Data must be protected and backed up, the retention of personal data is subject to General Data Protection Regulations (GDPR), and all suspected or actual security breaches must be reported immediately.
Data should be stored where it will be backed up - on network directories (M: or N: drives) or the University's approved cloud services. Classified information, as defined within the University’s Information Protection policy, is subject to restrictions on where it can be stored and may need to be encrypted.
Data should not be transferred to devices (home computers, laptops, tablets, mobiles) or removable media (external hard drives, usb sticks, etc) unless the requirements of that policy are fully met and the device/media is fully secure.
You should delete all information, including emails, which contain personal data beyond the period defined in the Records Retention Schedule as keeping this is unlawful. Failure to do so may result in the University receiving penalties under the General Data Protection Regulations (GDPR). More information on data protection and retention schedules can be found on the University’s data protection website.
It is really important that all actual or suspected security breaches are immediately reported. This allows the University to take necessary steps to prevent a breach or to minimise the potential impact of a breach.