Data Protection - Quarantining process

All data on University systems needs to comply with data protection regulations and the University's own data retention schedule. Files which do not comply may be moved into quarantine, and you will need to request access to them if they are still needed. 

What data is affected? 

Data protection regulations, which include the General Data Protection Regulation (GDPR) and Payment Card Industry (PCI) standards, as well as the University’s own data retention schedule, state that personal data can only be retained with a lawful basis and for a specified period of time. 

Personally identifiable data (or personal data) is any data that can be used to identify an individual and can include: 

  • Contact information (name, address, telephone number)
  • Financial information (bank account numbers, credit card information)
  • Personal characteristics (date of birth, age, gender)
  • Other sensitive information (political opinions, religious beliefs, sexual orientation) 

In December 2021 the University installed a tool called Varonis to scan all of the University files on the M: and N: drives and SharePoint Online in order to identify where personal, credit card and password data is being held in files. 

What is the quarantining process? 

The Information Governance team have determined that files which meet the following criteria should be quarantined for security and data protection reasons:

The Varonis software detects for the presence of personal data that meets these criteria but does not actively read or access these files. 

Any file that meets the above criteria will be moved to a secure quarantine location. The file will be held there for three months to allow individual appeals to take place if required.  All files will also be backed up for a twelve months from the initial quarantine date as an additional safeguard. If the appeal is approved after the file has been deleted from the quarantine location, it can still be restored during this backup period. 

What does this mean for me? 

Most of your files will be unaffected. If you do have a file which meets the criteria above, when you click on it you will be redirected to a University SharePoint site saying the data has been quarantined and explaining how to request that a file is restored. From there you will be able to submit a Microsoft Form to request a quarantined file to be restored. 

How do I request a quarantine file is restored? 

Full details of how to request the restoration of a file will be on the Microsoft Form which is link from the message you will be directed to when you click on a quarantined file. If you require a quarantined file to be restored, please fill out the following Microsoft Form:  

Request for Quarantined File

What happens after l raise a request?

The appeals process is outlined in the attached PDF and described below. 

Once you have completed the request via Microsoft Forms you will receive a confirmation email and the request will be reviewed by the Information Governance team within four working days, after which you will be notified of the outcome. If your appeal is upheld it will be sent to Vigil8 and the file will be restored within a further one working day. If it is not approved the data will be deleted as planned after a three-month quarantine period.  The restoration process in total may take up to five working days. 

How long do I have to raise a request?

At the end of initial three-month quarantine period, an appeal is still possible for a further nine months. However the time to restore a file may be longer than five working days. At the end of this nine month period it is no longer possible to restore a file.

More information

For more information see: 

If you have any further questions, please contact the Information Governance team.