Acceptable Use Policy

Scope of this policy and why it is important

The Harper Adams University (“the University”) Acceptable Use Policy (“the Policy”) applies to all individuals who access the Internet and/or internal electronic mail (“e-mail”) and other electronic communication and storage systems through the computing or networking resources made available by the University (together “the Systems”). This includes users who are permanent full-time, part-time and temporary employees, permanent full-time and part-time students and nominated contractors, agents, fellows and alumni, each of whom shall require individual nomination through a University-employed sponsor (“Users”), for so long as they remain authorised to be Users by the University. The principal initial point for contact or enquiry about this Policy or related issues is the University IT Service Desk (the “ServiceDesk”)

1. The University provides the Systems at its expense for Users. Such facilities provide many benefits to the University and to individual Users. It is the University’s policy that these facilities like other University assets, be used appropriately at all times. Each User must also comply with the Information Systems and Services 'Code of Practice’ at all times when accessing the Systems.
2. To apply for permission to be authorised as a User, you must complete the appropriate Access form (examples of which are available online and through the ServiceDesk). If your application is accepted you will be set up on the system, usually using your ID card number as a username, and supplied with an initial password for access to a suitable system. Guest users will be allocated a temporary unique set of username and password credentials. Students may periodically be provided with additional temporary account credentials for the specific purposes of undertaking online assessments and examinations. Such guest and examination accounts will have appropriately restricted access to University Systems and to external internet services, and will expire automatically after a fixed period of currency.
3. You are required to change the initial password provided for systems access, to a suitable strong password known only to yourself. Selection, use and maintenance of passwords should comply with the terms of the University Information Security Policy. Advice on password security is available through the ServiceDesk. It is the responsibility of all users to ensure their password remains secure at all times. Passwords should not be written down or emailed and should never be shared with anyone else. The ServiceDesk will never ask you to disclose your password. If you going away on annual leave, or other planned absence, and continuity of work is required please ensure any tasks or activities are handed over before you leave. You should not be asked, or offer, to share your password to provide this access. If you are absent for any other reason, in the interests of business continuity, your line manager may request indirect access to your email, network work areas and other systems without being given your account details. This can be arranged through the ServiceDesk and details of who was provided access will be recorded and you may be notified on your return. If you believe your password has been compromised please change it immediately either at your workstation, by using the password reset service or if neither of these methods are available to you through the ServiceDesk. They will provide you with a one-time use password but you will be expected to change your password on next logon
4. Once changed by the User, passwords are not accessible to or retrievable by any University Systems administrators, and restored access to any System should be achieved by reporting such loss or expiry to the ServiceDesk or through use of the Online Password Recovery service.
5. This Policy provides guidance to you on the standards of behaviour each User is expected to adopt when using the Systems, what the University considers to be inappropriate use of the Systems and informs you about the monitoring of use of the Systems.
6. Users are expected to be familiar with and to comply with this Policy. The University reserves the right to change this Policy at any time. Where changes are made to this Policy, the new Policy will be uploaded to the Harper Adams website. Users should periodically check to note any changes which have been implemented.
7. All Users are responsible for the success of this Policy and should ensure that they take the time to read and understand it. Before access to the Systems (including the Internet via the University network) is approved, you are required to read and agree to this Policy.
8. Any misuse or suspected misuse of the Systems or equipment should be reported to the Head of Information Services or their acting Deputy. Failure to comply with the obligations set out in this Policy may constitute a disciplinary offence amounting to gross misconduct and/or termination or suspension of your studies or other relationship with the University.
9. Questions regarding the content or application of this Policy should be directed to the Head of Information Services or their acting Deputy.
10. All the University facilities must be used in a professional and appropriate manner. Personal use (i.e. non-University business use) of University Systems by staff Users and by student Users is allowed so long as such usage:
    • does not, as deemed by the University, interfere with University work, studies or the working environment of others;
    • is not for any illegal activity or any activity which could bring the name of the University into disrepute or open the University up to legal action;
    • does not impact the University’s ability to provide Systems access for its legitimate business purposes;
    • does not mislead the recipient of communications;
    • is not used to support an independent enterprise with which a staff or student User is associated, and/or
    • by staff Users is kept to a minimum.

