ISP-07 Information handling policy
This is a sub-policy of the ISP-01 Information security policy.
Summary
This policy outlines the University's requirements for handling its information assets, ensuring compliance with legislation and protecting against data breaches or loss. It sets rules for how information should be classified, accessed, stored, and disposed of, ensuring secure handling and compliance with legal obligations. The policy impacts all University members and others granted access to its information, promoting accountability and data security.
| Control information | Control detail |
|---|---|
| Owner | Chief Information Security Officer, IT Services |
| Author | Information Security Manager, IT Services |
| Sponsor | Chief Information Security Officer, IT Services |
| Consulted | Information Governance Manager and Data Protection Officer, Information Governance and Security Advisory Board (IGSAB) |
| Approved by | Information Governance and Security Advisory Board (IGSAB) |
| Responsible area | IT Services |
| Version | 5 |
| Approval date | 14 November 2025 |
| Effective date | 14 November 2025 |
| Interim review effective date | Not applicable |
| Full review period | 1 year |
| Date of next full review | 30 September 2026 |
| EIA completion date | Not applicable |
| DPIA completion date | Not applicable |
| SIA completion date | Not applicable |
| Reporting requirements | See section titled Reporting losses |
| Applicable statutory, legal or best practice requirements | |
| Keywords | Data Protection Act 2018, data security, Freedom of Information Act 2000, guide to information legislation, information handling, Official Secrets Act 1989, Payment Card Industry Data Security Standard, PCI-DSS, statutory requirements, UK legislation |
On this page
- Updates to this policy
- Introduction
- Scope
- Definitions
- Responsibilities
- Inventory and ownership of information assets
- Security classification
- Access to information
- Disposal of information
- Removal of information
- Using personally owned devices
- Information on desks, screens and printers
- Backup
- Exchanges of information
- Reporting losses
- Further guidance
1. Updates to this policy
1.1. This policy has been updated to align to the new University of Bristol policy management framework.
2. Introduction
2.1. This information handling policy is a sub-policy of the ISP-01 Information security policy and sets out the requirements relating to the handling of the University’s information assets. Information assets must be managed in order to prevent breaches of confidentiality, loss of integrity, interruption to availability, and non-compliance with legislation that would otherwise occur.
3. Scope
3.1. This policy applies to all members of the University, as defined in the University’s Constitution (Ordinance 9, section 7), as well as to individuals from other institutions granted access to the University’s information assets. It also covers anyone who has been authorised to use the University’s information and communication technology facilities by the Chief Digital and Information Officer.
3.2. Generated research data is governed by the University of Bristol Open research policy.
4. Definitions
4.1. A member of the University: This is defined in University Constitution: Ordinance 9, section 7.
4.2. Information Asset Owner: A designated senior member of staff responsible for managing information assets, risks, and assurance.
4.3. Information Asset Assistant: A designated individual responsible for supporting Information Asset Owners with operational management of information assets.
4.4. Confidential waste: Paper or digital information requiring secure disposal due to its content, usually classified as Confidential or above.
4.5. Encryption: A mathematical function using a secret value - the key - which encodes (scrambles) data so that only users with access to that key can read the information. In many cases, encryption can provide an appropriate safeguard against the unauthorised or unlawful processing of data.
4.6. Information asset: An item or body of information, an information storage system or an information processing system which is of value to the University.
4.7. Personal data: Any information relating to an identified or identifiable individual, such as names, ID numbers, or contact details.
4.8. Special category data: A legal term under the Data Protection Act for personal data requiring extra protection, such as health, race, or religious beliefs.
4.9. University Information Classification Scheme: The University's system for organising and categorising information based on its sensitivity and the level of protection it requires.
5. Responsibilities
5.1. University Members: Must ensure they understand and comply with information security policies, handle data appropriately according to classification, and report any security incidents or breaches promptly.
5.2. Information Asset Owners: Senior staff responsible for managing information assets, risks, and assurance.
5.3. Information Asset Assistants: Are responsible for supporting Information Asset Owners with operational management of information assets.
5.4. IT Services: Responsible for implementing and maintaining technical security measures, supporting information asset owners, responding to security incidents, and providing guidance on secure data handling and disposal processes.
5.5. Supervisors and Line Management: Oversee the compliance of their teams with information security policies and provide necessary training to ensure information assets are handled appropriately.
5.6. Legal Services and Secretariat: Responsible for advising on compliance with legal and regulatory requirements, handling requests related to statutory information access requests, and assisting in managing incidents of non-compliance or breaches of legal obligations.
5.7. External Partners and Contractors: Any third parties who handle University information must comply with the University's security policies and contractual arrangements, including secure data exchanges and information handling during their engagement.
6. Inventory and ownership of information assets
6.1. The University maintains information asset registers detailing its main information assets and assigning ownership to Information Asset Owners and Information Asset Assistants. Each asset will have a nominated Asset Owner who will be assigned overall accountability, and an Information Asset Assistant who is assigned responsibilities for defining the appropriate uses of the asset and ensuring that appropriate security measures are in place to protect the asset.
7. Security classification
7.1. Each information asset will be assigned a security classification by the asset owner. This security classification will reflect the sensitivity of the asset according to the following classification scheme:
- Public – available to any member of the public without restriction.
