All employees and agents processing personal data for and on behalf of the University are responsible for ensuring that any processing of personal data carried out by them complies with the Data Protection Legislation.
All line managers are responsible for ensuring that the processing of personal data carried out in their School/Service Area is compliant with the Data Protection Legislation and that employees reporting to them are aware of their responsibilities under the Data Protection Legislation and have received training.
All users of personal data at Edinburgh Napier University are required to comply with:
- The Data Protection Legislation
- The University’s Data Protection Code of Practice and Information Security Policies
- Associated University policies, procedures and guidance on the provisions and practical implementation of the Data Protection Legislation
Any breach of the University’s policies, procedures or guidance may result in the University being legally liable for the consequences and internal disciplinary action being taken.
Handling Personal Data
Data must be:
- Processed fairly, lawfully and transparently.
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with these purposes.
- Adequate, relevant and limited.
- Accurate and up to date.
- Kept in a form which permits identification of data subjects for no longer than is necessary.
- Processed in a manner that ensures appropriate security.
- The Controller shall be responsible for and demonstrate accountability.
- Data held on a portable device could be at risk from loss or theft.
- The University provides “VeraCrypt” to our users to encrypt their data. The software can be found within AppsAnywhere.
- Any data that is to move from the premises and is of a sensitive or confidential nature must be encrypted.
Data Sticks, USB Drives or Flash Drives
- Password protect your device.
- Encrypt any data on the device.
- Keep your software up to date.
- Never leave your device unattended.
- Keep a backup of your data.
- Do not use unknown devices that you may find lying around. They may be infected with malware or a virus just waiting for someone to plug them into a University computer!
Security is particularly vital for records containing:
- Personal data.
- Commercially sensitive information.
- Information provided in confidence.
- Legally privileged information.
- The Data Protection Act requires us to protect personal data against unauthorised access and accidental loss.
- Poor data security (e.g. loss of USB data sticks or paper records) can lead to reputational damage and result in the University being fined or prosecuted.
A data security breach can happen for a number of reasons:
- Loss or theft of data or equipment on which data is stored and has not been protected sufficiently with passwords or data encryption.
- Equipment failure.
- Human error or behaviour.
- Disgruntled employees.
- Cyber criminals – ransomware, malware and phishing attacks.
- Social engineering, where information is obtained by deceiving you.
- Employees who have not completed the cyber security awareness training.
Keep Your Data Secure
- Passwords – Use a passphrase which will be easier for you to remember.
- Lock your PC or electronic device whenever you leave it unattended.
- Mobile devices (laptop/USB/etc.) should be encrypted and kept secure.
- Encrypt emails as appropriate.
- University systems should be accessed remotely through the virtual private network (VPN).
- Complete the online Information Security Awareness training module.
Keeping Information Secure
- Lock your PC when you move away from your desk no matter how long you will be away!
- Clear desk policy.
- Locked drawers / cabinets / offices.
- Ensure you have all your printouts when you finish printing.
- Use the University’s offsite storage facility to store records that are not live or in constant demand.
- Use the confidential disposal consoles (paper and redundant electronic media) or arrange for bulk shredding (via Property and Facilities).
- Don’t put confidential or personal data in the recycling bins but instead use the confidential waste consoles which are located on each campus.
- Ensure your PC monitor cannot be overlooked.
- If you work from home, it is not advisable to take paper documents and records home with you, particularly if they contain personal or confidential information. Only take them home if you really have to!
- Don’t leave any documents or devices in your vehicle en route and do lock them up when you get home.