ScHARR Information Governance

Policy Section 4: Remote working

Version 18/03/31


Working away from University premises and/or with mobile devices introduces additional risks, for example devices may be lost, damaged or stolen. Without appropriate protection this could result in the loss or inappropriate disclosure of risk-bearing data. Each member of ScHARR has a responsibility to protect risk-bearing information and the systems they use to store, process or access that information. Each member of ScHARR should be aware of the risks involved and take measures to safeguard the data. Losses of confidential data are viewed very seriously by the Information Commissioner’s Office and the University, and may result in consequences such as disciplinary procedures, civil court actions and criminal charges.


It is expected that most staff, the majority of the time, will work within the University environment. Remote working involving risk-bearing data should only be carried out when all of the following criteria are satisfied:

  • alternative means of working have been explored
  • there is an operational or business reason to handle the information this way
  • the individual has the authority to do so
  • the information is protected using an approved encryption system.

Written authorisation must be given by line managers who must maintain a record of permissions granted.

Risk-bearing data must be stored, created and processed securely when accessed off-site (eg device storage must be encrypted and must not be accessed by unauthorised users. This includes taking care that work on sensitive information cannot be overlooked or accessed by public wifi).

Appropriate protection must be in place if remotely accessing risk-bearing data (e.g. VPN access to network files, secure access to web applications, working securely at NHS locations using NHS equipment, networks and systems). Data must never be downloaded to unencrypted devices when working off-site.

There may be further restrictions placed on data received from third party providers, and data sharing agreements (DSA) must be adhered to in these cases.

Section 5: Information sharing