Policies, Procedures and Regulations
Information Security Policy
1. Introduction
Oxford Brookes University recognises that information and its associated processes, systems and networks are valuable assets and that the management of personal data has important implications for individuals. Through its security policies, procedures and structures, the University will facilitate the secure and uninterrupted flow of information, both within the University and in external communications.
The University believes that security is an integral part of the information sharing which is essential to academic and corporate endeavour and this Policy is intended to support information security measures throughout the University.
This policy should be read in conjunction with all other relevant policies, regulations and guidance published by the University.
This policy supports compliance with the information security standards IEC/ISO 27001:2013 and PCI DSS.
2. Definition
2.1 For the purposes of this document, information security is defined as the preservation of:
(i) confidentiality: protecting information from unauthorised access and disclosure.
(ii) integrity: safeguarding the accuracy and completeness of information and processing methods.
(iii) availability: ensuring that information and associated services are available to authorised users when required.
2.2 Information exists in many forms. It may be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, photographs, video image, audio recording or spoken in conversation. Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of the law and statutory, regulatory or contractual obligations.
3. Protection of Personal Data
The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. When handling such information, the University, and all staff or others who process or use any personal information must comply with the Data Protection Principles which are set out in the Data Protection law. Responsibilities under the Data Protection Act and other relevant legal provisions are set out in the Data Protection & Privacy Policy.
4. Information Security Responsibilities
4.1 The University is committed to introducing, maintaining and continually improving the information security management system (ISMS) and all things related to this. It is the responsibility of all students and members of staff. Every person handling information or using University information systems is expected to observe the information security policies and procedures, both during and, where appropriate, after his or her time at the University.
4.2 This Policy is the responsibility of the Head of Information Security Management; supervision of the Policy will be undertaken by the Vice Chancellor’s Group where appropriate. This policy may be supplemented by more detailed interpretation for specific sites, systems and services. Implementation of information security policy is managed through the Information Security Working Group (ISWG) and the Head of Information Security Management.
4.3 The University’s IT Services directorate has operational responsibility for the University’s IT systems and will therefore take action wherever necessary to protect those systems.
5. Information Security Education and Training
5.1 The University recognises the need for all staff, students and other users of University systems to be aware of information security threats and concerns, and to be equipped to support University security policy in the course of their normal work. The Information Security team shall provide appropriate mandatory training on data protection and information security awareness.
6. Compliance - Legal & Contractual Requirements
6.1 Authorised Use: University IT facilities must only be used for authorised purposes. The University may from time to time monitor or investigate usage of IT facilities; and any person found using IT facilities or systems for unauthorised purposes, or without authorised access, may be subject to disciplinary, and where appropriate, legal proceedings.
6.2 Monitoring of Operational Logs: The University shall only permit the inspection and monitoring of operational logs by appropriate IT Services staff or where it has been otherwise authorised by the Head of Information Security Management or nominated deputy. Disclosure of information from such logs, to the Police or to support disciplinary proceedings shall only occur (i) when required by or consistent with law; (ii) when there is reason to believe that a violation of law or of a University policy has taken place; or (iii) when there are compelling circumstances (circumstances where failure to act may result in significant bodily harm, significant property loss or damage, or other compelling reason).
6.3 Access to University Records: In general, the privacy of users' files will be respected but the University reserves the right to examine systems, directories, files and their contents, to ensure compliance with the law and with University policies and regulations as well as to determine which records are essential for the University to function administratively or to meet its teaching obligations. Except in emergency circumstances, authorisation for access must be obtained from the Chief Information Officer (or appropriate deputy) or the University Registrar, and shall be limited to the least access necessary to resolve the situation.
6.4 Protection of Software: To ensure that all software and licensed products used within the University comply with the Copyright, Designs and Patents Act 1988 and subsequent Acts, the University may carry out checks from time to time to ensure that only authorised products are being used. Unauthorised copying of software or use of unauthorised products by staff or students may be grounds for disciplinary, and where appropriate, legal proceedings.
6.5 Malware prevention: The University will maintain detection and prevention controls to protect against malicious software and unauthorised external access to networks and systems. All users of electronic devices issued by the University or used for University business shall comply with best practice, as determined from time to time by IT Services, in order to ensure that malware protection is maintained.
6.6 For further information please refer to the University’s IT Acceptable Use Policy.
7. Asset Management
7.1. All University information assets (data, software, computer and communications equipment) shall be accounted for and have a designated owner. The owner shall be responsible for the maintenance and the protection of the asset/s concerned.
8. Physical and Environmental Security
8.1 Physical security and environmental controls must be appropriate for identified risks. In particular, critical or sensitive information processing facilities must be housed in secure areas protected by defined security perimeters with appropriate security barriers and/or entry controls suitable for the risks identified.
9. Information Systems Acquisition, Development and Maintenance
9.1 Information security risks must be identified at the earliest stage in the development of business requirements for new information systems or enhancements to existing information systems, and risk treatment plans must be devised.
9.2 The responsibility for identifying and documenting any risks sits with the project or programme lead.
9.3 Controls to mitigate the risks must be identified and implemented where appropriate.
9.4 For further information see the Third Party Supplier Security Management policy.
10. Access Control
10.1 Access to information and information systems must be driven by business requirements and be commensurate and proportionate to the business need.
10.2 A formal access control procedure is required to cover the access to all information systems and services.
10.3 For further information please refer to the University’s IT Access Control policy.
11. Communications and Operations Management
Responsibilities and procedures for the management, operation and ongoing security and availability of all data and information processing facilities must be established.
12. Retention and Disposal of Information
All staff have a responsibility to consider security when disposing of information in the course of their work. Owners of information assets should establish procedures appropriate to the information held and processed and ensure that all staff are aware of those procedures. Retention periods should be set in consultation with the University Records Manager.
Staff must be aware of any legal requirements regarding how long data must be kept for and then by default apply the University’s records management policy, when determining how long to retain data.
