This guidance expands on the principles set out in the Acceptable Use Policy for IT Facilities and Equipment. It gives many examples of specific situations and is intended to help you relate your everyday use of the IT facilities to the do’s and don’ts in the core regulations.
This guidance expands on the principles set out in the Acceptable Use Policy for IT Facilities and Equipment. It gives many examples of specific situations and is intended to help you relate your everyday use of the IT facilities to the do’s and don’ts in the core regulations.
Where a list of examples is given, these are just some of the most common instances, and the list is not intended to be exhaustive.
Where terms similar to Authority, Authorised, Approved or Approval appear, they refer to authority or approval originating from the person or body identified in section 9 “Authority”, or anyone with authority delegated to them by that person or body.
York St John University’s Acceptable Use Policy for IT Facilities and Equipment, along with these guidance notes, have been adapted from the model regulations put forward by UCISA as an example of appropriate regulations for the use of IT in Higher Educational establishments, held at the UCISA website.
These regulations apply to anyone using York St John University’s IT facilities. This means more than students and staff. It could include, for example:
• Visitors to York St John University, and people accessing the institution’s online services from off campus;
• External partners, contractor and agents using York St John University’s network, or accessing the institution’s systems;
• Tenants of the institution using the University’s computers, servers or network;
• Visitors using the institution’s Wi-Fi;
• Students and staff from other institutions logging on using Eduroam.
1.2. IT facilities
The term IT facilities include:
• IT hardware that York St John University provides, such as PCs, laptops, tablets, smart phones and printers, whether owned directly by the University or leased from another party;
• Software that the institution provides, such as operating systems, office application software, web browsers etc. It also includes software that the institution has arranged for you to have access to, for example, special deals for students on commercial application packages;
• Data that York St John University provides, or arranges access to. This might include online journals, data sets or citation databases;
• Access to the network provided or arranged by the institution. This could cover, for example, network connections in halls of residence, on campus Wi-Fi, connectivity to the internet from University PCs;
• Online services arranged by the institution, such as external resources, databases and web services or web applications;
• IT credentials, such as the use of your institutional login, or any other token (email address, smartcard, dongle) issued by York St John University to identify yourself when using IT facilities. For example, you may be able to use drop in facilities or Wi-Fi connectivity at other institutions using your usual username and password through the eduroam system. While doing so, you are subject to these regulations, as well as the regulations at the institution you are visiting.
The way you behave when using IT should be no different to how you would behave under other circumstances. Abusive, inconsiderate or discriminatory behaviour is unacceptable.
2.1. Conduct online and on social media
York St John University’s policies concerning staff and students also apply to the use of social media. These include human resource policies, codes of conduct, acceptable use of IT and disciplinary procedures.
You must not harass people, or discriminate against people based on protected characteristics as defined in the Equality Act 2010 (age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, sexual orientation.) This includes joking and “banter”, harassment, taunting, name-calling, revealing private information about somebody’s past (e.g. “deadnaming”), deliberately mis-gendering somebody or anything else which might make someone feel undermined or uncomfortable. In some cases such actions may be a criminal offence.
As required under the Counter Terrorism and Security Act 2015 (the “PREVENT” Duty), you must not use IT facilities to attempt to radicalise or encourage extremist views or behaviours in others, or to distribute material related to such views or behaviours that risk drawing people into terrorism or are shared by terrorist groups. Do not join online communities that encourage such behaviours or take part in discussions online which may promote radical or extremist causes, including the distribution, promotion or expression of extremist views.
You must not send unsolicited bulk emails or chain emails, nor send unsolicited bulk messages on social media, forums or other services, nor promote any commercial activity by use of IT facilities, other than in certain specific circumstances. Advice on this is available from the Information Learning and Estates Service Desk.
2.3. Denying others access
Do not occupy specialist facilities unnecessarily if someone else needs them. If you are using shared IT facilities for personal or social purposes please be considerate of the needs of others who may need access to facilities for work, particularly at peak times.
