Policies, Procedures and Regulations

1. Introduction

Oxford Brookes University recognises that information and its associated processes, systems and networks are valuable assets and that the management of personal data has important implications for individuals. Through its security policies, procedures and structures, the University will facilitate the secure and uninterrupted flow of information, both within the University and in external communications.

The University believes that security is an integral part of the information sharing which is essential to academic and corporate endeavour and this Policy is intended to support information security measures throughout the University.

This policy should be read in conjunction with all other relevant policies, regulations and guidance published by the University.

This policy supports compliance with the information security standards IEC/ISO 27001:2013 and PCI DSS.

2. Definition

2.1 For the purposes of this document, information security is defined as the preservation of: 

(i)  confidentiality: protecting information from unauthorised access and disclosure.

(ii) integrity: safeguarding the accuracy and completeness of information and processing methods. 

(iii) availability: ensuring that information and associated services are available to authorised users when required.

2.2 Information exists in many forms. It may be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, photographs, video image, audio recording  or spoken in conversation. Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of the law and statutory, regulatory or contractual obligations.

3. Protection of Personal Data

The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. When handling such information, the University, and all staff or others who process or use any personal information must comply with the Data Protection Principles which are set out in the Data Protection law. Responsibilities under the  Data Protection Act  and other relevant legal provisions are set out in the Data Protection & Privacy Policy.

4. Information Security Responsibilities

4.1 The University is committed to introducing, maintaining and continually improving the information security management system (ISMS) and all things related to this. It is the responsibility of all students and members of staff. Every person handling information or using University information systems is expected to observe the information security policies and procedures, both during and, where appropriate, after his or her time at the University.

4.2  This Policy is the responsibility of the Head of Information Security Management; supervision of the Policy will be undertaken by the Vice Chancellor’s Group where appropriate. This policy may be supplemented by more detailed interpretation for specific sites, systems and services. Implementation of information security policy is managed through the Information Security Working Group (ISWG) and the Head of Information Security Management.  

4.3 The University’s IT Services directorate has operational responsibility for the University’s IT systems and will therefore take action wherever necessary to protect those systems. 

5. Information Security Education and Training

5.1 The University recognises the need for all staff, students and other users of University systems to be aware of information security threats and concerns, and to be equipped to support University security policy in the course of their normal work. The Information Security team shall provide appropriate mandatory training on data protection and information security awareness.  

6. Compliance - Legal & Contractual Requirements

6.1 Authorised Use: University IT facilities must only be used for authorised purposes. The University may from time to time monitor or investigate usage of IT facilities; and any person found using IT facilities or systems for unauthorised purposes, or without authorised access, may be subject to disciplinary, and where appropriate, legal proceedings.

6.2 Monitoring of Operational Logs: The University shall only permit the inspection and monitoring of operational logs by appropriate IT Services staff or where it has been otherwise authorised by the Head of Information Security Management or nominated deputy. Disclosure of information from such logs, to the Police or to support disciplinary proceedings shall only occur (i) when required by or consistent with law; (ii) when there is reason to believe that a violation of law or of a University policy has taken place; or (iii) when there are compelling circumstances (circumstances where failure to act may result in significant bodily harm, significant property loss or damage, or other compelling reason).

6.3 Access to University Records: In general, the privacy of users' files will be respected but the University reserves the right to examine systems, directories, files and their contents, to ensure compliance with the law and with University policies and regulations as well as to determine which records are essential for the University to function administratively or to meet its teaching obligations. Except in emergency circumstances, authorisation for access must be obtained from the Chief Information Officer (or appropriate deputy) or the University Registrar, and shall be limited to the least access necessary to resolve the situation.

6.4 Protection of Software: To ensure that all software and licensed products used within the University comply with the Copyright, Designs and Patents Act 1988 and subsequent Acts, the University may carry out checks from time to time to ensure that only authorised products are being used. Unauthorised copying of software or use of unauthorised products by staff or students may be grounds for disciplinary, and where appropriate, legal proceedings. 

6.5 Malware prevention: The University will maintain detection and prevention controls to protect against malicious software and unauthorised external access to networks and systems. All users of electronic devices issued by the University or used for University business shall comply with best practice, as determined from time to time by IT Services, in order to ensure that malware protection is maintained.

