How can I keep my data secure and protected?
Data that contains sensitive or confidential information should be treated with higher levels of security. Keeping your data secure allows you to control access and prevent accidental or malicious loss and damage.
- Your data should be securely stored yet remain accessible to those authorised to access it.
- The General Data Protection Regulation (GDPR) does not apply to anonymised data so where possible, personal data should be anonymised, or pseudonymised and any identifying information such as a key kept securely in a separate location.
- Sensitive data held on external hard drives should be kept in a physically secure location overnight and/or encrypted
- Any personally identifiable data that is held on any mobile device should be password protected and encrypted. This includes data stored on USB keys, laptops, desktop computers, smart phones, workgroup servers and relevant emails
- If sensitive data has to be stored temporarily on a USB stick, an encrypted device such as an "IronKey" should be used
- Copies of sensitive data should be held in separate locations and kept to a minimum - preferably just a master copy and a single back up copy
Encryption
Encryption provides a higher level of privacy and security by limiting access to sensitive and confidential data. It means that data is encoded so that only those who have the decryption key can access the data providing a safer way for sensitive and confidential data to be stored and shared.
Certain categories of data, such as highly sensitive data will often require encryption, and some data management activities, such as the transferal of data, may require you to consider encryption.
Encryption is used to protect the data in your files and on your devices and you can also encrypt emails, so that they are accessible only by the intended party.
Devices - Laptops, tablets, mobile phones
University managed laptops (SOE devices) will be encrypted as standard. To guarantee the security of the device, encryption must always remain enabled. If you are unsure whether this is enabled on your device, contact the IT Service Desk.
If the use of external devices is unavoidable, be aware of the risks of doing so and follow the guidance by IT Services.
Guidance from IT services on Mobile & Portable Storage and Third-party Storage
King’s systems
Central IT supplied systems and storage is encrypted as a default. In most cases, using the encryption provided by King’s devices and systems will be enough to secure your data.
SharePoint and OneDrive for Business provided by IT
SharePoint is a web-based, Microsoft Office integrated collaborative platform.
OneDrive for Business is a web-based storage solution for your data as part of Microsoft 365 suite of tools.
The data is hosted and stored in Microsoft’s European data centres and protected by multiple layers of security technology and encryption.
Microsoft Multi-factor Authentication (MFA) can be enabled to provide enhanced security access to SharePoint data.
For specific security information about credentials such as encryption levels and protection see the specific information provided by Microsoft online.
If you need further information or need clarification on the technical information provided, contact the IT Service Desk.
Email
Encrypting an email protects the privacy of the content by turning it into indecipherable text. Personal and confidential information should never be shared in the body of an email unless the email is encrypted. The recipient should be informed that they are receiving sensitive data in order that they can view this in a secure environment. When encrypted, the text is only returned to a readable version when the email is opened by the intended recipient.
Information on encrypting emails can be found on this webpage for Encrypted Messages.
Other considerations
If using personal (not provided by King's) devices and systems, using special category data, MOD data, or if a data provider such as NHS Digital, has stated requirements, take further action.
As noted above, information on using personal devices can be found on IT services pages Mobile & Portable Storage and Third-party Storage. IT Assurance can be contacted for further information.
IT Assurance
The IT Assurance team provide advice and guidance around data storage locations controlled by central IT. This page of guidance for Researchers includes a section about data storage.
External guidance
UK Data Service encryption guidance
Guidance and related information from King's IT
International transfer of personal data
To comply with data protection law, personal data can only be transferred to countries outside the protections of UK/EU GDPR if that country is considered to have an adequate level of personal data protection or contractual commitments to provide adequate levels of protection have been agreed with the intended recipient.
Guidance from Research Governance Office (section on ‘Sharing personal data outside of the United Kingdom’)
If you are transferring personal data from a country or territory outside the United Kingdom or the EU you must ensure that the collection and transfer of the data complies with the General Data Protection Regulation (GDPR) and any equivalent legislation in that country or territory. For digital files use SharePoint Online or One Drive for Business. For paper and other non-digital records we recommend that you keep the records with you on the flight (i.e. in hand luggage).
If the postal service must be used as a form of transfer, data should be sent by secure courier or recorded delivery. King's has agreed terms with City Sprint for national and international courier services.
What is a data sharing agreement?
If you are sharing personal or other sensitive data it is a good idea to have a data sharing agreement in place. A data sharing agreement sets out a common set of rules to be adopted by the various parties involved in any data sharing activities.
The Research Grants and Contracts team can provide assistance with drawing up a data sharing agreement.