Personal Data Protection Guidelines

University Data Privacy Security Guidelines for handling personal data

  1. Never download data to home computers. If you need to process data at home, consider using remote desktop with VPN.
  2. Personal data should not be downloaded, processed or transmitted to office desktop computers unless absolutely necessary. Be sure to apply encryption on those files.
  3. Delete the personal data once they are no longer used. Be aware of cleaning up the recycle bin after deletion of those files.
  4. When downloading or transferring personal data, consider only extracting the required fields.
  5. Instead of downloading data to desktop, it is highly recommended to consider other alternatives of directly processing data stored in file shares.
  6. For email transmission with personal data files attached, mandatory password protection is required in all transmission of email attachments containing personal data files. Password protected file and password must be delivered separately via different channels.
  7. Departmental file shares that are not managed by professional IT personnel should not be used.
  8. Personal data should be stored in servers provided by the University or shared drives within the office for access by the authorized staff only.
  9. For shared drive and shared documents, password should be changed regularly. It is good practice to change password regularly, e.g. every 3 months.
  10. Portable storage devices such as USB memory sticks, notebooks, smart mobile phones, and tablets, should, as far as possible, not be used for storage of personal data files. If such storage is necessary, always encrypt and/or add password to the portable device.
  11. Sensitive and personal data should never be saved in unprotected devices. Mandatory password protection is required for all files containing personal data.
  12. All portable storage devices or hard copy documents which contain personal data must be securely locked in the office when not in use, and should never be left unattended. Please do mark “confidential” on the hard copy documents.
  13. Do not export personal data from computer system for temporary storage or storage of personal data in public “cloud/internet storage services”, e.g. Dropbox, iCloud, google drive etc.
  14. On disposal of a hard disk, floppy disks, CD, DVDs, magnetic tapes or any other storage, be sure that all data stored have been deleted and/or that the storage media are destroyed through cutting, breaking or drilling holes before disposal.
  15. Storing and processing personal data outside the office or on a personally-owned storage device or PC is strongly discouraged. If it is absolutely necessary to do so for operational reasons, make sure that:
    • The device is protected by appropriate security software with the latest updates, and with all protection mechanisms turned on.
    • No peer-to-peer file sharing software such as Foxy is installed in the device as such software could auto-download and redistribute other software without your authorization.
    • VPN is used
  16. Maintaining a stable and secure computing environment is critical to personal data protection.  Please read ITSC’s Cyber Security at