The seventh Data Protection Principle (see Data Protection Act Overview) requires that precautions should be taken against the physical loss or damage of personal data, and that access to and disclosure of personal data should be restricted. Members of SOAS who are responsible for processing personal data must ensure that personal data are kept securely, and that personal information is not disclosed orally or in writing, by accident or otherwise, to unauthorised third parties.
Information security is a large area, so the following recommendations are meant as general guidance only. They apply equally to data processed off-site (e.g. by staff at home or on laptops) and to data processed on SOAS premises. In fact, off-site processing presents a greater risk of accidental loss, theft or damage to data, since the data leave the physical and network controls of the School.
- When not in use, files containing personal data should be kept in locked stores or cabinets to which only authorised staff have access.
- Procedures for booking files in and out of storage should be developed, so that file movements can be tracked.
- Files should be put away in secure storage at the end of the working day, and should not be left on desks overnight.
Members of SOAS using the School's IT systems must conform to the School's Information Technology Policies. Attention is drawn in particular to the following policies, which are directly relevant to the security of personal data and other data for which SOAS is responsible:
- B2. Conditions of Use of IT Systems (covering security of usernames, passwords, shared file areas etc).
- B3. School IT Security Policy (covering overall responsibility for IT security).
- B4. Policy for Use of Information Servers (duties of staff responsible for servers).
- B5. Equipment & Software Used by Individuals and Workgroups (authorised use of hardware and software).
- B7. Connection to and Accounts on the School Network (authorised use of network connections).
Care must be taken to ensure that PCs and terminals on which personal data are processed are not visible to unauthorised persons, especially in public places. Screens on which personal data are displayed should not be left unattended. Particular care must be taken when transmitting personal data. Ordinary email offers no protection against interception or misdelivery, so personal data sent by email should be encrypted, and digitally signed where the recipient needs assurance that the message has not been altered and genuinely comes from SOAS. Transmission of personal data by fax should generally be avoided.
As well as preventing unauthorised access, it is equally important to avoid the accidental or premature destruction of personal data which could prejudice the interests of data subjects and of SOAS. To prevent the accidental loss of electronic data, members of SOAS should ensure that storage of personal data in electronic form conforms to the good practice guidelines set down in SOAS's Code of Practice for Electronic Data Storage, Transmission and Backup.
Personal data in both manual and electronic formats should only be destroyed in accordance with agreed retention schedules (see Retaining data). Care must be taken to ensure that appropriate security measures are in place for the disposal of personal data. Manual data should be shredded or disposed of as confidential waste. Hard drives, disks and other media containing personal data must be securely wiped before disposal by over-writing the whole device or by degaussing (for magnetic media); note that deleting files or reformatting a disk only rewrites the filing-system metadata and leaves the data itself in place, where it can be recovered with readily available tools. Over-writing is also not a reliable method for flash-based media (USB sticks, memory cards), which should be physically destroyed if they have held personal data. Disposal of electronic media and equipment should be in accordance with SOAS's Procedure for Disposing of Information Technology Equipment and Packaging.
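The following is an added illustration, not part of the SOAS policy, of why reformatting is not a substitute for wiping. It simulates a small disk image in memory: a constructed sample record is written to a data sector, a "quick format" rewrites only the (assumed) metadata sectors at the start of the image, and a simple text-carving routine of the kind used by recovery tools still finds the record. Only over-writing the whole image removes it. The sector layout, the metadata size and the sample record are assumptions made for the example.

```python
"""Added example: quick format vs. full over-write on a simulated disk image."""
import os
from typing import List

SECTOR = 512
IMAGE_SECTORS = 64
METADATA_SECTORS = 4       # assumption: first 4 sectors hold the "filing system" metadata
DATA_SECTOR = 20           # assumption: sector where the record is stored

# Constructed sample record for the demonstration (not real personal data).
PERSONAL_DATA = b"Student: Jane Doe, DOB 01/02/1985, Ref 12345"


def new_image(payload: bytes = PERSONAL_DATA, data_sector: int = DATA_SECTOR) -> bytearray:
    """Build a toy disk image: a magic header, a 'directory entry' pointing at the
    sector holding the file, and the file contents in that sector."""
    img = bytearray(SECTOR * IMAGE_SECTORS)
    img[0:8] = b"FSMETA01"
    img[8:12] = data_sector.to_bytes(4, "little")
    off = data_sector * SECTOR
    img[off:off + len(payload)] = payload
    return img


def quick_format(img: bytearray) -> None:
    """Mimic a quick format: only the metadata sectors are rewritten.
    The directory entry disappears, but every data sector is untouched."""
    img[0:METADATA_SECTORS * SECTOR] = bytes(METADATA_SECTORS * SECTOR)
    img[0:8] = b"FSMETA01"


def overwrite(img: bytearray, passes: int = 3) -> None:
    """Over-write every sector of the image; random data on the early passes,
    zeros on the final pass so the result is easy to verify."""
    for i in range(passes):
        fill = bytes(len(img)) if i == passes - 1 else os.urandom(len(img))
        img[:] = fill


def recoverable(img: bytes, needle: bytes) -> bool:
    """True if the raw bytes of the image still contain the record."""
    return bytes(img).find(needle) != -1


def carve_text(img: bytes, min_len: int = 16) -> List[str]:
    """Naive text carving: return every run of printable ASCII of at least
    min_len bytes, regardless of what the filing-system metadata says."""
    found: List[str] = []
    run = bytearray()
    for b in bytes(img):
        if 0x20 <= b <= 0x7E:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


if __name__ == "__main__":
    image = new_image()
    quick_format(image)
    print("after quick format, carved:", carve_text(image))
    overwrite(image)
    print("after over-write, carved:", carve_text(image))
```

The carving routine ignores the metadata entirely and simply scans the raw bytes, which is why the quick format makes no difference to it; real recovery tools do the same with far more sophisticated signatures. The same reasoning applies to deleting files from a live system: only the directory entry is removed.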
The Data Protection Act lays particular obligations on data controllers to ensure that there are adequate safeguards for processing which is carried out on their behalf by data processors. Whenever personal data is to be processed by an external body acting on SOAS's behalf, SOAS must:
- Choose a data processor which provides sufficient guarantees in regard to its technical and organisational security measures;
- Take reasonable steps to ensure that the data processor complies with these measures, and
- Ensure that the processing takes place under a written contract which stipulates that the processor will act only on instructions from SOAS, and that the processor will have security measures in place that ensure compliance with the seventh Data Protection Principle.
Last updated December 2007