openUWS

IT ACCEPTABLE USE STATEMENT INTRODUCTION  

Information Technology plays a vital role in helping deliver efficient services and contributing towards the student experience. Staff will recognise the importance of maintaining good practice for IT to be effective. The purpose of this Statement is to support all users of University systems in understanding good practice, avoiding misuse of University facilities and behaving lawfully.  

Everyone using UWS IT equipment or systems is responsible for the security of data on them. As such, all users must adhere to the requirements of this statement at all times. Should anyone be unclear on the statement or how it impacts them, they should contact the Information Services Helpdesk.  

This Statement should be read in conjunction with the following UWS procedures and other documents that also apply to this context:  

1. Data Protection Code of Practice  

2. Dignity and Respect at Work Guidelines  

3. Disciplinary Procedure  

4. Equality, Diversity & Human Rights Code  

5. IT Information Security Procedure  

6. IT Software Licensing & Control Statement  

7. IT Password Management Procedure  

8. Records Management Protocol  

9. Guidelines for the use of Social Media at UWS  

10. University Regulation – Code of Discipline for Students  

11. Guidelines on USB devices  

The impact of this Statement will be monitored regularly to reflect the changing online environment and technologies. The Statement may also be amended where particular concerns are raised or where an incident has been recorded.  

This Statement supersedes any written or oral policy previously issued concerning IT acceptable use in the University.  

1. SCOPE OF STATEMENT  

This Statement applies to all individuals issued with a UWS user ID and password (hereafter referred to as ‘user’).  

This Statement covers the use of all UWS IT systems, equipment and networks whether accessed on or off campus. It applies to access gained through the wired or the wireless network and via a VPN and to personal equipment being used on the University networks.  

2. OUR STATEMENT  

Use of any UWS IT systems, equipment and network on or off campus implies acceptance of all terms and conditions within this and associated protocols and guidelines and of the consequences of inappropriate use.  

2.1 Computer Access Control  

Access to UWS IT systems is controlled by the use of a user ID and password using Multi-Factor Authentication. All user IDs are uniquely assigned to named individuals and consequently, individuals are accountable for all actions on UWS IT systems and equipment by anyone who uses that ID. All those with a user ID must comply with the Password Management Procedure.  

Individuals must not:  

1. Allow anyone else to use the user ID allocated to them on any UWS system or equipment.  

2. Allow any unauthorised person to use UWS devices  

3. Leave user accounts logged in at an unattended and unlocked computer.  

4. Use weak or easily guessable passwords. Where weak passwords are identified IT may disable access to the account if the service user is not contactable.  

5. Use someone else’s user ID and password to access UWS systems or equipment.  

6. Leave passwords unprotected (for example written down in view of others).  

7. Perform any unauthorised changes to UWS IT systems or information.  

8. Install any unauthorised software on UWS equipment  

9. Attempt to access data that they are not authorised to use or access.  

10. Exceed the limits of their authorisation or specific business need to interrogate the system or data.  

11. Gain or attempt to gain unauthorised access to accounts or passwords  

12. Fail to return UWS equipment at the end of a loan period  

13. Use USB storage devices which are not encrypted. Use of USB devices for storage should be by exception.  

14. RESPOND TO EMAILS OR ANYONE ASKING YOU TO DISCLOSE YOUR PASSWORD. THE HELPDESK WILL NEVER ASK YOU TO DIVULGE YOUR PASSWORD.  

The security of UWS information and information systems is critical and all use and access to data must comply with the IT Information Security Procedure.  

2.2 Internet Access  

Access to the internet is provided primarily via the Janet network. Use of the internet should also comply with the Jisc Acceptable Use Policy:  

Use of the internet via UWS equipment is intended for University use. Personal use is permitted, but should be kept to a minimum so that it does not compromise a staff member’s work or a student’s course related study. It should also not preclude others with work-related or course related needs from using the resources.  

2.3 Email  

University emails may require to be disclosed under the Freedom of Information (Scotland) Act 2002 or the Data Protection Act 2018. Therefore users should be aware of the content and language used in e-mails and avoid emotive or subjective language.  

Students must not send emails which make representations, contractual commitments or any other form of statement concerning the University unless they have specific authority to do so.  

2.4 Social Media  

Social media can be a useful tool to encourage student engagement and learning but can be far more informal in nature. Staff should be aware of this when communicating with students via social media and should never share information with students or interact with them in a way that they would not willingly or appropriately do in a University or other public setting.  Staff should not communicate via social media in a way that may bring the University into disrepute e.g. using offensive or discriminatory language or posting inappropriate images/content.  

Use of social media sites including Instagram, Facebook, Twitter, YouTube online blogs and wikis has increased the risk of inappropriate content being published. Users should be careful not to associate themselves with UWS on personal sites if the views or information on the site might cause conflict with the University.  

Access to these sites is not controlled by the institution but users are expected to behave responsibly when using them, particularly when accessing them via the university’s network and to comply with the Guidelines for the use of Social Media at UWS.  

2.5 Personal Data  

Under UK GDPR, personal data is any information which is related to an identified or identifiable natural person. Users must be familiar with the University’s Data Protection Code of Practice. Personal data being sent outside the University must be encrypted. If personal data is being transferred outside of the European Economic Area (EU members states plus UK, Iceland, Norway and Liechtenstein), please contact the Legal Services team.  