2.4. Excessive consumption of bandwidth/resources
Consider the impact of your use of IT facilities on the environment and the performance of the service. Do not waste paper by printing more than is needed, or by printing single sided when double sided would do. Don’t waste electricity by leaving equipment needlessly switched on. Don’t download large amounts of information across the wireless network frequently.
3. Intended use
York St John University’s IT facilities, and the Janet network that connects institutions together and to the Internet, are funded in part by the tax paying public. The public have a right to know that the facilities are being used for the purposes for which they are intended.
3.1. Use for purposes in furtherance of institution’s mission
The IT facilities are provided for use in furtherance of the institution’s mission. Such use might be for learning, teaching, research, knowledge transfer, public outreach, the commercial activities of the institution, or the administration necessary to support all of the above.
3.2. Personal use
You may currently use the IT facilities for personal use provided that it does not otherwise breach the regulations, and that it does not prevent or interfere with other people using the facilities for valid purposes. You should be considerate of others’ needs to use computers for work purposes at all times.
The allowance of personal use is a concession and can be withdrawn at any time.
Employees using the IT facilities for non-work purposes during working hours are subject to the same management policies as for any other type of non-work activity.
3.3. Commercial use and personal gain
Use of IT facilities for non-institutional commercial purposes, or for personal gain, such as running an external club or society, requires the explicit approval of the Director of Information Learning and Estates.
Even with such approval, the use of some licences, particularly those under the Chest agreements, for anything other than teaching, studying or research, administration or management purposes is prohibited, and you must ensure that licences allowing commercial use are in place.
Many of the IT services provided or arranged by the institution require you to identify yourself so that the service knows that you are entitled to use it.
This is most commonly done by providing you with a username and password, but other forms of IT credentials may be used, such as an email address, a smart card or some other form of security device.
4.1. Protect identity
You must take all reasonable precautions to safeguard any IT credentials issued to you.
Do not use obvious passwords, and do not record them where there is any likelihood of someone else finding them. Do not use the same password as you do for personal (i.e. non-institutional) accounts to minimise the risk of both your University and personal accounts being compromised at the same time. Do not share passwords with anyone else, even IT staff or your line manager, no matter how convenient and harmless it may seem.
In some cases you may consider it necessary for others to use IT facilities on your behalf (e.g. a personal assistant or carer). In such cases please contact Information Learning and Estates Service Desk who will be able to offer advice or authorisation. Should there be a need to gain access to another’s account or information (e.g. a manager in the case of staff who are absent) please contact Information Learning and Estates Service Desk who will arrange such access in accordance with the principles set out in section 6 of this guidance.
If you think someone else has found out what your password is, change it immediately and report the matter to Information Learning and Estates Service Desk.
Do not use your username and password to log in to websites or services you do not recognise.
Do not leave logged in computers unattended without first locking the screen, and then only for short periods of time. Log out properly when you are finished.
Don’t allow anyone else to use your smartcard or other security hardware. Take care not to lose them, and if you do, report the matter to Information Learning and Estates Service Desk.
Never use someone else’s IT credentials except as explicitly allowed by the Director of Information Learning and Estates, or attempt to disguise or hide your real identity when using the institution’s IT facilities.
However, it is acceptable not to reveal your identity if the system or service clearly allows anonymous use (such as a public facing website).
4.3. Attempt to compromise others’ identities
You must not attempt to usurp, borrow, corrupt or destroy someone else’s IT credentials.
The IT infrastructure is all the underlying stuff that makes IT function. It includes servers, the network, PCs, printers, operating systems, databases and a whole host of other hardware and software that has to be set up correctly to ensure the reliable, efficient and secure delivery of IT services.
You must not do anything to jeopardise the infrastructure.
5.1. Physical damage or risk of damage
Do not damage, or do anything to risk physically damaging the infrastructure, such as being careless with food or drink at a PC, or being careless in your handling of equipment.
