1. SCOPE OF THIS POLICY AND WHY IT IS IMPORTANT
The Harper Adams University (“the University”) Acceptable Use Policy (“the Policy”) applies to all individuals who access the Internet and/or internal electronic mail (“e-mail”) and other electronic communication systems through the computing or networking resources made available by the University (together “the Systems”). This includes users who are permanent full-time, part-time and temporary employees, permanent full-time and part-time students and nominated contractors, agents, fellows and alumni, each of whom shall require individual nomination through a University-employed sponsor (“Users”), for so long as they remain authorised to be Users by the University. The principal initial point for contact or enquiry about this Policy or related issues is the University IT ServiceDesk (the “ServiceDesk”).
1.1 The University provides the Systems at its expense for Users. Such facilities provide many benefits to the University and to individual Users. It is the University’s policy that these facilities, like other University assets, be used appropriately at all times. Each User must also comply with the Information Systems and Services ‘Code of Practice’ at all times when accessing the Systems.
1.2 To apply for permission to be authorised as a User, you must complete the appropriate Access form (examples of which are available online and through the ServiceDesk). If your application is accepted you will be set up on the system, usually using your ID card number as a username, and supplied with an initial password for access to a suitable system. Guest users will be allocated a temporary unique set of username and password credentials. Students may periodically be provided with additional temporary account credentials for the specific purposes of undertaking online assessments and examinations. Such guest and examination accounts will have appropriately restricted access to University Systems and to external internet services, and will expire automatically after a fixed period of currency.
1.3 You are required to change the initial password provided for systems access, to a suitable strong password known only to yourself. Selection, use and maintenance of passwords should comply with the terms of the University Information Security Policy. Advice on password security is available through the ServiceDesk.
1.4 Once changed by the User, passwords are not accessible to or retrievable by any University Systems administrators, and restored access to any System should be achieved by reporting such loss or expiry to the ServiceDesk or through use of the Online Password Recovery service.
1.5 This Policy provides guidance to you on the standards of behaviour each User is expected to adopt when using the Systems, what the University considers to be inappropriate use of the Systems and informs you about the monitoring of use of the Systems.
1.6 Users are expected to be familiar with and to comply with this Policy. The University reserves the right to change this Policy at any time. Where changes are made to this Policy, the new Policy will be uploaded to the Harper Adams website. Users should periodically check to note any changes which have been implemented.
1.7 All Users are responsible for the success of this Policy and should ensure that they take the time to read and understand it. Before access to the Systems (including the Internet via the University network) is approved, you are required to read and agree to this Policy.
1.8 Any misuse or suspected misuse of the Systems or equipment should be reported to the Head of Information Services or their acting Deputy. Failure to comply with the obligations set out in this Policy may constitute a disciplinary offence amounting to gross misconduct and/or termination or suspension of your studies or other relationship with the University.
1.9 Questions regarding the content or application of this Policy should be directed to the Head of Information Services or their acting Deputy.
1.10 All the University facilities must be used in a professional and appropriate manner. Personal use (i.e. non-University business use) of University Systems by staff Users and by student Users is allowed so long as such usage:
2. THE COUNTER TERRORISM AND SECURITY ACT 2015 AND THE PREVENT DUTY
2.1 There is a duty on authorities (including HE) under the above act to have due regard to the need to prevent people from being drawn into terrorism. Under this duty, the University will block, and as stated in 11.1 below may monitor, access or attempted access to websites carrying inappropriate materials.
3. INFORMATION SYSTEMS AND NETWORK SECURITY
3.1 Security of the University’s Systems is paramount. Each User must not permit any unauthorised person to gain access to the University’s Systems (or to a third party’s system) nor seek unauthorised access to a third party’s systems or documents. The University has implemented a number of security controls to safeguard its computer equipment, software and data and these are monitored on a regular basis.
3.2 Unless approved in advance through the ServiceDesk, under no circumstances must any User:
3.3 The use of any type of removable media on the Systems must involve a preliminary check for viruses by an effective scanning utility approved by the ServiceDesk. University-provided equipment is normally configured to perform such scans automatically.
4. INTERNET USE
4.1 The rules and requirements for e-mail use (see section 5.9 below) apply equally to Internet usage, with the following additional guidelines:
4.2 Staff Users must not under any circumstances, even outside normal working hours, at lunchtimes etc., use University systems to participate in any Internet chat room, post messages on any Internet message board or set up or log text regarding the University on a blog, where there is a risk that engagement with such media could bring the University into disrepute. [The use of social sites, e.g. Twitter, Facebook, etc., is permitted, but the usage must not interfere with the University's work and/or the University’s legitimate business interests]. Nor should such engagement bring the University into disrepute.