The Counter Terrorism and Security Act 2015 and the Prevent Duty

1. There is a duty on authorities (including HE) under the above act to have due regard to the need to prevent people from being drawn into terrorism. Under this duty, the University will block, and as stated in 11.1 below may monitor, access or attempted access to websites carrying inappropriate materials.

Information Systems And Network Security

1. Security of the University’s Systems is paramount. Each User must not permit any unauthorised person to gain access to the University’s Systems (or to a third party’s system) nor seek unauthorised access to a third party’s systems or documents. The University has implemented a number of security controls to safeguard its computer equipment, software and data and these are monitored on a regular basis.
2. Unless approved in advance through the ServiceDesk, under no circumstances must any User:
   • introduce or use any program that is not already installed on any System, and/or
   • download programs or other executable material from the Internet for use on the System.
3. The use of any type of removable media on the Systems must involve a preliminary check for viruses by an effective scanning utility approved by the ServiceDesk. University-provided equipment is normally configured to perform such scans automatically.

Internet Use

1. The rules and requirements for e-mail use apply equally to Internet usage, with the following additional guidelines:
   • each User must ensure that, in obtaining information or material from websites or from any other source, the User is not infringing copyright or incurring unauthorised expense to the University;
   • each User is responsible for ensuring compliance with any terms and conditions governing the use of external websites;
   • access to certain sites may be blocked by configurations set through the Information Services team. If any User has a legitimate requirement to be able to access such sites, they should contact the ServiceDesk for authorisation;
   • Users must not visit sites, download material, transfer data or images, store data or images, transmit information or display web pages that may fall into one or more of the following (non-exhaustive) categories (and given the widest meaning of the terms):
     • defamatory, offensive, vulgar or obscene material (including any type of pornography or sexually explicit material);
     • any racist or sexist material;
     • any material that could constitute bullying or harassment (such as on the grounds of sex, including sexual orientation, race or disability);
     • any material that could incite violence or hatred;
     • engaging in any form of intelligence collection from the University facilities;
     • engaging in fraudulent activities, or knowingly disseminating false or otherwise libellous materials;
     • any material that could be otherwise considered illegal, or reasonably perceived as falling into one of the above categories; and/or
     • (for staff Users only,) for the conduct of an independent business enterprise or political activity
     • breach of any legal duty owed to a third party such as obligations of confidentiality and contractual duties
     • users must not impersonate any person, or misrepresent their identity or affiliation with others or the University
     • users must not give the impression that comments/contributions they make are on behalf of the University if this is not the case
2. Staff Users must not under any circumstances, even outside normal working hours, at lunchtimes etc., use University systems to participate in any Internet chat room, post messages on any Internet message board or set up or log text regarding the University on a blog, where there is a risk that engagement with such media could bring the University into disrepute. [The use of social sites, e.g. Twitter, Facebook, etc., is permitted, but the usage must not interfere with the University's work and/or the University’s legitimate business interests]. Nor should such engagement bring the University into disrepute.
3. Cloud computing can provide benefits in terms of accessibility, integration and operation of systems, and storage and processing of data. However, before any University data is stored or processed in a cloud hosted system it is the responsibility of the system owner, and/or data processor, to ensure that data processed, in a cloud hosted system, is only stored in EU located data centre(s). Cloud storage is available using Microsoft’s OneDrive for Business. It is important to ensure that only OneDrive for Business is used as Microsoft also offer personal cloud storage but that is not under the control and management of the University and data may be stored in locations outside the EU. Storage provided as part of the OneDrive for Business service is guaranteed to be within the EU and the University retains full ownership and control over the data and is satisfied that the data is properly secured and protected. The contractual agreements between Microsoft and the University have been negotiated by the JISC on behalf of the UK HE sector and abide by all relevant UK and European legislation. The files held within OneDrive for Business are backed up by the University’s enterprise backup solution. OneDrive for Business is the only cloud storage service that the University provides.
4. OneDrive for Business also allows staff to share files both inside the University and with external colleagues. However, it is important that staff ensure appropriate data sharing agreements are in place if personally identifiable information is to be shared and they should refer to the Data Protection Policy for guidance. Staff must understand how to manage the sharing process to limit access to the files they intend to share and to ensure they are only shared with the intended recipients. Guidance can be provided by the ServiceDesk. It is also important that staff monitor these file shares and remove them as soon as they are no longer required. It is good practice to maintain a log of sharing activity with expected sharing end dates.
5. Alternative cloud data storage services may be used by University staff and students if a project they are working on dictates this but no University non project specific data should be stored or shared through these services
6. Other activities that are strictly prohibited include, but are not limited to:
   • accessing the University’s information using the Systems (or held on the Systems) that is not within the scope of the User’s work and/or studies;
   • misusing, disclosing, or altering staff/student personal information, (unless with regard to alteration ONLY) the user's job description specifically requires them to update the personal data of others);
   • deliberate pointing or hyper-linking of the University Websites to other internet sites, domain names or IP addresses whose content may be inconsistent with or in violation of the aims or policies of the University; and/or
   • use, transmission, duplication, or voluntary receipt of material that infringes on the copyrights, trademarks, trade secrets, or patent rights of any person or organisation. Users should assume that all materials on the Internet are subject to copyright and/or patented unless specific notices state otherwise.
7. Users must not place any University materials (examples: internal documentation, policies, course literature etc.) on any mailing list, public news group, or such service, unless such sharing of materials meets the legitimate business needs of the University.

