IMP 09: Acceptable Use Policy

Information Classification - Public

Policy Introduction and Purpose

This policy sets out activities that are deemed to be acceptable and unacceptable use of the University’s information systems, networks, information assets, and devices (E.g. computers, phones etc.)

Scope and Definitions

The policy covers everyone who has a contractual (formal or informal/implied) relationship with the University, including employees, students, visiting academics, and consultants. Please note that this list is not exhaustive.  

For purposes of this Policy, we will refer to everyone covered as “members”.

This policy applies to all university information and IT assets that interface with, or are connected to, the university's systems or operations. An IT asset is defined as any item, entity or resource that contains information or forms part of a system that processes information, including hardware, software or digital resources.

Responsibilities

The Chief Information Security Officer (CISO) retains overall accountability for this policy and for ensuring the Policy meets legal and regulatory requirements; for keeping this Policy up to date; and for ensuring that controls, checks, and audits are carried out as part of compliance with this Policy.

Operational Responsibilities

Adherence to this policy and its supporting Standards and Standard Operating Procedures (SOPs) is achieved by following the policy principles and provisions. It is everyone’s responsibility to ensure that they follow this policy.

Role	Function
Designate of Head of Department (e.g. academic lead on research, individuals with delegated authority for information, system administrators)	Responsible – for overseeing compliance with the Policy within areas of responsibility
Head of Department	Accountable – for compliance with this policy within Departments
Information Risk and Compliance Team, Data Protection Officer(with escalation to CISO as required)	Consult – to discuss organisational level compliance with the Policy
IDG Digital Business Partners	Inform – must be informed of the content of the Policy to communicate it to their departments

Principles of the Policy

In addition to this policy users must abide by the terms of the JANET Network acceptable use policyLink opens in a new window.

User Identification, Passwords and Authentication

Each user will be assigned a unique identifier (Usercode) for their individual use. This User code may not be used by anyone other than the individual to whom it has been issued. Passwords must not be divulged to anyone, including IT staff, for any reason.

All accounts must be used in compliance with IMP 03: User Account Management PolicyLink opens in a new window.

University passwords must not be used for any other service, other than University authorised systems.

All accounts issued by the University, all IT systems operated by the University, all data relating to the operation of the University's functions or deemed to be owned by the University in Regulation 28Link opens in a new window, (including communications and documents) are the property of the University and may be accessed, managed, monitored, or have access withdrawn in line with University policy.
Personal data as defined in UK GDPR remains the property of the data subject.

Email Addresses

Each member will be assigned one or more unique email addresses for their individual use, and some members may also be given authorisation to use one or more generic (role based) email addresses (such as resource accounts). Users must not use the University email address assigned to anyone else without their explicit permission. 

Email addresses are University owned assets, and any use of these email addresses is subject to University policies. 

Personal use of facilities

University information and communication facilities, including email addresses and computing devices, are provided for academic, teaching, and administrative purposes related to work or study at the University. Very occasional personal use is permitted but only so long as:

It does not interfere with the staff members’ work
It does not contravene any University policies
It is not excessive in its use of resources e.g. excessive use of bandwidth or electricity, or the creation of additional costs and/or support burden for university staff.

Use of University information and IT assets for private work is restricted in accordance with FP10.

University facilities must not be used for the storage of data unrelated to the effective operation of the University (study, teaching, researching, provision of services etc.). In particular, University facilities must not be used to store copies of personal photographs, media collections or personal emails. The University will accept no responsibility for the loss of such personal assets in any circumstances.

Members must not use a personal (non-university provided) email account to conduct university business and should maintain a separate personal email account for personal email correspondence.

All use of University Information and communication facilities, including any personal use, is subject to University policy, including the IS12: Investigation of Computer Use Policy.Link opens in a new window

Use of University email addresses to sign up for personal services is not advised as it presents risks such as loss of access to those accounts, inability for the University to provide support for issues arising from said accounts, and elevated security risks associated with engaging with non work-related services. 

Connecting devices to University Networks

It is not permitted to connect personally owned equipment to any network port which has not been provided specifically for the purpose e.g. plugging devices into network ports intended for university owned devices.

Personally owned equipment (such as laptops and tablets) can be connected to the University wireless network provided they are compliant with all relevant policies.

To further reduce risks of data loss users must not connect any peripheral device which can store data (e.g. a USB stick) to any equipment used to process University data, irrespective of where the equipment is located, unless with prior authorisation from the Information Security Risk and Compliance team.

Only University owned smart or data bearing devices, which allow for appropriate encryption and virus protection, may be connected to University-owned equipment.

Any device connected to a University network must be managed effectively (e.g. regularly updated, and core security controls maintained and enabled). Devices which are not, and therefore may be deemed a threat, will be disconnected from the network without notice.

Use of Technology Provided by Third Parties

Only technology products and services provided by third parties that have been approved by the university via relevant procurement and approval processes may be used for university business.

Unattended Equipment

Computers and other equipment used to access University facilities must not be left unattended and unlocked if logged in (with the exception of devices which have been purposefully set up to be accessible such as kiosks and public display screens). Members must ensure that ‘general’, ‘confidential’ or ‘highly confidential’ information is not displayed on screens intended for public display IMST 01 Information Classification StandardLink opens in a new window

Particular care must be taken to ensure the physical security of devices used to process University data when in transit. Refer to: IMST 04 Secure Remote Working StandardLink opens in a new window

Unacceptable Use

The following are prohibited behaviours while using university information assets and digital services:

Any illegal activity or activity which breaches any University policy (see the IMP 01: Information Management Framework PolicyLink opens in a new window).

Any attempt to undermine the security of the University’s facilities.

Providing access to facilities or information to those who are not entitled to access.

Withholding or preventing access to information or systems to those authorised to access them. Or to those who require access to carry out University work as prescribed by their role.

Any handling of University data which presents unnecessary risk (see the IMST 03: Handling Information StandardLink opens in a new window).

Any use of University facilities or information to intentionally bully, harass, intimidate, or otherwise cause harm or distress to others.

Creating, accessing, storing or transmitting defamatory or obscene material or any material which promotes terrorism or violent extremism, or which seeks to radicalise individuals to such causes. Academic activity is exempt from this prohibition, provided said academic activity complies with Ordinance 11: Academic EmploymentLink opens in a new window, Reg. 29 Freedom of Speech CodeLink opens in a new window, and is subject to ethical review processes where stipulated in: Do I need ethical approval? | Research at WarwickLink opens in a new window.

Sending bulk email messages (commonly referred to as 'spam') without prior consent from recipients or authorisation from IDG, or teams to whom such authority has been delegated by IDG. This includes promotional or irrelevant messages sent to recipients who have not opted to receive them, regardless of the number of recipients.

Creating, storing or transmitting any material which infringes copyright.

Using software which is only licensed for limited purposes for any other purpose or otherwise breaching software licensing agreements.

Failing to comply with a request from an authorised person to desist from any activity which has been deemed detrimental to the operation of the University’s facilities.

Failing to comply with a request from an authorised person to implement changes to any IT assets (e.g. user accounts, systems, equipment etc.) where a risk to the operation of the university facilities has been identified.

Using University information, digital services or IT assets for any commercial enterprise or activity not expressly permitted by the University.

Failing to report any breach, or suspected breach of information securityLink opens in a new window.

Failing to report any breach, or suspected breach of personal data via university data incidents and breaches processLink opens in a new window.

Causing disruption to the operations of the University, its network (internal or external) or to any devices connected to it e.g. excessive use of bandwidth or electricity, crypto mining, or the creation of additional costs and/or support burden for university staff.

Use the University’s service for any activities that cause reputational damage to the University.

Any attempt to purposefully access (including downloading, sharing, altering, systems, data or any other asset that are not intended for you to access. Where any such assets are found, it is the responsibility of the individual who has discovered them to report the immediately via the data breach process.

Attempting to seek out security vulnerabilities or unintentionally accessible information, systems or other assets, unless instructed to do so by policy or with prior authorisation from the Information Security, Risk and Compliance team.

Any attempt to modify, damage, tamper or otherwise undermine the security or integrity of University IT assets. Including but not limited to University-issued laptops, phones, desktops etc. Please refer to the IT Asset Management Policy (currently in development).

Residents' Use of University Network

In addition to the rest of this policy, the following rules apply to those using the University network as residents. Residents may use the university network for personal use, provided it does not breach the following and you are responsible for all activity originating from any device using the network.

You Must:

Notify the Service Desk of any problems, faults, and breaches of policy relating to university information or digital services you detect or become aware of.
Run and regularly update your computer’s Anti-Malware software.
Maintain and run an appropriate firewall on all devices where available.
Abide by any other special conditions notified to you by IDG needed to ensure the continued operation of university services.
Ensure that the means of access to the network connection and personal equipment (i.e. passwords) are kept secure and are not disclosed to third parties.
Maintain all devices in line with the Secure Configuration Standard (currently under development).

You Must Not:

Connect hubs, network switches or wireless networking equipment.
Connect machines running server operating systems or services (e.g. DHCP, DNS, web servers) to the network.
Install or use any peer-to-peer filesharing applications on machines connected to the network.
Never disable, bypass, tamper with, or attempt to remove any security software or controls installed on university systems. These protections are essential for maintaining the integrity, confidentiality, and availability of institutional data and IT assets.

Failure to comply with these rules may result in you being disconnected from the network. Disconnection may also occur if it is believed that there is an imminent security risk.

Exceptions

Exception requestsLink opens in a new window under this policy must be submitted to the CISO or their designate. Authority to approve exception requests is delegated to the Information Risk and Compliance Team. Activities that have received prior approval by the Research Governance and Ethics Committee will be exempt, but the CISO must be notified.

This policy may have an impact on users of assistive technology or assistive software dependent on circumstances. These individual cases will be considered on a case-by-case basis.

Compliance Monitoring

All members of the University are expected to comply with this document as part of the Information Management Policy Framework (IMPF). Where breaches of the IMPF present a significant risk, including those falling under Regulation 23 (Student Disciplinary Offences Link opens in a new windowand Regulation 31 (Information Management, Security and Records Management)Link opens in a new window, they will be subject to the appropriate student or staff disciplinary procedure or applicable contractual terms for staff not employed directly by the University or contractors.

It is the responsibility of all members to report any instances of non-compliance to the Information Risk and Compliance Team. This can be done via the Self Service PortalLink opens in a new window. This team monitors adherence to the IMPF using reported data and other available tools.

Where issues require escalation or further review, they will be referred to the Information Security and Data Protection Committee via the Chief Information Security Officer (CISO) and include either Conduct and Resolution Team or Employee Relations Team, as appropriate.

Version Control

Version	Date Created	Date Published	Next review	Notes/outcomes
1.0	April 2026	11 May 2026	May 207	A new policy within the Information Management Policy Framework (IMPF)