Information Governance Policy

Transcription

1 2015 Information Governance Policy University of Wolverhampton Version th October 2015

2 Policy Approval Procedure Information Governance Policy Policy Author: Stephen Hill Dept.: DAS Information Governance Policy Check and Approval: Senior Information Risk Officers Information Governance Policy Check and Approval: Information Systems Committee Information Governance Policy Approval by Executive: CMT Signed Off: 23 rd September 2015 Signed Off: 7 th September 2015 Signed Off: 4 th November 2015 Approved: 06/01/2016 CMT 1

3 Contents University Information Governance Policy Introduction Information Protection Context Overview Data Definition Classified Data Applicability Requirements Applicability Classification University contractual agreements Data Storage Mobile Device Management Research Classified Data ing Classified Data Document Confidentiality Data Sharing Outside the European Economic Area Disposal of Devices Data/ Device Loss Appendix 1 University of Wolverhampton Data Classification Appendix 2 Key Controls for protecting classified information (Summary)

4 University Information Governance Policy 1. Introduction 1.1. Information Protection Context This policy sets out the steps which members of the University are required to take to protect the security of all sensitive information processed or shared by the University, a category which includes but is not limited to information which relates to or identifies living individuals personal data. ( personal data as defined by the Data Protection Act 1998 (DPA); the Data Protection Policy 2015 provides additional guidance on acceptable data processing processes and procedures for the university. This policy applies to all members of the University of Wolverhampton ( the University ). For the purposes of this policy, the term Staff means all members of University staff including permanent, fixed term, and temporary staff, governors, secondees, any third party representatives, agency workers, volunteers, interns, agents and sponsors engaged with the University in the UK or overseas. This policy also applies to all members of staff employed by any of the University s subsidiary companies All contractors and agents acting for or on behalf of the University should be made aware of this policy and the requirement to secure data confidentiality agreements prior to data transfer from the University repository or databases or outsourcing data processing responsibilities. This policy applies to all personal and sensitive personal data processed on computers and also includes information stored in manual ( paper based ) files. It is the members of Staff s responsibility when creating data, accessing a document or using media to ensure the documents, media or databases are correctly classified either at the point of creation, or where the document, data or media was created prior to implementation of this policy, at the first opportunity when processing or using the data for research or University business. The overall responsibility is for each member of staff to provide suitable data classification for their records, documents and media which enables all members of the University staff to easily process information in a safe and secure manner which complies with legal and regulatory compliance requirements. 3

5 1.2. Overview The Policy classifies sensitive information according to its perceived damage potential, this is defined as being the damage which would be sustained to an individual, physical or reputational, or damage to organisational reputation likely to be suffered by the University as a consequence of a data breach or data loss. The University has three types of classified information: Highly Confidential, Confidential and Personal. Any information that is not categorised as Highly Confidential, Confidential or Personal is Public. No particular controls apply to the disclosure of Public information and therefore this is not classed as classified data Data Definition For the purposes of this policy the Data Protection Act 1998 definition of data, information will be used: Data means information which a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, b) is recorded with the intention that it should be processed by means of such equipment, c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68 (Data Protection Act 1998), or e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d) Classified Data The following definitions will be used to classify all university data: Personal - Inappropriate disclosure could cause damage to the University's reputation or operations, may cause great distress to individuals, possibly pose a danger to personal safety or to life or likely impede the investigation or facilitate the commission of serious crime; substantial financial or legal penalties Confidential Inappropriate disclosure of the information to an unauthorised recipient will cause significant damage to the University s reputation or operations or will cause great distress to individuals, poses a probable danger 4

