Physical documents and devices left unattended or unsecured are more susceptible to damage, disclosure or theft, particularly in shared/public spaces and outside office hours. This policy sets out some basic measures to help prevent unauthorised access to confidential information when staff are away from their workspace, device or screen.
1.1 To ensure that personal, confidential or otherwise sensitive information (in digital and physical formats) and information assets (for example, computers, mobile devices and notebooks) that hold or provide direct access to confidential University information are not left unprotected at desks, in personal workspaces or in public settings when they are not in use.
2.1 Everyone working at or for the University has a responsibility under its Information Security Policy to use information securely, and to maintain the integrity of, and appropriate levels of confidentiality for, University records and information.
2.2 The policy is binding on all those who use or have access to confidential University information, such as University staff, contractors and consultants, whether accessing this information on or off campus.
2.3 Confidential information: definition
2.3.1 Information given to the University under a common law duty of confidentiality. Information given in confidence may be used only for the purposes that the information’s provider has been informed about and has agreed to or would reasonably expect, unless there is a statutory requirement or court order to do otherwise. Information which is owed a duty of confidence may include information about deceased as well as living individuals.
2.3.2 Personal data and special categories of personal data under the UK GDPR. Any information relating to an identified or identifiable natural person (someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).
2.3.3 Commercially sensitive information whose disclosure may harm the commercial interests of, or be damaging to, the University or a third party (for example, a research/commercial partner or supplier) if improperly accessed or shared.
2.3.4 Information under an embargo prior to wider release, or information which could not be disclosed under Freedom of Information legislation.
3.1 Ensure you have taken reasonable measures to prevent unauthorised access to confidential information. Lock away documents containing Restricted or Confidential information when the records are not in use and, in particular, when the office/workspace is unoccupied or the workstation is left unattended for an extended period of time.
Guidance
The University’s Information Classification and Handling Scheme provides further definition and handling guidance in respect of Restricted and Confidential information.
3.2 If you are away from your desk for a short period of time, ensure any hard copy records containing confidential information are not left in view and that devices/screens are locked.
3.3 Avoid printing or duplicating documents unnecessarily. Do not leave printing on or by copiers for others to find: wherever possible, remain at the printer while your print job is in progress. Keep your University Card safe and report any loss of a card to Security without delay.
3.4 Store confidential records and files securely and out of sight. Pedestal and tambour units, drawers, filing cabinets and/or shared cupboards and store rooms should be locked when left unattended.
3.5 Keep desks and workspaces free of clutter. Actively manage records and data at all stages of the information life cycle, using appropriate University storage solutions to ensure the safekeeping, accessibility and retention of records for as long as required.
Guidance
For the bulk secure storage of inactive hardcopy records that are not regularly needed/consulted and cannot be securely accommodated locally, departments can use the Records Store. Digital and hardcopy records with long term evidential or historical value and selected for permanent preservation should be transferred to the University Archive. Contact records-manager@york.ac.uk to discuss.
3.6 Do not put confidential information on sticky notes and/or leave such notes on monitors, boards or under keyboards.
3.7 Dispose of documents with restricted or confidential information in a timely and secure manner, via confidential waste or by shredding, in accordance with the University’s Retention Schedule and its Information Classification and Handling Scheme. Do not place sensitive or confidential documents in the general waste.
3.8 Erase information on whiteboards and take away or securely dispose of flip-chart sheets after use. When vacating meeting and teaching rooms, remove any documents/papers used during meetings, training or teaching and dispose of them securely (for example, via confidential waste or shredding).
4.1 There is a risk that information could be viewed by unauthorised users if left on an unlocked and unattended monitor or display screen. Lock your computer screen whenever it is left unattended.
Guidance
For Windows machines, use Ctrl+Alt+Del and Enter or the Windows key and ‘L’. For Macs, use Control+Shift+Power. IT Services provide further guidance on enabling screen locks.
On University-supported machines, screens should automatically lock after a short period of inactivity. Configure personal and unsupported devices used to access University systems and information to auto-lock after a period of inactivity of no more than 10 minutes.
4.2 Log out of accounts/applications and devices when they are not in use for any length of time. Log out of classroom and meeting room PCs after use.
4.3 Position/protect screens and devices to prevent members of the public, or passers-by who lack the necessary authority, from seeing any confidential information that may be displayed on them.
Guidance
Privacy filters for computer screens can help reduce the risk and may help where desks or monitors cannot be repositioned easily.
5.1 Follow the same policies when working away from the office, including at home. Be aware of the risks of others (including family) being able to view or access confidential University material, for instance by ‘shoulder surfing’ or by listening in to confidential conversations, whether at home, when travelling or in public locations such as conferences and cafes.
Guidance
The University has provided further guidance on accessing services and information from home and managing confidential records when working remotely.
6.1 Mobile devices, laptops and dictaphones must be encrypted and, along with office equipment, must be appropriately placed and protected to reduce the risks from environmental threats and opportunities for unauthorised access.
6.2 Removable media, even when encrypted, are not permitted until other options have been evaluated. All confidential information should be backed up.
Guidance
The IT Security pages carry advice on the safe use of devices, encryption, cloud storage, remote security features on devices, and two-factor authentication. The Information Classification and Handling Scheme also provides further information. Take measures to secure mobile devices containing confidential data (including encrypted laptops) when they are not in use, and address risks in the physical environment: for example, do not leave devices unattended or in a car overnight, and keep devices in a secure location when not in use to prevent unauthorised access, damage, loss or interference.
7.1 Any individual who accesses, uses or manages the University’s information is responsible for immediately reporting actual or potential information security incidents or failures of data protection compliance. A data protection breach can include both confirmed and suspected incidents and should be reported in line with the Data Protection Breach Procedure.
8.1 This policy is supported by the policy framework set out below, with guidance that describes the recommended best practice in support of the policies and method statements. The guidance also serves as a reference when no particular standard or procedure is in place.
Document control

| Title | Clear Desk and Screen Policy |
| Approved by | Information Security Board |
| Date of approval | 8 April 2022 |
| Review cycle | Three yearly |
| Review due | April 2025 |

Document history

| Version | Date | Author | Description of change |
| 0.1 | 06/01/2022 | Records Manager | Author |
| 0.2 | 03/2022 | Data Protection Officer, IT Security | Reviewed and revised |
| 1.0 | 08/04/2022 | Information Security Board | Approved |