Key information


All Information Security and Governance Policies can be found here:

It should be noted that our current Information Security Policy is acting as the organisation's Data Protection Policy. This may change in the future and you will be notified. 

How to report an Information Security incident

At the University of Bristol there are two teams that primarily deal with Information Security incidents. They are the Information Security team in IT Services and the Data Protection team in the Secretary’s Office. The Information Security team in IT largely deal with computer related issues such as concerns around computer viruses or accounts being misused. The Data Protection team give legal advice on data protection legislation and respond to reports of issues such as accidental disclosure or the loss of paper based records.

To report a security incident, you can contact these teams via the following addresses:

Information Security:

Data Protection:

If you have an urgent or serious matter that you would like to speak to someone about, please contact the IT Service Desk

The Data Protection Officer

The role of the Data Protection Officer currently resides within the Secretary’s Office. You can contact them by emailing

Privacy Impact Assessments

Privacy Impact Assessments must be completed if you or your team are collecting or changing the way it handles personally identifiable information. They must also be completed if your team wishes to use a third party to collect or process information.

If you have any questions or would like to see our Privacy Impact Assessment Policy please contact

Mobile Working Policy

The University’s mobile working policy can be found here: Note that this allows the use of personal devices as long as they meet certain conditions, these include but are not exclusive to:

Further details can be found within the policy. Note that the University does not currently require you to install software to access your email or some remote working solutions. For details of our remote access solutions please see the following pages:   

All flexible working arrangements must be discussed with your manager.

Sending mass emails

The University’s Mass emailing policy can be found here: (note that this is behind Single Sign-On). Please ensure that before sending mass emails, you are using the appropriate tool and that you have sought the correct permissions.

Direct Marketing

Direct marketing is broadly defined as sending information about future events, or newsletters or other information promoting an activity, product or service to individuals. At the University, we regularly send information to our staff and students using their University email address. Where this relates to their job or course, this is generally considered to be acceptable as it is not marketing an activity, product or service. However, if the information does fall into these marketing categories we need to ensure individuals have ‘opted in’. This is a legal requirement under General Data Protection Regulations (GDPR).

SITS (the central student record system) does not yet have field or flag indicating consent to market, so if you are intending to access these records for a marketing communication, you cannot assume consent has been provided.

GDPR also places a greater emphasis on being able to evidence that someone has chosen to opt in, by having an up to date record. Individuals have a right to withdraw their consent so need to be given the chance to opt-out of receiving future communications every time they are contacted.

Email Encryption

Information that is classed as Confidential or above (in line with the University of Bristol’s Data Classifications should not be sent over email. Please view the advice for sharing and collaborating on documents (note this is behind Single Sign-On).

While functions like 7-Zip ( are available for use, Modern Attachments is far simpler and allow you to maintain control of the document after you have shared it.