13. Incident Reporting
All staff, students and other users should report immediately via the Service Desk Portal, or by telephone to the Service Desk on tel. ext. 3311, any observed or suspected security incidents where a breach of the University's security policies has or may have occurred, and any security weaknesses in, or threats to, systems or services. This includes but is not restricted to a data breach.
Staff must be familiar with the Information Security Incident Management Policy which sets out the process to follow where there is an actual incident or a near miss.
14. Business Continuity
14.1 The University will implement, and regularly update, a business continuity management process to counteract interruptions to normal University activity and to protect critical processes from the effects of failures or damage to vital services or facilities.
14.2 Business continuity planning shall consider information security requirements and regularly test plans to ensure that they are effective.
15. Setting of security objectives for the ISMS
15.1 Top management shall establish or adopt a framework for the setting of security objectives and these will be shared with relevant parties.
15.2 Security objectives are identified from different areas, such as guidance from regulators, changes in standards from certified bodies, risk raised by interested parties, changes in the organisation, and changes external to the organisation, for example environmental, commercial, legal, community and technological changes and changes in the third party agents the University employs as goods or service providers.
16. Continual improvement within the ISMS
16.1 Top leadership will ensure robust programmes of continual improvement are delivered by supporting, from the top down, the implementation of such programmes as are necessary to continually improve upon the operational status of the information security management system (ISMS).
Version: 3.0
Reviewed date: 15/06/2023
Data Protection and Privacy Policy
Introduction
1.1 General
The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. The University, and all staff or others who process or use any personal information, must comply with the Principles which are set out in Data Protection law when handling such information.
In summary these state that personal data shall be:
- Processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’)
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- Accurate and, where necessary, kept up to date (“accuracy”)
- Kept in a form which permits identification for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”)
- Processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (“integrity and confidentiality - security”)
- The controller shall be responsible for and be able to demonstrate compliance with the principles (“accountability”)
1.2 Definitions
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
"Staff", "students" and "other data subjects" may include past, present and potential members of those groups.
"Other data subjects" and "third parties" may include contractors, suppliers, contacts, referees, friends or family members.
"Processing" refers to any action involving personal information. This includes emailing, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Data Subjects” refers to any natural person whose personal data the University processes or is likely to process.
“Data Protection Law” in the UK principally refers to the 2018 Data Protection Act (‘the Act’ and the UK GDPR) as well as common law.
“Special Category Data” is personal data which the Act defines specifically and which requires additional legal safeguards. Types of personal data which fall into special categories are defined in 7.1.
2 Privacy Notices
2.1 Standard Privacy Notices
The University will provide a privacy notice at the point of collection of personal data in order to provide fair and transparent processing under the first principle.
This will contain:
- Purpose of Processing
- Legal basis and reason for Processing
- With whom personal data will be shared
- Information about international transfers
- A list of subjects’ rights
- Consequences of not providing the data
- Details of any automated processing
- Retention periods
- Contact details of the Brookes’ Data Protection Officer
- Contact details of the Regulator (Information Commissioner)
Where the data has not been acquired directly, the University will state:
- What types of personal data we will use and why
- The source of the personal data
2.2 Summary Privacy Notices
In some instances, it will be impractical or impossible to display a full privacy notice. In such cases we will display a summary privacy notice which will contain:
- Data protection contact details for the University
- Purpose of the processing
- Legal basis for processing
- Link to the full privacy notice
3. Staff Responsibilities
3.1 Staff Personal Data
All staff are data subjects of the University and are subject to the rights listed in section 5.2.
3.1.1 Data protection compliance is the responsibility of the entire university and staff must ensure that personal data the university holds on them is kept accurate and up to date.
3.2 Processing Personal Data
3.2.1 Staff shall ensure that appropriate organisational and technical measures are taken to secure any personal data that is processed. This includes:
- Personal data is stored securely and access to personal data is controlled on a need to know basis
- All reasonable steps are undertaken to ensure that personal data is not disclosed either orally or in writing, accidentally or otherwise to any unauthorised third party. Unauthorised disclosure may be a disciplinary matter for staff and may be considered gross misconduct in some cases. Any such incidents must be reported to the IT Information Security Team in accordance with the requirements of the Information Security Incident Management Policy
- Staff are required to adhere to IT Acceptable Use Policy.
3.2.2 All staff must undertake the University’s mandatory Information Security Awareness Training every two years or as prescribed.
4. Student Responsibilities
4.1 All students shall ensure that all personal information which they provide to the University is accurate and up-to-date; and
4.1.1 Inform the University of any changes to that information.
4.1.2 Students should periodically check any personal data the University holds about them and either update it through a self-service portal or inform the University of any amendments or corrections which are needed.
4.2 Students who use the University IT facilities may, from time to time, process personal information (for example, in course work or research). In those circumstances, they must notify their course tutor or research supervisor in the relevant Faculty who will provide further information about their responsibilities in processing personal data.
5. Rights of Data Subjects
5.1 Right of Access
5.1.1 Staff, students and other data subjects of the University have the right to access personal data about them. Any person may exercise this right by submitting a request in writing to the IT Services Information Security Team.
5.1.2 The University will not make a charge for such requests. Where the University deems the requests to be manifestly unfounded or excessive the University will charge a fee based on resources needed to fulfil the request.
5.1.3 The University aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within one month except where requests are complex or numerous. In such cases the statutory time frame can be extended by two months. The reason for any extension will be explained in writing by the Information Compliance Team to the data subject making the request within one month of the initial request being made.
5.2 Other Rights
5.2.1 Data subjects may have additional rights under the legislation:
- The right to be informed
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object to the processing of data
- Rights in relation to automated decision making and profiling.
5.2.2 The University will take appropriate steps to ensure necessary policy and procedures are in place to allow subjects to exercise their rights as stated in 5.2.1.
6. Lawful Processing and Consent
6.1 The University must provide a lawful basis for processing any personal data. The University will use the following lawful bases:
- Consent: the subject has given clear consent for the University to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract the University has with the individual, or because they have asked the University to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for the University to comply with the law.
