Processing personal data off campus (home/remote working)

This guidance should be read in conjunction with the University's Mobile and Remote Working Policy (PDF, 95.1 Kb).

Many information security breaches occur when personal data is being taken off work premises, when working from home for example. While it is permitted to take personal data off University premises for work purposes, staff must take appropriate security measures to protect against the loss or theft of that information.

Staff responsibilities

Under the Data Protection Act, personal data can only be processed off campus if all of the following conditions are met:

  • the personal data is used or processed to carry out the duties of the member of staff and for no other purpose;
  • the processing is carried out only for legitimate purposes related to University business;
  • the Data Protection Principles are followed strictly;
  • adequate security is maintained to protect against the loss or theft of the personal data.

Any breach of these responsibilities could lead to disciplinary action and the University receiving a fine of up to £17million or 4% of turnover from the Information Commissioner's Office.

Use of non-University owned computing equipment

Non-University owned computing equipment must only be used in accordance with the University's Mobile and Remote Working Policy (PDF, 95.1 Kb) to ensure that appropriate security measures are in place for such devices. Accessing the Staff Desktop from a personally owned computer/device is acceptable as this is simply accessing the University network remotely and no information should be retained on your computer/device. When using the Staff Desktop, it is important to ensure that no information is copied or saved to any end user computer/device.

Do not send documents including personal data to a private, non-University email address to access these documents remotely – storing personal data with an unauthorised third party (without consent) is likely to be a breach of the Data Protection Act. Similarly, storing personal data with third party cloud storage providers that do not meet security standards acceptable to the University is not permitted.

For further guidance on the use of cloud storage providers, please see the Cloud Storage Wiki.

Also ensure any backup devices used to store personal data are fully encrypted and physically secure at all times.

Alternatives

Always consider how necessary it is to take personal data off University premises, taking the following into account:

  • Rather than storing personal data on a mobile storage device, could you use the Staff Desktop to access the information remotely? This would remove the need for any personal data to be carried off premises and reduce the risk to the University. If you have trouble accessing Staff Desktop remotely, please speak to IT Services.
  • If you need to use hard copy documents containing personal data, do you need a whole file or could you limit the personal data you take off premises?
  • Could the personal data be anonymised before being taken off premises?
  • Can you ensure that no special category data is taken off premises? A breach of the Data Protection Act will be deemed more serious if it involves special category data.

Security measures

If taking personal data off University premises, it is the responsibility of individual members of staff to ensure that they have adequate security measures in place to protect against loss or theft.

For guidance on secure mobile storage devices for electronic personal data, please see the Information Security website.

For hard copy personal data, you should consider -

Security of information when in transit:

  • Are you using public transport? If so, there is a greater risk of loss or theft
  • If working on bus/train, do other passengers have sight of your work?
  • If driving, is the information safe if your car were to be stolen or broken in to?
  • If you are hand delivering personal data, ensure it is handed to the recipient or put through the letterbox - do not leave a package in a porch or similar.

Security of information at home:

  • Where are you working at home?
  • Have you taken precautions against burglary and unauthorised access by family members?
  • Do you have a “safe space” for storing personal data?
  • Can you lock personal data away?

Taking personal data overseas

If you are planning to take personal data outside the European Economic Area, please contact the Information Governance Team for advice (data-protection@bristol.ac.uk or ext. 41824).