The legal landscape for Data Protection has changed since April 2016 and the Data Protection Act 1998 will be replaced by the General Data Protection Regulation (GDPR).
Under the new law, financial sanctions include fines of up to €20 million, or 4% of annual global turnover, whichever is greater, in the most recent financial year for each breach. This level of financial penalty and the ensuing negative publicity can potentially cause serious harm to an organisation’s goodwill, reputation and financial well-being.
It is everybody’s responsibility to ensure that all personal data is well protected. Personal data includes, but is not limited to:
- Racial or ethnic origin
- Political opinions
- Religious Affiliations
- Philosophical beliefs
- Trade union membership
- Data concerning health, sex life and sexual orientation
- Genetic data
- Biometric data where processed to uniquely identify a person
Even online identifiers, including IIP addresses and cookies, may be regarded as personal data if they can identify someone. Access to personal data should follow PoLP (Principle of Least Privilege) and should only be shared where there is a legitimate need and clear justification. Any repository that could contain personal/sensitive data should be treated as if it does.
- Never send sensitive data via unencrypted email, FTP, telnet, unencrypted web forms, other plaintext services or wireless networks.
- Personal data must only be processed where there are fair and lawful grounds to do so.
- Personal data may only be processed, moved, disposed of, deleted and stored in secure and/or encrypted environments.
- Personal data should only be accessible to users where there are fair and lawful grounds to do so.
- Computers logged into secure databases and other secure repositories of personal data should never be left unattended.
- Never allow another person to access the university’s network using your username and password.
- Inform CUC ICT services immediately if your computer has been contaminated by viruses or other malware.
• Report all suspected security breaches immediately to CUC ICT Services.
• Never loan your IT equipment intended for work purposes (laptop, tablet, smartphone, data storage etc.)
• Never allow others to access removable storage devices, e.g. ash drives or CDs, where sensitive data might be stored.
• When securing data by password, use strong, alphanumeric passwords (with a minimum of six characters)
or passphrases (sentences of mixed letters and numbers).
• When working from home use VPN or CU2work to access CUC resources.
• Do not save/store personal
data on local hard drives, removable drives, unsecured servers and home computers.
• When leaving desks/areas of work, always lock computers, no matter how short the time away might be.
If you require further information or assistance with encryption of data please contact our ICT Services Manager via firstname.lastname@example.org.