All users are accountable for their actions on the internet and when using email and social media. All institutional protocols and legislation restricting the disclosure of confidential or personal information must be maintained.  Disciplinary procedures may be taken where this is not adhered to.  

2.6 Unacceptable Use  

Unless such use has been approved for an academic or research purpose, or pursuant to a formal University investigation, one or more of the following is considered unacceptable use for all users:  

1. Installation of any software that is not provided by the University. Use of pirated software or illegal use of licensed software.  

2. Use of software no longer receiving vendor security updates and not supported by a current maintenance agreement  

3. Modifying or circumventing the precautions taken by the University to prevent virus infection.  

4. Using the facilities for monetary gain  

5. Preventing others from making legitimate, work related use of the facilities.  

6. Trying to gain unauthorised entry to other computer systems or files ('hacking').  

7. Copying, deleting or making changes to any files, directories or folders other than those in connection with their work.  

8. Tampering, adjusting, switching on/off or otherwise interfering with the equipment in open access labs and teaching labs other than normal usage.  

9. Transmission of unsolicited commercial or advertising material, save where that material is embedded within, or is otherwise part of, a service to which the recipient has chosen to subscribe  

10. Creating, transmitting, transferring, downloading, browsing, viewing, reproducing or accessing any image, material or other data of any kind, which contains unacceptable content, including but not limited to:-  

These restrictions apply to work, course related use and personal use. The University considers it important that all use is restricted in this way to avoid disruption in the workplace and the learning environment while reducing the likelihood of embarrassment, distress or offence to others.  Any failure to comply may be dealt with under disciplinary Procedures  

3. PROCEDURE  

3.1 Monitoring and Compliance  

The use of any University IT systems, equipment and network is monitored in order to ensure that this use is compliant with the law and with University rules.  

All data that is created and stored on UWS computers remains the property of UWS. Only under certain circumstances will access to another user account or email be permitted.  Any access requires to be authorised by the IT Security and Customer Support Manager, Legal Team, P&OD or Dean of School or Head of Department.  Any access will only be given to an appropriate staff member subject to Data Protection laws and monitored by P&OD.  

Personal data should not be stored on UWS equipment, network or cloud storage. Examples of this include but are not restricted to personal photographs, music, films and other media files.  Network storage will be monitored for these files and may be deleted.  

Inbound and outbound internet traffic is scanned for security threats. Access to categories of websites that are deemed unacceptable are blocked by Information Services from the University network.   

Some staff and students may be involved in legitimate teaching or research that involves a blocked website. When this is the case, access should be requested via the Information Services Helpdesk. Authorisation will be required from the relevant Dean of School or Head of Department prior to this access being granted.  

Investigations will be commenced where reasonable suspicion exists of a breach of this or any other relevant policy. The University may use an external agency to carry out appropriate technical investigations. Any suspected breach of this procedure must be reported immediately to the IT Security and Customer Support Manager or the Information Services Helpdesk to allow investigation of the incident prior to taking appropriate action.   

All breaches will be investigated. Where investigations reveal misconduct, disciplinary action may follow in line with UWS disciplinary procedures for staff. Pending investigation of a suspected breach of the policy, IT services may be suspended for that individual.  

User behaviour is subject to the laws of the land, even those that may not apparently relate to IT such as the laws on fraud, theft and harassment. Where investigation reveals activity that is considered to be in breach of current laws, the incident will be escalated to a senior member of staff. The matter may be reported to the appropriate authorities on the guidance of senior management. Relevant current legislation includes, but not limited to, the following:   

1. Communications Act 2003  

2. Computer Misuse Act 1990  

3. Copyright, Designs and Patents Act 1988  

4. Criminal Justice and Public Order Act 1994  

5. Data Protection Act 2018  

6. Human Rights Act 1998  

7. Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended)  

8. Equality Act 2010   

9. Regulation of Investigatory Powers Act 2000  

10. Freedom of Information (Scotland) Act 2002  

11. Prevention of Terrorism Act 2005  

12. Counter Terrorism & Security Act 2015  

3.2 Government Prevent Strategy  

The University has a duty under the Counter Terrorism & Security Act 2015 to have “due regard to the need to prevent people from being drawn into terrorism”.  

One way in which people can become drawn into terrorism or extremism is via online material. This policy prohibits accessing, posting or contributing any material (whether at the University or otherwise) that promotes terrorism or extremism as defined in the Government’s Prevent Strategy 2011: “Vocal or active opposition to fundamental British values, including democracy, the rule of law, individual liberty and mutual respect and tolerance of different faiths and beliefs. We also include in our definition of extremism calls for the death of members of our armed forces.” A secure web gateway provides UWS with web content categorisation. Website categories that would breach this policy are blocked by default. Some staff may be involved in legitimate teaching or research into blocked topics that are sensitive in nature. When this is the case:  

1. Explicit approval must be obtained from the staff member’s line manager.  

2. Ethical approval must be obtained through the appropriate School Ethics Committee or University Ethics Committee  

3. Robust storage must be in place so the material is only accessible by the relevant individual(s)  

Should a member of staff become aware that a student or member of staff has been attempting to access terrorism or extremism related content, they should discuss this confidentially with their line manager or a senior member of staff. If necessary, the line manager or senior member of staff will then escalate this via the VP (Governance) & University Secretary.