Go to the Students section
Go to the Staff section
Go to the Alumni section
Go to the Study here section
Go to the International section
Go to the About section
Go to the Research section
Go to the Business and Employers section
Go to the Support us section
The policies and procedures in this section are intended to be used as working documents so please check from time to time to see if they have been updated. If you cannot find the policy or procedure you are looking for please contact the information compliance team for guidance at firstname.lastname@example.org.
1. Policy Objectives
1.1 The principal aims of this policy are to secure the University’s compliance with its legal obligations, as an internet service provider, as a licensee and as a publisher, and to protect the value and integrity of the digital information held within or accessed through the University’s IT facilities.
1.2 A further purpose of this policy is to provide authorised users of the University IT with a safe and acceptable working environment. The University does not intend to obstruct or limit the use of information without reason but makes rules to establish and maintain good practice and to deliver its policy objectives; this is done for the benefit of the University community as a whole.
1.3 The University possesses and uses computer systems, networks and allied hardware and other peripherals as an integral and pervasive part of its operations. In addition to protecting the considerable investment that the University has made to secure these facilities, the University’s ability to function and its good reputation depends on the efficient and full operation of its IT capability; the security and preservation of the University systems and of its digital data are of paramount importance. This policy is part of the governance framework which provides rules for managing the risks arising from complex systems and a large number of users.
The policy applies to Governors, staff, students and other users authorised by the University and taking legitimate access to the University’s systems. Examples of such authorised users include visiting academics, consultants whose work for the University requires access to the University’s systems, representatives of suppliers engaged in work under their employer’s contract with the University and associate staff engaged with the University’s higher education or research functions.
3. Provision of service and basic service rules for the use of University IT including confidentiality
3.1 The University provides IT facilities primarily for academic reasons and for the conduct of legitimate University business, not for the purposes of entertainment, shopping or other private use.
3.2 Users must treat information that they access or see via the University’s IT systems as confidential, unless the information is clearly intended to be public or disclosable in the context in which it is made available.
3.3 Users must contact the University’s IT Services for any change or modification to hardware and software; any such change should be made only by authorised members of the University’s staff.
3.4 Users are required to respect the legitimate access to the IT facilities by other users and must not obstruct this or remove or interfere with output created by any other user.
3.5 Users must be considerate when using the University’s IT facilities, including keeping noise to a minimum and keeping behaviour to that appropriate to an academic or business setting; in other words, conduct should be quiet and orderly.
3.6 Although the University’s IT facilities are provided primarily for legitimate academic and business purposes, the University permits limited personal use of email and of the internet subject to the rules set out in this policy and provided that such use does not conflict with the University’s interests, such as the proper performance by staff of their work for the University.
3.7 Access to another person’s emails will only be granted with the explicit consent of the University’s Chief Information Officer or Chief Operating Officer.
3.8 The ownership of material created via the University’s IT facilities is treated in accordance with the University’s Intellectual Property Policy (see www.brookes.ac.uk/research/policies-and-codes-of-practice)
3.9 Staff users are restricted in their access to the University’s staff-only information systems. Each staff user is granted initial data access as determined by their line manager. Additional access, as required by staff users on a case by case basis, will be subject to the University’s Access Control Policy.
4. Prohibitions and restrictions
Password and identity integrity
4.1 Revealing any account password (or associated secret authentication information) to others or allowing use by another person, including family and other household members.
4.2 Circumventing user authentication or security of any host, network service or account.
4.3 Impersonating another user.
Hacking and similar misuse
4.4 Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's network session, via any means, locally or via the Internet/Intranet/Extranet.
4.5 Gaining unauthorized access to, or intentionally damaging, other computer systems, network services or the information contained within them. This includes erasing, altering, corrupting or tampering with any information other than in the legitimate conduct either of University business for staff or for the proper furtherance of academic study for students.
4.6 Executing any form of network monitoring that will intercept data not intended for the user’s host.
4.7 Port scanning or security scanning unless being conducted by authorized members of the University’s IT Services (or third parties specifically authorized by IT Services.)
4.8 Introducing malicious programs into the network or server (e.g viruses, worms, Trojan horses, email bombs etc.)
4.9 Effecting security breaches or disruptions of network communication. Examples of security breaches are accessing data of which the user is not an intended recipient or logging into a server or account that the user is not expressly authorised to access. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
4.10 Any unlawful activity not otherwise covered. Examples of such unlawful activity include:
a) infringement of intellectual property rights including distributing or obtaining illegally copied software, media or other material
b) breaching another person’s privacy
c) harassment or bullying
e) sending unsolicited advertising or promotional material
f) conducting any corrupt practice
4.11 The creation, transmission, storage, downloading or display of any offensive, obscene, discriminatory (either on the grounds of sex, disability, colour, race, religion or belief, or sexual orientation), indecent, explicit or threatening data or other material (unless such access is necessary) for one or more of:
a) authorized research activity
b) investigatory or disciplinary process
d) co-operation with the Police, Prevent or other official enquiry.
Users should be aware that the University takes its responsibility under the Counter-Terrorism and Security Act 2015 extremely seriously including those requirements detailed in Section 29 of the Act and referred to as the "Prevent Duty". Consequently, users must not deliberately create, display, produce, store, circulate or transmit material related to terrorism or extremist ideology in any form or medium except where required for the purposes set out at 4.11 a) to d) above.
Confidentiality including email forwards
4.12 Disclosing any information about, or providing lists of, University staff or students to any party not employed by the University (unless in the course of legitimate University business or authorised by a member of the senior management of the University.)
4.13 Storing any confidential information on any system other than one provided by the University, unless formally approved by the University’s IT Services.
4.14 Sending any confidential information online by any means, without utilising appropriate, approved, security methods. Online communications may be subject to interception by persons outside the University and such interception may not be detectable or perceptible by the user. Any encryption software used should be provided by or approved by the University’s IT Services.
4.15 Using an automatic forwarding facility for email which takes email from a University account to an outside network unless, in the case of staff, this has been approved by an appropriate manager. Automatic email forwarding may result in the inadvertent transmission of sensitive information to external email accounts and users should therefore exercise utmost caution when sending any email from a University account to an outside network.
4.16 Private profit, except to any extent authorised in writing under a user’s conditions of employment or other express agreement with the University.
4.17 Connecting any unsecured, internet enable-able device to the University’s IT systems.
4.18 Failing to read or adhere to the terms and conditions of any licence agreements relating to the relevant IT facilities including software, equipment, consumables, services, databases, platforms, publications and goods.
5. Monitoring, breach and enforcement
5.1 Although the University respects and appreciates the value of personal privacy, its IT systems are provided for academic and business purposes and users should have no expectation of privacy when using the University’s IT facilities.
5.2 Any user becoming aware of any suspected, accidental, or intentional illegal action or misuse must report this immediately to the IT Service Desk or to an appropriate member of staff.
5.3 The University has the right to monitor all usage of the IT, communications and computer systems at any time and without notice. Examples of specific circumstances where the University may choose to monitor are:
to ensure the proper working of the systems or to assist troubleshooting
to ensure that all users comply with University policies, practices and procedures (including but not limited to this policy)
to investigate or detect the unauthorised use of Oxford Brookes University's systems.
5.4 The University may inspect, lock, block, scan, clone or remove any computer or drive or information at any time at its sole discretion.
5.5 Users should be aware that breach of these rules may constitute a criminal offence or result in disciplinary action under either the Student Conduct Regulations or the Staff Conditions of Service.
5.6 The University will cooperate with law enforcement authorities to prosecute offenders.
6. Related policies
Users accessing social media should refer to the Oxford Brookes University Social Media Guidelines (available at www.brookes.ac.uk/services/hr/handbook/terms_conditions/social_media_guidelines.html)
6.2 Users should also refer to these related policies:
a) security sensitive material ( www.brookes.ac.uk/research/policies-and-codes-of-practice)
b) information security incident management Policy (see policies below)
c) access control policy for staff (see policies below)
d) intellectual property policy ( www.brookes.ac.uk/research/policies-and-codes-of-practice
7. Change procedure and notice of changes
7.1 This policy shall be reviewed at least annually by the Chief Information Officer or his nominee, currently the Head of Information Management.
7.2 Where the Chief Information Officer considers that one or more material changes have been made to the policy, the policy shall be presented to the University’s Executive Board as a consultation document.
7.3 The Chief Information Officer is responsible for keeping the policy accessible to users and for bringing changes of significance to the attention of users by whatever means he thinks appropriate.
7.4 Changes to this policy are authorized with immediate effect by the Chief Operating Officer on the advice of the Chief Information Officer whether at a meeting of the University’s Executive Board or otherwise.
A key feature of GDPR is transparency, and privacy notices are the principle way of delivering this, letting individuals know what personal information Oxford Brookes collects and why, who we may share it with and what your rights under the legislation are.
Personal data is any information that can be used to identify a single, living individual, whether it relates to private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.
Student Privacy Notice
Staff Privacy Notice
Download a pdf version
Oxford Brookes University recognises that information and the associated processes, systems and networks are valuable assets and that the management of personal data has important implications for individuals. Through its security policies, procedures and structures, the University will facilitate the secure and uninterrupted flow of information, both within the University and in external communications. The University believes that security is an integral part of the information sharing which is essential to academic and corporate endeavour and this Policy is intended to support information security measures throughout the University.
