Policy Introduction and Purpose

This Information Handling Policy is a sub-policy of the Information Security Policy (IS01) and sets out the requirements relating to the handling of the University’s Information Assets.

Information Assets must be managed in order to protect against the consequences of breaches of confidentiality, loss of integrity, interruption to availability or non-compliance with legislation which might would otherwise occur.

Scope and Definitions

This Policy applies to everyone who has a contractual relationship with the University including all employees (both full-time and part-time across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes visiting professors, consultants/self-employed carrying out roles which if carried out by an employee would require disclosure. For purposes of this Policy we will refer to everyone covered as “staff”.

A glossary of the terms used throughout the Policy can be found in Document IM03 – Glossary of Terms for Information Management.

This policy sits within the Information Management Policy Framework and should be read in conjunction with the over-arching policies IM01 – Information Management Policy of Policies and IM02 – Information Management Training Policy.

Responsibilities

Policy Responsibilities

The CITO has the accountability to ensure that this policy is implemented, monitored and reviewed regularly.

Operational Responsibilities

Principles of the Policy

Inventory and ownership of information assets

An inventory of the University’s main Information Assets will be developed and maintained, and the ownership of each asset clearly stated.

Each asset will have a nominated owner, the Information Asset Owner (IAO), who will be assigned responsibility for defining the appropriate uses of the asset and ensuring that appropriate security measures are in place to protect the asset.

Security Classification

The University has an Information Classification and Handling Policy (IG05) which details how information assets should be security classified.

Any information which is not explicitly classified will be classified as public, by default.

Each Information and data asset needs to be handled in an appropriate way based upon its designated security classification.

Where an Information Asset contains multiple components (multiple files, documents or data items) then the overall asset will be categorized to reflect the most sensitive component.

Access to Information

System users will be granted an Information Management Profile upon system set-up. This profile will establish the user’s permissions and access to both systems and different classifications of data as per User Account Management Policy (IS05).

Access permissions to particular protected and restricted data not allowed under the individual’s information management profile will be agreed by the IAO. In granting access to an individual the IAO must have satisfied themselves that the individual requesting access:

1. requires access to perform their duties

2. has access to only the specific information or asset needed

3. has the required level of training to ensure the continued security of the information or data asset (see Information Management Training Policy, IM02).

In no circumstances should members who have been granted access to protected or restricted data pass on the said data or information to any other person unless they have explicit, and evidenced, authorisation from the IAO.

Disposal of Information and Data bearing assets

Great care needs to be taken to ensure that information assets are disposed of securely. For disposal of information and data records staff are asked to refer to Information & Records Management Policy (IG03). All staff must act in a manner which enables them to be compliant with the IG03 policy.

For disposal of physical assets which may have data or information stored within them staff are required to follow the standard process for the secure disposal of data bearing assets (computers, servers, phones, tablets etc.).

In cases where a storage system (for example a computer disc) is required to be returned to a supplier it should be securely erased before being returned unless contractual arrangements are in place with the supplier which guarantees the secure handling of the returned equipment. If in any doubt, contact the Security and Information Management team for further advice.

Removal of information

University data and information records should never be stored on local hard drives or personally owned devices. As per the University’s Information Classification Policy (IG05) University owned information and data assets should be stored using University facilities or with authorised third parties.

In cases where it is necessary to otherwise remove data from the University, appropriate security measures must be taken to protect the data from unauthorised disclosure or loss. Staff should refer to Information Classification Policy for guidance (IG05).

Using personally owned devices

Any processing or storage of University information using personally owned devices must be compliant with the University’s Mobile & Remote Working Policy (IS10).

Information on desks, screens and printers

Staff must ensure that handling of information and data within their regular workspace is secure and compliant. As such individuals are required to comply with the University Safe Workspace and Desk Policy (IS03).

Backups

IAOs must assure themselves that appropriate backup and system recovery measures are in place.

Appropriate security measures must be taken to protect backups against unauthorised disclosure or loss. Recovery procedures should be tested on a regular basis.

IT Services provide standard solutions for secure data and information storage and handling. Such standard services must be used wherever possible. If, for any reason, such services are not appropriate then any alternative arrangements must be documented and approved by the CITO, or in their absence their delegated authority.

Exchanges of information

Any exchange of personal data or other confidential information must only be exchanged in a way which is compliant with the University’s Data Protection Policy (IG02).

Whenever significant amounts of personal data or other confidential information are shared or exchanged with other parties (either internal or external), then appropriate information security measures must be established to ensure the integrity and confidentiality of the data transferred. Regular exchanges must be covered by a formal written agreement with the third party.

Information classified as protected, may only be exchanged electronically if the information is strongly encrypted prior to exchange.

Information classified as Restricted, may only be exchanged electronically through University approved sharing software.

Information classified as Restricted Secret, should not be shared without explicit written consent of the asset owner and using University approved sharing software.

When exchanging information by email or fax, recipient addresses should be checked carefully prior to transmission.

Unsolicited emails, faxes, telephone calls, instant messages or any other communication requesting information which is not classified as public should not be acted upon until and unless the authenticity and validity of the communication has been verified.

Members of the University must not knowingly destroy, disclose or copy any information classified as restricted or above unless they are authorised to do so.

Reporting losses

All members of the University have a duty to report the loss, suspected loss or unauthorised disclosure of any University Information Asset to the information security incident response team at helpdesk@warwick.ac.uk.

References and further guidance

• Data Protection Policy (IG02)

• Information Handling Policy (IS04)

• Mobile and Remote Working Policy (IS10)

Network and IT Systems Monitoring

Standard University provided services are available that allow for information asset management and provide appropriate security for such assets. Individuals must use such services wherever possible.

If, for any reason, such services cannot be used then alternative arrangement must be documented and approved by the CITO, or in their absence the ITS Director.

The University (through appropriately authorised measures), may carry legally compliant monitoring and/or logging in order to ensure the integrity and security of the University network and associated assets. Details of the University policy on monitoring is contained within the Investigation of Computer Use Policy (IS12).

Exemptions

‘Exemption requests’ under this policy must be submitted to the CITO or their designate. Exemptions to this policy may only be granted by the CITO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.

This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case by case basis.

Compliance Monitoring

Compliance to this policy will be monitored on an ongoing basis. The compliance focus will be on:

• Information security incidents

• Backup recovery testing and outcomes

• Asset disposals

• Inventory changes and updating and inventory robustness (via an audit)

• Exemption requests and granting of exemptions

Compliance performance will be reported by IAOs monthly to the UIMC.

A failure to comply with this policy will be deemed to be a disciplinary offence and may lead to proceedings being taken through the University Disciplinary Process.