6.6 For further information please refer to the University’s IT Acceptable Use Policy.

7. Asset Management

7.1. All University information assets (data, software, computer and communications equipment) shall be accounted for and have a designated owner.  The owner shall be responsible for the maintenance and the protection of the asset/s concerned.

8. Physical and Environmental Security

8.1 Physical security and environmental controls must be appropriate for identified risks. In particular, critical or sensitive information processing facilities must be housed in secure areas protected by defined security perimeters with appropriate security barriers and/or entry controls suitable for risk identified.

9. Information Systems Acquisition, Development and Maintenance

9.1 Information security risks must be identified at the earliest stage in the development of business requirements for new information systems or enhancements to existing information systems and risk treatments plans devised.  

9.2 The responsibility for identifying and documenting any risks sits with the project or programme lead. 

9.3 Controls to mitigate the risks must be identified and implemented where appropriate.

9.4 For further information see the Third Party Supplier Security Management policy.

10. Access Control

10.1 Access to information and information systems must be driven by business requirements and be commensurate and proportionate to the business need.

10.2 A formal access control procedure  is required to cover the access to all information systems and services.

10.3 For further information please refer to the University’s IT Access Control policy.

11. Communications and Operations Management

Responsibilities and procedures for the management, operation and ongoing security and availability of all data and information processing facilities must be established.

12. Retention and Disposal of Information

All staff have a responsibility to consider security when disposing of information in the course of their work. Owners of information assets should establish procedures appropriate to the information held and processed and ensure that all staff are aware of those procedures.  Retention periods should be set in consultation with the University Records Manager.

Staff must be aware of any legal requirements regarding how long data must be kept for and then by default apply the University’s records management policy, when determining how long to retain data. 

13. Incident Reporting

All staff, students and other users should report immediately via the Service Desk Portal, or by telephone to the Service Desk on tel. ext. 3311, any observed or suspected security incidents where a breach of the University's security policies has or may have occurred, and any security weaknesses in, or threats to, systems or services. This includes but is not restricted to a data breach.

Staff must be familiar with the Information Security Incident Management Policy which sets out the process to follow where there is an actual incident or a near miss. 

14. Business Continuity

14.1 The University will implement, and regularly update, a business continuity management process to counteract interruptions to normal University activity and to protect critical processes from the effects of failures or damage to vital services or facilities.

14.2 Business continuity planning shall consider information security requirements and regularly test plans to ensure that they are effective.

15. Setting of security objectives for the ISMS

15.1 Top management shall establish or adopt a framework for the setting of security objectives and these will be shared with relevant parties. 

15.2. Security objectives are identified from different areas: such as guidance from regulators, changes in standards from certified bodies, risk raised by interested parties, changes in the organisation and changes external to the organisations, for example environmental, commercial, legal and community and third party agents the university employs as goods or service providers, and technological.

16. Continual improvement within the ISMS

16.1 Top leadership will ensure robust programmes of continual improvement are delivered by supporting from the top down implementation of such programmes necessary to continually improve upon the operational status of the information security management system (ISMS).

Version: 3.0
Reviewed date: 15/06/2023

Introduction

1.1 General

The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. the University, and all staff or others who process or use any personal information, must comply with the Principles which are set out in Data Protection law when handling such information,

In summary these state that personal data shall be:

1. Processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’)
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation)
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
4. Accurate and, where necessary, kept up to date (“accuracy”)
5. Kept in a form which permits identification for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”)
6. Processed in a manner that ensures appropriate security using appropriate technical or organisational measures of the personal data (“integrity and confidentiality - security”)
7. The controller shall be responsible for and be able to demonstrate compliance with the principles (“accountability”)

1.2 Definitions

“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

"Staff", "students" and "other data subjects" may include past, present and potential members of those groups.

"Other data subjects" and "third parties" may include contractors, suppliers, contacts, referees, friends or family members.

"Processing" refers to any action involving personal information, this includes emailing collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Data Subjects” refers to any natural person whose personal data the University processes or is likely to process.

“Data Protection Law” in the UK principally refers to the 2018 Data Protection Act (‘the Act’ and the UK GDPR) as well as common law.

