POLICY
ON ACCEPTABLE USE OF UNIVERSITY COMPUTING AND DATA COMMUNICATIONS FACILITIES
(Incorporating modifications approved by Senate on 15
October 2003 )
Contents
1. General Framework
2. Network Policies
2.1 Acceptable Use Policy
2.2 Monitoring Policy
2.3 Electronic Information Security Policy
2.4 Server Connection Policy
2.5 Network Connection Policy
3. Policy on Use of
Electronic Mail
3.1 Policy
3.2 Complaints
3.3 Email Disclaimer
4. Code of Conduct
applying to use of Corporate Laboratories, Central Servers and Software
4.1 Guidelines
4.2 Code of Conduct
4.3 Casual Use of Laboratories during Timetabled Sessions
4.4 Laboratory Rules
4.5 Approved Software
5. Compliance
6. References
1.1 This policy
applies to all authorised use of the University of Ulster computing and data
communications facilities. It applies to all use of physical components and
software, and to use of network information services such as Electronic mail,
Internet news, nationally hosted electronic library resources and World Wide
Web. It is the users' responsibility to ensure that they use any services in an
acceptable manner and in accordance with current regulations.
1.2 The University
operates at all times under UK law [1] but users should be
aware that any material they import or transmit across international boundaries
must not contravene any international laws or treaties, for example the
importation of specific material from countries for which an embargo is in
force, or transmission of material lawfully provided in the UK which may cause an
offence in the recipient country.
1.3 Under the
terms of the Computer Misuse Act 1990, any use of University computing and data
communications facilities which is not authorised is illegal. Authorisation to
access facilities which present a username/password entry applies only to the
registered owner of the username, or a person using the username with the
owner's permission. Any public uses of network facilities which are advertised
by the University as being freely available, for example, incoming electronic
mail or access to the University's public Web pages from client browsers on the
Internet, are authorised only insofar as they comply with the University's
computing and data communications policy.
1.4 This policy is to take effect
in accordance with all applicable UK law.
All or any part of this policy is to be construed insofar as it is
possible to do so in conformity with all applicable UK law. To
the extent that this policy or any part of this
policy cannot be construed as being in conformity with applicable UK law, then
it shall not take effect to the extent of such non-conformity.
The University's data communications
network is maintained to support teaching, learning and research and their
associated administrative and management functions. Only users and
organisations whose predominant use of the facilities falls into these
categories, or whose use is approved by the Director of Information Services,
will be permitted to make a connection to the University network, whether directly
or via another organisation.
Subject to the following paragraphs,
computing and communications facilities may be used for any legal activity that
is in furtherance of the aims and policies of the University.
An individual's use of the University's
network is granted for the purpose of interworking with other users and
organisations, and with organisations attached to networks which are reachable
and not explicitly debarred. All use of University facilities is subject to
payment of the appropriate charges in force during the period of service. Any
provision of services must be authorised in advance.
Unacceptable Use
The University's network may not be
used for any of the following:
·
the creation or transmission (other than for properly
supervised and lawful research purposes) of any offensive, obscene or indecent
images, data or other material, or any data capable of being resolved into
obscene or indecent images or material;
·
the creation or transmission of material which is designed or likely
to cause annoyance, inconvenience or needless anxiety;
·
the creation or transmission of defamatory material;
·
the transmission of material such that this infringes the
copyright of another person;
·
the transmission of unsolicited commercial or advertising
material either to other users or organisations, or to organisations connected
to other networks;
·
deliberate unauthorised access to facilities or services
accessible via the network;
·
deliberate activities with any of the following
characteristics:
·
wasting staff effort or networked resources, including time
on end systems accessible via the network and the effort of staff involved in
the support of those systems;
·
corrupting or destroying other users' data;
·
unreasonably
violating the privacy of other users;
·
unreasonably
disrupting the work of other users;
·
using any networking or computing facility in a way that
denies services to other users (for example, deliberate or reckless overloading
of access links or of switching equipment);
·
continuing to use an item of networking software or hardware
after it has been requested that use cease because it is causing disruption to
the correct functioning of the service;
·
other misuse of computing or networked resources, such as
the introduction of computer
"viruses".
