Use cases

Use cases: what kind of encryption to use and how best to keep data secure when sharing or storing

Basic Principles

The safest way to handle University data is to store it on - and process it from - University-provided services such as DataStore, DataSync, OneDrive or SharePoint. Storage of University data on portable devices should be minimised whenever possible.

There may be other requirements for handling of specific data sets set by Schools, Colleges or the providers of the sets; these should always be used in addition to the guidance below, which represents the minimum needed. 

Portable computing devices

Portable devices - laptops, tablets and phones - used to access or process University data should have their storage encrypted. 

When considering use of other portable devices - for example, e-readers or specialised devices - this requirement for encryption should be taken into account if University data is to be accessed or processed.

In some rare circumstances, usually associated with travel to high-risk countries, it may be necessary to use an unencrypted device. No data should be stored on such an unencrypted device and all access to data should be done remotely. Further information can be found on our "before you go" pages.

Portable storage devices

Portable hard drives or USB keys are easily lost or stolen and therefore should be treated as a risk; storage of University data on them should be minimised. Where it is necessary to use such a device, encryption should be used. This could be a hardware encryption solution specific to the device, a whole-disk solution provided by the operating system to encrypt the entire disk, or an encrypted container file holding the data. Depending on the application in use, there may also be an encryption option available as part of the application.

Cloud storage

University-provided services should be used to store University data. Other third-party services such as Google Drive, Dropbox or any other such service should not be used.

Sharing of information

There are University-provided services which allow sharing of files with local and external users (DataSync, OneDrive, Globus and SharePoint). These should be used in preference to sharing files by email because access can be checked, changed and removed as required. Once data is sent as an attachment you no longer have any control over access.

If third-party sharing services are the only option due to collaboration requirements then encryption must be used and a risk assessment should be performed and accepted by the School/Unit. The data should be deleted from the sharing service once accessed to reduce the window of opportunity. Arrangements should be made with the recipient of the data to ensure that this window is as small as possible. 

If the only option is to use email then the data should be sent as an encrypted file or in an encrypted container. The password for this file/container should be provided by a different mechanism to the file - if the file has been emailed then the password should be passed by phone, for example. 

When encryption is used, an appropriate mechanism usable by both parties should be agreed in advance.

For all sharing mechanisms, whether cloud or email, it should be ensured that the data is only shared with those who need the data. It should be confirmed that the users being given access are the correct users and not anyone with a similar name or role. Sharing with groups, mailing lists or any mechanism where it may not be clear specifically who will receive and have access to the data should be avoided. 

The responsibilities of the recipients of the data should be made clear in any agreement to share data. 

Remember that if someone can view data then they can take a copy of that data. There is no technological way to prevent this, even if a product or service claims that is the case. At minimum a screenshot or photograph with another device will always be possible, so even if access is revoked at a later date the data may still be held by the recipient.