Information Protection policy

Here is an overview of the University's Information Protection Policy. For more information on each section click on the 'Related Articles' links on the right-hand side. 


The purpose of this Policy is to define the key principles behind the University’s handling of ‘sensitive information’ and to stipulate the controls required to protect it.

The University is committed to taking information security seriously. To this end, all those who access data related to University business must comply with this Policy, Information Protection Guidance and the University IT Security Policy.

There is additional guidance for each section which defines the controls that members of the University have to implement when creating and handling classified information.

After reading the Information Protection Policy and this guidance, if you are in any doubt as to what is required of you when dealing with classified information, contact the IT Service Desk, tel: 0113 343 3333.


This Policy classifies sensitive information according to its damage potential, and defines the specific controls which are to be applied in order to protect it from inappropriate disclosure. Sensitive information is categorised as ‘Classified Information’ which is either ‘Confidential’ or ‘Highly Confidential’.

Any information that is not categorised as either ‘Confidential’ or ‘Highly Confidential’ is by default ‘Unclassified’. No particular controls apply to the disclosure of unclassified information.

With the exception of information which is clearly and legitimately in the public domain (such as name, email address, job titles and department), personal data will, as a general rule, fall into one or other of the classified categories.

The volume of personal data needs to be taken into account in the assessment of the classification of any set of information. For example, information which in itself would be classified as ‘Confidential’ when it relates to just one individual might need to be classified as ‘Highly Confidential’ when it covers many individuals, especially (but not only) if it is held in electronic form. The potential for damage from unauthorised disclosure is much higher in the latter case and the level of control needs accordingly to be higher.

Protecting Information

1. The University’s Data Protection requirements must be fully adhered to.

2. The sensitivity of all information and data you create or receive must be assessed, classified and managed in accordance with this Policy.

3. All use of the University’s IT systems and networks must be in full compliance with this Policy and all other University IT security policies.

4. All staff must complete the University’s Information Governance training course within two weeks of joining the University and every year thereafter.

5. Personal data may only be downloaded from University IT systems where there is a business need to do so. Once downloaded such data must be held and managed securely and deleted immediately the data is no longer required and in accordance with the University’s retention schedules.

6. Personal data collected for research purposes must, in addition to research ethics committee approval, also reflect any relevant conditions contained within research grants and privacy impact assessment / data management plan.

7. Personal data must be anonymised or pseudonymised wherever practical to do so and only the minimum amount of personal data necessary is to be collected. Consideration may also need to be given to the completion of a data privacy impact assessment.

8. Those using University IT systems have no absolute right to privacy.

See Related articles for further details.

Accessing and Sharing Information

9. Classified information may only be accessed and shared where necessary for the conduct of University business and only with appropriate authorisation.

10. Before transferring classified data to or from a third party a Data Processing Agreement or Data Sharing Agreement signed by both parties must be in place.

11. Classified research data can only be shared in accordance with University, funder and project requirements, and as specified within ethical and contractual agreements and in most cases a signed Data Sharing Agreement.

12. All third party security requirements concerning information that has been shared with the University must be implemented as agreed at the time of transfer.

13. Only approved methods of external access can be used to access University IT systems.

14. Password protection must be used to prevent unauthorised access to all University computer systems.

15. All University members must comply with the University Password Policy. University passwords are to be kept secret, never divulged or shared, and never reused elsewhere.

See Related articles for further details.

Security and Incidents

16. Any actual or suspected security incidents or breaches involving classified data must be reported in accordance with the University’s incidents and breaches reporting process.

17. If you suspect that an information protection or IT security weakness exists you are required to report it as soon as possible to the IT Service Desk. On no account attempt to exploit any suspected vulnerability for any purpose whatsoever.

See Related articles for further details.

Device Security

18. The in-built security functionality available on any portable IT device (e.g. mobile phones, laptops and pen drives) capable of accessing or storing University data must be operational prior to doing so.

19. All portable IT devices and removable storage devices, including those which are privately-owned and used to store University data, must be encrypted.

20. University-owned portable devices must either be held securely about the person or, if unattended, locked securely away.

21. University-owned portable IT devices may be used temporarily to hold Highly Confidential data. Only the absolute minimum data must be held in this manner.

22. Privately-owned computers used for University work must have up-to-date security functionality.

23. Privately-owned portable devices must generally not be used to create or access classified data other than via approved access routes such as Desktop Anywhere.

24. Only IT equipment managed by University IT may be connected to the University wired networks.

25. All unwanted, damaged or obsolete University-owned IT devices (including computer hardware, laptops, tablets and smart phones) must be disposed of through Estates Cleaning Services.

See Related articles for further details.

Security of Data

26. Unclassified and Confidential University data must be kept on the University servers or in approved cloud services such as Office 365.

27. The use of non-University approved cloud services for the storage of ANY University data, including that which is unclassified, is forbidden without formal approval from IT.

28. The M: Drive should be used for the storage of data, including Highly Confidential data that is not to be shared.

29. The N: Drive or SharePoint or OneDrive should be used for the storage of data that needs to be shared. If Highly Confidential information is kept in these shared storage areas it must be encrypted.

See Related articles for further details.

Security of Paper Documents

30. Classified papers must be locked away when not in use, with keys held securely.

31. Highly Confidential paper documents can only be taken outside the University with the appropriate controls in place.

32. When posting classified documents, envelopes must not display security markings which indicate the sensitivity of the contents.

33. Classified documents must be securely disposed of as soon as they are no longer required.

See Related articles for further details.

Data Management

34. Individuals must adhere to the University’s Document Retention schedules.

35. Classified information must be reviewed regularly and frequently and data that is no longer required must be deleted.

See Related articles for further details.

Email Security

36. Only your assigned University of Leeds email account can be used for the sending and receiving of University-business-related emails.

37. The use of University email accounts for the sending and receiving of personal emails should be avoided.

38. Due diligence must be applied when using email, for example double check that the recipients’ addresses and the content of any attachments are correct.

39. University email accounts must not be configured to automatically forward email to an external email service provider.

40. Classified information can be sent from one University email account to another University email account without being encrypted.

41. Highly Confidential information being emailed outside the University must be sent as an encrypted attachment. It must be sent to a business email address and never to a person’s personal (e.g. Gmail) address.

See Related articles for further details.