Acceptable use of IT systems

Policy statement

This control procedure defines the University’s approach to acceptable use of its IT systems and infrastructure, and directly supports the following policy statement from the Information Security Policy: “The University’s security policies and expectations for acceptable use will be communicated to all users to ensure that they understand their responsibilities. Information security education and training will be made available to all staff, and poor and inappropriate behaviour will be addressed.”

Audience

This procedure is intended to be read and understood by all users accessing University information, IT systems, networks or software using any University or personally owned device. This includes social media and communication platforms, e.g. WhatsApp, Facebook, Facebook Messenger, Microsoft Teams etc.

Control statements

There are other University policies which will apply when you access University systems, including the University’s Data Protection Policy, and users should complete the University’s mandatory information governance training.

Applicable laws and regulations

Users are bound by the laws of England and Wales when using the University’s IT resources. In addition, when using University devices or accessing the University’s network from abroad, users must adhere to the laws of that country too.

  • It is the user’s responsibility to ensure his or her activities comply with these laws.
  • The use of University IT resources is subject to all relevant university regulations.
  • When making use of the internet, the acceptable use policies of the carriers apply, in particular, the Joint Academic Network (JANET). (See the JANET Acceptable Use Policy)
  • The University has a statutory duty, under the Counter Terrorism and Security Act 2015, to aid the process of preventing people being drawn into terrorism.
  • Any information you create or store on University systems may be released under an information access request in line with (but not limited to) Data Protection and Freedom of Information.

Acceptable use

Acceptable use is defined as any use that supports the University’s teaching, learning, research, consultancy and administrative activities, and does not meet the definition of prohibited use.

Prohibited use

Prohibited use includes but is not limited to activity that:

  • contravenes any laws, University policies or regulations;
  • involves the creation, downloading, storage or transmission of material that is indecent, offensive, defamatory, threatening or discriminatory in nature. This includes pornography, hate speech, violence and promotion of terrorism;
  • has the potential to create an environment that is offensive or threatening, or that may constitute harassment;
  • involves threatening, abusive, obscene messages including those that may cause harm, offence or needless annoyance;
  • harms the University’s reputation or that of its staff and/or students;
  • commits the University to any contractual obligations without obtaining the appropriate authority;
  • imitates or impersonates another person or their email address to create false accounts, send spam email or conduct any other activities unknown to the individual;
  • is undertaken for unauthorised, personal commercial gain;
  • otherwise acts against the aims and purposes of the University as specified in its governing documents or in rules, regulations and procedures adopted from time to time.

Specifically, users are prohibited from:

  • uninstalling and/or reconfiguring anti-malware, updates, logging or other protective services on University devices;
  • intentionally or recklessly introducing to their device or University services or systems any form of spyware, computer virus or other potentially malicious software;
  • sharing log-in credentials with another user;
  • using personal email accounts instead of a University staff email account to conduct University business, or automatically forwarding emails from a staff email account to a personal account;
  • linking personal accounts to University-managed clients, for example, attempting to use Outlook to automatically access a personal email account; 
  • introducing data interception, password-detecting or similar software or devices to the University’s network;
  • seeking to gain unauthorised access to restricted areas of the University’s network;
  • accessing or trying to access data where the user knows or ought to know that they should have no access;
  • introducing new equipment to the wired University network that has not been approved by IT&Digital.

Exceptions

Occasionally, use of University IT systems is required for University-related activities, such as security-sensitive research, that may otherwise meet the definition of prohibited use. In this case, prior, explicit approval through the University’s official processes for dealing with academic, ethical issues is required. Please contact the Information Security team for further information.

Personal use of University IT systems

The University recognises that users may make personal use of University systems, including email and the Internet. Personal use should be reasonable and not excessive, ensuring that it does not interfere with IT resources, business requirements or any other University or legislative requirement.

It is not recommended that users store or share their own sensitive data for personal use on University systems as the University cannot guarantee the confidentiality, integrity or availability of this information.

The University reserves the right to withdraw access to IT resources for personal use at any time and may remove or modify information (including personal data) held on its IT resources.

Logging and access

The University may log all forms of IT use. Monitoring systems are necessary for administrators to identify and investigate technical or security-related problems, and also provide an audit log in the event of misconduct or criminal investigations.

The University also reserves the right to inspect any items of computer equipment connected to the network. Any IT equipment connected to the University’s network will be removed if it is deemed to be breaching University policy or otherwise interfering with the operation of the network.

The University may need to access or suspend any user’s account for business purposes. Action will only be taken where it has been authorised by a suitable HR representative, or where the Information Security team have identified an immediate threat to University information.

The University’s exit procedures

Upon leaving the University it is expected that users:

  • return all University IT equipment in reasonable working condition
  • do not delete any data which belongs to the University and which the University may need in future
  • ensure any data held in a personal area (OneDrive or Outlook, for example) which may be needed by the University is transferred to an appropriate shared area prior to their departure
  • ensure any of their own data that they wish to keep is removed from the University’s systems, as they will not be entitled to access this (and the University will not retrieve it for them) once they leave
  • review and conform to any other procedures set out by the University in relation to their departure (line managers and student support services are best placed to advise on this)

Compliance

Failure to comply with this procedure could result in action in line with the University’s disciplinary procedure or performance improvement procedure. 

Any prohibited use which is deemed to be in contravention of the law and/or which involves the intentional access, creation, storage or transmission of material which may be considered indecent or obscene will be regarded as an act of gross misconduct on the part of staff. This would also qualify as an act for which students may be expelled under the student disciplinary procedure.

Compliance checks will be undertaken by the University’s information governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Security Board.

Related documents

This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System, as well as the University’s Dignity at Work policy (under review) and soon-to-be-published social media policy. These two latter policies relate to this control procedure in terms of the professional conduct and behaviours of staff when representing or undertaking any University activities, including the use of communications platforms.

Browse Information Security policies and control procedures

Review

A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board.

  • Version: 7.5
  • Release date: 13/12/2023
  • Review date: 13/11/2024