Information Security - Information Handling Policy
Purpose and scope
The Information Security policies provide everyone (e.g. students, staff, third parties) with clear and consistent instructions, on how to protect themselves, others and College IT assets (e.g. data and services) from ever-evolving cyber threats. The policies, associated processes and procedures help reduce information-related risk to tolerable levels.
The College has various information assets (meaningful data that has value to the College, e.g. a student record). They can take both physical and digital forms such as a paper file or a Microsoft Word or Google document. Everyone must take adequate steps to prevent accidental or deliberate disclosure and unauthorised access. The level of protection required is proportionate to its classification (more sensitive data requires additional security measures; for example, sensitive personal data such as ethnicity or religion must be encrypted and strict permissions maintained at all times - see below for more information on classifications).
Non-compliance puts everyone at risk (including the College) from cyber threats and legal and regulatory penalties. Therefore, this may lead to the removal of IT equipment, services and account privileges. In some cases, disciplinary measures might be pursued, which may also lead to legal action. A breach may result in damage to you, your colleagues and friends, such as loss of control over personal data, discrimination, identity theft or fraud and financial loss.
Schools and Professional Service must have one named individual (information asset owner) to take accountability for information assets. This individual will be expected to ensure that everyone who accesses personal data is suitably trained and guided on how to protect this data. Managers (information asset managers) are responsible for processing (e.g. usage, storage, sharing and destruction), protection and record-keeping of all confidential information assets.
This policy sets out standards and guidelines to assist individuals with the processing of information assets. Compliance with this policy will help the College meet its legal requirements.
Managers must periodically audit and assess the risk to information assets to determine the sensitivity in order to apply appropriate security measures.
The College defines its information assets as one of the following classification types:
Available to anyone (including members of the public). Such information should be stored on College systems where possible to maintain availability and appropriate management of data.
Impact of disclosure
Little to no damage.
Access is restricted and limited to an authorised group. Information in this class may include but is not limited to:
● commercially or financially valuable information;
● student coursework and exam scripts;
● internal reports;
● general research data held;
● Protected Personal Information (information that links an identifiable individual with information that, if released, would put them at significant risk of harm or distress);
● any source of information relating to a substantial number of individuals.
Impact of disclosure
Moderate to significant reputational and financial damage.
Strictly confidential information
Access is restricted to a small, named group, regularly reviewed and requires additional protection. Information in this class may include but is not limited to:
● protected Personal Information (special category data);
● research data covered explicitly by patent or legal agreement;
● information protected by clauses in commercial contracts;
● evidence of criminal activity;
● highly sensitive financial information.
Impact of disclosure
Significant to substantial reputational and financial damage.
The College maintains a Record of Processing Activity (ROPA) to conform with the GDPR. The ROPA outlines third parties that process data, on behalf of the College (for example Student Finance England, who process the student loans that the students can apply for to study at the College).
When new data processors are engaged, the College will choose processors with sufficient guarantees as to their technical and organisational measures. If advice is needed in relation to the engagement of data processors, please contact the Data Protection Officer or Information Security Manager.
● Information should only be shared with authorised individuals;
● Only College approved storage should be used (e.g. Google Drive) to share and manage data;
● Before sharing data with third parties, the College shall ensure that the third party has adequate information security policies in place. A data processing agreement may be required;
● The method of sharing should be considered as not all systems are considered secure (e.g. sending confidential information by email can be intercepted, and easily sent to the wrong person);
● Consider the type and volume of data and the impact of improper disclosure;
● Confidential information must be protected (e.g. encrypted) when sent outside the organisation or transferred to external media (e.g. a memory stick).
● Do not keep information on local computer drives (e.g. 'C drive' or local 'My Documents' folder). Use College approved storage such as Google Drive or the network file share;
● Keep confidential paper records secure (e.g. a locked cabinet);
● Do not use a USB drive as a permanent storage solution. They should only be used to store non-confidential data for short periods.
Disposal● Securely erase (shred paper copies or use confidential waste bins) confidential information according to retention periods or when no longer needed.
Information security policy suite
● Data Protection Policy;
● Data Breach Policy.
Information security guidance● Information security training (mandatory)
For more information or to provide feedback please email
This page was last updated on
21 May 2020
This page is reviewed and updated every 6 months.