E-mail Use

1. The e-mail System is installed as a method of communication for the University. If you are a member of staff whose day to day work normally involves the use of the University's email, on working days, you should wherever possible ensure you access your e-mails at least once per day; stay in touch by remote access when travelling; use an out of office response when away from the office for more than a day; and endeavour to respond to e-mails marked “high priority” as soon as practicable.
2. All e-mail communications may be monitored and subject to random compliance checks at any time as defined below.
3. This Policy should not be exploited for personal use. If you are a staff User, you should keep personal use to a minimum and ensure that such use does not interfere with the proper performance of your duties.
4. The University e-mail System should only be used by members of staff to conduct the University’s business and by students for correspondence that does not infringe this Policy. Wherever possible, staff or students should use their own personal email accounts held out with of the University to conduct correspondence on personal matters that do not relate to their work, study or well-being at the University.
5. Personal mail accounts must not be used by members of staff to conduct the University’s business. In addition, members of staff and other Users must not:
   • use a University e-mail account to send or receive large/multiple personal attachments including screensavers, games, pictures, executable files, video images and/or presentations from your University or personal e-mail account unless the receipt/sending of such materials relates directly to the University's legitimate business activities;
   • use a University e-mail account to create, send or receive screensavers, chain letters or notes, junk mail or for-profit messages;
   • use a University email account for automated and/or unsolicited bulk emailing. Users with legitimate bulk mailing requirements may request access to a separate bulk mailing facility through the University ServiceDesk
   • forward University email messages to a personal email account whether by an auto forward rule or through a manual process
6. E-mail encryption facilities are available [for appropriate business and/or learning uses] to ensure the confidentiality and integrity of messages sent between the University and its Users and/or third parties. Requests should be directed to the ServiceDesk.
7. As with written correspondence, e-mail communications can give rise to binding obligations and expose the University to liability in the same way as conventional correspondence.
8. Users should not write anything in an electronic communication that could jeopardise the integrity or reputation of the University, or which the User cannot or would not be prepared to justify. Always consider whether e-mail is the appropriate medium for a particular communication. For example, confidential or sensitive personal information should not be sent within the main text of an e-mail but should be sent in the form of either a password protected file, encrypted attachment or as a separate letter.
9. Users must not use the electronic communications systems to write, store, send, forward or otherwise transmit any material in any of the following categories, without prior approval of their Line or Programme Managers. To do so may constitute gross misconduct and could result in summary dismissal in accordance with the University disciplinary procedures and/or termination of your studies or other relationship with the University. The (non-exhaustive) list of categories includes:
   • material which breaches any obligations of confidentiality you have to the University, or the University obligations of confidentiality to any third party or is in breach of the proprietary interest, trade mark, trade secret or copyright of others;
   • defamatory material;
   • abusive, offensive, vulgar, sexually explicit or obscene material (including any type of pornography);
   • any material which is untrue or malicious, whether about another student, a member of staff or someone else outside the University;
   • information promoting terrorism or cults;
   • any material that could constitute bullying or harassment (such as on the grounds of sex, including sexual orientation, race or disability); and/or
   • any material that could be otherwise considered illegal, or perceived as falling into one of the above categories.
   • material which could breach of any legal duty owed to a third party such as obligations of confidentiality and contractual duties
   • material giving the impression that comments/contributions are on behalf of the University if this is not the case
   • any racist or sexist material;
   • any material that could incite violence or hatred
10. If a recipient properly asks you to stop sending messages (whether of a personal nature or otherwise), you should always stop immediately.
11. Users should not send abusive, obscene, discriminatory, racist, harassing, derogatory or defamatory e-mails. Anyone who feels that they have been harassed or bullied, or are offended by material received from another User via e-mail should inform the ServiceDesk
12. Users should assume that e-mail messages may be read by others and not include anything which would offend or embarrass the University, any other reader, or themselves, if it found its way into the public domain.
13. Users should not:
    • contribute to System congestion by sending trivial messages or unnecessarily copying or forwarding e-mails to those who do not have a real need to receive them;
    • sell or advertise using the University's communication systems or broadcast messages about lost property, sponsorship or charitable appeals or other non-University business matters without prior permission from the ServiceDesk;
    • agree to terms, enter into contractual commitments or make representations by e-mail on behalf of the University unless appropriate authority has been obtained. A name typed at the end of an e-mail is a signature in the same way as a name written at the end of a letter;
    • download or e-mail text, music and other content from the Internet subject to copyright protection, unless it is clear that the owner of such works allows this;
    • send messages from another User’s computer or under an assumed name.

