Most members of the University access or process University data regularly. This page outlines your responsibilities when accessing, handling or storing data as part of your role as a staff member or a student at the University.
Data is a collection of information - facts or figures - often used by computers or stored electronically.
Personal data is information that relates to an identified or identifiable person and may include a name, an identification number, location data or an online identifier. Personal data can relate to any identifiable individual, including students, staff, research participants or members of the public.
The University owns and processes a great deal of data about people, research projects and teaching.
Data accessed and stored by the University includes:
More information about the main categories of University information and the level of risk associated with them can be found in the University’s Information Classification Scheme.
Loss or leakage of University data could:
Data loss includes:
University staff and students are granted access to the information they need to carry out their role at the University.
University members who have been granted access to particular data must not share information with other people unless those people have also been granted access through appropriate authorisation.
Staff are required by their contract of employment to handle University information appropriately and responsibly.
Data owners and University staff with line manager responsibility should ensure that their processes include steps to add, change and remove individuals’ access to data (for example joiners, movers and leavers processes).
For more information please refer to the Information Handling policy (ISP-07).
The University has defined levels of confidentiality for different types of information. These levels, or classifications, range from “Public” to “Secret”.
If you access, handle or store University information, you need to understand the University's Information Classification scheme.
All staff and students are provided with secure cloud-based storage through their Microsoft OneDrive account and SharePoint. OneDrive and SharePoint allow you to share large files with other people within and outside the University without sending the files via email.
We recommend you follow the University’s guidance to share files in Office 365.
Please be aware that sending data in an email is similar to sending it on a postcard: it is possible that someone other than the intended recipient may get hold of it and read it.
If you need to share University data that is classified as confidential or above, or data classified as "special category" under the Data Protection Act, you must use a secure service.
Sending sensitive data by email could be considered a breach of confidentiality. If personal data is lost or disclosed, the University could suffer a heavy fine as well as suffering damage to its reputation.
Information classified as sensitive and confidential must be strongly encrypted before it is sent electronically, both within the University and in exchanges with third parties.
You must follow the University’s Encryption policy (ISP-16) and Information Handling policy (ISP-07).
We recommend that you store information including documentation on secure and encrypted devices wherever possible. It can be easier to appropriately secure digital documents than printed or hard copy documents.
The Data Protection Act (2018) and University data protection policies apply to printed data and documentation.
The Secretary’s office has published records management guidance.
Documents containing data classified as confidential or above need to be appropriately stored and secured when not being used.
Staff must ensure hard copy or printed documents are secure while they’re travelling, including when moving between campus and home.
If you need to handle and store printed information, you must:
If you store sensitive data about identifiable people or data classified as confidential or above, that data must be securely stored, for example on an encrypted laptop or on a secure, password-protected University of Bristol system.
Storing sensitive data on non-University systems can put the University in breach of its legal requirements.
Some research data provided by third parties may be subject to strict storage and handling conditions, such as specific levels of encryption, data retention policies, access logs, or evidence of deletion. In these cases, recipients of the data must be aware of such conditions and consult the Information Security team via the IT Service Desk for advice on appropriate storage solutions.
The University Secretary's Office has information about data protection for research data.
Staff and postgraduate research students must follow the University’s policy for the disposal of computer equipment (University access only).
Electronic information must be securely deleted or otherwise rendered inaccessible before leaving the possession of the University, unless the disposal is undertaken under contract by an approved contractor.
Paper documents containing information classified as confidential or above must be disposed of following the confidential waste disposal procedure, documented by the University’s sustainability team.