·
any other use deemed as unacceptable unlawful by supervisory
staff
The University’s policies on
harassment and bullying cover the mis-use of email and other network services.
Where the University's network is being
used to access any other responsible network, any abuse of the acceptable use
policy of that network will be regarded as unacceptable use of the University's
network.
Passing on and Resale of Network
Services
It is not permitted to provide
registered access to the University's computing and data communications
facilities for third parties without the prior written agreement of the
Director of Information Services, with the exception in the following
sub-paragraphs.
Certain Departments are permitted to operate
resale schemes whereby they may sell on network services under defined
circumstances. Details may be obtained from the Director of Information
Services.
It is acceptable for system
administrators to extend access to others on a limited basis, provided no
charge is made for such access. For example, it is acceptable that a visitor to
the University be permitted to gain access to JANET for the purpose of
maintaining contact with his or her home organisation.
A third party, where an individual,
means someone who is not acting as a member or agent of the University. Where
it applies to a separate organisation, this is defined to be any organisation
that is in law a separate entity to the University of Ulster.
The University in the course of normal
business may monitor or record communications for activities such as the
following:
·
To establish existence of facts
·
To ascertain compliance with regulatory practices
·
In the interest of general security
·
To prevent or detect misuse
·
To investigate unauthorised use of networked systems
·
To secure effective system operation
·
In association with specialist training
2.2.1
Monitoring will be conducted in accordance with the
Regulation of Investigatory Powers Act 2000, and under Lawful Business Practice
being proportionate to achieving its purpose and respecting the privacy of
individuals. Interception will only be made by persons authorised, typically IT
support staff acting in accordance with their primary area of responsibility.
2.2.2
Any attempt to intercept network traffic without authority
is a disciplinary offence unless agreed in advance with the Director of
Information Services or his delegate. Anyone found to have abused the
facilities in this manner would be subject to the disciplinary procedures as
set out below in "Section 5, COMPLIANCE".
A statement of the Information Services
monitoring policy may be obtained by clicking here.
2.3 Electronic Information Security Policy
The Information Services electronic
information security policy is designed to ensure integrity and reliable
delivery of network data necessary for sustaining University business. Its
scope includes the network infrastructure, connections to external networks,
local host and server systems and users.
2.3.1 The
Information Services Department is responsible for provision of data security
to ensure compliance with relevant legislation, the JANET security policy and
other University regulations. In so doing it will:
·
provide necessary information to enable users control access
to restricted information
·
facilitate access to JANET
·
take measures to protect against external network threats or
attacks
·
report to, and assist UKERNA in the investigation of
breaches of security
2.3.2 Users are
responsible for the security of their personal computers and locally stored
data. Queries about data security issues, suspected security attacks or threats
should be forwarded to the Information Services Helpdesk. Calls will be
escalated to an appropriate level of contact within the department.
2.4.1 System Administration
Any system providing a service must
have both an identified system
administrator and a responsible
officer in a managerial role, so that a contact is available at all times
during the normal working week. It is the system administrator's responsibility
to ensure that servers are properly maintained and operated in a secure manner.
2.4.2 System Configuration
Servers must be appropriately
configured, unnecessary services disabled (or preferably not installed), and
all accesses to the server logged. System administrators are responsible for
keeping server software up to date. They must be able to provide relevant
logfile extracts when required.
2.4.3
Access Policy
·
Services must be audited before remote access to the server
will be granted.
·
Remote access to a compromised server may be withdrawn if it
proves impossible to contact a system administrator or other responsible person
who can take appropriate action.
·
Remote access to a server will be withdrawn if auditing of
the service shows it to be configured in a way that could permit the service to
be compromised by unauthorised users.
·
Servers must not be located in public areas. Physical access
must be restricted to prevent interference with server configuration or
software.
