Thank you all for the suggestions for actual policies – much appreciated.

My personal approach would be risk based and apply length/longevity/second factor etc. to the category of data and user that I’m looking at. Taking, for instance, a person with a high level of access to sensitive personal info: they would have to meet a higher bar in terms of password policy (or intro of a 2nd factor – crypto-card etc.) than one who was just using it for personal web-browsing with no significant data exposure threat.

You should usually be able to identify some categories of user (in my case staff/student/techy for instance) and apply suitable policies and training.

What I was wondering is whether there were any “best practice” documents put forth by such bodies as the ICO etc?

Kind regards,

Jon

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
