Information Services

Data contains information about living individuals and it is possible to identify those individuals, e.g.:

• list of student names and addresses;
• interview transcripts;
• application forms;
• bank account details (credit & debit card details MUST NOT be stored on University IT systems)

Protection from unauthorised access or disclosure
Personal data will need protection from unauthorised access or disclosure unless it is already in the public domain (e.g. on a public facing webpage).  The greater the potential distress or damage that could be caused to those individuals through unauthorised disclosure, the greater the level of security and access controls that should be applied.  See the definition of ‘Sensitive Personal Data’ and the University’s Data Protection Pages. 

Protection from inadvertent loss or corruption
It may also require protection from loss or corruption, depending on the nature and purpose of the dataset – see Category 3.

If access is restricted to staff who need access to the personal data

Closed Connections Community

If membership is restricted to staff who need access to the personal data and backup levels are deemed acceptable. 

Quickr TeamPlace

If membership is restricted to staff who need access to the personal data

Learning Central

If access to the area of Learning Central is restricted to those who need access to the personal data

School-based file or web server

Check with local IT staff to ensure suitability

External file store

If assessment of suitability has been made based on service level agreement and GOVRN's guidance

Local hard drive (in desktop PC) or large portable device

If data is encrypted.

Consider if backup is needed and consult with local IT staff to arrange.

Central Cardiff University website

External website

Small portable devices (e.g. USB, CD)

Not suitable as primary storage location and should not be used for extensive periods.

May be used for short term storage and transportation if suitable encryption or password security is applied.

Data contains confidential or 'secret' information (not falling into Category 1) which has the potential to harm the University's interests if it were disclosed inappropriately or inadvertently, or lost/corrupted. This category of data includes security details, certain financial information, information which is commercially sensitive or managed under contract, and confidential strategic matters, e.g.:

• passwords, restricted area access arrangements and plans. etc;
• intellectual property;
• information subject to contractual requirements re data security (e.g. research grant);
• workforce planning.

Protection from unauthorised access or disclosure
This data requires strict security measures and controlled access.

Protection from inadvertent loss or corruption
This data is likely to require protection from loss or corruption.

If access is restricted to staff who need access to the confidential business information

Closed Connections Community

If membership is restricted to staff who need access to the confidential business information and backup levels are deemed acceptable. 

Quickr TeamPlace

If membership is restricted to staff who need access to the confidential business information

Learning Central

If access to the area of Learning Central is restricted to those who need access to the confidential business information

School-based file or web server

Check with local IT staff to ensure suitability

External file store

If assessment of suitability has been made based on service level agreement and GOVRN's guidance

Local hard drive (in desktop PC) or large portable device

If data is encrypted.

Consider if backup is needed and consult with local IT staff to arrange.

Central Cardiff University website

External website

Small portable devices (e.g. USB, CD)

Not suitable as primary storage location and should not be used for extensive periods.

May be used for short term storage and transportation if suitable encryption or password security is applied.

A large (greater than 1000MB or 1GB) and/or unique collation/collection of information which it would be impossible to replicate or where it would cause extreme inconvenience to do so, e.g.:

• genome sequencing;
• geographical data;
• astronomical images.

Protection from unauthorised access or disclosure
Will not necessarily require protection from unauthorised access or disclosure unless the data also falls under either of Categories 1 and 2.

Protection from inadvertent loss or corruption
The need to protect from loss or corruption will be paramount.

See local IT staff for space requirements

Shared R or S:

See local IT staff for space requirements

Learning Central

File should be placed in the "Content Collection" and should only be stored here if used for teaching.

Check with local IT staff to ensure suitability

External file store or website

If assessment of suitability has been made based on service level agreement and GOVRN's guidance

Local hard drive (in desktop PC) or large portable device

Connections

Not suitable for files over 75MB. 

Quickr TeamPlace

Not suitable for files over 100MB. 

Central Cardiff University website

Small portable devices (e.g. USB, CD)

Not suitable as primary storage location and should not be used for extensive periods.

Information not falling into any of the above categories.

Protection from unauthorised access or disclosure
Unlikely to require protection from unauthorised access or disclosure.

Protection from inadvertent loss or corruption
May still require protection from loss or corruption for business efficiency purposes.

Shared R or S:

Learning Central

School-based file or web server

Check with local IT staff to ensure suitability

External file store or website

If assessment of suitability has been made based on service level agreement and GOVRN's guidance

Local hard drive (in desktop PC) or large portable device

Consider if backup is needed and consult with local IT staff to arrange.

Connections

If backup levels are deemed acceptable. 

Quickr TeamPlace

If backup levels are deemed acceptable.

Central Cardiff University website

If information needs to be communicated widely

Small portable devices (e.g. USB, CD)

If information is unlikely to require long term accessibility (periods over 7 years) or if small portable device is not the primary storage location.