LDS_003\1817302\1 - York St John University
Acceptable Use Policy for University IT systems
Updated September 2008
By using your University IT account and accessing the IT facilities provided by York St John University
(“the
University”) (including use of our wireless network) you are agreeing to the Acceptable Use Policy as outlined below.
The University ’s electronic communications systems and equipment are intended to promote effective communication and working practices within the organisation, and are critical to the success of our institution. This policy outlines the standards the University requires users of these systems to observe, the circumstances in which the University will monitor use of these systems and the action we will take in respect of breaches of these standards. The sections below deal mainly with the use (and misuse) of computer equipment, e-mail, internet connection, telephones, mobile devices, personal digital assistants (PDAs) and voicemail, but this policy applies equally to use of fax machines, copiers, scanners,
CCTV, and electronic key fobs and cards. The University’s staff and students are expected to have regard to this policy at all times to protect its electronic communications systems from unauthorised access and harm.
1. SCOPE
These regulations apply to:
All users of services provided by, or for which access is facilitated by, the University. Any equipment owned by the University, or equipment for which access has been facilitated by the University.
Use of systems and services owned by other bodies, access to which has been provided by the University. In such cases, the regulations of both bodies apply. In the event of a conflict of the regulations, the more restrictive takes precedence.
To help you get a fuller understanding of how to use our IT facilities and resources we have developed user guidelines and it is strongly recommended that you read these along with the staff or student code of conduct.
2. APPLICABLE LAWS AND POLICIES
3. INFRINGEMENT
These regulations apply subject to and in addition to the law. Any infringement of these regulations may also be subject to penalties under civil or criminal law and such law may be invoked by the
University. Use of the University’s s ystems may be logged to permit the detection and investigation of infringement of Policies. In the event of a suspected infringement the user’s account will be disabled with immediate effect and the University’s disciplinary procedures will be invoked. Further details on University procedure in the event of an infringement of this policy can be found in both the staff and student handbooks.
4. USE
4.1.
4.2.
Users of the
University’s IT facilities must have a valid user account
Users must not act in any way which puts the security of the IT facilities at risk. In particular, user credentials must be kept safe and secure and only used by those authorised to do so. Passwords are unique to each User and must be changed regularly to ensure confidentiality. Please see item 5.1 for details on accessing staff files in their absence. Under no circumstances should users share their user details
or password with other people or organisations.
4.3. The University’s IT facilities must be used for the purposes and in the way they were intended to be used.
Other use may be allowed as a privilege, not a right.
4.4. Use of the
University’s IT facilities must not bring the University into disrepute.
4.5. Users must not cause deliberate damage to the
University’s IT facilities, nor to any of the accommodation or services associated with them.
4.6. Users must adhere to the terms and conditions of all licence agreements relating to IT facilities and services which they use including software, databases and full text resources, equipment, services, documentation and other goods.
4.7. Users must not infringe copyright in any form including the making of copies, digital or otherwise, of software, documents, records, images, audio or video recordings, etc, other than for the purposes of personal study or research within the terms of copyright legislation
4.8. Users must not load any software onto the IT facilities without permission from IT Services
4.9. Users must take all reasonable precautions to ensure that they do not deliberately or recklessly introduce any virus, worm, Trojan or other harmful or nuisance program or file into any IT facility. They must not take
deliberate action to circumvent any precautions taken or prescribed by the University to prevent this. They must take all reasonable precautions to avoid infection, by, for example, but not exclusive to, opening email attachments of unknown source.
4.10. Users must not access, delete, amend or disclose the data or data structures of other users without their permission.
4.11. Users must not illicitly connect to or attempt to illicitly connect to any computing IT facility without the permission of IT Services.
This is known as hacking and is a criminal offence in terms of the Computer
Misuse Act 1990, as amended. Users may be liable for the cost of remedying any damage they cause.
4.12. Users should not physically connect their own equipment to the University network without prior approval from IT Services . A list of equipment that is acceptable can be provided by IT services (for example USB sticks).
4.13. The use of IT facilities or information for commercial gain (ie Business activities unrelated to the University) must have the explicit prior permission of IT Services who will consult the relevant authorising bodies.
4.14. The use of IT facilities or information to the substantial advantage of other bodies, such as employers of placement students, must have the explicit prior permission of IT Services who will consult the relevant authorising bodies.
4.15. Except by prior arrangement with IT Services users should not carry out activities that will significantly interfere with the work of other users.
4.16. Users must not attempt to conceal or falsify the authorship of any electronic communication.
4.17. Users must not send unsolicited electronic communications to multiple recipients except where it is a communication authorised by the University.
Specifically, users must not use the
University’s
facilities to send spam or chain letters. If in doubt, advice must be sought from IT Services.
4.18. The creation, display, production or circulation of material which is illegal or likely to cause offence is forbidden. Where access to such material is deemed necessary, permission must be sought from the Head of IT who will consult the relevant University Officials
4.19. Users who have been issued with a laptop, PDA or other mobile device must ensure that it is kept secure at all times, especially when travelling. Passwords must be used to secure access to data kept on such equipment to ensure that confidential data is protected to some extent in the event that the machine is lost or stolen. Users should also observe basic safety rules when using such equipment, such as not using or displaying it obviously in isolated or dangerous areas. Users should be aware that if using equipment on, for example, public transport, documents can be read by other passengers. Similar precautions should be taken with the use of portable storage media such as external hard drives and USB drives. If any such media or equipment is lost or stolen, users should notify IT Services immediately. Data of a sensitive nature should not be taken off site without the express permission of the University Information Manager and never without full encryption protection on the device- please refer to the University’s data security guidelines for further information
5.
