HSD must be protected by encryption:

• In transport – when being moved from one place to another:
  • Over the internet
  • On removable media
  • In an encrypted file in an otherwise non-encrypted transport (e.g. mail)

• At rest – when being stored on:
  • Office computers and laptops
  • Removable media
  • A server that has not been approved by the IT Security Office as having sufficient mitigating controls in place