“Special Category Data” is personal data which the Act defines specifically and which requires additional legal safeguards. Types of personal data which fall into special categories are defined in 7.1

2 Privacy Notices

2.1 Standard Privacy Notices

The university will provide a privacy notice at the point of collection of personal data in order to provide fair and transparent processing under the first principle

This will contain:

• Purpose of Processing 
• Legal basis and reason for Processing
• With whom personal data will be shared
• Information about international transfers
• A list of subjects’ rights
• Consequences of not providing the data 
• Details of any automated processing
• Retention periods 
• Contact details of the Brookes’ Data Protection Officer
• Contact details of the Regulator (Information Commissioner)

Where the data has not been acquired directly, the University will state:

• What types of personal data we will use and why
• The source of the personal data

2.2 Summary Privacy Notices

In some instances, it will be impractical or impossible to display a full privacy notice.   In such cases we will display a summary privacy notice which will contain:

• Data protection contact details for the University
• Purpose of the processing
• Legal basis for processing
• Link to the full privacy notice

3. Staff Responsibilities

3.1 Staff Personal Data

All staff are data subjects of the University and are subject to the rights listed in section 5.2 

3.1.1 Data protection compliance is the responsibility of the entire university and staff must ensure that personal data the university holds on them is kept accurate and up to date.

3.2 Processing Personal Data

3.2.1 Staff shall ensure that appropriate organisational and technical measures are taken to secure any personal data that is processed. This includes:  

• Personal data is stored securely and access to personal data is controlled on a need to know basis
• All reasonable steps are undertaken to ensure that personal data is not disclosed either orally or in writing, accidentally or otherwise to any unauthorised third party. Unauthorised disclosure may be a disciplinary matter for staff and may be considered gross misconduct in some cases. Any such incidents must be reported to the IT Information Security Team in accordance with the requirements of the Information Security Incident Management Policy
• Staff are required to adhere to IT Acceptable Use Policy.

3.2.2 All staff must undertake the University’s mandatory Information Security Awareness Training every two years or as prescribed.

4. Student Responsibilities

4.1 All students shall ensure that all personal information which they provide to the University is accurate and up-to-date; and

4.1.1 Inform the University of any changes to that information.

4.1.2 Students should check periodically that any personal data the University holds about them and either update it through a self-service portal or inform the University of any amendments or corrections which are needed.

4.2 Students who use the University IT facilities may, from time to time, process personal information (for example, in course work or research). In those circumstances, they must notify their course tutor or research supervisor in the relevant Faculty who will provide further information about their responsibilities in processing personal data.

5. Rights of Data Subjects

5.1 Right of Access

5.1.1 Staff, students and other data subjects of the University have the right to access personal data about them.  Any person may exercise this right by submitting a request in writing to the IT Services Information Security Team.

5.1.2 The University will not make a charge for such requests.  Where the University deems the requests to be manifestly unfounded or excessive the University will charge a fee based on resources needed to fulfil the request.  

5.1.3 The University aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within one month except where requests are complex or numerous. In such cases the statutory time frame can be extended by two months.  The reason for any extension will be explained in writing by the Information Compliance Team to the data subject making the request within one month of the initial request being made.

5.2 Other Rights

5.1.1 Data subject may have additional rights under the legislation:

• The right to be informed
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object to the processing of data
• Rights in relation to automated decision making and profiling.

5.1.2 The University will take appropriate steps to ensure necessary policy and procedures are in place to allow subjects to exercise their rights as stated in 5.1.1.

6. Lawful Processing and Consent

6.1 The University must provide a lawful basis for processing any personal data.   The University will use the following lawful bases:

• Consent: the subject has given clear consent for the University to process their personal data for a specific purpose.
• Contract: the processing is necessary for a contract the University has with the individual, or because they have asked the University to take specific steps before entering into a contract.
• Legal obligation: the processing is necessary for the University to comply with the law.
• Vital interests: the processing is necessary to protect someone’s life.
• Public task: the processing is necessary for the University to perform a task in the public interest or to carry out official functions, and the task or function has a clear basis in law (core business) 
• Legitimate interests - Processing is necessary for the purposes of the legitimate interests pursued by the University with full consideration to safeguard the rights and freedoms of the data subject.

7. Special Category Data & Criminal Convictions

7.1 The University will not process any data relating to:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data or biometric data
• Health data
• Sexual life or sexual orientation
• Criminal proceedings or convictions

Unless one of the conditions is 7.2 is fulfilled.

