Security & Compliance
A Guide for Staff and Administrators
What This Covers
This guide explains how the system protects sensitive materials and helps you meet legal requirements for:
- Privacy - POPIA (South Africa), GDPR (Europe)
- Records Management - NARSSA requirements
- Security Classifications - Controlling who sees what
- Audit Trails - Tracking who did what and when
Security Classifications
The Five Levels
┌─────────────────────────────────────────────────────────────┐
│ SECURITY LEVELS │
├─────────────────────────────────────────────────────────────┤
│ │
│ 🟢 PUBLIC │
│ Anyone can view, including the general public │
│ │
│ 🔵 INTERNAL │
│ Staff members only │
│ │
│ 🟡 CONFIDENTIAL │
│ Authorised staff with a need to know │
│ │
│ 🟠 SECRET │
│ Named individuals only, approved by management │
│ │
│ 🔴 TOP SECRET │
│ Special clearance required, very restricted │
│ │
└─────────────────────────────────────────────────────────────┘How Access Works
RECORD USER
┌──────────┐ ┌──────────┐
│ Security │ │ Clearance│
│ Level: │ │ Level: │
│CONFIDENT-│ │ SECRET │
│ IAL │ │ │
└────┬─────┘ └────┬─────┘
│ │
│ COMPARISON │
└──────────────┬───────────────┘
│
▼
┌─────────────────────┐
│ User clearance │
│ (SECRET) is HIGHER │
│ than record level │
│ (CONFIDENTIAL) │
└──────────┬──────────┘
│
▼
┌─────────────────────┐
│ ✅ ACCESS │
│ GRANTED │
└─────────────────────┘Simple Rule: Your clearance level must be equal to or higher than the record's security level.
| Your Clearance | Can Access |
|---|---|
| Public | Public only |
| Internal | Public + Internal |
| Confidential | Public + Internal + Confidential |
| Secret | All except Top Secret |
| Top Secret | Everything |
Setting Security on Records
When Creating a Record
- Look for the Security Classification field
- Select the appropriate level
- The system remembers this for all future access checks
Changing Security Level
- Go to the record
- Click Edit
- Change the Security Classification
- Click Save
Note: You can only set security levels up to your own clearance. If you have Confidential clearance, you cannot mark something as Secret.
User Clearance
Checking Your Clearance
- Click on your username (top right)
- Select My Profile
- Your clearance level is shown
Requesting Higher Clearance
Contact your administrator if you need access to records above your current level. They will:
- Verify your need
- Get appropriate approval
- Update your clearance in the system
Privacy Compliance
POPIA (South Africa)
The Protection of Personal Information Act requires us to:
- Only collect information we need
- Keep it secure
- Allow people to see their information
- Delete it when no longer needed
What You Need to Do
┌─────────────────────────────────────────────────────────────┐
│ PRIVACY CHECKLIST │
├─────────────────────────────────────────────────────────────┤
│ │
│ ✓ Only access records you need for your work │
│ │
│ ✓ Don't share login details with anyone │
│ │
│ ✓ Log out when leaving your computer │
│ │
│ ✓ Report any suspected breaches immediately │
│ │
│ ✓ Don't copy personal information unnecessarily │
│ │
│ ✓ Ask if unsure about sharing information │
│ │
└─────────────────────────────────────────────────────────────┘Handling Information Requests
If someone asks to see their personal information:
┌──────────────────┐
│ Person requests │
│ their data │
└────────┬─────────┘
│
▼
┌──────────────────┐
│ Verify their │
│ identity │
└────────┬─────────┘
│
▼
┌──────────────────┐
│ Log the request │
│ in the system │
└────────┬─────────┘
│
▼
┌──────────────────┐
│ Forward to │
│ Information │
│ Officer │
└────────┬─────────┘
│
▼
┌──────────────────┐
│ Response within │
│ 30 days │
└──────────────────┘Audit Trail
What Gets Recorded
The system automatically tracks:
| Action | What's Recorded |
|---|---|
| Login/Logout | Who, when, from where |
| View Record | Who looked at what |
| Create | Who created what record |
| Edit | Who changed what (old and new values) |
| Delete | Who deleted what |
| Download | Who downloaded files |
| Who printed what |
Why This Matters
- Accountability - Everyone is responsible for their actions
- Investigation - If something goes wrong, we can find out what happened
- Compliance - Legal requirement for many organisations
- Protection - Protects you by showing you followed procedures
Viewing Audit History
For any record:
- Go to the record
- Click History or Audit Trail
- See all changes with who, what, and when
Embargoes
What is an Embargo?
An embargo prevents access to a record until a specific date. Common reasons:
- Personal information (e.g., 75 years after creation)
- Donor requirements
- Legal restrictions
- Commercial sensitivity
How Embargoes Look
┌─────────────────────────────────────────────────────────────┐
│ 🔒 THIS RECORD IS EMBARGOED │
│ │
│ Available from: 1 January 2050 │
│ Reason: Contains personal information │
│ │
│ Contact the archivist if you need special access │
└─────────────────────────────────────────────────────────────┘Setting an Embargo
- Go to the record
- Click Edit
- Find Embargo Settings
- Enter:
- End date (when it becomes available)
- Reason
- Click Save
Requesting Embargo Exemption
If you need access to embargoed material:
- Submit a written request
- Explain your research purpose
- Wait for approval from management
- If approved, you'll get temporary access
Best Practices
Daily Habits
┌─────────────────────────────────────────────────────────────┐
│ SECURITY HABITS │
├─────────────────────────────────────────────────────────────┤
│ │
│ WHEN STARTING WORK │
│ • Use your own login │
│ • Check for any security announcements │
│ │
│ DURING THE DAY │
│ • Lock screen when away (Windows+L) │
│ • Don't leave sensitive records on screen │
│ • Be careful what you discuss in public areas │
│ │
│ WHEN FINISHING │
│ • Log out properly │
│ • Clear your desk of sensitive papers │
│ • Secure any physical records │
│ │
└─────────────────────────────────────────────────────────────┘If Something Goes Wrong
Suspected security breach:
- Don't panic
- Stop what you're doing
- Tell your supervisor immediately
- Don't try to fix it yourself
- Document what happened
Lost password:
- Contact IT support
- Never share passwords
- Use the password reset function
Suspicious activity:
- Note what you saw
- Report to your supervisor
- Don't confront anyone directly
Quick Reference
Security Level Colours
| Colour | Level | Access |
|---|---|---|
| 🟢 Green | Public | Everyone |
| 🔵 Blue | Internal | Staff |
| 🟡 Yellow | Confidential | Authorised staff |
| 🟠 Orange | Secret | Named individuals |
| 🔴 Red | Top Secret | Special clearance |
Key Contacts
| Issue | Contact |
|---|---|
| Access problems | System Administrator |
| Security concerns | Information Officer |
| Privacy requests | Information Officer |
| Policy questions | Your Manager |
For technical support, contact your system administrator.