Calendar 2010/11

C - Regulations Relating to the Use of Information Technology Facilities

1 Scope
1.1 These regulations apply to:
  • All users of computing, telecommunication and / or networking systems and services provided by, or for which access is facilitated by, the University of Exeter.
  • All computing, telecommunication and / or networking equipment owned by the University of Exeter, or equipment for which access has been facilitated by the institution.
  • Use of computing, telecommunication and / or networking systems and services owned by other bodies, access to which has been provided by the University of Exeter. In such cases, the regulations of both bodies apply. In the event of a conflict of the regulations, the more restrictive takes precedence.
1.2 The IT facilities referred to here include items such as PDAs, smartphones, personal computers whether desktop or portable, mini or mainframe computers and computer networks, all software and data thereon and all computer-based information systems provided for administrative or other purposes. The equipment covered includes IT facilities owned, leased, hired or otherwise provided by the University of Exeter, IT facilities connected directly or remotely to the institution’s network or IT facilities, and IT facilities used on the institution’s premises. Your personal IT equipment is included if it is used in any of the ways described herein. This list is not exhaustive, and if you are unsure whether a particular item is covered then you must assume that it is, unless the designated authority (see Section 4) confirms in advance that it is not.
1.3 Individual Schools or Services may lay down additional regulations at the discretion of the Head of School / Service.
1.4 In order to ensure service continuity and the security of University systems and information, additional requirements will apply to anyone developing applications for multi-user use or web content for the University website; guidance will follow during the 2010/2011 session.
1.5 These regulations may be modified from time to time; the latest version will be online at http://as.exeter.ac.uk/it/regulations/regs
2 Applicable laws and policies
2.1 Those who use the facilities in the United Kingdom are bound by the laws of the UK. Appendix A contains a list of laws that may apply. Note that this list may not be exhaustive. Those who use the facilities from outside the UK may be bound by the laws of the UK and / or any other applicable local laws.
2.2 Use of IT facilities constitutes acceptance of these regulations, which apply subject to, and in addition to, the law.
2.3 In the case of any conflict between regulations, the order of precedence of regulations and policies is as follows (where 1 = first, 2 = second, etc):
  1. These regulations
  2. Applicable University policies (eg for Information Security or Data Protection)
  3. Other acceptable use policies that apply (eg JANET Acceptable Use Policy if accessing the Internet)
  4. Additional School regulations (clause 1.3)
2.4 Acceptance of these regulations constitutes acceptance of the University of Exeter’s right to monitor use and of the University’s arrangements regarding privacy and confidentiality set out in Appendix B.
3 Infringement
3.1 Any infringement of these regulations may be subject to penalties under civil or criminal law and such law may be invoked by the University of Exeter. In addition, the use of computer software and other material may also be subject to the terms of licence agreements into which the University has entered. Use of the institution’s systems may be logged to permit the detection and investigation of infringement of policies and / or licence agreements.
3.2 In cases of infringement or possible infringement of these regulations, the University of Exeter reserves the right to suspend an offending user’s connection (temporarily or permanently) and / or to withdraw access to facilities. Any withdrawal of service may be notified to the user’s Head of School or Service.
3.3 Any infringement of these regulations may constitute a disciplinary offence under the applicable procedure (see Disciplinary Procedure for students and www.exeter.ac.uk/admin/personnel/~docs/disciplinary_procedure.pdf for staff), regardless of legal action. Minor infringements of these Regulations may be dealt with without recourse to the formal disciplinary procedure. Serious infringements may result in formal action under the Disciplinary Procedure including, in cases of gross misconduct by staff, summary dismissal.
4 Authority
4.1 The ‘designated authority’ referred to throughout these regulations is as follows:
  • For all academic facilities and services: The Director of Academic Services
  • For all administrative facilities and services: The Director of Academic Services or the Registrar and Deputy Chief Executive
  • For facilities wholly managed by a School: The Head of School
4.2 In all cases, the Assistant Director for Information and Computing Systems in Academic Services may act as a deputy for the designated authority.
5 Right to use IT facilities
5.1 Before using any IT facilities, users must be authorised by completing the IT account activation process. See http://as.exeter.ac.uk/it/account/usernameandpassword
5.2 Users must notify the designated authority of any change in status that may affect their right to use IT facilities. This does not apply to students completing their studies, or a section of their studies, in the normal way but would include, for example, exclusion from a course of study, or the transfer of a member of staff to a post that no longer required access to certain systems.
5.3 IT facilities are provided solely to support research, learning and teaching, and administration. Some personal use of the IT facilities is permitted, but this is not a right. In particular, facilities are provided to students in order to support their academic programmes of study and such use must always be given priority over non-academic activities. Personal use of the IT facilities may be subject to temporary or permanent suspension if necessary to ensure service continuity or the availability of adequate resources for research, learning and teaching, and / or administrative use.
5.4 The use of IT facilities or information for commercial gain must have the explicit prior permission of the designated authority and may be subject to charge.
5.5 The use of IT facilities or information to the substantial advantage of other bodies, such as employers of placement students, must have the explicit prior permission of the designated authority and may be subject to charge.
