IT Acceptable Use Policy

Policy Statement

This control procedure defines the University’s approach to acceptable use of our information systems and infrastructure, and directly supports the following policy statement from the Information Security System:

The University’s security policies and expectations for acceptable use will be communicated to all users to ensure that they understand their responsibilities. Information security training will be made available to all staff, and poor and inappropriate behaviour will be addressed.

Audience

This procedure is intended to be read and understood by all users accessing University information, IT systems, networks or software using any University or personally owned device. This includes social media, communication and interactive platforms including but not limited to WhatsApp, Facebook, Facebook Messenger, and Microsoft Teams.

Control Statements

Applicable Laws and Regulations

Users are bound by the laws of England and Wales when using the University’s IT resources. In addition, when using University devices or accessing the University’s network from abroad, users must also adhere to the laws of that country.

It is the user’s responsibility to ensure his or her activities comply with these laws.

• The use of University IT resources is subject to all relevant University regulations.
• When making use of the internet, the acceptable use policies of the carriers apply, in particular, the Joint Academic Network (JANET) (See the JANET Acceptable Use Policy);
• The University has a statutory duty, under the Counter Terrorism and Security Act 2015, to aid the process of preventing people from being drawn into terrorism;
• Any information you create or store on University systems may be released under an information access request in line with (but not limited to) Data Protection and Freedom of Information.

Acceptable Use

Acceptable use is defined as any use that supports the University’s teaching, learning, research, consultancy and administrative activities, and does not meet the definition of Prohibited Use.

Prohibited Use

Prohibited use includes but is not limited to activity that:

• contravenes any laws, University policies or regulations;
• involves the creation, downloading, storage or transmission of material that is indecent, offensive, defamatory, threatening or discriminatory in nature. This includes pornography, hate speech, violence and promotion of terrorism;
• has the potential to create an environment that is offensive or threatening, or that may constitute harassment;
• involves threatening, abusive, obscene messages including those that may cause harm, offence or needless annoyance;
• harms the University’s reputation or that of its staff and/or students;
• commits the University to any contractual obligations without obtaining the appropriate authority;
• imitates or impersonates another person or their email address to create false accounts, send spam email or conduct any other activities unknown to the individual;
• is undertaken for unauthorised, personal commercial gain;
• otherwise acts against the aims and purposes of the University as specified in its governing documents or in rules, regulations and procedures adopted from time to time.

Specifically, users are prohibited from:

• uninstalling and/or reconfiguring anti-malware, updates, logging or other protective services on University devices;
• intentionally or recklessly introducing to their device or University systems any form of spyware, computer virus or other potentially malicious software;
• sharing log-in credentials with another user;
• using personal email accounts instead of a University staff email account to conduct University business, or automatically forwarding emails from a staff email account to a personal account;
• introducing data-interception, password-detecting or similar software or devices to the University’s network;
• seeking to gain unauthorised access to restricted areas of the University’s network;
• accessing or trying to access data where the user knows or ought to know that they should have no access.

Exceptions

Occasionally use of University IT systems is required for University‐related activities such as security sensitive research that may otherwise meet the definition of prohibited use. In this case prior, explicit approval through the University’s official processes for dealing with academic, ethical issues is required. Please contact the Information Services team for further information.

Personal Use of University IT Systems

The University recognise that users may make personal use of University systems, including email and the Internet. Personal use should be reasonable and not excessive, ensuring that it does not interfere with IT resources, business requirements or any other University or legislative requirement.

It is not recommended that users store or share their own sensitive data for personal use on University systems as the University cannot guarantee the confidentiality, integrity or availability of this information.

The University reserves the right to withdraw access to IT resources for personal use at any time and may remove or modify information (including personal data) held on its IT resources.

Logging and Access

The University may log all forms of IT use. Monitoring systems is necessary for administrators to identify and investigate technical or security related problems, and also provides an audit log in the event of misconduct or criminal investigations.

The University also reserves the right to inspect any items of computer equipment connected to the network. Any IT equipment connected to the University’s network will be removed if it is deemed to be breaching University policy or otherwise interfering with the operation of the network.

The University may need to access or suspend any user’s account for business purposes. Action will only be taken where it has been authorised by a suitable HR representative, or where the Information Security team have identified an immediate threat to University information.

The University’s Exit Procedures

Upon leaving the University it is expected that users:

• return all University IT equipment in reasonable working condition;
• not delete any data which belongs to the University and which the University may need in future;
• should ensure any data held in a personal area (OneDrive or Outlook, for example) which may be needed by the University is transferred to an appropriate shared area prior to their departure;
• ensure any of their own data that they wish to keep is removed from the University’s systems, as they will not be entitled to access this (and the University will not retrieve it for them) once they leave; the University has no obligation to retain such data which may be deleted by the University at any time after a user’s authorisation has ended;
• review and conform to any other procedures set out by the University in relation to your departure (line managers and student support services are best placed to advise on this)

Compliance

Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.

Any prohibited use which is deemed to be in contravention of the law and/or which involves the intentional access, creation, storage or transmission of material which may be considered indecent or obscene will be regarded as an act of gross misconduct on the part of staff which could result in       dismissal. This would also qualify as an act for which students may be expelled under the student disciplinary procedure.

Compliance checks will be undertaken by the University’s governance functions from time to time.

Related Documents

This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System, in addition to others not limited to those that relate to professional conduct and behaviours of staff and students when representing or undertaking any University activities, including the use of communications platforms.

Review

A review of this policy will be undertaken by the Information Services team annually or more frequently as required, and will be approved by the University Executive.