Data Protection - Quarantining Process FAQs


To ensure compliance with data protection regulations and the University's data retention schedule (which has been written in accordance with operational and legal requirements), all data stored on University systems must adhere to these guidelines. Files that do not meet these requirements may be quarantined. If you require access to these files, you will need to submit a request.

About the project

  1. What are you doing?
    We will be moving files that have been held longer than retention guidelines allow to a secure quarantine area for a three-month period in accordance with UK GDPR (General Data Protection Regulations). During this period you have the right to appeal for the restoration of your file. This will be restored to its original location within five working days if you appear is successful.
    A backup of these files will be stored for twelve months from the date of the initial quarantine period to accommodate appeals under exceptional circumstances. However, if an appeal is made after the initial three-month quarantine period, the restoration process may exceed the standard five working days.
  2. Why are you doing this?
    We're conducting this process to comply with UK GDPR regulations and our data retention schedule, which outlines the specific time periods for data retention at the University. This approach ensures adherence to both operational needs and legal requirements, including data protection legislation.
  3. Why are you doing this now?
    Under UK GDPR, the University must be able to provide evidence of actions taken to meet its requirements for personal data held in all locations, including file stores. 
  4. What do I need to do to help the project succeed?
    The quarantine will happen in the background and you do not need to take any action unless you have a legitimate business reason for restoring access to a quarantined file. Communications have been sent out to you regarding this process. Find out more from the 'Related Articles' section. 

Back to top

Data Classification

  1. What is personal data and how is it being scanned and identified? 
    Personally identifiable data (or personal data) is any data that can be used to identify an individual and can include:
    • Contact information (name, address, telephone number)
    • Financial information (bank account numbers, credit card information)
    • Personal characteristics (date of birth, age, gender)
    • Other sensitive information (political opinions, religious beliefs, sexual orientation)
    Data will be scanned and classified using the Varonis software tool to identify the types of personal data that exists in each file. No actual personal data will be revealed by this process, only the presence of personal data.
  2. Are you reading the contents of my files? 
    No, the software detects the presence of personal data that meets the criteria, but does not actively read, access, share or copy these files. 
  3. What specific criteria determine which files are quarantined, in line with security and data protection regulations?
    Any file of any age that appears to contain credit card account numbers. That is 16-digit numbers found in conjunction with terms associated with credit card providers (such as ‘Visa’ or ‘Mastercard’) (PCI DSS - Payment Card Industry Data Security Standard requirement).
    Any file of any age that appears to contain passwords. That is character strings containing a mixture of upper case, lower case, numbers, and/or special characters. These are often found in the context of the word 'password' or its variants (University requirement).
    Any file containing personally identifiable data that has not been modified in over seven years and not accessed in the last 120 days (UK GDPR requirement).
  4. What type of files are being looked at eg excel, word, media and zip files and password protected files? 
    All file types will be reviewed to ensure they are UK GDPR compliant.
  5. Which file locations are being looked at? 
    All files stored across the M and N drives and M365 (OneDrive and SharePoint) will be scanned. Data stored in other locations is not affected. 
  6. Are Documentum files being looked at?
    Yes.
  7. Does it cover email and attachments?
    No.
  8. What is being done about hard-copy paper files to be compliant with UK GDPR?
    You should check through your old files and destroy any that are out of the data retention schedule, although this is outside the scope of this project.
  9. I have files that are only accessed occasionally but remain active/needed how can I protect them?
    Files containing personally identifiable information (PII) that have been accessed in the past 120 days will not be part of this process. If you have files for which there is a clear business need which have not been modified in over seven years and not accessed in the past 120 days, you may wish to request for exemption from quarantining via the following Microsoft Form specifying the clear business need.
    Please note that if these files contain credit card information or passwords in clear text they will be quarantined regardless of age. This is a requirement of the credit card industry that enables us to accept payment by credit card. It is a University requirement for data security that passwords are not stored in clear text.
  10. How does the quarantining process comply with legal obligations such as the UK GDPR and PCI DSS? 
    The quarantining process is designed to ensure that the University complies with data protection regulations, including the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS). The process involves scanning all files on the University's systems for personal data and moving files that meet the criteria in place to a secure quarantine area. This process is automated and does not involve human access to the files, ensuring the privacy of individuals is maintained. The quarantining process is part of the University's broader commitment to data protection, ensuring that personal data is handled in a way that is secure and compliant with legal obligations.
  11. I have seen that the OneDrive policy has been updated to remove the right to store personal data on it. How does that affect me? 
    The new OneDrive policy means that personal (see definition below) usage of University OneDrive  is no longer permitted. This means that personal files should not be stored on the University's OneDrive. All files on the University's OneDrive, including those synced from your personal device, will be scanned. If files that meet the criteria for quarantining are located, they will be moved to a secure quarantine area within the University's systems. The Varonis software used in this process is designed to detect the presence of personal data that meets specific criteria but does not actively read or access these files. This ensures that your personal data remains private and secure. For more detailed information, please refer to the OneDrive FAQs.
  12. How is personal usage defined in contrast to institutional data, which is permitted on OneDrive? 
    Personal usage refers to the storage of files or data that are not related to your work or studies at the University. This could include personal photos, documents, or other files that are not directly connected to your role or course. In contrast, institutional data refers to data that contributes to or supports the University's ongoing operations, projects, or academic responsibilities. This can include data that is not strictly necessary for the University's functioning but is still relevant to its activities. Examples of institutional data could include research data, student records, administrative documents, and other data that supports the University's operations. The new OneDrive policy permits the storage of institutional data on OneDrive because these files support the University's operations. However, personal files should not be stored on the University's OneDrive under the new policy. This helps to ensure that the University's systems are used appropriately and helps to maintain the security and privacy of personal data.

