
Removable Media Policy

1. Introduction

1.1. The purpose of this policy is to minimise the loss, unauthorised disclosure, modification or removal of sensitive information maintained by Loughborough University.

2. Scope

2.1. This policy refers to all types of computer storage which are not physically fixed inside a computer and includes the following:

• Memory cards (like those used in cameras), USB pen drives etc;
• Removable or external hard disk drives;
• Newer Solid State (SSD) drives;
• Mobile devices (iPod, iPhone, iPad, MP3 player);
• Optical disks i.e. DVD and CD;
• Floppy disks;
• Backup Tapes.

2.2. This policy also covers all data including:

• Research data;
• Teaching and learning data;
• Administration and management information data.

3. Classification of Data

For the purposes of this policy, data is going to be classified into different categories in line with the Data Protection Act (DPA).

3.1. Non-sensitive Data

Data whose inappropriate use would not adversely affect an individual, for example:

• Class lists (course and learner names only)
• Management information reports which do not identify individuals
• Any data which has been made a matter of public record

3.2. Sensitive Data

Sensitive data includes:

• Any data identified by the Data Protection Act (1988) as personal sensitive data, specifically data relating to racial or ethnic origin, political opinions, religious beliefs, membership of trade union organisations, physical or mental health, sexual life, offences or alleged offences.
• Data that if lost or stolen would be likely to cause damage or distress to one or more individuals. This includes, but is not limited to, human resources data and exam or assessment results, which are not a matter of public record.
• Any data, which may reasonably be expected to be considered sensitive, personal confidential or commercially confidential. For example, data or materials pertaining to existing or planned courses, which may be of interest to a competing organisation.

3.3. Highly Sensitive Data

• Data, which if used inappropriately may have a significant impact upon Loughborough University or an individual. In particular employee or student banking details or any other data that it is believed could be used for illegal purposes.

4.1. The use of removable media is not prohibited within Loughborough University; it is in fact an essential part of everyday business.


4.2. The use of removable media to transport non-sensitive data can be done on standard devices (see above list for details).

4.3. Regularly updated anti-virus software should be present on all machines from which the data is taken and on all machines onto which the data is to be loaded.

4.4. When removable media is used to transport sensitive data, the data on the device must be encrypted to a recommended encryption standard (AES-256). Please see our Kingston Data Traveler page for IT Services recommended devices.

4.5. Research grants may require a higher level of encryption of data, to a standard such as FIPS 140-2. In these circumstances please contact IT Services for assistance with Research Data Management and completion of prerequisite proposals. It is recommended that Microsoft BitLocker To Go be used for encryption at a higher level.

For other Operating Systems please consult IT Services.

4.6. Removable media used by Schools and departments within the University should be encrypted to the recommended standard if it is going to be used to hold School or University sensitive or highly sensitive data.

4.7. Mobile devices and/or removable storage containing sensitive or highly sensitive data should not be sent off site without prior agreement. IT Services should be consulted to ensure the level of security is appropriate for the type of data being transferred, for example database ‘dumps’.

4.8. If highly sensitive data is required to be transported via removable media please seek advice from IT Services.

4.9. Removable media used to store sensitive and highly sensitive data shall only be used by staff who have an identified business need for them.

4.10. Any sensitive or highly sensitive data transferred to a removable media device must remain encrypted and must not be transferred to any external system in an unencrypted form.

4.11. Data stored on removable media is the responsibility of the individual who operates the devices.

4.12. The user must note and accept that, should their encryption password be forgotten, the removable device allows for a new password to be created, but this will involve a reformatting of the device and thus a total loss of the data. The removable device must therefore not be used to keep data that is not backed up securely in a central location.

4.13. Removable media should be physically protected against loss, damage, abuse or misuse when in use, storage and transit.

4.14. Mobile devices and/or removable media that have become damaged should be handed back to local IT Support or IT Services to ensure they are disposed of securely to avoid data leakage.

4.15. If a member of staff who used a mobile device and removable media were to leave, they should return the devices to local IT Support or IT Services for secure destruction and/or redistribution.

4.16. The use of removable media by sub-contractors and temporary workers on University-owned machines should be risk assessed and authorised.

4.17. When the business purpose has been satisfied, the contents of the removable media should be removed from the media through a destruction method that makes recovery of the data impossible. Alternatively, the removable media and its data should be destroyed and disposed of beyond its potential reuse.