The HECToR Service is now closed and has been superseded by ARCHER.

Information and Security Policy

The main target audience for this Policy is HECToR staff members and management. It lays down the standards we aim for in the handling of all the data in our care.


General

In its handling of personal information, HECToR will maintain the firm standards of security, integrity and privacy which are to be expected of a public service whose relationships with its users and staff are governed by an ethic of collegiality and respect.

Personal information is held by the service on trust. It is our responsibility to ensure that it is confidential, safe and correct.

This policy covers all information held by the service, whether on the computers or elsewhere. All members of the staff of HECToR are required to observe it.

Our handling of personal information is governed by our Notification under the Data Protection Acts, and by the HECToR Personal Data and Privacy Policy.

It is the responsibility of managers to ensure that the provisions of this Policy are made known to the staff they supervise, and that each staff member understands precisely what he or she must do in order to carry it out.

Personal information held on computers

Access to the HECToR database shall be denied to anyone who is not either a user of the service or a member of its staff. The systems and the information handling software shall be configured to ensure this.

Nor shall personal information from the HECToR database be transmitted to other people, except as specified in the Personal Data and Privacy Policy. Reports to external organisations on the activities of the service shall not refer to individual users by name.

Information on the HECToR database may be accessed by users or HECToR staff only through the webpages provided. These will ensure that only the information appropriate for each user of the database can be seen. Members of staff whose duties include the maintenance of the database and its software are exempt from this requirement; they are required to keep confidential the personal data they encounter.

The computers housing the database and its associated software shall be kept in secure conditions — either in the Edinburgh University Advanced Computer Facility, whose security provisions are defined in the Contract between HECToR and EPSRC; or in the secure portion of the James Clerk Maxwell Building in Edinburgh.

The database shall be backed up to tape each working day. Two copies shall be made, one of which shall be transferred off site.

Other information held on computers

The treatment of data, including users' data, held on the HECToR systems is laid down by the Contract between UoE HPCX Ltd and EPSRC.

Policies for the backup of data held on disk are described in the HECToR Data Backup Policies.

All files held on the HECToR systems will be protected from interference by other users by means of a careful use of the standard UNIX file protection systems. Users will be assigned to groups corresponding to their research project groups and subgroups, and these will normally be inaccessible to other users. Users will also be able to protect their personal files from other users by prohibiting access.

Access to the systems shall be barred to anyone who is not properly registered. A person may only be registered if they are approved by the Principal Investigator of a research project. Principal Investigators will be designated to HECToR by EPSRC, or will gain access through a specific commercial agreement with the Service. Registration of users, communication of passwords, access control, etc., shall follow the best industry practice.

The HECToR Terms and Conditions of Access, accepted by all users as a condition of access, require users not to corrupt or delete one another's data and to respect one another's privacy, and specify the actions to be taken should they not observe this.

Personal information held elsewhere

It is the responsibility of all members of HECToR staff to ensure that personal information about our users and staff is protected and their privacy maintained. This applies as much to information held on paper, or elsewhere, as to information held on computer. No such information shall be shown to any person not specified in the Personal Data and Privacy Policy as a person to whom personal data may be transmitted.

Personal data which is not currently in use shall at all times be securely locked away.

It shall be regarded as part of the professional ethic of our staff that information about our users which we come by in our work is not to be passed to any third party. Managers are required to ensure that their staff live up to this standard.

Contingency planning and business continuity

This topic is covered in the HECToR Contingency and Reversion Plan.