Keeping your information secure

BU has guidance on keeping you and BU safe, along with other useful guidance and policies on protection against unauthorised recording, access, use, disclosure, modification, loss or destruction of information. If you intend to use mobile devices, please refer to the Mobile Device Security Guide (staff version) or Mobile Device Security Guide (student version).

The Data Protection Legislation comprises the EU General Data Protection Regulation and the UK Data Protection Act 2018. It sets out the circumstances in which, or purposes for which, personal data can be processed and the safeguards which must be applied to such processing. To keep up to date on the latest developments, visit Data Protection and online training resources.

Recognise a data breach – A data breach is a security incident in which information is accessed without authorisation. If you’re ever concerned about a potential data breach at BU, it’s important to call the IT Service Desk as quickly as possible on 01202 965515 (option 1).  See Policy for more details.

If you’re collecting data outside of the UK, you need to be aware of restrictions regarding the transfer of data to and from the UK. To help navigate this complicated area of law, there is a useful website, https://www.dlapiperdataprotection.com (made available by DLA Piper), which compares data protection laws from around the world; for the transfer of data please click on the tab ‘Transfer’.

Useful Documents

  • Research Ethics Code of Practice
  • Data Protection at BU – link to guidance and BU policies (including how to report a data breach – this includes ‘near misses’).
  • Research Data Management
  • Mobile Computing Policy
  • Information Security Policy
  • Mobile Device Security Guide (Staff)
  • Mobile Device Security Guide (Student)
  • Information Classification Policy – see Information Classification Types (also see flow chart) for further details in relation to classification (Public, Non-Sensitive, Restricted and Confidential), risk level (none, low, medium and high), types of information (for example racial or ethnic origin of an individual, research data containing identifiable information and data which contains highly sensitive private information about living individuals), general handling methods (BU-provided Office 365, external ‘Cloud’ storage, file sync provider or non-university contract (e.g. individually set up Dropbox account and personal OneDrive account)), email and file transfer ( ), saving and storing files (BU desktop PC drives in non-public areas, BU desktop PC drives in public areas, personally owned desktop PC drives, BU owned laptop, BU owned smartphone or tablet, personally owned laptop, personally owned smartphone or tablet, networked storage I, networked storage H, small capacity portable storage USB, CD, large capacity portable storage devices e.g. external hard drive, Faculty/Department based server, other IT Services maintained service e.g. database) and storing paper records (paper copies, printing and copying).
    • Example of how to treat data which includes collecting identifiable medical details (relating to physical or mental health) – Type of Information
      • This information should be treated as confidential (classification) and the risk is high (risk of inappropriate disclosure could cause great distress to an individual and significant damage to BU’s reputation)
      • Sharing this information should be restricted or included as part of a data sharing agreement; data kept up to date and stored in restricted areas, access limited and securely destroyed (as appropriate) – if retaining for research, safeguards must be applied.
      • Handling guidelines
        • Online Collaborative spaces and cloud storage would be BU-provided Office 365 only where specifically set up for this level of security with restricted recipients
        • Email and File Transfer
          • From: @bmth.ac.uk to @bmth.ac.uk – marked confidential and double check recipient
          • From: @bmth.ac.uk to @xxx.xxx – marked confidential and double check recipient (attachments encrypted) – note: auto-forwarding to a personal email account from your BU account is NOT PERMITTED
          • From: @xxx.com (hotmail, gmail) to @xxx.xxx – NOT PERMITTED. University business must be conducted via your university email account.
          • Sending a personal email from BU hosted email account – In line with the Electronic Communications policy personal use of business email should be clearly labelled as personal and will be subject to the terms of the Acceptable Use Policy and the Code of Practice – Use of Communication Facilities (C7 – Section 3.3)
          • File transfer – Only as password protected attachment marked strictly confidential and double check recipient.
      • Saving and Storing Files (see Information Classification Types for details about using smartphone, I drive etc)
        • BU desktop PC drives in non-public areas (e.g. staff centre) – lock screen when unattended, consider appropriate backup but no storage or creation permitted on device.
        • BU desktop PC drives in public areas (e.g. Open Access Centre) – high risk of incidental disclosure (use university desktop PC in a non-public area). Do not use for this type of information.
        • Personally owned desktop PC drive – No storage or creation permitted on device. May be used for read-only remote connection to access files if used in a private environment. Encrypt drive. Do not download files to device. Do not leave logged in and unattended. Clear browser cache after read-only use.
        • BU owned laptop – encrypt device, use secure remote connection to access files and avoid download or storage, do not use to store master copy of vital records, do not work on files in public areas, do not leave logged in and unattended, do not share use of device with non-university staff, consider back up requirements
      • Storing paper files:
        • Do not take into public areas; keep in a locked filing cabinet in a lockable office (when left unattended); do not leave out on your desk.
        • Working off site – if papers need to be taken off site, a backup copy must be made beforehand; alternative – create as/convert to electronic documents and use secure remote connection with permitted device.
        • Presumption is that confidential papers are not taken offsite.
        • If printing, documents should be marked confidential. Printed copies should be sealed in envelopes marked ‘confidential’.

Useful links on the anonymisation of data and the use of anonymised data:

Research Data Management (RDM)

BU aims to make our research data as openly accessible as possible. Data will be registered and discoverable via BORDaR, BU’s research data repository. To find out more, please visit our website or, if you have any queries, please contact the RDM team by email at bordar@bournemouth.ac.uk.

External Resources

  • UKRI GDPR and Research – An Overview for Researchers.  Compiled with the support of the Information Commissioner’s Office, the UKRI have provided a GDPR overview for researchers, which sets out guidance and signposts to further sources of information.