Security measures
Security should be appropriate to the potential degree of harm caused by the misuse of personal data.
The Data Protection Act 1998 ("the Act") obliges organisations to take 'appropriate technical and organisational measures' to prevent the unauthorised or unlawful processing or disclosure of personal data.
Departments should consider the implications of this requirement and ensure any existing security measures are appropriate for the types of personal data they are processing.
Data processing agreement
Sharing personal data with other organisations (either providing or receiving personal data) must be covered by a data processing agreement. Similarly, departments employing an external organisation (a data processor) to process personal data on their behalf must have a data processing agreement in place requiring the data processor to act only on the instructions of the Department/University and to abide by the provisions of the security principle in the Data Protection Principles. Further advice and a template agreement can be obtained from the Information Rights Officer at data-protection@bristol.ac.uk.
Physical Security Arrangements
Departments/Schools should always:
- control access to buildings or rooms containing computer hardware;
- take adequate precautions against burglary and fire;
- ensure that casual passers-by or other unauthorised personnel cannot read personal data from screens or printouts;
- store backup copies of data separately from live files;
- keep source documentation from which personal data are extracted secure, and lock the personal data away when not in use;
- handle and dispose of printed material containing personal data correctly (see the University's guidance on disposal of confidential waste).
Electronic data:
- Ascertain the classification of the data as defined by the University's data classifications;
- Identify the data guardian (as distinct from the data controller) and establish if they have any particular security requirements you need to abide by;
- Security measures should be appropriate and reasonable to the potential degree of harm which could be caused to the data subjects and the University;
- Minimise the number of copies of the data. If copies must be made, only retain them for as long as is necessary and make sure they are securely deleted when you have finished using them;
- Encrypt all sensitive data at rest wherever possible;
- Encrypt all personal data in transit (e.g. data on laptops, mobile storage devices, and sent in emails and other electronic forms of transmission);
- Do not process personal data on non-University owned computing equipment (including mobile storage devices);
- Store personal data on a central or departmental file server rather than laptops/mobile storage devices;
- Do not process sensitive data when running your computer with administrative rights;
- Ensure that all computers are effectively managed, e.g. use supported software, make sure they are firewalled, and use anti-virus software;
- Conduct regular audits of the personal data you hold electronically;
- Notify the Secretary’s Office and Information Security Manager immediately of any loss or suspected loss of data.
Other suggested safeguards:
- prohibit the identification of data subjects where possible, especially in emails;
- anonymise data as far as possible;
- depersonalise data for statistical analysis;
- separate identification data (personal data) and store them separately;
- give access to personal data only on a "need to know" basis;
- do not create duplicate files unnecessarily;
- revisit departmental weeding and archiving policies;
- make use of Central Filing;
- encourage discipline when holding information; do not hoard data.