2.1 For the purposes of this document, information security is defined as the preservation of:
2.2 Information exists in many forms. It may be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of the law and statutory, regulatory or contractual obligations.
The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. When handling such information, the University, and all staff or others who process or use any personal information, must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the 1998 Act). Responsibilities under the 1998 Act are set out in the Data Protection Policy.
4.1 The University believes that information security is the responsibility of all students and members of staff. Every person handling information or using University information systems is expected to observe the information security policies and procedures, both during and, where appropriate, after his or her time at the University.
4.2 This Policy is the responsibility of the Executive Board; supervision of the Policy will be undertaken by the Senior Management Team. This policy may be supplemented by more detailed interpretation for specific sites, systems and services (see relevant policies and regulations). Implementation of information security policy is managed through the Information Security Working Group which reports to the Chief Information Officer.
4.3 The University’s IT Services directorate has operational responsibility for the University’s IT systems and will therefore take action wherever necessary to protect those systems.
The University recognises the need for all staff, students and other users of University systems to be aware of information security threats and concerns, and to be equipped to support University security policy in the course of their normal work. The Information Compliance team has implemented a training programme in data protection for all members of staff who process personal data and, at the behest of the University's Faculties and Directorates, will provide or arrange the provision of training in information security matters to answer particular requirements.
6.1 Authorised Use: University IT facilities must only be used for authorised purposes. The University may from time to time monitor or investigate usage of IT facilities; and any person found using IT facilities or systems for unauthorised purposes, or without authorised access, may be subject to disciplinary, and where appropriate, legal proceedings.
6.2 Monitoring of Operational Logs: The University shall only permit the inspection and monitoring of operational logs by the appropriate staff from the University’s IT Services directorate or where it has been otherwise authorised. Disclosure of information from such logs, to officers of the law or to support disciplinary proceedings, shall only occur (i) when required by or consistent with law; (ii) when there is reason to believe that a violation of law or of a University policy has taken place; or (iii) when there are compelling circumstances (circumstances where failure to act may result in significant bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of University policies).
6.3 Access to University Records: In general, the privacy of users' files will be respected but the University reserves the right to examine systems, directories, files and their contents, to ensure compliance with the law and with University policies and regulations, and to determine which records are essential for the University to function administratively or to meet its teaching obligations. Except in emergency circumstances, authorisation for access must be obtained from the Chief Information Officer or the Chief Information Officer’s nominee, and shall be limited to the least perusal of contents and the least action necessary to resolve the situation.
6.4 Protection of Software: To ensure that all software and licensed products used within the University comply with the Copyright, Designs and Patents Act 1988 and subsequent Acts, the University may carry out checks from time to time to ensure that only authorised products are being used. Unauthorised copying of software or use of unauthorised products by staff or students may be grounds for disciplinary, and where appropriate, legal proceedings.
6.5 Virus Control: The University will maintain detection and prevention controls to protect against malicious software and unauthorised external access to networks and systems. All users of electronic devices issued by the University or used for University business shall comply with best practice, as determined from time to time by the University’s IT Services, in order to ensure that up-to-date virus protection is maintained.
All University information assets (data, software, computer and communications equipment) shall be accounted for and have a designated owner. The owner shall be responsible for the maintenance and the protection of the asset/s concerned.
Physical security and environmental conditions must be commensurate with the risks to the area concerned. In particular, critical or sensitive information processing facilities must be housed in secure areas protected by defined security perimeters with appropriate security barriers and/or entry controls.
9.1 Information security risks must be identified at the earliest stage in the development of business requirements for new information systems or enhancements to existing information systems.
9.2 Controls to mitigate the risks must be identified and implemented where appropriate.
10.1 Access to information and information systems must be driven by business requirements and be commensurate and proportionate to the business need.
10.2 A formal access control procedure shall be required for access to all information systems and services.
Responsibilities and procedures for the management, operation and ongoing security and availability of all data and information processing facilities must be established.
All staff have a responsibility to consider security when disposing of information in the course of their work. Owners of information assets should establish procedures appropriate to the information held and processed and ensure that all staff are aware of those procedures. Retention periods should be set in consultation with the University Records Manager.
All staff, students and other users should report immediately via the Servicedesk portal https://service.brookes.ac.uk, or by telephone to the Service Desk on tel. ext. 3311, any observed or suspected security incidents where a breach of the University's security policies has or may have occurred, and any security weaknesses in, or threats to, systems or services.
The University will implement, and regularly update, a business continuity management process to counteract interruptions to normal University activity and to protect critical processes from the effects of failures or damage to vital services or facilities. A copy of the Oxford Brookes Business Continuity Policy can be found on the Business Continuity page.
1.1 The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. When handling such information, the University, and all staff or others who process or use any personal information, must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the Act).
In summary these state that personal data shall:
"Staff", "students" and "other data subjects" may include past, present and potential members of those groups.
"Other data subjects" and "third parties" may include contractors, suppliers, contacts, referees, friends or family members.
"Processing" refers to any action involving personal information, including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying information.
2.1 The University shall notify all staff and students and other relevant data subjects of the types of data held and processed by the University concerning them, and the reasons for which it is processed. The information which is currently held by the University and the purposes for which it is processed are set out in the Appendix 1 to this Policy. When processing for a new or different purpose is introduced the individuals affected by that change will be informed and the Appendix 1 will
3.1 All staff shall • ensure that all personal information which they provide to the University in connection with their employment is accurate and up-to-date; • inform the University of any changes to information, for example, changes of address; • check the information which the University shall make available from time to time, in written or automated form, and inform the University of any errors or, where appropriate, follow procedures for updating entries on computer forms. The University
shall not be held responsible for errors of which it has not been informed.
3.2 When staff hold or process information about students, colleagues or other data subjects (for example, students' course work, pastoral files, references to other academic institutions, or details of personal circumstances), they should comply with the Data Protection Guidelines for Academic Staff.
3.3 Staff shall ensure that
3.4 When staff supervise students doing work which involves the processing of personal information, they must ensure that those students are aware of the Data Protection Principles, in particular, the requirement to obtain the data subject's consent where appropriate.
4.1 All students shall
The University shall not be held responsible for errors of which it has not been informed.
4.2 Students who use the University computer facilities may, from time to time, process personal information (for example, in course work or research). In those circumstances, they must notify their course tutor or research supervisor in the relevant Faculty who will provide further information about their responsibilities in processing personal data.
5.1 Staff, students and other data subjects in the University have the right to access any personal data that is being kept about them either on computer or in structured and accessible manual files. Any person may exercise this right by submitting a request in writing to the Information Compliance Officer.
5.2 The University will make a charge of £10 for each official Subject Access Request, except for requests involving Health Records where the University may charge up to £50 for each request if those records are held either wholly or partly in non-electronic form.
5.3 The University aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days unless there is good reason for delay. In such cases, the reason for the delay will be explained in writing by the Information Compliance Officer to the data subject making the request.
6.1 In some cases, such as the handling of sensitive information or the processing of research data, the University is entitled to process personal data only with the consent of the individual. Agreement to the University processing some specified classes of personal data is a condition of acceptance of a student on to any course, and a condition of employment for staff. (See Appendix 1)
7.1 The University may process sensitive information about a person's health, disabilities, criminal convictions, race or ethnic origin, or trade union membership. For example, some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18, and the University has a duty under the Children Act 1989 and other enactments to ensure that staff are suitable for the job, and students for the courses offered. The University may
also require such information for the administration of the sick pay policy, the absence policy or the equal opportunities policy, or for academic assessment.
7.2 The University also asks for information about particular health needs, such as allergies to particular forms of medication, or conditions such as asthma or diabetes. The University will only use such information to protect the health and safety of the individual, for example, in the event of a medical emergency.
8.1 The University is the data controller under the Act, and the Vice Chancellor is ultimately responsible for implementation. Responsibility for day-to-day matters will be delegated to the Heads of Faculties and Directors as designated data controllers. Information and advice about the holding and processing of personal information is available from the University's Information Compliance Officer.
9.1 Students shall be entitled to information about their marks for assessments, however this may take longer than other information to provide. The University may withhold enrolment, awards, certificates, accreditation or references in the event that monies are due to the University.
10.1 The University will keep different types of information for differing lengths of time, depending on legal, academic and operational requirements. Information and advice about the recommended retention times are available from the University Records Manager.
11.1 Compliance with the Act is the responsibility of all students and members of staff. Any deliberate or reckless breach of this Policy may lead to disciplinary, and where appropriate, legal proceedings. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Information Compliance Officer by telephone on extension 4354 or by e-mail at email@example.com.
11.2 Any individual, who considers that the policy has not been followed in respect of personal data about him- or herself, should raise the matter with the designated data controller initially. If the matter is not resolved it should be referred to the University Information Compliance Officer and may be pursued through the staff grievance or student complaints procedure.
The University has notified the Information Commissioner that personal information may need to be processed for the following purposes:
The Public Register of Data Controllers on the Information Commissioner's website contains full details of the University's current registration. The register entry provides:
For further information about these regulations, please contact the Information Compliance Officer.
By default the University grants colleagues administrator logon rights on new Windows and Mac-based computers. If you have an existing device and would like to request a local administrator account, please do so using this form. These rights allow you to:
modify system settings
manage other users of the device.