6 to personal safety or to life or likely to impede the investigation or facilitate the commission of serious crime: substantial financial or legal penalties. All information which is bound by a non-disclosure agreement will fall within this classification. Highly Confidential Inappropriate disclosure could severely adversely affect the University's reputation or operations, likelihood of causing substantial distress to individuals extremely probable or data breach will incur statutory restriction penalties for inappropriate disclosure of information; data breach has a high likelihood of financial or legal punitive penalties being imposed against the university. The term Classified Data in this policy refers to data classified as Personal, Confidential or Highly Confidential within the context of this policy. Except for information which is obviously and legitimately in the public domain (such as job titles, departments etc.), personal data (as defined by the DPA 1998) will fall within one of the above classified categories. The scale, volume and medium of storage needs to be taken into account in the assessment of the classification of any set of information. For example, information which in itself would be classified as Confidential when it relates to just one individual might need to be classified as Highly Confidential when it covers hundreds or thousands of individuals, especially (but not only) if it is held in electronic form. The potential for damage from unauthorised disclosure is very much higher in the latter case, therefore the level of control needs to be accordingly higher, and this Policy reflects this need. This Policy is a sub-policy of the University Information Security Policy and should be implemented with regard to the associated policies within the Information Security Framework and associated guidance. Appendix 1 - Provides guidance on the University of Wolverhampton data classification matrix. Appendix 2 Provides a summary of the key data handling controls. 2. Applicability Requirements The University is seeking to create and reinforce a robust data handling culture within the University. All members of the University are expected to comply with the following requirements. 5

7 2.1. Applicability This Policy is intended for use by all staff that creates, handle or processes Classified Data within the university. The Policy adopts existing guidelines relating to document retention Document Retention Schedule and the Record Management Policy; as well as the Data Protection Policy. The Policy provides guidance on handling and storage requirements for classified data which members of the University will encounter during normal teaching, business and research activities. Further guidance on data classification, information handling and data processing may be found in the accompanying Data Classification Guidance document The adoption of the Policy and associated Data Classification Guidance document is a mandatory part of the University Information Security Policy. The policy is overseen by the Office of the University Registrar and Secretary (OURS) The University recognises that there may be legitimate circumstances where it may not be possible to adhere strictly to this policy. In these cases, advice should be sought from the Office of the University Registrar and Secretary (OURS) on how best to secure your data processing requirements within the spirit of this policy which comply with UK data protection legislation Classification All information and data within the University will be designated as falling within one of four distinct control groups: i. Public, ii. Personal, iii. Confidential, iv. Highly Confidential. Only Personal, Confidential and Highly Confidential data will be termed as being Classified Data for the purposes of this policy University contractual agreements Members of the University will ensure access to or sharing of classified information will only be conducted as part of a University business requirement and necessary data processing permissions are secured prior to granting access to data or information. 6

8 Members of the University will endeavour to obtain any necessary permissions before sharing classified information with colleagues or third parties, where practicable. External partnerships will secure data confidentiality agreements where classified data is to be shared and the partner agency will be required to adopt a data security framework which attains the same level of information security as the University Where data sharing agreements are with partner agencies outside the European Economic Area (EEA) then UK legislation will take priority and the partner agency will be required to adopt data processing standards which adhere to UK legislation. Processing data outside the EEA will comply with Data Protection Act 1998 compliance requirements The University will ensure any additional third party rules, regulations or compliance requirements relating to data that has been shared with the University under a joint data sharing with the University are adhered to as far as practicable, where the additional requirements do not negate any of the information security controls under this Policy Data Storage The University Data Protection Officer must provide permission for any classified data to be stored outside the University provided servers. Classified data must only be stored on the University s servers (encryption of highly confidential data is a mandatory requirement where data is stored in unrestricted shared areas). Storage of classified data outside the approved service providers is a severe breach of this Policy and may result in disciplinary action for insecure storage of data which breaches this Policy The University will authorise and maintain a list of approved service providers that have been security-tested and approved by the University as suitable data storage options, Cloud services must not be used for storing or processing data which is either: Classified data Or Of such criticality that functions or operations would be disrupted should it be lost or become unavailable or corrupted Or Valuable intellectual property (IP) of the University (further advice on securing IP can be sought from OURS legal advice). 7

