Protecting information in your role

Everyone is responsible for handling University information correctly.

Always ask yourself:

• Do you know how best to protect yourself, your information and the University?
• What type of information are you handling - is it confidential?
• Do you know what security measures you should be taking with confidential University information?
• Are you laying yourself open to identity theft?
• Could you become responsible for a "reckless disclosure" of confidential information?

What do I need to do?

• Familiarise yourself with the regulations on the use of computing facilities
• Remember the seven golden rules
• Be aware of other legal and licence requirements: Information and IT legislation, external policies and licences
• Follow the guidance on this website and adhere to the relevant policies and guidelines
• Attend any training courses relevant to your role
• If you think any University information may be vulnerable to inappropriate disclosure or manipulation, or that a breach has occurred, report it to your manager or the IT Support
• If you think your device has been lost, stolen, attacked or other activity of concern is taking place contact the York CERT (Computer Emergency Response Team) immediately
• Understand any additional responsibilities or common risks relating to your role (see below)
• When in doubt, ask for help

You are responsible for ensuring University information is properly managed within your department.

What do I need to do?

• Understand University information policies and procedures and how University information is managed in your department
• Be familiar with your specific responsibility for requesting an IT investigation or data access:
  • IT investigations and data access policy (see Section 2 in particular)
• Be alert to anything that exposes your department to risks of inappropriate use of information and devices
• Ensure your staff participate in training
• Ensure your staff handle University information and manage their devices appropriately

You are responsible for ensuring that you and those you manage are working appropriately with the University's information.

What do I need to do?

• Understand University information policies and procedures that apply to your activities and how University information is managed in your team
• Be alert to anything that exposes your team to risk of inappropriate use of information, including how devices are used by your staff
• Ensure your staff participate in training and handle University information and manage their devices appropriately

You have access to confidential and research information and are responsible for ensuring strict safeguards are in place to protect yourself and others, such as students and research subjects, from loss, accidental exposure or theft of research information.

What do I need to do?

• Understand which University information is confidential and how to protect it from inappropriate disclosure
  • Information classification and handling
• Ensure you manage your devices so that University information is not exposed inappropriately, including when travelling in the UK and abroad
• Ensure members of your team adhere to policies and guidelines, including students working with you
• Understand the particular responsibilities associated with managing research data and complying with funder requirements; more guidance is available at Information policy for researchers (link to follow)

You are likely to work with confidential University information (for example financial records, exam information, student lists, staff records).

What do I need to do?

• Understand which University information is confidential and how to protect it from inappropriate disclosure
  •  Information classification and handling
• Double check who you are sending emails to before you click Send. Common risks are using Cc instead of Bcc in the address or circulating email threads with confidential information in them

You are responsible for ensuring that all the systems you manage are operated correctly and securely in accordance with University and departmental policies, including the information stored on or handled by them.

What do I need to do?

• A method statement for System Administrators is under development. This will provide detailed guidance on your responsibilities. In the meantime, if in doubt ask the IT Support Office for help
• Understand University information policies and procedures and how University information is managed in your department so that you can manage your systems appropriately
• Be alert to anything that exposes your systems to risks of inappropriate use of information and devices
• Manage your systems and information securely and in accordance with the Information Security Policy and other information policies
• Report any security incidents promptly to York CERT (Computer Emergency Response Team)

You need to know what acceptable use of University IT systems means and how to protect yourself from potential harm when using social networks.

What do I need to do?

Understand the following documents:

• University Regulation 11: Use of computing facilities the associated guidelines
• Acceptable Use Policy: York Local AUP (PDF , 58kb)

Learn how to use social media effectively: the Student guide to social media (developed by Leeds, York and Manchester University libraries) provides useful advice and a list of dos and don'ts:

• Student guide to social media

Understand how to use social media safely:

• : advice from Student Support Services
• Online safety: useful information from the Information Commissioner

Ensure you manage your devices so that University information is not exposed inappropriately, including when travelling in the UK and abroad:

• Policy for device access to University information

If you are undertaking original research, you will need to understand the particular responsibilities associated with managing research data. More guidance is available from your supervisor and at Research data management.