ISP-03 Compliance policy
This is a sub-policy of the ISP-01 Information security policy.
Summary
This policy sets out the requirement for all staff, students, and authorised users to follow legal and regulatory obligations when handling university data and using its IT systems. It outlines responsibilities related to compliance with UK laws, internal security policies, records management, payment card security, software licensing, and network usage to support the protection of sensitive information and maintain the university’s legal and ethical standards.
| Control information | Control detail |
|---|---|
| Owner | Chief Information Security Officer, IT Services |
| Author | Information Security Manager, IT Services |
| Sponsor | Chief Information Security Officer, IT Services |
| Consulted | Information Governance Manager and Data Protection Officer, Information Governance and Security Advisory Board (IGSAB) |
| Approved by | Information Governance and Security Advisory Board (IGSAB) |
| Responsible area | IT Services |
| Version | 5 |
| Approval date | 01 December 2025 |
| Effective date | 01 December 2025 |
| Interim review effective date | Not applicable |
| Full review period | 1 year |
| Date of next full review | 01 December 2026 |
| EIA completion date | Not applicable |
| DPIA completion date | Not applicable |
| SIA completion date | Not applicable |
| Reporting requirements | Any suspected breach of the University’s legal requirements must be reported to Legal Services and Secretariat |
| Applicable statutory, legal or best practice requirements | |
| Keywords | acceptable use policy, compliance, data protection act, evidence collection, Freedom of Information Act, information access, information security, IT systems, Janet, legal obligations, Payment Card Industry Data Security Standard (PCI-DSS), records management, software licensing, statutory requirements |
On this page
- Updates to this policy
- Introduction
- Scope
- Definitions
- Responsibilities
- Compliance with the University’s information security policy
- Compliance with legislation
- Statutory information access requests
- Collection of evidence
- Records management
- Payment card industry data security standard (PCI DSS)
- Software license management
- Janet policies
1. Updates to this policy
1.1. This policy has been updated to align to the new University of Bristol policy management framework.
2. Introduction
2.1. This compliance policy is a sub-policy of the Information security policy (ISP-01) and outlines the University’s requirement to comply with legal and regulatory frameworks.
2.2. This policy is to be read in conjunction with the University's Information compliance policy and associated guidance, which provides details of the legislation relevant to information security, for example the UK GDPR.
3. Scope
3.1. All members of the University (as defined in the University's Constitution: Ordinance 9, section 7), members of other institutions who have been granted federated access to use the University’s facilities, and any others who may have been granted permission to use the University’s information and communication technology facilities by the Chief Digital Information Officer are subject to this policy.
4. Definitions
4.1. A member of the University: This is defined in University's Constitution: Ordinance 9, Section 7.
4.2. Data protection legislation: Laws that govern how personal data should be handled, stored, and shared to protect individuals' privacy rights.
4.3. Federated access: A method that allows members from external institutions to access the University’s resources by authenticating through their home institution’s credentials.
4.4. Freedom of Information Act: UK legislation that provides the public with the right to access information held by public bodies, including universities.
4.5. Janet policies: Policies governing the acceptable use and security standards for the Janet network, which connects UK academic and research institutions.
4.6. Payment Card Industry Data Security Standard (PCI DSS): A set of security standards for organisations that handle payment card information to prevent fraud and breaches.
4.7. Records management: The process of managing the creation, storage, and retention of University records in compliance with legal and organisational requirements.
4.8. Software license management: The process of ensuring that all software used by the University is legally licensed and used according to the terms of the licensing agreement.
4.9. Statutory information access requests: Legal requests from individuals or agencies seeking access to specific University-held data, as per the Freedom of Information Act or Data Protection Act.
5. Responsibilities
5.1. University Members: Must comply with Information security policies, ensuring they handle University information securely and responsibly, and report any breaches of policy or legislation to IT Services or Legal Services and Secretariat.
5.2. External Users of University Systems: Individuals external to the University who have been provisioned with access to University of Bristol systems must ensure they handle University information securely and responsibly, and report any breaches of policy or legislation to their relevant contact at the University.