·
Remote access for the purposes of server administration must
use approved and secure protocols.
·
Critical servers offering external 24x7 web services to the
general public should be located in rooms which provide backup mains power
supply and a secure physical environment.
In the event that the operation of any
server causes disruption to other services, the system administrator (or
deputy) will take action to rectify the situation. If prompt action is not
taken, the Information Services Department will take any steps necessary up to
and including physical disconnection of the system.
For a complete statement of the
Information Services connection policy please click here.
The data network is a key component of
University business. The Information Services Infrastructure Division is
responsible for its installation, configuration and management. Its network connection
policy is designed to protect against malicious or accidental damage to the
network, and to prevent unauthorised attachments to any part of the network, or
other unauthorised configuration changes.
2.5.1 Departmental networks
Departments wishing to install their
own networks must obtain approval of the Director of Information Services for
their equipment to be connected to the University network infrastructure. Such
equipment must be of a type approved and manageable by Information Services.
Departments managing their own network
segments must appoint a network administrator to act as a contact with the
Information Services Infrastructure Division.
Network administrators must ensure that
the University's security guidelines are fully implemented before connection of
their equipment to the network.
Network management passwords must be
secure and in event of a suspected violation should be changed promptly.
2.5.2 Staff connection requests
Network points in staff offices are for
the connection of staff computers and printers. No other devices may be
connected to the network points without approval of the Director of Information
Services.
It is a user's responsibility to ensure
that a networked computer is maintained in a secure state in line with current personal computer
security advice published by the Information Services Department.
2.5.3 Compliance
The Director of Information Services
reserves the right to refuse to connect to the University network, or to
disconnect, any departmental network or individual item of equipment, which is
either proven or suspected of having an adverse effect on the performance or
integrity of the rest of the network infrastructure.
3. Policy on use of Electronic Mail
This policy applies to all authorised
use of email accounts issued by the University, and to any use of University
computing and data communications facilities by users of email accounts issued
by other service providers. Any use which does not comply with this policy is
not authorised.
·
Staff email accounts may be used for any academic,
administrative, or social and recreational use which is in furtherance of the
aims and mission statement of the University.
·
Student email accounts are issued for communication in connection
with their course of academic studies.
·
The format of staff email addresses is
initials.surname@ulster.ac.uk The format of student email addresses is
surname-initials@ulster.ac.uk.
·
Student email address lists may be made available by course
or module number to any member of staff who may require them for academic
purposes.
·
Staff email addresses may be listed in electronic
directories available on University servers and its public Web pages. Any
member of staff may elect to have his or her email address removed from such
lists upon application.
·
Users must not attempt to disguise the sender or sending
address of an email in order to fraudulently misrepresent some aspect of a
communication.
·
The use of multiple email aliases is permitted in order to expedite
the prioritising and filing of incoming messages, as long as each alias is
properly registered with Information Services.
·
All external communication by email must be initiated from
approved hosts using approved software, and will include a date/time stamp
issued by the University's central mail hub.
·
Users must not send defamatory material by email, or send
communications to knowingly cause distress or offence to another user, or
transmit any files of an obscene or pornographic nature or data that is capable
of being rendered as obscene or pornographic images.
·
Users must not send persistent email communications to an
individual or mailing list when, as a result of a complaint, a warning has been
issued that further communications were not wanted.
·
The University's email service must not be used for private
gain or advertising except in special circumstances approved in writing by the
Director of Information Services for which an appropriate charge has been
levied or agreed.
·
Users must not waste resources by sending or inviting large
amounts of unnecessary email not connected with their job or course of academic
study, or forwarding chain mail or other frivolous material.
·
Users must not attempt to deliberately introduce harmful
computer viruses via email messages or attachments.
·
The maximum size of email message which can be guaranteed to
be delivered to the University's central mail hub is 5M bytes. Some user
mailboxes may have lower limits.