4.3 Staff Users must not upload University staff/student/consultant/research or project information which is confidential or personal in nature to cloud-based storage solutions (for example, but not limited to, DropBox), without the risk-management consent of their line manager. The University has concerns about the security of these storage solutions and does not recommend the use of cloud storage solutions to share files over the Internet and encourages individuals to use alternate sources for the sharing/receiving of information. If consent to use a cloud storage solution is given, there will be conditions as to the usage of such a solution.
4.4 Other activities that are strictly prohibited include, but are not limited to:
4.5 Users must not place any University materials (examples: internal documentation, policies, course literature etc.) on any mailing list, public news group, or such service, unless such sharing of materials meets the legitimate business needs of the University.
5. E-MAIL USE
5.1 The e-mail System is installed as a method of communication for the University. If you are a member of staff whose day to day work normally involves the use of the University's email, on working days, you should wherever possible ensure you access your e-mails at least once per day; stay in touch by remote access when travelling; use an out of office response when away from the office for more than a day; and endeavour to respond to e-mails marked “high priority” as soon as practicable.
5.2 All e-mail communications may be monitored and subject to random compliance checks at any time as defined below.
5.3 This Policy should not be exploited for personal use. If you are a staff User, you should keep personal use to a minimum when within normal working hours, and ensure that such use does not interfere with the proper performance of your duties.
5.4 The University e-mail System should only be used by members of staff to conduct the University’s business and by students for correspondence that does not infringe this Policy. Wherever possible, staff or students should use their own personal email accounts held outwith the University to conduct correspondence on personal matters that do not relate to their work, study or well-being at the University.
5.5 Personal and web mail accounts must not be used by members of staff to conduct the University’s business unless the user’s University account is inaccessible and the matter to be communicated is urgent. In addition, members of staff and other Users should not:
5.6 E-mail encryption facilities are available [for appropriate business and/or learning uses] to ensure the confidentiality and integrity of messages sent between the University and its Users and/or third parties. Requests should be directed to the ServiceDesk.
5.7 As with written correspondence, e-mail communications can give rise to binding obligations and expose the University to liability in the same way as conventional correspondence.
5.8 Users should not write anything in an electronic communication that could jeopardise the integrity or reputation of the University, or which the User cannot or would not be prepared to justify. Always consider whether e-mail is the appropriate medium for a particular communication. For example, confidential or sensitive personal information should not be sent within the main text of an e-mail but should be sent in the form of either a password protected file, encrypted attachment or as a separate letter.
5.9 Users must not use the electronic communications systems to write, store, send, forward or otherwise transmit any material in any of the following categories, without prior approval of their Line or Programme Managers. To do so may constitute gross misconduct and could result in summary dismissal in accordance with the University disciplinary procedures and/or termination of your studies or other relationship with the University. The (non-exhaustive) list of categories includes:
5.10 If a recipient properly asks you to stop sending messages (whether of a personal nature or otherwise), you should always stop immediately.
6.1 All e-mails passing through the University Systems are monitored for viruses. However, you should exercise caution when opening e-mails from unknown external sources or where, for whatever reason, an e-mail appears suspicious (if for example its filename ends in .exe). The ServiceDesk should be immediately informed if a suspected virus is received. The University reserves the right to block access to attachments to e-mails for the purpose of effective use of the Systems and to ensure compliance with this Policy. Certain types of attachment are considered to be high risk, and the range of blocked attachment types is periodically reviewed.
6.2 Users should be wary of incoming emails from an unknown source. Unsolicited emails from unknown sources should be discarded before opening or referred to the ServiceDesk. Links from emails should not be followed / used unless the email is from a known reliable sender.
7. RETENTION OF E-MAIL MESSAGES
7.1 Every member of staff should individually create an archive file on a matter-by-matter basis of all important e-mail messages which must be kept for University business, and should ensure its periodic backup. Advice on this is available from the ServiceDesk.
7.2 On a regular basis to conserve space on our e-mail server, the University will conduct maintenance to review e-mail file storage.