Privacy of e-mail communications is not guaranteed

1. Users should be aware that even if a message is deleted from the University’s e-mail system, it will still be retained by the University either on backups of all data or in other ways. Users should also be aware that e-mail messages may be read by persons other than the intended recipient, including University’s employees or outsiders, under certain circumstances.
2. Like hard copy documents, once a User distributes an e-mail message, even if only to an individual recipient, that User (and the University) may not have the ability to control the subsequent distribution, review or retention of that message thereafter.
3. Users that receive a wrongly-delivered e-mail should return it to the sender. If the e-mail contains confidential information or inappropriate material (as described above) it should not be disclosed or used in any way and should be reported to the ServiceDesk
4. Confidential information, whether of a personal or commercial nature, should only be shared with colleagues where necessary and only with those who are entitled to see it in their own right. Sharing confidential information outside of the organisation may require a data sharing agreement and be subject to additional controls. Further guidance on acceptable methods to share confidential information can be obtained from the Data Protection Officer and the ServiceDesk

Retention of e-mail messages

1. Retention of messages should be in line with the University’s data retention policy. Advice is available from the Data Protection Officer and ServiceDesk.
2. On a regular basis the University will conduct maintenance to review e-mail file storage.

Information disposal

1. Information should only be retained for the period it is required. Personally identifiable information must only be retained in line with the University’s Data Protection Policy and ideally should only be stored within management systems. Other data should be reviewed and deleted when it is no longer required to avoid the build of stale data on the University’s systems

Viruses

1. All e-mails passing through the University Systems are monitored for viruses. However, you should exercise caution when opening e-mails from unknown external sources or where, for whatever reason, an e-mail appears suspicious. The ServiceDesk should be consulted if you are uncertain regarding the validity of an email and be immediately informed if a suspected virus is received. The University reserves the right to block access to attachments to e-mails for the purpose of effective use of the Systems and to ensure compliance with this Policy. Certain types of attachment are considered to be high risk, and the range of blocked attachment types is periodically reviewed.
2. Users should be wary of incoming emails from an unknown source. Unsolicited emails from unknown sources should be discarded before opening or referred to the ServiceDesk. Links from emails should not be followed / used unless the email is from a known reliable sender.