5.3. University Senior Management: Including the Executive Board and Vice-Chancellor, are responsible for ensuring compliance with this policy, supporting its implementation, and ensuring sufficient resources are available to meet legal and regulatory requirements.
5.4. IT Services: Responsible for implementing technical safeguards, supporting user access controls, managing authentication protocols, and responding to suspected breaches, while providing guidance on the secure use of IT systems and services.
5.5. Supervisors and Line Management: Responsible for ensuring that their team members are aware of and adhere to the Information Security Policy, providing appropriate training, and escalating any incidents of non-compliance to IT Services or Legal Services and Secretariat.
5.6. Legal Services and Secretariat: Ensure compliance with statutory and regulatory obligations and provide advice on legal matters related to information security, particularly when there is a potential legal violation or information access request.
6. Compliance with the University’s Information Security Policy
6.1. The University’s own information security policies must be adhered to whenever an individual or organisation is handling University information. The University must ensure it is acting legally when following such policies.
6.2. All staff, students and other persons who may handle University information must be made aware of the University’s information security policies and of any amendments made to them. Individuals must also confirm that they have read and understood these policies and how they apply to the information they handle.
7. Compliance with legislation
7.1. The University requires its members to comply with relevant legislation to help prevent breaches of the University’s legal obligations. However, individuals are ultimately responsible for ensuring that they do not breach legal requirements during the course of their work or studies.
7.2. The University must comply with all relevant legal requirements whether such requirements are detailed in internal policies or not. Any suspected breach of the University’s legal requirements must be reported to the Legal Services and Secretariat.
7.3. The University's Information compliance policy and associated guidance gives further details of the relevant legal requirements the University must adhere to.
7.4. Users of the University’s online or network services are individually responsible for their activity and must be aware of the relevant legal requirements when using such services.
7.5. Other regulatory requirements are set out in the policy control information table above.
8. Statutory information access requests
8.1. Under UK Freedom of Information and relevant Data Protection legislation, individuals as well as agencies with statutory powers are entitled to request recorded information and personal data from the University.
8.2. When processing statutory information access requests, the University is subject to the requirements of the above legislation, which includes the provision of access to, and disclosure of, certain information.
9. Collection of evidence
9.1. At times, it may be necessary for the University to collect evidence in relation to a potential legal claim or internal investigation.
9.2. Where there is suspicion of a criminal offence involving the University’s information or systems, the University will cooperate with the relevant agency to assist in the preservation and gathering of evidence on the basis of appropriate internal authorisation and compliance with relevant statutory requirements.
9.3. Please refer to the University’s ISP-18 Investigation of computer use policy for additional guidance.
10. Records management
10.1. The University is required to retain certain information, whether held in hard copy or electronically, for legally defined periods. Such information must be appropriately safeguarded and not destroyed prior to the defined minimum retention period, while remaining accessible to those who require access and are authorised to access that information.
10.2. In accordance with the UK Data Protection legislation, personal data should not be retained for longer than it is required for the purposes for which it was collected.
10.3. For additional guidance refer to the University’s Records retention schedule (PDF, 2,575kB) and the Records management and retention policy - IGP-03 (PDF, 404kB).
11. Payment Card Industry Data Security Standard (PCI-DSS)
11.1. The University must comply with the Payment card industry data security standard (PCI-DSS) and the relevant legislation when processing payment (credit/debit) cards. To assist with this compliance, the University has published its own ISP-19 PCI DSS cardholder data policy.
12. Software license management
12.1. All software used for University business must be appropriately licensed. The University must comply with the software and data licensing agreements it has entered into. During the negotiation process of such agreements, full consideration must be given to how compliance with the agreement can practically be achieved. Agreements may need to be specifically negotiated to enable the University to comply.
12.2. Please refer to the University’s ISP-13 Software management policy for additional guidance.
13. Janet policies
13.1. The University, along with other UK educational and research institutions, uses the ‘Janet’ (Joint Academic NETwork) electronic communications network and must therefore comply with Janet's Acceptable Use and Security Policies. These policies are available on the Janet Website.
Request this policy in an alternative format
If you need this policy in a different format, email uob-policymanager@bristol.ac.uk. In your message, include the format you need, for example: plain text, braille, BSL, large print or audio.