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for the University to perform a task in the public interest or to carry out official functions, and the task or function has a clear basis in law (core business).
- Legitimate interests: the processing is necessary for the purposes of the legitimate interests pursued by the University with full consideration to safeguard the rights and freedoms of the data subject.
7. Special Category Data & Criminal Convictions
7.1 The University will not process any data relating to:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data or biometric data
- Health data
- Sexual life or sexual orientation
- Criminal proceedings or convictions
unless one of the conditions in 7.2 is fulfilled.
7.2 The University will only process special categories where:
- Explicit consent of the subject has been obtained
- Processing is necessary for employment, social security or social protection purposes
- It is necessary to protect the vital interests of the subject themselves or others
- It is necessary for the legitimate interests of the university and will not be shared externally without consent
- The data has been made public by the data subject
- It is necessary for legal proceedings or is otherwise lawful
- It is necessary for reasons of substantial public interest
- It is necessary for medical or social care reasons
- It is necessary for reasons of public interest in the area of public health
- It is necessary for archiving purposes
8. Data Protection Officer
8.1 Designation of the Data Protection Officer (DPO)
8.1.1 The University has a Data Protection Officer.
8.1.2 The University’s Information Security Team will be the point of contact and will facilitate appropriate information sharing with the designated DPO.
9. Retention of Data
9.1 The University processes personal data for many different lawful purposes. The University will maintain a records retention schedule setting out how long personal data can be retained for the specified purpose. The retention schedule is published and can be found on our records management page.
10. Compliance
10.1 Compliance with the Data Protection and Privacy law is the responsibility of all students and members of staff. Any deliberate or reckless breach of this Policy may lead to disciplinary, and where appropriate, legal proceedings. The University has a dedicated Information Security Team and any questions or concerns about the interpretation or operation of this policy should be taken up with them in the first instance by email at info.sec@brookes.ac.uk. This is a team email address.
10.2 Any data subject who considers that the policy has not been followed in respect of their personal data can report it to the University Information Security Team.
11. Data Protection Breach Management
11.1 A data protection breach is where any personal data held by the University, in any format, is compromised by being lost, destroyed, altered, copied, transmitted, stolen, used or accessed unlawfully or by unauthorised individuals, whether accidentally or on purpose. Examples include:
- Loss or theft of equipment on which data is stored, e.g. laptop or mobile phone
- Unauthorised access to data
- Emails sent to wrong recipients
- Public posting of confidential material online
- Incorrect sharing of Google (or any) documents
- Failure of equipment or power leading to loss of data
- Hacking attack
- Data maliciously obtained by way of social engineering
11.2 The University shall maintain and publish an Information Security Incident Management Policy.
11.3 All such breaches must be reported immediately to the IT Service Desk, or the ServiceNow Portal.
12. Register of Processing Activity
12.1 The University shall maintain a register of processing activity.
12.2 The register described in 12.1 shall be periodically updated when required and reviewed by data owners at least once within a period of 12 calendar months.
13. Data Protection Privacy Impact Assessments (DPIA)
13.1 Where there is a new processing activity, or a change to an existing one, which may result in a risk to the rights and freedoms of data subjects (privacy intrusive), the University will conduct a Privacy Impact Assessment (DPIA).
13.2 The University will embed DPIA within its project governance procedures so that privacy risks are identified and assessed at point of proposal.
13.3 Any changes to existing processing activities captured in the register of processing activity deemed to be privacy intrusive will require a PIA.
14. Processing Personal Data for Research
14.1 Where processing data for research purposes you must ensure that you obtain consent in accordance with the Act.
14.2 The University Research Ethics Committee (UREC) will be able to provide assistance.
You can find guidance on the Research ethics pages.
15. International Personal Data Transfers
15.1 The University will only transfer data within the UK and the EU or to a country or international organisation which has a finding of adequacy of protection for the rights and freedoms of the data subjects, save where an acceptable level of risk has been assessed and determined based on the facts of the transfer, or the data subject has explicitly consented to the proposed transfer.
16. Personal Data Processed by Third Parties and Suppliers
16.1 Where the University uses third parties and suppliers (to be known as processors in this section) to process personal data, the University shall:
- Use only processors providing sufficient guarantees to implement appropriate technical and organisational measures to facilitate data security as the law requires.
- Seek assurances that the processor shall not engage another processor without prior specific or general written authorisation of the controller in advance of so doing.
- Ensure that processing by a processor is governed by a contract, or otherwise by written or formal agreement, in which the processor:
  - Processes the personal data only on documented instructions from the controller
  - Ensures that persons authorised to process the personal data have committed themselves to confidentiality
  - Assists the controller in the fulfilment of requests exercising the data subject’s rights
  - Deletes or returns all the personal data to the controller after the end of the contract
  - Agrees to regular audits by the University.
17. Data Protection Audits
17.1 The University will periodically undertake data protection audits. These will include:
- Auditing of internal policies and procedures
- Auditing of planned projects and changes to systems (via privacy impact analysis)
- Auditing of contractual terms
- Auditing of supplier policies and physical security measures.
Policy version: 2.4
Reviewed date: 15/06/2023
Information Sharing and Transfer Policy
1 Introduction
1.1 The University holds a large amount of information, both in hard and soft copy. This includes personal and special category data (as defined by the UK Data Protection Act, 2018), and also non-personal information, which could be sensitive or commercially confidential (e.g. financial data).
1.2 Sometimes it is necessary to share personal data or information when we are working with partner organisations or other institutions or on collaborative projects.
This might entail:
- The University may receive personal information from the institution or partner
- The University may send personal information to the institution or partner
- A request for personal information held by one or more parties
1.3 These partners might be our partner colleges or universities, or other institutions with whom we have a relationship. We may or may not have a formal contract with these institutions or partners. Therefore we must consider what legal requirements there are associated with sharing information in the context of privacy and confidentiality.