It is important that when using your local administrator account, you adhere to the following guidelines to protect the University’s systems, devices and network:
change your portal password every 90 days, ensuring that it is a strong password of at least 12 characters.
maintain the integrity of your workstation by not taking excessive risk by installing software from the internet
always work whilst logged into your standard, non-administrative user account and only use the local administrator account to elevate privileges at the time when you need them
routinely check that your anti-virus software is updating, checking for and eliminating spyware, or any similar data gathering and reporting software, from your workstations
do not share your local administrator account details with others
report any system failures and security issues to IT Services at the earliest opportunity
keep up-to-date with, and adhere to, all IT policies including, but not limited to, the IT Acceptable Use Policy
do not interfere with any automatic updating/patching or enforced policies or services performed or provided by IT Services.
The University recognises that by giving colleagues administrative rights and enabling you to manage your workstations, productivity and operational efficiency can be substantially increased. However, Administrator access to a computer can lead to unintended and unauthorised configurations that may cause both you and the IT support service difficulties operationally and potentially legally.
All University-owned devices that have access to the network, either wired or wireless, are required to be configured to the following standards:
the device must be a member of a recognised university domain or management system
the device must have the current required management software installed including, but not limited to, power management, software compliance toolsets, configuration management toolsets. (Management software may vary by device type)
the device must have active, current and correctly configured anti-virus software
the device must be patched with operating system and third party vendor patches to a level required by IT Services.
Any customisation of a device to a configuration other than that provided or supported by IT Services will be lost in the event of a computer failure. Its restoration will be to a standard pre-customisation configuration.
The University reserves the right to restore a machine to a standard configuration if that machine is found to be a security risk. In such cases the University will not be responsible for any resultant data losses.
The University reserves the right to decline requests for administrator rights on any device for which access must be restricted due to its function, location or use by multiple users.
Misuse of administrator rights is defined as, but not limited to:
downloading software that is malicious, by intent or otherwise
downloading unlicensed/illegal software
downloading and/or distributing copyrighted material without permission
permitting public, or unauthorised, access to data that is restricted in nature
failure to adhere to the policies and procedures outlined above.
1.1 To define the requirements of Oxford Brookes University (OBU) to ensure that access to information assets is authorised and subject to identification and authentication controls
1.2 To establish the requirements for controlling access to OBU information or information that it is responsible for, including computing and physical resources. Computer systems, networks and allied hardware and other peripherals are an integral part of our operations and represent substantial investment.
1.3 It is the purpose of the Access Control Policy to ensure that all access to information assets is properly authorised, maintained and reviewed.
2.1 This Access Control Policy shall apply to all access to OBU's information assets.
2.2 All Users provided with access to OBU's information systems shall comply with this Access Control Policy as indicated in the IT Acceptable Use Policy.
2.3 Access to physical and non-physical assets will be governed under the same principles.
2.4 This Access Control Policy shall establish the Logical and Physical Access control requirements for protecting the entire university's information systems and hardcopy data.
3.1 This Access Control Policy forms part of Oxford Brookes University’s information Security Management System (ISMS) Framework as defined in the information Security Policy.
3.2 This policy should be read in conjunction with OBU’s IT Acceptable Use Policy, which summarises what OBU deems to be acceptable use of information systems
3.4 OBU’s information systems are provided for business purposes only and this Access Control Policy is used to ensure that Users:
3.5 Access allocation shall be monitored to ensure compliance with this Access Control Policy.
3.6 All Users, who use the university's information assets and information systems, shall be responsible for safeguarding those resources and the information the information Owners hold, from disruption or destruction.
3.7 The Access Control Policy shall apply to all Users who have access to the university's information assets, including remote access.
3.8 Failure to comply may result in the offending employee being subject to disciplinary action up to and including termination of employment as per the Information Security Policy.
3.9 The use of the university's information assets and information systems indicates acceptance of this Access Control Policy.
4.1 Oxford Brookes University IT Services shall ensure that Users are provided with education and training to ensure compliance with this Access Control Policy.
4.2 Oxford Brookes University IT Services shall develop, maintain and publish standards, processes, procedures and guidelines to achieve compliance with this Access Control Policy.
4.3 Annually review the Access Control processes, standards and procedures, to achieve compliance with this Access Control Policy and shall support the Access Control Strategy and provide security specific input and guidance where required.
4.4 IT asset owners and authorised users shall be assigned for each identified IT asset in order to approve or reject requests for access to their system.
4.5 IT asset owners and authorised users shall check the validity of all user access requests to information assets owned by them before implementation.
4.6 IT asset owners and authorised users shall authorise employees requiring access to information assets owned by them.
4.7 Human Resources (HR) shall inform the IT department of users starting, moving and leaving the university.
4.8 All appropriate managers shall authorise any requirement to changes to user's access rights on the information systems.
4.9 Users shall not share access codes and/or passwords, if access to other information systems are required then a formal request shall be put forward for authorisation by an appropriate manager.
4.10 Users shall not share their physical access cards; if physical access to restricted areas is required then a formal request shall be put forward for authorisation by the line manager.
4.11 Users shall be responsible for the security (and secrecy) of their own secret authentication information. In no circumstances is secret authentication information to be shared.
4.12 Users shall ensure incidents are reported and escalated in-line with documented Information Security Incident Management Procedure.
4.13 The University shall be responsible for ensuring all Users of OBU's information systems read and acknowledge the policy principles extracted from this Access Control Policy and included in the Acceptable Use Policy.
5.1 All information assets shall be "owned" by a named individual within OBU.
5.2 A process for user access requests, which mandates the steps to be taken when creating or modifying user access shall be defined, documented, annually reviewed and updated. The scope of this process must include network, application and database access and be applicable to any third party access.
5.3 Access to information assets shall be restricted to authorised employees and shall be protected by appropriate physical and logical authentication and authorisation controls.
5.4 Users shall be authenticated to information systems using accounts and passwords. See OBU’s Password Policy for further details.
5.5 Users are required to satisfy the necessary personal security criteria, as defined by OBUs Recruitment Policy, before they can be authorised to access information assets of a corresponding classification.
5.6 Users who have satisfied all necessary criteria may be granted access to information assets only on the basis that they have a specific need to know, or to "have-access-to", those information assets.
5.7 The classification of an information asset does not, in itself, define who is entitled to have access to that information. Access is further filtered by any applicable privacy restrictions as dictated by other OBU Policies (such as the Data Protection Policy)
5.8 Access privileges shall be authorised by the appropriate information Owner and allocated to employee, based on the minimum privileges required to fulfil their job function.
5.9 Administrator accounts shall only be granted to those users who require such access to perform their job function. Administrator accounts shall be strictly controlled and their use shall be logged, monitored and regularly reviewed.
5.10 Users with administrator access shall only access sensitive data if so required in the performance of a specific task.
5.11 Users with administrator access shall also have an unprivileged account, which shall be used for all purposes not requiring administrator access, including but not limited to electronic mail.
5.12 Line managers, information asset owners and authorised users shall ensure rights and privileges granted to Users of information assets are reviewed on at least every 6 months to ensure that they remain appropriate and to compare user functions with recorded accountability. This shall include access to user accounts, which shall be revoked when they have been inactive for more than 90 days.
5.13 Access shall be granted only to those systems or roles that are necessary for the job function of the user. Regular maintenance will address the management of privilege creep.
5.14 Detailed processes shall be developed and followed for terminating, modifying or revoking an employee's access, as part of the Movers/Leavers process.
5.15 In certain instances, particular access may be required for emergency reasons, such as undertaking emergency system maintenance. Requests for emergency access shall be directed to the OBU Chief Information Officer, or a member of the IT Services Executive, and shall be approved by the information asset owner or authorised user. Requests and approval should be documented, if possible, before the change is required stipulating an expiry period, which shall be enforced, for the access rights. A request for change shall be documented retrospectively where it is not possible to do this in advance.
5.16 All third party access (Contractors, Business Partners, Consultants, Vendors) shall be authorised by an appropriate information Owner and, if necessary, monitored.
5.17 Third Party Access to information assets shall be granted in increments according to business need and identified risks. Information asset owners shall specify access timeframes and be prepared to offer justification for such access.
5.18 Remote access to OBU's networks shall be appropriately authorised on a least privilege basis, with access only granted to systems and resources where there is an explicit business requirement. Only employees of the university or authorised third parties shall be able to connect to the university's corporate infrastructure remotely.
5.19 Only authorised personnel shall be given access to secure areas at the university's premises and any third party premises where sensitive information is processed or maintained, or physical assets are held.
5.20 All access to areas hosting systems that store, process, or transmit sensitive data (e.g. datacentres) shall be controlled, monitored by cameras and logged. Logs shall be regularly audited, correlated with other logs and securely stored for at least three months, unless otherwise restricted by law.
5.21 All visitors shall have authorisation prior to entering any of the university's sites where sensitive data is processed or maintained.
5.22 All visits shall be logged and details of logs retained for a minimum of one month, unless otherwise restricted by law. Reception staff shall be made aware of their responsibility to log every visitor to OBU sites.
5.23 Employees shall challenge and/or report any visitors found unsupervised or acting suspiciously at any site where sensitive OBU data is processed or maintained.