9 Classified information obtained from an external source (outside the University), for example, through the collection of research data with a partner organisation, must be kept securely, such data must be stored on University servers (registered with and approved by the Data Protection Officer) at the earliest opportunity Mobile Device Management Members of University staff must ensure access to devices and data is restricted to authorised persons, password protection will be activated on all devices used to store or access University data Mobile phones, including personal devices, used to access University must be secured with a PIN code to prevent unauthorised access. Minimum requirement will be for a four digit PIN which is changed on a regular basis Members of University staff must ensure devices or media used for the storage of Classified Data are utilising secure encryption tools for data storage Classified Data may only be stored on encrypted laptops, memory sticks and other portable devices. Data classified as Highly Confidential information must not be included within the body of an unencrypted e- mail Research Classified Data Members of University staff must comply with the University s Data Protection Policy Research data must be anonymised wherever practicable, the removal of classified research data from the University servers must be authorised by the supervising academic. Classified Data should not be kept longer than required for the conduct of University business or purposes of research and must be destroyed at the earliest opportunity in accordance with University policy ing Classified Data Members of University staff are required to use University addresses when ing classified data to other members of the University. Externally-hosted facilities will not be used for the transmission of classified data between University staff, unless the data is encrypted with an approved encryption tool validated by the University; 8

10 the Directorate of Academic Support, IT Services will maintain a list of university approved encryption technologies Members of University staff are required to use University-approved methods to access University or data when off campus. Staff should use the approved Microsoft 365 portal or OWA Exchange Server for access Document Confidentiality Only in very exceptional circumstances, and with the permission of your line manager, will highly confidential paper documents be taken outside the University. Members of staff wishing to take classified paper documents outside the University, will ensure the documents are removed for the shortest time possible and kept securely at all times The posting of classified material must use a first class envelope for confidential material, and use recorded post and a double envelope (one inside the other) for material that is highly confidential. The external envelope must not bear the classification The University will ensure disposal of classified paper documents is in accordance with the Confidential Waste Disposal Policy The University requires that members of Staff utilising home or other non-university computers to create or access classified data, ensure that the device has up-to-date security protection, and that the member of Staff ensures data confidentiality is maintained at all times. Classified Data must not be stored on privately-owned computers, mobile equipment or unencrypted removable media Data Sharing Outside the European Economic Area The university will ensure that UK data protection legislation is applied to all data processing, storing and sharing agreement between the university and partner organisations. Where data is stored, processed or shared with partner organisations outside the UK local data compliance rules may impose additional data processing requirements, these local compliance requirements will be respected where they do not negate UK data protection legislation, UK data protection legislation will remain the primary data security control in all instances. 9

11 2.10. Disposal of Devices All unwanted, damaged or obsolete computer hardware must be disposed of in accordance with the Waste Electrical and Electronic Equipment Collection Procedure (WEEE Collection Procedure). Unwanted, damaged or obsolete hardware cannot be sold or donated to members of the University or to other organisations, such as charities without prior authority of the Director of the Directorate of Academic Support Data/ Device Loss Members of Staff are required to inform their Line Manager or University central point of contact representative at the earliest opportunity of the loss of a device or data which contains or may contain Classified Data. End of document Version 1.2 Author Stephen Hill Approved date 6 th January 2016 Approved by CMT Review date 6 th January

12 Appendix 1 Data Classification Classification RISK Assessment Risk None Low Medium High Confidentiality is of no particular significance to this information Inappropriate disclosure could cause damage to the University's reputation or operations, may cause great distress to individuals, possibly pose a danger to personal safety or to life or likely impede the investigation or facilitate the commission of serious crime; substantial financial or legal penalties Inappropriate disclosure of the information to an unauthorised recipient will cause significant damage to the University s reputation or operations or will cause great distress to individuals, poses a probable danger to personal safety or to life or likely to impede the investigation or facilitate the commission of serious crime: substantial financial or legal penalties. All information which is bound by a non-disclosure agreement will fall within this classification). Inappropriate disclosure could severely adversely affect the University's reputation or operations, likelihood of causing substantial distress to individuals extremely probable or data breach will incur statutory restriction penalties for inappropriate disclosure of information; data breach has a high likelihood of financial or legal punitive penalties being imposed against the university. 11

13 Appendix 1 Data Classification Access May be viewed by anyone, anywhere in the world Available to all University of Wolverhampton members (e.g. secured behind a login screen) Available only to specified authorised University of Wolverhampton members (e.g. secured behind a login screen, requires authorisation to gain access) Access is controlled and Highly Confidential to a small number of authorised University of Wolverhampton members (e.g secured behind a login screen, requires authorisation to gain access) Appendix 1 University of Wolverhampton Data Classification 12

14 Appendix 1 Data Classification Classification PERSONAL Information PERSONAL Information Examples (nonexhaustive) As defined by the Data Protection Act 1998 (see University Data Protection Policy) Anonymised information 1 Staff Details shared publically by the University Information on individuals made public with their consent including on social media sites or departmental websites Individual s home addresses, contact details and passport or NI number. Individual s name, home addresses, contact details and age Individual s image (incl. CCTV footage) List of student or staff names and ID number. Student registration and attendance details. Financial information relating to individuals e.g. banking information, salary details, indebtedness (student fees) Information on individual s, racial or ethnic origin, political option, religious or other beliefs, physical or mental health or criminal record. 1 For these purposes anonymised information is information which cannot identify an individual either in isolation or when combined with other information (Section 1 (1) of the DPA 1998). Anonymised data may also carry other handling requirements please see below. 13

15 Appendix 1 Data Classification Classification PERSONAL Information PERSONAL Information Dates of birth (DoB) Individual s name plus DoB or national insurance number(ni) 3 References for staff or students 2 UCAS forms Individual s name plus DoB or NI number, passport details, home address and telephone number 3 2 Content dependent e.g. information relating to health, criminal record or disciplinary matters would make the reference or form Confidential 3 Adding additional combinations of data can change the overall classification (sensitivity) of the information. Increasing the volume can also increase the classification level. 14

16 Appendix 1 Data Classification Classification NON-PERSONAL Information Research proposals prior to award Information relating to supply or procurement of goods/services prior to approve publication. NON- PERSONAL Information Examples (nonexhaustive) Anything subject to disclosure under the Freedom of Information Act. Department and Course details Marketing or Press Information Factual and general organisational for public dissemination incl. annual reports or accounts. 'Trade' secrets, intellectual property intended for commercialisation. Research data which is securitysensitive or has been similarly classified by an external body (e.g. Government, commercial partner with a confidentiality agreement) Legal advice or other information relating to legal action against or by the University 15

17 Appendix 2 Key Controls for protecting Classified Data Activity Electronic Data 4 Storage of data in shared areas of University server Storage of data in HDD of University desktop/laptop Remote access to data Storage of data on University-owned laptops or other portable devices. Yes data to be stored in folders with restricted access. Yes data to be stored in folder with password protection Yes, connection to be made to document through Desktop Anywhere Only on temporary basis, taking care to avoid loss or theft. Only in backed up personal or shared network spaces with access Highly Confidential to only those with a valid right to access the information (by adding a password to the document, encrypting it or apply permissions to a folder). No Yes, data must not be stored on local hard drive or removable media. Connection to be made through Desktop Anywhere. No only accessible on campus Only on temporary basis and if encrypted/ password protected, taking care to avoid loss or theft. Storage of data on privately-owned laptops or other portable devices (including memory sticks) Sending data by Unencrypted Only addresses or other internal domains e.g. wbs.ac.uk or No Only as encrypted/password protected attachment (take care to check address of recipient(s)) Only via secure system such as NHS external account or Police PNN network. 4 See Digital Storage User Guide for additional data handling requirements. 16

18 Appendix 2 Key Controls for protecting Classified Data jobs.ac.uk (take care to check address of recipient(s)) Encrypted To external address, data not to be included in body of as clear text. (University is not a secure system) Appendix 2 Key Controls for protecting classified information (Summary) 17

19 Appendix 2 Key Controls for protecting Classified Data Activity Paper and other media Storage in University Locked filing cabinet or equivalent Locked filing cabinet or equivalent in office which is locked or attended at all times. Facsimile transmission Ensure fax number is correct and entered correctly No (unless to pre-arranged safe haven Data collection outside Kept securely on the person (and returned to the University at the earliest opportunity) machine ). Kept securely on the person, preferably in a locked case (and returned to the University at the earliest opportunity) Taking documents off campus For the shortest time possible and documents to be kept securely about the person Only permitted exceptionally and once authorised by your line manager. Posted Yes via first class post in an envelope without any classification marking Yes, via Recorded post when double enveloped, without classification marking on outer. Disposal Confidential Waste Disposal Policy 18