As the University has moved towards Flexible Working, it is imperative staff are aware of the significant risks this way of working could present to the University. There is a much greater risk to data, via unauthorised access, loss or destruction.

Data Protection still applies to any identifiable personal data (of a living individual) that is processed by a member of staff on behalf of the University as part of their employment, including paper-based records.

All members of staff are reminded of the need to ensure they comply with relevant University Policies and guidance documents relating to the management of information including personal data, such as; the University Data Protection Policy, Bring Your Own Device (BYOD) Policy, and ICT Password Policy. (A list of relevant policies and guidance documents are listed below.)

---

When working flexibly:

• You must ensure the computer/device you are working on is adequately protected with the latest anti-virus and malware software installed (if you are using an ICT sourced laptop this software should already be installed). For further guidance, please see the ICT website here.

• Passwords and usernames must not be written down, passwords for any device used to access University data and personal data must comply with the University ICT Password Policy. The full policy is available here.

• You must ensure you are using one of the options described in the ICT Working Flexible Working Guidance, which can be found here, when accessing University systems and data. (If you are unable to use any of these options you must seek advice from ICT immediately.)

• You must ensure when you have finished working you fully close down all applications, browser, cloud desktop and VPN sessions.

• You should only use University approved and/or supported third party service providers and software. Use of other third party services and/or software requires approval from the ICT department, and if personal data will be processed, approval by the Information Compliance Team.

• If you are using University devices, please ensure other members of your family use different private devices for their own activities.

• As much as possible you should work in a private environment, away from other family members, with screens not left visible to others.

• Only University approved systems and software may be used for sending and receiving files. Please refer to the guide: How to send Personal and Non Public Information.

• If you receive emails or emails containing attachments, you should check the source is genuine. Extra care should be taken to ensure all staff are being vigilant regarding phishing emails. For further guidance on spotting potential phishing emails as well as how to report them, please see the ICT website here.

• You must not download or save any University or personal data to non-University devices.

• If you believe a data breach has occurred whilst you are working from home, you must report this through the normal breach reporting process. Contact the ICT Helpdesk and the Compliance Mailbox as soon as you are aware of the breach or the suspected breach. This will allow the relevant teams to mitigate where possible. (Contact addresses: ICT Service Desk and Compliance Team.)

• Please note the University has limited ability to mitigate a breach that occurs outside the University environment (e.g. an email sent to a non-University email address cannot be recalled).

• Staff are reminded to only use their University work email address, and not to use their private email addresses when conducting University business. Emails must not be automatically forwarded from University email addresses to non-University or private email addresses.