Protecting Your Data

The University deals with a large quantity of data on a daily basis. Some of this data is vital to business operations and should be protected accordingly. The same important principles apply, whether you are working in the office, or remotely.

The University creates, processes and stores a large quantity of information electronically on a daily basis. How can we keep our information secure and protect the University's brand and reputation?

    Expand
  • Step 1: Identify

    You cannot secure what you don't know

    The first step is to make an inventory of the information you use as part of your research, teaching, and administrative work, and identify where they are located. If the source information is contained within an application or database, make sure you take any data exports, dumps or reports from the application into consideration as well.

    What Where
    • Research data
    • Research records
    • Clinical trial data
    • Draft papers
    • Teaching materials
    • Student records
    • Financial data
    • HR records
    • University U: and S: drives
    • Personally owned laptop
    • Box
    • LabArchives
    • DropBox
    • Within business application (e.g., PeopleSoft or HPE Content Manager)
    • USB memory stick
    • Mobile device (iPhone, iPad, etc)
    • See the storage webpage for more information
  • Step 2: Classify

    Distinguish what's important from what's not

    The next step is to categorise the identified information into what is sensitive and what is not. It is often useful to set up a common language to facilitate this categorisation process.

    Classification Description

    Class 3 "Confidential"

    Example:

    • Personally identifiable data (TFN, home address, phone number, DOB, etc)
    • Credit card data
    • Medical records and patient data
    • Unpublished research data
    • Student academic records
    Class 2 "University Internal"

    Example:

    • Teaching materials (PowerPoint, Word, recorded lectures, etc)
    • Non-sensitive and de-identified research data
    • Normal business administration records
    Class 1 "Public"

    Example:

    • Course description / synopsis
    • Published papers
    • Information on public website

    You may want to define a more fine-grained classification to suit the needs of your own division. For example, you could create Sub-Class 3A - Medical Records, 3B - Top Secret Research, etc.

    If you are unsure if a piece of data is Class 3 or Class 2, ask yourself:
    • If the data were to be exposed to major media, would it hurt the reputation of yourself, your work/research unit, or the University?
    • Would an exposure violate University policies, privacy laws, or other laws and regulations?
    • Would unauthorised exposure to a malicious person be detrimental to the success of your work?
    • Would you suffer a significant setback for your work if the data was lost permanently?
    • Does the data contain personal or personally identifiable data?

    If the answer to any of the questions is 'YES' then consider the data Class 3.

  • Step 3: Protect

    Guidelines for classifying and protecting information

    Compliance with policies, laws and regulations

    Protection of sensitive information is also a requirement under University Policies, as well as Federal and State laws. Refer to the following for some policies, laws and regulations that apply to information protection.

Protection of information is everyone's responsibility in order to protect the University's brand and information assets. If you have any questions or require assistance, do not hesitate to contact the Technology Service Desk at servicedesk@adelaide.edu.au.

At the University, many of us deal with a large quantity of data every day. Some of this data is considered sensitive and is vital to the University’s business operations. By understanding which data is considered sensitive, you can help the University safeguard its most important assets.

Public data Sensitive / private data
  • Information that is public domain and is not private or sensitive
  • University policies
  • Course and degree information
  • Work contact details
  • Information that would cause damage to the University or individual if it were disclosed to the public
  • Personally identifiable information
  • Medical and health information
  • Student records
  • Financial information
  • Intellectual property
  • Research data
 

Protecting sensitive information from unauthorised access, corruption and accidental loss is vital to upholding the University’s world-class research and teaching standards.

Here are some SecureIT tips to safely manage your data.

    Expand
  • Stop and think before you share data

    Sharing information is an important part of achieving a productive learning and teaching environment at the University. Some information, however, is sensitive and may harm you or the University if it gets in the wrong hands.

    Criminals can use sensitive information against the University to tarnish our brand and impact the teaching and learning prospects of the University.

    Discretion should be used when sharing any of the following information:

    • Personally identifiable information
    • Medical and heath information
    • Student records
    • Financial information
    • Research data and intellectual property
  • Always protect your sensitive files

    Keeping your sensitive files secure plays an important role in protecting the University's data. Storing sensitive information in the cloud or on local hard drives can have serious consequences, including data loss (due to a device failure) or data theft (due to lost or unattended equipment).

    The University offers two locations where students and staff can securely store their files
    U: drive

    The U: drive, or User drive, is a private online storage location offered to every student and staff member. Your U: drive is automatically mapped when you login to any University computer. The data stored on your U: drive is backed up nightly and is protected from other users.