5.24 User account names and actions performed shall be recorded using Audit logging capabilities.
5.25 The IT Services Information Management Team shall maintain plans indicating time schedules of all information security access audits to be performed across OBU to ensure compliance with this Access Control Policy.
5.26 Site management shall perform a formal review of physical access rights at least every 6 months to identify unauthorised or expired access. Access controls shall be revoked in instances where access is no longer necessary for job function.
1.1 The University holds a large amount of information in a variety of media, physical and otherwise (including photos and videos). This includes personal and sensitive personal data, and also non-personal information which may be sensitive or commercially confidential (e.g. financial data) and may be subject to legal obligations of confidence, whether contractual or otherwise).
1.2 The University has legal responsibilities both under the Data Protection Act and in respect of its own business (for example, under the common law of confidence) to safeguard information in its control. Care should be taken to protect information, to ensure its integrity and to protect it from loss, theft or unauthorised access.
1.3 In the event of an information security incident (also referred to as a ‘data breach’), it is vital that appropriate action is taken to minimise associated risks. A risk analysis should be performed, factors which need to be considered are:
1.4 Any member of staff, student, contractor or pseudo-employee discovering or suspecting an information security incident must report it in accordance with this policy.
2.1 An information security incident in an event whereby data held by the University, in any format, is compromised by being lost, destroyed, altered, copied, transmitted, stolen, used or accessed unlawfully or by unauthorised individuals whether accidentally or on purpose. Some examples:
Loss, or theft of equipment on which data is stored, e.g laptop or mobile phone
Unauthorised access to data
Human error, e.g. emails to wrong recipient; public posting of confidential material online; incorrect sharing of Google documents
Failure of equipment or power leading to loss of data
Data maliciously obtained by way of social engineering (an attack in which a user is ‘tricked’ into giving a third party access, often by purporting to be someone other than they actually are)
2.2 Information security incident reporting also includes instances of ‘near misses’ and identification of vulnerabilities where IT Services considers there is a high likelihood of an actual incident occurring.
3.1 All Information security incidents should be reported immediately to The IT Service Desk (via phone on ext. no. 3311, or the ServiceNow Portal), as the primary point of contact.
3.2 The report should include full and accurate details of the incident, including who is reporting the incident; what type of data is involved (not the data itself unless specifically requested); if the data relates to people and if so, how many people are involved.
3.3. The IT Services Information Management team is responsible for maintaining a confidential log of all information security events..
4.1 The Information Management team will consider the report, and where appropriate, instigate a Response Team. IT Services will lead the Response team and membership will depend on the type and severity of the incident. The response team will be responsible for investigating the circumstances and effect of the information security incident. An investigation will be started into material breaches within 24 hours of the breach being discovered, where practicable.
4.2 The investigation will establish the nature of the incident, the type of data involved, whether the data is personal data relating to individuals or otherwise confidential or valuable. If personal data is involved, associated individuals must be identified and, if confidential / valuable data is concerned, what the legal and commercial consequences of the breach may be.
4.3 The investigation will consider the extent of the sensitivity of the data, and a risk assessment performed as to what might be the consequences of its loss. This will include risk of damage and/or distress to individuals and the institution.
4.4 The response team is responsible for formally documenting the incident and associated response. This information will (as a minimum) be subject to review by the Oxford Brookes University Information Security Working Group (ISWG) with serious incidents reviewed by the Chief Information Officer and other senior managers.
5.1 The Response Team and IT Services Lead will determine the appropriate course of action and the required resources needed to limit the impact of the breach. For instance this may require isolating a compromised section of the network; alerting relevant staff or contractors; changing access codes/locks or shutting down critical equipment.
5.2 Appropriate steps will be taken to recover data losses and resume normal business operation. This might entail attempting to recover any lost equipment, using backup mechanisms to restore compromised or stolen data and changing compromised passwords.
5.3 For incidents that involve a suspected or actual criminal offence all efforts will be made to preserve evidence integrity.
6.1 The details of the escalation and notification process are schematised in the appendix. A summary of this process is provided below.
6.2 The information management team is responsible for initial assessment of an incidents severity based on the scope, scale and risk of the incident.
6.3 This preliminary decision is then reviewed by the CIO and/or Director of IT Strategy, Information Management and Business Partnerships.
6.4 If at this stage the incident is deemed serious then the University Senior Management Team will be notified.
6.5 If a personal data breach has occurred of sufficient scale The Information Management team will notify the Information Commissioner’s Office (ICO) within the prescribed statutory time limits and manage all communications between the University and the ICO.
6.6 If the breach is deemed of sufficient seriousness (in line with ICO guidance), and concerns personal data, notice of the breach will be made to affected individuals to enable them to take steps to protect themselves. This notice will include a description of the breach and the steps taken to mitigate the risks, and will be undertaken by the Response Team. Liaison with the Police or other authorities may be required for serious events.
7.1 Once the incident is contained a thorough review of the event will be undertaken by the Response Team, to establish the cause of the incident, the effectiveness of the response and to identify areas that require improvement.
7.2 Recommended changes to systems, policies and procedures will be documented and implemented as soon as possible thereafter. Targeted training may be offered to the department affected.
7.3 All information security incidents will be subject to summary review by the ISWG so that any weaknesses or vulnerabilities that may have contributed to the incident can be identified, documented and resolved.
Download a pdf version
1 Introduction and Policy Objectives
1.1 The purpose of this Password Policy is to protect Oxford Brookes University (OBU) information assets from unauthorized use, and possible accidental or intentional misuse, through weak password security practice.
1.2 The policy applies to all users (students, staff, consultants, contractors and visitors) who have been given access to OBU information and communication systems or who are using third-party systems or services which have been contracted for by OBU.
1.3 On joining OBU staff shall be required as part of their terms and conditions that they will keep all personal secret authentication information private and keep any group secret authentication information solely within the members of the group.
2.1 All user-level and system-level passwords must conform to current best practice guidelines (so called, ‘strong’ passwords). For further information please contact the IT Service Desk, however in general ‘strong’ passwords have the following characteristics:
Contain both upper and lower case characters (e.g., a-z, A-Z)
Have digits and punctuation characters as well as letters e.g. 0-9, -_.!~*()
Are at least twelve alphanumeric characters long
Are not based on personal information, names of family, etc.
2.2 Users must not use the same password for OBU accounts as they do for personal / non-OBU accounts.
2.3 Where possible, users must not use the same password for different accounts.
2.4 User accounts that have system-level privileges granted through group memberships, or programs such as Sudo, must have a different password from all other accounts held by that user to access system-level privileges.
3.1 Users must abide by local or application-specific guidelines on the frequency of password changes. Changing passwords in itself is not a guarantee of security.
4.1 Passwords must not be shared with anyone (including other OBU staff). All passwords are to be treated as sensitive and confidential OBU information.
4.2 Do not write passwords down and store them in your office or place of work. Do not store passwords in a computer file unless the file itself is encrypted.
4.3 The use of ‘remember my password’ in applications (e.g. browsers) is not recommended for OBU passwords.
4.4 Any user that suspects their password may have been compromised must change it and inform the IT Service Desk immediately.
4.5 The use of password manager (also known as password vault) applications is permitted. For further information please contact the IT Service Desk.
5.1 It is recommended that users enable multi-factor authentication functionality on all system accounts where available
6. Application Development
6.1 Application developers must ensure that their programs contain the following security precautions:
Applications must support authentication of individual users, not groups
Applications must not store passwords in a reversible form and use PBKDF2 where possible.
All password hashes must be salted.
Applications must not transmit passwords in cleartext over the OBU network.
1.1 This document defines the Network Security Policy for Oxford Brookes University (OBU). The Network Security Policy applies to all network hardware, services on the network and network attached systems.
1.2 For the purpose of this policy a network is defined as Oxford Brookes University’s connected (physically and wirelessly) data network that allows computing devices (including phones) to exchange data.
1.3 The aim of this policy is to ensure the security of the network. To facilitate this, the university shall:
Protect assets against unauthorised access or disclosure (Confidentiality)
Protect the network from unauthorized or accidental modification and ensure the accuracy and completeness of data assets (Integrity)
Ensure the network is accessible how and when users need it (Availability)
2.1 To protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well-balanced technical and non-technical measures.
2.2 To provide effective protection that is commensurate with the risks to OBU network assets.
2.3 To implement the policy and associated procedures in a consistent, timely and cost-effective manner.
2.4 To ensure OBU is compliant with all relevant legislation, including (but not limited to:
The Data Protection Act 1998
Computer Misuse Act 1990
Human Rights Act 1998
Freedom of Information Act 2000
Electronics Communications Act 2000
Copyright, Designs & Patents Act 1988
3.1 Network equipment (principally routers, switches and servers) shall be housed in a controlled and secure environment. Critical or sensitive network equipment will be housed in an environment that is monitored for temperature, humidity and power supply quality.
3.2 Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls.
3.3 Critical or sensitive network equipment will be protected from power supply failures and protected by intruder alarms and fire suppression systems.
3.4 Smoking, eating and drinking is forbidden in areas housing critical or sensitive network equipment.
3.5 All visitors to secure network areas must be authorised by an appropriate manager.
3.6 All visitors to secure network areas must be made aware of network security requirements.
3.7 The movement of visitors to secure network areas must be recorded. The log will contain name, organisation, purpose of visit, date, and time in and out.