2. Information Sharing
2.1 Disclosures of information (sharing) should be relevant, proportionate and lawful.
2.2 All regular sharing of information to the same source should be governed by a data sharing agreement which sets out the protocols for:
- What data is to be shared
- For what purpose
- Legal justifications for sharing
- Benefits and risks of sharing
- Information lifecycle (retention and disposal)
- Responsibilities and liabilities in the event of information security incidents
- Agreed methods of transfer
- Appropriate audit trails and governance
- Appropriate ID and background checks (where applicable)
- Identifying points of contact in the event of a security incident
3 Methods of Transfer
3.1 Electronic Documents
3.1.1 Sufficiently secure methods must be used when transferring personal data.
3.1.2 In the case of confidential and/or sensitive data it is recommended that data is encrypted to an acceptable standard (i.e. compliant with FIPS 140-3) prior to transfer and protectively marked.
3.1.3 Encryption passwords must not be relayed using the same communication channel as the data.
3.1.4 An audit trail of all transfers must be maintained in line with the retention policy.
3.1.5 If transfer is by email, information must be sent to named persons where possible; the use of group mailboxes is to be avoided.
3.1.6 Information no longer in use by either party must be securely deleted.
3.2 Hardcopy Documents
3.2.1 All hardcopy data must be posted using the University's approved mail delivery company.
3.2.2 All confidential and/or sensitive data must be identified and sent with the appropriate level of tracking via the University’s approved mail delivery company.
3.2.3 Personal information must be labelled ‘private and confidential’ and ‘addressee only’ where appropriate.
Version: 1.1
Reviewed date: 22/05/2023
Information Classification Policy
1. Purpose
This policy establishes a framework for classifying work-related information in order to:
- Promote the safe transmission and sharing of information with legitimate parties.
- Reduce the risk of harm to the confidentiality, integrity and availability of information processed by or on behalf of Oxford Brookes University.
- Advance our compliance with ISO 27001:2013 standards.
2. Scope
This policy covers all types of handling, sharing (processing) and storage of information, including teaching, research, commercial and non-commercial activities as well as administration carried out directly for the University, any affiliates or partners, or by the University on behalf of another organisation.
Scope of use: this Information Classification Policy will apply to either an instance or regular information sharing, save where the law or other written agreement provides otherwise.
3. Information classification
(Examples of how to apply the classification markings are found in section 5 and Appendix 1.)
All information falling within the scope of the policy must be classified in accordance with the following categories: ‘Confidential’, ‘Restricted’ and ‘Public’.
The following classifications are generally available for application:
Confidential:
Information has a significant value for Oxford Brookes University, another organisation or for an individual. Wrongful disclosure could impact the reputation or standing of an organisation or an individual, the safety of an individual or could cause significant financial loss. Information of this type is shared on a “need to know basis” only. This classification will include Special Category Data as defined in Data Protection Law (see Appendix 1).
Large datasets of information which would be classified as “Restricted” in smaller amounts may become classified as “Confidential” by virtue of the quantity of data involved. If in doubt as to whether a dataset is large, query this with the Information Security team by
Restricted:
This information can be shared appropriately with a limited audience, usually but not exclusively within the University. Some of the features attributed to “Confidential” information apply, yet the implications associated with sharing this information are less serious.
This information could be of financial or commercial value, or be subject to intellectual property, trademark or other legal protection. It would be likely to include emails and documents containing personal data.
Public (or unclassified):
This information can be readily shared and made publicly available. It could be on the Oxford Brookes University website with no adverse consequences for any organisation or individual.
4. Responsibility for classifying information
Anyone who is the author of information, or involved in processing information is responsible for ensuring that it is appropriately classified. Should anyone receive information which is not classified as it should be, that recipient becomes responsible for ensuring that any information is classified at that stage, in consultation with the relevant data owner. This can be achieved either by reverting to the source or by classifying it on receipt, whichever is appropriate in the circumstances.
5. Guidance
5.1 How to apply the classification marking
When classifying documents, consider all relevant factors set out in the respective classifications and the examples in Appendix 1, and apply the appropriate classification marking: Confidential, Restricted or Public.
5.2 Transmitting and sending information
When transmitting or sending information, please apply the Information Sharing and Transmission Policy, which can be found on IT Policies, Procedures and Regulations.
5.3 The storage and retention requirements
Any documents or data must be classified whether saved digitally or stored manually. (It is good practice for a document or data to contain a date, as well, to facilitate applying the Retention schedule.)
Any document or data which is classified as “Confidential” or “Restricted” must be handled in accordance with the Oxford Brookes Information Handling Guidelines.
Appendix 1
Examples of how to classify different types of information are included in this table. This list is neither exhaustive nor prescriptive; it is included as an aid.
Confidential | Restricted | Public |
Interviewee applications (including references); Human Resources records for staff; Occupational Health Records; Disciplinary Records; Some student information (confidential addresses etc.); Staff information; Special Category Data such as racial/ethnic origin, political opinion, religious beliefs, Trades Union Membership; Individuals’ Bank details; University bank details; Information about Criminal Convictions and/or DBS checks; Large amounts of Personal Data are deemed to be Confidential because of the quantity of records; Minutes of confidential meetings, or any section of minutes which are confidential. | Research prior to publication; Personal Data (information which identifies or leads to identifying an individual, including email addresses or financial information); Financially or commercially sensitive information such as certain procurement exercises or planning; Restricted policies (e.g. parts of the Business Continuity Plan, security procedures etc.); Student contact information (save where it is confidential); Preparatory work for Annual Accounts; Minutes of meetings where the discussion was not about a confidential matter. | Material which can appear on the Brookes website; Published research; Course prospectus; Policies, Guidance and Procedures (save when restricted); Annual accounts once formally released for publication; Faculty and staff directory information; Salary ranges (not individuals’ salaries, generally); Annual accounts |
Appendix 2
Additional Factors to consider when classifying information
- Where information is not classified and is not in the public domain already it should be treated as “Confidential” and afforded the highest levels of protection pending classification.