7.2 The University will only process special categories where:

• Explicit consent of the subject has been obtained
• Processing is necessary for employment, social security or social protection purposes
• It is necessary to protect the vital interests of the subject themselves or others
• It is necessary for the legitimate interests of the university and will not be shared externally without consent
• The data has been  made public by the data subject
• It is necessary for legal proceedings or is otherwise lawful
• It is necessary for reasons of substantial public interest
• It is necessary for medical or social care reasons
• It is necessary for reasons of public interest in the area of public health
• It is necessary for archiving purposes

8. Data Protection Officer

8.1 Designation of the Data Protection Officer (DPO)

8.1.1 The University has a Data Protection Officer

8.1.2 The University’s Information Security Team will be the point of contact and will facilitate appropriate information sharing with the designated DPO.

9. Retention of Data

9.1 The University processes personal data for many different lawful purposes. The University will maintain a records retention schedule on which decisions on how long personal data can be retained for the specified purpose.  The retention schedule is published and can be found on our records management page.

10. Compliance

10.1 Compliance with the Data Protection and Privacy law is the responsibility of all students and members of staff. Any deliberate or reckless breach of this Policy may lead to disciplinary, and where appropriate, legal proceedings. The University has a dedicated Information Security Team and any questions or concerns about the interpretation or operation of this policy should be taken up with them in the first instance by email at info.sec@brookes.ac.uk. This is a team email address

10.2 Any data subject who considers that the policy has not been followed in respect of their personal data can report it to the University Information Security Team.

11. Data Protection Breach Management

11.1 A data protection breach is where any personal data held by the University, in any format, is compromised by being lost, destroyed, altered, copied, transmitted, stolen, used or accessed unlawfully or by unauthorised individuals whether accidentally or on purpose. Such as:

• Loss or theft of equipment on which data is stored, e.g. laptop or mobile phone
• Unauthorised access to data
• Emails sent to wrong recipients
• Public posting of confidential material online
• Incorrect sharing of Google (or any) documents
• Failure of equipment or power leading to loss of data
• Hacking attack
•  Data maliciously obtained by way of social engineering 

11.2 The University shall maintain and publish an Information Security Incident Management Policy.  

11.3 All such breaches must be reported immediately to The IT Service Desk, or the ServiceNow Portal.

12. Register of Processing Activity

12.1 The University shall maintain a register of processing activity

12.2 The register described in 12.1 shall be periodically updated when required and reviewed by data owners at least once within a period of 12 calendar months.

13. Data Protection Privacy Impact Assessments (DPIA)

13.1 Where there is a new, or change of existing processing activity, which  may result in a risk to the rights and freedoms of data subjects (privacy intrusive), the University will conduct a Privacy Impact Assessment (DPIA).

13.2 The University will embed DPIA within its project governance procedures so that privacy risks are identified and assessed at point of proposal.

13.3 Any changes to existing processing activities captured in the register of processing activity deemed to be privacy intrusive will require a PIA.

14. Processing Personal Data for Research

14.1 Where processing data for research purposes you must ensure that you obtain consent in accordance with the Act

14.2 The University Research Ethics Committee (UREC) will be able to provide assistance.

You can find guidance on the Research ethics pages.

15. International Personal Data Transfers

15.1 The University will only transfer data within the UK and the EU or to a country or international organisation which has a finding of adequacy of protection for the rights and freedoms of the data subjects, save where an acceptable level of risk has been assessed and determined based on the facts of the transfer, or: the data subject has explicitly consented to the proposed transfer

16. Personal Data Processed by Third Parties and Suppliers

16.1 Where the University uses third parties and suppliers (to be known as processors in this section) to process personal data.  The University shall:

• Use only processors providing sufficient guarantees to implement appropriate technical and organisational measures to facilitate data security as the law requires.
• Seek assurances that the processor shall not engage another processor without prior specific or general written authorisation of the controller in advance of so doing. 
• Processing by a processor shall be governed by a contract in which the processor or otherwise by written or formal agreement:
• Only processes the personal data only on documented instructions from the controller
• Ensures that persons authorised to process the personal data have committed themselves to confidentiality
• Assists the controller in the fulfilment of requests exercising the data subject’s rights.
• Deletes or returns all the personal data to the controller after the end of the contract.
• Agree to regular audits by the University.

