Encryption Policy (ISP-16)

  1. Introduction
  2. Scope
  3. Policy
  4. Further Guidance

1. Introduction

This Encryption policy is a sub-policy of the Information Security policy (ISP-01) and sets out the principles and expectations of how and when information should be encrypted.

2. Scope

This policy applies to all systems (including but not limited to personal computing devices, cloud systems, servers and networks) containing University owned information classified as confidential or above, and anyone processing University information classified as confidential or above. 

2.1. Definitions

Encryption is a mathematical function that uses a secret value - the key - to encode (scramble) data so that only users with access to that key can read the information. In many cases, encryption can provide an appropriate safeguard against the unauthorised or unlawful processing of data.

3. Policy

3.1. When to Use Encryption

Encryption is a critical method of safeguarding data across various data storage and transfer activities. This includes, but is not limited to, the short-term or long-term storage of data (for example data stored locally on a device, portable drives, cloud backups, databases and file servers) and the transfer of data between systems (for example through email, web and file sharing solutions and instant messaging).

When handling data classified as Confidential or above in the University's data classification scheme, either during storage or transfer, encryption must always be used to prevent unwanted access to the data.

In most cases, encryption keys will be in the form of a password or passphrase. 

Losing or forgetting the encryption key will render encrypted information unusable so it is critical that encryption keys are effectively managed. When encrypting files, individuals are responsible for the management and secure storage of encryption keys. 

It is important to note that the means of decrypting files (encryption keys, passwords etc.) should never be stored or transmitted alongside the encrypted files themselves, and should only be shared on a need-to-know basis with authorised parties.

If the encryption key or password needs to be shared, it should be shared through a different medium from the one used to share the encrypted data. Suitable options could be: in person, SMS or over a voice call. As an example, where an encrypted file is sent via email, the password should be sent via SMS (text message) or verbally by phone.

3.2. Encryption Methods

When encrypting data, it must be encrypted using industry recognised standards, such as the Advanced Encryption Standard (AES) for data at rest, and Transport Layer Security (TLS) for data in transit.

From time to time, security flaws are found in encryption methods, which can result in them being deprecated and removed as an industry standard. Care should be taken to ensure that any encryption used does not rely on deprecated standards (examples of these are SHA-1, TLS 1.1 and SSL).

3.3. Encryption of Data at Rest

Data can be considered at rest when it is held physically in computer storage (on cloud storage, file hosting services, databases, spreadsheets and as files stored on computing devices). When at rest, data classified as Confidential or above must always be encrypted to prevent unwanted access. 

All end-user devices (laptops, mobile phones and portable drives) containing or accessing University owned data of any classification must be encrypted.

University owned devices will be encrypted as part of the deployment process with encryption keys managed by IT Services. In cases where data classified as Confidential or above is handled on a non-University owned device or system (including laptops, USB drives, mobile devices and third-party cloud storage solutions), the owner of the device, or user of the system, must take responsibility for ensuring the encryption of the data. This includes the secure storage of passwords and keys for accessing and decrypting the data. 

3.4. Encryption of Data in Transit

When transferring data classified as Confidential or above from one device or system to another (such as across the internet or over wired or wireless connections), data must be encrypted.

Encryption during transfer must either be through the conversion of data into an encrypted format (for example through file encryption) or through the use of a secure communication method which is able to provide assurance that the content cannot be understood if intercepted (such as Transport Layer Security, TLS).

Where University data is accessed but not stored (such as using a web browser to access websites containing University data), these services must be protected using encryption such as TLS.

For information classified below Confidential (Public and Open), encryption is still recommended and is best practice for maintaining data integrity.

For additional guidance on encryption standards and when to use encryption, contact IT Services.

3.5. UK Law and Travelling Abroad

Upon leaving or entering the UK, you may be required by UK authorities to decrypt any devices or files you have stored on devices in your possession. Section 49 of the Regulation of Investigatory Powers Act (RIPA) includes a provision whereby certain "public authorities" (including, but not limited to, law enforcement agencies) can require the decryption of devices or files. Failure to comply with such a lawful request is a criminal offence in the UK.

Similarly, government agencies operating outside of the UK may require you to decrypt your devices or files upon entry to or exit from their territories. If you travel abroad with encrypted data classified as Confidential or above, there is a risk that the data may require decryption and therefore a risk of disclosure. It is advised that you consider the consequences of such disclosure; wherever possible, information classified as Confidential or above should not be taken with you while travelling.

For access to information classified as Confidential or above abroad, it is recommended the data remains stored on University systems, with access to the data provided by means of a secure and encrypted remote connection.

For further information on device encryption and processing personal data when travelling abroad, see the IT Services guidance page: Keep safe when you travel (sharepoint.com).

4. Further Guidance

Encryption policy (ISP-16), version 4.0
Last reviewed: January 2024. Next review: January 2025.
This policy is also available as a PDF: ISP-16 Encryption Policy (PDF, 120kB)