- Where information is held, handled or shared regularly or there is a large amount of data being processed either by or on behalf of another organisation, a contract or Information Sharing Agreement should cover the processing. This document is a legal requirement. It should set out which organisation’s Classification Policy applies (as well as covering other issues).
- Certain professions or functions have a regulatory body which stipulates how work-related information must be handled (e.g. occupational health, social services, research). In the unlikely event of any conflict between this policy and any guidance from a professional body, please raise this with the IT Services Information Security team by email using info.sec@brookes.ac.uk.
- Where material contains characteristics of more than one classification, the entire document or all data is afforded the most protective marking.
- Databases or stored information classified as containing “Public” information must not contain any “Restricted” or “Confidential” information, except where the confidential parts have been redacted, or protected. The Restricted or Confidential information must be unavailable. This redaction can be achieved by e.g. pseudonymisation, de-identification, anonymisation or obfuscation.
- Any restricted or confidential elements of the information must be logically separated and given the relevant classification and protection relevant to their content.
- The classification of information may change over its lifespan, as its value to the University or to an individual changes.
Version: 1.1
Reviewed date: 15/06/2023
Mobile Computing and Remote Access Policy
1 Introduction and Policy Objectives
1.1 This document specifies the University policy for the use, management and security of any mobile computing devices (‘mobile device/s’) that may hold University data.
1.2 This policy applies to both mobile devices issued and owned by Oxford Brookes and personally owned mobile devices (also known as ‘BYOD’).
1.3 This policy also stipulates requirements for remote access to secure University systems, whether by mobile or non-mobile computing devices.
1.3 The policy applies to all users (staff, associates, consultants, contractors and visitors) who have been given access to Brookes’ information and communication systems or information assets (herein ‘users’). This policy only applies to students that are carrying out an official function on behalf of the University.
2 Definitions
2.1 Mobile devices that may hold University data include, but are not limited to:
- Laptop computers and netbooks
- Tablets
- Smartphones
- Portable storage devices (e.g. external hard drives, USB ‘thumb drives’ and memory cards).
2.2 University ‘issued and owned’ devices include any device purchased, owned or leased by the University regardless of the source of funding.
2.3 Remote access refers to the ability of a user to directly access a Brookes’ computer, information and communication system or information asset from an offsite or other, non-secure, location.
3 Mobile Device Policy - Technical Requirements
3.1 IT Services is responsible for determining minimum security requirements for mobile devices. Minimum security requirements will be communicated to users through advice given by IT Services staff and published guidance, in particular the Information Handling Guidelines.
3.2 Mobile devices shall be updated in accordance with vendor recommendations and only use operating systems supported by the vendor.
3.3 Mobile devices must store all user-saved passwords in encrypted form.
3.4 ‘Jailbreaking(*1)’ or ‘rooting(*1)’ of University owned mobile devices is strictly forbidden. Personally owned devices that are ‘jailbroken’ or ‘rooted’ must not be used to access University systems or store University data.
4. Mobile Device Policy - User Responsibilities
4.1 Users are responsible for ensuring appropriate physical security controls are applied. These may include, but are not limited to:
- Logical ‘locking’ of unattended mobile devices (with a PIN, password, or biometric ID required to unlock the device).
- Secure physical storage of devices when not in use, e.g. in locked cupboards, drawers or cabinets.
- Care should be taken when travelling with mobile devices, e.g. not leaving devices unattended when offsite and keeping devices locked in the boot of a car.
4.2 Users must report any lost or stolen mobile devices to IT Services immediately. Users must also notify IT Services if they have reason to believe a mobile device has been compromised or tampered with.
4.3 Users must ensure the use of mobile devices is in accordance with the Brookes’ IT Acceptable Use Policy.
4.4 Applications must only be installed from official vendor platforms (‘app stores’). Users must not install applications from untrusted sources without prior approval from IT Services.
4.5 Users must ensure devices receive updates and security patches according to vendor recommendations.
4.6 Users must consider the risk of storing or accessing University data using mobile devices. The storage of confidential University data on mobile devices is not recommended unless enhanced security controls are applied, e.g. device encryption. For restricted or confidential data users should seek advice from IT Services and subsequent approval from line management and / or appropriate data owners.
4.7 Users shall take care when using personally owned mobile devices to ensure that University data is not stored or shared using personal accounts. Such usage may constitute an information security incident or breach of the Data Protection Act 2018 and should be reported to IT Services immediately.
4.8 Users must delete University data from mobile devices (whether University owned or personally owned) when the data is no longer needed for business purposes.
4.9 When users leave the University, mobile devices owned by the University must be returned to IT Services (this may be via line management or other channels depending on local procedure). IT Services are responsible for either wiping and re-imaging devices for subsequent use, or arranging secure collection and disposal.
4.10 When leaving the University, it is the responsibility of users to ensure all University data is deleted from personally owned mobile devices (after transferring any necessary data to University-managed systems) and that tools or applications that access University systems are removed or reset. Users should be aware that inappropriate access to University data or systems after termination of employment could constitute a criminal offence.
5. Remote Access Policy
5.1 Users must only use remote access tools and solutions installed or approved by IT Services.
5.2 Remote access to University systems provided to third party suppliers and contractors must comply with the requirements of the Brookes’ Network Security Policy.
5.3 IT Services and / or relevant information asset owners reserve the right to refuse remote access to University systems at their discretion.
6. Policy Enforcement
6.1 Non-compliance with this policy could result in the initiation of disciplinary procedures against users. Under certain circumstances, failure to comply with this policy may constitute a criminal offence under the Computer Misuse Act 1990 and / or the Data Protection Act 2018.
6.2 Non-compliance with this policy by contractors or third-party suppliers may constitute a breach of contract.
6.3 Users must provide reasonable cooperation with IT Services to enable access, inspection and other appropriate actions in relation to their University owned mobile devices.
