Students Staff

Information security

Phishing scams


Phishing is real and everyone is a target! See our advice on phishing scams.

Information matters to all of us. Whether it's at home or at work, as a member of our University, you need to know how to protect and manage the information in your care.

As individuals, we might fall prey to identity theft, and as an organisation we could suffer potential damage to our reputation or even have large fines to pay if we get things wrong. As with all risks, managing them isn't about ignoring them or avoiding them. It means that we all take responsibility, stop and think before we act.

This page provides guidance and resources on how to find, handle, store and protect the University's data and your personal data.

EU General Data Protection Regulation (GDPR)

  • Preparing for the GDPR

    GDPR is the new EU General Data Protection Regulation. It will replace the Data Protection Act (DPA) in May 2018. As is often the case when legislation is new there is a lot in the Regulations that hasn’t yet been finalised, and guidance is being issued from a variety of sources.

    However, the GDPR is not radically different from DPA and we should continue to follow the good practice we have around using personal information.


    As further guidance is issued we will post it here.

    Have a question?

    If you have specific concerns or questions about how GDPR will affect your work please contact the Information Manager

Security awareness

  • Your responsibilities

    As a member of our University you're required to protect and manage the information in your care. Here are the core expectations that the University has of you:

  • Information Security Essentials online training course

    This online training course is mandatory for all new staff. IT should take around 30 minutes to complete.

  • Mobile device security

    Our top tips to protect your mobile device:

    1. Lock your device with a personal identification number (PIN) or password.
    2. Don't leave it unattended
    3. Only download apps from trusted sources and pay close attention to what permissions the app requests
    4. Keep your operating system (OS) and apps up to date at all times.
    5. Turn off wifi, Bluetooth and location services when not in use.
    6. Install a mobile security app.
    7. Don't jailbreak, hack or root your own device.
    8. Always log out of banking and shopping websites.
    9. Set up remote locate, lock and wipe services.

    If you think your device is compromised, we recommend you:

    • use your device's remote locate and wipe facility
    • change the passwords for all of your important online accounts, such as your email account and online banking
    • if your device has sensitive University data on it, report it to the IT Helpdesk

    For more information about mobile security, see the University's mobile device guidelines.

  • Disposal of information

    When to dispose

    As a general rule most information and data do not need to be kept indefinitely, and in some instances, particularly for personal data, it can be illegal to retain information longer than necessary. Storage absorbs resources. The more you store the harder it is to find the particular item you want, and it becomes easier to lose track of where information is.

    If there is a retention schedule on the University's Records Management website for your area you should ensure that you adhere to it. If your area doesn't have a retention schedule and requires one, email the Information Assurance Manager for advice

    These guidelines cover all restricted information in all formats. ("Restricted" is defined in the Information Security Policy and in the separate Information Classification Guidelines.)

    How to dispose

    What are you disposing of? What you should do
    Paper-based information

    Paper-based information must be shredded using office shredding machines.

    Paper for shredding should be held securely until it is collected. It should not be left in bags in corridors or other public spaces.

    If you have large amounts of shredding, contact the Estates Management Helpdesk and arrange to have the paper taken away for secure shredding.

    Electronic-based information (including email)

    Standard deletion tools are generally sufficient. You should remember to frequently clear out your desktop recycle bin and the deleted items folder in Outlook. It is possible to set up Outlook to automatically empty the deleted items folder when the application closes. You should also ensure that you regularly delete items from your sent items folder and from drafts.

    Removable storage (memory sticks)

    If you are intending to re-use a memory stick or similar yourself then it is sufficient just to delete items from it in the usual way. If you are passing the storage device on to someone else, then fully reformat the device before doing so.

    Mobile devices

    If you are getting rid of a mobile device (smartphone, iPad) you should follow the advice set out in the Mobile Device Guidelines.

    Computers and hardware

    If you're permanently disposing of a computer, hard disk, laptop or similar item or passing it on to another part of the University that should happen via IT Services who will ensure that everything is properly deleted. If the item is for disposal they will also make sure that disposal complies with the WEEE regulations.

    This information is outlined in the Information Disposal Guidelines.