Homeworking

1. It is the responsibility of the member of staff to ensure that their line manager is in agreement with the amount of time they designate as working from home.
2. When using computer systems to complete work they must abide by the University’s Data Protection Policy and Information Security Policy to ensure that information is handled in an appropriate and safe manner. This applies when working away from the office whether that be at home, whilst working at another location, at home or abroad, or working whilst traveling
3. It is the responsibility of the employee to ensure that any personal device they are using has an operating system that is still supported by the vendor and has been patched up to date. The ServiceDesk can provide guidance however, it is not their responsibility for updating personal devices or managing their update processes.
4. Any personal device that is used to access a University system must have an up to date end point security solution and again the ServiceDesk can provide guidance on suitable products. However, the University will not install corporate software on any personal device for the purpose of providing end point security.
5. If a colleague is unsure of the security of a personal device it should not be used to access or work on University data.
6. Any personal device may be remotely wiped if it is believed that it has been lost or stolen or if there is concern about a potential compromise. The wiping of the device may remove personal information so users should regularly backup all personal data stored on their mobile device.
7. Whilst working away from the office a member of staff should, wherever possible, only access data using the virtual desktop infrastructure which provides a remote desktop with standard applications installed and ensures the University’s data does not effectively leave the confines of the computer system infrastructure.
8. No personally identifiable information or commercially sensitive data should be stored or processed on a non-University provided device.
9. Any mobile device used for distance working must be managed to minimise the risk of data loss.

Portable computing equipment and mobile devices

1. All portable computing equipment, whether laptop, external hard drive, tablet, phone or any other item that can hold data is the responsibility of the person that it is issued to.
2. If the item is to be reassigned it must first be returned to the Service Desk to be checked, updated and then re-issued. If the equipment is to be shared then one person will be expected to take responsibility for the item and record who is currently using it.
3. Laptops, external hard drives/pen drives must have their storage encrypted by the Service Desk before they are issued. Tablets and phones should have a minimum of a PIN code to prevent access.
4. Appropriate steps will be taken to ensure that University information on or accessible from the Mobile Device is secured, including remote wiping of the Mobile Device. The remote wipe will destroy all University data on the Mobile Device. Although it is not intended to wipe other data that is personal in nature, it may not be possible in all circumstances to distinguish such information from University data. Users should, therefore, regularly backup all personal data stored on the Mobile Device.
5. The Information Services Department will periodically expect portable computing equipment to be bought to the Service Desk for updates and checking and this request must be responded to in a timely fashion

Equipment security

1. It is the responsibility of the member of staff, or student, to ensure the physical security of University provided computing equipment. This applies equally on campus as it does with items taken away from the site.
2. Offices should be locked when not occupied and mobile equipment should not be left unsecured.
3. When travelling with laptops, tablets or phones you must ensure they are secured when not in use and be aware of their location at all times.
4. Equipment should not be left unattended in public places or on public transport. If you are taking them in a vehicle they should be out of sight and if you need to leave them in a vehicle they should be locked away in the boot.
5. Computing equipment must not be left in a vehicle overnight.
6. All University computer equipment will be asset tagged and relevant identification details recorded on the Service Desk system. Items will also be security marked, and labelled, with Smartwater forensic detection liquid

Equipment disposal

1. All computer equipment must be returned to the Service Desk for disposal.
2. The University does not allow disposal through any other channels as it has a responsibility under the WEEE initiative to dispose of equipment in a regulated fashion.
3. All end of life computer equipment is collected by an external contractor who will provide disposal records.
4. Any system which has a disk drive installed must, as a minimum, have the data area wiped using the HMG IS 5 Enhanced standard