3.8 The Network Manager, or appropriate deputy, shall ensure that all relevant staff are made aware of procedures for visitors and that visitors are escorted when necessary.
4.1 Access to limited-access network services shall be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Remote access to the network will be via the University’s remote access software.
4.2 Departmental business managers will approve user access to systems including network access via standard staff joiner/leaver processes.
4.3 Access rights to network services will be allocated on the requirements of the user's role, rather than on a status basis.
4.4 All users users of network services will have their own individual user identification and password.
4.5 Users are responsible for ensuring their password is kept secret (please see OBU’s Password Policy for further details).
4.6 User access rights shall be removed or reviewed for those users who have left the University or changed roles as soon practically possible.
5.1 Third party access to network systems, services, hardware and network attached systems shall be based on a formal contract that satisfies all necessary security conditions.
5.2 All third party access to network systems, services, hardware and network attached systems must be logged.
5.3 For further information please refer to the University Third Party & Supply Chain Management Policy
6.1 The Network Manager will ensure that adequate maintenance contracts are maintained and periodically reviewed for all network equipment.
6.2 The Network Manager is responsible for ensuring that a log of all faults on network systems and equipment is maintained and reviewed.
6.3 OBU shall ensure that timely information regarding the technical vulnerabilities of information systems is obtained. Any vulnerability will be assessed and any risks will be appropriately controlled.
6.4 The use of privileged utility programs that may be capable of overriding system and application controls shall be controlled and restricted.
6.5 Operational software shall only be installed by authorised system administrators and authorised third-parties (see section 5).
7.1 Documented operating procedures should be prepared for the operation of network services and systems, to ensure their correct, secure operation.
7.2 Changes to operating procedures must be authorised by the Network Manager.
8.1 The Network Manager is responsible for ensuring that backup copies of network configuration data are taken regularly.
8.2 Documented procedures for backup processes and storage will be produced and communicated to all relevant staff.
9.1 The University will ensure that all users of network systems, services, hardware and network attached systems are provided with the necessary security guidance, awareness and where appropriate training to discharge their security responsibilities.
9.2 All users of network services and systems must be made aware of the contents and implications of the Network Security Policy.
9.3 All users must ensure that they protect the network from unauthorised access. They must log off the network when finished working.
9.4 Irresponsible or improper actions by users may result in disciplinary action
10.1 Software to protect against malware should be installed on all client devices including mobile computing assets.
10.2 Software used to protect University systems against malware shall be regularly reviewed and updated.
10.3 Procedures on dealing with malware protection and attacks shall be developed and documented together with appropriate business continuity plans.
11.1 All network systems and services shall be synchronised using ntp.brookes.ac.uk
12.1 Adequate event logs recording network activity, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
12.2 Logging facilities and log information shall be protected against tampering and unauthorised access.
12.3 The activity of privileged users shall be logged and the logs protected and regularly reviewed.
1.1 The University holds a large amount of information, both in hard and soft copy. This includes personal and sensitive personal data (as defined by the UK Data Protection Act, 1998), and also non-personal information, which could be sensitive or commercially confidential (e.g. financial data).
1.2 It is sometimes necessary when we are working with partner organisations or other institutions or on collaborative projects, to share personal data or information with those institutions or partners. This might entail:
The University may receive personal information from the institution or partner
The University may send personal information to the institution or partner
A request for personal information held by one or both of us
1.3 These partners might be our partner colleges or universities, or other institutions with whom we have a relationship. We may or may not have a formal contract with these institutions or partners. We must also consider the legislative implications that this might have on us at the university.
2.1 Disclosures of information should be relevant, proportionate and lawful.
2.2 All regular sharing of information to the same source should be governed by a data sharing agreement which sets out the protocols for:
What data is to be shared
For what purpose
Legal justifications for sharing
Benefits and risks of sharing
Information lifecycle (retention and disposal)
Responsibilities and liabilities in the event of information security incidents
Agreed methods of transfer
Appropriate audit trails and governance
Appropriate ID and background checks (where applicable)
3.1 Electronic Documents
3.1.1 Sufficiently secure methods must be used when transferring personal data.
3.1.2 In the case of confidential and/or sensitive data it is recommended that data is encrypted to an acceptable standard (i.e. compliant with FIPS 140-2 (cryptographic modules, software and hardware) and FIPS 19) prior to transfer and protectively marked.
3.1.3 Encryption passwords must not be relayed using the same communication channel as the data.
3.1.4 An audit trail of all transfers must be maintained in line with the retention policy.
3.1.5 If transfer is by email, information must be sent to named persons where possible, the use of group mailboxes is to be avoided.
3.1.6 Information no longer in use by either party must be securely deleted.
3.2 Hardcopy Documents
3.2.1 All hardcopy data must be posted using the University's approved mail delivery company.
3.2.2 All confidential and/or sensitive data must be identified and sent with the appropriate level of tracking via University’s approved mail delivery company.
3.2.3 Personal information must be labelled ‘private and confidential’ and ‘addressee only’ where appropriate.
1.1 This policy covers the use of non-University owned electronic devices to access corporate systems and process University information. Such devices include, but are not limited to, smartphones, tablets, laptops and similar technologies. This is commonly known as ‘Bring Your Own Device’ or BYOD.
1.2 If you wish to BYOD to access University systems, data and information, you may do so provided that you follow the provisions of this policy and the advice and guidance provided through the IT Services Service Desk.
1.3 The University is keen to have an agile, flexible and responsive workforce. Therefore the University has actively encouraged BYOD, enforcing as few technical and procedural constraints as possible whilst still satisfying its legal compliance obligations.
2.1 BYOD – Bring Your Own Device refers to Users using their own device (which is not owned or provided to them by the University) to process University information, whether at the place of work or remotely, typically connecting to the University or other Wi-Fi Service.
2.2 As the device is not owned by the University there is no guarantee that support will be provided for the device and any faults of software, hardware or peripherals must be rectified by the owner at their cost.
3.1 The University takes Information and Systems Security very seriously and invests significant resources to protect its data. The University’s data, irrespective of what device is used to process it, remains an asset of the University.
3.2 When using the device to process University data the user must adhere to policies of the university including the IT Acceptable Use Policy
3.3. If a personal device is used for work purposes, the user must take all reasonable steps to secure the device from risks such as:
Loss or theft of device
Unauthorized access of the device or University data
Malicious software attacks
Such steps may include:
Encryption of the device
PIN, passphrase or biometric access control
Not retaining any data locally on the device
Regular and timely security updates
Ensuring that the device manufacturer’s security mechanisms are not bypassed (Jailbreaking, rooting, etc.)
Activating any tracking or locating software available on the device
Ensure all University data is removed from the device when it is sold, recycled or transferred to a third-party.
4.1 Although the University will not monitor personal devices, in some cases the University may monitor the flow of University data between a device and its systems.
5.1 Where the processing of sensitive personal data (as defined by the UK Data Protection Act, 1998) is deemed necessary for operational purposes an appropriate manager should assess the risks and decide if this is appropriate.
6.1 Data must be handled in accordance with the University’s Intellectual Property Policy. On termination of employment the user may be required to return or delete data as instructed by Oxford Brookes University
6.2 The User must take reasonable steps to ensure that personal data is sufficiently segregated from Oxford Brookes University data on the device. Such steps must ensure that University data will not be merged with an employee's personal data. This must be done to a degree that that non-employees, such as family members who use the device, do not have the ability to access University data
This Policy defines policy and procedures where existing University policies do not specifically address issues particular to the use of electronic mail. Users of University electronic mail services are responsible for making themselves familiar with the " Guidelines for Use of the Internet", and other relevant laws and University policies (see policies.)
The terms "electronic mail" and "email" are used interchangeably throughout this Policy.
2.1 This Policy applies to
2.2 This Policy applies only to electronic mail in its electronic form. It does not apply to printed copies of electronic mail. Other University policies, however, do not distinguish among the media in which records are generated or stored. Electronic mail messages, in either their electronic or printed forms, are subject to those other policies, including provisions relating to secure handling and disclosure.
3. General Provisions
3.1 University Property
Any electronic mail address or account associated with the University, or any sub-unit of the University, assigned by the University to individuals, sub-units or functions of the University, is the property of Oxford Brookes University.
3.2 Service Restrictions.
Those who use University electronic mail services must do so responsibly, that is, in compliance with United Kingdom and European laws, with this and other University policies
and regulations (see policies), and with normal standards of professional and personal courtesy and conduct. Access to University electronic mail servicesmay be wholly or partially restricted by the University, for good cause, without prior notice and without the consent of the email user. Such restriction is subject to the approval of the Chief Information Officer, or his nominee, or, in theirabsence, the approval of the University Registrar.
3.3 Access to Email Records.
The University shall only permit the inspection, monitoring, or disclosure of electronic mail without the consent of the holder of such email (i) when required by or consistent with law; (ii) when there is reason to believe that a violation of law or of a University policy has taken place; (iii) when there are compelling circumstances; or (iv) under time-dependent, critical operational circumstances.
Except in emergency circumstances, authorisation for access must be obtained from the Chief Information Officer, or his nominee. Authorisation shall be limited to the least perusal of contents and the least action necessary to resolve the situation. In emergency circumstances the least perusal of contents and the least action necessary to resolve the emergency may be taken immediately without authorisation, but appropriate authorisation must then be sought without delay.
