Compliance policy (ISP-03)

  1. Introduction
  2. Scope
  3. Policy
  4. Further guidance

1. Introduction

This Compliance policy is a sub-policy of the Information Security policy (ISP-01) and outlines the University’s requirement to comply with certain legal and regulatory frameworks.

This policy is to be read in conjunction with the University’s Guide to Information Legislation, which provides details of the legislation relevant to information security, for example the Data Protection Act.

2. Scope

All members of the University (including staff, students and associates), members of other institutions who have been granted federated access to use the University’s facilities, and any others who may have been granted permission to use the University’s information and communication technology facilities by the Chief Information Officer are subject to this policy.

3. Policy

3.1 Compliance with legislation

The University provides policy statements and guidance for staff and students in relation to compliance with relevant legislation to help prevent breaches of the University’s legal obligations. However, individuals are ultimately responsible for ensuring that they do not breach legal requirements during the course of their work or studies.

Users of the University’s online or network services are individually responsible for their activity and must be aware of the relevant legal requirements when using such services.

The University must comply with all relevant legal requirements whether such requirements are detailed in internal policies or not. Any suspected breach of the University’s legal requirements must be reported to the University Secretary’s Office.

The Guide to Information Legislation document gives further details of the relevant legal requirements the University must adhere to.

Other regulatory requirements are set out below.

3.2 JANET policies

The University, along with other UK educational and research institutions, uses the ‘JANET’ (Joint Academic NETwork) electronic communications network and must therefore comply with JANET’s Acceptable Use and Security policies.

3.3 Payment Card Industry Data Security Standard (PCI DSS)

The University must comply with the Payment Card Industry Data Security Standard (PCI DSS) and the relevant legislation when processing payment (credit/debit) cards. To assist with this compliance, the University has published its own PCI DSS policy.

3.4 Software licence management

All software used for University business must be appropriately licensed. The University must comply with the software and data licensing agreements it has entered into. During the negotiation process of such agreements, full consideration must be given to how compliance with the agreement can practically be achieved. Agreements may need to be specifically negotiated to enable the University to comply.

Please refer to the University’s Software Management policy for additional guidance.

3.5 Third party terms and conditions

Where the University uses the services of a third party provider, staff and students will also be subject to their terms and conditions in so far as they relate to information security.

Please refer to the University’s Outsourcing and Third Party Compliance policy for additional guidance.

3.6 Compliance with the University’s Information Security policy

The University’s own information security policies must be adhered to at all times when an individual or organisation is handling University information. The University must ensure it is acting legally when operating such policies.

All staff, students and other persons who may handle University information must be made aware of the University’s information security policies and of any amendments made to them. Individuals must also confirm that they have read and understood these policies and how they apply to the information they handle.

3.7 Collection of evidence

At times, it may be necessary for the University to collect evidence in relation to a potential legal claim or internal investigation.

Where there is suspicion of a criminal offence involving the University’s information or systems, the University will cooperate with the relevant agency to assist in the preservation and gathering of evidence on the basis of appropriate internal authorisation and compliance with relevant statutory requirements.

Please refer to the University’s Investigation of Computer Use policy for additional guidance.

3.8 Statutory information access requests

Under UK Freedom of Information and Data Protection legislation, individuals as well as agencies with statutory powers are entitled to request recorded information and personal data from the University.

In the course of processing statutory information access requests, the University is subject to the requirements of the aforementioned legislation, which includes the provision of access to, and disclosure of, certain information.

3.9 Records management

The University is required to retain certain information, whether held in hard copy or electronically, for legally defined periods. Such information must be appropriately safeguarded and not destroyed prior to the defined minimum retention period while remaining accessible to those who require access and are authorised to access that information.

In accordance with the UK Data Protection legislation, personal data should not be retained for longer than it is required for the purposes for which it was collected.

Please refer to the University’s Records Retention Schedule for additional guidance.

4. Further guidance

Further information can be found at the University Secretary’s Office site and by reading the University’s Guide to Information Legislation.

Compliance policy (ISP-03), version 1.3
Last reviewed: October 2021, Next review: October 2022.
This policy is also available as a PDF: Compliance policy - ISP-03 (PDF, 174kB)