Do not attempt to change the setup of the infrastructure without authorisation, such as changing the network point that a PC is plugged in to, connecting devices to the network or altering the configuration of the institution’s devices.
You must not load software onto equipment unless you have been given the rights to do so, and in any case, you must never load software which is harmful or has harmful intent or is not properly licensed for the use you intend. You must make no efforts to circumvent any restrictions that are in place to prevent the loading of software onto equipment.
Do not move equipment without authority, and make sure that Information Learning and Estates are made aware of any movement of fixed computers or transfer of responsibility for equipment.
5.3. Network extension
You must not extend the wired or Wi-Fi network without authorization. Such activities, which may involve the use of routers, repeaters, hubs or Wi-Fi access points, can disrupt the network and are likely to be in breach of the Janet Security Policy.
5.4. Setting up servers
You must not set up any hardware or software that would provide a service to others over the network without permission. Examples would include games servers, file sharing services, chat servers or websites.
5.5. Introducing malware
You must take all reasonable steps to avoid introducing malware to the infrastructure.
The term malware covers many things such as viruses, worms and Trojans, but is basically any software used to disrupt computer operation or subvert security. It is usually spread by visiting websites of a dubious nature, downloading files from untrusted sources, opening email attachments from people you do not know or inserting media that have been created on compromised computers.
If you avoid these types of behaviour, keep your antivirus software up to date and switched on, and run scans of your computer on a regular basis, you should not fall foul of this problem.
5.6. Subverting security measures
York St John University has taken measures to safeguard the security of its IT infrastructure, including things such as antivirus software, firewalls, spam filters and so on.
You must not attempt to subvert or circumvent these measures in any way.
6.1. Personal, sensitive and confidential information
During the course of their work or studies, staff and students may handle personal information that comes under the Data Protection Act (1998) (DPA) or the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) , or is sensitive or confidential in some other way. For the rest of this section, these will be grouped together as protected information.
Safeguarding the security of protected information is a highly complex issue, with organisational, technical and human aspects. If your role is likely to involve handling protected information, you must make yourself familiar with and abide by the provisions of the DPA and GDPR. Particular attention should be paid when using external services to the requirements under the act that data be kept safe and secure and not transferred outside the European Economic Area without adequate protection. If you are in any doubt about your responsibilities relating to protected information or the suitability of an IT system for holding protected information, seek advice from Information Learning and Estates and/or the University Secretary or refer to other guidance they may publish on these matters.
6.1.1. Transmission of protected information
When sending protected information electronically, you must use a method with appropriate security. Advice about how to send protected information electronically is available from Information Learning and Estates.
6.1.2. Removable media and mobile devices
Protected information must not be stored on removable media (such as USB storage devices, removable hard drives, CDs, DVDs) or mobile devices (laptops, tablet or smart phones) unless it is encrypted, and the key kept securely.
Advice on the use of removable media and mobile devices for protected information is available from Information Learning and Estates.
6.1.3. Remote working
If you access protected information from off campus, you must make sure you are using a connection method that ensures that the information cannot be intercepted between the device you are using and the source of the secure service. Typically, this will take the form of a Virtual Desktop connection, a secure website (https) or by transfer via a secure external service such as the University’s Office 365 platform including OneDrive. Further advice is available from Information Learning and Estates.
You must also be careful to avoid working in public locations where your screen can be seen.
6.1.4. Personal or public devices and cloud services
Even if you are using approved connection methods, devices that are not fully managed by York St John University cannot be guaranteed to be free of malicious software that could, for example, gather keyboard input and screen displays. You should therefore exercise appropriate caution in using such devices to access, transmit or store protected information.
