Our Information Security Policy is here
Our policy on use of Email is here
Our policy on Acceptable Use of IT equipment is here
The policies and Handbook are supported by the guidance on these pages
Our Staff handbook states (Section 4.10 – Security):
Security is a serious concern and we make all reasonable efforts to provide a safe, secure environment for staff, students and visitors. However, we must all work together to improve security.
You should familiarise yourself with the security arrangements in your office and…you should make sure that:
Additional requirements to help secure the data within our buildings are:
Our Staff handbook states (4.12 – Staff cards):
Your staff identity card will be given to you on your first day at work. You are required to wear your staff identity card at all times whilst on our premises.
Further requirements over correct use of the ID card are:
Our Staff handbook states (6.8 – Communications: Personal Computing Devices / Bring Your Own Device):
“Bring Your Own Device” (BYOD) is a term which refers to when you use your personal computing device(s), typically smartphones and tablets, in connection with your duties and/or in the workplace. You’re allowed to connect your personal devices to our network. Any and all data associated with the University, including email messages, that is held or processed on the device is the property and responsibility of Anglia Ruskin University and extra care is needed on the part of anyone doing so to manage the security risks.
As a minimum:
It will be your responsibility to ensure that your device is maintained and supported. It is ARU’s expectation that this will include the latest versions of the operating system, anti-malware and personal firewalls that are installed on the device. All relevant patches and critical information security updates will be installed by you within one week of release from the software supplier.
We reserve the right to require additional security protection software to be loaded onto your personal devices in the future. Please contact IT Services for help and advice about configuring your device. Disciplinary action may be taken against staff in breach of this guidance.
When we send personal data to an internal or external recipient, GDPR requires us to do so with ‘appropriate’ security measures. This means that we need to understand the sensitivity of the data in order to decide the appropriate method of sending.

Email
Sending within ARU
An email containing personal data sent from one ARU email address to another ARU email address does not leave ARU’s secure IT systems, so there is no need to protect it in the same way as when sending externally.
There is no need to password protect email attachments containing personal data when sending internally.
See our Email Policy for more details.

Sending Externally
Where the data is ‘Special Category’ or relates to more than 100 individuals, it must be saved in an attachment and the attachment must be password-protected.
The password should be complex:
The password should be shared with the recipient, preferably by a separate communication method (e.g. phone or text). Sending it by email is permissible only if no other means of contact is available.
A password can be re-used where data is shared frequently with the same recipient(s); however, it should be changed at least every 12 months.

Post (Hard-copy information)
Sending within ARU
Where information is being sent through the internal mail post system and it contains personal data or is sensitive in other ways (e.g. commercially or legally) then it should be sealed in an envelope (or other container), marked ‘confidential’ with care taken to address it correctly.
For more information about the internal post service, please see here

Sending Externally
See current range of Royal Mail services
Where information is being sent using external providers and it contains personal data then a routine first or second class service is acceptable.
Where the data is special category, or is sensitive for reasons other than personal data, a service is required which confirms delivery. It is important to note that with Royal Mail ‘Tracked’ services it is possible for items to be delivered to a recipient’s neighbour if the recipient is not available. Although there would be a record that a neighbour took delivery, this still carries risks, and in specific cases this service should be avoided and a ‘Confirmed’ delivery option selected instead. Typically Royal Mail will not leave ‘Tracked’ mail with a neighbour if it is sent to a business address. The preferred method of delivery should be clearly marked on the item before handing it into the custody of ARU Postal Services.
Wherever possible the envelope or packaging should carry a return address which allows an incorrect recipient or the postal service to identify where the item needs to be returned to without needing to open it. This should give sufficient detail to get the item back to ARU, but care should be taken not to reveal too much information about the nature of the intended recipient’s relationship with us, in case this in itself gives an incorrect recipient some personal data about the Data Subject.

Post (Storage Device)
All devices storing ARU personal data should be secured before sending through a postal service. It should not be possible for someone to easily gain access to the data on a lost or stolen device. A device here means a USB memory stick, external hard-drive, phone, laptop, PC hard-drive, CD or DVD disc, memory card etc.
All devices should therefore be encrypted so that credentials (PIN code, pattern, password or biometric data) must be provided before the stored data can be accessed. The following guidance assumes that encryption is in place before sending. Whilst encryption does not guarantee that someone with advanced skills and access to the right resources cannot still gain access to the stored data, these steps will ensure that ARU has taken reasonable and appropriate steps to guard against unauthorised access.

Encrypted USB memory sticks are available from IT Services.
Items should be packaged (or, where they are larger items, labelled) stating that the contents are confidential and where they should be returned to if they are lost. Details of the credentials required to access the device or the data on it should never be provided in the same delivery as the item. This information should be emailed or provided over the phone. Where special category data, or data of another type of high sensitivity, is stored, the following guidance applies:

Sending within ARU
The ARU Post Service should be informed through the description field of the Post Collection Request online form that the signature of the recipient is required to evidence safe delivery.

Sending Externally
The ARU Post Service should be informed through the description field of the Post Collection Request online form that the item must be delivered with the ability to be tracked to its destination and evidence of the recipient’s signature obtained.
Where the recipient is another public sector organisation, in particular a central government department or agency or a law enforcement service, then Protective Marking guidance should be considered.

Fax
Please follow the ‘Safe Haven Fax Procedure’ guidance

Protective Marking
When sending data to another public sector recipient, we must also consider the Government’s Protective Marking guidance. The Government Security Classifications policy provides the UK public sector with a common means of describing the sensitivity of data, to help make sure that it is transferred between organisations with appropriate security and marked in a way which helps the receiving organisation to handle it appropriately.
There are three classifications: OFFICIAL, SECRET and TOP SECRET.
ARU will only handle data at OFFICIAL level unless explicitly required to do so by a government department.
OFFICIAL data is described as: “The majority of information that is created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile”.
There is no requirement to label or physically mark data with the word ‘OFFICIAL’; however, where there is a clear need to protect the ‘need to know’, data should be marked ‘OFFICIAL-SENSITIVE’. For example, in the context of personal data this may be because the data is ‘special category’, and the marking shows that we have taken extra steps to make sure the recipient understands that the data must be shared only with those entitled to see it.
Where data is OFFICIAL-SENSITIVE it must be marked by:
The scheme allows for us to add a ‘descriptor’ to help others to understand the specific nature of the information to help with handling measures where this may be useful. For example: