Policy Introduction and Purpose

This Investigation of Computer Use Policy is a sub-policy of the University’s Information Security Policy (IS01).

It sets out the circumstances in which it is permissible for the University to access the IT accounts, communications and other data of its members.

The University respects the privacy and academic freedom of its staff and students and recognises that investigating the use of IT maybe perceived as an invasion of privacy. However, the University may carry out lawful monitoring of its IT systems when there is sufficient justification to do so and when the monitoring has been authorised at an appropriately senior level.

Scope and Definitions

This Policy applies to everyone who has a contractual relationship with the University including all employees (both full-time and part-time across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes visiting professors, consultants/ self-employed carrying out roles which if carried out by an employee would require disclosure. For purposes of this Policy we will refer to everyone covered as “staff”.

A glossary of the terms used throughout the Policy can be found in Document IM03 – Glossary of Terms for Information Management.

This policy sits within the Information Management Policy Framework and should be read in conjunction with the over-arching policies IM01 – Information Management Policy of Policies and IM02 – Information Management Training Policy.

Responsibilities

Policy Responsibilities

The CITO has the accountability to ensure that this policy is implemented, monitored and reviewed regularly.

Operational Responsibilities

Principles of the Policy

Instigating this Policy

Staff, students and other members should be aware that the University may access records of use of email, telephone and other electronic communications, whether stored or in transit. This is in order to comply with the law and applicable regulations, to ensure appropriate use of the University’s IT systems and to ensure compliance with other University policies.

The University's approach to access and monitoring will comply with UK legislation including the Regulation of Investigatory Powers Act 2000 (RIPA), the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBP), the Human Rights Act 1998 (HRA) and the Data Protection Act 2018 (DPA).

Decisions to access the IT accounts, communications or other data of members will not be taken by IT Services nor any member of the department of the individual to be investigated in order to ensure that such requests are free of bias and are not malicious.

Decisions to undertake such investigations will therefore be made at an appropriately senior level by the Chief Information and Transformation Officer (CITO), University Registrar or Vice Chancellor who will also determine the scale of the work to be undertaken.

The University’s Power to Access Communications

Authorised University staff may access files and communications, including electronic mail files, stored on any IT facilities owned, managed or provided by the University and may examine the content of these files and any relevant traffic data.

The University may access files and communications for the following reasons:

• to ensure the operational effectiveness of its services (for example, the University may take measures to protect its systems from viruses and other threats)
• to establish the existence of facts relevant to the business of the institution (for example, where a case of suspected plagiarism is being investigated and there is sufficient evidence, the contents of an individual's communications and/or files may be examined without their consent with the authority of an authorised person)
• to investigate or detect unauthorised use of its systems
• to ascertain compliance with regulatory or self-regulatory practices or procedures relevant to the University's business
• to monitor whether or not communications are relevant to the business of the University
• to comply with information requests made under the Data Protection Act or Freedom of Information Act (individuals would in normal circumstances be notified).

The Powers of Law Enforcement Authorities to Access Communications

A number of other non-University bodies and persons may be allowed access to user communications under certain circumstances. Where the University is compelled to provide access to communications by virtue of a Court Order or other competent authority, the University will disclose information to these non-institutional bodies/persons when required as allowed under the Data Protection Act 1998.

Under the Regulation of Investigatory Powers Act 2000 a warrant may be obtained by a number of law enforcement bodies regarding issues of national security, the prevention and detection of serious crime or the safeguarding of the economic wellbeing of the UK. In these cases, the University will comply with the warrant.

If any member of staff is requested to disclose information by a third party of law enforcement authority, guidance should be taken from the CITO immediately – before disclosure is granted – unless the CITO, Registrar or Vice Chancellor or their designates have already provided explicit consent for disclosure.

Other Third Parties

The University makes use of third parties in delivering some of its IT services. These third parties may intercept communications for the purpose of ensuring the security and effective operation of their service (for example, a third party which provides email services to the University may scan incoming and outgoing email for viruses and spam).

Covert Monitoring

Covert monitoring of computer use will only be authorised in exceptional circumstances where there is reason to suspect criminal activity or a serious breach of University regulations and where notification of the monitoring would be likely to prejudice the prevention or detection of that activity.

The period and scope of the monitoring will be as narrow as possible to be able to investigate the alleged offence and the monitoring will cease as soon as the investigation is complete. Only information gathered in relation to the alleged offence will be retained.

This information will only be viewed by those for whom access is strictly necessary, for example in relation to potential disciplinary proceedings.

Procedure

Requests for investigation under this policy may be made by any member of staff or student, although typically the request will come from a head of department, school or division.

Occasionally requests are made from outside of the University, for example by the police. The request should be made to the University CITO and should include the following information:

1. the name and department of the student or staff member whose computer or computing activity you wish to be investigated
2. the reasons for the request
3. where computer misuse is alleged, the evidence on which this is based
4. the nature of the information sought
5. any other relevant information, for example, that the request relates to ongoing disciplinary or grievance procedure.

In order to monitor the number and type of requests made, the CITO will keep a record of the requests that have been made and those which were acceded to.

Exemptions

‘Exemption requests’ under this policy must be submitted to the CITO or their designate. Exemptions to this policy may only be granted by the CITO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.

This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case by case basis.

Compliance Monitoring

Compliance to this policy will be monitored on an ongoing basis. The compliance focus will be on:

• Requests made for an investigation to be initiated
• Requests granted and requests denied – including any reasons provided for the decision
• If action granted the scale and scope of the measures granted
• The outcome from any actions taken, and appropriate review and recommendations of the Information Management Policy Framework to stop repeat offences.

Compliance performance will be reported monthly by the Information Asset Owners to the University Information Management Committee.

A failure to comply with this policy will be deemed to be a disciplinary offence and may lead to proceedings being taken through the University Disciplinary Process.