practical purposes it cannot be read by anyone who does not possess the right key. You should not send confidential or sensitive personal information by email unless you use encryption or password protection.
    5. The University does not currently use email for the conclusion of contracts. You should be aware, however, that email messages may form legally binding contracts particularly if signed by means of certified digital signatures.
    6. You should not rely on email for record-keeping purposes. (Most back-up files are currently overwritten every four weeks.) Also, in the absence of authentication systems, it is difficult to guarantee that email documents have not been altered, intentionally or inadvertently. Where long-term accessibility is an issue, you should transfer email records to a more lasting medium or format.

    C. Specific Guidelines

    Representation
    You should not give the impression that you are representing, giving opinions, or otherwise making statements on behalf of the University, or any unit of the University, unless appropriately authorised to do so. Where appropriate, an explicit disclaimer should be included unless it is clear from the context that you are not representing the University. An appropriate disclaimer is: "These statements are my own, not those of Oxford Brookes University."

    Confidential Information
    Do not release confidential information via a mailing list, on-line discussion group or electronic noticeboard. All disclosures of personal information, including via the Internet, must comply with the Data Protection Act 1998.

    Virus Checking
    Any file which is downloaded from the Internet or attached to an email should be scanned for viruses before it is run or accessed. If you are in doubt about the safety of opening an email attachment, consult your IT support officer. (There is a product called WordViewer which enables you to view an attached document without opening it. For more information about this product, consult the OBIS IT Services Help Desk.)

    Termination of Affiliation
    When you leave the University, permanently or for periods of leave, you should make arrangements which ensure continuity of University business. These may include the handing over, or forwarding, of relevant University email records (see definition in Appendix A of the Electronic Mail Policy) or messages, to an appropriate member of staff, or directing regular contacts to address future messages to another member of staff. You must not give your password to another member of staff so that they can access your account.

    Mail Forwarding
    The email accounts of persons no longer associated with the University will be cancelled and no personal forwarding services will be provided. When including your email address in published materials, such as journal articles, it may be more effective to use an external email address (e.g., Hotmail or Yahoo) which is not tied to your place of work. In exceptional circumstances, and at the discretion of your head of school or directorate, forwarding services may be provided after termination for a period normally not to exceed six months. In such cases, you must agree in writing that any mail which pertains to the University's business will be forwarded back to the school or directorate. (A head of school or directorate may require that all mail forwarded from the University email address also be forwarded to a school or departmental account.) Before forwarding can begin, you must remove your name from any mailing lists, internal or external.

    Copyright and Other Relevant Law
    The laws applying to copyright, data protection, libel, sexual harassment and other offences are applicable to email messages and attachments. You should make yourself familiar with all the relevant laws and University policies. 

    Guidelines for Publishing on the World Wide Web

    1. Introduction

    You are accountable for the content of any personal Web page to the head of the school or directorate who supervises your employment or relationship to the University. You must observe publication and other standards that project the appropriate image of the University.

    The contents of all electronic pages on University servers must comply with the law and with University policies and regulations. This document outlines relevant information to guide you in the creation of your Web pages.

    2. Permitted Use

    You should note especially that pages on University servers may not be used to promote personal business or to provide personal financial gain, except as may be permitted by University policy or regulation, or by contract.

    3. Disclaimer

    Personal pages should not give the impression that you are representing, giving opinions or otherwise making statements on behalf of the University, or any unit of the University, unless you are appropriately authorised to do so. Where appropriate, an explicit disclaimer should be included unless it is clear from the context that you are not representing the University. An appropriate disclaimer is:

    "The views and opinions expressed within these pages are personal and should not be construed as reflecting the views and opinions of Oxford Brookes University."

    4. Identification

    All Web sites under University jurisdiction must display information on the ownership of sites, including a contact name (or job title, where appropriate) and the date of the last update. If the site consists of more than one page, the ownership information must appear on at least one page (preferably the first).

