7. Security of Personal Data
7.4.1 The University's guidance on the student processing of personal data is available in Section 5 of this Code. The University does not envisage that many students will have access to or be processing personal data for which the University is the Data Controller; this is particularly so for undergraduate students.
7.4.2 Employed students are not permitted under any circumstances to remove personal data in any format from the University. However, research students in certain subjects, such as Nursing and Midwifery and certain life and social sciences, may be permitted to access or process personal data for which the University or a partner of the University is the Data Controller, in the course of their studies or research.
7.4.3 University staff who have authorised this processing of data are responsible for ensuring that such students are given formal training in their and the University's obligations under Data Protection legislation and advised on appropriate security measures. This could be carried out as part of the University's ethical review process for postgraduate research projects.
7.4.5 In particular, students must be made aware of the following:
- In the case of data for which the University is the data controller, the purposes for which the data has been collected, including the parties to whom disclosure may legitimately be made, and that disclosure may not be made to other parties, unless one of the exemptions in Data Protection Legislation applies.
- In dealing with personal data, for which the University is the Data Controller, requests for disclosure under one of the exemptions in Data Protection legislation (e.g. law enforcement) are to be referred to the University's Information Governance Manager.
- In dealing with personal data for which the institution is the Data Controller, their access to and use of personal data is for specified authorised purposes only and that any breach of these requirements will constitute an offence under the Student Conduct Regulations.
- The requirement to apply and abide by any relevant security requirements contained in agreements with outside bodies who may furnish personal data for University research purposes.
- Casual access to personal data, for which the University is the Data Controller, by unauthorised persons by act or omission, is not permitted and that any such act or omission that does or could lead to unauthorised access or disclosure to unauthorised persons will constitute an offence under the Student Conduct Regulations.
- Failure to adhere to the correct use of applicable access control mechanisms will constitute an offence under the Student Conduct Regulations.
7.5 Transfer of Personal Data
7.5.1 All transfers of personal data are to be authorised and/or conducted at an administrative or managerial level appropriate to the type of personal data being transferred and carried out in accordance with any applicable data transfer agreement. Data is only to be transferred in secure conditions which are commensurate with the anticipated risks and appropriate to the type of personal data involved.
7.5.2 Key points to note are:
- It must not be assumed that documents transferred by electronic means (e.g. email, web transfers, File Transfer Protocol) are secure.
- Material containing special category personal data, or data that, if lost, is likely to cause damage or distress to the subjects, should always be encrypted to an appropriate standard before it is transferred.
- Staff must consider whether data can be anonymised before it is taken off University premises and/or sent either by post or courier.
- If this is not possible and it is deemed absolutely necessary to download personal data to physical devices (e.g. USB memory sticks, CDs or DVDs), then the data must be encrypted.
- Hardcopy data should also be transferred in a manner proportionate to its sensitivity.
Information Services publish guidance on data encryption and the software to be used.
A staff checklist on Security of Personal Information is available for summary reference purposes.
Page last updated 21 February 2019