4. Security and Confidentiality
4.1 The University does not guarantee the confidentiality of electronic mail.
4.2 Except as provided elsewhere in this Policy, computer operations personnel and system administrators are not permitted to see or read intentionally the contents of email messages, to read transactional information except where necessary to ensure proper functioning of University email services, or to disclose or otherwise use what they have seen.
4.3 There is one exception: systems personnel, such as the "Postmaster", who may need to inspect the contents of email messages when re-routing or disposing of otherwise undeliverable email. This exception is limited to the least invasive level of inspection required to perform such duties.
5. Archiving and Retention
It is University policy to delete email stored on the University mail server at regular intervals and to inform users of impending deletions. Operators of University electronic mail services are not required by this Policy to retrieve email from back-up facilities upon the holder’s request, although on occasion they may do so as a courtesy.
6. Policy Violations
Violations of this policy may result in disciplinary action being taken, or access to University facilities being withdrawn, or a criminal prosecution. Any apparent violations of policy or law should be reported either to the Postmaster or to the Information Compliance Officer at firstname.lastname@example.org.
Definitions Computing Facilities: Computing resources, services, and network systems such as computers and computer time, data processing or storage functions, computer systems and services, servers, networks, input/output and connecting devices, and related computer records, programs, software and documentation.
Email Systems or Services: Any messaging system which depends on computing facilities to create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print computer records for purposes of asynchronous communication across computer network systems between or among individuals or groups, which is either explicitly denoted as an email system or is implicitly used for such purposes, including services such as electronic bulletin boards, mailing lists and news groups.
University Email Systems or Services: Electronic mail systems or services owned or operated by the University or any of its sub-units.
Email Record: Any or several electronic computer records or messages created, sent, forwarded, replied to, transmitted, stored, held, copied, downloaded, displayed, viewed, read, or printed by one or several email systems or services. This definition applies equally to the contents of such records and to transactional information associated with such records, such as headers, summaries, addresses, and addressees.
University Record: Any data recorded in any form, including paper files, computer files, audio- and videotapes, film and microfiche, which are maintained by University staff, or agents, in the course of their employment.
University Email Record: A University record in the form of an email record regardless of whether any of the computing facilities utilised to create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print the email record are owned by the University. The location of the record, or the location of its creation or use, does not change its nature as: (i) a University email record for the purposes of this or other University policy, and (ii) having potential for disclosure under the Data Protection Act 1998 or other laws. Until determined otherwise or unless it is clear from the context, any email record residing on University-owned computing facilities, including personal email, may be deemed to be a University email record for the purposes of this Policy. Consistent, however, with the principles asserted in Section 3.4 of least perusal and least action necessary, the University shall, in good faith, make an initial effort to distinguish University email records from personal email where relevant to disclosures under the Data Protection Act and other laws, or for other applicable purposes of this policy.
Use of Email Services: To create, send, forward, reply to, transmit, store, hold, copy, download, display, view, read, or print email. A (University) email user is an individual who makes use of (University) email services.
Possession of Email: An individual is in "possession" of an email record, whether the original or a copy or modification of the original, when that individual has effective control over the location of its storage. Thus, an email record which resides on a computer server awaiting download to an addressee is deemed, for purposes of this Policy, to be in the possession of that addressee. Systems administrators and other operators of University email services are excluded from this definition with regard to email not specifically created by or addressed to them. Email users are not responsible for email in their possession when they have no knowledge of its existence or contents.
Email Holder: An email user who is in possession of a particular email record, regardless of whether that email user is the original creator or a recipient of the content of the record.
Compelling Circumstances: Circumstances where failure to act may result in significant bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of University policies, or significant liability to the University or to members of the University community.
Emergency Circumstances: Circumstances where time is of the essence and where there is a high probability that delaying action would almost certainly result in compelling circumstances.
Time-dependent and Critical Operational Circumstances: Circumstances where failure to act could seriously hamper the ability of the University to function administratively or to meet its teaching obligations, but excluding circumstances pertaining to personal or professional activities, or to research.
1. Statement of PolicyOxford Brookes University aspires to the highest standards of corporate behaviour, professional competence and best practice in its approach to computing and data security. The University has policies
relating to Information Security[link] and Data Protection[link]. These policies require staff and students and all who have access to, and process, the University’s data to keep information secure and to protect personal data. This policy relates
specifically to the movement of University data from the University’s systems to portable devices and other removable media and the processing of University data on such devices and media. The policy of the University is that information must
continue to be kept secure and personal data must continue to be protected when it is transferred on to, or processed on, portable devices and other removable media and during any process of transfer to and from such devices or media.2. Definitions2.1 Portable devices and removable media are any devices which can easily be carried by hand and be used for mobile computing either in their own right or by being connected to and removed from other computing
devices. They include laptop and notebook computers, tablet computers mobile phones, digital cameras, digital audio devices, portable hard drives, CDs, DVDs, SD cards, memory “sticks” and flash drives.2.2
For the purpose of this policy data can be divided into two categories:nonsensitive data, which is data not containing either personal information or information of a confidential nature, and; sensitive data, the default category, which comprises all
other data, the loss of which would, would be likely to, cause damage or distress to the University or to individuals. Data is assumed to be sensitive unless proven otherwise. This policy relates to sensitive data.3. Policy Principles3.1 The dominant principle governing the use of portable devices and removable media is:Do not transfer the University’s sensitive data on to or store such sensitive data on portable devices or removable
media unless it is necessary for a University business purpose and you have the explicit authority of your Head of Department. If it is necessary for sensitive data to be transferred on to or for such data to be stored on portable devices or
removable media then the data should be minimised as much as possible, and the portable device or removable media containing the sensitive data should be an Oxford Brookes device and be protected by encryption software in line with the advice and th
assistance of the University’s IT department (Oxford Brookes Information Solutions OBIS) to the appropriate current standard. Data minimisation means minimising the quantity and breadth of data and, where possible, anonymising personal data.3.2 All portable devices and removable media provided by the University to its staff shall be protected by encryption software.3.3 Staff will ensure that all such devices are protected by a secure password and that the password-protected auto-locking feature (where present) is enabled. Advice on secure passwords can be obtained from the University’s IT department OBIS.3.4 The University will abide by legislation and regulations relating to obtaining, using, storing, protecting and disclosing data required in the pursuance of University business.3.5 The University will provide appropriate organisational and technical measures to help keep data secure and to prevent loss, damage and destruction, assisting staff to implement such measures by producing relevant guidance.3.6
Individuals processing University data have a responsibility to protect the data from unauthorised use, disclosure, access, loss, corruption, damage or destruction and to adopt all proper and sensible precautions in their handling of sensitive and
personal data.3.7 Any individual using portable devices and removable media must ensure that sensitive or personal data are not compromised by inappropriate use of insecure facilities and storage.3.8 Individuals transferring data on to or storing such data on portable or removable devices shall ensure they have the appropriate authority and approval to do so.3.9 Sensitive data shall not be processed, opened, read or loaded on public access computers.3.10
The University’s sensitive data will not be transferred to, stored or processed on portable devices or removable media where those data are to be used or accessed by third parties unless such parties have a business relationship with the University
and appropriate contractual arrangements are in place.3.11 Antivirus precautions should be maintained in all use of removable media devices.4. Authorisation Process4.1 For sensitive University data to be transferred on to or stored on a portable device orremovable media for use by a member of staff appropriate authorisation shall be obtained fromthat member of staff’s Head of Department.4.2 The risks associated with transferring data onto a portable device or storing data on it must be assessed and controls to mitigate the risks must be identified and implemented where appropriate.4.3 The member of staff will complete the appropriate authorisation request and secure the necessary authorisation prior to the data being placed on the portable device or removable media.4.4 The appropriate authorisation form can be accessed here [link].5. Guidelines5.1 Make sure that you understand what your responsibilities are by consulting the University’s Information Security and Data Protection policies. If you need further training on data protection matters, get in
touch with the University’s Information Compliance Officer to arrange a session.5.2
Before using mobile computing devices to process University data, consider whether such processing is necessary. Can it be done without using a mobile device? If it can and the mobile processing is not necessary, then adopt a more appropriate and
secure alternative.5.3 If processing data on a mobile device is necessary, consider whether the data can be minimised, or personal data anonymised, in any way.5.4
Avoid using removable media devices for permanent or indefinite storage. Make sure data are transferred as soon as possible to a secure, permanent data store and securely removed from all intermediate media. Do not put yourself in a position where
sensitive data may be lost irretrievably without a backed u copy held in a secure University data store.5.5
Consult your manager to ensure that you have appropriate approval to transfer data on to or to store such data on a mobile device. In order to authorise the transfer of sensitive data on to a mobile device, the Head of Department will need to know
that it is necessary and that OBI guidance has been followed on the appropriate technical measures to keep the data secure.5.6
If you are a manager, make sure you are aware of any mobile processing carried out by your staff and that the policy is being applied. If you identify that the policy is not being applied despite appropriate briefing and training, then you will need
to escalate the matter through your own senior manager, involving HR if necessary.5.7
Consult the University’s IT department OBIS (email: email@example.com; tel. ext.3311) for advice on defensive computing and managing any risks. OBIS will help to identify and implement any appropriate technical measures, including
encryption, to ensure the security of the data and/or the device. Specific measures will depend upon the nature of the device.5.8
Take appropriate physical precautions against the theft or loss of portable devices and removable media. If it is necessary to travel by car with such devices, as well as making sure technical measures such as encryption have been applied, make sure
the devices are locked out of sight in the boot of the vehicle. If kept at home, devices still need to be kept secure to protect from opportunistic theft or access.5.9
If a mobile computing device is disposed of, make sure that the data are properly purged and destroyed. Seek advice from the University’s IT department OBIS to ensure that the data are destroyed. Guidance is available in the university’s Policy on
Secure Disposal of IT Equipment and Information.5.10 Software on portable devices and removable media are subject to the same audit procedures as other computer systems. Make sure you have appropriate authority and licence for use.6. Reporting Data Security Breaches and Lost or Stolen Portable Devices or Removable Media6.1 All staff should report lost or stolen devices immediately to their line manager and to the University’s Information Compliance Officer. This will enable an assessment to be made of any loss of data held on the device.6.2
Any security breach of data (or suspected breaches), including those involving portable devices or removable media, should be reported immediately by email to firstname.lastname@example.org or to the OBIS Service Desk at https://service.brookes.ac.uk or
by telephone on ext. 3311.6.3 A data security breach occurs when there is unauthorised or unlawful processing of sensitive data, including personal data, or there is accidental loss, or destruction of, or damage to such data.6.4 In reporting the loss or theft of a device and data you are required to identify in writing the type of device the nature and extent of the data, and the security measures which were taken to protect the device and the data.