    5. Relevant Law and University Policy

    1. Use of University Name, Logo and Corporate Colours
      The University name, official logo, design and colour scheme must not be used on personal Web pages. This regulation applies to Web pages resident on University or non-University servers. Links from an Oxford Brookes University page to any non-University site must not imply University endorsement of that site’s products or services, unless endorsement has been officially approved by the Vice Chancellor or the Deputy Vice Chancellor and Registrar. In the absence of such approval, a disclaimer should be displayed if non-endorsement is not evident from the context. An appropriate disclaimer is:

      "Links on these pages to commercial sites do not represent endorsement by Oxford Brookes University."

    2. Copyright
      Contents of all electronic publications must follow University standards regarding copyright, and the Copyright, Designs and Patents Act 1988 and associated acts and regulations. You must secure permission when including copyright or trademark material, such as text, photographic images, video, or graphic illustrations. You should be aware that publishing material on a Web page will put that material into the international domain. It would be prudent to include an assertion of any relevant intellectual property rights, such as a claim to copyright or moral rights. Further information on intellectual property rights is available on the Library web pages.
    3. Personal Information
      The collection, handling or disclosure of personal information about any individual(s) must be done in line with the Data Protection Act 1998 and the University’s Data Protection Policy. Sensitive personal data, that is information relating to health, race, religion, sexual life, criminal record and trade union or political affiliation, must not be collected or processed in any way without the consent of the individual. You may wish to refer to the University’s Information Compliance Officer for information or advice on handling personal data which are displayed or collected on a Web page.
    4. Computer Use
      The Regulations for the Use of IT Facilities govern all University computing and networking activities.

    5. Unlawful Activities
      University web pages, both corporate and personal, shall not be used for unlawful activities, including:

      - the making of libellous or defamatory statements
      - the display of pornographic material
      - the incitement of racial hatred

    6. Other Laws and University Policies
      You must familiarise yourself with the relevant University Policies, Guidelines, and any laws which apply to electronic publishing.

