Data Protection - quarantining process FAQs


All data on University systems needs to comply with data protection regulations and the University's own data retention guidelines. Files which do not comply may be moved into quarantine, and you will need to request access to them if they are still needed. This article answers some frequently asked questions about the quarantine process. 

About the project

  1. What are you doing?
    We will be moving files that have been held longer than retention guidelines allow to a secure quarantine area for a three-month period in accordance with GDPR (General Data Protection Regulations). Within this three-month period you can appeal to have your file to be restored within five working days. A backup of these files will be stored for a further nine months after the initial quarantine period to allow files to be appealed under exceptional circumstances. Please note this may take longer than five working days.  
  2. Why are you doing this?
    GDPR (General Data Protection Regulations) states that we should not hold on to data that we do not need, legally we cannot keep data that is outside of our data retention policy.  
  3. Why are you doing this now?
    Under GDPR, the University must be able to provide evidence of actions taken to meet its requirements for personal data held in all locations, including file stores. 
  4. What do I need to do to help the project succeed?
    The quarantine will happen in the background and you do not need to take any action unless you have a legitimate business reason for restoring access to a quarantined file. Communications have been sent out to you regarding this process. Find out more from the 'Related Articles' section. 

Back to top

Data

  1. What is personal data and how is it being scanned and identified? 

    Personally identifiable data (or personal data) is any data that can be used to identify an individual and can include:

    • Contact information (name, address, telephone number)
    • Financial information (bank account numbers, credit card information)
    • Personal characteristics (date of birth, age, gender)
    • Other sensitive information (political opinions, religious beliefs, sexual orientation)

    Data will be scanned and classified using the software tool to identify the types of personal data that exists in each file. No actual personal data will be revealed by this process, only the presence of personal data.

  2. Are you reading the contents of my files? 
    No, the software detects the presence of personal data that meets the criteria, but does not actively read, access, share or copy these files. 

Back to top

What files are covered by this process?

  1. What type of files are being looked at eg excel, word, media and zip files and password protected files? 
    All file types will be reviewed to ensure they are GDPR compliant.
  2. Which file locations are being looked at? 
    All files stored on M and N drives will be scanned. Data stored in other locations is not affected. 
  3. Are Documentum files being looked at?
    Yes.
  4. Does it cover email and attachments?
    No.
  5. Is (academic) research data or clinical data in scope? 
    No, however we acknowledge that whilst research data should not be stored on the M: drive as a long-term solution, that some research data may currently be stored on the M: drive. If this is the case, we would advise that a Data Management Plan is set up which includes provisioning to store the data on the Research Data Leeds repository in line with the Research Data Management Policy. Contact the Information Governance team if you believe you will be affected.
    Please note, it is still possible to have any affected research data restored to you even after quarantining commences if you let us know within 12 months of quarantining. We can then exclude that research data from future quarantining whilst you arrange to store the data within University policy outlined above.
  6. What is being done about hard-copy paper files to be compliant with GDPR?
    You should check through your old files and destroy any that are out of the data retention schedule, although this is outside the scope of this project.
  7. I have files that are only accessed occasionally but remain active/needed how can I protect them?
    Files that have been accessed in the past 120 days will not be part of this process. If you have files for which there is a clear business need which have not been modified in over seven years and not accessed in the past 120 days, we would advise that the Appeals Process (as outlined below) is followed to restore these files to their original location. Upon successful appeal of the relevant files, if these files are then accessed at least once every 120 days after they have been restored they will no longer be eligible for quarantining.
    Please note that if these files contain credit card information or passwords in clear text they will be quarantined regardless of age. This is a requirement of the credit card industry that enables us to accept payment by credit card. It is a University requirement for data security that passwords are not stored in clear text.

Back to top

About quarantine

  1.  When will quarantine being? Is it phased? 
    Quarantining will commence on 1 March 2023 for the M: and N: drives. The quarantining of files will be an ongoing process as additional files meet the criteria. 
  2. Will the process be phased – for example by department, age of data files or software system?  
    It is phased, with older files being moved into quarantine first across the University.  
  3. Will I be told which of my files have been moved into quarantine? 
    Not directly, if you click onto a file that is held in the three-month quarantine you will be given the opportunity to appeal the quarantining. Details of the quarantining and appeal processes can be found in the 'Data Protection and quarantined files' article (see 'Related Articles') in addition to communications that will go out regarding this process.
  4. What if I have folders with files that require exemption from quarantine?  
    If you have folders with files that require exemption from quarantine you will be able to fill in a Request for Exemption from Quarantine on Microsoft Forms. We anticipate this to be due to provisions within the Data Retention Schedule exceeding the quarantining criteria in place, however we acknowledge that additional justifications might exist. You will be asked within the form to provide justification.  
  5. A colleague I manage is on a period of absence (maternity/long term sick/secondment/field trip etc) what happens to their files?
    We understand these concerns and we have developed a twelve-month quarantine and back up strategy to give the maximum opportunity for appeals and restoration.
    The process moves any file that meets the above criteria to a secure quarantine location. The file will be held there for three months to allow individual appeals to take place if required.  All files will also be backed up for a further nine months as an additional safeguard.  This means it is possible to request a quarantined file anytime within a twelve-month period. This extended period should allow most people an opportunity to appeal files they still require. 

Back to top

Appeals process

  1. How do I recover a quarantined file?
    When you click on a file that has been quarantined you will be redirected to a SharePoint site. From there you will be able to submit a Microsoft form requesting the clicked file to be restored.
  2. What message will I see when I click on a file that has been quarantined?
    You will be directed to this Quarantine Message which you will need to follow if you wish to appeal a quarantined file.
  3. If a file is deleted through this process, will I still be able to recover it from the recycle bin?
    No. To recover the file you will need to follow the quarantine process set out above.  If a file is restored from the quarantine area, it will be moved back to its original location.
  4. What constitutes a valid appeal – what do I need to provide to make my case? 
    You will be required to provide a justifiable reason why a file that is out of retention should be retained. 
    Some possible reasons include:
    • Financial compliance (e.g. tax or VAT implications)
    • Legal disputes (e.g. salary disputes, employee disputes)
    • Business operations (e.g. ongoing projects, customer service)
    More information is provided on the Microsoft Form.
  5. If my appeal is denied, will I be able to respond before any deletion is carried out? 
    Yes, but it is best to provide all your justifiable reasons when appealing a file. It is important to add any information you feel is relevant to your request in the initial Microsoft form.
  6. How long will it take to get my quarantined file back? 
    If your appeal is successful, your file will be restored to its original location within five working days. The Secretariat will respond to all restore requests within four working days and if the appeal is upheld the quarantined file will be restored to its original location within a further working day.
  7. Will there be a limitation on files released from quarantine? And why? 
    Details of any limitations on files released from quarantine will be communicated as part of the process to restore the file to the user after a successful appeal.
  8. Can I appeal all my files at once?
    No. Each file must be appealed individually with a separate business case made. Each case and each file will be considered on its own merits. 
  9. Does the request to restore a file freeze the three-month quarantining period?  
    No. However, at the end of initial three month quarantine period, an appeal is still possible for a further nine months. However the time to restore a file may be longer than five working days. At the end of this twelve month period it is no longer possible to restore a file.

Back to top

More information

  1. How do I contact if I have any further questions?
    Please contact the Information Governance team via dpo@leeds.ac.uk

Back to top