  • Email and phishing scams


    Phishing is the use of fake emails that claim to be from a company, organisation or person you trust. Their aim is to trick you into handing over personal information, usually in order to steal your identity or your money.

    If you think you've received a phishing email, stay calm. Don't reply to it, don't action it, just delete it. There's no risk in simply receiving a phishing email. If you would like a second opinion you can contact the IT Helpdesk.

    Making sure you email the right person

    As the University grows we're finding that the Outlook address book has an increasing number of names that are the same or very similar. When staff share names with students, and where confidential or personal information is being sent, there are very real risks involved in misdirected email causing reputation, financial or legal damage to the University.

  • Information classification

  • Research data

    Research data needs to be looked after properly and handled well, just like any other type of data. However, there are some aspects of data or information management that are particularly relevant for research.

  • Retention schedules - how long to keep information for

    Our retention schedules explain what information we keep, where we keep it, and how long we keep it forLoss of personal or restricted information.

  • Useful external links

    We've pulled together some useful information and resources from the web. Please contact us if you would like to add something this list.

  • Report an information security incident

    If you're aware of or suspect that information is at risk, see Loss of personal or restricted information.

Information Champions network

  • About the Information Champions network

    Growing an information culture

    The University is a knowledge organisation with information and data flowing through everything we do.

    We're growing an information culture in which staff and students are:

    • aware of sources of information
    • engaged and inspired by the value of information and skilled in using it
    • have the confidence and competence to make best use of the information available, to value the information that they use, to keep it safe and exploit it to the full.

    Information Champions

    Information Champions are our local information heroes and they are key to developing our information culture.

    The role of an Information Champion is to:

    1. Be an advocate for information skills literacy and best practice and information security, providing a central point of contact and signposting colleagues to further help and support.
    2. Ensure that best practice, including new guidelines and ways of working, are circulated, understood and implemented in your area, through departmental meetings and other routes.
    3. Provide a signposting service to ensure staff can access resources available to them, including advice on research data management, ethical approval for handling personal data, analytics and data visualisation, contracts and information skills training.
    4. Guide and support the Head in managing information risk from project development through to business as usual.
    5. Be part of an active network of Information Champions across the University, learning together, supporting each other and the Information Assurance Manager.

  • Become a Champion

    Who are champions?

    Information Champions are:

    • Diverse: Academics and professional services staff; at the top or bottom of the grade scale – or anywhere in between; newly appointed or long-established; geek, nerd or just someone with the urge to find out more and do better: any member of staff can volunteer to be considered for the role of Information Champion.
    • Passionate: Information Champions believe in the power of information and data and want to inspire others to share their passion.
    • Eager to learn: Information Champions don't need to be IT experts: the information culture is about people as much as the technology. Information Champions have a thirst for knowledge, they are brave enough to have new ideas and generous enough to share them.

    As one of our Information Champions you'll be part of a dynamic network, sharing good practice and learning a range of skills. You will be given access and licenses to new tools for working with data. You'll also be able to include Information Champion on your Essex email signature and you CV.

    Time requirements

    The minimum time requirement for this role is likely to be five days per year. You will also be expected to:

    • take the online Information Security Essentials course on Moodle
    • attend a monthly training and network session

    There is scope for more time to be devoted to the role, particularly in areas where there is a lot of handling of restricted data, and where Information Champions feel comfortable in engaging colleagues and being proactive in offering support.

    Additional time requires the support and approval of the relevant line manager and the Head of Department or Section. The Head may consider appointing additional Information Champions where the workload is high.


    If you think that you could be an Information Champion please discuss the role with your line manager, in particular the time commitment involved. Your nomination should come from your Head of Department or Section. If you have further questions contact the Information Assurance Manager

  • Network events

    Upcoming events

    • There are no upcoming events.

    Previous events

Information Security Policy

  • 12 April 2017

    Information Security Policy

    Adobe PDF File
    (61 KB)

    The policy you need to follow that underpins everything we do with information.

Contact details

Sara Stock

Information Assurance Manager

University of Essex, Wivenhoe Park, Colchester, Essex, CO4 3SQ

Telephone 01206 87 4853


Clare Chatfield

Information Assurance Assistant

University of Essex, Wivenhoe Park, Colchester, Essex, CO4 3SQ

Telephone 01206 87 2285