6.4 In the event of a high-severity security or data protection incident IT Services may request access to personally owned mobile devices, especially where:
- The mobile device is believed to have caused the incident
- The mobile device is believed to either store University data or has been used to access University data.
7. Related Policies & Guidance
7.1 Related policies include, but are not limited to, the following University policies and guidance documents:
- IT Acceptable Use Policy
- Data Protection & Privacy Policy
- Network Security Policy
- Information Classification Policy
- Information Handling Guidelines
- Disciplinary Policy
7.2 The main IT Services contact for users will be the IT Service Desk. The IT Service Desk can be contacted:
- by telephone - +44 (0) 1865 521125
- using the self-service Service Desk Portal
7.3 The IT Services Information Security team may be contacted directly at info.sec@brookes.ac.uk.
Version: 1.0
Reviewed date: 15/06/2023
(*1) To ‘jailbreak’ or ‘root’ a mobile device is to remove the limitations imposed by the manufacturer. This gives direct access to the device's operating system and increases the risk of compromise by malicious software or agents.
E13 Data Protection and Privacy Policy
1. Introduction
1.1 General
The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. The University, and all staff or others who process or use any personal information, must comply with the Principles which are set out in Data Protection law when handling such information; the University is thus known as a Data Controller under UK-GDPR.
In summary these state that personal data shall be:
- Processed lawfully, fairly and in a transparent manner (“lawfulness, fairness and transparency”).
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”).
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”).
- Accurate and, where necessary, kept up to date (“accuracy”).
- Kept in a form which permits identification for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”).
- Processed in a manner that ensures appropriate security using appropriate technical or organisational measures of the personal data (“integrity and confidentiality - security”).
The controller shall be responsible for and be able to demonstrate compliance with the principles (“accountability”).
1.2 Definitions
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Staff”, “students” and “other data subjects” may include past, present and potential members of those groups.
“Other data subjects” and “third parties” may include contractors, suppliers, contacts, referees, friends or family members.
“Processing” refers to any action involving personal information; this includes emailing, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Data Subjects” refers to any natural person whose personal data the University processes or is likely to process.
“Data Protection Law” in the UK principally refers to the 2018 Data Protection Act (‘the Act’) and the UK GDPR, as well as common law.
“Special Category Data” is personal data which the Act defines specifically and which requires additional legal safeguards. Types of personal data which fall into special categories are defined.
“Data Controller” is an entity defined under UK-GDPR which is responsible for managing and processing the information it holds on data subjects.
“Data Processor” is a third party under UK-GDPR that processes information for the Data Controller and has a responsibility to the Data Controller.
“Sub-Data Processor” is a third party under UK-GDPR that sub-processes information for the Processor and has a responsibility to the Data Processor.
2 Privacy Notices
2.1 Standard Privacy Notices
The University will provide a privacy notice at the point of collection of personal data in order to provide fair and transparent processing under the first principle.
This will contain:
- Purpose of Processing
- Legal basis and reason for Processing
- With whom personal data will be shared
- Information about international transfers
- A list of subjects’ rights
- Consequences of not providing the data
- Details of any automated processing
- Retention periods
- Contact details of the Brookes’ Data Protection Officer
- Contact details of the Regulator (Information Commissioner)
Where the data has not been acquired directly, the University will state:
- What types of personal data we will use and why
- The source of the personal data
2.2 Summary Privacy Notices
In some instances, it will be impractical or impossible to display a full privacy notice. In such cases we will display a summary privacy notice which will contain:
- Data protection contact details for the University
- Purpose of the processing
- Legal basis for processing
- Link to the full privacy notice
3. Staff Responsibilities
3.1 Staff Personal Data
All staff are data subjects of the University and are subject to the rights in 5.2.
3.1.1 Data protection compliance is the responsibility of the entire University and staff must ensure that personal data the University holds on them is kept accurate and up to date.
3.2 Processing Personal Data
3.2.1 Staff shall ensure that appropriate organisational and technical measures are taken to secure any personal data that is processed, which includes:
- Personal data is stored securely and access to personal data is controlled on a need to know basis.
- All reasonable steps are undertaken to ensure that personal data is not disclosed either orally or in writing, accidentally or otherwise to any unauthorised third party. Unauthorised disclosure may be a disciplinary matter for staff and may be considered gross misconduct in some cases. Any such incidents must be reported to the Information Security Team via the Information Security Incident Management Policy.
- Staff are required to adhere to the IT Acceptable Use Policy.
3.2.2 All staff must undertake the University’s mandatory Information Security Awareness Training every two years or as prescribed.
4. Student Responsibilities
4.1 All students shall ensure that all personal information which they provide to the University is accurate and up-to-date; and
4.1.1 Inform the University of any changes to that information.
4.1.2 Students should periodically check any personal data the University holds about them and either update it through a self-service portal or inform the University of any amendments or corrections which are needed.
4.2 Students who use the University IT facilities may, from time to time, process personal information (for example, in course work or research). In those circumstances, they must notify their course tutor or research supervisor in the relevant Faculty who will provide further information about their responsibilities in processing personal data.
5. Rights of Data Subjects
5.1 Right of Access
5.1.1 Staff, students and other data subjects of the University have the right to access personal data about them. Any person may exercise this right by submitting a request in writing to the IT Services Information Security Team.
5.1.2 The University will not make a charge for such requests. Where the University deems the requests to be manifestly unfounded or excessive the University will charge a fee based on resources needed to fulfil the request.
5.1.3 The University aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within one month except where requests are complex or numerous. In such cases the statutory time frame can be extended by two months. The reason for any extension will be explained in writing by the Information Compliance Team to the data subject making the request within one month of the initial request being made.
5.2 Other Rights
5.2.1 Data subjects may have additional rights under the legislation:
- The right to be informed
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object to the processing of data
- Rights in relation to automated decision making and profiling.
5.2.2 The University will take appropriate steps to ensure necessary policy and procedures are in place to allow subjects to exercise their rights as stated in the above section.