Monitoring

1. The University reserves the right for business reasons and in order to carry out any legal obligations in our role as an employer and learning institution, to monitor, review, record and check the use of all information systems, including Internet and e-mail use, from all computers and devices connected to the University network.
2. The University may exercise this right in order to establish facts relevant to the University’s business and teaching activities and:
   • to comply with regulatory practices or procedures;
   • to prevent or detect crime;
   • to ensure compliance with the University policies, including this Policy;
   • to investigate or detect unauthorised uses of the Systems or to ensure the effective operation of the Systems (e.g. to check if viruses are being transmitted);
   • to meet contractual obligations for disclosure of information; and/or
   • for business reasons, this may include gathering information about how often information contained on our IT systems is used and by whom in order to help us develop our strategy and to ensure resources are focused on the correct areas and identify unauthorised usage.
3. In these circumstances, individuals do not have a right to privacy when using the University Systems or in relation to any communication generated, received or stored on the University systems.
4. Access to monitoring applications is strictly controlled. IS Service Managers may access all monitoring reports and data if necessary to respond to a security incident.
5. The University’s systems enable us to monitor and access e-mail communications. For legitimate business reasons, and in order to carry out legal obligations in our role as a University (and as an employer), use of the University’s Systems including the computer systems, and any personal use of them, may be continually monitored by the University. Monitoring and accessing of e-mail accounts is only carried out to the extent legally required or lawfully permitted or as required as necessary and justifiable for business purposes.
6. The University reserves the right to monitor e-mails (including personal e-mails), retrieve the contents of and access mailboxes and private directories (and/or check associated Internet use) without further notifying the individual User concerned, where reasonably necessary for the following purposes (this list is not exhaustive):
   • where the University has a business (including learning/pastoral) need to access your mailbox. For example, if a staff User is absent from the office and a supervisor has reason to believe that information required for the day’s business is located in that individual’s mailbox. Suitable arrangements need to be made to cover staff absence to avoid such access being required wherever possible;
   • to monitor whether the use of the Systems is legitimate and in accordance with this Policy;
   • to find lost messages or to retrieve messages lost due to computer failure;
   • to assist in the investigation of suspected or actual wrongful acts; or
   • to comply with any legal obligation, such as requests for personal information, litigation or regulatory enquiry or investigations and for the University to be able to obtain legal advice and/or to bring or defend legal proceedings.
7. E-mail filters have been put in place to monitor e-mail messages for viruses, spam, data loss prevention and general compliance with this Policy.
8. The University reserves the right to monitor Internet and e-mail traffic data (including domain names of websites visited, duration of visits, details of any blocked sites visited, and details of files downloaded from the Internet) at a network level (but covering both personal and business use) in accordance with this Policy. Each User of the Systems must be aware that the effect of such monitoring or e-mail access may be to reveal certain personal data (including sensitive personal data) about that User as an identifiable individual. For example, a visit to a website relating to a political party or a religious group may indicate your political or religious beliefs. E-mail monitoring or access for business purposes may also identify the presence of personal e-mails containing sensitive personal data. By accessing websites of this type using the University IT systems, each User is providing consent to the University processing any sensitive personal data that may be revealed by monitoring or access for business purposes as described. Monitoring is carried out automatically and access to any recorded information is limited to a small number of IS staff and then under a strict set of guidelines
9. If in doubt, and you wish to preserve your personal privacy, do not use the University IT systems to access any such websites or send/receive personal e-mails.

Consequences of violation of policy

1. 15.1 Violations of this Policy will be documented and can lead to revocation of System privileges and/or disciplinary action up to and including termination of employment and/or termination of studies or other relationship with the University.
2. 15.2 Additionally, the University may at its discretion seek legal remedies for damages incurred as a result of any violation. The University may also be required by law to report certain illegal activities to the proper enforcement agencies.

Liability

1. Reasonable endeavours are made by the University to:
• ensure that the systems are available as scheduled, and function correctly. No liability can be accepted by the University for any inability to use our systems, any reliance placed on any content displayed on University sites, or any loss of data or delay as a result of any System malfunction or failure.
• ensure the integrity and security of information held on the System or in computer media. No liability can be accepted by the University as a result of data being lost or corrupted for any reason or if it is inappropriately accessed.

Authority

1. The IS Service Delivery Manager may immediately suspend access to System(s) by any person suspected of contravening any conditions applied to the use of the university system. After enquiries, the IS Service Delivery Manager may, at their discretion, either continue the suspension or reinstate access:
   • in the case of students, after consultation with the appropriate academic colleague,
   • in the case of staff, after consultation with the line manager,
   • in the case of contractors, agents, fellows or alumni, after consultation with the nominating sponsor.

Points of contact

If you need assistance regarding this policy, or associated policies, please initially contact the Service Desk