1. IntroductionThe University holds and processes a large amount of information and is required to protect that information in line with relevant legislation and in conformity with University regulations and policies such as the
Information Security Policy[link], the Data Protection Policy[link] and the Records Management Policy. This policy sets out the requirements for staff on the secure disposal of the University’s IT equipment and information.2. Definitions2.1 Secure DisposalSecure disposal means the process and outcome by which information including information held on IT equipment is irretrievably destroyed in a manner which maintains the security of the
equipment and information during the process and up to the point of irretrievable destruction.2.2 IT EquipmentIT
equipment means all equipment purchased by or provided by the University to store or process information including but not necessarily limited to desktop computers, servers, printers, copiers, laptops, tablet computers, electronic notebooks, mobile
telephones, digital recorders, cameras, USB sticks, DVDs, CDs and other portable devices and removable media.2.3 Information2.3.1 Information means all information and data held or recorded electronically on IT equipment or manually held or recorded on paper.2.3.2
For the purpose of this policy, the information held by the University can be divided into two categories: nonsensitive; and sensitive information. Sensitive information comprises: all personal information and all confidential information, the loss
of which would, or would be likely to, cause damage or distress to individuals or to the University.2.3.3 The default category is that all information is deemed to be sensitive unless specifically identified as otherwise.3. Responsibilities3.1 It is the responsibility of all University staff to ensure that the information held by the University is disposed of appropriately and that all sensitive information is disposed of securely.3.2 Responsibility for this policy resides with the University’s Executive Board. Implementation of this policy is managed through the University’s Information Security Working Group which reports to the Chief Information Officer.4. Statement of Policy4.1 This policy on disposal covers all data or information held by the University whether held digitally or electronically on IT equipment or as manual records held on paper or in hard copy.4.2 It is
the University’s policy to ensure that all information held by the University is disposed of appropriately, in conformity with the University’s legal obligations and in accordance with the University’s regulations[link] and Records Management policy.4.3 In particular it is the University’s policy to ensure that all sensitive information which requires disposal is disposed of securely.4.4 Where information is held on IT equipment, it is the policy of the University that such equipment will be assumed to hold sensitive information and that all information residing on such equipment must be disposed of securely.4.5
The University supports policies which promote sustainability and take account of environmental impact. The University will therefore support recycling or sustainable redeployment in the disposal of IT equipment as long as information held on the
equipment is irretrievably and securely destroyed prior to the the disposal of the equipment.4.6 WEEE: IT equipment must also be disposed of in line with the EU Waste Electrical and Electronic Equipment (WEEE) Directive and the UK Waste Electrical and Electronic Equipment Regulations 2006.[Link www.brookes.ac.uk/Documents/About/Sustainability/en103w2/]4.7 Copyright: software must be disposed of in line with copyright legislation and software licensing provisions.5. Policy Principles5.1 Hard copy5.1.1 Information and data held in paper or hard copy which contain sensitive information shall be irretrievably destroyed in a way in which the information cannot be reconstituted, by shredding, pulping or incineration.5.1.2 The process leading to and the process of shredding, pulping or incinerating such information shall be carried out securely.5.1.3 Where the shredding or incineration are carried out on behalf of the University by a third party, there shall be a contract with that third party which appropriately evidences:a) that party’s obligations to keep that data confidential and;b) that party’s responsibility under the Data Protection Act 1998 for the secure disposal of the data.5.1.4 Where hard copy information is stored externally by a third party data storage contractor, the contract shall ensure secure disposal of the data at a time which conforms with the University’s Retention Schedule[link].5.2 IT Equipment5.2.1
Since the policy default is that all IT equipment which stores or processes data will be deemed to hold sensitive data, then all such IT equipment will undergo appropriate physical destruction or an appropriate data overwrite procedure which
irretrievably destroys any data or information held on that equipment.5.2.2 Where an overwrite procedure fails to destroy the information irretrievably, the equipment shall be physically destroyed to the extent that the information contained in it is also irretrievably destroyed.5.2.3
For the avoidance of doubt, removable digital media including but not limited to CDs, DVDs, USB drives, where the default is that they contain sensitive data, shall, if not successfully overwritten, be physically destroyed to the extent that all data
contained in the media are irretrievable.5.2.4 All IT equipment awaiting disposal must be stored and handled securely.5.2.5
Where the overwriting procedure and/or physical destruction of IT equipment are carried out on behalf of the University by a third party, there shall be a contract with that third party which appropriately evidences: that party’s obligations to keep
that data confidential and; that party’s responsibility under the Data Protection Act 1998 for the secure disposal of the data.5.2.6
In any case where IT equipment is to be passed on by the University for reuse,those staff involved in the sale or transfer of the equipment shall ensure that any information on the equipment has been irretrievably destroyed and that any other
appropriate issues, including, but not limited to, the safety of the equipment are satisfactorily addressed.5.2.7 Photocopiers and printers used or owned by the University may have a data storage capacity. Where such IT equipment contains information or data, the disposal of such equipment must have due regard to this policy.5.3 Online Data5.3.1
The University has a contract with Google for the use of its Google Apps for Education. This enables University staff to take advantage of the features provided for data storage of emails and documents. The University does not sanction the use of
external online (cloud) services for University data where there is no contract in place.5.3.2 Data held in the University’s Google applications or other authorised online storage applications should be destroyed to the extent possible by using the delete facilities provided.6 Record of Destruction6.1 Any third party contracted to dispose of sensitive hard copy information shall certify the irretrievable destruction of the information.6.2 University staff who have responsibility for the
information which is disposed of shall ensure that the disposal conforms with the University’s Records Management policy[link] and Retention Schedule and that, where necessary, a record is kept documenting the disposal.6.3
Where the disposal involves the disposal of IT equipment, the University shall keep a record of the asset number of the equipment which has been disposed of along with a record of the process by which the information stored on the equipment has been
irretrievably destroyed.7 Reporting7.1 All staff, students and other users of information should report immediately to the Service Desk via the Servicedesk portal https://service.brookes.ac.uk or by telephone (tel. ext. 3311) any observed or suspected
incidents where sensitive information has or may have been insecurely disposed of.8 Advice and Assistance8.1 Advice on the implementation of this policy can be obtained from the University Information Compliance Officer (tel. ext. 4354: email address info.sec.@brookes.ac.uk) and the University Records Manager (tel. ext. )8. 2 Advice on the disposal of IT equipment can be obtained from the University’s IT department, OBIS, by contacting the Service Desk on tel. ext 3311 or via the Servicedesk portal https://service.brookes.ac.uk9 Guidelines9.1 Hard Copy9.1.1 Staff holding University data in hard copy should routinely dispose of the data when it is no longer required to be held for legal or contractual purposes or is no longer necessary for the
business purpose for which it was originally created or held. In determining whether and whenthe data should be disposed of, staff should consult the University’s Retention Schedule obis.brookes.ac.uk/records/Retention%20Schedule%201c.doc Further information can be obtained from the University Records Manager.9.1.2
It is good practice to shred, pulp or incinerate all University data which requires destruction. Where hard copy waste is sensitive data (as defined in 2.3.2) it should always be securely and irretrievably destroyed by shredding, pulping or
incineration. In order to ensure the secure andirretrievable destruction of hard copy, staff are required to use the service provided by the University’s selected contractor for the destruction of confidential waste.9.1.3
Confidential waste bags for information requiring secure destruction can be obtained from Campus Services which will collect the bags when they are ready for disposal. Bags which contain confidential waste should be sealed and kept secure until
collected by Campus Services.9.1.4 Confidential waste bags awaiting collection or further processing should not be left in public areas or areas where they can be accessed by unauthorised staff.9.1.5
Where sensitive data are stored under contract externally, staff responsible for the contract should ensure the contract includes secure, certificated destruction of the data in accordance with the appropriate retention period. External storage and
destruction of University data should not be arranged without reference to the University Records Manager.9.1.6 Where staff consider a document is of sufficient historic importance to be retained by the University, they should consult the University Archivist.9.2 IT Equipment9.2.1
Staff holding University data on IT equipment should routinely dispose of the data when it is no longer required to be held for legal or contractual purposes or is no longer necessary for the business purpose for which it was originally created or
held. In determining whether and whenthe data should be disposed of, staff should consult the University’s Retention Schedule [link obis.brookes.ac.uk/records/Retention%20Schedule%201c.doc].Further information can be obtained from the University Records Manager (tel. ext. 4046: )9.2.2
Where a decision has been made that data held on IT devices or media should not be retained, the files containing the data should be deleted from those devices. Deletion involves putting the information “beyond use” by the user of the device or
media. Data held in a recycling “bin” on the device or data which can easily be recovered by the user are not regarded as being “beyond use” and may still be subject to discovery and disclosure under information law (Freedom of Information, Subject
