
IS03: Clear Desk Safe Working Policy

This Information Handling Policy is a sub-policy of the Information Security Policy (IS01) and sets out the requirements for maintaining a safe working environment with respect to handling the University’s information assets and for ensuring the two core principles of Value and Security.

Purpose
  • This Information Handling Policy is a sub-policy of the Information Security Policy (IS01) and sets out the requirements relating to maintaining a safe working environment with respect to handling the University’s information assets. The University operates and enforces a Clear Desk and Safe Workstation Policy in order to reduce the risk of information breaches and disclosures.
Scope
  • This Policy enforces and supports two University Information Governance Core Principles: Value – recognising the importance of the University's information assets and ensuring that maximum value is obtained from them. Security – ensuring that information, especially protected and confidential information, is always handled safely and securely.
Responsibilities
  • The Chief Information & Transformation Officer (CITO) has the accountability to ensure that this policy is implemented, monitored and reviewed regularly. The Policy and corresponding procedures apply to everyone who has a contractual relationship with the University; to all information held for the purposes of the University’s operations including the provision of teaching and education, research, student and staff support, internal and external reporting and publications. It applies to information created by members of the University and to information received from third parties. It applies to all work activities across the University’s campuses, in all locations and to all activities managed by the University at off-campus accommodation properties.
Compliance
  • Compliance will be monitored by the CITO on an ongoing basis. The compliance focus will be on a programme of sample audits to test the level of compliance across the University – key metric is the % of compliant workstations; and an annual Departmental compliance report with agreed actions for departments below a target compliance level agreed in advance by University Information Management Executive Committee (UIMEC) for each year.

Policy Introduction and Purpose

This Information Handling Policy is a sub-policy of the Information Security Policy (IS01) and sets out the requirements relating to maintaining a safe working environment with respect to handling the University’s information assets.

The University operates and enforces a Clear Desk and Safe Workstation Policy in order to reduce the risk of information breaches and disclosures. It sets out the responsibilities and reporting lines for all members of staff.

Scope and Definitions

This Policy applies to everyone who has a contractual relationship with the University including all employees (both full-time and part-time across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes visiting professors, consultants/self-employed carrying out roles which if carried out by an employee would require disclosure. For purposes of this Policy we will refer to everyone covered as “staff”.

This Policy and corresponding procedures apply to all information held for the purposes of the University’s operations including, but not limited to, the provision of teaching and education, research, student and staff support, internal and external reporting and publications. It applies to information created by members of the University and to information received from third parties.

This Policy and corresponding procedures apply to all work activities across the University’s campuses, in all locations. The Policy also applies to all activities managed by the University at off-campus accommodation properties.

A glossary of the terms used throughout the Policy can be found in Document IM03 – Glossary of Terms for Information Management.

This policy sits within the Information Management Policy Framework and should be read in conjunction with the over-arching policies IM01 – Information Management Policy of Policies and IM02 – Information Management Training Policy.

Responsibilities

Policy Responsibilities

The Chief Information & Transformation Officer (CITO) has the accountability to ensure that this policy is implemented, monitored and reviewed regularly.

Operational Responsibilities

| Role | Function |
| --- | --- |
| Digital Strategy Group representative | Responsible |
| Head of Department | Accountable |
| Chief Information and Transformation Officer; Data Protection Officer | Consult |
| University Information Management Committee representative | Inform |

Principles of the Policy

This Policy enforces and supports two University Information Governance Core Principles:

  • Value – recognising the importance of the University's information assets and ensuring that maximum value is obtained from them.

  • Security – ensuring that information, especially protected and confidential information, is always handled safely and securely.

Policy Requirements

  • Screens must be locked when workstations are out of sight of the individual.

  • Those who regularly work with ‘Restricted’ data should try to ensure – where possible – that monitors are positioned to minimise the visibility of any restricted information to non-authorised colleagues, students or visitors.

  • To support the limited visibility requirement above, Departmental Heads/Line Managers should consider the layout of offices, offering more discreet/less visible working spaces for those staff who regularly handle ‘restricted data’.

  • Sensitive papers – classified as “Protected” or as “Restricted” – must be locked away when not required, when staff are away from the desk or workstation for long periods, and always at the end of the day.

  • Laptops, tablets and other University devices must be adequately secured from theft.

  • Passwords or authentication details must never be written down or stored in unencrypted media.

Exemptions

‘Exemption requests’ under this policy must be submitted to the CITO or their designate. Exemptions to this policy may only be granted by the CITO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.

This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case-by-case basis.

Compliance Monitoring

Compliance with this policy will be monitored by the CITO on an ongoing basis. The compliance focus will be on:

  • A programme of sample audits to test the level of compliance across the University – key metric is the % of compliant workstations.

  • Departmental compliance report on an annual basis with agreed actions for departments below a target compliance level agreed in advance by University Information Management Executive Committee (UIMEC) for each year.

Compliance performance will be reported monthly by Information Asset Owners to University Management Information Committee (UMIC).

A failure to comply with this policy will be deemed to be a disciplinary offence and may lead to proceedings being taken through the University Disciplinary Process.