7. Security of Personal Data
7.6 Migration or Update Plans
Staff with responsibility for the future migration or upgrade plans for the University's systems are expected to:
- document in the relevant project plan, and subsequently address, the potential effect of hardware, software and operating system upgrades, or obsolescence, on personal data processing operations
- consider whether a Privacy Impact Assessment is required
- carry out successful data transfer tests of existing systems to new systems or file formats before those systems go live and old systems, including manual systems, are discarded.
7.7 Back-Up of Personal Data
Key personal data on staff and students is maintained electronically and is therefore backed up in accordance with the University's Information Security Policy. The University is developing guidance on its vital records and the appropriate business continuity measures to be adopted for all electronic and manual data. Although there is currently no policy for maintaining backup copies of manual data, the control measures for access will ensure that manual personal data is kept in an appropriately secure environment where risk of loss or damage is minimised.
Further information is provided in the Manual and Physical Data Security Policy.
7.8 Working Off-Site, on Home Computers or at Remote Locations
All University staff working from home, either on an occasional or a regular basis, must be aware of their obligations under Data Protection legislation and the University's Information Security Policies when they undertake administrative, research or teaching-related work at home and use information in all formats, including paper files, electronic data, word processed documents and e-mails.
Addressing these issues will also help in compliance with requests received under Data Protection legislation and the Freedom of Information (Scotland) Act 2002. These Acts apply to all paper and electronic information that staff may receive and create as part of their employment with the University, regardless of where that work takes place or where the information is stored.
Staff working from home must not dispose of any paper records containing personal or sensitive data in domestic waste. All such paper records must be returned to the University and disposed of in accordance with the Safe Disposal of Confidential Waste.
Further guidance is available from Human Resources in the Home Working Policy, available on the HR Documents intranet page, and from Information Services on Remote Access to the Network.
Personal data in both manual and electronic formats should only be destroyed in accordance with the University's agreed retention schedules and Section 20 of this Code. Further advice and guidance may be sought from the University's Information Governance Manager. Once it has been established that the data may be disposed of, care must be taken to ensure that appropriate security measures are in place to carry this out, whatever the format in which the data is held. Guidance is available on the Safe Disposal of Confidential Waste and the use of Shredding Consoles.
7.10 Procedure for a Data Breach
In the event of a data breach involving either electronic or manual personal data, the Procedure for a Breach of Data Security must be consulted.