Please upgrade your browser

For the best experience, you should upgrade your browser. Visit our accessibility page to view a list of supported browsers along with links to download the latest version.

Information Security - Information Security Policy

This policy overarches all Information Security policies. It sets out the high-level expectations for anyone processing information (digital or physical) on behalf of the College, concerning learning, teaching and administration.

This policy was last reviewed by the Information Security Working Group in April 2020.

This policy was last approved by Information Security Working Group in April 2020.

Purpose and scope 

The Information Security policies provide everyone (e.g. students, staff, third parties) with clear and consistent instructions, on how to protect themselves, others and College IT assets (e.g. data and services) from ever-evolving cyber threats. The policies, associated processes and procedures help reduce information-related risk to tolerable levels. 

This document overarches all Information Security policies. It sets out the high-level expectations for anyone processing information (digital or physical) on behalf of the College, concerning learning, teaching and administration. 

Non-compliance puts everyone at risk (including the College) from cyber threats and legal and regulatory penalties. Therefore, this may lead to the removal of IT equipment, services and account privileges. In some cases, disciplinary measures might be pursued, which may also lead to legal action. A breach may result in damage to you, your colleagues and friends, such as loss of control over personal data, discrimination, identity theft or fraud and financial loss. 

Information security fundamentals 

Information and systems must remain secure and private. Everyone must agree to and uphold the following information security fundamentals: 

1. Consider and process information (e.g. confidential student record or restricted commercial document) according to the ''Information Handling Policy''; 

2. Safeguard information (according to its classification) with appropriate security measures (e.g. encryption) to protect against unauthorised access; 

3. Make information available only to those who have a legitimate right to access it; 

4. Report breaches of the information security policies to the IT Services; 

5. Take personal responsibility for IT resources (e.g. computers, accounts, storage) and use inline with the policies. 


Anyone using College services is personally responsible for protecting information and may be liable for any incidents that arise from a failure to take appropriate protective measures. Therefore everyone must read and adhere to the information security policies, including completing any mandatory training. 


Managers must ensure staff are aware of and comply with information security policies, complete mandatory training (including any additional training required for certain roles e.g. Finance), report non-compliance and maintain the confidentiality, integrity and availability of College information assets. 


IT Services does not routinely monitor internet usage, electronic communication, (e.g. email), documents (e.g. on Google Drive) or other digital information. Such information may be viewed where necessary to protect the rights, property, or personal safety and to preserve the integrity of systems (e.g. investigations as a result of a security breach) of the College, students and staff, or to comply with legal obligations, such as responding to requests from enforcement agencies, court orders, or other legal processes. 


Most College systems maintain transactions and events, this is required for operational management. They may include: 

● The geographic area where a device is using College websites, applications or services; 

● Device data such as type of software and hardware used, IP address, browser type and settings, date and times (e.g. creation, modification and erasure), language preferences, and cookie information. 


The College, each student and member of staff have an obligation to abide by all relevant legislation. Particularly: 

● Computer Misuse Act 1990; 

● Copyright, Designs and Patents Act 1988; 

● Data Protection Act 2018; 

● EU General Data Protection Regulation (GDPR) 2018 

● Human Rights Act 1998; 

● Regulation of Investigatory Powers Act 2000; 

● Terrorism Act 2006; 

● Counter-Terrorism and Security Act 2015. 

Data security breaches 

The College has 72 hours to notify the ICO of a reportable data breach. It is, therefore, essential you report data security breaches to the IT Services Desk ([email protected]) immediately to limit the impact to the College and individuals. 

Some examples of data security incidents are: 

● Loss or theft of confidential information (e.g. documents taken from a car or left in a cafe); 

● Loss or theft of equipment used to store confidential information (e.g. laptop, smartphone, USB stick); 

● Accidental or unauthorised disclosure of ‘confidential’ or ‘strictly confidential’ information (e.g. documents sent to an incorrect recipient or incorrect permissions to files); 

● Unauthorised modification of records; 

● A computer system or equipment compromise (e.g. malware, denial of service attack); 

● A compromised account (e.g. spoofing, hacking, shared password); 

● A compromised location holding confidential information or critical equipment such as servers. 

Third-party services 

Individuals must only use systems provided by IT Services for carrying out College business. In some circumstances, existing solutions may not meet requirements and therefore using third party services may be possible but only with the express permission from IT Services. 


The College uses Google services for the use of email, storing and sharing files in the cloud. Information uploaded to, read, modified and shared using these apps (e.g. Google Mail and Google Docs) are automatically encrypted to ensure the data is secure. Google undergoes regular independent audits on their data centres (e.g. cloud services), network, and operations (e.g. internal processes). Compliance is certified compliance through industry standards such as ISO 27,001 and 27,017. 

Google has recently confirmed that as a higher education client, our data will remain in the EEA from March 31, 2020. Google will, therefore, continue to process RCA data in a way that is compliant with both the GDPR and the DPA(2018). 

Personal information collected in the Core Services (e.g. Google Mail and Google Docs) is used only to provide the Core Services. Google does not serve ads in the Core Services or use personal information collected in the Core Services for advertising purposes. 

For more information, please read Google’s ‘G Suite for Education Privacy Notice’: 

Training and awareness 

The college will provide the necessary resources to help everyone meet their information security obligations. All staff must complete mandatory training, others may need to complete additional modules depending on their department or school and the confidentiality of the data they manage.

Information security policy suite 

Information Security Policy

Account and Password Policy

Acceptable Use Policy

Information Handling Policy

● Home and Remote Access to Services Policy. 

Related policies 

● Data Protection Policy; 

● Data Breach Policy. 

Information security guidance 

● Information security training (mandatory)

For more information or to provide feedback please email 

[email protected]

This page was last updated on 

21 May 2020

This page is reviewed and updated every 6 months.