Policy Introduction and Purpose

This Acceptable use policy is a sub-policy of the Information Security Policy (IS01).

It sets out the responsibilities and required behaviour of users of the University’s information systems, networks and computers.

Scope and Definitions

This Policy applies to everyone who has a contractual relationship with the University including all employees (both full-time and part-time across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes students, visiting professors, consultants/self-employed carrying out roles which if carried out by an employee would require disclosure.

A glossary of the terms used throughout the Policy can be found in Document IM03 – Glossary of Terms for Information Management.

This policy sits within the Information Management Policy Framework and should be read in conjunction with the over-arching policies IM01 – Information Management Policy of Policies and IM02 – Information Management Training Policy.

Responsibilities

Policy Responsibilities

The CITO has the accountability to ensure that this policy is implemented, monitored and reviewed regularly.

Operational Responsibilities

Principles of the Policy

User Identification and Authentication

Each user will be assigned a unique identifier (UserID) for their individual use. This UserID may not be used by anyone other than the individual to whom it has been issued.

Each member will be assigned an associated account password which must not be divulged to anyone, including IT services staff – for any reason

The University UserID and password must not be used as the ID or password for any other service, other than University authorised systems.

Users are expected to remember their password and should not make a physical record of it. If there is a suspicion that their password has been compromised it must be changed immediately and the help desk must be notified.

Each member will be assigned a unique email address for their individual use and some members may also be given authorisation to use one or more generic (role based) email addresses (such as resource accounts). Users must not use the University email address assigned to anyone else without their explicit permission.

Email addresses are University owned assets and any use of these email addresses is subject to University policies.

Personal use of facilities

University information and communication facilities, including email addresses and computers, are provided for academic, teaching and administrative purposes related to work or study at the University. Very occasional personal use is permitted but only so long as:

• It does not interfere with the members of staff’s work
• It does not contravene any University policies
• It is not excessive in its use of resources

University facilities should not be used for the storage of data unrelated to the effective operation of the University (study, teaching, researching, provision of services etc.). In particular, University facilities should not be used to store copies of personal photographs, music collections or personal emails. The University will accept no responsibility for the loss of such personal assets in any circumstances.

Members should not use a personal (non-university provided) email account to conduct university business and should maintain a separate, personal email account for personal email correspondence.

All use of University Information and communication facilities, including any personal use is subject to University policies, including the Investigation of Computer Use Policy (IS12).

Connecting Devices to the University Networks

In order to reduce risks of malware infection and propagation, risks of network disruption and to ensure compliance with the JANET Acceptable Use and Security Policies, it is not permitted to connect personally owned equipment to any network socket which has not been provided specifically for the purpose.

It is permissible to connect managed personally owned equipment (such as laptops and tablets) to the University wireless networks.

To further reduce risks of data loss users should not connect any peripheral device which is capable of storing data (for example, a USB stick) to any equipment used to process University data, irrespective of where the equipment is located.

Only University-owned peripheral devices, which allow for appropriate encryption and virus protection, may be connected to University owned equipment.

Any device connected to a University network must be managed effectively. Devices which are not, and therefore may be deemed a threat, will be physically or logically disconnected from the network without notice.

Use of Technology Services provided by Third Parties

Wherever possible, members should only use technology services (such as cloud providers) provided or endorsed by the University for conducting University business. The University recognises, however, that there are occasions when it is unable to meet the legitimate requirements of its members and that in these circumstances it may be permissible to use services provided by other third parties.

Users must ensure that use of third-party providers is compliant with the University’s Information Handling Policy (IS04).

Unattended Equipment

Computers and other equipment used to access University facilities must not be left unattended and unlocked if logged in. Members must ensure that information marked ‘protected’ or ‘restricted’ is not left on display on any computer when it is left unattended.

Users must ensure that their computer and devices are locked before being left unattended. To support compliance University-owned devices will (where possible) auto-lock after five minutes of no use.

Particular care should be taken to ensure the physical security of devices used to process University data when in transit. Please see Mobile & Remote Working Policy (IS10) for more details.

Unacceptable Use

The following are considered to be unacceptable uses of University facilities. These restrictions are consistent with the JANET acceptable use policy (by which the University is bound) and the law.

• Any illegal activity or activity which breaches any University policy (see the Information Security Policy – IS01).
• Any attempt to undermine the security of the University’s facilities.
• Providing access to facilities or information to those who are not entitled to access.
• Any irresponsible or reckless handling of University data (see the Information Handling Policy – IS04).
• Any use of University facilities to intentionally bully, harass, intimidate or otherwise cause alarm or distress to others.
• Sending unsolicited and unauthorised bulk email (spam).
• Creating, storing or transmitting any material which infringes copyright.
• Creating, storing or transmitting defamatory or obscene material. (In the unlikely event that there is a genuine academic need to access obscene material, the University must be made aware of this in advance and prior permission to access must be obtained from the CITO.)
• Creating, accessing, storing, relaying or transmitting any material which promotes terrorism or violent extremism, or which seeks to radicalise individuals to such causes. (In the event that there is a genuine academic need to access such material, the University must be made aware of this in advance and prior permission to access must be obtained from the CITO.)
• Using software which is only licensed for limited purposes for any other purpose or otherwise breaching software licensing agreements.
• Failing to comply with a request from an authorised person to desist from any activity which has been deemed detrimental to the operation of the University’s facilities.
• Failing to report any breach, or suspected breach of information security to the CITO.
• Failing to comply with a request from an authorised person for you to change your password.

Penalties for misuse

Breaches of policy will be dealt with through the UIMEC escalation process (as indicated below in Compliance Monitoring).

Where appropriate, breaches of the law will be reported to the police. Where the breach has occurred in a jurisdiction outside the UK, the breach may be reported to the relevant authorities within that jurisdiction.

Network and IT Systems Monitoring

The University (through appropriately authorised measures), will carry out relevant monitoring and/or logging in to ensure the integrity and security of the University network and associated devices. Details of the University policy on monitoring is contained within the Investigation of Computer Use Policy (IS12).

Exemptions

‘Exemption requests’ under this policy must be submitted to the CITO or their designate. Exemptions to this policy may only be granted by the CITO or their designate. Activities that have received prior approval by the Research Governance and Ethics Committee will be exempt, but the CITO must be notified.

This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case by case basis.

Compliance Monitoring

Compliance to this policy will be monitored on an ongoing basis. The compliance focus will be on:

• Breaches of this policy
• Specific requests to create, store or transmit:

(a) defamatory or obscene material by a user

(b) any material which promotes terrorism or violent extremism, or which seeks to radicalise individuals to such causes.

• Exemption requests and granting of exemptions

Compliance performance will be reported monthly by the Information Asset Owners to the University Information Management Committee.

A failure to comply with this policy will be deemed to be a disciplinary offence and may lead to proceedings being taken through the University Disciplinary Process.