Play it safe when handling sensitive information: follow the new encryption policy
Wednesday, 17 July 2013
The new encryption policy is in force and all staff handling electronic information need to be aware of its provisions.
The policy statement
The policy statement is relatively simple:
If medium and high risk personal data or sensitive information is to be processed off campus or on an external network then it must be stored and transmitted in encrypted form
Having provided the policy statement, the document goes on to set out classes of medium and high risk personal data and sensitive information that must be encrypted if stored or transmitted off campus, and then provides staff with the tools that do just that.
When to encrypt information?
If you are sending sensitive information (see the policy for examples) off campus by email, then encrypt it; if you are storing sensitive information on a mobile device, such as a laptop, memory stick, tablet or smartphone, then encrypt it; if you are sending information outside the secure environment provided by ITS, i.e. off campus or over an external network, to a third party or a non-University employee, then use encryption.
You can encrypt the information itself or, even better, and depending on functionality, the entire device. Methods of encryption and other options for ensuring information security are provided here. ITS-help will be able to advise further on ext 6262 or its-help@reading.ac.uk
Why have this new encryption policy?
We all need to handle information carefully and respectfully. Since April 2010 the Information Commissioner (IC), the regulator for information compliance in the UK, has had the power to fine organisations up to £500k for breaches of the Data Protection Act 1998, and he is flexing his muscles. Nearly all the fifty or so monetary penalty notices so far issued are for breaches of information security, such as losing personal data on a laptop or disclosing personal information in an unauthorised way. Reading the summaries of these notices is sobering. Organisations are fined hundreds of thousands of pounds for relatively simple human errors or oversights: an email going to the wrong recipient, not having a written contract in place with an IT disposal firm, accidentally leaving some confidential papers on the train - all these breaches, some of which appear quite routine and very easy to commit in today's busy and mobile working environment, have incurred huge penalty notices from the Information Commissioner and are often accompanied by significant reputational damage.
Most of the breaches that involved electronic data would not have occurred had the data been encrypted, as encryption offers a powerful and robust way of securing information so that even if the information is lost or stolen, without the decryption 'key' there is no unauthorised disclosure. This is why the University has developed a new encryption policy.
Where can I read more on information security?
Is there training on information security?
Yes. All non-manual staff are now required to take this training i.e. any colleague who uses a University email account or processes information fitting in the medium and high risk classes set out in the policy.