·
The maximum size of an address list for broadcast is not
limited, but users are requested to keep individual batches below 64 names and
allow a reasonable time interval between batches. Broadcasts to entire campus
lists, or University-wide, may only be done through Information Services using
a special account which is digitally signed for authentication.
·
Broadcasting to distribution lists or joining specialist
subject lists on the Internet are resource intensive. Student use of these
activities may only be undertaken with academic supervision or approval.
General complaints about the email
service should be addressed to postmaster@ulster.ac.uk. The University has
additional procedures for dealing with offensive email. If you receive
offensive email from any source please report the matter to abuse@ulster.ac.uk,
including all text and header information contained in the original message for
follow-up investigation. You should delete the offensive material immediately
you receive an acknowledgement of receipt of your complaint.
Where necessary, email accounts will be
withdrawn from a user for offences committed in contravention of this policy.
Disciplinary action for any serious breach of this policy will follow
procedures described below in "Section 5,
COMPLIANCE".
The following email disclaimer is
approved for external communications with other organisations.
"This email and any attachments are confidential and intended solely for
the use of the addressee and may contain information which is covered by legal,
professional or other privilege. If you have received this email in error
please notify the system manager at postmaster@ulster.ac.uk. The University's
computer systems may be monitored and communications carried on them recorded
to secure the effective operation of the system and for other lawful purposes.
4.
Code of Conduct applying to use of Corporate Laboratories, Central Servers and
Software
Unless otherwise defined, University
means the University of Ulster, Director means the Director of Information
Services.
Any use of the central computing
facilities and computer software should be in accordance with this document,
and with regulations or rules from time to time approved by established
committees of the University, or on the instruction of a member of staff of
this University in the performance of their duties acting in accord with this
Code or in special circumstances. Inter-university access would be in
accordance with relevant guidelines and codes of both universities.
4.1
Guidelines
4.1.1
Academic Staff Usage and Responsibilities
(a) Academic staff may use appropriate systems under their own responsibility
for the development of their computing expertise, for research projects, for
the support of teaching and administration, for the exchange of academic
information with their peers throughout the linked institutions in the UK or
elsewhere, for communication with students and for related access to public
domain facilities.
(b) Registration of staff would be effected on presentation of a current ID
card or note of introduction from their Head of Department. The resources
allocated at any time would be as approved by an appropriate University
committee that has responsibility for computing matters. Registration would be
cancelled when the user ceases to be a member of the University.
(c) It is a direct staff responsibility
in relation to their own or their students files to ensure that personal data
e.g. in surveys, assessments or references when computer based, even
temporarily, is registered in consultation with the Data Protection Adviser
(Academic). Academic staff are responsible for ensuring that students under
their supervision are properly prepared in relation to any general legal or
contractual requirements and of any such requirements specific to assignments
given.
(d) Members of academic staff are responsible for students' computing
activities based on their assignment or general direction.
(e) Where there is any financial return
to the University for established resources, or to a member of staff, then any
use of the central computing and data communication facilities should be
included in the project submission or contract at market rates factored to
include overheads as determined by the Research department. Subsequent
implementation should be identified to Information Services and arrangements
made for payment in accordance with University procedures. There would be no
charge to Research Council funded institutions for normal academic use.
(f) Where use is to be made of any national or chargeable database or service
and costs are charged through Information Services, the user concerned should
make prior Central arrangements for Information Services to be reimbursed.
4.1.2
Student use
(a) Computing and data communications facilities may be used by students of the
University for course work, projects or other assignments set by their
lecturers or for development related to their studies. Such work may be on an
individual or group project basis. Students may exchange information by e-mail
with other students or their lecturers under the particular rules applying to
communications facilities provided.
(b) Registration may be undertaken by Information Services against a schedule
of names held in the Academic Registry's current student file. An ID card
should be presented when any adjustments are being made to a registration.
Registrations would be cancelled at a date associated with each related module
or project as agreed with the appropriate lecturer unless a prior authorised
request for continuation was received. Resources allocated to students would be
in accordance with an approved schedule.
