Everyone who handles sensitive information at work has a responsibility to safeguard it against theft, loss or any other inappropriate use.
This guide is intended as a gateway to more detailed and specialist advice and guidance around UCL to help you protect the information you use. If you carry out research at UCL, you should also read the guidance specifically intended for researchers.
If you have any comments or concerns, you are invited to contact in the first instance Colin Penman, UCL Records Manager.
Records must be accurate and complete. They should be compiled at the time of the event or transaction to which they relate, or as soon as possible afterwards, and protected from unauthorised alteration or deletion.
You should use standardised referencing and titling, so that information can be promptly identified and retrieved, naming conventions to ensure the consistent use of terms, and version control so that different versions can be distinguished and the latest version readily identified.
Creation, use and disposal of information in all forms and formats is controlled by the UCL Records Management Policy. All departments are required to have adequate systems and procedures for managing their records, ensuring their integrity, security and safe disposal. The UCL Records Office provides guidance on managing paper and electronic records.
The UCL Information Security Policy defines the security infrastructure for the university's information systems. It includes the Data Protection Policy, which applies to personal data, email, portable storage devices and encryption.
Where to keep information
Electronic records should be held on departmental shared drives, with appropriate access controls: passwords on individual documents should not be used. Storage of data on hard drives (the 'C' drive) is not acceptable.
Take care when considering using third party services, often known as 'cloud computing'. These include services such as Dropbox and Google Drive. As they come with little guarantee of continuity of service, you should either agree a contract with the provider, or ensure you have a backup copy of your data within UCL. Personal data may not be stored with such providers without specific contractual provisions, and absolutely no sensitive personal data may be stored with them. At all times you should follow the Guidelines contained in the Information Security Policy.
You should keep paper records close at hand within your immediate office space if you use them frequently, and records you use occasionally or which need to be retained for legal or regulatory reasons off-site. Local filing rooms or 'archives' must not be used. Off-site storage is managed by the Records Office: third party storage services are not permitted.
You must take appropriate measures to protect personal data from unauthorised disclosure and loss.
It is rarely necessary to download personal data to portable storage devices, or take manual records off site. Where it is unavoidable, it must be authorised in writing by the Data Owner, who should justify the need. Data downloaded to portable devices must be strongly encrypted, following the Computer Security Team's guidance.
Losses of personal and other sensitive data must be reported to your Departmental Data Protection Coordinator and the UCL Data Protection Officer. Security-related incidents should also be reported to the Computer Security Team. Loss or unauthorised disclosure of information, or failure to report it, may be treated as a disciplinary matter, up to and including gross misconduct.
Email is not a wholly secure means of communication, and you should exercise great caution before using it to transmit personal data. As for any sensitive data, personal data should be encrypted before being transmitted by email, and personal names should not be included in the Subject line. The minimum information necessary should be transmitted. Consult the UCL Policy on Electronic Mail and related Guidelines before using email to send personal data.
Handover and disposal
Records should be disposed of when they are no longer needed. The UCL Retention Schedule describes how long records should be held (this is currently in draft form, but will shortly be issued as UCL policy).
When staff are due to leave UCL, managers should ensure as part of the handover process that the records they use will be accessible to colleagues. Any work-related documents held in personal folders should be transferred to the shared drive. Further guidance can be found in the Information Security Policy.
The UCL Records Office manages off-site storage of records which need to be kept, but are not in frequent active use: no other storage providers are permitted.
Failure to comply with UCL policies and, where relevant, those of the NHS Trust where you work, could lead to disciplinary action, civil action, or criminal prosecution. If you hold an honorary contract with an NHS Trust which is subsequently withdrawn by the Trust, your contract with UCL may also be terminated.