Mandatory information security training

This advice accompanies the current GDPR and Information Security training in myReview. While this training was especially commission for universities some policies, certain practices and even job titles will differ from instruction to institution. This advice will help clarify information for staff and managers raised in the training. If you still have questions, please contact


All Information Security and Governance Policies can be found here:

It should be noted that our current Information Security Policy is acting as the organisation's Data Protection Policy. This may change in the future and you will be notified. 

How to report an Information Security incident

At the University of Bristol there are two teams that primarily deal with Information Security incidents. They are the Information Security team in IT Services and the Data Protection team in the Secretary’s Office. The Information Security team in IT largely deal with computer related issues such as concerns around computer viruses or accounts being misused. The Data Protection team give legal advice on data protection legislation and respond to reports of issues such as accidental disclosure or the loss of paper based records.

To report a security incident, you can contact these teams via the following addresses:

Information Security:

Data Protection:

If you have an urgent or serious matter that you would like to speak to someone about, please contact the IT Service Desk on 0117 428 2100 (internal 82100). The IT Service Desk operates 24/7 so if you discover an issue out of hours, the relevant response teams will be contacted if the issue is serious.

The Data Protection Officer

The role of the Data Protection Officer currently resides within the Secretary’s Office. They can be contact via the email address

Privacy Impact Assessments

Privacy Impact Assessments must be completed if you or your team are collecting or changing the way it handles personally identifiable information. They must also be completed if your team wishes to use a third party to collect or process information.

If you have any questions or would like to see our Privacy Impact Assessment Policy please contact

Mobile Working Policy

 The University’s mobile working policy can be found here: Note that this allows the use of personal devices as long as they meet certain conditions, these include but are not exclusive to:

-          Run a supported and current version of the operating system

-          They must be encrypted and locked with an appropriate passcode/password

-          If they are at risk of malware infection, they must run up-to-date anti-virus software

-          The loss must be reported to IT Services

Further details can be found within the policy. Note that the University does not currently require you to install software to access your email or some remote working solutions. For details of our remote access solutions please see the following pages:   

All flexible working arrangements must be discussed with your manager.

Sending mass emails

The University’s Mass emailing policy can be found here: (note that this is behind Single Sign-On). Please ensure that before sending mass emails, you are using the appropriate tool and that you have sought the correct permissions.

Direct Marketing

Direct marketing is broadly defined as sending information about future events, or newsletters or other information promoting an activity, product or service to individuals. At the University, we regularly send information to our staff and students using their University email address. Where this relates to their job or course, this is generally considered to be acceptable as it is not marketing an activity, product or service. However, if the information does fall into these marketing categories we need to ensure individuals have ‘opted in’. GDPR moves this from best practice to being a legal requirement.

SITS (the central student record system) does not yet have field or flag indicating consent to market, so if you are intending to access these records for a marketing communication, you cannot assume consent has been provided.

GDPR also places a greater emphasis on being able to evidence that someone has chosen to opt in, by having an up to date record. Individuals have a right to withdraw their consent so need to be given the chance to opt-out of receiving future communications every time they are contacted.

Password standards at the University

Picking a strong password that you will remember can be difficult. Currently at the University, a strong password is defined as:

-          Having 10 or more characters

-          Containing upper case and lower case characters as well at least one number or symbol

-          Not being a dictionary word

The answer in the training does contain dictionary words and does not contain a number or symbol. Despite this it is by far the strongest of the four options.

We will continue to evaluate or password strength standards as threats emerge and will update you if they change. The important points to remember is to make them difficult to guess, easy to remember and unique for each of your internet services.  

Email Encryption

Information that is classed as Confidential or above (in line with the University of Bristol’s Data Classifications should not be sent over email. Please view the advice for sharing and collaborating on documents (note this is behind Single Sign-On).

While functions like 7-Zip ( are available for use, Modern Attachments is far simpler and allow you to maintain control of the document after you have shared it.

Please note: further training resources, including interactive tutorials and document-based materials, are also available.