Back to top

Research Data

  1. Is research data in scope for quarantining?
    No. However, we acknowledge that the shared network drives (M: and N: drives) and M365 environment (OneDrive and SharePoint) are being used for storing research data in certain instances. The University has been diligently working to identify and exempt research data from the quarantine process, ensuring it remains safe.
    To ensure that your research data is not at risk of deletion all data being quarantined that potentially contains research data is being kept in a secure and restricted location to allow it to be restored to affected users if we are notified that it contains research data.
  2. How is research data being identified and exempted from the quarantine process?
    Any folder with the word 'Research' in its title, along with its subfolders, has been exempted. Additionally, folders known to contain research data have been identified and exempted based on existing knowledge and feedback from the research community.
  3. How can I ensure that my research data is exempted from the quarantining process?
    You can inform the Information Governance Team of any folder locations containing research data not already within a parent folder labelled with the word 'Research' by filling out the Microsoft Form - Request for Exemption from Quarantine. Alternatively, you can rename the parent folder containing your research data to include the word 'Research' in the folder name.
  4. What is the deadline for submitting requests for exemption or renaming folders?
    The deadline for submitting requests for exemption or renaming folders is before Thursday 3 August 2023 when quarantining for Personal Identifiable Information (PII) begins.
    It is important to note that your research data is not at risk of deletion. However, to ensure that you maintain continuity of your research data and do not have to request to restore it from quarantining, it is advisable to submit your requests or rename folders before the deadline.
  5. How can I confirm if my research data has already been exempted?
    Contact the Information Governance Team with the folder location to confirm whether your research data has already been exempted.
  6. What happens to research data that is inadvertently quarantined? 
    If research data is inadvertently quarantined, it is stored in a secure and restricted location indefinitely. This allows for the possibility of restoration if it is later identified that the quarantined data contains research information. We understand the importance of research data availability and the potential implications of any disruption. Therefore, in the event that the availability of research data is impeded due to the quarantining process, we will prioritize the restoration of the data as quickly as possible to minimize any disruption to research activities. We are aware of the potential need to notify relevant parties about the availability of research data, and we will act swiftly to ensure that the risk of this is minimized.

