• IT Policies, Procedures and Regulations

    The policies and procedures in this section are intended to be used as working documents so please check from time to time to see if they have been updated. If you cannot find the policy or procedure you are looking for please contact the information compliance team for guidance at info.sec@brookes.ac.uk.

  • IT acceptable use policy

      IT Acceptable Use Policy

    1. Policy Objectives

    1.1 The principal aims of this policy are to secure the University’s compliance with its legal obligations, as an internet service provider, as a licensee and as a publisher, and to protect the value and integrity of the digital information held within or accessed through the University’s IT facilities.

    1.2 A further purpose of this policy is to provide authorised users of the University IT with a safe and acceptable working environment. The University does not intend to obstruct or limit the use of information without reason but makes rules to establish and maintain good practice and to deliver its policy objectives; this is done for the benefit of the University community as a whole.

    1.3 The University possesses and uses computer systems, networks and allied hardware and other peripherals as an integral and pervasive part of its operations. In addition to protecting the considerable investment that the University has made to secure these facilities, the University’s ability to function and its good reputation depend on the efficient and full operation of its IT capability; the security and preservation of the University systems and of its digital data are of paramount importance. This policy is part of the governance framework which provides rules for managing the risks arising from complex systems and a large number of users.

    2. Scope

    The policy applies to Governors, staff, students and other users authorised by the University and taking legitimate access to the University’s systems. Examples of such authorised users include visiting academics, consultants whose work for the University requires access to the University’s systems, representatives of suppliers engaged in work under their employer’s contract with the University and associate staff engaged with the University’s higher education or research functions.

    3. Provision of service and basic service rules for the use of University IT including confidentiality

    3.1 The University provides IT facilities primarily for academic reasons and for the conduct of legitimate University business, not for the purposes of entertainment, shopping or other private use.

    3.2 Users must treat information that they access or see via the University’s IT systems as confidential, unless the information is clearly intended to be public or disclosable in the context in which it is made available.

    3.3 Users must contact the University’s IT Services for any change or modification to hardware and software; any such change should be made only by authorised members of the University’s staff.

    3.4 Users are required to respect the legitimate access to the IT facilities by other users and must not obstruct this or remove or interfere with output created by any other user.

    3.5 Users must be considerate when using the University’s IT facilities, including keeping noise to a minimum and keeping behaviour to that appropriate to an academic or business setting; in other words, conduct should be quiet and orderly.

    3.6 Although the University’s IT facilities are provided primarily for legitimate academic and business purposes, the University permits limited personal use of email and of the internet subject to the rules set out in this policy and provided that such use does not conflict with the University’s interests, such as the proper performance by staff of their work for the University.

    3.7 Access to another person’s emails will only be granted with the explicit consent of the University’s Chief Information Officer or Chief Operating Officer.

    3.8 The ownership of material created via the University’s IT facilities is treated in accordance with the University’s Intellectual Property Policy (see www.brookes.ac.uk/research/policies-and-codes-of-practice).

    3.9 Staff users are restricted in their access to the University’s staff-only information systems. Each staff user is granted initial data access as determined by their line manager. Additional access, as required by staff users on a case by case basis, will be subject to the University’s Access Control Policy.

    4. Prohibitions and restrictions

    Password and identity integrity

    4.1 Revealing any account password (or associated secret authentication information) to others or allowing use by another person, including family and other household members.

    4.2 Circumventing user authentication or security of any host, network service or account.

    4.3 Impersonating another user.

    Hacking and similar misuse

    4.4 Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's network session, via any means, locally or via the Internet/Intranet/Extranet.

    4.5 Gaining unauthorized access to, or intentionally damaging, other computer systems, network services or the information contained within them. This includes erasing, altering, corrupting or tampering with any information other than in the legitimate conduct either of University business for staff or for the proper furtherance of academic study for students.

    4.6 Executing any form of network monitoring that will intercept data not intended for the user’s host.

    4.7 Port scanning or security scanning unless being conducted by authorized members of the University’s IT Services (or third parties specifically authorized by IT Services.)

    4.8 Introducing malicious programs into the network or server (e.g. viruses, worms, Trojan horses, email bombs etc.)

    4.9 Effecting security breaches or disruptions of network communication. Examples of security breaches are accessing data of which the user is not an intended recipient or logging into a server or account that the user is not expressly authorised to access. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.


    4.10 Any unlawful activity not otherwise covered.  Examples of such unlawful activity include:

    a) infringement of intellectual property rights including distributing or obtaining illegally copied software, media or other material

    b) breaching another person’s privacy

    c) harassment or bullying

    d) defamation

    e) sending unsolicited advertising or promotional material

    f) conducting any corrupt practice

    g) fraud

    h) theft

    i) gambling.

    4.11 The creation, transmission, storage, downloading or display of any offensive, obscene, discriminatory (either on the grounds of sex, disability, colour, race, religion or belief, or sexual orientation), indecent, explicit or threatening data or other material, unless such access is necessary for one or more of:

    a) authorized research activity

    b) investigatory or disciplinary process

    c) whistleblowing

    d) co-operation with the Police, Prevent or other official enquiry.

    Users should be aware that the University takes its responsibility under the Counter-Terrorism and Security legislation extremely seriously including those requirements detailed in law and referred to as the "Prevent Duty".  Consequently, users must not deliberately create, display, produce, store, circulate or transmit material related to terrorism or extremist ideology in any form or medium except where required for the purposes set out at 4.11 a) to d) above.  

    Confidentiality including email forwards

    4.12 Disclosing any information about, or providing lists of, University staff or students to any party not employed by the University (unless in the course of legitimate University business or authorised by a member of the senior management of the University.)

    4.13 Storing any confidential information on any system other than one provided by the University, unless formally approved by the University’s IT Services.

    4.14 Sending any confidential information online by any means, without utilising appropriate, approved, security methods. Online communications may be subject to interception by persons outside the University and such interception may not be detectable or perceptible by the user. Any encryption software used should be provided by or approved by the University’s IT Services. 

    4.15 Using an automatic forwarding facility for email which takes email from a University account to an outside network unless, in the case of staff, this has been approved by an appropriate manager. Automatic email forwarding may result in the inadvertent transmission of sensitive information to external email accounts and users should therefore exercise utmost caution when sending any email from a University account to an outside network.

    Miscellaneous prohibitions

    4.16 Private profit, except to any extent authorised in writing under a user’s conditions of employment or other express agreement with the University.

    4.17 Connecting any unsecured, internet-capable device to the University’s IT systems.

    4.18 Failing to read or adhere to the terms and conditions of any licence agreements relating to the relevant IT facilities including software, equipment, consumables, services, databases, platforms, publications and goods.

    5. Monitoring, breach and enforcement

    5.1 Although the University respects and appreciates the value of personal privacy, its IT systems are provided for academic and business purposes and users should have no expectation of privacy when using the University’s IT facilities.  

    5.2 Any user becoming aware of any suspected, accidental, or intentional illegal action or misuse must report this immediately to the IT Service Desk or to an appropriate member of staff. 

    5.3 The University has the right to monitor all usage of the IT, communications and computer systems at any time and without notice. Examples of specific circumstances where the University may choose to monitor are:

    1. to ensure the proper working of the systems or to assist troubleshooting

    2. to ensure that all users comply with University policies, practices and procedures (including but not limited to this policy)

    3. to investigate or detect the unauthorised use of Oxford Brookes University's systems.

    5.4 The University may inspect, lock, block, scan, clone or remove any computer or drive or information at any time at its sole discretion.

    5.5 Users should be aware that breach of these rules may constitute a criminal offence or result in disciplinary action under either the Student Conduct Regulations or the Staff Conditions of Service.

    5.6 The University will cooperate with law enforcement authorities to prosecute offenders.

    6. Related policies

    6.1 Users accessing social media should refer to the Oxford Brookes University Social Media Guidelines (available at www.brookes.ac.uk/services/hr/handbook/terms_conditions/social_media_guidelines.html).

    6.2 Users should also refer to these related policies:

    a) security sensitive material (www.brookes.ac.uk/research/policies-and-codes-of-practice)

    b) information security incident management policy (see policies below)

    c) access control policy for staff (see policies below)

    d) intellectual property policy (www.brookes.ac.uk/research/policies-and-codes-of-practice)

    7. Change procedure and notice of changes

    7.1 This policy shall be reviewed at least annually by the Chief Information Officer or his nominee, currently the Head of Information Management.

    7.2 Where the Chief Information Officer considers that one or more material changes have been made to the policy, the policy shall be presented to the University’s Executive Board as a consultation document.

    7.3 The Chief Information Officer is responsible for keeping the policy accessible to users and for bringing changes of significance to the attention of users by whatever means he thinks appropriate.

    7.4 Changes to this policy are authorized with immediate effect by the Chief Operating Officer on the advice of the Chief Information Officer whether at a meeting of the University’s Executive Board or otherwise.

  • Key Information Security Policies

  • A key feature of GDPR is transparency, and privacy notices are the principal way of delivering this, letting individuals know what personal information Oxford Brookes collects and why, who we may share it with and what your rights under the legislation are.

    Personal data is any information that can be used to identify a single, living individual, whether it relates to private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.

    Student Privacy Notice

    Staff Privacy Notice

    Information Security Policy

    1. Introduction

    Oxford Brookes University recognises that information and the associated processes, systems and networks are valuable assets and that the management of personal data has important implications for individuals. Through its security policies, procedures and structures, the University will facilitate the secure and uninterrupted flow of information, both within the University and in external communications. The University believes that security is an integral part of the information sharing which is essential to academic and corporate endeavour and this Policy is intended to support information security measures throughout the University.

    2. Definition

    2.1 For the purposes of this document, information security is defined as the preservation of:

    • confidentiality: protecting information from unauthorised access and disclosure
    • integrity: safeguarding the accuracy and completeness of information and processing methods
    • availability: ensuring that information and associated services are available to authorised users when required.

    2.2 Information exists in many forms. It may be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of the law and statutory, regulatory or contractual obligations.

    3. Protection of Personal Data

    The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. When handling such information, the University, and all staff or others who process or use any personal information, must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the 1998 Act). Responsibilities under the 1998 Act are set out in the Data Protection Policy.

    4. Information Security Responsibilities

    4.1 The University believes that information security is the responsibility of all students and members of staff. Every person handling information or using University information systems is expected to observe the information security policies and procedures, both during and, where appropriate, after his or her time at the University.

    4.2 This Policy is the responsibility of the Executive Board; supervision of the Policy will be undertaken by the Senior Management Team. This policy may be supplemented by more detailed interpretation for specific sites, systems and services (see relevant policies and regulations). Implementation of information security policy is managed through the Information Security Working Group which reports to the Chief Information Officer.

    4.3 The University’s IT Services directorate has operational responsibility for the University’s IT systems and will therefore take action wherever necessary to protect those systems.

    5. Information Security Education and Training

    The University recognises the need for all staff, students and other users of University systems to be aware of information security threats and concerns, and to be equipped to support University security policy in the course of their normal work. The Information Compliance team has implemented a training programme in data protection for all members of staff who process personal data and, at the behest of the University's Faculties and Directorates, will provide or arrange the provision of training in information security matters to answer particular requirements.

    6. Compliance with Legal and Contractual Requirements

    6.1 Authorised Use: University IT facilities must only be used for authorised purposes. The University may from time to time monitor or investigate usage of IT facilities; and any person found using IT facilities or systems for unauthorised purposes, or without authorised access, may be subject to disciplinary, and where appropriate, legal proceedings.

    6.2 Monitoring of Operational Logs: The University shall only permit the inspection and monitoring of operational logs by the appropriate staff from the University’s IT Services directorate or where it has been otherwise authorised. Disclosure of information from such logs, to officers of the law or to support disciplinary proceedings, shall only occur (i) when required by or consistent with law; (ii) when there is reason to believe that a violation of law or of a University policy has taken place; or (iii) when there are compelling circumstances (circumstances where failure to act may result in significant bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of University policies).

    6.3 Access to University Records: In general, the privacy of users' files will be respected but the University reserves the right to examine systems, directories, files and their contents, to ensure compliance with the law and with University policies and regulations, and to determine which records are essential for the University to function administratively or to meet its teaching obligations. Except in emergency circumstances, authorisation for access must be obtained from the Chief Information Officer or the Chief Information Officer’s nominee, and shall be limited to the least perusal of contents and the least action necessary to resolve the situation.

    6.4 Protection of Software: To ensure that all software and licensed products used within the University comply with the Copyright, Designs and Patents Act 1988 and subsequent Acts, the University may carry out checks from time to time to ensure that only authorised products are being used. Unauthorised copying of software or use of unauthorised products by staff or students may be grounds for disciplinary, and where appropriate, legal proceedings.

    6.5 Virus Control: The University will maintain detection and prevention controls to protect against malicious software and unauthorised external access to networks and systems. All users of electronic devices issued by the University or used for University business shall comply with best practice, as determined from time to time by the University’s IT Services, in order to ensure that up-to-date virus protection is maintained.

    7. Asset Management

    All University information assets (data, software, computer and communications equipment) shall be accounted for and have a designated owner. The owner shall be responsible for the maintenance and the protection of the asset/s concerned.

    8. Physical and Environmental Security

    Physical security and environmental conditions must be commensurate with the risks to the area concerned. In particular, critical or sensitive information processing facilities must be housed in secure areas protected by defined security perimeters with appropriate security barriers and/or entry controls.

    9. Information Systems Acquisition, Development and Maintenance

    9.1 Information security risks must be identified at the earliest stage in the development of business requirements for new information systems or enhancements to existing information systems.

    9.2 Controls to mitigate the risks must be identified and implemented where appropriate. 

    10. Access Control

    10.1 Access to information and information systems must be driven by business requirements and be commensurate and proportionate to the business need.

    10.2 A formal access control procedure shall be required for access to all information systems and services. 

    11. Communications and Operations Management

    Responsibilities and procedures for the management, operation and ongoing security and availability of all data and information processing facilities must be established. 

    12. Retention and Disposal of Information

    All staff have a responsibility to consider security when disposing of information in the course of their work. Owners of information assets should establish procedures appropriate to the information held and processed and ensure that all staff are aware of those procedures. Retention periods should be set in consultation with the University Records Manager.

    13. Reporting

    All staff, students and other users should report immediately via the Servicedesk portal https://service.brookes.ac.uk, or by telephone to the Service Desk on tel. ext. 3311, any observed or suspected security incidents where a breach of the University's security policies has or may have occurred, and any security weaknesses in, or threats to, systems or services.

    14. Business Continuity

    The University will implement, and regularly update, a business continuity management process to counteract interruptions to normal University activity and to protect critical processes from the effects of failures or damage to vital services or facilities. A copy of the Oxford Brookes Business Continuity Policy can be found on the Business Continuity page.

    Data Protection Policy

    1. Introduction

    1.1 The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. When handling such information, the University, and all staff or others who process or use any personal information, must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the Act).

    In summary these state that personal data shall:

    1. be processed fairly and lawfully,
    2. be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with the purpose,
    3. be adequate, relevant and not excessive for the purpose,
    4. be accurate and up-to-date,
    5. not be kept for longer than necessary for the purpose,
    6. be processed in accordance with the data subject's rights,
    7. be kept safe from unauthorised processing, and accidental loss, damage or destruction,
    8. not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data, except in specified circumstances.

    1.2 Definitions

    "Staff", "students" and "other data subjects" may include past, present and potential members of those groups.

    "Other data subjects" and "third parties" may include contractors, suppliers, contacts, referees, friends or family members.

    "Processing" refers to any action involving personal information, including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying information.

    2. Notification of Data Held

    2.1 The University shall notify all staff and students and other relevant data subjects of the types of data held and processed by the University concerning them, and the reasons for which it is processed. The information which is currently held by the University and the purposes for which it is processed are set out in the Appendix 1 to this Policy. When processing for a new or different purpose is introduced the individuals affected by that change will be informed and the Appendix 1 will be amended.

    3. Staff Responsibilities

    3.1 All staff shall

    • ensure that all personal information which they provide to the University in connection with their employment is accurate and up-to-date;
    • inform the University of any changes to information, for example, changes of address;
    • check the information which the University shall make available from time to time, in written or automated form, and inform the University of any errors or, where appropriate, follow procedures for updating entries on computer forms.

    The University shall not be held responsible for errors of which it has not been informed.

    3.2 When staff hold or process information about students, colleagues or other data subjects (for example, students' course work, pastoral files, references to other academic institutions, or details of personal circumstances), they should comply with the Data Protection Guidelines for Academic Staff.

    3.3 Staff shall ensure that

    • all personal information is kept securely;
    • personal information is not disclosed either orally or in writing, accidentally or otherwise to any unauthorised third party. Unauthorised disclosure may be a disciplinary matter, and may be considered gross misconduct in some cases.

    3.4 When staff supervise students doing work which involves the processing of personal information, they must ensure that those students are aware of the Data Protection Principles, in particular, the requirement to obtain the data subject's consent where appropriate.

    4. Student Responsibilities

    4.1 All students shall

    • ensure that all personal information which they provide to the University is accurate and up-to-date;
    • inform the University of any changes to that information, for example, changes of address;
    • check the information which the University shall make available from time to time, in written or automated form, and inform the University of any errors or, where appropriate, follow procedures for updating entries on computer forms.

    The University shall not be held responsible for errors of which it has not been informed.

    4.2 Students who use the University computer facilities may, from time to time, process personal information (for example, in course work or research). In those circumstances, they must notify their course tutor or research supervisor in the relevant Faculty who will provide further information about their responsibilities in processing personal data.

    5. Rights to Access Information

    5.1 Staff, students and other data subjects in the University have the right to access any personal data that is being kept about them either on computer or in structured and accessible manual files. Any person may exercise this right by submitting a request in writing to the Information Compliance Officer.

    5.2 The University will make a charge of £10 for each official Subject Access Request, except for requests involving Health Records where the University may charge up to £50 for each request if those records are held either wholly or partly in non-electronic form.

    5.3 The University aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days unless there is good reason for delay. In such cases, the reason for the delay will be explained in writing by the Information Compliance Officer to the data subject making the request.

    6. Subject Consent

    6.1 In some cases, such as the handling of sensitive information or the processing of research data, the University is entitled to process personal data only with the consent of the individual. Agreement to the University processing some specified classes of personal data is a condition of acceptance of a student on to any course, and a condition of employment for staff. (See Appendix 1)

    7. Sensitive Information

    7.1 The University may process sensitive information about a person's health, disabilities, criminal convictions, race or ethnic origin, or trade union membership. For example, some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18, and the University has a duty under the Children Act 1989 and other enactments to ensure that staff are suitable for the job, and students for the courses offered. The University may also require such information for the administration of the sick pay policy, the absence policy or the equal opportunities policy, or for academic assessment.

    7.2 The University also asks for information about particular health needs, such as allergies to particular forms of medication, or conditions such as asthma or diabetes. The University will only use such information to protect the health and safety of the individual, for example, in the event of a medical emergency.

    8. The Data Controller and the Designated Data Controllers

    8.1 The University is the data controller under the Act, and the Vice Chancellor is ultimately responsible for implementation. Responsibility for day-to-day matters will be delegated to the Heads of Faculties and Directors as designated data controllers. Information and advice about the holding and processing of personal information is available from the University's Information Compliance Officer.

    9. Assessment Marks

    9.1 Students shall be entitled to information about their marks for assessments; however, this may take longer than other information to provide. The University may withhold enrolment, awards, certificates, accreditation or references in the event that monies are due to the University.

    10. Retention of Data

    10.1 The University will keep different types of information for differing lengths of time, depending on legal, academic and operational requirements. Information and advice about the recommended retention times are available from the University Records Manager.

    11. Compliance

    11.1 Compliance with the Act is the responsibility of all students and members of staff. Any deliberate or reckless breach of this Policy may lead to disciplinary, and where appropriate, legal proceedings. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Information Compliance Officer by telephone on extension 4354 or by e-mail at info.sec@brookes.ac.uk.

    11.2 Any individual who considers that the policy has not been followed in respect of personal data about him- or herself should raise the matter with the designated data controller initially. If the matter is not resolved it should be referred to the University Information Compliance Officer and may be pursued through the staff grievance or student complaints procedure.

    Appendix 1 University Information Processing

    The University has notified the Information Commissioner that personal information may need to be processed for the following purposes:

    1. Staff, Agent and Contractor Administration
    2. Advertising, Marketing, Public Relations, General Advice Services
    3. Accounts & Records
    4. Education
    5. Student and Staff Support Services
    6. Research
    7. Other Commercial Services
    8. Publication of the University Magazine
    9. Crime Prevention and Prosecution of Offenders
    10. Alumni Relations
    11. Information and Databank Administration

    The Public Register of Data Controllers on the Information Commissioner's website contains full details of the University's current registration. The register entry provides:

    • a fuller explanation of the purposes for which personal information may be used
    • details of the types of data subjects about whom personal information may be held
    • details of the types of personal information that may be processed
    • details of the individuals and organisations that may be recipients of personal information collected by the University
    • information about transfers of personal information.

    For further information about these regulations, please contact the Information Compliance Officer. 

    Administrator Rights Policy

    Policy statement

    By default the University grants colleagues administrator logon rights on new Windows and Mac-based computers. If you have an existing device and would like to request a local administrator account, please do so using this form. These rights allow you to:

    • install software

    • modify system settings

    • manage other users of the device.

    It is important that when using your local administrator account, you adhere to the following guidelines to protect the University’s systems, devices and network:

    • change your portal password every 90 days, ensuring that it is a strong password of at least 12 characters.

    • maintain the integrity of your workstation by not taking excessive risk by installing software from the internet

    • always work whilst logged into your standard, non-administrative user account and only use the local administrator account to elevate privileges at the time when you need them

    • ensure you do not grant administrator privileges to your standard user account or any other person’s account or domain

    • provide IT Services with licensing information for any software personally installed, Brookes owned or otherwise, on your device

    • routinely check that your anti-virus software is updating, checking for and eliminating spyware, or any similar data gathering and reporting software, from your workstations

    • do not share your local administrator account details with others

    • report any system failures and security issues to IT Services at the earliest opportunity

    • keep up-to-date with, and adhere to, all IT policies including, but not limited to, the IT Acceptable Use Policy

    • do not interfere with any automatic updating/patching or enforced policies or services performed or provided by IT Services.

    The University recognises that by giving colleagues administrative rights and enabling you to manage your workstations, productivity and operational efficiency can be substantially increased. However, Administrator access to a computer can lead to unintended and unauthorised configurations that may cause both you and the IT support service difficulties operationally and potentially legally.

    Support for University devices

    All University-owned devices that have access to the network, either wired or wireless, are required to be configured to the following standards:

    • the device must be a member of a recognised university domain or management system

    • the device must have the current required management software installed including, but not limited to, power management, software compliance toolsets, configuration management toolsets. (Management software may vary by device type)

    • the device must have active, current and correctly configured anti-virus software

    • the device must be patched with operating system and third party vendor patches to a level required by IT Services.

    Any customisation of a device to a configuration other than that provided or supported by IT Services will be lost in the event of a computer failure. Its restoration will be to a standard pre-customisation configuration.

    Staff responsibilities

    The University reserves the right to restore a machine to a standard configuration if that machine is found to be a security risk. In such cases the University will not be responsible for any resultant data losses.

    The University reserves the right to decline requests for administrator rights on any device for which access must be restricted due to its function, location or use by multiple users.

    Misuse of administrator rights is defined as, but not limited to:

    • downloading software that is malicious, by intent or otherwise

    • downloading unlicensed/illegal software

    • downloading and/or distributing copyrighted material without permission

    • permitting public, or unauthorised, access to data that is restricted in nature

    • failure to adhere to the policies and procedures outlined above.

    Access Control Policy

    1. Policy Objectives

    1.1 To define the requirements of Oxford Brookes University (OBU) to ensure that access to information assets is authorised and subject to identification and authentication controls.

    1.2 To establish the requirements for controlling access to OBU information or information that it is responsible for, including computing and physical resources.  Computer systems, networks and allied hardware and other peripherals are an integral part of our operations and represent substantial investment.

    1.3 It is the purpose of the Access Control Policy to ensure that all access to information assets is properly authorised, maintained and reviewed.

    2. Policy Scope

    2.1 This Access Control Policy shall apply to all access to OBU's information assets.

    2.2 All Users provided with access to OBU's information systems shall comply with this Access Control Policy as indicated in the IT Acceptable Use Policy.  

    2.3 Access to physical and non-physical assets will be governed under the same principles.

    2.4 This Access Control Policy shall establish the Logical and Physical Access control requirements for protecting the entire university's information systems and hardcopy data.

    3. Policy Statement

    3.1 This Access Control Policy forms part of Oxford Brookes University’s Information Security Management System (ISMS) Framework as defined in the Information Security Policy.

    3.2 This policy should be read in conjunction with OBU’s IT Acceptable Use Policy, which summarises what OBU deems to be acceptable use of information systems.

    3.4 OBU’s information systems are provided for business purposes only and this Access Control Policy is used to ensure that Users:

    • Comply fully with current legislation;
    • Comply with other relevant OBU policies;
    • Do not introduce unnecessary risk to OBU.

    3.5 Access allocation shall be monitored to ensure compliance with this Access Control Policy.

    3.6 All Users who use the university's information assets and information systems shall be responsible for safeguarding those resources, and the information that the Information Owners hold, from disruption or destruction.

    3.7 The Access Control Policy shall apply to all Users who have access to the university's information assets, including remote access.

    3.8 Failure to comply may result in the offending employee being subject to disciplinary action up to and including termination of employment as per the Information Security Policy.

    3.9 The use of the university's information assets and information systems indicates acceptance of this Access Control Policy.

    4. Implementation Responsibilities

    4.1 Oxford Brookes University IT Services shall ensure that Users are provided with education and training to ensure compliance with this Access Control Policy.

    4.2 Oxford Brookes University IT Services shall develop, maintain and publish standards, processes, procedures and guidelines to achieve compliance with this Access Control Policy.

    4.3 Annually review the Access Control processes, standards and procedures, to achieve compliance with this Access Control Policy and shall support the Access Control Strategy and provide security specific input and guidance where required.

    4.4 IT asset owners and authorised users shall be assigned for each identified IT asset in order to approve or reject requests for access to their system.

    4.5 IT asset owners and authorised users shall check the validity of all user access requests to information assets owned by them before implementation.

    4.6 IT asset owners and authorised users shall authorise employees requiring access to information assets owned by them.

    4.7 Human Resources (HR) shall inform the IT department of users starting, moving and leaving the university.

    4.8 All appropriate managers shall authorise any requirement for changes to a user's access rights on the information systems.

    4.9 Users shall not share access codes and/or passwords; if access to other information systems is required then a formal request shall be put forward for authorisation by an appropriate manager.

    4.10 Users shall not share their physical access cards; if physical access to restricted areas is required then a formal request shall be put forward for authorisation by the line manager.

    4.11 Users shall be responsible for the security (and secrecy) of their own secret authentication information.  In no circumstances is secret authentication information to be shared.

    4.12 Users shall ensure incidents are reported and escalated in line with the documented Information Security Incident Management Procedure.

    4.13 The University shall be responsible for ensuring all Users of OBU's information systems read and acknowledge the policy principles extracted from this Access Control Policy and included in the Acceptable Use Policy.

    5. Policy Principles

    5.1 All information assets shall be "owned" by a named individual within OBU.

    5.2 A process for user access requests, which mandates the steps to be taken when creating or modifying user access shall be defined, documented, annually reviewed and updated. The scope of this process must include network, application and database access and be applicable to any third party access.

    5.3 Access to information assets shall be restricted to authorised employees and shall be protected by appropriate physical and logical authentication and authorisation controls.

    5.4 Users shall be authenticated to information systems using accounts and passwords. See OBU’s Password Policy for further details.

    5.5 Users are required to satisfy the necessary personal security criteria, as defined by OBU's Recruitment Policy, before they can be authorised to access information assets of a corresponding classification.

    5.6 Users who have satisfied all necessary criteria may be granted access to information assets only on the basis that they have a specific need to know, or to "have-access-to", those information assets.

    5.7 The classification of an information asset does not, in itself, define who is entitled to have access to that information.  Access is further filtered by any applicable privacy restrictions as dictated by other OBU Policies (such as the Data Protection Policy).

    5.8 Access privileges shall be authorised by the appropriate information Owner and allocated to employees, based on the minimum privileges required to fulfil their job function.

    5.9 Administrator accounts shall only be granted to those users who require such access to perform their job function.  Administrator accounts shall be strictly controlled and their use shall be logged, monitored and regularly reviewed.

    5.10 Users with administrator access shall only access sensitive data if so required in the performance of a specific task.

    5.11 Users with administrator access shall also have an unprivileged account, which shall be used for all purposes not requiring administrator access, including but not limited to electronic mail.

    5.12 Line managers, information asset owners and authorised users shall ensure rights and privileges granted to Users of information assets are reviewed at least every 6 months to ensure that they remain appropriate and to compare user functions with recorded accountability.  This shall include access to user accounts, which shall be revoked when they have been inactive for more than 90 days.

    5.13 Access shall be granted only to those systems or roles that are necessary for the job function of the user.  Regular maintenance will address the management of privilege creep.

    5.14 Detailed processes shall be developed and followed for terminating, modifying or revoking an employee's access, as part of the Movers/Leavers process.

    5.15 In certain instances, particular access may be required for emergency reasons, such as undertaking emergency system maintenance.  Requests for emergency access shall be directed to the OBU Chief Information Officer, or a member of the IT Services Executive, and shall be approved by the information asset owner or authorised user. Requests and approval should be documented, if possible, before the change is required stipulating an expiry period, which shall be enforced, for the access rights.  A request for change shall be documented retrospectively where it is not possible to do this in advance.

    5.16 All third party access (Contractors, Business Partners, Consultants, Vendors) shall be authorised by an appropriate information Owner and, if necessary, monitored.

    5.17 Third Party Access to information assets shall be granted in increments according to business need and identified risks. Information asset owners shall specify access timeframes and be prepared to offer justification for such access.

    5.18 Remote access to OBU's networks shall be appropriately authorised on a least privilege basis, with access only granted to systems and resources where there is an explicit business requirement.  Only employees of the university or authorised third parties shall be able to connect to the university's corporate infrastructure remotely.

    5.19 Only authorised personnel shall be given access to secure areas at the university's premises and any third party premises where sensitive information is processed or maintained, or physical assets are held.

    5.20 All access to areas hosting systems that store, process, or transmit sensitive data (e.g. datacentres) shall be controlled, monitored by cameras and logged.  Logs shall be regularly audited, correlated with other logs and securely stored for at least three months, unless otherwise restricted by law.

    5.21 All visitors shall have authorisation prior to entering any of the university's sites where sensitive data is processed or maintained.  

    5.22 All visits shall be logged and details of logs retained for a minimum of one month, unless otherwise restricted by law.  Reception staff shall be made aware of their responsibility to log every visitor to OBU sites.

    5.23 Employees shall challenge and/or report any visitors found unsupervised or acting suspiciously at any site where sensitive OBU data is processed or maintained.

    5.24 User account names and actions performed shall be recorded using Audit logging capabilities.

    5.25 The IT Services Information Management Team shall maintain plans indicating time schedules of all information security access audits to be performed across OBU to ensure compliance with this Access Control Policy.

    5.26 Site management shall perform a formal review of physical access rights at least every 6 months to identify unauthorised or expired access.  Access controls shall be revoked in instances where access is no longer necessary for job function.

    Information Security Incident Management Policy

    1. Introduction and Scope

    1.1 The University holds a large amount of information in a variety of media, physical and otherwise (including photos and videos). This includes personal and sensitive personal data, and also non-personal information which may be sensitive or commercially confidential (e.g. financial data) and may be subject to legal obligations of confidence, whether contractual or otherwise.

    1.2 The University has legal responsibilities both under the Data Protection Act and in respect of its own business (for example, under the common law of confidence) to safeguard information in its control. Care should be taken to protect information, to ensure its integrity and to protect it from loss, theft or unauthorised access.

    1.3 In the event of an information security incident (also referred to as a ‘data breach’), it is vital that appropriate action is taken to minimise associated risks.  A risk analysis should be performed; factors which need to be considered are:

    • The number of individuals affected
    • Type of data involved
    • Impact (on individuals, the University or its contractors)

    1.4 Any member of staff, student, contractor or pseudo-employee discovering or suspecting an information security incident must report it in accordance with this policy.

    2. What is an information security incident?

    2.1 An information security incident is an event whereby data held by the University, in any format, is compromised by being lost, destroyed, altered, copied, transmitted, stolen, used or accessed unlawfully or by unauthorised individuals whether accidentally or on purpose. Some examples:

    • Loss or theft of equipment on which data is stored, e.g. laptop or mobile phone

    • Unauthorised access to data

    • Human error, e.g. emails to wrong recipient; public posting of confidential material online; incorrect sharing of Google documents

    • Failure of equipment or power leading to loss of data

    • Hacking attack

    • Data maliciously obtained by way of social engineering (an attack in which a user is ‘tricked’ into giving a third party access, often by purporting to be someone other than they actually are)

    2.2 Information security incident reporting also includes instances of ‘near misses’ and identification of vulnerabilities where IT Services considers there is a high likelihood of an actual incident occurring.

    3. Reporting of the breach

    3.1 All information security incidents should be reported immediately to the IT Service Desk (via phone on ext. no. 3311, or the ServiceNow Portal), as the primary point of contact.

    3.2 The report should include full and accurate details of the incident, including who is reporting the incident; what type of data is involved (not the data itself unless specifically requested); if the data relates to people and if so, how many people are involved.

    3.3 The IT Services Information Management team is responsible for maintaining a confidential log of all information security events.

    4. Investigation and Response

    4.1 The Information Management team will consider the report, and where appropriate, instigate a Response Team. IT Services will lead the Response team and membership will depend on the type and severity of the incident. The response team will be responsible for investigating the circumstances and effect of the information security incident. An investigation will be started into material breaches within 24 hours of the breach being discovered, where practicable.

    4.2 The investigation will establish the nature of the incident, the type of data involved, whether the data is personal data relating to individuals or otherwise confidential or valuable. If personal data is involved, the associated individuals must be identified; if confidential or valuable data is concerned, the investigation will establish what the legal and commercial consequences of the breach may be.

    4.3 The investigation will consider the extent of the sensitivity of the data, and a risk assessment will be performed as to what might be the consequences of its loss.  This will include risk of damage and/or distress to individuals and the institution.

    4.4 The response team is responsible for formally documenting the incident and associated response. This information will (as a minimum) be subject to review by the Oxford Brookes University Information Security Working Group (ISWG) with serious incidents reviewed by the Chief Information Officer and other senior managers.

    5. Containment and Recovery

    5.1 The Response Team and IT Services Lead will determine the appropriate course of action and the required resources needed to limit the impact of the breach. For instance this may require isolating a compromised section of the network; alerting relevant staff or contractors; changing access codes/locks or shutting down critical equipment.

    5.2 Appropriate steps will be taken to recover data losses and resume normal business operation. This might entail attempting to recover any lost equipment, using backup mechanisms to restore compromised or stolen data and changing compromised passwords.

    5.3 For incidents that involve a suspected or actual criminal offence all efforts will be made to preserve evidence integrity.

    6. Escalation & Notification

    6.1 The details of the escalation and notification process are schematised in the appendix. A summary of this process is provided below.

    6.2 The information management team is responsible for initial assessment of an incident's severity based on the scope, scale and risk of the incident.

    6.3 This preliminary decision is then reviewed by the CIO and/or Director of IT Strategy, Information Management and Business Partnerships.

    6.4 If at this stage the incident is deemed serious then the University Senior Management Team will be notified.

    6.5 If a personal data breach of sufficient scale has occurred, the Information Management team will notify the Information Commissioner’s Office (ICO) within the prescribed statutory time limits and manage all communications between the University and the ICO.

    6.6 If the breach is deemed of sufficient seriousness (in line with ICO guidance), and concerns personal data, notice of the breach will be made to affected individuals to enable them to take steps to protect themselves. This notice will include a description of the breach and the steps taken to mitigate the risks, and will be undertaken by the Response Team. Liaison with the Police or other authorities may be required for serious events.

    7. Review

    7.1 Once the incident is contained a thorough review of the event will be undertaken by the Response Team, to establish the cause of the incident, the effectiveness of the response and to identify areas that require improvement.

    7.2 Recommended changes to systems, policies and procedures will be documented and implemented as soon as possible thereafter.  Targeted training may be offered to the department affected.

    7.3 All information security incidents will be subject to summary review by the ISWG so that any weaknesses or vulnerabilities that may have contributed to the incident can be identified, documented and resolved.

    Password Policy

    1. Statement of Policy

    1 Introduction and Policy Objectives

    1.1 The purpose of this Password Policy is to protect Oxford Brookes University (OBU) information assets from unauthorized use, and possible accidental or intentional misuse, through weak password security practice.

    1.2 The policy applies to all users (students, staff, consultants, contractors and visitors) who have been given access to OBU information and communication systems or who are using third-party systems or services which have been contracted for by OBU.

    1.3 On joining OBU, staff shall be required, as part of their terms and conditions, to keep all personal secret authentication information private and to keep any group secret authentication information solely within the members of the group.

    2 Password Creation

    2.1 All user-level and system-level passwords must conform to current best practice guidelines (so-called ‘strong’ passwords). For further information please contact the IT Service Desk; however, in general, ‘strong’ passwords have the following characteristics:

    • Contain both upper and lower case characters (e.g., a-z, A-Z)

    • Have digits and punctuation characters as well as letters e.g. 0-9,  -_.!~*()

    • Are at least twelve alphanumeric characters long

    • Are not based on personal information, names of family, etc.

    2.2 Users must not use the same password for OBU accounts as they do for personal / non-OBU accounts.

    2.3 Where possible, users must not use the same password for different accounts.

    2.4 User accounts that have system-level privileges granted through group memberships, or programs such as Sudo, must have a different password from all other accounts held by that user to access system-level privileges.

    3 Password Change

    3.1 Users must abide by local or application-specific guidelines on the frequency of password changes. Changing passwords in itself is not a guarantee of security.

    4. Password Protection

    4.1 Passwords must not be shared with anyone (including other OBU staff). All passwords are to be treated as sensitive and confidential OBU information.

    4.2 Do not write passwords down and store them in your office or place of work. Do not store passwords in a computer file unless the file itself is encrypted.

    4.3 The use of ‘remember my password’ in applications (e.g. browsers) is not recommended for OBU passwords.

    4.4 Any user that suspects their password may have been compromised must change it and inform the IT Service Desk immediately.

    4.5 The use of password manager (also known as password vault) applications is permitted. For further information please contact the IT Service Desk.

    5. Multi-Factor Authentication

    5.1 It is recommended that users enable multi-factor authentication functionality on all system accounts where available.

    6. Application Development

    6.1 Application developers must ensure that their programs contain the following security precautions:

    • Applications must support authentication of individual users, not groups.

    • Applications must not store passwords in a reversible form, and must use PBKDF2 where possible.

    • All password hashes must be salted.

    • Applications must not transmit passwords in cleartext over the OBU network.
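
    One way an application could meet the storage requirements in 6.1 (non-reversible, PBKDF2, salted) is sketched below. This is an added example, not OBU code: the record format, function names and iteration count are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# All constants below are assumptions for this example, not values from the policy.
ALGORITHM = "pbkdf2_sha256"     # label stored with every record
ITERATIONS = 600_000            # work factor for new records; tune to your hardware
MAX_ITERATIONS = 10_000_000     # refuse absurd counts in tampered records
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm$iterations$salt$derived_key."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(derived)}"


def _parse(record: str):
    """Split a stored record into (iterations, salt, key), or None if malformed."""
    try:
        algorithm, iterations_text, salt_b64, key_b64 = record.split("$")
        iterations = int(iterations_text)
        salt = base64.b64decode(salt_b64, validate=True)
        key = base64.b64decode(key_b64, validate=True)
    except ValueError:  # wrong field count, bad integer or bad base64
        return None
    if algorithm != ALGORITHM or not 1 <= iterations <= MAX_ITERATIONS:
        return None
    if not salt or not key:
        return None
    return iterations, salt, key


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the stored salt and compare in constant time."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record is malformed or was made with a weaker work factor."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    # Constructed sample password, for demonstration only.
    stored = hash_password("Correct-Horse-42!")
    print(stored)
    print(verify_password("Correct-Horse-42!", stored))  # matching password
    print(verify_password("wrong-password", stored))     # non-matching password
```

    Because the iteration count is stored with each record, the work factor can be raised later: after a successful login, call `needs_rehash` and re-store the password with `hash_password` if it returns true.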

    Network Security Policy

    1. Introduction and Policy Aim

    1.1 This document defines the Network Security Policy for Oxford Brookes University (OBU).  The Network Security Policy applies to all network hardware, services on the network and network attached systems.

    1.2 For the purpose of this policy a network is defined as Oxford Brookes University’s connected (physically and wirelessly) data network that allows computing devices (including phones) to exchange data.

    1.3 The aim of this policy is to ensure the security of the network. To facilitate this, the university shall:

    • Protect assets against unauthorised access or disclosure (Confidentiality)

    • Protect the network from unauthorized or accidental modification and ensure the accuracy and completeness of data assets (Integrity)

    • Ensure the network is accessible how and when users need it (Availability)

    2. Policy Objectives

    2.1 To protect all hardware, software and information assets under its control.  This will be achieved by implementing a set of well-balanced technical and non-technical measures.

    2.2 To provide effective protection that is commensurate with the risks to OBU network assets.

    2.3 To implement the policy and associated procedures in a consistent, timely and cost-effective manner.

    2.4 To ensure OBU is compliant with all relevant legislation, including (but not limited to):

    • The Data Protection Act 1998

    • Computer Misuse Act 1990

    • Human Rights Act 1998

    • Freedom of Information Act 2000

    • Electronic Communications Act 2000

    • Copyright, Designs & Patents Act 1988

    3. Physical & Environmental Security

    3.1 Network equipment (principally routers, switches and servers) shall be housed in a controlled and secure environment.  Critical or sensitive network equipment will be housed in an environment that is monitored for temperature, humidity and power supply quality.

    3.2 Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls.

    3.3 Critical or sensitive network equipment will be protected from power supply failures and protected by intruder alarms and fire suppression systems.

    3.4 Smoking, eating and drinking is forbidden in areas housing critical or sensitive network equipment.

    3.5 All visitors to secure network areas must be authorised by an appropriate manager.

    3.6 All visitors to secure network areas must be made aware of network security requirements.

    3.7 The movement of visitors to secure network areas must be recorded.  The log will contain name, organisation, purpose of visit, date, and time in and out.

    3.8 The Network Manager, or appropriate deputy, shall ensure that all relevant staff are made aware of procedures for visitors and that visitors are escorted when necessary.

    4. Access Control to the Network

    4.1 Access to limited-access network services shall be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access.  Remote access to the network will be via the University’s remote access software.

    4.2 Departmental business managers will approve user access to systems including network access via standard staff joiner/leaver processes.  

    4.3 Access rights to network services will be allocated on the requirements of the user's role, rather than on a status basis.

    4.4 All users of network services will have their own individual user identification and password.

    4.5 Users are responsible for ensuring their password is kept secret (please see OBU’s Password Policy for further details).

    4.6 User access rights shall be removed or reviewed for those users who have left the University or changed roles as soon as practically possible.

    5. Third Party Access Control to the Network

    5.1 Third party access to network systems, services, hardware and network attached systems shall be based on a formal contract that satisfies all necessary security conditions.

    5.2 All third party access to network systems, services, hardware and network attached systems must be logged.  

    5.3 For further information please refer to the University Third Party & Supply Chain Management Policy.

    6. Maintenance and Fault Management

    6.1 The Network Manager will ensure that adequate maintenance contracts are maintained and periodically reviewed for all network equipment.

    6.2 The Network Manager is responsible for ensuring that a log of all faults on network systems and equipment is maintained and reviewed.

    6.3 OBU shall ensure that timely information regarding the technical vulnerabilities of information systems is obtained. Any vulnerability will be assessed and any risks will be appropriately controlled.

    6.4 The use of privileged utility programs that may be capable of overriding system and application controls shall be controlled and restricted.

    6.5 Operational software shall only be installed by authorised system administrators and authorised third-parties (see section 5).

    7. Network Operating Procedures

    7.1 Documented operating procedures should be prepared for the operation of network services and systems, to ensure their correct, secure operation.

    7.2 Changes to operating procedures must be authorised by the Network Manager.

    8. Data Backup and Restoration

    8.1 The Network Manager is responsible for ensuring that backup copies of network configuration data are taken regularly.

    8.2 Documented procedures for backup processes and storage will be produced and communicated to all relevant staff.

    9. User Responsibilities, Awareness and Training

    9.1 The University will ensure that all users of network systems, services, hardware and network attached systems are provided with the necessary security guidance, awareness and where appropriate training to discharge their security responsibilities.

    9.2 All users of network services and systems must be made aware of the contents and implications of the Network Security Policy.

    9.3 All users must ensure that they protect the network from unauthorised access.  They must log off the network when finished working.  

    9.4 Irresponsible or improper actions by users may result in disciplinary action.

    10. Protection against Malware

    10.1 Software to protect against malware should be installed on all client devices including mobile computing assets.

    10.2 Software used to protect University systems against malware shall be regularly reviewed and updated.

    10.3 Procedures on dealing with malware protection and attacks shall be developed and documented together with appropriate business continuity plans.

    11. Clock Synchronisation

    11.1 All network systems and services shall be synchronised using ntp.brookes.ac.uk

    12. Logging & Monitoring

    12.1 Adequate event logs recording network activity, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

    12.2 Logging facilities and log information shall be protected against tampering and unauthorised access.

    12.3 The activity of privileged users shall be logged and the logs protected and regularly reviewed.

    Information Sharing & Transfer Policy 

    1 Introduction

    1.1 The University holds a large amount of information, both in hard and soft copy. This includes personal and sensitive personal data (as defined by the UK Data Protection Act, 1998), and also non-personal information, which could be sensitive or commercially confidential (e.g. financial data).

    1.2 It is sometimes necessary when we are working with partner organisations or other institutions or on collaborative projects, to share personal data or information with those institutions or partners. This might entail:

    • The University may receive personal information from the institution or partner

    • The University may send personal information to the institution or partner

    • A request for personal information held by one or both of us

    1.3 These partners might be our partner colleges or universities, or other institutions with whom we have a relationship. We may or may not have a formal contract with these institutions or partners. We must also consider the legislative implications that this might have on us at the university.

    2. Information Sharing

    2.1 Disclosures of information should be relevant, proportionate and lawful.

    2.2 All regular sharing of information to the same source should be governed by a data sharing agreement which sets out the protocols for:

    • What data is to be shared

    • For what purpose

    • Legal justifications for sharing

    • Benefits and risks of sharing

    • Information lifecycle (retention and disposal)

    • Responsibilities and liabilities in the event of information security incidents

    • Agreed methods of transfer  

    • Appropriate audit trails and governance

    • Appropriate ID and background checks (where applicable)

    3 Methods of Transfer

    3.1 Electronic Documents

    3.1.1 Sufficiently secure methods must be used when transferring personal data.

    3.1.2 In the case of confidential and/or sensitive data it is recommended that data is encrypted to an acceptable standard (i.e. compliant with FIPS 140-2 (cryptographic modules, software and hardware) and FIPS 19) prior to transfer and protectively marked.

    3.1.3 Encryption passwords must not be relayed using the same communication channel as the data.

    3.1.4 An audit trail of all transfers must be maintained in line with the retention policy.

    3.1.5 If transfer is by email, information must be sent to named persons where possible; the use of group mailboxes is to be avoided.

    3.1.6 Information no longer in use by either party must be securely deleted.

    3.2 Hardcopy Documents

    3.2.1 All hardcopy data must be posted using the University's approved mail delivery company.

    3.2.2 All confidential and/or sensitive data must be identified and sent with the appropriate level of tracking via the University’s approved mail delivery company.

    3.2.3 Personal information must be labelled ‘private and confidential’ and ‘addressee only’ where appropriate.

    Bring Your Own Device Policy 

    1. Introduction

    1.1 This policy covers the use of non-University owned electronic devices to access corporate systems and process University information. Such devices include, but are not limited to, smartphones, tablets, laptops and similar technologies. This is commonly known as ‘Bring Your Own Device’ or BYOD.

    1.2 If you wish to BYOD to access University systems, data and information, you may do so provided that you follow the provisions of this policy and the advice and guidance provided through the IT Services Service Desk.

    1.3 The University is keen to have an agile, flexible and responsive workforce.  Therefore the University has actively encouraged BYOD, enforcing as few technical and procedural constraints as possible whilst still satisfying its legal compliance obligations.

    2. What is ‘BYOD’?

    2.1 BYOD – Bring Your Own Device refers to Users using their own device (which is not owned or provided to them by the University) to process University information, whether at the place of work or remotely, typically connecting to the University or other Wi-Fi Service.

    2.2 As the device is not owned by the University there is no guarantee that support will be provided for the device and any faults of software, hardware or peripherals must be rectified by the owner at their cost.

    3. Risk Awareness and Mitigation

    3.1 The University takes Information and Systems Security very seriously and invests significant resources to protect its data.  The University’s data, irrespective of what device is used to process it, remains an asset of the University.  

    3.2 When using the device to process University data the user must adhere to policies of the University, including the IT Acceptable Use Policy.

    3.3 If a personal device is used for work purposes, the user must take all reasonable steps to secure the device from risks such as:

    • Loss or theft of device

    • Unauthorized access of the device or University data

    • Malicious software attacks

    • Inadvertent disclosure

    Such steps may include:

    • Encryption of the device

    • PIN, passphrase or biometric access control

    • Not retaining any data locally on the device

    • Regular and timely security updates

    • Ensuring that the device manufacturer’s security mechanisms are not bypassed (Jailbreaking, rooting, etc.)

    • Activating any tracking or locating software available on the device

    • Ensure all University data is removed from the device when it is sold, recycled or transferred to a third-party.

    4. Monitoring

    4.1 Although the University will not monitor personal devices, in some cases the University may monitor the flow of University data between a device and its systems.

    5. Roles and Responsibilities

    5.1 Where the processing of sensitive personal data (as defined by the UK Data Protection Act, 1998) is deemed necessary for operational purposes an appropriate manager should assess the risks and decide if this is appropriate.

    6. Data Ownership

    6.1 Data must be handled in accordance with the University’s Intellectual Property Policy.  On termination of employment the user may be required to return or delete data as instructed by Oxford Brookes University.

    6.2 The User must take reasonable steps to ensure that personal data is sufficiently segregated from Oxford Brookes University data on the device.  Such steps must ensure that University data will not be merged with an employee's personal data.  This must be done to a degree that non-employees, such as family members who use the device, do not have the ability to access University data.

  • Other Relevant Policies, Procedures & Guidance

  • Electronic Mail Policy

    1. Introduction

    This Policy defines policy and procedures where existing University policies do not specifically address issues particular to the use of electronic mail. Users of University electronic mail services are responsible for making themselves familiar with the "Guidelines for Use of the Internet", and other relevant laws and University policies (see policies).

    The terms "electronic mail" and "email" are used interchangeably throughout this Policy.

    2. Scope

    2.1 This Policy applies to

    • all electronic mail systems and services provided or owned by the University; and
    • all users, holders, and uses of University email services; and
    • all University email records in the possession of University staff or students or other email users of electronic mail services provided by the University.

    2.2 This Policy applies only to electronic mail in its electronic form. It does not apply to printed copies of electronic mail. Other University policies, however, do not distinguish among the media in which records are generated or stored. Electronic mail messages, in either their electronic or printed forms, are subject to those other policies, including provisions relating to secure handling and disclosure.

    3. General Provisions

    3.1 University Property

    Any electronic mail address or account associated with the University, or any sub-unit of the University, assigned by the University to individuals, sub-units or functions of the University, is the property of Oxford Brookes University.

    3.2 Service Restrictions.

    Those who use University electronic mail services must do so responsibly, that is, in compliance with United Kingdom and European laws, with this and other University policies and regulations (see policies), and with normal standards of professional and personal courtesy and conduct. Access to University electronic mail services may be wholly or partially restricted by the University, for good cause, without prior notice and without the consent of the email user. Such restriction is subject to the approval of the Chief Information Officer, or his nominee, or, in their absence, the approval of the University Registrar.

    3.3 Access to Email Records.

    The University shall only permit the inspection, monitoring, or disclosure of electronic mail without the consent of the holder of such email (i) when required by or consistent with law; (ii) when there is reason to believe that a violation of law or of a University policy has taken place; (iii) when there are compelling circumstances; or (iv) under time-dependent, critical operational circumstances.

    3.4 Authorisation.

    Except in emergency circumstances, authorisation for access must be obtained from the Chief Information Officer, or his nominee. Authorisation shall be limited to the least perusal of contents and the least action necessary to resolve the situation. In emergency circumstances the least perusal of contents and the least action necessary to resolve the emergency may be taken immediately without authorisation, but appropriate authorisation must then be sought without delay.

    4. Security and Confidentiality

    4.1 The University does not guarantee the confidentiality of electronic mail.

    4.2 Except as provided elsewhere in this Policy, computer operations personnel and system administrators are not permitted to see or read intentionally the contents of email messages, to read transactional information except where necessary to ensure proper functioning of University email services, or to disclose or otherwise use what they have seen.

    4.3 There is one exception: systems personnel, such as the "Postmaster", may need to inspect the contents of email messages when re-routing or disposing of otherwise undeliverable email. This exception is limited to the least invasive level of inspection required to perform such duties.

    5. Archiving and Retention

    It is University policy to delete email stored on the University mail server at regular intervals and to inform users of impending deletions. Operators of University electronic mail services are not required by this Policy to retrieve email from back-up facilities upon the holder’s request, although on occasion they may do so as a courtesy.

    6. Policy Violations

    Violations of this policy may result in disciplinary action being taken, or access to University facilities being withdrawn, or a criminal prosecution. Any apparent violations of policy or law should be reported either to the Postmaster or to the Information Compliance Officer at  info.sec@brookes.ac.uk.



    Computing Facilities: Computing resources, services, and network systems such as computers and computer time, data processing or storage functions, computer systems and services, servers, networks, input/output and connecting devices, and related computer records, programs, software and documentation.

    Email Systems or Services: Any messaging system which depends on computing facilities to create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print computer records for purposes of asynchronous communication across computer network systems between or among individuals or groups, which is either explicitly denoted as an email system or is implicitly used for such purposes, including services such as electronic bulletin boards, mailing lists and news groups.

    University Email Systems or Services: Electronic mail systems or services owned or operated by the University or any of its sub-units.

    Email Record: Any or several electronic computer records or messages created, sent, forwarded, replied to, transmitted, stored, held, copied, downloaded, displayed, viewed, read, or printed by one or several email systems or services. This definition applies equally to the contents of such records and to transactional information associated with such records, such as headers, summaries, addresses, and addressees.

    University Record: Any data recorded in any form, including paper files, computer files, audio- and videotapes, film and microfiche, which are maintained by University staff, or agents, in the course of their employment.

    University Email Record: A University record in the form of an email record regardless of whether any of the computing facilities utilised to create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print the email record are owned by the University. The location of the record, or the location of its creation or use, does not change its nature as: (i) a University email record for the purposes of this or other University policy, and (ii) having potential for disclosure under the Data Protection Act 1998 or other laws.
    Until determined otherwise or unless it is clear from the context, any email record residing on University-owned computing facilities, including personal email, may be deemed to be a University email record for the purposes of this Policy. Consistent, however, with the principles asserted in Section 3.4 of least perusal and least action necessary, the University shall, in good faith, make an initial effort to distinguish University email records from personal email where relevant to disclosures under the Data Protection Act and other laws, or for other applicable purposes of this policy.

    Use of Email Services: To create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print email. A (University) email user is an individual who makes use of (University) email services.

    Possession of Email: An individual is in "possession" of an email record, whether the original or a copy or modification of the original, when that individual has effective control over the location of its storage. Thus, an email record which resides on a computer server awaiting download to an addressee is deemed, for purposes of this Policy, to be in the possession of that addressee. Systems administrators and other operators of University email services are excluded from this definition with regard to email not specifically created by or addressed to them.
    Email users are not responsible for email in their possession when they have no knowledge of its existence or contents.

    Email Holder: An email user who is in possession of a particular email record, regardless of whether that email user is the original creator or a recipient of the content of the record.

    Compelling Circumstances: Circumstances where failure to act may result in significant bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of University policies, or significant liability to the University or to members of the University community.

    Emergency Circumstances: Circumstances where time is of the essence and where there is a high probability that delaying action would almost certainly result in compelling circumstances.

    Time-dependent and Critical Operational Circumstances: Circumstances where failure to act could seriously hamper the ability of the University to function administratively or to meet its teaching obligations, but excluding circumstances pertaining to personal or professional activities, or to research.


    Portable Devices and Removable Media Acceptable Use Policy

    1. Statement of Policy
    Oxford Brookes University aspires to the highest standards of corporate behaviour, professional competence and best practice in its approach to computing and data security. The University has policies relating to Information Security and Data Protection. These policies require staff and students and all who have access to, and process, the University’s data to keep information secure and to protect personal data. This policy relates specifically to the movement of University data from the University’s systems to portable devices and other removable media and the processing of University data on such devices and media. The policy of the University is that information must continue to be kept secure and personal data must continue to be protected when it is transferred on to, or processed on, portable devices and other removable media and during any process of transfer to and from such devices or media.
    2. Definitions
    2.1 Portable devices and removable media are any devices which can easily be carried by hand and be used for mobile computing either in their own right or by being connected to and removed from other computing devices. They include laptop and notebook computers, tablet computers, mobile phones, digital cameras, digital audio devices, portable hard drives, CDs, DVDs, SD cards, memory “sticks” and flash drives.
    2.2 For the purpose of this policy data can be divided into two categories: nonsensitive data, which is data not containing either personal information or information of a confidential nature; and sensitive data, the default category, which comprises all other data, the loss of which would, or would be likely to, cause damage or distress to the University or to individuals. Data is assumed to be sensitive unless proven otherwise. This policy relates to sensitive data.
    3. Policy Principles
    3.1 The dominant principle governing the use of portable devices and removable media is:
    Do not transfer the University’s sensitive data on to or store such sensitive data on portable devices or removable media unless it is necessary for a University business purpose and you have the explicit authority of your Head of Department. If it is necessary for sensitive data to be transferred on to or for such data to be stored on portable devices or removable media then the data should be minimised as much as possible, and the portable device or removable media containing the sensitive data should be an Oxford Brookes device and be protected by encryption software in line with the advice and the assistance of the University’s IT department (Oxford Brookes Information Solutions OBIS) to the appropriate current standard. Data minimisation means minimising the quantity and breadth of data and, where possible, anonymising personal data.
    3.2 All portable devices and removable media provided by the University to its staff shall be protected by encryption software.
    3.3 Staff will ensure that all such devices are protected by a secure password and that the password-protected auto-locking feature (where present) is enabled. Advice on secure passwords can be obtained from the University’s IT department OBIS.
    3.4 The University will abide by legislation and regulations relating to obtaining, using, storing, protecting and disclosing data required in the pursuance of University business.
    3.5 The University will provide appropriate organisational and technical measures to help keep data secure and to prevent loss, damage and destruction, assisting staff to implement such measures by producing relevant guidance.
    3.6 Individuals processing University data have a responsibility to protect the data from unauthorised use, disclosure, access, loss, corruption, damage or destruction and to adopt all proper and sensible precautions in their handling of sensitive and personal data.
    3.7 Any individual using portable devices and removable media must ensure that sensitive or personal data are not compromised by inappropriate use of insecure facilities and storage.
    3.8 Individuals transferring data on to or storing such data on portable or removable devices shall ensure they have the appropriate authority and approval to do so.
    3.9 Sensitive data shall not be processed, opened, read or loaded on public access computers.
    3.10 The University’s sensitive data will not be transferred to, stored or processed on portable devices or removable media where those data are to be used or accessed by third parties unless such parties have a business relationship with the University and appropriate contractual arrangements are in place.
    3.11 Antivirus precautions should be maintained in all use of removable media devices.
    4. Authorisation Process
    4.1 For sensitive University data to be transferred on to or stored on a portable device or removable media for use by a member of staff, appropriate authorisation shall be obtained from that member of staff’s Head of Department.
    4.2 The risks associated with transferring data onto a portable device or storing data on it must be assessed and controls to mitigate the risks must be identified and implemented where appropriate.
    4.3 The member of staff will complete the appropriate authorisation request and secure the necessary authorisation prior to the data being placed on the portable device or removable media.
    4.4 The appropriate authorisation form can be accessed here [link].
    5. Guidelines
    5.1 Make sure that you understand what your responsibilities are by consulting the University’s Information Security and Data Protection policies. If you need further training on data protection matters, get in touch with the University’s Information Compliance Officer to arrange a session.
    5.2 Before using mobile computing devices to process University data, consider whether such processing is necessary. Can it be done without using a mobile device? If it can and the mobile processing is not necessary, then adopt a more appropriate and secure alternative.
    5.3 If processing data on a mobile device is necessary, consider whether the data can be minimised, or personal data anonymised, in any way.
    5.4 Avoid using removable media devices for permanent or indefinite storage. Make sure data are transferred as soon as possible to a secure, permanent data store and securely removed from all intermediate media. Do not put yourself in a position where sensitive data may be lost irretrievably without a backed-up copy held in a secure University data store.
    5.5 Consult your manager to ensure that you have appropriate approval to transfer data on to or to store such data on a mobile device. In order to authorise the transfer of sensitive data on to a mobile device, the Head of Department will need to know that it is necessary and that OBIS guidance has been followed on the appropriate technical measures to keep the data secure.
    5.6 If you are a manager, make sure you are aware of any mobile processing carried out by your staff and that the policy is being applied. If you identify that the policy is not being applied despite appropriate briefing and training, then you will need to escalate the matter through your own senior manager, involving HR if necessary.
    5.7 Consult the University’s IT department OBIS (email: obissecurity@brookes.ac.uk; tel. ext.3311) for advice on defensive computing and managing any risks. OBIS will help to identify and implement any appropriate technical measures, including encryption, to ensure the security of the data and/or the device. Specific measures will depend upon the nature of the device.
    5.8 Take appropriate physical precautions against the theft or loss of portable devices and removable media. If it is necessary to travel by car with such devices, as well as making sure technical measures such as encryption have been applied, make sure the devices are locked out of sight in the boot of the vehicle. If kept at home, devices still need to be kept secure to protect from opportunistic theft or access.
    5.9 If a mobile computing device is disposed of, make sure that the data are properly purged and destroyed. Seek advice from the University’s IT department OBIS to ensure that the data are destroyed. Guidance is available in the university’s Policy on Secure Disposal of IT Equipment and Information.
    5.10 Software on portable devices and removable media is subject to the same audit procedures as other computer systems. Make sure you have appropriate authority and licence for use.
    6. Reporting Data Security Breaches and Lost or Stolen Portable Devices or Removable Media
    6.1 All staff should report lost or stolen devices immediately to their line manager and to the University’s Information Compliance Officer. This will enable an assessment to be made of any loss of data held on the device.
    6.2 Any security breach of data (or suspected breaches), including those involving portable devices or removable media, should be reported immediately by email to obissecurity@brookes.ac.uk or to the OBIS Service Desk at https://service.brookes.ac.uk or by telephone on ext. 3311.
    6.3 A data security breach occurs when there is unauthorised or unlawful processing of sensitive data, including personal data, or there is accidental loss, or destruction of, or damage to such data.
    6.4 In reporting the loss or theft of a device and data you are required to identify in writing the type of device, the nature and extent of the data, and the security measures which were taken to protect the device and the data.

    Policy on Secure Disposal of IT Equipment and Information

    1. Introduction
    The University holds and processes a large amount of information and is required to protect that information in line with relevant legislation and in conformity with University regulations and policies such as the Information Security Policy, the Data Protection Policy and the Records Management Policy. This policy sets out the requirements for staff on the secure disposal of the University’s IT equipment and information.
    2. Definitions
    2.1 Secure Disposal
    Secure disposal means the process and outcome by which information including information held on IT equipment is irretrievably destroyed in a manner which maintains the security of the equipment and information during the process and up to the point of irretrievable destruction.
    2.2 IT Equipment
    IT equipment means all equipment purchased by or provided by the University to store or process information including but not necessarily limited to desktop computers, servers, printers, copiers, laptops, tablet computers, electronic notebooks, mobile telephones, digital recorders, cameras, USB sticks, DVDs, CDs and other portable devices and removable media.
    2.3 Information
    2.3.1 Information means all information and data held or recorded electronically on IT equipment or manually held or recorded on paper.
    2.3.2 For the purpose of this policy, the information held by the University can be divided into two categories: nonsensitive; and sensitive information. Sensitive information comprises: all personal information and all confidential information, the loss of which would, or would be likely to, cause damage or distress to individuals or to the University.
    2.3.3 The default category is that all information is deemed to be sensitive unless specifically identified as otherwise.
    3. Responsibilities
    3.1 It is the responsibility of all University staff to ensure that the information held by the University is disposed of appropriately and that all sensitive information is disposed of securely.
    3.2 Responsibility for this policy resides with the University’s Executive Board. Implementation of this policy is managed through the University’s Information Security Working Group which reports to the Chief Information Officer.
    4. Statement of Policy
    4.1 This policy on disposal covers all data or information held by the University whether held digitally or electronically on IT equipment or as manual records held on paper or in hard copy.
    4.2 It is the University’s policy to ensure that all information held by the University is disposed of appropriately, in conformity with the University’s legal obligations and in accordance with the University’s regulations and Records Management policy.
    4.3 In particular it is the University’s policy to ensure that all sensitive information which requires disposal is disposed of securely.
    4.4 Where information is held on IT equipment, it is the policy of the University that such equipment will be assumed to hold sensitive information and that all information residing on such equipment must be disposed of securely.
    4.5 The University supports policies which promote sustainability and take account of environmental impact. The University will therefore support recycling or sustainable redeployment in the disposal of IT equipment as long as information held on the equipment is irretrievably and securely destroyed prior to the disposal of the equipment.
    4.6 WEEE: IT equipment must also be disposed of in line with the EU Waste Electrical and Electronic Equipment (WEEE) Directive and the UK Waste Electrical and Electronic Equipment Regulations 2006.
    [Link www.brookes.ac.uk/Documents/About/Sustainability/en103w2/]
    4.7 Copyright: software must be disposed of in line with copyright legislation and software licensing provisions.
    5. Policy Principles
    5.1 Hard copy
    5.1.1 Information and data held in paper or hard copy which contain sensitive information shall be irretrievably destroyed in a way in which the information cannot be reconstituted, by shredding, pulping or incineration.
    5.1.2 The process leading to and the process of shredding, pulping or incinerating such information shall be carried out securely.
    5.1.3 Where the shredding or incineration are carried out on behalf of the University by a third party, there shall be a contract with that third party which appropriately evidences:
    a) that party’s obligations to keep that data confidential and;
    b) that party’s responsibility under the Data Protection Act 1998 for the secure disposal of the data.
    5.1.4 Where hard copy information is stored externally by a third party data storage contractor, the contract shall ensure secure disposal of the data at a time which conforms with the University’s Retention Schedule.
    5.2 IT Equipment
    5.2.1 Since the policy default is that all IT equipment which stores or processes data will be deemed to hold sensitive data, then all such IT equipment will undergo appropriate physical destruction or an appropriate data overwrite procedure which irretrievably destroys any data or information held on that equipment.
    5.2.2 Where an overwrite procedure fails to destroy the information irretrievably, the equipment shall be physically destroyed to the extent that the information contained in it is also irretrievably destroyed.
    5.2.3 For the avoidance of doubt, removable digital media including but not limited to CDs, DVDs, USB drives, where the default is that they contain sensitive data, shall, if not successfully overwritten, be physically destroyed to the extent that all data contained in the media are irretrievable.
    5.2.4 All IT equipment awaiting disposal must be stored and handled securely.
    5.2.5 Where the overwriting procedure and/or physical destruction of IT equipment are carried out on behalf of the University by a third party, there shall be a contract with that third party which appropriately evidences:
    a) that party’s obligations to keep that data confidential; and
    b) that party’s responsibility under the Data Protection Act 1998 for the secure disposal of the data.
    5.2.6 In any case where IT equipment is to be passed on by the University for reuse, those staff involved in the sale or transfer of the equipment shall ensure that any information on the equipment has been irretrievably destroyed and that any other appropriate issues, including, but not limited to, the safety of the equipment are satisfactorily addressed.
    5.2.7 Photocopiers and printers used or owned by the University may have a data storage capacity. Where such IT equipment contains information or data, the disposal of such equipment must have due regard to this policy.
    5.3 Online Data
    5.3.1 The University has a contract with Google for the use of its Google Apps for Education. This enables University staff to take advantage of the features provided for data storage of emails and documents. The University does not sanction the use of external online (cloud) services for University data where there is no contract in place.
    5.3.2 Data held in the University’s Google applications or other authorised online storage applications should be destroyed to the extent possible by using the delete facilities provided.
    6. Record of Destruction
    6.1 Any third party contracted to dispose of sensitive hard copy information shall certify the irretrievable destruction of the information.
    6.2 University staff who have responsibility for the information which is disposed of shall ensure that the disposal conforms with the University’s Records Management policy and Retention Schedule and that, where necessary, a record is kept documenting the disposal.
    6.3 Where the disposal involves the disposal of IT equipment, the University shall keep a record of the asset number of the equipment which has been disposed of along with a record of the process by which the information stored on the equipment has been irretrievably destroyed.
    7. Reporting
    7.1 All staff, students and other users of information should report immediately to the Service Desk via the Servicedesk portal https://service.brookes.ac.uk or by telephone (tel. ext. 3311) any observed or suspected incidents where sensitive information has been or may have been insecurely disposed of.
    8. Advice and Assistance
    8.1 Advice on the implementation of this policy can be obtained from the University Information Compliance Officer (tel. ext. 4354: email address info.sec@brookes.ac.uk) and the University Records Manager (tel. ext.  )
    8.2 Advice on the disposal of IT equipment can be obtained from the University’s IT department, OBIS, by contacting the Service Desk on tel. ext. 3311 or via the Servicedesk portal https://service.brookes.ac.uk
    9. Guidelines
    9.1 Hard Copy
    9.1.1 Staff holding University data in hard copy should routinely dispose of the data when it is no longer required to be held for legal or contractual purposes or is no longer necessary for the business purpose for which it was originally created or held. In determining whether and when the data should be disposed of, staff should consult the University’s Retention Schedule [link obis.brookes.ac.uk/records/Retention%20Schedule%201c.doc]. Further information can be obtained from the University Records Manager.
    9.1.2 It is good practice to shred, pulp or incinerate all University data which requires destruction. Where hard copy waste is sensitive data (as defined in 2.3.2) it should always be securely and irretrievably destroyed by shredding, pulping or incineration. In order to ensure the secure and irretrievable destruction of hard copy, staff are required to use the service provided by the University’s selected contractor for the destruction of confidential waste.
    9.1.3 Confidential waste bags for information requiring secure destruction can be obtained from Campus Services which will collect the bags when they are ready for disposal. Bags which contain confidential waste should be sealed and kept secure until collected by Campus Services.
    9.1.4 Confidential waste bags awaiting collection or further processing should not be left in public areas or areas where they can be accessed by unauthorised staff.
    9.1.5 Where sensitive data are stored under contract externally, staff responsible for the contract should ensure the contract includes secure, certificated destruction of the data in accordance with the appropriate retention period. External storage and destruction of University data should not be arranged without reference to the University Records Manager.
    9.1.6 Where staff consider a document is of sufficient historic importance to be retained by the University, they should consult the University Archivist.
    9.2 IT Equipment
    9.2.1 Staff holding University data on IT equipment should routinely dispose of the data when it is no longer required to be held for legal or contractual purposes or is no longer necessary for the business purpose for which it was originally created or held. In determining whether and when the data should be disposed of, staff should consult the University’s Retention Schedule [link obis.brookes.ac.uk/records/Retention%20Schedule%201c.doc].
    Further information can be obtained from the University Records Manager (tel. ext. 4046: )
    9.2.2 Where a decision has been made that data held on IT devices or media should not be retained, the files containing the data should be deleted from those devices. Deletion involves putting the information “beyond use” by the user of the device or media. Data held in a recycling “bin” on the device or data which can easily be recovered by the user are not regarded as being “beyond use” and may still be subject to discovery and disclosure under information law (Freedom of Information, Subject Access Request) or litigation.
    9.2.3 Staff shall never dispose of University IT equipment (devices or media) without taking steps to ensure the irretrievable deletion of data held on the equipment.
    9.2.4 Electronic or digital data which have been put “beyond use” by users may still be reconstituted by IT specialists or by forensic computer analysts. This means that when IT equipment (devices or media) are disposed of, the data should be irretrievably destroyed by being overwritten in accordance with the appropriate industry standard, or the hard disc containing the data within the equipment or the media containing the data (e.g. CD, USB stick) should be physically destroyed. The University has some shredding machines available which can destroy CDs and DVDs as well as shred hard copy.
    9.2.5 Staff requiring the disposal of IT equipment which holds or may hold University data should contact the Service Desk via the Servicedesk portal https://service.brookes.ac.uk (tel ext. 3311) to arrange for the disposal.
    9.2.6 Staff should also be mindful that University mobile telephones contain data which will need to be extracted or deleted from the device before the device is disposed of. The telephone should be returned to the Service Desk, which should be contacted to initiate the secure return and disposal of the device.
    9.2.7 While the University supports the recycling or sustainable redeployment of IT equipment, University staff shall not arrange for such a process without consulting the OBIS Client Device Support Manager (contacted through the Service Desk via the Servicedesk portal https://service.brookes.ac.uk or on tel. ext. 3311), obtaining appropriate authority from OBIS for the proposed recycling and ensuring that any data held on the equipment are securely and irretrievably destroyed.
    9.2.8 Where University staff are leasing equipment (such as multifunctional copiers), staff responsible for the contracts should ensure that the leasing contract certifies the secure disposal of any University data held on the devices during the period of lease.
    9.2.9 When disposing of IT equipment, staff must be mindful of the WEEE regulations. [link /about/sustainability/docs/en103w2.pdf]
    9.3 Online data
    9.3.1 Staff using the delete facility provided by Google in the University’s online Google applications should be aware that the deleted material will be held for 30 days in their online “bin”. Such data will not be regarded as “beyond use” until it has been further deleted from the “bin”.
    9.3.2 Online data held in Google accounts provided to staff by the University for the purpose of their employment are not automatically deleted when staff leave the University. These accounts are deactivated and access to the data retained for any necessary business purpose. Prior to leaving the University, staff should, wherever possible, ensure the appropriate management and handover of the University data in their accounts, deleting from their accounts data which are no longer required by the University.

    E14 Data Protection Guidelines for Academic Staff

    1. Introduction
    The Data Protection Act is concerned with the handling of personal information, covers both manual and electronic records and stipulates the setting of security standards. As part of the University's compliance with the legislation it has published an Information Security Policy and E13 Data Protection Policy and it is important that you make yourself familiar with them. These guidelines are intended as a supplement to those policies. Further information and advice are available from the Information Compliance Team on ext 4354 or by email at info.sec@brookes.ac.uk
    2. Standard Information
    All staff process information about students on a regular basis, when marking registers, writing reports or references, or as part of a pastoral or academic supervisory role. The University will ensure through registration procedures that all students are notified of such processing, as required by the Act, and give their consent where necessary. The information that staff deal with on a day-to-day basis is "standard" and covers categories such as:
    • General personal details such as name and address;
    • Details about class attendance, course work marks and grades and associated comments;
    • Notes of personal supervision, including matters about behaviour and discipline;
    • Sponsorship details.
    3. Sensitive Information
    Information about a student’s physical or mental health, ethnicity or race, political or religious views, trade union membership, sexual life, or criminal record is classified as sensitive information under the Data Protection Act. Such information can only be collected and processed when permitted or required by law or with the student’s express (written) consent. Examples would include:
    • keeping of sick notes;
    • recording information about dietary needs, for religious or health reasons, prior to taking students on a field trip;
    • recording information that a student is pregnant, as part of pastoral duties.
    Disclosure of such information without explicit consent is permitted only in exceptional circumstances, for example if the University is under a statutory obligation to make the disclosure or if the disclosure is in the vital interests of the student (information about a medical condition may be disclosed in "life or death" circumstances). Sensitive information must be protected with a higher level of security. It is recommended that sensitive records are kept separately in a locked drawer or filing cabinet, or in a password protected computer file, or, if held on a mobile device, protected by encryption. If you (or one of your students) are holding, or intending to hold, sensitive personal information which is outside routine University processing, you should notify your manager or, if for research purposes, your research supervisor and your Faculty Research Ethics Team. Every application to the University's Research Ethics Committee must include details of the measures to be taken to ensure the security of personal data.
    4. Processing of Personal Information
    Processing refers to any action involving personal information, including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying information. When processing personal information, you must comply with the data protection principles, which are set out in the Data Protection Policy (regulation E13). In particular, you should ensure that records are:
    • accurate
    • up-to-date
    • fairly and legally obtained
    • kept and disposed of safely
    For further details please refer to the University’s record retention schedule.
    5. Project and Research Supervisors

    If you supervise students doing work that involves the processing of personal information, you should ensure that those students are aware of the Data Protection Principles, in particular, the requirements to notify and to obtain the data subject’s consent where appropriate. Students should be referred to the Faculty Research Ethics Team or the Information Compliance Team for further information.
    6. Handling Enquiries
    When students ask to see information about themselves, you should, where possible, deal with these enquiries informally. If an informal response is not appropriate, you should advise the student to make a formal Subject Access Request under the Data Protection Act. Such requests should be directed to the Information Compliance Team. For all requests, both formal and informal, the information has to be provided within the 40 calendar days permitted by the Data Protection Act. You should not disclose personal information over the telephone unless you are able to validate the identity of the person making the request. You may disclose personal information to other staff members who require the information in order to carry out their normal duties. You should not disclose personal information to any third party, e.g., to a parent or sponsor, except with the consent of the student or where this is permitted or required by legislation. In exceptional and urgent circumstances (e.g. cases where there are reasonable grounds for believing that an individual has become a danger to him/herself or others, or has committed / is about to commit a serious crime), you may release personal information directly to a law Team. Be sure to establish the identity of the law Team before releasing the information, and keep a record of the incident including name, date, circumstances and information disclosed. The details of any such disclosures should be reported to the Information Compliance Team.
    7. Examination Marks
    You should be aware that students are entitled to see preliminary marks and comments, which contribute to final assessments. SEC and MEC minutes will also be subject to access requests unless they are anonymised. Similarly, when writing an academic reference, you should keep in mind that it may be subject to an access request by the student to the recipient. The Academic Registry publish E11. Procedures for the preparation of student references and the Supporting Students Handbook provides a template that you can work from.
    8. Private Files
    It is essential that relevant information is available to all University staff, so the case for holding "private", separate files has to be justified as being in the interest of the student (e.g., where the data is particularly sensitive). The information contained in them will still be subject to the student’s right of access and you must ensure compliance with the notification requirements of the Act. Wherever possible, you should avoid duplication or fragmentation of student files.
    9. Home Working
    When working from home or on a laptop or tablet computer, you must maintain appropriate levels of security, including anti-virus (also known as anti-malware) software. It is recommended that you ensure personal information is not stored on your domestic PC or computing device if this is used by other members of your family or household. University data containing personal information should not be placed on portable devices unless it is necessary for a University business purpose and such processing has been authorised and the information is protected by encryption software. If it is found necessary to work off site with University personal data then, in addition to encryption if held electronically, you must take sensible precautions to keep the data physically secure, for example, by using a lockable briefcase, storing data in the locked boot of a car while travelling, keeping the data in a secure location if held off site. If you have concerns about the security of data, please consult the University Information Compliance Team for further guidance.
    10. Exemption for Research Records
    There is an exemption from some parts of the Data Protection Act where data is being processed for research and statistics. Information collected for the purpose of one piece of research can be used for other research, without breaching the "specified processing" principle (see the E13. Data Protection Policy), and can be kept indefinitely. For example, staff and students involved in academic research can keep records of questionnaires and contacts, so that the research can be re-visited at a later date, or so that, in support of a research project looking at an associated area, they can re-analyse the information. Researchers must ensure that the final results of the research do not identify the individual, or they will be subject to access requests under the 1998 Act. This exemption is only applicable to academic research and cannot be relied on to prevent access to information about a particular individual, following research carried out for a redundancy or efficiency exercise, for example.

    For further information about these regulations, please contact the Information Compliance Team.