Information for staff > Data protection > Data protection guidance > Storage and use of electronic personal data

Storage and Use of Electronic Personal Data

On this page:

• Purpose
• Who is this guidance for?
• Why should I be concerned about how I store this information?
• Dos and don'ts

Purpose

This guidance highlights the general issues to consider when storing and using information about living, identifiable individuals in an electronic format to ensure that personal information is kept secure and the University complies with its obligations under the Data Protection Act 1998.  In some circumstances you will need to take additional measures; to see the full range of guidance available, visit the University's data protection home page.

• Data protection home page

Who is this guidance for?

This guidance is for all members of staff who store personal information in an electronic format.  This includes word processed documents, spreadsheets, databases and e-mails, all of which can be found on and accessed via various devices such as your desktop, laptop PCs, PDAs, mobile telephones, USB memory devices, CDs and DVDs.

The document includes tips for users of Microsoft Windows.  Over time, information will be added about other environments commonly in use around the University.

Why should I be concerned about this?

The Data Protection Act 1998 applies to all “personal data” about a living, identifiable individual.  It sets out how we should us this information.  Failure to comply with this Act could expose the University to legal proceedings or reputational damage.

The definition of personal data is highly complex.  For day-to-day purposes it is best to assume that all information about a living, identifiable individual is personal data. However, sometimes you may need to know precisely what personal data is as this can affect which parts of the legislation apply.  If this is the case, please take the ‘What is Personal Data’ test.

• What is personal data?

Dos and Don'ts

Do:

Anonymise personal information whenever possible. For more information see the FAQ on anonymising personal information. Anonymising personal information

	Practice good IT security. Please refer to the University's Computing Regulations and the University's IT security policy for more information. University Computing Regulations University IT security policy
	Use encryption, access permissions and other features to restrict access to personal information to staff who need to see it to do their job.
	Take particular care when transporting personal information to different locations (including passing data to other organisations).   Always encrypt the data and ensure that physical devices cannot be accidentally lost, for example, by using special delivery post or by not leaving the device unattended.
	Take appropriate security precautions if you take any information about people home with you. Make sure it cannot be accessed by thieves or accidentally viewed by visitors or family members. For further information see the guidance on home working. Home working
	Choose a password that is not easy to guess.
	Site PCs where the screen cannot be seen by unauthorised staff or the public.
	Lock your computer, if possible, if you are leaving your desk for more than 5 minutes.  I use Microsoft, how can I lock my computer?
	Delete personal data as soon as it is no longer required.
	Ensure that your deleted items are actually deleted – simply deleting items does not always remove them completely from you computer. For example, in Microsoft Outlook when you delete e-mails they are moved to and stored in your ‘deleted items’ folder and you must also delete them from here. Similarly in Windows when you delete items from your computer they will often be sent to the ‘recycle bin’ on your desktop, from where you must delete them again.
	Take particular care when disposing of or selling a PC or any other device that potentially holds personal data – ensure that all personal information has been deleted.  For information see the guidance on disposing of records. Disposing of records
	Use the network in preference to your hard drive whenever possible, this makes back ups, deletion and legislative requirements easier to manage.
	Take action if you suspect unauthorised staff have accessed personal information.
	Be careful when embedding documents - when you embed a document it is possible for the reader to access the entire document and not just the information on display. What is embedding?
	Be aware that many file types maintain lists of changes making it possible for users to access the previous text.  I use Microsoft, how can I delete hidden data?
	Ask your IT support service for advice on making your computer and your information secure.

Don’t:

	Assume that information has been anonymised just because you have removed names – codes may still link the information to particular individuals, or they could still be identified from the data that remains, for example a combination of department, ages and gender. For more information see the FAQ on anonymising personal information. Anonymising personal information
	Leave information on the screen when you are not there – have your screensaver set to activate quickly if you leave your computer unattended. I use Microsoft, how do I set my screensaver to activate automatically?

	Assume that e-mail is a private or secure form of communication.
	Share passwords.
	Write your password down. If you must write it down then don’t store it in an easily accessible place
	Send someone’s username and password in the same e-mail or document, send them under separate cover.

Page last updated: Monday February 25 2008