    *Please note: U: drive storage capacity is limited to 2GB for students and 5GB for staff.

    S: drive The S: drive, or Shared drive, is a centralised online storage location where staff can share files with colleagues. Access to files on S: drive can be restricted to staff members residing in a particular Faculty, Division, Branch, Area or team. S: drive is backed up nightly.
  • Be mindful if you are storing data in the cloud

    Many internet companies offer online storage for your photos, emails and documents. The term commonly used to describe this service is called cloud storage. Box is a cloud storage and collaboration service that is university-endorsed and supported. LabArchives is a cloud-based electronic research notebook system that is also university-supported. Dropbox, Apple iCloud, Microsoft OneDrive, and Google Drive are all cloud storage options that are not endorsed or supported by the University of Adelaide.

    While cloud storage may feel like a hassle-free way to manage your data, it has some very real security implications that should be considered.

    Before storing any of your data in the cloud you should consider:

    • Would the cloud provider tell you if they were hacked and your data was stolen?
    • Is your data being backed up?
    • Is your data being shared with advertising companies?
    • What happens if the cloud provider goes bankrupt or is taken over?
    • Are employees of the cloud provider allowed to view and share your data?

    When it comes to university-endorsed systems such as Box and LabArchives, you can be confident that the University has asked and answered these questions on your behalf. While you use these systems, be aware of the type of data you are storing and de-identify personal details. Also, keep an eye on who has been given access to the files and remove people's access when it is no longer appropriate.

    Always read your cloud provider’s privacy policy and data storage policy before storing any sensitive information in the cloud. If your questions cannot be answered in these documents you should contact your cloud provider directly.

    Here are some steps you can take to protect your information:

  • Avoid storing and accessing sensitive data on public or shared computers

    Public computers often contain hidden programs that can secretly record your passwords, emails and banking information. Hackers will also use public wifi hotspots to (surreptitiously) intercept your traffic and steal your passwords and other private information.

    Hackers can use this information to commit identity fraud or other cybercrimes.

    Here are some steps you can take to increase your security whilst away from the University:

    • Always use the University VPN when accessing sensitive data over a public wifi hotspot
    • Avoid entering passwords or private information into public or shared computers
    • Only use secure websites

Working from home presents a number of unique risks to the way that we protect, store and secure information. 

It is important that we all take appropriate steps to ensure that University information is only accessed by authorised personnel and is protected from inadvertent access by other members of our households.

The University’s normal policies and procedures continue to apply while working from home.

If you become aware of an actual or suspected breach of personal information you must follow the University’s Data Breach Response Plan available here.

Further information to help you work safely from home can be found on the Working From Home With Technology page.

    Expand
  • Confidentiality and privacy

    We all have an obligation to protect the confidentiality of University information and records when working from home, and to ensure that we do not inadvertently breach the University’s privacy obligations in relation to any data or documents we handle.

    Here are some tips to help you ensure you are the only one who accesses University information:

    • keep any hard copy materials in a safe place and ensure that they are not accessed by other members of your household
    • ensure you are the only one who is able to access University IT systems by keeping your password confidential and locking your computer or other device when it is not in use
    • if you are using a University device to work from home, it generally should not be used by other members of your household.  You may, however, use a University device for reasonable personal use under the IT Acceptable Use and Security Policy
    • if you are using a personal device to work from home, ensure that it has adequate virus protection software, that all software is up-to-date, and that it is protected with a strong password
    • if you are using a shared personal device, ensure that any University information is stored on official University systems only, not on the local device.  Documents stored on the local device may be accessible to members of your household who use the device, which could result in a breach of privacy or confidentiality
    • hard copy documents should be disposed of in a shredder or confidential waste paper bin, not with ordinary household rubbish.  If necessary, retain documents until you can access campus facilities again to securely dispose of them.
  • Records Management

    Your work-related communications and documents are University records and should be filed and stored in a manner which complies with the State Records Act and the Freedom of Information Act.  This means you should:

    • store University records on a University-controlled system or device, not a personal device or record storage system
    • in most cases, continue to store electronic records using the University’s recordkeeping system, HPE Content Manager
    • retain printed matter until it is no longer needed or can be provided to Records Services for archiving
    • not delete emails or discard printed matter that comprise University records
    • lodge contracts with Records Services for inclusion on the Legal Documents Register as per normal practice