Each one of us has been given privileged access to services, systems, and information at UCT. It is therefore important that we’re mindful of each action that we take to prevent outsiders from gaining unauthorised access to our digital assets.
Data privacy is our joint responsibility
UCT requires access to all types of information to function optimally. This includes information that is publicly available as well as information classified as private, confidential, and sensitive. Whereas information that is publicly available on UCT websites is not at risk, all other information about people, the institution, vendors, funders, and government that is not for public consumption should be protected at all costs by the people to whom access has been given.
Data privacy therefore ensures that non-public facing information in all formats (i.e., physical and digital) is handled with the utmost care and confidentiality. Whether it’s student records, research data, financial information, medical files, or personal communications, each of us has a role to play in protecting this information.
Protecting information is important
UCT therefore has a variety of security measures in place to protect the systems, services and platforms where this information is stored. These measures are there to ensure that information isn’t lost, misused or abused.
Over the past few years, ICTS has put numerous security measures in place to protect the UCT network and its and your digital assets.
Multi-factor authentication (MFA)
This electronic authentication method requires you to log in using your UCT network password along with authenticating via the Microsoft Authenticator app (which is recommended) on your smartphone or entering a verification code that is sent to you via SMS. MFA is mandatory for all UCT accounts, with the university's Risk Management Executive Committee (RMEC) supporting its implementation as a necessary mechanism for enhancing the university's digital security.
Mimecast
UCT uses the Mimecast online email management tool for all UCT email addresses (i.e. UCT staff, third parties, students and post-doctoral fellows). Due to the significant amount of spam UCT receives daily, Mimecast uses a multi-step spam filtering process to determine which emails are outright spam, and which emails should be actioned by you to determine whether they’re legitimate or not.
There are still some suspicious emails that manage to get through this process. You can report these directly to Mimecast via the Outlook add-in or to the IT Helpdesk by forwarding the email as an attachment to icts-helpdesk@uct.ac.za.
Encryption
When a document is encrypted, the content within it is encoded. This ensures that only the intended recipients can view its contents, assuring them that the information is genuine.
Encryption also guarantees that sensitive and confidential information does not end up in the wrong hands as it limits unauthorised access.
Once a document has been encrypted, it can only be viewed by individuals who have been given an encryption key (i.e., a password). To avoid any risk of the document being intercepted, we recommend using a complex and secure password. Two different methods should be used to send the encrypted documents and the encryption key. For example, send encrypted documents via email, and the password via an SMS or secure instant messaging platform.
Microsoft Purview
UCT staff members also have access to Microsoft Purview to help them better manage sensitive and confidential information sent via email and prevent its disclosure to unauthorised individuals.
Email communication remains one of the most used methods to share information with an individual or a group of people. General and sensitive information is sent via this platform to internal and external parties. In some instances, a sender may send information that they view as sensitive or confidential and only intend for the selected recipients to read it. The recipient may not see the information as sensitive and pass it on to additional people.
In such instances, Microsoft Purview Message Encryption provides the ideal solution as it encodes the message content, allowing only the intended recipients to view it. It even goes as far as encrypting Microsoft 365 documents such as Word and Excel, as well as PDFs.
Important: should you accidentally send confidential information to the wrong recipient, you must immediately report it to the UCT Computer Security Incident Response Team, as per the UCT Password policy.
Information Security Management System (ISMS)
An ISMS has recently been implemented at UCT to systematically protect all the information that UCT has access to no matter what format it is in. This includes all data – yours and that of the university – stored on all UCT systems and services, online storage platforms, paper-based documentation, and even intellectual property. This information must be protected from accidental disclosure and unauthorised access at all costs to prevent scenarios that could affect the university’s reputation, financial sustainability, and competitiveness.
The ISMS therefore guarantees that a formal process is in place to continually govern information security, and manage UCT’s policies, procedures, guidelines, and associated resources.
Balancing access and security
While data sharing is essential for collaboration and innovation, it must be done responsibly.
- Use secure methods for sharing data, such as encrypted email or secure file transfer services.
- Only share data with individuals who need it for legitimate purposes.
- Keep track of who has access to your data and how it is being used.
By working together and understanding everyone’s role in protecting the confidentiality and integrity of the information that they use or manage, we can create a secure and privacy-conscious environment that supports our academic and research missions.