5.6 Use of IT facilities by persons other than staff or students must have the explicit prior permission of the designated authority and may be subject to charge.
6 Use
6.1 Use of the University of Exeter’s IT facilities must not bring the institution into disrepute.
6.2 Users must not tamper with, or cause damage to, the University of Exeter's IT facilities, nor to any of the accommodation or services associated with them.
6.3 Users must adhere to the terms and conditions of all licence agreements relating to IT facilities and information that they use including software, equipment, services, documentation and other goods.
6.4 Users must not infringe intellectual property rights or copyright works in any form including software, documents, images, or audio or video recordings.
6.5 Users must not install any software or other copyright material onto any shared IT facility, or in such a way that it may be accessed by other users, without permission from the copyright owner and the designated authority.
6.6 Users must take all reasonable precautions to ensure that they do not deliberately or recklessly introduce any virus, worm, Trojan or other harmful, illegal or nuisance program or file into any IT facility. They must not take deliberate action to circumvent any precautions taken or prescribed by the University of Exeter to prevent this. They must take all reasonable precautions to avoid infection, including on their personal IT equipment. Precautions may include, but are not limited to, running up-to-date Anti-Virus software, ensuring that all security patches for Operating System(s) and installed applications are applied promptly, and any other requirements defined in the University’s Information Security Policy.
6.7 Users must not access, delete, amend or disclose the data or data structures of other users without their permission.
6.8 Users must not act in any way that puts the security of the IT facilities at risk. In particular, usernames and passwords must be kept safe and secure and only used by those authorised to do so. The University of Exeter reserves the right, without prejudice, to issue a warning to, or take other appropriate action (including disciplinary action) against, users who are responsible for security breaches. Advice on ‘strong’ passwords is available at http://as.exeter.ac.uk/it/account/changepassword
6.9 Users must not in their use of IT facilities exceed the terms of the permissions associated with their IT account. In particular they must not connect to, or attempt to connect to, any IT facility without the permission of the designated authority. This is known as hacking and is a criminal offence under the Computer Misuse Act 1990, as amended.
6.10 Users must log out from their account and make their computer and network connection secure against unauthorised use whenever they are not actively using the machine.
6.11 ResNet users must not allow anyone else to use their network connection or provide any services to others via remote access.
6.12 Users may be liable for the cost of remedying any damage they cause or to which they contribute.
6.13 Users of networks and remote IT facilities shall obey any rules (such as the JANET Acceptable Use Policy available via http://as.exeter.ac.uk/it/regulations/regs) that may be published from time to time for their use.
7 Equipment
7.1 Users are responsible for ensuring that they are sufficiently familiar with the operation of any equipment they use in order to access the IT facilities to make their use of it safe and effective and to avoid interference with the use of it by others.
7.2 Non-portable University equipment may not be moved or removed without the prior agreement of the designated authority.
7.3 No equipment may be connected in any way into any network or other IT facility of the University of Exeter without the prior agreement of the designated authority.
7.4 Users must make any changes specified by Academic Services in order to safeguard the University of Exeter’s IT facilities and users thereof. If the changes are not carried out, the University reserves the right to disable network connection until the device is secured or the vulnerability has been removed.
7.5 Disposal of computing equipment must be done safely and securely, in accordance with the University of Exeter’s policies and contractual obligations, including the Disposal of IT Equipment Policy. All data and software must be removed and the requirements of the WEEE Directive must be met. Details of the procedure to be followed are available at http://as.exeter.ac.uk/it/equipmentandsoftware/disposal
8 Behaviour
8.1 Except by prior arrangement, users should not carry out activities utilising the IT facilities that will significantly interfere with the work of other users.
8.2 Users must not attempt to conceal or falsify the authorship of any electronic communication.
8.3 Users must not send unsolicited electronic communications to multiple recipients except where it is a communication authorised by the University of Exeter. Specifically, users must not use the institution’s facilities to send spam or chain letters. If in doubt, advice must be sought from the designated authority.
8.4 The creation, display, production or circulation of material that is illegal, defamatory, likely to cause offence or that promotes terrorism is forbidden. The interpretation will normally be the responsibility of the Director of Academic Services. Any such material that is introduced to the IT facilities will be removed forthwith. Where access to such material is deemed necessary, prior permission must be sought from the designated authority. See Appendix B for clarification.
9 Disclaimer
9.1 The University of Exeter makes no representations about the suitability of this service for any purpose. All warranties, terms and conditions with regard to this service, including all warranties, terms and conditions, implied by statute, or otherwise, of satisfactory quality, fitness for a particular purpose, and non-infringement are excluded to the fullest extent permitted by law.
9.2 The University of Exeter shall not in any event be liable for any damages, costs or losses (including without limitation direct, indirect, consequential or otherwise) arising out of, or in any way connected with, the use of the service, or with any delayed access to, or inability to use the service and whether arising in tort, contract, negligence, under statute or otherwise. Nothing in these terms excludes or limits liability for death or personal injury caused by the negligence of the institution in providing this service.

