Regulations for the Use of Information and Services

(Acceptable Use Regulations) University of Wales, Bangor

1 - Overview

1.1 These regulations are a statement of individual users’ responsibilities with respect to information and services. Authorised System Administrators are granted additional powers and are subject to additional regulation in order to maintain the University’s investment.

1.2 The University services are provided on condition that they are used for acceptable, authorised purposes only. The main purpose of the Acceptable Use Regulations (AUR) is to encourage responsible use of facilities; to maximise the availability of Information Technology (IT) resources (computing equipment, data, software, infrastructure and staff) for legitimate purposes; and to minimise exposure to misuse from inside or outside the University.

1.3 Use of the University services implies and is conditional upon acceptance of these AUR.

1.4 Failure to comply with this AUR could result in action under the University disciplinary procedures, withdrawal of privileges or withdrawal of access to IT resources.

2 - Acceptable Use

2.1 University IT resources are provided to facilitate staff and students’ education, training, administration or research objectives. Use for other purposes, such as personal electronic mail or recreational use of the World Wide Web (WWW) or Usenet News, is a withdrawable privilege not a right. Any such use must not interfere with the user’s duties or studies or any other person’s use of the computer systems and must not, in any way, bring the University into disrepute. Priority must always be granted to those needing facilities for official activities. Use may be further limited by individual departments. Use of University IT resources beyond the limits of this AUR must be agreed in advance with the Director of Information Services.

2.2 University IT resources shall be used in an approved, ethical and lawful manner to avoid loss or damage to University operations, image, or financial interests. Users shall contact the IS Systems Manager if clarification of these regulations is required, especially concerning new social and technical developments that are not fully addressed by these regulations.

2.3 Where the University’s IT resources are being used to access other resources, any action deemed abuse by the AUR of that resource, or illegal under UK law, will be regarded as abuse under this AUR. These Acceptable Use Regulations (AUR) are taken to include the Joint Academic Network (JANET) Acceptable Use Policy (AUP) published by the United Kingdom Educational and Research Network Association (UKERNA) and the terms of the various software and data licence schemes under which the University has agreed access, e.g. Microsoft Campus. More details of these schemes are in the Software and Data Agreements section of the Regulations for the Use of Information and Services.

3 - Access conditions

Access to the University’s IT resources is subject to the following conditions.

3.1 The user undertakes to comply with the provisions of all of the relevant Acts of Parliament, other relevant legislation and legal precedent. At the time of writing the relevant Acts of Parliament include: Computer Misuse Act 1990, Criminal Justice and Public Order Act 1994, Copyright, Designs and Patents Act 1988, Trade Marks Act 1994, Data Protection Act 1998, Regulation of Investigatory Powers (RIP) Act 2000, Protection of Children Act 1999, Freedom of Information Act 2000, the Telecommunications (Data Protection and Privacy) Regulations 1999, and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.

3.2 The facilities (including software) are provided entirely at the risk of the user. The University will not be liable for loss (including any loss of software, data or other computer functionality or any economic, consequential or indirect loss), damage (including damage to hardware, software or data) or inconvenience arising directly or indirectly from the use of the facilities.

3.3 Use of the University’s IT resources is conditional on prior registration with, and granting of access privileges by, the appropriate Designated Authority for the relevant facilities.

3.4 All individually allocated cards, usernames and passwords are for the exclusive use of the individual to whom they are allocated. Passwords should not be divulged, even to Authorised System Administrators. The user is personally responsible and accountable for any use made of their accounts, logon IDs, passwords, passphrases, cards, PINs and tokens.

3.5 The use of the University’s IT resources for commercial gain or for the substantial advantage of other bodies such as employers of placement students must have explicit prior permission of the appropriate Designated Authority and may be subject to charges or other conditions.

3.6 The University reserves its right to take legal action against users who cause it to be involved in legal proceedings as a result of their use of the University’s IT resources. The user shall indemnify the University for any loss or damage, whether direct or indirect, suffered or incurred as a consequence of actions prohibited by this AUR.

3.7 Users must adhere to the terms and conditions of all licence agreements relating to IT resources; this includes software, data, equipment, services documentation and other goods. More details of the various agreements may be found in the Software and Data Agreements section of the Security Policy.

3.8 Users shall supply the key to any encrypted data they own held on University computer equipment or passed through University networks if requested to do so by the Registrar.

4 - Prohibitions

4.1 Users are prohibited from using the IT resources in any way that is fraudulent, offensive, obscene, racist, malicious, defamatory, libellous, abusive or indecent. Users are prohibited from deliberately viewing or attempting to view obscene or indecent material.