Be cautious about storing protected information in personal cloud services, such as Dropbox. In general, use of the University’s Microsoft Office 365 OneDrive system is to be preferred, if you opt to store protected information in another system you are responsible for ensuring it is secure and meets the territorial requirements of the DPA and GDPR. Whichever cloud services you use, be aware that the service may be synchronising your data to other devices that may be less secure or are shared by others. Take special care when using the file sharing facilities of such services; sharing should only ever be to named individuals and should be reviewed periodically. You should never use a “sharable link” to share protected information, as proliferation of such links cannot be easily controlled. Information Learning and Estates can provide further advice on the use of cloud services.
6.2. Copyright information
Almost all published works are protected by copyright. If you are going to use material (images, text, music, software), the onus is on you to ensure that you use it within copyright law. This is a complex area, and guidance is available from Information Learning and Estates at https://www.yorksj.ac.uk/ils/copyright/. The key point to remember is that the fact that you can see something on the web, download it or otherwise access it does not mean that you can do what you want with it.
6.3. Others’ information
You must not attempt to access, delete, modify or disclose restricted information belonging to other people without their permission, unless it is obvious that they intend others to do this, or you have lawful approval from the Director of Information Learning and Estates. Bear in mind that such actions may be a criminal offence.
Where information has been produced in the course of employment by York St John University, and the person who created or manages it is unavailable the following considerations for access will apply:
• If possible and appropriate the owner of the information will be contacted and informed of the need to access specific communications or information. Where appropriate consent will be sought.
• Where consent is not or cannot be given, permission to access the information will be sought from a Head of School or Director of Department (Deputy Director where no Director exists). Such authorisation should be for specific information, and limited to as little information as necessary.
• The member of staff allowed access to this information will be responsible for ensuring that only the authorised information is accessed and that no other information is avoidably accessed or disclosed.
Private information may only be accessed by someone other than the owner under very specific circumstances governed by institutional and/or legal processes.
6.4. Inappropriate material
You must not create, download, store or transmit unlawful material, or material that is indecent, offensive, defamatory, threatening or discriminatory, liable to radicalise or is considered extremist. Valid activities involving the use of such material should be discussed and agreed with the Director of Information Learning and Estates in advance of access or usage.
There is an exemption covering authorised IT staff involved in the preservation of evidence for the purposes of investigating breaches of the regulations or the law.
6.5. Publishing information
Publishing means the act of making information available to the general public, this includes through websites, social networks and news feeds. Whilst York St John University generally encourages publication, you must not make statements that purport to represent York St John University without the approval of the Deputy Director of Marketing.
7.1. Institutional monitoring
York St John University may monitor and logs the use of its IT facilities for the purposes of:
• Detecting, investigating or preventing misuse of the facilities or breaches of the University’s regulations;
• Monitoring the effective function of the facilities;
• Investigation of alleged misconduct;
• Any other lawful purpose as may arise or be imposed upon the University.
York St John University will comply with lawful requests for information from law enforcement and government agencies for the purposes of detecting, investigating or preventing crime, and ensuring national security.
You should not assume that any activities you perform on the University IT facilities are unmonitored or protected from analysis, even where such activities are considered to be secure or encrypted.
7.2. Unauthorised monitoring
You must not attempt to monitor the use of the IT without the explicit permission of the Director of Information Learning and Estates.
This would include:
• Monitoring of network traffic;
• Network and/or device discovery, other than consumer discovery protocols such as uPNP;
• Wi-Fi traffic capture;
• Installation of key logging or screen grabbing software that may affect users other than yourself;
• Attempting to access system logs or servers or network equipment.
Where IT is itself the subject of study or research, special arrangements will have been made, and you should contact your course leader/research supervisor for more information.
It is helpful to remember that using IT has consequences in the physical world.
Your use of IT is governed by IT specific laws and regulations (such as these), but it is also subject to general laws and regulations such as your institution’s general policies.
8.1. Domestic law
Your behaviour is subject to the laws of the land, even those that are not apparently related to IT such as the laws on fraud, theft and harassment.