Back to top

About quarantine

  1.  When will quarantine begin? Is it phased? 
    Quarantining began on 1 March 2023 for the M: and N: drives. This process will continue with quarantining for M365 (OneDrive and SharePoint) commencing on Wednesday 5th July, 2023. The quarantining of files will be an ongoing process as additional files meet the criteria. 
  2. Will the process be phased – for example by department, age of data files or software system?  
    It is phased, with older files being moved into quarantine first across the University.  
  3. Will I be told which of my files have been moved into quarantine? 
    Not directly, however if you click onto a file that has been quarantined, you will be given the opportunity to appeal the quarantining. Details of the quarantining and appeal processes can be found in the 'Data Protection - Quarantining process' article (see 'Related Articles') in addition to communications that will go out regarding this process.
    Furthermore, you can contact the Information Governance team at any time with the file paths of the work areas relevant to you. We can then provide you with a list of all files due to be quarantined for your area. This will allow you to review the files and take necessary action.
  4. What happens if files that I require are quarantined? 
    If your files are quarantined, they are not permanently deleted. You have the right to appeal for the restoration of your file within a three-month period. If successful, the file will be restored to its original location. Furthermore, a backup of these files will be maintained for twelve months from the date of the initial quarantine, allowing for appeals under exceptional circumstances.
  5. What if I have files that need to be exempted from quarantine?  
    If you have folders with files that require exemption from quarantine you will be able to fill in a Request for Exemption from Quarantine on Microsoft Forms. We anticipate this to be due to provisions within the Data Retention Schedule exceeding the quarantining criteria in place, however we acknowledge that additional justifications might exist. You will be asked within the form to provide justification.  
  6. A colleague I manage is on a period of absence (maternity/long term sick/secondment/field trip etc) what happens to their files?
    We understand these concerns and we have developed a twelve-month quarantine and back up strategy to give the maximum opportunity for appeals and restoration. The process moves any file that meets the above criteria to a secure quarantine location. The file will be held there for three months to allow individual appeals to take place if required. All files will also be backed up for twelve months from initial quarantining as an additional safeguard. This means it is possible to request a quarantined file anytime within a twelve-month period from initial quarantining. This extended period should allow most people an opportunity to appeal files they still require.

Back to top

Appeals process

  1. How do I recover a quarantined file?
    When you click on a file that has been quarantined you will be redirected to a SharePoint site. From there you will be able to submit a Microsoft form requesting the clicked file to be restored.
  2. What message will I see when I click on a file that has been quarantined?
    You will be directed to this Quarantine Message which you will need to follow if you wish to appeal a quarantined file.
  3. If a file is deleted through this process, will I still be able to recover it from the recycle bin?
    No. To recover the file you will need to follow the quarantine process set out above.  If a file is restored from the quarantine area, it will be moved back to its original location.
  4. What constitutes a valid appeal – what do I need to provide to make my case? 
    You will be required to provide a justifiable reason why a file that is out of retention should be retained. 
    Some possible reasons include:
    • Financial compliance (e.g. tax or VAT implications)
    • Legal disputes (e.g. salary disputes, employee disputes)
    • Business operations (e.g. ongoing projects, customer service)
    More information is provided on the Microsoft Form.
  5. If my appeal is denied, will I be able to respond before any deletion is carried out? 
    Yes, but it is best to provide all your justifiable reasons when appealing a file. It is important to add any information you feel is relevant to your request in the initial Microsoft form.
  6. How long will it take to get my quarantined file back? 
    If your appeal is successful, your file will be restored to its original location within five working days. The Secretariat will respond to all restore requests within four working days and if the appeal is upheld the quarantined file will be restored to its original location within a further working day.
  7. Will there be a limitation on files released from quarantine? And why? 
    Details of any limitations on files released from quarantine will be communicated as part of the process to restore the file to the user after a successful appeal.
  8. Can I appeal all my files at once?
    No. Each file must be appealed individually with a separate business case made. Each case and each file will be considered on its own merits. 
  9. Does the request to restore a file freeze the three-month quarantining period?  
    No. However, at the end of initial three month quarantine period, an appeal is still possible for a further nine months. However the time to restore a file may be longer than five working days. At the end of this twelve month period it is no longer possible to restore a file.

Back to top

More information

  1. How do I contact if I have any further questions?
    Please contact the Information Governance team via dpo@leeds.ac.uk

Back to top