Data protection

Find out more about how the College protects data by visiting the Data Protection web pages.

Making the wrong choices when storing or sharing data can lead to data losses and leaks, resulting in serious repercussions for you and for Imperial College London. It is vital that sensitive information is adequately protected. The College recommends that you protect all data and files as best as you can, but pay particular attention to how you manage sensitive information. 


What is sensitive information?

This kind of data is considered sensitive and should be encrypted:

  • commercially sensitive administrative or planning data
  • commercially sensitive research data
  • personal data covered by the Data Protection Act (see Information Governance Policy Framework for more information)
  • personal financial data (read our Data Loss Prevention practices)
  • Patient Identifiable Data held for research purposes (see Code of practice 2 for full policy)
  • data protected by confidentiality agreements with third parties.

Visit the Data Protection Policy web page for details of each policy.

How to save and share your files securely

Read Imperial's recommendations on saving and sharing data:

  1. Saving files and data
  2. Sharing and collaboration

OneDrive for Business is one of the options for saving personal files securely. It is authenticated to meet the College's high standards for data security and resilience, ensuring compliance with ISO27001, HIPAA and FISMA, the US-EU Safe Harbor framework and the EU Data Protection Directive model clauses. Our contract with Microsoft ensures that data is only held in the EU. Your data can only be accessed or viewed by you as the owner of the file, or by those you choose to give permissions to for collaboration, and not by Microsoft or anyone else.

Saving your data with other providers (e.g. Google, Dropbox etc.)

There are benefits to using cloud storage providers, including the ability to easily share and sync documents across multiple devices and potentially with external collaborators. However, many consumer web-based cloud storage providers (Dropbox, Google Drive etc.) do not encrypt (protect) data adequately. This means data could be accessed, shared or lost, and there have been a number of high-profile cases of personal data infringements reported in the press due to storing data and photos on cloud platforms.

Data stored with cloud service providers is outside of your control, meaning that the company could change their terms and conditions or upgrade their hardware or software without your permission or knowledge. In the past, problems with upgrades have caused data to be exposed on the Internet. Your data may be stored outside the European Union, meaning that it is subject to local, not UK, law. This could enable third parties in other countries to access your data.

Access to cloud storage data could also be removed at any time and this is also outside of your control. This could result in your account and any related data being deleted. So, if you are storing sensitive or confidential College data on one of these platforms, you may be breaching College policy. This could result in legal action and fines against you and the College.

Encrypt data stored in the cloud

Encrypting data makes the information unreadable. It can only be read by using a secret key to unlock it, a process called decryption. If you do use Dropbox or Google Drive, you run the risks above. However, to offer some level of protection, we recommend that you use nCrypted Cloud, software which encrypts your data by scrambling its contents so that third parties and unauthorised users cannot read it. Find out more by visiting our Encrypt and protect your data web pages.

Removable media (USB keys, hard drives, memory cards, DVDs etc.)

Using removable media such as USB keys, hard drives, memory cards and DVDs has a number of risks associated with it, so it should be carefully considered as an option before use.

Removable media can store vast amounts of information but, due to their design and portability, they are very easy to steal or lose. If the device contains sensitive data then it should be protected to prevent misuse.

If you find a device or are given data on removable media from an unknown source, do not connect it to your computer. It may contain malware that could infect your machine. 

Any removable media device that is used to store data should be password-protected and the information stored on it encrypted, to prevent misuse. And, if you must use a USB device, make sure it's not your only copy!

Using Cloud apps e.g. Eventbrite, Zoom, Wufoo, Doodle, Slack

More and more members of the College are making use of free tools such as Eventbrite and Zoom to do work. However, as these tools are free, they profit by buying and selling your data. Visit our Cloud apps guidance web page for more information.

Data Loss prevention

Sensitive data, as defined by College policy, needs to be protected from accidental disclosure. Data Loss Prevention helps Imperial College achieve this by checking for sensitive data included in email and SharePoint Online when it is shared externally.

What type of data is being monitored?

Type: UK Financial

Examples:

  • Credit Card Numbers
  • EU Debit Card Number
  • SWIFT Code

If you do include any of the above sensitive information in your email or work and attempt to send it outside of the College network, you will receive the below message:

 Data loss prevention warning

At this stage, this message is just a warning and no further action is required. Your email will be sent as normal.

If you think you have received the above message in error, please contact the ICT Service Desk, who will investigate further.