6. Protection of Confidential Information

Identifying confidential information is a matter for assessment in each individual case. Broadly, however, information will be confidential if it is of limited public availability; is confidential in its very nature; has been provided on the understanding that it is confidential; and/or its loss or unauthorised disclosure could have one or more of the following consequences:

  1. financial loss e.g. the withdrawal of a research grant or donation, a fine by the ICO, a legal claim for breach of confidence;
  2. reputational damage e.g. adverse publicity, demonstrations, complaints about breaches of privacy; and/or
  3. an adverse effect on the safety or well-being of members of the University or those associated with it e.g. increased threats to staff or students engaged in sensitive research, embarrassment or damage to benefactors, suppliers, staff and students

6.1. Storage

Confidential information should be kept secure, by keeping it, where possible, on site using dedicated storage (e.g. file servers), rather than local hard disks, and with an appropriate level of physical security.

File or disk encryption should be considered as an additional layer of defence, where physical security is considered insufficient.

6.2. Access

Confidential information must be stored in such a way as to ensure that only authorised persons can access it.

All users must be authenticated. Authentication should be appropriate, and where passwords are used, clearly defined policies should be in place and implemented. Users must follow good security practices in the selection and use of passwords.

Where necessary, additional forms of authentication should be considered.

To allow for potential investigations, access records should be kept for a minimum of six months, or for longer, where considered appropriate.

Users with access to confidential information should be security vetted, as appropriate, in accordance with existing policies.

Physical access should be monitored, and access records maintained.

6.3. Remote Access

Where remote access is required, this must be controlled via a well-defined access control policy and tight access controls provided to allow the minimum access necessary.

Any remote access must be controlled by secure access control protocols using appropriate levels of encryption and authentication.

6.4. Copying

The number of copies made of confidential information, whether on portable devices or media or in hard copy, should be the minimum required, and, where necessary, a record kept of their distribution. When no longer needed, the copy should be deleted or, in the case of hard copies, destroyed (see 6.12.5).

All copies should be physically secured e.g. stored in a locked cupboard drawer or filing cabinet.

6.5. Disposal

Policies and procedures must be in place for the secure disposal/destruction of confidential information The University's policy on the disposal of old computers can be found at http://www.ict.ox.ac.uk/oxford/disposal/.

6.6. Use of Portable Devices or Media

Procedures should be in place for the management of removable media in order to ensure that they are appropriately protected from unauthorised access.

The permission of the information owner should be sought before confidential information is taken off site. The owner must be satisfied that the removal is necessary and that appropriate safeguards are in place e.g. encryption. For further information, please see the Toolkit.

In the case of personal data, the ICO recommends that all portable devices and media should be encrypted where the loss of the data could cause damage or distress to individuals.

The passphrase of an encrypted device must not be stored with the device (see also section 6.8.2).

6.7. Exchange of Information and Use of Email

Controls should be implemented to ensure that electronic messaging is suitably protected.

Email should be appropriately protected from unauthorised use and access.

Email should only be used to send confidential information where the recipient is trusted, the information owner has given their permission, and appropriate safeguards have been taken e.g. encryption.

Further guidance on managing the risks associated with the use of e-mail is available on the University website and in the Toolkit.

6.8. Cryptographic Controls

Procedures should be in place to support the use of cryptographic techniques and to ensure that only authorised personnel may gain access to confidential information.

University guidance, provided via the Toolkit, on cryptographic policy and key management, should be followed to ensure that data are appropriately secured and that all legal and regulatory requirements have been considered.

6.9. System Planning and Acceptance

A risk assessment should be carried out as part of the business case for any new ICT system that may be used to store confidential information. The risk assessment should be repeated periodically on any existing systems.

6.10. Backup

Information owners should ensure that appropriate backup and system recovery procedures are in place. Backup copies of all important information assets should be taken and tested regularly in accordance with such an appropriate backup policy.

6.11. Further information

The Toolkit provides further guidance on the matters covered in this section.

6.12. Hard Copies

6.12.1. Protective Marking

Documents containing confidential information should be marked as ‘Confidential’ or with another appropriate designation e.g. ‘sensitive’, etc, depending on the classification system adopted by the department.

6.12.2. Storage

  1. Wherever practicable, documents with confidential information should be stored in locked cupboards, drawers or cabinets. Where this is not practicable, and the information is kept on open shelving, the room should be locked when unoccupied for any significant length of time.
  2. Keys to cupboards, drawers or cabinets should not be left on open display when the room is unoccupied.

6.12.3. Removal

Confidential information should not be removed from the University unless it can be returned on the same day or stored securely overnight, as described in section 6.12.2 above.

6.12.4. Transmission

  1. If confidential documents are sent by fax, the sender should ensure they use the correct number and that the recipient is near to the machine at the other end ready to collect the information immediately it is printed.
  2. If confidential documents are sent by external post, they should ideally be sent by a form of recorded delivery. The sender must ensure that the envelope is properly secured.
  3. If confidential documents are sent by internal post the documents should be placed in an envelope marked ‘Confidential’ with the addresse’s name clearly written on it.

6.12.5. Disposal

Confidential documents must be shredded in a confidential manner prior to disposal.

6.12.6. Enforcement

There must be a written policy in place at the local level for the handling of confidential information, whether electronic or hard copy, and a copy of the procedures must be provided to every user so that they are aware of their responsibilities.

Any failure to comply with the policy may result in disciplinary action.

Any loss or unauthorised disclosure must be promptly reported to the owner of the information.

Computer security incidents involving the loss or unauthorised disclosure of confidential information held in electronic form must be reported to Oxford University Computer Emergency Response Team (OxCERT) and investigated.

If the loss or unauthorised disclosure involves personal data, whether electronic or hard copy, the University’s Data Protection Officer must also be informed, either by e-mail or by phone ((2)70002).

Up: Contents Previous: 5. Protection of Information Systems and Assets Next: 7. Compliance