- Open – available to any authenticated member of the University.
- Confidential – available only to specified members, with appropriate authorisation.
- Confidential and Sensitive – available to only a very small number of members, with appropriate authorisation.
- Secret – the most restricted category. Available only to a limited and defined number of authorised members and may have additional document handling and access requirements.
7.2. Any information that is disclosable under the Freedom of Information Act 2000 will be classified as Public.
7.3. Any personal data that is classified as special category data under the Data Protection Act 2018 (or its successor legislation) will be classified as Confidential and Sensitive.
7.4. Any data that is subject to the Official Secrets Act 1989 will be classified as Secret.
7.5. Any information that is not explicitly classified in accordance with the University's Information classification scheme and the examples therein should be handled as Confidential by default.
7.6. Guide to legislation relevant to information security policy: Guide to information security legislation (PDF, 206kB).
8. Access to information
8.1. Members of the University will be granted access to the information necessary to fulfil their roles. Information must not be shared with others unless they have also been authorised to access it.
9. Disposal of information
9.1. Information assets must be disposed of with care in accordance with classification requirements.
9.2. Paper waste that is classified as Confidential or above must be disposed of following formal University procedure.
9.3. University Confidential Waste Procedure (staff access only): https://uob.sharepoint.com/sites/sustainability/SitePages/Confidential.aspx
9.4. Electronic information must be securely erased or otherwise rendered inaccessible before leaving the possession of the University, unless the disposal is undertaken under contract by an approved contractor.
9.5. In cases where a storage system (for example a USB stick, portable drive or printer hard drive) is required to be returned to a supplier, it should be securely erased before being returned unless contractual arrangements are in place with the supplier which guarantee the secure handling of the returned equipment. If this is not possible, then the storage system should not be returned to the supplier and should remain in the possession of the University until it is disposed of securely.
9.6. In all cases, members are responsible for removing University data from personal devices before disposal.
10. Removal of information
10.1. University data subject to the UK data protection regime, or that has a classification of Confidential or above, must be stored using University facilities or with third parties subject to a formal, written legal contract with the University. In cases where it is necessary to otherwise remove data from the University, appropriate security measures must be taken to protect the data from unauthorised disclosure or loss. Information classified as Confidential or above in electronic form must be securely encrypted, as instructed in the University's ISP-16 Encryption policy, prior to removal or transmission. Secret data must never be removed except with the explicit written permission of, and in accordance with the directions of, the data owner.
11. Using personally owned devices
11.1. Any processing or storage of University information using personally owned devices must comply with the University’s ISP-14 Mobile and remote working policy.
12. Information on desks, screens and printers
12.1. Members of staff who handle paper documents containing information classified as Confidential or above must take appropriate measures to protect against unauthorised disclosure, particularly when they are away from their desks. Documents classified as Confidential or above must be locked away overnight, at weekends and at other unattended times.
12.2. Care must also be taken when printing confidential documents to prevent unauthorised disclosure.
12.3. Computer screens on which information classified as Confidential or above is processed or viewed must be sited in such a way that they cannot be viewed by unauthorised persons.
12.4. All computers must be locked while unattended.
13. Backup
13.1. Information asset owners must ensure that appropriate backup and system recovery measures are in place and that those measures are compliant with any agreements with external partners from whom data has been obtained.
13.2. For all backups, appropriate security measures must be taken to protect against unauthorised disclosure or loss. Recovery procedures should be tested on a regular basis.
14. Exchanges of information
14.1. Whenever significant amounts of personal data or other confidential information are exchanged with other organisations, appropriate information security measures must be established to ensure the integrity and confidentiality of the data transferred. Regular exchanges must be covered by a formal written agreement with the third party.
14.2. Information classified as Confidential and Sensitive must be encrypted prior to electronic exchange, both within the University and in exchanges with third parties. Information classified as Secret may not be transmitted electronically except with the explicit written permission of the information owner and in accordance with their handling requirements.
14.3. When exchanging information by email, SharePoint, fax or other digital information sharing methods, recipient addresses should be checked carefully prior to transmission.
14.4. When exchanging data classified as Confidential or above over email, mailing lists provided by IT Services should be used (as opposed to the use of Bcc). For further guidance see the ICO guidance on email and security.
14.5. Unsolicited emails, faxes, telephone calls, instant messages or any other communication requesting information that is not classified as public should not be acted upon until and unless the authenticity and validity of the communication has been verified.
14.6. Members of the University must not disclose or copy any information classified as Confidential or above unless they are authorised to do so.
15. Reporting losses
15.1. All members of the University have a duty to report the loss, suspected loss or unauthorised disclosure of any University information asset to the information security incident response team (cert@bristol.ac.uk). This includes the loss of personal devices, such as phones or USB drives, on which University information assets might reside.
15.2. For information about how to manage incidents involving personal data, visit: www.bristol.ac.uk/secretary/data-protection/data-breaches-and-incidents/.
15.3. All losses, suspected losses or unauthorised disclosure of University information should be reported as soon as possible.
16. Further guidance
Request this policy in an alternative format
If you need this policy in a different format, email uob-policymanager@bristol.ac.uk. In your message, include the format you need, for example: plain text, braille, BSL, large print or audio.