B5b: Removable Media Policy

Introduction

The purpose of this policy is to minimise the loss, unauthorised disclosure, modification or removal of sensitive information maintained by ORMS.

  1. Scope
    • This policy refers to all types of computer storage which are not physically fixed inside a computer and includes the following:
      • Memory cards (like those used in cameras), USB pen drives etc.;
      • Removable or external hard disk drives;
      • Newer Solid State (SSD) drives;
      • Mobile devices (iPod, iPhone, iPad, MP3 player);
      • Optical disks i.e. DVD and CD;
      • Floppy disks;
      • Backup Tapes.
    • This policy also covers all data including:
      • Research data;
      • Teaching and learning data;
      • Administration and management information data.
  2. Classification of Data

For the purposes of this policy, data is classified into the following categories in line with the Data Protection Act (DPA).

  • Non-sensitive Data
    Data whose inappropriate use would not adversely affect an individual, for example:

    • Class lists (course and learner names only)
    • Management information reports which do not identify individuals
    • Any data which has been made a matter of public record
  • Sensitive Data
    Sensitive data includes

    • Any data identified by the Data Protection Act (1988) as sensitive personal data, specifically data relating to racial or ethnic origin, political opinions, religious beliefs, membership of trade union organisations, physical or mental health, sexual life, and offences or alleged offences.
    • Data that if lost or stolen would be likely to cause damage or distress to one or more individuals. This includes, but is not limited to, human resources data and exam or assessment results, which are not a matter of public record.
    • Any data which may reasonably be expected to be considered sensitive, personally confidential or commercially confidential, for example data or materials pertaining to existing or planned courses which may be of interest to a competing organisation.
  • Highly Sensitive Data
    • Data which, if used inappropriately, may have a significant impact upon ORMS or an individual. In particular, employee or student banking details or any other data that it is believed could be used for illegal purposes.
  3. Policy
    • The use of removable media is not prohibited within ORMS; it is an essential part of everyday business.
    • The use of removable media to transport non-sensitive data can be done on standard devices (see above list for details).
    • Regularly updated anti-virus software should be present on all machines from which the data is taken and on all machines onto which the data is to be loaded.
    • When removable media is used to transport sensitive data, the data on the device must be encrypted to a recommended encryption standard (AES-256). The use of the Kingston Data Traveller is appropriate.
    • Removable media used by ORMS staff should be encrypted to the recommended standard if they are going to be used to hold ORMS’ sensitive or highly sensitive data.
    • Mobile devices and/or removable storage containing sensitive or highly sensitive data should not be sent off site without prior agreement.
    • If highly sensitive data is required to be transported via removable media, please seek advice from the Commercial Director.
    • Removable media used to store sensitive and highly sensitive data shall only be used by staff who have an identified business need for them.
    • Any sensitive or highly sensitive data transferred to a removable media device must remain encrypted and must not be transferred to any external system in an unencrypted form.
    • Data stored on removable media is the responsibility of the individual who operates the device.
    • The user must note and accept that should their encryption password be forgotten, the removable device allows a new password to be created, but this involves reformatting the device and thus a total loss of the data. The removable device must therefore not be used to keep data that is not backed up securely to a central location.
    • Removable media should be physically protected against loss, damage, abuse or misuse when in use, storage and transit.
    • Mobile devices and/or removable media that have become damaged should be handed back to the Data Protection Officer to ensure they are disposed of securely to avoid data leakage.
    • If a member of staff who has used a mobile device or removable media leaves ORMS, they should return the devices to the Data Protection Officer for secure destruction and/or redistribution.
    • The use of removable media by sub-contractors and temporary workers on ORMS-owned machines should be risk assessed and authorised.

When the business purpose has been satisfied, the contents of the removable media should be removed through a destruction method that makes recovery of the data impossible. Alternatively, the removable media and its data should be destroyed and disposed of so that it cannot be reused.