Access Request) or litigation.9.2.3 Staff shall never dispose of University IT equipment (devices or media) without taking steps to ensure the irretrievable deletion of data held on the equipment.9.2.4
Electronic or digital data which have been put “beyond use” by users may still be reconstituted by IT specialists or by forensic computer analysts. This means that when IT equipment (devices or media) are disposed of, the data should be irretrievably
destroyed by being overwritten in accordance with the appropriate industry standard, or the hard disc containing the data within the equipment or the media containing the data (e.g. CD, USB stick) should be physically destroyed. The University has
some shredding machines available which can destroy CDs and DVDs as well as shred hard copy.9.2.5 Staff requiring the disposal of IT equipment which holds or may hold University data should contact the Service Desk via the Servicedesk portal https://service.brookes.ac.uk (tel ext. 3311) to arrange for the disposal.9.2.6
Staff should also be mindful that University mobile telephones contain data which will need to be extracted or deleted from the device before the device is disposed of. The telephone should be returned to the Service Desk should be contacted to
initiate the secure return and disposal of the device.9.2.7
While the University supports the recycling or sustainable redeployment of IT equipment, University staff shall not arrange for such a process without consulting the OBIS Client Device Support Manager contacted via the service desk via the
Servicedesk portal https://service.brookes.ac.uk (tel. ext. 3311), obtaining appropriate authority from OBIS for the proposed recycling and ensuring that any data held on the equipment are securely and irretrievably destroyed.9.2.8
Where University staff are leasing equipment (such as multifunctional copiers), staff responsible for the contracts should ensure that the leasing contract certifies the secure disposal of any University data held on the devices during the period of
lease.9.2.9 When disposing of IT equipment, staff must be mindful of the WEEE regulations. /about/sustainability/docs/en103w2.pdf]9.3 Online data9.3.1
Staff using the delete facility provided by Google in the University’s online Google applications should be aware that the deleted material will be held for 30 days in their online “bin”. Such data will not be regarded as “beyond use” until it has
been further deleted from the “bin”.9.3.2
Online data held in Google accounts provided to staff by the University for the purpose of their employment are not automatically deleted when staff leave the University. These accounts are deactivated and access to the data retained for any
necessary business purpose. Prior to leaving the University, staff should, wherever possible, ensure the appropriate management and handover of the University data in their accounts, deleting from their accounts data which are no longer required by
1. IntroductionThe Data Protection Act is concerned with the handling of personal information, covers both manual and electronic records and stipulates the setting of security standards. As part of the University's compliance
with the legislation it has published an Information Security Policy and E13 Data Protection Policy and it is important that you make yourself familiar with them. These guidelines are intended as a supplement to those policies. Further information
and advice are available from the Information Compliance Team on ext 4354 or by email at email@example.com. Standard InformationAll staff process information about students on a regular basis, when marking registers, writing reports or references, or as part of a pastoral or academic supervisory role. The University will ensure throughregistration procedures that all students are notified of such processing, as required by the Act, and give their consent where necessary. The information that staff deal with on a day-to-day basis is "standard" and covers categories such as:• General personal details such as name and address;• Details about class attendance, course work marks and grades and associated comments;• Notes of personal supervision, including matters about behaviour and discipline;• Sponsorship details.3. Sensitive InformationInformation about a student’s physical or mental health, ethnicity or race, political or religious views, trade union membership, sexual life, or criminal record is classified as sensitive information
under the Data Protection Act. Such information can only be collected and processed when permitted or required by law or with the student’s express (written) consent. Examples would include:• keeping of sick notes;• recording information about dietary needs, for religious or health reasons, prior to taking students on a field trip;• recording information that a student is pregnant, as part of pastoral duties.Disclosure
of such information without explicit consent is permitted only in exceptional circumstances, for example if the University is under a statutory obligation to make the disclosure or if the disclosure is in the vital interests of the student
(information about a medical condition may be disclosed in "life or death" circumstances). Sensitive information must be protected with a higher level of security. It is recommended that sensitive records are kept separately in a locked drawer or
filing cabinet, or in a password protected computer file, or, if held on a mobile device, protected by encryption. If you (or one of your students) areholding,
or intending to hold, sensitive personal information which is outside routine University processing, you should notify your manager or, if for research purposes, your research supervisor and your Faculty Research Ethics Team. Every application to the
University's Research Ethics Committee must include details of the measures to be taken to ensure the security of personal data.4. Processing of Personal InformationProcessing refers to any action involving personal information, including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying information.
When processing personal information, you must comply with the data protection principles, which are set out in the Data Protection Policy (regulation E13). In particular, you should ensure that records are:• accurate• up-to-date• fairly and legally obtained• kept and disposed of safelyFor further details please refer to the University’s record retention schedule.5. Project and Research SupervisorsIf you supervise students doing work that involves the processing of personal information, you should ensure
that those students are aware of the Data Protection Principles, in particular, the requirements to notify and to obtain the data subject’s consent where appropriate. Students should be referred to the Faculty Research Ethics Team or the Information
Compliance Team for further information.6. Handling EnquiriesWhen students ask to see information about themselves, you should, where possible, deal with these enquiries informally. If an informal response is not appropriate, you should advise the student to make a
formal Subject Access Request under the Data Protection Act. Such requests should be directed to the Information Compliance Team. For all requests, both formal and informal, the information has to be provided within the 40 calendar days permitted by
the Data Protection Act. You should not disclose personal information over the telephone unless you are able to validate the identity of the person making the request. You may disclose personal information to other staff members who require the
information in order to carry out their normal duties. You should not disclose personal information to any third party, e.g., to a parent or sponsor, except with the consent of the student or where this is permitted or required by legislation. In
exceptional and urgent circumstances (e.g. cases where there are reasonable grounds for believing that an individual has become a danger to him/herself or others, or has committed / is about to commit a serious crime), you may release personal
information directly to a law Team. Be sure to establish the identity of the law Team before releasing the information, and keep a record of the incident including name, date, circumstances and information disclosed. The details of any such
disclosures should be reported to the Information Compliance Team.7. Examination MarksYou should be aware that students are entitled to see preliminary marks and comments, which contribute to final assessments. SEC and MEC minutes will also be subject to access requests unless they are
anonymised. Similarly, when writing an academic reference, you should keep in mind that it may be subject to an access request by the student to the recipient. The Academic Registry publish E11. Procedures for the preparation of student references
and the Supporting Students Handbook provides a template that you can work from.8. Private FilesIt is essential that relevant information is available to all University staff, so the case for holding "private", separate files has to be justified as being in the interest of the student (e.g., where the data
is particularly sensitive). The information contained in them will still be subject to the student’s right of access and you must ensure compliance with the notification requirements of the Act. Wherever possible, you should avoid duplication or
fragmentation of student files.9. Home WorkingWhen working from home or on a laptop or tablet computer, you must maintain appropriate levels of security, including anti-virus (also known as anti-malware) software. It is recommended that you ensure personal
information is not stored on your domestic PC or computing device if this is used by other members of your family or household. University data containing personal information should not be placed on portable devices unless it is necessary for a
University business purpose and such processing has been authorised and the information is protected by encryption software. If it is found necessary to work off site with University personal data then, in addition to encryption if held
electronically, you must take sensible precautions to keep the data physically secure, for example, by using a lockable briefcase, storing data in the locked boot of a car while travelling, keeping the data in a secure location if held off site. If
you have concerns about the security of data, please consult the University Information Compliance Team for further guidance.10. Exemption for Research RecordsThere is an exemption from some parts of the Data Protection Act where data is being processed for research and statistics. Information collected for the purpose of one piece of research can be
used for other research, without breaching the "specified processing" principle (see the E13. Data Protection Policy), and can be kept indefinitely. For example, staff and students involved in academic research can keep records of questionnaires and
contacts, so that the research can be re-visited at a later date, or so that, in support of a research project looking at an associated area, they can re-analyse the information. Researchers must ensure that the final results of the research do not
identify the individual, or they will be subject to access requests under the 1998 Act. This exemption is only applicable to academic research and cannot be relied on to prevent access to information about a particular individual, following research
carried out for a redundancy or efficiency exercise, for example.For further information about these regulations, please contact the Information Compliance Team.