Staff Obligations in relation to storage and security of University Data

As a member of staff at the University of Newcastle, you have an obligation to maintain security safeguards to protect University data and information against loss, unauthorised access, modification, disclosure and other misuses as required by Information Privacy Principle (IPP) 5 of the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002

This obligation compels you to maintain security safeguards to protect University data and information against loss, unauthorised access, modification, disclosure and other misuses. 
 
University data or information may be stored on a number of devices, both University owned and personally owned. Most common devices are desktop or laptop computers and portable storage device(s) - PSDs, which include portable external hard drives, CD/DVD burners, USB storage devices, personal digital assistants (such as PocketPC, PalmPilot and Blackberry) and devices with in-built accessible storage (such as MP3 players, iPods and mobile phones).  Many large printers, photocopiers and multi-function devices (MFDs) also store printed and scanned information on local hard drives.
 
Regardless of the ownership of the hardware, the data remains the property of the University. Maintaining appropriate storage and security of the data, in accordance with the Privacy Act, poses specific challenges.
 
When removing these devices from the University, it is important to consider the type of data stored on them and the potential for risk of a privacy breach of student or staff information if the device is lost or stolen.
 
The following guidelines are provided to assist you in this matter.
 

Data Security

Ensure you securely maintain all computer equipment, including any portable storage devices, containing University data or information. 

In the event of the loss of a computer or removable device containing University data (e.g. stolen laptop, lost USB stick) please report the loss to Sara Knight, Senior Risk Officer, phone 49216489. If you are concerned that such loss may lead to a breach of staff or student’s personal information, please contact Bríd Corrigan on 49215922.
 

 Replacement or disposal of computer equipment

Staff responsible for the replacement (e.g. lease return) or disposal (e.g. asset write-off) of computer equipment must ensure that University data is removed at the time of disposal;

a) Desktop or laptop decommission - IT Services will wipe all desktop and laptop hard drives as part of the decommission process.  To request desktop or laptop decommission, please log a job with the 17triplezero IT Service Desk (via Self Service Portal http://www.newcastle.edu.au/17000 or phone ext 17000);

b)   Computer equipment write-off for very old/obsolete computer equipment - confirm the disposal process includes data wiping (e.g. via an e-waste recycling company);

c)   Portable Storage Devices (PSDs) - remove/delete all University data prior to their disposal/re-use;

d)   Photocopiers, Printers/MFDs (with Hard Disk Drives) - check with the printer or MFD supplier regarding their data wiping process (any additional fee that may be charged for this service is to be covered by the Business Unit).