There are many items of legislation that are particularly relevant to the use of IT, of which the following is a non-comprehensive list:
• Obscene Publications Act 1959 and Obscene Publications Act 1964
• Protection of Children Act 1978
• Police and Criminal Evidence Act 1984
• Copyright, Designs and Patents Act 1988
• Criminal Justice and Immigration Act 2008
• Computer Misuse Act 1990
• Human Rights Act 1998
• Data Protection Act 1998
• General Data Protection Regulation (Regulation (EU) 2016/679)
• Regulation of Investigatory Powers Act 2000
• Prevention of Terrorism Act 2005
• Terrorism Act 2006
• Police and Justice Act 2006
• Freedom of Information Act 2000
• Freedom of Information (Scotland) Act 2002
• Equality Act 2010
• Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended)
• Defamation Act 1996 and Defamation Act 2013
• Counter Terrorism and Security Act 2015
Links to the full text of each Act can be found in the appendix to this guidance.
So, for example, you may not:
• Create or transmit, or cause the transmission, of any offensive, obscene or indecent images, data or other material, or any data capable of being resolved into obscene or indecent images or material;
• Create or transmit material with the intent to cause annoyance, inconvenience or needless anxiety;
• Create or transmit material with the intent to defraud;
• Create or transmit defamatory material;
• Create or transmit material such that this infringes the copyright of another person or organisation;
• Create or transmit unsolicited bulk or marketing material to users of networked facilities or services, save where that material is embedded within, or is otherwise part of, a service to which the user or their user organisation has chosen to subscribe;
• Deliberately (and without authorisation) access networked facilities or services;
• Take part in activities online that are designed to radicalise others or encourage extremist views or behaviours.
8.2. Foreign law
If you are using services that are hosted in a different part of the world, you may also be subject to their laws. It can be difficult to know where any particular service is hosted from, and what the applicable laws are in that locality.
In general, if you apply common sense, obey domestic laws and the regulations of the service you are using, you are unlikely to go astray.
8.3. Third party regulations
If you use York St John University IT facilities to access third party service or resources you are bound by the regulations associated with that service or resource. (The association can be through something as simple as using your institutional username and password). Very often, these regulations will be presented to you the first time you use the service, but in some cases the service is so pervasive that you will not even know that you are using it.
Some examples of this would be:
Using Janet, the IT network that connects all UK higher education and research institutions together and to the internet
When connecting to any site outside York St John University you will be using Janet, and subject to the Janet Acceptable Use Policy, https://community.ja.net/library/acceptable-use-policy the Janet Security Policy, https://community.ja.net/library/janet-policies/security-policy and the Janet Eligibility Policy https://community.ja.net/library/janet-policies/eligibility-policy. The requirements of these policies have been incorporated into these regulations, so if you abide by these regulations you should not infringe the Janet policies.
Using Chest agreements. Eduserv is an organisation that has negotiated many deals for software and online resources on behalf of the UK higher education community, under the common banner of Chest agreements. These agreements have certain restrictions, which may be summarised as:
• non-academic use is not permitted;
• copyright must be respected;
• privileges granted under Chest agreements must not be passed on to third parties;
• users must accept the User Acknowledgement of Third Party Rights, available at www.eduserv.org.uk/services/Chest-Agreements/about-our-licences/user-obligations
There will be other instances where York St John University has provided you with a piece of software or a resource.
Other licence agreements. You may be subject to other licence agreements related to the use of electronic resources or software. Normally these will be presented to you on first usage of the facility, but if you need to review a licence or have any queries about these agreements, please contact Information Learning and Estates Service Desk.
These regulations are issued under the authority of the Director of Information Learning and Estates who is also responsible for their interpretation and enforcement, and who may also delegate such authority to other people.
Authority to use the institution’s IT facilities is granted by a variety of means:
• The issue of a username and password or other IT credentials;
• The explicit granting of access rights to a specific system or resource;
• The provision of a facility in an obviously open access setting, such as an Institutional website; a self-service kiosk in a public area; or an open Wi-Fi network on the campus.