17. Data Protection Audits

17.1 The University will periodically undertake data protection audits. These will include:

• Auditing of internal policies and procedures
• Auditing of planned projects and changes to systems (via privacy impact analysis)
• Auditing of contractual terms
• Auditing of supplier policies and physical security measures.

Policy version: 2.4
Reviewed date: 15/06/2023

1 Introduction

1.1 The University holds a large amount of information, both in hard and soft copy. This includes personal and special category data (as defined by the UK Data Protection Act, 2018), and also non-personal information, which could be sensitive or commercially confidential (e.g. financial data).

1.2 Sometimes it is necessary to share personal data or information when we are working with partner organisations or other institutions or on collaborative projects. 

This might entail:

• The University may receive personal information from the institution or partner
• The University may send personal information to the institution or partner
• A request for personal information held by one or more parties

1.3 These partners might be our partner colleges or universities, or other institutions with whom we have a relationship. We may or may not have a formal contract with these institutions or partners. Therefore we must consider what legal requirements there are associated with sharing information in the context of privacy and confidentiality.  

2. Information Sharing

2.1 Disclosures of information (sharing) should be relevant, proportionate and lawful.

2.2 All regular sharing of information to the same source should be governed by a data sharing agreement which sets out the protocols for:

• What data is to be shared
• For what purpose
• Legal justifications for sharing
• Benefits and risks of sharing
• Information lifecycle (retention and disposal)
• Responsibilities and liabilities in the event of information security incidents
• Agreed methods of transfer  
• Appropriate audit trails and governance
• Appropriate ID and background checks (where applicable)
• Identifying points of contact in the event of a security incident

3 Methods of Transfer

3.1 Electronic Documents

3.1.1 Sufficiently secure methods must be used when transferring personal data.

3.1.2 In the case of confidential and/or sensitive data it is recommended that data is encrypted to an acceptable standard (i.e. compliant with FIPS 140-3) prior to transfer and protectively marked.

3.1.3 Encryption passwords must not be relayed using the same communication channel as the data.

3.1.4 An audit trail of all transfers must be maintained in line with the retention policy.

3.1.5 If transfer is by email, information must be sent to named persons where possible, the use of group mailboxes is to be avoided. 

3.1.6 Information no longer in use by either party must be securely deleted.

3.2 Hardcopy Documents

3.2.1 All hardcopy data must be posted using the University's approved mail delivery company.

3.2.2 All confidential and/or sensitive data must be identified and sent with the appropriate level of tracking via the University’s approved mail delivery company.

3.2.3 Personal information must be labelled ‘private and confidential’ and ‘addressee only’ where appropriate.

Version: 1.1
Reviewed date: 22/05/2023

1. Purpose 

This policy establishes a framework for classifying work-related information in order to:

• To promote the safe transmission and sharing of information with legitimate parties.
• To reduce the risk of harm to the confidentiality, integrity and availability of information processed by or on behalf of the Oxford Brookes University. 
• To advance our compliance with ISO 27001:2013 standards.

2. Scope

This policy covers all types of handling, sharing (processing) and storage of information, including teaching, research, commercial and non-commercial activities as well as administration carried out directly for the University, any affiliates or partners, or by the University on behalf of another organisation.

Scope of use: this Information Classification Policy will apply to either an instance or regular information sharing, save where the law or other written agreement provides otherwise. 

3. Information classification 

(Examples of how to apply the classification markings are found in section 5.and Appendix 1.)

All information falling within the scope of the policy must be classified in accordance with the following categories: ‘Confidential’, ‘Restricted’ and ‘Public’.

The following classifications are generally available for application:

Confidential:  

Information has a significant value for Oxford Brookes University, another organisation or for an individual. Wrongful disclosure could impact the reputation or standing of an organisation or an individual, the safety of an individual or could cause significant financial loss. Information of this type is shared on a “need to know basis” only.  This classification will include Special Category Data as defined in Data Protection Law (see Appendix 1). 

Large amounts of datasets of information which would otherwise be classified as “Restricted” were it a smaller amount, may become classified as “Confidential” by merit of the quantity of data involved. If in doubt as to whether a dataset is large, query this with the Information Security team by

Restricted:  

This information can be shared appropriately with a limited audience, usually but not exclusively within the University. Some of the features attributed to “Confidential” information apply, yet the implications associated with sharing this information are less serious.

