Acceptable Practices for Handling High Risk Data
Data classified as High Risk under the HKUST Guideline for Risk Classification should be handled with care. The following outlines the acceptable practices for handling such sensitive data. It should be noted that these practices are considered mandatory for the protection of individuals, units and the University.
- High Risk data should, in general, not be stored on end user devices such as office desktop computers, home computers or portable devices (e.g. USB memory sticks, notebook computers, smart phones, tablets, etc.). Consider the alternative of storing the data on secure file servers managed by qualified IT professionals. If storing the data on an end user device is unavoidable, remember to:
  - Trim down any sensitive data fields as much as possible from the data set;
  - Encrypt the data set (e.g. using AIP);
  - Delete the data set as soon as it is no longer used (and remember to empty the recycle bin).
Transmission and Processing
- Encrypt High Risk data when transmitting by email.
- Transmission of High Risk data using public cloud services (except Microsoft OneDrive, Teams or SharePoint provided by ITSC) is prohibited. Consider using the alternative Document Storage and Sharing services provided by ITSC.
- Do not use public terminals (e.g. those at coffee shops) to access High Risk data.
- The use of a home computer to process High Risk data is, in general, discouraged. If this is unavoidable, ensure that:
  - The home computer is protected by appropriate security software with the latest security updates, and with all protection mechanisms turned on.
  - A Virtual Private Network (VPN) is used to transmit the data.
- Pay special attention when disposing of a computer’s hard disk drive. Consider using a degausser, a machine that magnetically erases all information stored on magnetic media (e.g. hard drives, floppy disks, tapes, etc.) in a quick and thorough manner. Wipe out all content on your hard drive before disposal.