7. Security of Personal Data
Introduction
The University is required under Data Protection legislation to have in place an institutional framework designed to ensure the security of all personal data, in whatever format, from collection through to destruction. All staff, students and authorised visitors who deal in any way with personal data have a responsibility under Data Protection legislation to take all appropriate security measures to protect that data against unauthorised loss, destruction, corruption or disclosure. The level of security applied should be proportionate to the degree of harm that could occur if the personal data were misused.
Personal data should only be processed in accordance with:
- the data protection principles
- the University's notification to the UK Information Commissioner
- this Code of Practice, relevant University policies and associated guidance
Any failure to comply with the above requirements may result in disciplinary action being taken.
7.1 Electronic Data
Information Systems play a major role in supporting the day-to-day activities of the University. Staff and students using the University's systems must comply with all University Information Security Policies, which can be found here:
http://napierstaff.napier.ac.uk/services/cit/infosecurity/Pages/InformationSecurityPolicy.aspx
Third-party systems not provided by the University's Information Services (IS) department must undergo a Privacy Impact Assessment, and their system and technical security measures must be approved by IS before the system is used to process personal data.
7.2 Manual Data
All personal data must be stored in a secure environment with controlled access. The level of security to be applied should be agreed after a basic risk assessment has been carried out.
Appropriate secure environments include:
- locked metal cabinets with access to keys limited to authorised personnel only
- locked drawer in a desk (or other storage area) with access to keys limited to authorised personnel only
- locked room accessed by key or coded door lock where access to keys and/or codes is limited to authorised personnel only
Further guidance on risk assessments and appropriate security measures is available in the University's Manual & Physical Data Security Policy.
7.3 Contractors, Vendors and Suppliers
Vendors, contractors or suppliers will at times require access to areas in which personal data may be stored or processed. In certain circumstances it may also be necessary to allow contractors (e.g. computer engineers) access to personal data itself in the course of maintenance or repair work.
7.3.1 Contractors
Staff responsible for securing the services of contractors are required to ensure that the contractors are:
- Controlled, documented and required to wear some form of identification
- Restricted from unnecessary access or admittance to areas where personal data is held or processed
- Required to sign an oath of confidentiality where access to personal data is unavoidable
7.3.2 Vendors and suppliers
Staff responsible for vendors and suppliers visiting their areas are required to ensure that vendors and suppliers are:
- Controlled, documented and required to wear some form of identification
- Escorted throughout the area by the staff member they are visiting
- Restricted from unnecessary admittance to areas where personal data is held or processed
Staff and students are asked to challenge, or report to Security, any individual they see without proper credentials in areas where personal data is held or processed.
Page last updated 22 June 2022