This information could be financial or commercial value, or be subject to intellectual property, trademark or other legal protection. It would be likely to include emails and documents containing personal data.

Public (or unclassified):  

This information can be readily shared and publically available. It could be on the Oxford Brookes University website with no adverse consequences for any organisation or individual. 

4. Responsibility for classifying  information 

Anyone who is the author of information, or involved in processing information is responsible for ensuring that it is appropriately classified. Should anyone receive information which is not classified as it should be, that recipient becomes responsible for ensuring that any information is classified at that stage, in consultation with the relevant data owner. This can be achieved either by reverting to the source or by classifying it on receipt, whichever is appropriate in the circumstances.

5.  Guidance

5.1 How to apply the classification marking

Consider all relevant factors when classifying documents which are set out in the respective classifications and examples in Appendix 1 and apply the appropriate classification marking: Confidential, Restricted or Public.  

5.2 Transmitting and sending information 

Please apply the Information Sharing and Transmission Policy when transmitting or sending information found on IT Policies, Procedures and Regulations.

5.3 The  storage and retention requirements 

Any documents or data must be classified whether saved digitally or stored manually. (It is good practice for a document or data to contain a date, as well, to facilitate applying the Retention schedule.)

Any document or data which is classified as “Confidential” or “Restricted” must be handled in accordance with the Oxford Brookes Information Handling Guidelines.

Appendix 1

Examples of how to classify different types of information are included in this table. This list is neither exhaustive nor prescriptive, it is included as an aid.

Appendix 2

Additional  Factors to consider when classifying information 

• Where information is not classified and is not in the public domain already it should be treated as “Confidential” and afforded the highest levels of protection pending classification.
• Where information is held, handled or shared regularly or there is a large amount of data being processed either by or on behalf of another organisation, a contract or Information Sharing Agreement should cover the processing. This document is a legal requirement. It should set out which organisation’s Classification Policy applies (as well as covering other issues).
• Certain professions or functions have a regulatory body which stipulates how work-related information must be handled (e.g. occupational health, social services, research). In the unlikely event of any conflict within this policy and any guidance from a professional body, please raise this with the IT Services Information Security team by email using info.sec@brookes.ac.uk
• Where material contains characteristics of more than one classification, the entire document or all data is afforded the most protective marking.
• Databases or stored information classified as containing “Public” information must not contain any “Restricted” or “Confidential” information, except where the confidential parts have been redacted, or protected. The Restricted or Confidential information must be unavailable. This redaction can be achieved by e.g  pseudonymisation de - identification, anonymisation or obfuscation. 
• Any restricted or confidential elements of the information must be logically separated and given the relevant classification and protection relevant to their content. 
• The classification of information may change over its lifespan, as its value to the  University or to an individual changes.

Version: 1.1
Reviewed date: 15/06/2023

1    Introduction and Policy Objectives

1.1    This document specifies the University policy for the use, management and security of any mobile computing devices (‘mobile device/s’)  that may hold University data.

1.2    This policy applies to both mobile devices issued and owned by Oxford Brookes and personally owned mobile devices (also known as ‘BYOD’).

1.3    This policy also stipulates requirements for remote access to secure University systems, whether by mobile or non-mobile computing devices.

1.3    The policy applies to all users (staff, associates, consultants, contractors and visitors) who have been given access to Brookes’ information and communication systems or information assets (herein ‘users’). This policy only applies to students that are carrying out an official function on behalf of the University.

2    Definitions

2.1    Mobile devices that may hold University data include, but are not limited to:

• Laptop computers and netbooks
• Tablets
• Smartphones
• Portable storage devices (e.g. external hard drives, USB ‘thumb drives’ and memory cards).

2.2    University ‘issued and owned’ devices includes any device purchased, owned or leased by the University regardless of the source of funding.

2.3    Remote access refers to the ability of a user to directly access a Brookes’ computer, information and communication system or information asset from an offsite or other, non-secure, location.

3    Mobile Device Policy - Technical Requirements

3.1    IT Services is responsible for determining minimum security requirements for mobile devices. Minimum security requirements will be communicated to users through advice given by IT Services staff and published guidance, in particular the Information Handling Guidelines.

3.2    Mobile devices shall be updated in accordance with vendor recommendations and only use operating systems supported by the vendor.

