Using USB Storage Devices

By default, there is no block on using any type of USB storage devices, although individual departments or divisions may have local policies that stop them being used.

Although the use of USB storage devices is allowed, that doesn't mean it's a good idea to indiscriminately save data to them, particularly if the information would be classifed by the LSE as confidential, or would in any other way fall under the Data Protection Act's definition of sensitive personal data.

USB storage devices are easily lost or stolen, putting any data they contain at great risk of being accidentally or deliberately exposed.

The loss of confidential or sensitive personal data on a USB storage device could result in LSE:

• being fined by the Information Commissioner's Office
• suffering reputational damage
• causing distress to those whose data has been lost
• losing valuable research contracts

It is consequently a good idea to assess very carefully what data you put on a USB storage device, and additionally use encryption on the device in order to keep the data safe.

The requirements of some research projects state that USB devices may not be used, or may only be used if encrypted.

LSE researchers should check the terms of their research agreements carefully before putting any research data on a USB stick.

We would recommend that USB storage devices are fine to use where the leaking, accidental exposure or deletion of the data wouldn’t cause any reputational or financial damage to the School.

Research using anonymised, previously published data, would be one example of data that can be put on a USB storage device.

If you're in doubt about whether or not your data is suitable, please contact the IT Service Desk.

See also LSE's information classification scheme, which will help you make such decisions.

We would advise against putting anything into an unencrypted storage that would contain very sensitive information, such as School financial data or datasets that contained the name, address, ethnicity and passport numbers of individuals. This includes information the School classifies as 'Confidential'.

Data classed as ‘Confidential’ or ‘Restricted’ should be carefully assessed by the owner for the risk of reputational and financial damage if it leaked before putting it onto a USB storage device.

If you're working with research data, there may be rules from your project funder about data handling. These will take precedence over any other consideration.

The risk of accidental exposure of confidential data on USB storage devices can be greatly mitigated by the use of encryption.

You can purchase hardware-encrypted USB storage devices, or else an encrypt a normal USB storage device using encryption software such as BitLocker (on Windows devices) and FileVault (on Macs).

You can also, if you so choose, use software to encrypt individual files.

As a general rule, if you need to store very large volumes of data on an external drive, it’s best to purchase a hardware-encrypted device, as the use of software encryption tends to slow the performance of the device considerably.

Good encryption still relies upon selecting a robust encryption method (256-bit AES is a good standard) and using a sophisticated passcode.

Please see LSE's Guide to Encryption.

You can also contact the IT Service Desk if you have any queries.