4.2 Users are prohibited from use of the IT resources which is designed or likely to cause harassment.

4.3 Users are prohibited from sending unsolicited advertising, chain letters, pyramid schemes or other “nuisance” messages.

4.4 Users are prohibited from any activities that may be described as “hacking”. Hacking is defined here as the intent to cause, or actions committed knowing they are likely to cause, wrongful loss or damage or alteration to information residing on a computing resource or any action that attempts to gain unauthorised access to, or diminishes the value of, or reduces the utility of, or affects injuriously by any means an IT resource. Hacking is further defined in the Definition of Terms.

4.5 No user shall access, interfere or attempt to interfere with data belonging to or material prepared by or for another without permission. Similarly, no user shall make copies of data belonging to another without permission.

4.6 Users shall not deliberately waste staff time or IT resources. Users shall take reasonable care not to disrupt the work of others and are prohibited from using the University’s IT resources in a way that denies service to other users.

4.7 Users shall not load or reconfigure any software or data onto the IT resources without permission from the Designated Authority. Any member of the University who installs software or data must be aware that they take full responsibility for the consequences of their actions.

4.8 No user shall connect or attempt to connect any other device or extend the University’s networks or computing services without the express approval of the Designated Authority for the network.

5 - Privacy of user data

5.1 UK legislation and University regulations require the University to inform users how it will protect the privacy of their communications and data. Users should be aware that some system administrators have access to system event logs, network traffic, data stored by users and images displayed on computers in public access areas. The University’s stance is that the legitimate activities of the individuals which can be inferred from this material should be confidential.

5.2 The University may monitor and record communications and data:

1. To establish the existence of facts to ascertain compliance with UK law or University regulations or procedures.

2. In the interests of national security.

3. To prevent or detect a crime.

4. To investigate or detect unauthorised use of telecommunications systems.

5. To secure, or as an inherent part of, effective system operation.

5.3 Network traffic and data stored by users may be automatically monitored for threats such as viruses, hostile and inappropriate activity etc. and may be automatically modified to remove such threats.

5.4 System Administrators will not exploit or release any material to another party unless at least one of the following conditions is met:

1. With the express permission of the user.

2. To respond to a request for information supporting investigation by UK law enforcement agencies. Such requests must be validated by the University Records Manager.

3. In cases where there are grounds to believe that there is a breach of University regulations or UK law. Investigation will require the express approval of the Director of Information Services or, in his absence, another senior officer of the University.

4. To properly designated staff, in a crisis situation.

5. Where access to University data is essential for operational reasons. Such access will require the express approval of the Registrar. Personal material will remain confidential.

5.5 System administrators may copy user data or lock an account to preserve evidence until such time as approval for further investigation can be granted.

5.6 Users should note that the images captured by the University’s Closed Circuit Television Cameras (CCTV) may be recorded and used to prevent or detect crime or breaches of University regulations. The access card systems also record the movements of users and this data may also be used subject to the same conditions as other recorded data.

5.7 Users are required to protect any private or confidential data appropriately. For instance, sending such data unencrypted over an unsecured medium such as email is not acceptable.

6 - Definition of Terms

User: Any person making use of University IT facilities. This includes but is not limited to all staff, students, and any other person or group granted access to the University facilities by a Designated Authority.

Authorised Systems Administrator: A member of staff who administers systems holding data belonging to others. They are bound by legislation and are required to sign a Declaration that they have read and understood the Charter for System and Network Administrators.

Designated Authority: The Designated Authority for IT facilities is whoever is responsible for their provision. Thus, in the case of centrally provided facilities, the Designated Authority will be the Director of Information Services or a nominee and, in the case of departmentally provided facilities, it will be the Head of School or Department concerned or a nominee.

Hacking: An abuse of the University’s IT facilities. Such abuses include:

1. Attempts to access or actions intended to facilitate access to computers, data or network equipment for which the individual is not authorised.

2. Unauthorised resale of data or services.

3. Attempts to damage or deny service from computer or network systems.

4. Attempts to monitor data on the network or to introduce spoofed packets or forge routing or switching information.

5. Deliberately scanning for or attempting to make use of any security bug or weakness.

6. Deliberately introducing any virus, worm, Trojan horse or other such software into any IT facility, or taking action to circumvent any precautions taken or prescribed by the University to prevent this.

Information Technology (IT): For this policy IT is defined as any operation involving the manipulation, transmission or viewing of data by electronic means.