Protecting our data (File Remediation project)

We're introducing a new tool to help us manage the data held across University file store areas.

The University holds vast – and ever-increasing – amounts of information across its file stores, from business information and research data to highly sensitive personal data. Due to the volume of data we have, it’s a challenge to manage all this data properly. We’re introducing a new tool to help us. Find out how this might affect your work and the good practice things you can do to support this.

What exactly is the problem?

  • We risk hefty regulatory fines (up to £17.5 million or 4% of our total annual turnover) if we hold onto personal data for longer than required. (Personal data is any information which relates to an identifiable individual such as: name, identification number, location data and any online identifier.)
  • The number of places to store information continues to multiply.
  • When staff move roles and leave behind old records it can lead to messy shared drives and precious time wasted by colleagues trying to identify up-to-date information.

What’s the solution?

All this means good data management is a challenge. To help us meet this challenge, we’re introducing a new software tool (Varonis), which will give us oversight of where our sensitive and stale data is held, as well as alerting us to any malicious activity taking place across file stores. Its data-driven reports will allow the Secretariat and IT to work with schools and services to discuss the types of information they hold, recommend remediation action in line with our retention schedule and alert University security teams  to potential security issues.

Personal good practice

Individually we all contribute to the University’s good information management by deleting ‘stale’ files that are no longer needed for business purposes and making sure sensitive information is only accessed by permitted members of staff.

What are the benefits?

Introducing the new software and review actions will help us to:

  • increase the University’s compliance with data protection legislation
  • reduce the amount of the sensitive data that we hold
  • increase security oversight across our file stores

Which file stores are in scope?

The Varonis tool will scan: 

  • N and M drives 
  • Office 365 (including SharePoint and OneDrive)
  • H drive (FBS) 
  • Z drive
  • CServ (Engineering)
  • Maths
  • S drive (FBS)
  • SCIF (M&H)
  • Y drive (Chemistry)
  • Environment (research)
  • DCS (Research).

Will research data be included?

Yes, but it will be monitored for security risks only. 

Will information be deleted without consultation?

No information will be deleted without prior consultation and authorisation from the school or service. However areas will need to provide robust justification for holding onto personal data for longer than stated in our retention schedule. We are focused on removing stale files which are no longer need to be retained for business purposes. There are many legitimate reasons for holding on to sensitive information, for example as part of legal compliance or because information relates to an ongoing issue. 

Will the reports generated by the tool show on the contents of my files?

The reports are focused on providing areas with an oversight of the types of data held in their file stores (such as personal data or financial data), where this data is stored and how old it is. In consultation with the Secretariat, schools and services can use this information to inform any deletion activities. The reports will not list the contents of any identified sensitive data. 

When will the project begin?

We’re currently introducing the Varonis tool across all our file stores. After this we’ll conduct a pilot to test that the tool is working as expected.

We expect to start talking to schools and services no later than March 2022, and will inform schools and services if that changes. 

If you have any queries about the file store remediation project, please contact Rosalind Ryan-Mills (r.ryanmills@leeds.ac.uk).

Posted in: