Receiving sensitive information

Source: https://www.sussex.ac.uk/study/international-students/partner-zone/processes/sensitive-and-protected-emails Parent: https://www.sussex.ac.uk/study/international-students/partner-zone/processes

The University has taken steps to improve the safeguarding of information. Find out what it means if an email or files/folders are marked 'sensitive' and what actions are required.

Sensitive information

Consideration should always be given to the sensitivity and value of the information being handled.

Where there is a risk that inappropriate disclosure or dissemination of the information (either internally or externally) would cause financial reputational damage to the University, breach legal or regulatory requirements, or cause harm to or impact negatively on individuals, information should be classified as ‘Sensitive’. Examples include personal data, financial data, or commercially valuable information or where disclosure could cause harm to individuals, impact the University's commercial interests, or breach a contract.

You must:

• ensure information is only accessible to authorised users and only provided to intended recipients,
• ensure information isn’t processed on personal devices,
• ensure appropriate security measures are used, e.g. always use links rather than attachments when sending information where possible,
• prevent accidental loss, destruction, or damage of information,
• only hold onto information for as long as necessary and in accordance with the University's Records Management Policy and Master Records Retention Schedule securely dispose of information, for example through confidential waste disposal bins or IT-supported deletion. For electronic files, ensure you delete from your deleted folders for permanent deletion.

Further details

View our Information Classification and Handling Policy for further details on how sensitive and protected information should be accessed, stored, transferred and disposed of.

Breaches

If there is a breach, however minor, this must be reported immediately to the University's Data Protection Officer using the Data Breach Reporting Process.

Contact

Email the Information Management Team at gdpr@sussex.ac.uk if you have any queries.