If you have any doubt whether or not you have the authority to use an IT facility you should seek further advice from Information Learning and Estates Service Desk.
Attempting to use the IT facilities without the permission of the relevant authority is an offence under the Computer Misuse Act.
10.1. Disciplinary process and sanctions
Breaches of these regulations will be handled by the York St John University’s disciplinary processes.
This could have a bearing on your future studies or employment with the institution and beyond.
Sanctions may be imposed if the disciplinary process finds that you have indeed breached the regulations, for example, imposition of restrictions on your use of IT facilities; removal of services; withdrawal of offending material; recovery of any costs incurred by York St John University as a result of the breach.
Depending on the nature of the infringement, you may also face criminal charges or civil action brought by other parties, e.g. you may be charged by the Police for a crime under an act of parliament, or you may be sued for damages by a copyright holder related to unlicensed use or distribution of copyrighted materials.
10.2. Reporting to other authorities
If the institution believes that unlawful activity has taken place, it will refer the matter to the police or other enforcement agency.
10.3. Reporting to other organisations
If the institution believes that a breach of a third party’s regulations has taken place, it may report the matter to that organisation.
10.4. Report infringements
If you become aware of an infringement of these regulations or use of IT facilities for unlawful purposes, you should report the matter to the relevant authorities.
Appendix: Links to Key Legislation
• Obscene Publications Act 1959 www.legislation.gov.uk/ukpga/Eliz2/7-8/66/contents
• Obscene Publications Act 1964 www.legislation.gov.uk/ukpga/1964/74
• Protection of Children Act 1978 www.legislation.gov.uk/ukpga/1978/37/contents
• Police and Criminal Evidence Act 1984 www.legislation.gov.uk/ukpga/1984/60/contents
• Copyright, Designs and Patents Act 1988 www.legislation.gov.uk/ukpga/1988/48/contents
• Criminal Justice and Immigration Act 2008 www.legislation.gov.uk/ukpga/2008/4/contents
• Computer Misuse Act 1990 www.legislation.gov.uk/ukpga/1990/18/contents
• Human Rights Act 1998 www.legislation.gov.uk/ukpga/1998/42/contents
• Data Protection Act 1998 www.legislation.gov.uk/ukpga/1998/29/contents
• Regulation (EU) 2016/679 (GDPR) https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679
• Regulation of Investigatory Powers Act 2000 www.legislation.gov.uk/ukpga/2000/23/contents
• Prevention of Terrorism Act 2005 www.legislation.gov.uk/ukpga/2005/2/contents
• Terrorism Act 2006 www.legislation.gov.uk/ukpga/2006/11/contents
• Police and Justice Act 2006 www.legislation.gov.uk/ukpga/2006/48/contents
• Freedom of Information Act 2000 www.legislation.gov.uk/ukpga/2000/36/contents
• Freedom of Information (Scotland) Act 2002 www.legislation.gov.uk/asp/2002/13/contents
• Equality Act 2010 www.legislation.gov.uk/ukpga/2010/15/contents
• Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) www.legislation.gov.uk/uksi/2003/2426/contents
• Defamation Act 1996 www.legislation.gov.uk/ukpga/1996/31/contents
• Defamation Act 2013 www.legislation.gov.uk/ukpga/2013/26/contents
• Counter-Terrorism and Security Act 2015 http://www.legislation.gov.uk/ukpga/2015/6/contents
• The Children Act (1989) https://www.legislation.gov.uk/ukpga/1989/41/contents
• The Children Act (2004) https://www.legislation.gov.uk/ukpga/2004/31/contents
• Safeguarding Vulnerable Groups Act (2006) https://www.legislation.gov.uk/ukpga/2006/47/contents
• Working Together to Safeguard Children (2015) https://www.gov.uk/government/publications/working-together-to-safeguard-children--2