6. Lawful Processing and Consent
6.1 The University must provide a lawful basis for processing any personal data.
The University will use the following lawful bases:
- Consent: the subject has given clear consent for the University to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract the University has with the individual, or because they have asked the University to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for the University to comply with the law.
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for the University to perform a task in the public interest or to carry out official functions, and the task or function has a clear basis in law (core business).
- Legitimate interests: Processing is necessary for the purposes of the legitimate interests pursued by the University with full consideration to safeguard the rights and freedoms of the data subject.
7. Special Category Data & Criminal Convictions
7.1 The University will not process any data relating to:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data or biometric data
- Health data
- Sexual life or sexual orientation
- Criminal proceedings or convictions
unless one of the conditions shown in 7.2 is fulfilled.
7.2 The University will only process special categories where:
- Explicit consent of the subject has been obtained.
- Processing is necessary for employment, social security or social protection purposes.
- It is necessary to protect the vital interests of the subject themselves or others.
- It is necessary for the legitimate interests of the University and will not be shared externally without consent.
- The data has been made public by the data subject.
- It is necessary for legal proceedings or is otherwise lawful.
- It is necessary for reasons of substantial public interest.
- It is necessary for medical or social care reasons.
- It is necessary for reasons of public interest in the area of public health.
- It is necessary for archiving purposes.
8. Data Protection Officer
8.1 Designation of the Data Protection Officer (DPO)
8.1.1 The University has a Data Protection Officer.
8.1.2 The University’s Information Security Team will be the point of contact and will facilitate appropriate information sharing with the designated DPO.
9. Retention of Data
9.1 The University processes personal data for many different lawful purposes. The University will maintain a records retention schedule setting out how long personal data can be retained for the specified purpose. The retention schedule is published and can be found on our records management page.
10. Compliance
10.1 Compliance with the Data Protection and Privacy law is the responsibility of all students and members of staff. Any deliberate or reckless breach of this Policy may lead to disciplinary, and where appropriate, legal proceedings.
The University has a dedicated Information Security Team and any questions or concerns about the interpretation or operation of this policy should be taken up with them in the first instance by email at info.sec@brookes.ac.uk.
10.2 Any data subject who considers that the policy has not been followed in respect of their personal data can report it to the University Information Security Team.
11. Data Protection Breach Management
11.1 A data protection breach is where any personal data held by the University, in any format, is compromised by being lost, destroyed, altered, copied, transmitted, stolen, used or accessed unlawfully or by unauthorised individuals whether accidentally or on purpose. Examples include:
- Loss or theft of equipment on which data is stored, e.g. laptop or mobile phone
- Unauthorised access to data
- Emails sent to wrong recipients
- Public posting of confidential material online
- Incorrect sharing of Google (or any) documents
- Failure of equipment or power leading to loss of data
- Hacking attack
- Data maliciously obtained by way of social engineering
11.2 The University shall maintain and publish an Information Security Incident Management Policy.
11.3 All such breaches must be reported immediately to the IT Service Desk or the ServiceNow Portal.
12. Register of Processing Activity
12.1 The University shall maintain a register of processing activity.
12.2 The register described in 12.1 shall be periodically updated when required and reviewed by data owners at least once within a period of 12 calendar months.
13. Data Protection Privacy Impact Assessments (DPIA)
13.1 Where there is a new, or change of existing processing activity, which may result in a risk to the rights and freedoms of data subjects (privacy intrusive), the University will conduct a Privacy Impact Assessment (DPIA).
13.2 The University will embed DPIA within its project governance procedures so that privacy risks are identified and assessed at point of proposal.
13.3 Any changes to existing processing activities captured in the register of processing activity deemed to be privacy intrusive will require a PIA.
14. Processing Personal Data for Research
14.1 Where processing data for research purposes, you must ensure that you obtain consent in accordance with the Act.
14.2 The University Research Ethics Committee (UREC) will be able to provide assistance.
You can find guidance at:
https://www.brookes.ac.uk/sites/research-support/research-ethics-and-integrity/research-ethics
15. International Personal Data Transfers
15.1 The University will only transfer data within the UK and the EU or to a country or international organisation which has a finding of adequacy of protection for the rights and freedoms of the data subjects, save where an acceptable level of risk has been assessed and determined based on the facts of the transfer, or the data subject has explicitly consented to the proposed transfer.
16. Personal Data Processed by Third Parties and Suppliers
16.1 Where the University uses third parties and suppliers (to be known as processors in this section) to process personal data, the University shall:
- Use only processors who provide sufficient guarantees to implement appropriate technical and organisational measures to facilitate data security as the law requires.
- Seek assurances that the processor shall not engage another processor without prior specific or general written authorisation of the controller in advance of so doing.
- Ensure that processing by a processor is governed by a contract, or otherwise by a written or formal agreement, in which the processor:
  - Processes the personal data only on documented instructions from the controller.
  - Ensures that persons authorised to process the personal data have committed themselves to confidentiality.
  - Assists the controller in the fulfilment of requests exercising the data subject’s rights.
  - Deletes or returns all the personal data to the controller after the end of the contract.
  - Agrees to regular audits by the University.
17. Data Protection Audits
17.1 The University will periodically undertake data protection audits. These will include:
- Auditing of internal policies and procedures
- Auditing of planned projects and changes to systems (via privacy impact analysis)
- Auditing of contractual terms
- Auditing of supplier policies and physical security measures.
18. Industry Regulator
18.1 The industry regulator for data protection, known as the Information Commissioner's Office (ICO), is a source of guidance via their website and can be contacted if a data subject wishes to lodge a formal complaint. The correspondence details are provided below for reference only, as most concerns will be raised with the University before reaching the ICO. However, this route is available if one wishes to bypass the University and go to the ICO.
Correspondence details are shown below, and the ICO website is at https://ico.org.uk/
There are many ways you can contact us, including by phone, email, live chat and post. More details can be seen on the ICO website.
