Although there is a culture of openness in the academic world, research institutions can hold incredibly valuable and commercially sensitive research data that is of interest to organised criminals and to hostile or unscrupulous nation states, and several confirmed high-profile attacks have been reported in the press. Even the UK Government’s Centre for the Protection of National Infrastructure (CPNI), which reports to MI5, is sufficiently concerned to have produced guidance for academics on how to protect their research.
According to the Jisc cyber security survey in 2018, one of the top three causes of security breaches in higher education relates to poor practice in the handling of information, often due to a lack of awareness or simple carelessness.
Figures on recent personal data breaches from the Information Compliance Team at the University of Oxford echo the Jisc assessment (see below).
Figure 1: Causes of personal data breaches as recorded by the Information Compliance Team.
The consequences of a breach can be far reaching and include:
- impact on research and researchers
- loss of confidence among research sponsors
- fines by regulatory authorities
The Information Security Team works with departments to ensure appropriate system and technical controls are in place to protect information, but, to minimise the need for restrictive security measures, everybody needs to take responsibility for protecting the information in their possession. It’s not difficult.
The University of Oxford’s Information Security Team provides lots of guidance on its website and has produced information handling rules, based on best practice, to help you look after your research information.
What should I do?
When it comes to handling information, the first thing is to know its level of confidentiality and then ensure it is protected accordingly. It may carry a confidentiality label if you received it from someone else, but if you own the information, you will need to assess it yourself.
Confidentiality is determined by the amount of harm that would be caused to your research, your department and the University as a whole by the information being wrongly disclosed. If the information is about people, the potential harm to those people also needs to be assessed.
In considering harm, it can be useful to think of threat actors. Who might want the information? What would they do with it? Why? Threat actors may include individuals, criminal gangs, competitors, media organisations, disgruntled employees, students, activist groups and hostile nation states.
Then, having worked out the level of confidentiality, protect the information in your possession according to its classification, using the University’s information handling scheme as a guide.
Information classification policy
The University’s information classification policy defines three levels of confidentiality, depending on the impact of inappropriate disclosure:
- Public - no harm.
- Internal - some harm, such as increased risks to researchers, additional costs or delays.
- Confidential - serious harm that could lead to increased risks to researchers, substantial costs, regulatory fines, long-term reputational damage or loss of sponsorship.
Information handling rules
The University’s information handling rules are intended to provide simple and clear advice on common methods for the secure creation, storage, sharing and disposal of information. They cover common use cases but are not exhaustive and do not replace the need for common sense.
There is advice on emailing, printing, faxing, telephoning, using shared drives, portable devices, personally-owned devices and more. The rules also include specific guidance on how to use enterprise services supported by the University, such as SharePoint and Nexus365, making best use of the security features available, such as encryption and protection against unauthorised sharing.
Marking information with its classification level helps those who receive it to take the appropriate precautions.
More general advice is available on the Information Security Team’s website.
Classifying and handling information in accordance with the information handling rules does not remove the obligation to comply with applicable legislation and contractual obligations. For example, personal information about some academic staff may be classified as ‘Public’, but the requirements of the GDPR and the Data Protection Act 2018 still apply.