8. PRIVACY OF E-MAIL COMMUNICATIONS NOT GUARANTEED
8.1 Users should be aware that even if a message is deleted from the University’s e-mail system, it will still be retained by the University either on the daily backups of all data or in other ways. Users should also be aware that e-mail messages may be read by persons other than the intended recipient, including University’s employees or outsiders, under certain circumstances.
8.2 Like hard copy documents, once a User distributes an e-mail message, even if only to an individual recipient, that User (and the University) may not have the ability to control the subsequent distribution, review or retention of that message thereafter.
8.3 Users that receive a wrongly-delivered e-mail should return it to the sender. If the e-mail contains confidential information or inappropriate material (as described above) it should not be disclosed or used in any way.
Please note that wherever possible before sending highly confidential information by email, users should consider whether there is a need to encrypt the information and/or use a different means of transfer.
9. IMPROPER MESSAGES PROHIBITED
9.1 Users should not send abusive, obscene, discriminatory, racist, harassing, derogatory or defamatory e-mails. Anyone who feels that they have been harassed or bullied, or are offended by material received from another User via e-mail should inform the ServiceDesk.
9.2 Users should assume that e-mail messages may be read by others and not include anything which would offend or embarrass the University, any other reader, or themselves, if it found its way into the public domain.
9.3 In general, Users should not:
10.1 The IS Service Delivery Manager may immediately suspend access to System(s) by any person suspected of contravening any conditions applied to the use of the university system. After enquiries, the IS Service Delivery Manager may at their discretion either continue the suspension or reinstate access:
11.1 The University reserves the right for business reasons and in order to carry out any legal obligations in our role as an employer and learning institution, to monitor, review, record and check the use of all information systems, including Internet and e-mail use, from all computers and devices connected to the University network.
11.2 The University may exercise this right in order to establish facts relevant to the University’s business and teaching activities and:
11.3 In these circumstances, individuals do not have a right to privacy when using the University Systems or in relation to any communication generated, received or stored on the University systems.
11.4 Access to monitoring applications is strictly controlled. IS Service Managers may access all monitoring reports and data if necessary to respond to a security incident.
11.5 The University’s systems enable us to monitor and access e-mail communications. For legitimate business reasons, and in order to carry out legal obligations in our role as a University (and as an employer), use of the University’s Systems including the computer systems, and any personal use of them, may be continually monitored by the University. Monitoring and accessing of e-mail accounts is only carried out to the extent legally required or lawfully permitted or as required as necessary and justifiable for business purposes.
11.6 The University reserves the right to monitor e-mails (including personal e-mails), retrieve the contents of and access mailboxes and private directories (and/or check associated Internet use) without further notifying the individual User concerned, where reasonably necessary for the following purposes (this list is not exhaustive):
11.7 E-mail filters have been put in place to monitor e-mail messages for viruses, spam and general compliance with this Policy.
11.8 The University reserves the right to monitor Internet and e-mail traffic data (including domain names of websites visited, duration of visits, details of any blocked sites visited, and details of files downloaded from the Internet) at a network level (but covering both personal and business use) in accordance with this Policy. Each User of the Systems must be aware that the effect of such monitoring or e-mail access may be to reveal certain personal data (including sensitive personal data) about that User as an identifiable individual. For example, a visit to a website relating to a political party or a religious group may indicate your political or religious beliefs. E-mail monitoring or access for business purposes may also identify the presence of personal e-mails containing sensitive personal data. By accessing websites of this type using the University IT systems, each User is providing consent to the University processing any sensitive personal data that may be revealed by monitoring or access for business purposes as described. Monitoring is carried out automatically and access to any recorded information is limited to a small number of IS staff and then under a strict set of guidelines.
11.9 If in doubt, and you wish to preserve your personal privacy, do not use the University IT systems to access any such websites or send/receive personal e-mails.
12. CONSEQUENCES OF VIOLATION OF POLICY
12.1 Violations of this Policy will be documented and can lead to revocation of System privileges and/or disciplinary action up to and including termination of employment and/or termination of studies or other relationship with the University.
12.2 Additionally, the University may at its discretion seek legal remedies for damages incurred as a result of any violation. The University may also be required by law to report certain illegal activities to the proper enforcement agencies.
13.1 Reasonable endeavours are made by the University to:
14. POINTS OF CONTACT
If you need assistance regarding the following topics related to Systems usage, you should initially contact the Service Desk, for additional assistance.
12th October 2015
The principal initial point for contact or enquiry about this Policy or related issues is the IT ServiceDesk.