This guidance should be read in conjunction with the University's Mobile and Remote Working Policy (PDF, 95.1 Kb).
Many information security breaches occur when personal data is being taken off work premises, when working from home for example. While it is permitted to take personal data off University premises for work purposes, staff must take appropriate security measures to protect against the loss or theft of that information.
Under the Data Protection Act, personal data can only be processed off campus if all of the following conditions are met:
Any breach of these responsibilities could lead to disciplinary action and the University receiving a fine of up to £17million or 4% of turnover from the Information Commissioner's Office.
Non-University owned computing equipment must only be used in accordance with the University's Mobile and Remote Working Policy (PDF, 95.1 Kb) to ensure that appropriate security measures are in place for such devices. Accessing the Staff Desktop from a personally owned computer/device is acceptable as this is simply accessing the University network remotely and no information should be retained on your computer/device. When using the Staff Desktop, it is important to ensure that no information is copied or saved to any end user computer/device.
Do not send documents including personal data to a private, non-University email address to access these documents remotely – storing personal data with an unauthorised third party (without consent) is likely to be a breach of the Data Protection Act. Similarly, storing personal data with third party cloud storage providers that do not meet security standards acceptable to the University is not permitted.
For further guidance on the use of cloud storage providers, please see the Cloud Storage Wiki.
Also ensure any backup devices used to store personal data are fully encrypted and physically secure at all times.
Always consider how necessary it is to take personal data off University premises, taking the following into account:
If taking personal data off University premises, it is the responsibility of individual members of staff to ensure that they have adequate security measures in place to protect against loss or theft.
For guidance on secure mobile storage devices for electronic personal data, please see the Information Security website.
For hard copy personal data, you should consider -
Security of information when in transit:
Security of information at home:
If you are planning to take personal data outside the European Economic Area, please contact the Information Governance Team for advice (data-protection@bristol.ac.uk or ext. 41824).