Data Protection and Information Security – a reminder
By: Sean Armstrong
Last updated: Thursday, 7 November 2019
It is important that the University and all our staff protect personal data and other information and ensure that it is kept secure and only used for appropriate purposes. A failure to do so can result in loss of important information such as personal data, research and intellectual property, as well as lead to financial loss, regulatory action or reputational damage.
The University of Sussex is a high-value target for criminals and they are actively trying to get our data. So it’s important that you take a few minutes to read this information.
What you need to know
The two most common causes of personal data or security breaches are the access that individuals have and the sharing of data.
Below are some key ways you can avoid data and security breaches.
Access
- You should only have access to data that is necessary for your role(s)
- Don’t access or use information other than as required for your work – this is especially important for individuals who have different roles e.g. someone who is a member of staff and a student
- Managers and teams should consider what access staff should have e.g. to shared drives and email accounts
- When requesting IT accounts, line managers must be satisfied that access to systems and directories is limited to what is required for the individual
- If you indicate that access to a system should be based on another individual’s access, you must be certain this is correct and needed
- Additional controls like passwords should be reviewed and updated regularly, especially when individuals have left or changed roles
- Passwords for role-based email accounts should be changed regularly
Sharing data
Emails are the most common cause of data breaches – sending data to an incorrect recipient or attaching the incorrect data.
There are safer ways to share data:
- Where possible hyperlink to the file / directory rather than include personal data in emails
- You can use Box to give others access to documents and information. See the IT Services page about how to use Box.
If you do have to share data by email:
- You should password protect any attachment but never include the password in the same email - call the recipient or email them the password separately
- If you regularly share personal information by email you should use secure email software. ITS can support and advise on associated licensing costs
Storing data
Be careful where personal and other information is stored. The ITS FAQs on file storage options explain which storage options are supported by ITS and are data protection compliant.
Security reminders
It only takes simple steps to protect personal data and information securely, and key tips on how to do this are on the IT Security webpages.
The weakest part is humans – criminals will target people over technology any day; remain vigilant and be sure who you are sharing information with
- If you receive a suspicious or unexpected email, even from a Sussex address, don’t click on the link. Check it carefully and if you’re still not sure, ask ITS to check it for you
- Don’t leave your computer unlocked or unattended, even for short periods
- Make sure you have a long, strong password, but make sure it’s one you can remember – it defeats the object if you have to write it down. If you haven’t changed your password in a long time, log on and change it
- Don’t use your Sussex password for other things like Facebook, Instagram, Dropbox – if these sites get compromised then so does your work account
- Make sure your device is protected – turn on security updates and anti-virus software and use a pin code / fingerprint on your mobile