GDPR – HBS Learning Teaching

MANAGING PERSONAL, SENSITIVE AND CONFIDENTIAL INFORMATION TO COMPLY WITH GDPR

V1 (March 2018)

The General Data Protection Regulation (GDPR) requires
the University to handle personal data securely, with very large
fines and serious negative publicity if we suffer a breach.

Personal Data is any data that identifies an individual. A name on its own is probably not personal data – there will be lots of John Smiths, for example – but when combined with some other information such as Date of Birth, ID number, address, email address, etc, then it becomes personal.

Generally, ask yourself if someone got hold of this data could they do anything malicious with it, such as impersonate another person? If the answer is yes, then that is personal data.

All staff who handle personal data have a responsibility to take appropriate precautions to ensure that it is not exposed to anyone who should not have access to that data, whether accidentally or deliberately – failure to follow policy and instructions will be treated as a disciplinary issue.

In summary:

If you do not store data locally, you cannot lose it

Do not keep any personal data for longer than you need it. If data is stored in central systems, you do not need to keep a copy, and it will be secure if your computer is lost/compromised.

If a password-protected file is accidentally lost, the data is still secure

Use the password option in Office documents to protect personal data.

Lock away paper files and computers GDPR applies to paper records as well as electronic. Shred documents when no longer needed.

Cyber-security is important at work and home

Lock your workstation when you leave your desk. Do not put personal data on a USB stick. Do not respond to phishing emails. Use the Secure Access Service (VPN – Pulse – https://uhvpn.herts.ac.uk) when using wifi to ensure that your work is secure.

Do not use email to send personal data outside UH Emails are not secure. Within UH, any personal data must be password protected/encrypted before sending and deleted when the data is no longer needed. Teams who send personal data outside UH must ensure it is permitted to send the data, and make arrangements for the data to be transmitted securely, eg

using the Exchange File service https://www.exchangefile.herts.ac.uk

The following are examples of best practice that must be followed to protect you and the University from a breach.

1) If you do not have any personal data, you cannot lose it
a. Do you have a legitimate reason for holding the personal data? If not, then delete or shred it immediately.
b. Do you need to store the personal data, or can you get it when you need it from the central University
systems? If not, then delete it (if you are unsure if it is held centrally, check first). All personal data must be
stored in the agreed official University files. See guidance File management and storage
c. Do you still need to hold the data after the purpose for which you received it? If not, then delete it – do not
keep it “just in case”. You probably already have personal data that you no longer need – in particular in your
old emails and sent emails. Take the time to delete these if you do not need to store them. This applies to
function/team email boxes as well as personal email.
d. Do you have more data than you need? Only request, access and store the personal data that you need for
the task in hand – if you only need the email address, do not also store the home address, date of birth, etc
e. Have you taken photos of personal data or people for work purposes? Camera / phone / scanner images of
personal data must be transferred to official files as soon as possible and then deleted. Photographs and
videos taken of people for work purposes may be classed as sensitive personal data and must be handled
accordingly.

2) When data is password/PIN-secured or encrypted, if you lose it accidentally it will have less impact
a. Do you have files of personal data that could be read by anyone if they are lost? Password protect Office files
(eg Word, Excel) containing personal data, so that if they are accidentally lost or sent to the wrong person
they cannot be read. Do not accidentally reveal personal data in the filename.
Go to http://go.herts.ac.uk/lynda and login with your username@herts.ac.uk and password. Then see guidance Password protecting a document
b. Are your devices secured with a password or PIN? Ensure that every device that you use requires a login
password or PIN to gain access – this includes your personal devices if you use these to access University emails, files, systems, etc
c. Are you responsible for storing the master copy of any data? Master copies of any data must only be securely
stored on University file servers (eg University business systems or X: drive) and should not be individually encrypted in case you forget the encryption key.

3) When devices and paper records are physically secure, they cannot be accessed without authorisation
a. Is there any personal data on your desk that could be seen by others?
Keep your desk clear of all personal data whenever you leave your desk unattended, even if you have your
own office (as other people may have access), especially at the end of the day. If others can see your desk,
ensure they cannot read any personal data. Non-sensitive information and personal items can be left on
desktops.
b. Do you leave any devices on your desk when you are not there?
PCs, laptops, tablets, mobile phones must be locked away when unattended. Filing cabinets and desk
drawers containing personal data must be locked when unattended. Only authorised staff should have
access. Computers, disks or documents must not be left lying around in offices and storerooms.
c. Do you need to store data on your PC/laptop?
Data stored on a University file server is physically more secure than on a PC or laptop as the server cannot
be stolen – keep personal data only on a file server whenever possible. If you need access to the data for
when you cannot connect to the network, delete it again immediately afterwards.
d. Do you really need a paper copy of the data?
If you print personal data, the paper can be lost. If you must print it, watermark confidential documents with
the word “Confidential” so that they are easy to recognise, remove them from the printer immediately, lock
them away when not required and shred them when no longer needed. Whenever possible, use a MultiFunction Device printer which will only print your documents when you release them. Go
to http://go.herts.ac.uk/lynda and login with your username@herts.ac.uk and password. Then see
guidance see guidance Adding a watermark
e. Do you always shred personal data?
All sensitive material must be shredded. It should not be disposed of in either confidential waste bags or in
general waste bins.
f. Do you travel abroad?
Ideally, do not have any personal data on your devices, or ensure that they are encrypted. Immigration /
customs may require you to show what is on your device, so it is better if you have nothing that cannot be
revealed. There are restrictions on the import of some software applications to some countries. It may be
simplest to take a clean laptop with just what you need on it, and access email etc via the web interface,
rather than take your normal work laptop.