(c) Students of other institutions may access University facilities under
sponsorship of a member of academic staff, and where work is not part of the
University's academic activity, may be dependent on availability of resources.
(d) No chargeable work may be undertaken.
(e) Where the use of facilities is not directly related to course work it will
require approval of the Head of School associated with the student's
registration at the University.
4.1.3
Administrative Staff Usage and Responsibility
(a) Staff involved in the administrative activities of the University, faculty
or department, may use allocated resources for purposes associated with their
responsibilities and duties as approved by their Head of Department. This
approval may include related network use for the exchange of information with
peer institutions or for access to public domain facilities.
(b) Registration requires the signature of the appropriate Supervisor or Head
of Department. The Director may determine that use of particular facilities
requires special authorisation.
(c) Heads of Department are responsible for ensuring that all users in their
department are informed of any legal or University requirements relevant to
their work, and that all personal data is covered by Data Protection
notification.
(d) Chargeable use would be as in 4.1.1(e) and 4.1.1(f).
4.1.4
General
(a) Information Services will maintain the highest possible level of integrity
of the facilities and services, data, access and image of the central computing
and data communications systems.
(b) Information Services cannot accept responsibility for the correctness of
computational results, or for failure to produce output as a result of
equipment failure, or for consequential damage.
(c) Information Services may charge for special items or usage e.g. printing,
media conversion, scanning or disc repair.
4.2 Code of Conduct
(1) Users should adhere to legal requirements relating to the protection of
data and software and to all other aspects of computer or software access and
usage, and contractual licence agreements published by Information Services.
(2) Users should not
(a) divulge their password except where required to do so by their Head of
Department;
(b) access any facility under another user's password without the user's
expressed permission unless authorized to do so by that user's Head of
Department;
(c) access another user's files except with the expressed approval of the owner
for each occasion
unless the files have been established for such access;
(d) damage any other users data, program or directory structure;
(e) cause offensive display directly or indirectly;
(f) override systems management actions on any computing or data communications
facility;
(g) access any systems management file or command, or use restricted commands
except in conjunction with authorised system administrators;
(h) upset booking arrangements or other administration associated with the use
of facilities;
(i) deliberately consume excessive resources, or waste the time of computer
staff;
(j) copy or download any programs or data without the owner's permission or
proper regard to
licence and copyright requirements;
(k) load unapproved software packages on University equipment;
(l) use any facility for any chargeable or funded purpose or for the direct or
indirect commercial
benefit of another organisation or individual without the written approval of
the Director;
(m) transfer commercial data over JANET in any way that contravenes UKERNA
guidelines
or JANET Acceptable Use Policy;
(n) use Information Services facilities for any work outside the guidelines
without the approval of
the Director;
(o) disseminate or make use of any information that would allow a breach of
security without authority.
(p) for student laboratory clusters; retain any user files on hard discs
without the approval of the
local administrator.
(q) create or introduce a program into any of the University computer systems
whose effect causes
or is intended to cause any of (a) to (p) to take place.
4.3 Casual use of laboratories
during timetabled class sessions
4.3.1 University IT infrastructure
laboratories are available both for timetabled course use and for casual
access. Casual use of the facilities is encouraged during non-timetabled
periods. During timetabled periods casual use is permitted only if there is
spare capacity in the laboratory and the teaching session will not compromised
by the presence of the casual user.
4.3.2 Persons who book an IT laboratory
do so on the understanding that Information Services will:
·
advertise the booking on the laboratory
timetable
·
indicate the number of seats available
for casual use during the timetabled session
·
expect casual users to be accommodated
during a timetabled session, and to be able to use printing facilities unless a
person in charge of the session advises otherwise.
4.3.3 Casual users who occupy rooms
during timetabled sessions will be expected to:
·
conduct their work in a manner that is
not disruptive to the teaching in progress
·
respect and observe instructions given
to them by any person in charge of the session
·
At all times during a timetabled
session persons in charge of the session will have the right to make decisions
pertaining to casual use, or the presence of casual users, solely in the
interest of the student group for which they are responsible.
