In the case of personal data, especially 'special category' personal data (e.g. relating to health), it is particularly important that only authorised persons have access to that data.
Note: this section deals with St George’s members who handle personal data in the course of their work or study – please refer to the sections on subject access requests and sharing personal data for other types of access to personal data.
In terms of physical security, the following guidance applies:
-
Operate a ‘clear desk’ policy – all paper files and documents containing personal data should be kept in lockable storage and never left out on a desk when not in use.
-
When taking paper files off-site they must not be left overnight in a car or left unsecured in an area accessible by the general public.
-
Do not leave your work PC logged on while you are away from your desk.
-
Never leave documents containing personal data unattended at a photocopier or fax machine.
-
St George’s computers should not be given away, sold or otherwise disposed of before consulting IT Services in order to ensure all personal data is removed first.
In terms of technical security, the following guidance applies:
-
Never divulge your St George’s password(s) to anyone else.
-
Do not log onto a PC on behalf of another person using your St George’s username and password.
-
Ensure access to secure resources is restricted to authorised St George’s members only.
-
Password-protect secure files stored on a shared network drive where others using the drive may not be authorised to access the information in those files.
-
Use encryption when transferring personal data in electronic form.
For further advice on using password protection and encryption, or about the decommissioning of IT equipment, please contact ITAV.
The manner in which personal data is stored is also an important part of maintaining the security and integrity of that data. The university provides secure storage on its servers for St George’s members, with the added advantage that data stored on these central servers are backed up overnight every night.
The following guidance applies to the storing of St George’s personal data:
-
Never store personal data on the hard drive of your machine – if that machine is lost or stolen or becomes corrupted, you risk losing the data completely. Storing data on one of the university’s central network drives, such as your H: drive, means that it will get backed up regularly.
-
St George’s personal data should not be routinely downloaded and stored on a personal mobile phone or handheld device, or on any other device not directly owned or maintained by the university.
-
Personal data belonging to the university should not be stored with external service providers, eg in your Google or Yahoo account, or a public Dropbox folder or any other provider that the university does not currently have a formal contract with.
While the university has overall responsibility for the security of its data, it is also down to each individual member to ensure that they adhere to the relevant guidelines when handling personal information. If you are unsure as to whether or not it is OK to store personal data in a particular location, please contact the Data Protection Officer for advice.
The advice in this section works on the assumption that personal data is being transferred off-site for authorised purposes only, or where a formal data sharing agreement exists to do so. Please refer to the other sections of these guidance pages for information about data sharing, or contact the Data Protection Officer for more advice.
By post
In most instances, personal data will be sent in electronic format. In situations where it is necessary for information to be sent as a hard copy, e.g. records that only exist in paper-based format or clinical letters, appropriate care should be taken to ensure the information is sent securely.
-
Consider using registered delivery or courier, especially when sending sensitive personal data such as medical information.
-
Always direct information to a named individual rather than to generic addresses such as ‘Head of HR’ or ‘The Finance Department’.
-
Make sure envelopes are marked ‘Private and Confidential’ or ‘For Addressee Only’.
-
If necessary, ask the recipient to confirm with you that the information has arrived safely.
Electronically
Personal data, and especially ‘sensitive’ personal data, should always be encrypted (and password-protected, where relevant) when being transmitted electronically. The same applies if you are downloading personal data to removable media or portable devices for transfer off-site.
Where personal data is being conveyed by email you should use Office Message Encryption, which offers protection for the contents of the email and any Office-based attachments that you are sending. Emails should be marked ‘confidential’ in the subject line and at the top of the message itself.
Alternatively, and especially where large files are involved, you can use SGUL's secure file transfer service, iDrop External parties can also use this service to send files securely to SGUL recipients.
Staff and students should contact ITAV for help with using Office Message Encryption or the iDrop service, and for further guidance on password-protecting and encrypting files.