Information ServicesInformation Security Policy for managers

We recognise the importance of information as a corporate asset. Our Information Security policy:

  • ensures all data in the University is handled and stored with an appropriate level of security
  • outlines the monitoring measures the University takes to ensure the security of data and IT services
  • outlines user policies which must be adhered to including:
    • acceptable use
    • physical security
    • personal devices
  • outlines management policies for business/system/service owners

Some of the core policies of our Information Security Policy are to:

  • support the University and IT strategic vision
  • follow and develop the Scottish Government’s Public Sector Action Plan on Cyber Resilience
  • make students, staff and third parties at the University aware of their responsibility to data
  • maintain the integrity (accuracy and security) of information we hold
  • comply with all legal and contractual obligations we have to data

Our Information Security policy is an overarching policy. We have summarised the contents of the policy here. You can download the Information Security Policy and other related policies below.

Summary of Information Security Policy


You should use our computing facilities in a way which is:

  • ethical
  • legal
  • appropriate to the University's aims
  • not detrimental to others

You are responsible for ensuring the security of University devices and University data which you have access to.

You must adhere to standards of acceptable use for use of University devices and services.

Information security

Information security is the responsibility of every member of staff, students, and third parties.

All information and data held by the University must be accurate and stored with an appropriate level of security.

Data handling

Data must be categorised, processed, and stored according to the following registers:

High Any data that is high confidential. This could be time sensitive data that will later become public (such as research of financial plans). This category includes special categories of personal data, as described by GDPR.
  • Passport and visa information
  • Health records
  • Grievance data
  • Biometrics
  • DNA
Medium Any data for the internal running of the University, which is not classed as high. This category includes personal data as described by GDPR.
  • Unpublished research data (at owner's discretion
  • Student records and admission
  • Staff employment applications
  • Personnel files
  • Benefits
  • Salary
  • Birthdate
  • Personal contact information

Any data publicly available.

Any data not classified as high or medium.

  • Unpublished research data (at owner's discretion)
  • Public policies and procedures
  • Job postings


The University will monitor the use of University devices and services to comply with legal, regulatory and operational requirements.

The University will ensure the integrity and confidentiality of this information.

All monitoring activities will be appropriately authorised and documented.

User policies

All students, staff, and third parties must comply with guidelines on:

  • acceptable use in accessing University devices and services
  • acceptable personal use of University devices
  • physical security of IT equipment
  • personal device use for University purposes

Find out more about University Cyber Security standards.

Management Policies Section

For more guidance on information security for managers, please visit the IT Spotlight Security Pages.


All staff and students should complete cyber security awareness training available from Myplace.