The University of Edinburgh Records Management Section
 

Working at Home: the Implications of Data Protection and Freedom of Information


Audience

This guidance is intended for all University staff who work at home, either on an occasional or a regular basis. It applies to anyone undertaking administrative, research or teaching-related work at home.

Purpose

This document gives general advice on the issues you need to consider to ensure that any University information you work on at home is protected from loss or unauthorised access and exploitation, while at the same time ensuring that it is accessible to anyone who needs to use it for their work.

Scope

This guidance applies to all information in all formats, including paper files, electronic data, word processed documents and emails.

What do I need to do?

Taking University information home will always involve an element of risk so you should think carefully about whether you need to do so. The measures you take when working at home will depend on the nature and sensitivity of the information involved, and should take into account the cost of implementing precautions and the likelihood and consequences of someone gaining access to the information. The following guidance is divided into sections that apply to information in all risk categories, and others which apply only to high or medium risk information, as defined below.

This policy applies specifically to work that you do at home. You can limit the need to take information home by working directly to the University server using remote access facilities. If you remove information from the University computing environment you must also adhere to the following policy:

Guidance for all categories of information

Home computing

  • Work directly from/to the appropriate University server using remote access facilities where possible. This reduces the need to take home electronic information or to store it there, addresses business continuity concerns and limits the security measures you will need to take with regard to electronic information.
  • If you work on a University laptop, do not use it to store the only copy of University information as it is more vulnerable to loss or theft. Make arrangements to back up information that is stored on a laptop and store this on the University network.
  • Ensure that your computer system and applications are up to date with virus protection software and security patches.
  • Do not use a non-University email account for University business. Most University email accounts are accessible via the Internet so you should not need to use any other account.

Physical security

  • If you have to take University information home, try to take a copy rather than the official record. If you cannot avoid taking home the official record, ensure that your colleagues know that you have it at home.
  • University records should be updated as soon as possible with any work that you do at home.
  • When you work at home, security should be of the same standard as that which is provided in the University.
  • Take care when transporting information to or from your home.
  • If you travel by public transport, keep all University information to hand. Hold onto bags or laptops rather than placing them on luggage racks. Keep smaller storage media, such as portable drives, in secure compartments of bags, rather than in a jacket pocket.
  • If you travel by car, lock University information in the boot. Do not leave it in plain sight.
  • Dispose of University information securely and appropriately. For example, do not dispose of documents you no longer need in general waste or recycling bins; use a shredder if you have one at home, otherwise use the normal confidential waste facilities in the University.

Guidance for high and medium risk information

  • High risk information should never leave the office in physical format. The only exceptions to this are members of staff who need to take high risk information away from University premises as a necessary part of their job, such as mobile medical staff. If using high risk information away from the University is an essential part of your job, ensure that you adhere to all sections of this guidance document. If you need to carry information with you, return it to the office at the end of your working day to store it securely, rather than taking it home.
  • Do not use your own, non-University, desktop or laptop computer to store sensitive University information - you can avoid this by using remote access facilities. If you have done so, however, you must make arrangements to ensure that the information is no longer available when you dispose of the computer. The measures you take will depend on the data involved. In some cases wiping the hard drive will be sufficient, but in extreme cases (for example, research data on identifiable victims of sexual crime) it may be necessary to destroy the hard drive completely. The Records Management Section can assist in determining the level of risk involved, while your local IT support can advise on the technical measures required. Further information is available in the following guidance document:
  • If you do transfer information outside the University computing environment, adhere to the following policy:
  • If you regularly access University information on your home computer, create a password protected account that you use exclusively for work. This restricts accidental access to University information by other users of the computer.
  • Your web browser keeps a record (cache) of sites you visit. This means it saves images of sites, so that even if you do not intend to store information, your computer may do so. If you have accessed any personal or sensitive information, clear this cache of images. The procedure for clearing the cache depends on your browser although it can often be carried out by clicking on the 'Tools' tab. For further information contact your local IT support.
  • Your work area should be in a separate location to general 'living' areas. It should not be easily visible or accessible to people outside the home. For example, do not situate your work area or computer station next to a ground floor window.
  • Make sure that information is not left where other occupants of your home can see it.
  • Keep paper documents, files and portable media devices in a lockable cabinet and make sure that this is locked when not in use.
  • Physically protect laptops. You can do this by using a lock or cable to secure the laptop, or placing it in a locked cupboard or drawer when not in use.
  • If you are taking sensitive information home, in any format, go there directly. This reduces the chances of losing the information on the way.
  • Use an appropriate carrier. Documents or other portable media should be transported in a secure, lockable briefcase or bag. Laptops must be carried in a laptop bag or rucksack.
  • Exercise discretion. Do not read sensitive documents on a bus, for example, or work on personal data on a train. Do not draw attention to the fact that you are carrying University information.

Why do data protection and freedom of information affect me when I work at home?

The Data Protection Act 1998 and the Freedom of Information (Scotland) Act 2002 apply to all paper and electronic information that you create and receive as part of your employment with the University, regardless of where you work or store that information.

The Data Protection Act sets out how organisations can handle personal data and gives an individual the right to access personal information held about themselves. The Freedom of Information (Scotland) Act entitles anyone from anywhere in the world to request access to any information held by the University. It also includes a statutory code of practice on records management which describes the systems we should have in place for managing our information. These pieces of legislation are as applicable to work you do at home as work you do on University premises, so you must therefore take this guidance into account when working at home.

A failure to safeguard personal data at home could breach the Data Protection Act 1998, which could lead to the University being fined up to £500,000. The Information Commissioner, who regulates data protection, is taking this issue seriously - two of the first four fines issued by his office were for the loss of laptops by organisations. In addition to financial penalties, a data protection breach could cause serious harm to the University's reputation and damage its relationship with a range of stakeholders including potential students and research funders. The loss of important information could also impact on the operation of the University, for example, by losing the only copy of financial information or research data. Following this policy enables you to access confidently the information you need to do your job and safeguards your information against loss, theft and corruption.

Author: Susan Graham and Michael Gallagher
Version: 8


If you have any comments or suggestions regarding these pages please e-mail them to us at recordsmanagement@ed.ac.uk

The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336

Page last updated: Friday November 11 2011