    E14 Data Protection Guidelines for Academic Staff

    1. Introduction
    The Data Protection Act is concerned with the handling of personal information, covers both manual and electronic records and stipulates the setting of security standards. As part of the University's compliance with the legislation it has published an Information Security Policy and E13 Data Protection Policy and it is important that you make yourself familiar with them. These guidelines are intended as a supplement to those policies. Further information and advice are available from the Information Compliance Team on ext 4354 or by email at info.sec@brookes.ac.uk
    2. Standard Information
    All staff process information about students on a regular basis, when marking registers, writing reports or references, or as part of a pastoral or academic supervisory role. The University will ensure through registration procedures that all students are notified of such processing, as required by the Act, and give their consent where necessary. The information that staff deal with on a day-to-day basis is "standard" and covers categories such as:
    • General personal details such as name and address;
    • Details about class attendance, course work marks and grades and associated comments;
    • Notes of personal supervision, including matters about behaviour and discipline;
    • Sponsorship details.
    3. Sensitive Information
    Information about a student’s physical or mental health, ethnicity or race, political or religious views, trade union membership, sexual life, or criminal record is classified as sensitive information under the Data Protection Act. Such information can only be collected and processed when permitted or required by law or with the student’s express (written) consent. Examples would include:
    • keeping of sick notes;
    • recording information about dietary needs, for religious or health reasons, prior to taking students on a field trip;
    • recording information that a student is pregnant, as part of pastoral duties.
    Disclosure of such information without explicit consent is permitted only in exceptional circumstances, for example if the University is under a statutory obligation to make the disclosure or if the disclosure is in the vital interests of the student (information about a medical condition may be disclosed in "life or death" circumstances). Sensitive information must be protected with a higher level of security. It is recommended that sensitive records are kept separately in a locked drawer or filing cabinet, or in a password protected computer file, or, if held on a mobile device, protected by encryption. If you (or one of your students) are holding, or intending to hold, sensitive personal information which is outside routine University processing, you should notify your manager or, if for research purposes, your research supervisor and your Faculty Research Ethics Team. Every application to the University's Research Ethics Committee must include details of the measures to be taken to ensure the security of personal data.
    4. Processing of Personal Information
    Processing refers to any action involving personal information, including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying information. When processing personal information, you must comply with the data protection principles, which are set out in the Data Protection Policy (regulation E13). In particular, you should ensure that records are:
    • accurate
    • up-to-date
    • fairly and legally obtained
    • kept and disposed of safely
    For further details please refer to the University’s record retention schedule.
    5. Project and Research Supervisors
    If you supervise students doing work that involves the processing of personal information, you should ensure that those students are aware of the Data Protection Principles, in particular, the requirements to notify and to obtain the data subject’s consent where appropriate. Students should be referred to the Faculty Research Ethics Team or the Information Compliance Team for further information.
    6. Handling Enquiries
    When students ask to see information about themselves, you should, where possible, deal with these enquiries informally. If an informal response is not appropriate, you should advise the student to make a formal Subject Access Request under the Data Protection Act. Such requests should be directed to the Information Compliance Team. For all requests, both formal and informal, the information has to be provided within the 40 calendar days permitted by the Data Protection Act. You should not disclose personal information over the telephone unless you are able to validate the identity of the person making the request. You may disclose personal information to other staff members who require the information in order to carry out their normal duties. You should not disclose personal information to any third party, e.g., to a parent or sponsor, except with the consent of the student or where this is permitted or required by legislation. In exceptional and urgent circumstances (e.g. cases where there are reasonable grounds for believing that an individual has become a danger to him/herself or others, or has committed / is about to commit a serious crime), you may release personal information directly to a law Team. Be sure to establish the identity of the law Team before releasing the information, and keep a record of the incident including name, date, circumstances and information disclosed. The details of any such disclosures should be reported to the Information Compliance Team.
    7. Examination Marks
    You should be aware that students are entitled to see preliminary marks and comments which contribute to final assessments. SEC and MEC minutes will also be subject to access requests unless they are anonymised. Similarly, when writing an academic reference, you should keep in mind that it may be subject to an access request by the student to the recipient. The Academic Registry publishes E11 Procedures for the Preparation of Student References, and the Supporting Students Handbook provides a template that you can work from.
    8. Private Files
    It is essential that relevant information is available to all University staff, so the case for holding "private", separate files has to be justified as being in the interest of the student (e.g., where the data is particularly sensitive). The information contained in them will still be subject to the student’s right of access and you must ensure compliance with the notification requirements of the Act. Wherever possible, you should avoid duplication or fragmentation of student files.
    9. Home Working
    When working from home or on a laptop or tablet computer, you must maintain appropriate levels of security, including anti-virus (also known as anti-malware) software. It is recommended that you ensure personal information is not stored on your domestic PC or computing device if this is used by other members of your family or household. University data containing personal information should not be placed on portable devices unless it is necessary for a University business purpose, such processing has been authorised, and the information is protected by encryption software. If it is found necessary to work off site with University personal data then, in addition to encryption if held electronically, you must take sensible precautions to keep the data physically secure, for example by using a lockable briefcase, storing data in the locked boot of a car while travelling, or keeping the data in a secure location if held off site. If you have concerns about the security of data, please consult the University Information Compliance Team for further guidance.
    10. Exemption for Research Records
    There is an exemption from some parts of the Data Protection Act where data is being processed for research and statistics. Information collected for the purpose of one piece of research can be used for other research, without breaching the "specified processing" principle (see the E13 Data Protection Policy), and can be kept indefinitely. For example, staff and students involved in academic research can keep records of questionnaires and contacts, so that the research can be re-visited at a later date, or so that, in support of a research project looking at an associated area, they can re-analyse the information. Researchers must ensure that the final results of the research do not identify the individual, or they will be subject to access requests under the 1998 Act. This exemption is only applicable to academic research and cannot be relied on to prevent access to information about a particular individual following research carried out for a redundancy or efficiency exercise, for example.

    For further information about these regulations, please contact the Information Compliance Team.