4.20. Any infringement of these regulations constitutes a disciplinary offence under the applicable procedure and may be treated as such regardless of legal action.
POLICY ON ACCESS TO STAFF ACCOUNTS BY AUTHORISED PERSONS
5.1 Staff Absence. Where a member of staff is absent from work and access is required to that member of staff's IT account for a specific reason (for example to access correspondence in order to complete an item of work), the
University will follow the procedure set out below:
5.1.1 If appropriate, the member of staff will be contacted and consent sought for access to specific communications and/or documents.
5.1.2 Where consent is not or cannot be given and there is no alternative way to get the required information, permission to access the member of staff's account will be sought in writing from an authorised person (Dean of
Faculty or Head of Department). Authorisation will only be given for access to specific information and not for general access to the account in question.
5.1.3 The person authorised to access the account is responsible for ensuring that only the specific information authorised is accessed and that other information is not read or disclosed.
5.1.4 After the necessary information has been retrieved, the password to the absent member of staff's IT account will be reset and the new password will be communicated only to that member of staff.
6. MONITORING OF SYSTEMS
For business reasons, and in order to perform various legal obligations in connection with our role as an employer, use of our systems and any personal use of them is monitored. Monitoring will only be carried out to the extent permitted or required by law and as necessary and justifiable for business purposes.
We monitor all e-mails passing through our system for viruses. Users should exercise caution when opening e-mails from unknown external sources or where, for any reason, an e-mail appears suspicious. The IT department should be informed immediately if a suspected virus is received. We reserve the right to block access to attachments to e-mails for the purpose of effective use of the system and for compliance with this policy. We also reserve the right not to transmit any email message .
Users who receive an e-mail which has been wrongly delivered should return it to the sender of the message. If the e-mail contains confidential information or inappropriate material (as described above) it should not be disclosed or used in any way.
We reserve the right to retrieve the contents of messages or check searches which have been made on the internet for the following purposes:
(a) to monitor whether the use of the e-mail system or the internet is legitimate and in accordance with this policy; or
(b) to find lost messages or to retrieve messages lost due to computer failure; or
(c) to assist in the investigation of wrongful acts; or
(d) to comply with any legal obligation.
(e) in cases of staff absence as outlined in item 5 of this policy
7. ETIQUETTE
Users should refer to the staff or student codes of conduct but in particular:
Users should take care with the content of e-mail messages or posts on virtual learning environments and social networking sites, as incorrect or improper statements can give rise to personal or corporate liability in the same way as the contents of letters or faxes. For example, in connection with claims of discrimination, harassment, defamation, breach of confidentiality or breach of contract. Users should assume that e-mail messages may be read by others and should be mindful of content should it find its way into the public domain.
Email messages may be disclosed in legal proceedings in the same way as paper documents. Deletion from a user’s inbox or archives does not mean that an e-mail is obliterated and all e-mail messages should be treated as potentially retrievable, either from the main server or using specialist software
.
8. PERSONAL USE OF UNIVERSITY SYSTEMS (STAFF)
The University permits the incidental use of its internet, e-mail and telephone systems to send personal e-mail, browse the web and make personal telephone calls subject to certain conditions. Our policy is that personal use is a privilege and not a right. The policy is dependent upon its not being abused or overused and we reserve the right to withdraw our permission or amend the scope of this policy at any time. Staff should refer to the staff code of conduct for further information.
9. DISCLAIMER.
The University makes no representations about the suitability of this service for any purpose. All warranties, terms and conditions with regard to this service, including all warranties, terms and conditions, implied by statute, or otherwise, of satisfactory quality, fitness for a particular purpose, and non-infringement are excluded to the fullest extent permitted by law.
The University shall not in any event be liable for any damages, costs or losses (including without limitation direct, indirect, consequential or otherwise) arising out of, or in any way connected with, the use of the service, or with any delayed access to, or inability to use the service and whether arising in tort, contract, negligence, under statute or otherwise.
Nothing in these terms excludes or limits liability for death or personal injury caused by the negligence of the University in providing this service.
Appendix A.
LAW
Applicable laws and policies include the following together with any amendments and any superseding legislation which may be enacted. a. Obscene Publication Act 1959 & 1964 b. Protection of Children Act 1978 c. Police and Criminal Evidence Act 1984 d. Copyright, Designs & Patents Act 1988 e. Computer Misuse Act 1990 f. Human Rights Act 1998 g. Data Protection Act 1998 h. Regulation of Investigatory Powers Act 2000 i. Freedom of Information Act 2000 j. Employment Code of Practice 2002 (link) k. Prevention of Terrorism Act 2005 l. Terrorism Act 2006 m. Police and Justice Act 2006
Applicable policies include: a.
JANET Acceptable Use Policy b.
Institutional Information Security Policy (under construction) c.
Institutional Communications Policy (under construction) d.
Chest Code of Conduct
This list is not exhaustive and will be subject to change.
