All transfers of data should be risk-assessed, taking into consideration both the classification of the information being transferred and the security conditions of the transfer itself.
Information that is classified as 'highly restricted' or 'secret' should never be transferred without mitigating controls. A 'transfer' can mean making a copy of a file, saving data to a new location, emailing information within or outside UCL, and even conveying information by telephone.
Mitigating controls are security features such as encryption (which might be applied at the hardware level, to the file itself, or to the channel, for example by sending the data over the UCL VPN), using devices that are physically secure, using devices that run anti-malware, and using supported operating systems rather than older, unsupported versions of Windows and the like. When transferring to third parties, it is our responsibility to obtain assurance from the recipient that they apply mitigating controls to sensitive data. Staff should seek evidence of those controls and require a contract to be signed before making a transfer.
When transferring to a third party, data classified as 'restricted' or above should be covered by a formal agreement to handle the data in line with, if not with explicit reference to, UCL's Information Security Policy. Data classified as 'highly restricted' or 'secret' require a formal contract and a clear legal basis for the transfer to the third party. In research, contracts for transferring personal data can be agreed at the outset, when the protocol is agreed, or during the study. The UCL Data Protection Office supports the requirement for contracts for transferring personal data in either situation.
If a contract is required to transfer data outside of UCL or UCL is required to sign a contract to