Data protection

Find out more about how Imperial protects data by visiting the guidance webpage.

Making the wrong choices when storing or sharing data can lead to data losses and leaks, resulting in serious repercussions for you and for Imperial. It is vital that sensitive information is adequately protected. We recommend that you protect all data and files as best as you can, but pay particular attention to how you manage sensitive information. 

What is sensitive information?

This kind of data is considered sensitive and should be encrypted:

  • commercially sensitive administrative or planning data
  • commercially sensitive research data
  • personal data covered by the Data Protection Act (see Information Governance Policy Framework for more information)
  • personal financial data (read our Data Loss Prevention practices)
  • Patient Identifiable Data held for research purposes (see Code of practice 2 for full policy)
  • data protected by confidentiality agreements with third parties.

Visit the Data Protection Policy webpage for details of each policy.

How to save and share your files securely

Read Imperial's recommendations on saving and sharing data:

  1. Saving files and data
  2. Sharing and collaboration

OneDrive for Business is one of the options for saving personal files securely. It is authenticated to meet our high standards for data security and resilience, ensuring compliance with ISO27001, HIPAA and FISMA, the US-EU Safe Harbor framework and EU Data Protection Directive model clauses. Our contract with Microsoft ensures that data is only held in the EU. Your data can only be accessed or viewed by you as the owner of the file, or by those you choose to give permissions to for collaboration, and not by Microsoft or anyone else.

Saving your data with other providers (e.g. Google, Dropbox etc.)

There are benefits to using cloud storage providers, including the ability to easily share and sync documents across multiple devices and potentially with external collaborators. However, many consumer web-based cloud storage providers (Dropbox, Google Drive etc.) do not encrypt (protect) data adequately. This means data could be accessed, shared or lost. There have been a number of high-profile cases of personal data infringements reported in the press due to storing data and photos on cloud platforms.

Data stored with cloud service providers is outside of your control, meaning that the company could change its terms and conditions or upgrade its hardware or software without your permission or knowledge. In the past, problems with upgrades have caused data to be exposed on the Internet. Your data may be stored outside the European Union, meaning that it is subject to local, not UK, law. This could enable third parties in other countries to access your data.

Access to cloud storage data could also be removed at any time and this is also outside of your control. This could result in your account and any related data being deleted. So, if you are storing sensitive or confidential university data on one of these platforms, you may be breaching Imperial policy. This could result in legal action and fines against you and the university.

Encrypt data stored in the cloud

Encrypting data makes the information unreadable; it can only be read by using a secret key to unlock it, a process called decryption. If you do use Dropbox or Google Drive, you run the risks above. However, to offer some level of protection we recommend that you use eShare, software which enables you to encrypt data to prevent third parties and unauthorised users from reading your data by scrambling the contents. Find out more by visiting our encrypt and protect your data webpages.

Removable media (USB keys, hard drives, memory cards, DVDs etc.)

Using removable media such as USB keys, hard drives, memory cards and DVDs has a number of risks associated with it and so should be carefully considered as an option before use.

Removable media can store vast amounts of information but, due to their design and portability, they are very easy to steal or lose. If the device contains sensitive data then it should be protected to prevent misuse.

If you find a device or are given data on removable media from an unknown source, do not connect it to your computer. It may contain malware that could infect your machine. 

Any removable media device that is used to store data should be password-protected and the information stored on it encrypted, to prevent misuse. And, if you must use a USB device, make sure it's not your only copy!

Using Cloud apps e.g. Eventbrite, Zoom, Wufoo, Doodle, Slack

As tools such as Eventbrite and Zoom have free versions that you can use to complete your work, they profit by buying and selling your data. Visit our cloud apps guidance webpage for more information. 

Data Loss Prevention

Sensitive data as defined by university policy needs to be protected from accidental disclosure. Data Loss Prevention helps Imperial achieve this by checking for sensitive data included in email and SharePoint Online when shared externally.

What type of data is being monitored?

Type            Example
UK Financial    Credit Card Numbers
                EU Debit Card Number
                SWIFT Code

If you do include any of the above sensitive information in your email or work and attempt to send it outside of the Imperial network, you will receive the below message:

 Data loss prevention warning

At this stage, this message is just a warning and no further action is required; your email will be sent as normal.

If you think you have received the above message in error, please contact the ICT Service Desk who will investigate further.