USERS MUST
·
Adhere to University SAFETY regulations
·
Abide by DATA PROTECTION and COMPUTER MISUSE legislation
·
Comply with JANET Acceptable Use Policy on network use
·
Leave faulty units alone and report them to staff
·
Vacate the room if requested by a member of staff
·
Report accidents to staff at once
·
Ensure that printers are aligned and left on-line
·
Keep the laboratory tidy and place waste paper in bins
USERS MUST NOT
·
Make unauthorised copies of software
·
Load unauthorised software on to laboratory computers
·
Move any equipment from its established position
·
Undertake prolonged activity at a VDU screen without a break
·
Remove manuals, templates or software from the lab
·
Interfere with the server or communications lines
·
Smoke, Eat or Drink in the Laboratory
No liability is accepted for loss of
data files or personal belongings
Failure to observe any of the above may
lead to disciplinary action under "Section 5,
COMPLIANCE," below.
4.5 Approved Software
Guidelines pertaining to approved software may be issued from time to time by
the Information Services Department or by the Working Group on Common
Standards.
A provisional definition of approved
software is "software which is endorsed by Information Services as
commercially marketed and proven elsewhere, or developed in-house by or under
the supervision of academic staff and meets both Faculty and Information
Services requirements."
All use of software and datasets must
comply with the CHEST Code of Conduct for the Use of Software or Datasets [3].
5.1
It
is the responsibility of every user to take all reasonable steps to ensure
compliance with the conditions set out in this policy document, and to ensure
that unacceptable use of computing and data communications facilities does not
occur. The discharge of this responsibility must include informing students and
staff under their direction or supervision of their obligations in this respect
and for organisational compliance with the UKERNA statement on JANET Acceptable
Use Guidelines and the CHEST Code of conduct for the Use of Software or
Datasets [2][3].
5.2 Where necessary, services may be
withdrawn from a user. This may take one of two forms:
·
An indefinite withdrawal of service, should a violation of
these conditions persist after appropriate warning have been given. Such a
withdrawal of services would only be made on the authority of a University
Disciplinary Committee. For student offences Ordinance 1990/1 Student
Discipline will apply. Academic and academic related staff are subject to
Ordinances 1994/3 and 4, and for other categories of staff whatever rules may
apply. Restoration will be made only when the Committee is satisfied that the
appropriate steps had been taken to ensure acceptable behaviour in future.
·
A suspension of service, should a violation of these
conditions cause serious degradation of the services to other users of the
network. Such a suspension would be made on the judgement of the Director of
Information Services, Dean of Faculty or Senior Head of Administrative
Department, and service would be restored when the cause of the degradation of
services to others had been removed.
5.3 Where
violation of these conditions is illegal or unlawful, or results in loss or
damage to University resources or the resources of third parties accessed via
the University's network, the matter may be referred for legal action.
It is preferable for misuse to be
prevented by a combination of responsible attitudes to the use of University
network resources on the part of users with appropriate disciplinary measures
taken by lecturers in the case of students and, in the case of staff or
research students, their immediate supervisors.
1.
Relevant UK Legislation
·
Data Protection Act 1984/1998
·
Freedom of Information Act 2000
·
Computer Misuse Act 1990
·
Copyright, Designs & Patents Act 1988/1992
·
Defamation Act 1952/1996
·
Obscene Publications Act 1959/1964/1994
·
Northern Ireland Act 1998
·
Electronic Communications Act 2000
·
Regulation of Investigatory Powers Act 2000
·
The
Human Rights Act 1999
2.
UKERNA
Statement of JANET Acceptable Use Policy (2008)
3.
CHEST Code of
Conduct for the Use of Computer Software or Data sets (2009)
At common law civil actions may be
brought for Fraudulent/Negligent Misrepresentation and Breach of Confidence.