3.3    Mobile devices must store all user-saved passwords in encrypted form.

3.4    ‘Jailbreaking(*1)’ or ‘rooting(*1)’ of University owned mobile devices is strictly forbidden. Personally owned devices that are ‘jailbroken’ or ‘rooted’ must not be used to access University systems or store University data.

4.     Mobile Device Policy - User Responsibilities

4.1    Users are responsible for ensuring appropriate physical security controls are applied. These may include, but are not limited to:

• Logical ‘locking’ of unattended mobile devices (with a PIN, password, or biometric ID required to unlock the device).
• Secure physical storage of devices when not in use, e.g. in locked cupboards, drawers or cabinets.
• Care should be taken when travelling with mobile devices, e.g. not leaving devices unattended when offsite and keeping devices locked in the boot of a car.

4.2    Users must report any lost or stolen mobile devices to IT Service immediately. Users     must also notify IT Services if they have reason to believe a mobile device has been compromised or tampered with.

4.3    Users must ensure the use of mobile devices is in accordance with the Brookes’ IT Acceptable Use Policy.

4.4    Applications must only be installed from official vendor platforms (‘app stores’). Users must not install applications from untrusted sources without prior approval from IT Services.

4.5    Users must ensure devices receive updates and security patches according to vendor recommendations.

4.6    Users must consider the risk of storing or accessing University data using mobile devices. The storage of confidential University data on mobile devices is not recommended unless enhanced security controls are applied, e.g. device encryption. For restricted or confidential data users should seek advice from IT Services and subsequent approval from line management and / or appropriate data owners.

4.7    Users shall take care when using personally owned mobile devices to ensure that University data is not stored or shared using personal accounts. Such usage may constitute an information security incident or breach of the Data Protection Act 2018 and should be reported to IT Services immediately.

4.8    Users must delete University data from mobile devices (whether University owned or personally owned) when the data is no longer needed for business purposes.

4.9    When users leave the University, mobile devices owned by the University must be returned to IT Services (this may be via line management or other channels depending on local procedure). IT Services are responsible for either wiping and re-imaging devices for subsequent use, or arranging secure collection and disposal.

4.10    When leaving the University, it is the responsibility of users to ensure all University data is deleted from personally owned mobile devices (after transferring any necessary data to University-managed systems) and that tools or applications that access University systems are removed or reset. Users should be aware that inappropriate access to University data or systems after termination of employment could constitute a criminal offence.

5.    Remote Access Policy

5.1    Users must only use remote access tools and solutions installed or approved by IT Services.

5.2    Remote access to University systems provided to third party suppliers and contractors must comply with the requirements of the Brookes’ Network Security Policy.

5.3    IT Services and / or relevant information asset owners reserve the right to refuse remote access to University systems at their discretion.

6.    Policy Enforcement

6.1    Non-compliance with this policy could result in the initiation of disciplinary procedures against users. Under certain circumstances, failure to comply with this policy may constitute a criminal offence under the Computer Misuse Act 1990 and / or the Data Protection Act 2018.

6.2    Non-compliance with this policy by contractors or third-party suppliers may constitute a breach of contract.

6.3    Users must provide reasonable cooperation with IT Services to enable access, inspection and other appropriate actions in relation to their University owned mobile devices.

6.4    In the event of a high-severity security or data protection incident IT Services may request access to personally owned mobile devices, especially where:

• The mobile device is believed to have caused the incident
• The mobile device is believed to either store University data or has been used to access University data.

7.    Related Policies & Guidance

7.1    Related policies include, but are not limited to, the following University policies and guidance documents:

• IT Acceptable Use Policy
• Data Protection & Privacy Policy
• Network Security Policy
• Information Classification Policy
• Information Handling Guidelines
• Disciplinary Policy

7.2    The main IT Services contact for users will be the IT Service Desk. The IT Service Desk can be contacted:

• by telephone - 01865 483311 (or 3311 internally)
• using the self-service Service Desk Portal

7.3    The IT Services Information Security team may be contacted directly at info.sec@brookes.ac.uk..

Version: 1.0
Reviewed date: 15/06/2023

(*1) To ‘jailbreak’ or ‘root’ a mobile device is to remove the limitations imposed by the manufacturer. This gives direct access to the device's operating system and increases the risk of compromise by malicious software or agents.