Our postal address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
E14 Data Protection Guidelines for Academic Staff
1. Introduction
1.1 General
The Data Protection Act is concerned with the handling of personal information, covers both manual and electronic records and stipulates the setting of security standards. As part of the University's compliance with the legislation it has published an Information Security Policy and E13 Data Protection Policy and it is important that you make yourself familiar with them.
These guidelines are intended as a supplement to those policies. Further information and advice are available from the Information Compliance Team by email at info.sec@brookes.ac.uk.
2. Standard Information
All staff process information about students on a regular basis, when marking registers, writing reports or references, or as part of a pastoral or academic supervisory role. The University will ensure through registration procedures that all students are notified of such processing, as required by the Act, and give their consent where necessary.
The information that staff deal with on a day-to-day basis is "standard" and covers categories such as:
- general personal details such as name and address
- details about class attendance, coursework marks, grades and comments
- notes of personal supervision, including matters of behaviour and discipline
- sponsorship details.
3. Sensitive Information
Information about a student’s physical or mental health, ethnicity or race, political or religious views, trade union membership, sexual life, or criminal record is classified as sensitive information under the Data Protection Act.
Such information can only be collected and processed when permitted or required by law or with the student’s express (written) consent. Examples would include:
- keeping of sick notes
- recording information about dietary needs, for religious or health reasons, prior to taking students on a field trip
- recording information that a student is pregnant, as part of pastoral duties.
Disclosure of such information without explicit consent is permitted only in exceptional circumstances, for example if the University is under a statutory obligation to make the disclosure or if the disclosure is in the vital interests of the student (information about a medical condition may be disclosed in "life or death" circumstances).
Sensitive information must be protected with a higher level of security. It is recommended that sensitive records are kept separately in a locked drawer or filing cabinet, or in a password protected computer file, or, if held on a mobile device, protected by encryption. If you (or one of your students) are holding, or intending to hold, sensitive personal information which is outside routine University processing, you should notify your manager or, if for research purposes, your research supervisor and your Faculty Research Ethics Team.
Every application to the University's Research Ethics Committee must include details of the measures to be taken to ensure the security of personal data.
4. Processing of Personal Information
Processing refers to any action involving personal information, including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying information. When processing personal information, you must comply with the data protection principles, which are set out in the Data Protection Policy (regulation E13). In particular, you should ensure that records are:
- accurate
- up-to-date
- fairly and legally obtained
- kept and disposed of safely.
For further details please refer to the University’s record retention schedule.
5. Project and Research Supervisors
If you supervise students doing work that involves the processing of personal information, you should ensure that those students are aware of the Data Protection Principles, in particular, the requirements to notify and to obtain the data subject’s consent where appropriate. Students should be referred to the Faculty Research Ethics Team or the Information Compliance Team for further information.
6. Handling Enquiries
When students ask to see information about themselves, you should, where possible, deal with these enquiries informally. If an informal response is not appropriate, you should advise the student to make a formal Subject Access Request under the Data Protection Act. Such requests should be directed to the Information Compliance Team. For all requests, both formal and informal, the information has to be provided within one month of being received into the organisation.
You should not disclose personal information over the telephone unless you are able to validate the identity of the person making the request.
You may disclose personal information to other staff members who require the information in order to carry out their normal duties.
You should not disclose personal information to any third party, e.g., to a parent or sponsor, except with the consent of the student or where this is permitted or required by legislation.
In exceptional and urgent circumstances (e.g. cases where there are reasonable grounds for believing that an individual has become a danger to him/herself or others, or has committed / is about to commit a serious crime), you may release personal information directly to a law Team. Be sure to establish the identity of the law Team before releasing the information, and keep a record of the incident including name, date, circumstances and information disclosed. The details of any such disclosures should be reported to the Information Compliance Team.
7. Examination Marks
You should be aware that students are entitled to see preliminary marks and comments, which contribute to final assessments. SEC and MEC minutes will also be subject to access requests unless they are anonymised.
Similarly, when writing an academic reference, you should keep in mind that it may be subject to an access request by the student to the recipient.
The Academic Registry publishes procedures for the preparation of student references and the Supporting Students Handbook provides a template that you can work from.
8. Private Files
It is essential that relevant information is available to all University staff, so the case for holding "private", separate files has to be justified as being in the interest of the student (e.g., where the data is particularly sensitive). The information contained in them will still be subject to the student’s right of access and you must ensure compliance with the notification requirements of the Act. Wherever possible, you should avoid duplication or fragmentation of student files.
9. Home Working
When working from home or on a laptop or tablet computer, you must maintain appropriate levels of security, including anti-virus (also known as anti-malware) software.
It is recommended that you ensure personal information is not stored on your domestic PC or computing device if this is used by other members of your family or household.
University data containing personal information should not be placed on portable devices unless it is necessary for a University business purpose and such processing has been authorised and the information is protected by encryption software.
If it is found necessary to work off site with University personal data then, in addition to encryption if held electronically, you must take sensible precautions to keep the data physically secure, for example, by using a lockable briefcase, storing data in the locked boot of a car while travelling, or keeping the data in a secure location if held off site.
If you have concerns about the security of data, please consult the University Information Compliance Team for further guidance.
10. Exemption for Research Records
There is an exemption from some parts of the Data Protection Act where data is being processed for research and statistics. Information collected for the purpose of one piece of research can be used for other research, without breaching the "specified processing" principle (see the E13. Data Protection Policy), and can be kept indefinitely. For example, staff and students involved in academic research can keep records of questionnaires and contacts, so that the research can be re-visited at a later date, or so that, in support of a research project looking at an associated area, they can re-analyse the information. Researchers must ensure that the final results of the research do not identify the individual, or they will be subject to access requests under the Act.
This exemption is only applicable to academic research and cannot be relied on to prevent access to information about a particular individual, following research carried out for a redundancy or efficiency exercise, for example.
For further information about these regulations, please contact the Information Compliance Team via info.sec@brookes.ac.uk.
Version: Vs_1.0_2023-2024