Data security
Most members of the University access or process University data regularly. This page outlines your responsibilities when accessing, handling or storing data as part of your role as a staff member or a student at the University.
What data is
Data is a collection of information - facts or figures - often used by computers or stored electronically.
Personal data is information that relates to an identified or identifiable person and may include a name, an identification number, location data or an online identifier. Personal data can relate to any identifiable individual, including students, staff, research participants or members of the public.
The University owns and processes a great deal of data about people, research projects and teaching.
Data accessed and stored by the University includes:
- personal details and identifiable information such as name, address, telephone number, date of birth
- student assessment marks
- staff pay details
- research data.
More information about the main categories of University information and the level of risk associated with them can be found in the University’s Information Classification Scheme.
Loss of University data
Loss or leakage of University data could:
- put someone at risk
- jeopardise a research project
- harm the University's reputation
- incur financial cost to the University.
Data loss includes:
- Theft or loss of a University laptop, or of a personal smartphone or laptop used to access University data
- Someone who should not have access to University or personal data gaining access
- Accidental or deliberate disclosure, sharing or leakage of University or personal data.
Data access in your role
University staff and students are granted access to the information they need to carry out their role at the University.
University members who have been granted access to particular data must not share information with other people unless those people have also been granted access through appropriate authorisation.
Staff are required by their contract of employment to handle University information appropriately and responsibly.
Data owners and University staff with line manager responsibility should ensure that their processes include steps to add, change and remove individuals’ access to data (for example joiners, movers and leavers processes).
For more information please refer to the Information Handling policy (ISP-07).
University of Bristol data classification
The University has defined levels of confidentiality for different types of information. These levels, or classifications, range from “Public” to “Secret”.
If you access, handle or store University information, you need to understand the University's Information Classification scheme.
Sharing and storing University data
Digital information
Share data digitally (online)
All staff and students are provided with secure cloud-based storage through their Microsoft OneDrive account and SharePoint. OneDrive and SharePoint allow you to share large files with other people within and outside the University without sending the files via email.
We recommend you follow the University’s guidance to share files in Office 365.
Please be aware that sending data in an email is similar to sending it on a postcard: it is possible that someone other than the intended recipient may get hold of it and read it.
Share data classified as confidential or above
If you need to share University data that is classified as confidential or above, or data classified as "special category" under the Data Protection Act, you must use a secure service.
Sending sensitive data by email could be considered a breach of confidentiality. If personal data is lost or disclosed, the University could suffer a heavy fine as well as suffering damage to its reputation.
Information classified as sensitive and confidential must be strongly encrypted before it is sent electronically, both within the University and in exchanges with third parties.
You must follow the University’s Encryption policy (ISP-16) and Information Handling policy (ISP-07).
Store data digitally
We recommend that you store information including documentation on secure and encrypted devices wherever possible. It can be easier to appropriately secure digital documents than printed or hard copy documents.
Printed information (including paper records)
The Data Protection Act (2018) and University data protection policies apply to printed data and documentation.
The Secretary’s office has published records management guidance.
Store and secure printed data
Documents containing data classified as confidential or above need to be appropriately stored and secured when not being used.
Staff must ensure hard copy or printed documents are secure while they’re travelling, including when moving between campus and home.
If you need to handle and store printed information, you must:
- Use the print release system when printing confidential documents.
- Keep printed data that is classified as confidential or above locked away securely. This means that every time you leave your office you should lock them in a secure filing cabinet or desk drawer. A locked office door is good practice but is not sufficient.
- Follow the security requirements around paper documents whether you’re storing them in a University building or at home, or elsewhere off-campus. You must avoid keeping paper documents containing data that is classified as confidential or above at home. We recommend that you store information digitally on a secure device instead.
- Securely dispose of all printed documents that contain data classified as confidential or above. Follow the confidential waste disposal procedure, documented by the University’s sustainability team.
Research data
If you store sensitive data about identifiable people or data classified as confidential or above, that data must be securely stored, for example on an encrypted laptop or on a secure, password-protected University of Bristol system.
Storing sensitive data on non-University systems can put the University in breach of its legal requirements.
Some research data provided by third parties may be subject to strict storage and handling conditions, such as specific levels of encryption, data retention policies, access logs, or evidence of deletion. In these cases, recipients of the data must be aware of such conditions and consult the Information Security team via the IT Service Desk for advice on appropriate storage solutions.
The University Secretary's Office has information about data protection for research data.
Disposal of data
Staff and postgraduate research students must follow the University’s policy for the disposal of computer equipment (University access only).
Electronic information must be securely deleted or otherwise rendered inaccessible before leaving the possession of the University, unless the disposal is undertaken under contract by an approved contractor.
Paper documents containing information classified as confidential or above must be disposed of following the confidential waste disposal procedure, documented by the University’s sustainability team.