It’s really good to hear that the University will be adopting “OneDrive for Business.” I’d now like to ask an associated question regarding the management of email. We are, undoubtedly, very reliant on email for a range of communication. I understand that staff have limited email storage quota on the Exchange Server. The consequence of this is that individuals need to create their own offline email storage provision. This, in our case at the University, typically comprises the creation of ‘.PST’ files which are stored on local hard drives on laptops. These email files are thus subject to the same risks associated with any other file stored on local drives/laptops. Are there any plans to provide alternative forms of email management and thus mitigate/remove these risks? For example, will the “OneDrive for Business” provision allow for unlimited cloud-based email storage and access? The current approach (a) is not conducive to supporting information access at times/locations where it might be needed; (b) limits access to email and associated information/knowledge therein; (c) places the burden of risk and responsibility with individual employees. With respect to (c), I’d like to make reference to the recent email sent by the Director of Finance & Infrastructure and Deputy Chief Executive which reminds staff of our legal obligations. That email states that ‘personal data should not be copied to local hard drives’ – however, this requirement is unlikely to be (and cannot be) realistically met given the current policy and practice that governs email management. The ‘exceptional circumstances’ referred to in that email are, in fact, business-as-usual circumstances for many. Please note that this issue is not about how individuals manage their email – it is about corporate governance and how the institution is protecting its data, enabling its employees, and how it is embracing technology to support the needs of a modern workforce.
All staff have recently been reminded of our legal obligations in terms of looking after and using personal data, and of how breaching the data protection rules has major legal and reputational implications for the University. Personal data must not be copied to local hard drives, USB keys, etc., except in exceptional circumstances, in which case additional security must be implemented.
The use of unencrypted e-mail storage media for personal or business sensitive data is not acceptable. Any member of staff who has a legitimate business requirement to send/receive emails containing personal details or business sensitive data must always undertake regular reviews and securely delete any email containing such data at appropriate points in time. Additionally, any staff who are experiencing issues regarding their storage provision, and have a legitimate business requirement to retain emails containing the types of data mentioned above, should contact Information Services for advice.
The majority of day-to-day emails do not contain personal data or business sensitive data and therefore the creation of ‘.PST’ files stored on local hard drives would not be considered a security issue for these items.
Information Services are investigating our future email strategy to take full advantage of cloud offerings based around Microsoft Office 365.