Portable storage device (PSD) use and security procedure

Intent and objectives

1. To comply with laws, regulations, contracts and university policies governing privacy and security of information.

2. To improve awareness of the protection of information and the use of portable storage devices (PSD).

3. To protect the information on PSDs to the level indicated by the sensitivity of the information.

Scope

University-wide.

Exclusions

None.

Procedure steps and actions

Protection of data stored on a Personal Storage Device (PSD):

1. Personal information or information sensitive to RMIT operations should only be stored on a PSD when authorised by senior RMIT staff, and only when necessary.

2. If using a laptop or iPad outside of the RMIT work environment, data should be accessed through the RMIT network via remote access, following RMIT password protocols, rather than downloaded to the laptop/iPad hard drive itself.

3. Where personal information or information that is sensitive to RMIT operations is stored on a personal storage device, the individual who uses the device is responsible for the security of both the personal storage device and the information stored on it.

4. Personal or sensitive information stored on a PSD should be encrypted where possible to protect the information from unauthorised access or disclosure.

5. The following precautions should be taken when storing personal or sensitive information on a personal storage device:

a. When not in use, place the personal storage device in a location out of sight and protected from theft.

b. Prevent use of the device by any unauthorised persons. Do not lend or provide the PSD to another person.

c. Enable boot password protection and inactivity timeout when using a laptop.

d. Do not connect the PSD to the Internet without a firewall and up-to-date anti-virus program.

e. Do not transmit unencrypted personal or sensitive information from the personal storage device over an unsafe communication channel such as the Internet or a non-RMIT wireless connection.

f. To prevent loss of original or master records, only use copied records on a PSD.

g. PSDs should not be used in lieu of an RMIT authorised data backup regime. Unauthorised data backup practices are not appropriate without ITS approval.

h. When information stored on a PSD is no longer required, ensure that any relevant master document is updated on the RMIT system as necessary and that the copied information on the PSD is securely deleted.

i. It is the responsibility of staff to ensure that information is properly deleted – information may still reside on the PSD and be retrievable by a technologically competent person. For further information on secure deletion of data, please contact ITS security staff.

If a PSD or data is lost, stolen or accessed without authority:

1. If personal or sensitive information is lost, stolen or accessed by unauthorised persons, this must be reported to the individual’s manager or supervisor in the format attached to this procedure.

2. Upon receiving a report of a loss, theft or unauthorised access, the relevant manager or supervisor must also provide a report to the RMIT Privacy Officer.

3. Follow-up will be made by the RMIT Privacy Officer to establish what actions are necessary to mitigate loss impact and prevent recurrence.

4. No blame should be attached to the reporting of accidental compliance failures or to those identifying process errors.

5. Staff committing deliberate or grossly negligent compliance or privacy breaches may be subject to RMIT disciplinary processes where considered appropriate.

6. Provisions within this procedure also relate to contractors or outsourced service providers who may access RMIT information.

7. Provisions within this procedure also relate to data downloaded onto home computers for the purposes of working remotely.