Appendix A: List of laws

This section contains a list of laws and policies that may apply to use of IT facilities. Note that this list may not be exhaustive and will be subject to amendments and any superseding legislation which may be enacted. The legislation can be viewed via www.legislation.gov.uk. Those who use the facilities from outside the UK may be bound by the laws of the UK and / or any other applicable local laws.

Obscene Publications Act 1959 & 1964
Protection of Children Act 1978
Police and Criminal Evidence Act 1984
Copyright, Designs & Patents Act 1988
Computer Misuse Act 1990
Human Rights Act 1998
Data Protection Act 1998
Regulation of Investigatory Powers Act 2000
Freedom of Information Act 2000
Prevention of Terrorism Act 2005
Terrorism Act 2006
Police and Justice Act 2006  

Appendix B: Guidance on the regulations relating to the use of information technology facilities

This section provides further information for guidance purposes and does not form part of the IT regulations.

Material that may be illegal, defamatory or ‘likely to cause offence’

The decision on whether any activity is ‘likely to cause offence’ will depend on the context and will be subject to grounds of reasonableness. Users are required to avoid activity that undermines the dignity of others and to consider how their behaviour when using IT facilities may affect other users. The following list is not exhaustive but is designed to give guidance as to what might constitute unacceptable activity likely to cause offence:

  • The creation, transmission or display of pornographic or indecent images
  • The creation or transmission of material that is abusive or threatening or could be interpreted as harassment
  • The creation or transmission of material that is designed, or likely, to cause needless anxiety to others
  • The creation or transmission of material that is defamatory, inflammatory or discriminatory

The regulations and other policies are not designed to restrict academic freedom and exceptions are possible for properly authorised lawful academic purposes. Anyone who is uncertain whether any proposed use of the IT facilities may cause offence to others must check the position through the IT Help Desk (www.exeter.ac.uk/it/helpdesk) and, if necessary, obtain permission from the designated authority before engaging in the activity.

Material that may promote terrorism

The interpretation will normally be the responsibility of the Director of Academic Services. Any such material that is introduced to the IT facilities will be removed forthwith. Where access to such material is deemed necessary for legitimate academic pursuits, the relevant Code of Conduct must be followed (in preparation May 2010).

Monitoring of activity

The University of Exeter reserves the right, consistent with the relevant legislation, to exercise control over computer resources and to use any system-generated files (such as log files and error / exception reports) along with management tools to maintain system performance and investigate system faults as well as breaches, or possible breaches, of these regulations.

Users should note that:

  • Traffic through email gateways is logged. These logs contain information about the flow of email, including source and destination, but not the content of email messages.
  • Internet and other network traffic through the caches and firewalls is logged. These logs contain information about Internet activity, including sites visited, which can be traced back to individual computers.

System logs are monitored by authorised University of Exeter staff who require information about the operation of email, cache and other services. In the event of any disciplinary or legal investigation, Academic Services may be asked (by the University or other authority) to assist in the collation of information, including information from logs, for more detailed examination. Details of the University’s Data Protection Policy are available via http://as.exeter.ac.uk/library/about/special/recordsmanagement/dataprotection/guidance

In reviewing or investigating Internet activity in particular, the University of Exeter recognises the possibility that sites may have been visited accidentally.

Privacy and confidentiality

Academic Services makes every effort to ensure the privacy of users’ data, including email messages and files held on computer systems. Email content is not viewed during the course of normal systems administration, nor are user files opened or read. However, where there is good reason to believe that there may have been a breach of University of Exeter regulations and / or the law, the designated authority may authorise staff to investigate the content of a user’s files and electronic mail folders. The user will be informed that this action has been taken, unless this might prejudice any future police investigation. Details of the University’s Data Protection Policy are available via http://as.exeter.ac.uk/library/about/special/recordsmanagement/dataprotection/guidance