This page offers guidance on data protections considerations during the College's period of remote operations.

Data security and protection

Accessing electronically stored data

If you need to have access to personal data (and in particular any sensitive data) to carry out your research, teaching or admin activities these must remain within a College data environment or a College-approved external environment. The easiest way to achieve this in most cases is to use a remote gateway into a College computer. This may not, however, be appropriate for very sensitive data types (such as NHS data sets or criminal conviction data).

If you feel that there is strong need to save data to your personal devices you must raise this with the FoNS Data Protection Coordinator a.hamilton@imperial.ac.uk to ensure that appropriate protection and encryption can be put in place, and to discuss how to process such data securely and in accordance with GDPR.

Maintaining security of hard copies

There may be circumstances where staff are working with hard copy data from their remote location. We would advise that you treat this data set as you would when working in the office. Secure the data after use in a locked location that cannot easily be accessed by others in your household.

In the cases of highly sensitive data sets we would advise that these documents stay within the College environment to avoid potential data breaches.

Third party data requests

During this time it is likely that you may receive third party requests for data regarding staff or students. It is integral that we apply the same level of diligence that we would as were we physically in office.

Generally personal data must not be disclosed to unauthorized third parties, including family members, friends, local authorities, government bodies, foreign Embassies and the police, unless the data subject has consented to the disclosure or consent is exempted by the GDPR, or by other legislation. Consequently, staff should be cautious when a third party enquirer requests disclosure of personal data.

It's important to ensure the validity of each request in order to minimize the risk of illegitimate disclosure. In most cases enquiries should be submitted in writing on official headed paper and should ideally cite the relevant data protection legislation or exemption.

In the case of police enquiries, the police are required to provide the request in writing in a specific format. If you receive such a request please contact the Colleges Data Protection Officer on dpo@imperial.ac.uk.

Reporting breaches

During this time it is integral that you continue to report your data breaches to the Faculty. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Data breaches can be both accidental and deliberate.

Examples can include but are not limited to:

  • sending an email to the wrong recipient;
  • accidentally disclosing personal data to an unintended party (via chain emails);
  • deleting data that you cannot retrieve;
  • being the victim of a phishing email scheme;
  • having access to data you should not have access to;
  • computing devices containing personal data being lost or stolen.

If you are party to a breach or suspect there has been a breach in your area please complete the data breach form on the FoNS data protection SharePoint site. The details will go to the FoNS Data Protection Coordinator and Data Protection Officer who will work towards mitigating any risk to you and to the College.