4) Electronic data can be accidentally revealed, you must take special care with personal data
a. When you leave your desk, do you lock your workstation? There is a risk that information could be viewed by unauthorised users if left on an unlocked, unattended computer screen. Screens must be locked when not in use, either by using Ctrl/Alt/Del and Enter or the Windows key and ‘L’ for Windows computers, or Control/Shift/Power for Macs, or by setting the auto-screen saver to activate after a short period.
b. Do you have any personal data on a USB stick? Personal data must never be put onto a portable USB device. For all other uses, removable media should be encrypted and secured with a password/PIN and locked away when not in use.
c. Do you email lists of people? If you email a group of people who do not know each other and put their email address in the “To” or “Cc” fields, then you are revealing their personal data. Always Blind Copy “Bcc” emails to a group (put your own email address in the “To” field if you wish to keep a copy) and use the “Do not forward” or “Confidential” options to increase security. (When creating a new email, the Options menu allows you to show the “Bcc” field and set the Permissions.)
d. Do you work online when not in the office? Care must be taken when working away from the office, including at home. Always be aware of others being able to view University material by ‘shoulder surfing’ or fake wifi hotspots (made to look like genuine wifi connections), especially when on public transport or in public locations such as cafes and hotels. Avoid open wifi networks and use the Secure Access Service (VPN) as this will encrypt everything you do. This includes if you use Remote Desktop. See guidance Using the UH Secure Access Service (VPN)
e. Do you work from home? Staff using computers not owned by the University to access University systems and services must ensure they are set up for automatic Windows updates and have up to date anti-virus protection. See guidance Dealing with Viruses and Worms on Your PC
Do not allow your browser or application to remember your University password. Do not synchronise data to your own devices (eg OneDrive). If you access work email on your own device, only synchronise recent emails.
f. Do you have IT equipment that is no longer required? All desktop and laptop computers, software, data files and documents must be disposed of in line with University policy, agreed retention periods and procedures. For recovery of data from corrupt hard drives etc, advice must be sought from Library and Computing Services (LCS) Support.
g. Do you know how to keep your computer and personal details safe?
i. Keep your username and password details confidential and safe. You are responsible for all actions taken with your username and password – do not share them with anyone else. No-one within the University should ask you for your username and password, so if any email asks for this information, it will be a scam. Change your password regularly – if you forget your password or wish to change
See: How to change your password guide or go direct to https://www.pss.herts.ac.uk
ii. Do not respond to Spam / Phishing emails that ask you to login to systems or provide your login or contact details. See guidance Fraudulent emails, spam and phishing attacks
iii. You should always save and backup your work regularly. All staff are provided with online storage areas where data or documents can be stored and accessed from any location: Office 365 OneDrive cloud storage and X: drive department or team shared storage. Delete backups when you no longer need them, in case they also contain personal data that should be disposed of. See guidance File management and storage
iv. Operating system and anti-virus protection updates for your computer are delivered automatically over the University network. You must ensure your computer including laptops are regularly connected to the Internet and preferably to the University network either directly or via the Secure Access Service (VPN) at least weekly. If you discover or suspect you have a virus on your computer immediately contact the LCS Helpdesk (x 4678) in the first instance See guidance Dealing with Viruses and Worms on Your PC

5) If you need to send personal data to someone else, extra precautions must be taken
a. If you are providing personal data to anyone (internal or external), always ensure that they are authorised to receive that data and that you have validated their identity. For multiple records, an external recipient must be authorised in advance using a University Data Access / Sharing Agreement signed off by the appropriate Data Steward, or within a contract, which ensures that the external recipient understands their duty of confidentiality. StaffNet home > How to guides > Computing how to guides and guidelines > Information and data security and encryption > Master Data and Document Sources
b. Do not email personal data to an external recipient – always use the University Exchange File service. See https://www.exchangefile.herts.ac.uk/about.php
c. To send personal data to internal recipients, send a link to the data stored on a file server, whenever possible. Do not put any personal data in the body of an email. Personal data may only be sent by email internally, in an encrypted attachment, and to an agreed named recipient. Always check you have selected the correct recipient, and not quickly picked a name from a list. Keep recipient list to an absolute minimum. Ensure unnecessary email trails are deleted before sending message.
d. Personal data in electronic format (eg disk) must not be sent by post or courier.

Footnote

This document supports the policies and principles set out in the University Information Management Policy (UPR IM02), Information Security Policy (UPR IM03), Data Management Policy (UPR IM16) and the Records Management Standards. See UPRs

University of Hertfordshire has Cyber Essentials accreditation – a government-backed, industry supported scheme to help organisations protect themselves against common cyber attacks.