IT Acceptable Use Policy

Applicable Laws and Regulations

All users are bound by the laws of England and Wales when using the University’s IT resources, including WiFi. In addition, when using University devices or accessing the University’s network from abroad, users must also adhere to the laws of that country.

It is the user’s responsibility to ensure his or her activities comply with these laws.

• The use of University IT resources is subject to all relevant University regulations.
• When making use of the internet, the acceptable use policies of the carriers apply, in particular, the Joint Academic Network (JANET);
• The University has a statutory duty, under the Counter Terrorism and Security Act 2015, to aid the process of preventing people from being drawn into terrorism;
• Any information you create or store on University systems may be released under an information access request in line with (but not limited to) Data Protection and Freedom of Information.

Acceptable Use

Acceptable use is defined as any use that supports the University’s teaching, learning, research, consultancy and administrative activities, and does not meet the definition of Prohibited Use.

Prohibited Use

Prohibited use includes but is not limited to activity that:

• contravenes any laws, University policies or regulations;
• involves the creation, downloading, storage or transmission of material that is indecent, offensive, defamatory, threatening or discriminatory in nature. This includes pornography, hate speech, violence and promotion of terrorism;
• has the potential to create an environment that is offensive or threatening, or that may constitute harassment;
• involves threatening, abusive, obscene messages including those that may cause harm, offence or needless annoyance;
• harms the University’s reputation or that of its staff and/or students;
• commits the University to any contractual obligations without obtaining the appropriate authority;
• imitates or impersonates another person or their email address to create false accounts, send spam email or conduct any other activities unknown to the individual;
• is undertaken for unauthorised, personal commercial gain;
• otherwise acts against the aims and purposes of the University as specified in its governing documents or in rules, regulations and procedures adopted from time to time.

Specifically, users are prohibited from:

• uninstalling and/or reconfiguring anti-malware, updates, logging or other protective services (including but not limited to MFA) on University devices or services;
• intentionally or recklessly introducing to their device or University systems any form of spyware, computer virus or other potentially malicious software;
• sharing log-in credentials with another user;
• using personal email accounts instead of a University staff email account to conduct University business, or automatically forwarding emails from a staff email account to a personal account;
• introducing data-interception, password-detecting or similar software or devices to the University’s network;
• seeking to gain unauthorised access to restricted areas of the University’s network;
• accessing or trying to access data where the user knows or ought to know that they should have no access;
• the use of any unsupported remote access tools (including Teamviewer, LogMeIn), method or system in order to gain access to a device on the University's network is expressly forbidden;

Exceptions

Occasionally use of University IT systems is required for University‐related activities such as security sensitive research that may otherwise meet the definition of prohibited use. In this case prior, explicit approval through the University’s official processes for dealing with academic, ethical issues is required. Please contact the Information Services team for further information.

Personal Use of University IT Systems

The University recognise that users may make personal use of University systems, including email and the Internet. Personal use should be reasonable and not excessive, ensuring that it does not interfere with IT resources, business requirements or any other University or legislative requirement.

It is not recommended that users store or share their own sensitive data for personal use on University systems as the University cannot guarantee the confidentiality, integrity or availability of this information.

The University reserves the right to withdraw access to IT resources for personal use at any time and may remove or modify information (including personal data) held on its IT resources.

Logging and Access

The University may log all forms of IT use. Monitoring systems is necessary for administrators to identify and investigate technical or security related problems, and also provides an audit log in the event of misconduct or criminal investigations.

The University also reserves the right to inspect any items of computer equipment connected to the network. Any IT equipment connected to the University’s network will be removed if it is deemed to be breaching University policy or otherwise interfering with the operation of the network.

The University may need to access or suspend any user’s account for business and learning purposes. Action will only be taken where it has been authorised by a suitable HR representative, or where the Information Security team have identified an immediate threat to University information.

The University's Exit Procedures

Upon leaving the University it is expected that users:

• return all University IT equipment in reasonable working condition;
• not delete any data which belongs to the University and which the University may need in future;
• should ensure any data held in a personal area (OneDrive or Outlook, for example) which may be needed by the University is transferred to an appropriate shared area prior to their departure;
• ensure any of their own data that they wish to keep is removed from the University’s systems, as they will not be entitled to access this (and the University will not retrieve it for them) once they leave; the University has no obligation to retain such data which may be deleted by the University at any time after a user’s authorisation has ended;
• review and conform to any other procedures set out by the University in relation to your departure (line managers and student support services are best placed to advise on this)

Compliance

Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.

Any prohibited use which is deemed to be in contravention of the law and/or which involves the intentional access, creation, storage or transmission of material which may be considered indecent or obscene will be regarded as an act of gross misconduct on the part of staff which could result in       dismissal. This would also qualify as an act for which students may be expelled under the student disciplinary procedure.

Compliance checks will be undertaken by the University’s governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by Information Services.