Calendar 2019/20

B - Regulations Relating to the Use of Information Technology Facilities

1

Headlines

  • Governance
    Don’t break the law, do abide by the University of Exeter’s regulations and policies, and do observe the regulations of any third parties whose facilities you access.
  • Identity
    Don’t allow anyone else to use your IT credentials, don’t disguise your online identity and don’t attempt to obtain or use anyone else’s.
  • Infrastructure
    Don’t put the institution’s IT facilities at risk by introducing malware, interfering with hardware or loading unauthorised software.
  • Information
    Safeguard personal data, respect other people’s information and don’t abuse copyright material.  Remember that mobile devices may not be a secure way to handle information.
  • Data breaches
    If you suspect a data breach has occurred report to the Student Information Desk as a matter of urgency.
1.1 These regulations apply to:
  • All users of computing, telecommunication and / or networking systems and services provided by, or for which access is facilitated by, the University of Exeter.
  • All computing, telecommunication and / or networking equipment owned by the University of Exeter, or equipment or services for which access has been facilitated by the institution.
  • Use of computing, telecommunication and / or networking systems and services owned by other bodies, access to which has been provided or facilitated by the University of Exeter. In such cases, the regulations of both bodies apply. In the event of a conflict of the regulations, the more restrictive takes precedence.
1.2 The IT facilities referred to here include items such as PDAs, smartphones (e.g. iPhones), tablet devices (e.g. iPads), personal computers whether desktop or portable, mini or mainframe computers and computer networks, all software and data thereon and all computer-based information systems provided for administrative or other purposes. The equipment covered includes IT and audio-visual facilities owned, leased, hired or otherwise provided by the University of Exeter, IT facilities connected directly or remotely to the institution’s network or IT facilities, and IT facilities used on the institution’s premises. Your personal IT equipment is included if it is used in any of the ways described herein. This list is not exhaustive, and if you are unsure whether a particular item is covered then you must assume that it is, unless the designated authority (see section 4) confirms in advance that it is not.
1.3 Individual Colleges or Services may lay down additional regulations at the discretion of the College Dean / Head of Service.
1.4 In order to ensure service continuity and the security of University systems and information, additional requirements will apply to anyone developing applications for multi-user use or web content for the University website; guidance will follow.
2 Applicable laws and policies
2.1 Those who use the facilities in the United Kingdom are bound by the laws of the UK. Appendix A contains a list of laws that may apply. Note that this list may not be exhaustive. Those who use the facilities from outside the UK may be bound by the laws of the UK and / or any other applicable local laws.
2.2 Use of IT facilities constitutes acceptance of these regulations, which apply subject to, and in addition to, the law.
2.3 Use of IT facilities must also comply with the requirements of the other applicable policies and regulations including:
2.4 In the case of any conflict between regulations, the order of precedence of regulations and policies is as follows (where 1 = first, 2 = second, etc.):
  1. These regulations
  2. Applicable University policies (eg for Information Security or Data Protection)
  3. Other acceptable use policies that apply (e.g. JANET Acceptable Use Policy if accessing the Internet)
  4. Additional College regulations (clause 1.3)
2.5 Acceptance of these regulations constitutes acceptance of the University of Exeter’s right to monitor use and of the University’s arrangements regarding privacy and confidentiality set out in Appendix B.
3 Infringement
3.1 Any infringement of these regulations may be subject to penalties under civil or criminal law and such law may be invoked by the University of Exeter. In addition, the use of computer software and other material may also be subject to the terms of licence agreements into which the University has entered. Use of the institution’s systems may be logged to permit the detection and investigation of infringement of policies and / or licence agreements.
3.2 In cases of infringement or possible infringement of these regulations, the University of Exeter reserves the right to suspend an offending user’s connection (temporarily or permanently) and / or to withdraw access to facilities. Any withdrawal of service may be notified to the user’s College Dean or Head of Service.
3.3

Any infringement of these regulations may constitute a disciplinary offence under the applicable procedure for members of staff or students. The University may commence disciplinary proceedings against a member of staff or a student following a breach or alleged breach of the regulations. Minor infringements of these regulations may be dealt with informally without recourse to the formal disciplinary procedure. Breaches of these regulations that have a serious or potentially serious adverse consequence for the University’s operation, business / academic activities or reputation, or for the security / integrity of the IT systems, may constitute gross misconduct and render the offender liable to dismissal without notice or to expulsion from the University.

4 Authority
4.1

The ‘designated authority’ referred to throughout these regulations is as follows:

  • For all academic facilities and services: The Director of ESE
  • For all administrative facilities and services: Registrar and Secretary
  • For facilities wholly managed by a College: The College Dean
4.2 In all cases, the Chief Information and Digital Officer may act as a deputy for the designated authority.
5 Right to use IT facilities
5.1 Before using any IT facilities, users must be authorised by completing the IT account activation process. See www.exeter.ac.uk/it/account/usernameandpassword
5.2 Users must notify the designated authority of any change in status that may affect their right to use IT facilities. This does not apply to students completing their studies, or a section of their studies, in the normal way but would include, for example, exclusion from a course of study, or the transfer of a member of staff to a post that no longer required access to certain systems.
5.3

IT facilities are provided solely to support research, learning and teaching, and administration. Although not a right, limited personal use is permitted, provided it does not interfere with a member of staff's work nor adversely affect a student's studies. Personal / recreational use of the IT facilities may be subject to temporary or permanent suspension if necessary to ensure service continuity or the availability of adequate resources for research, learning and teaching, and / or administrative use. Staff should not normally use IT facilities for personal use during their regular working hours without prior permission. Users must not use a University email address for purposes other than those permitted by this clause unless special permission has been granted. In particular, users must not use or advertise their University email address for any non-University business or for campaigning or any party political purpose without the prior permission of the designated authority.

5.4 The use of IT facilities or information for commercial gain must have the explicit prior permission of the designated authority and may be subject to charge.
5.5 The use of IT facilities or information to the substantial advantage of other bodies, such as employers of placement students, must have the explicit prior permission of the designated authority and may be subject to charge.
5.6 Use of IT facilities by persons other than staff or students must have the explicit prior permission of the designated authority and may be subject to charge.
6 Use
6.1 Use of the University of Exeter’s IT facilities must not bring the institution into disrepute.
6.2 Users must not tamper with, or cause damage to, the University of Exeter's IT facilities, nor to any of the accommodation or services associated with them.
6.3 Users must adhere to the terms and conditions of all licence agreements relating to IT facilities and information that they use including software, equipment, services, documentation and other goods.
6.4 Users must not infringe intellectual property rights or copyright works in any form including software, documents, images, or audio or video recordings.
6.5 Users must not install any software or other copyright material onto any shared IT facility, or in such a way that it may be accessed by other users, without permission from the copyright owner and the designated authority.
6.6 Users must take all reasonable precautions to ensure that they do not deliberately or recklessly introduce any virus, worm, Trojan or other harmful, illegal or nuisance program or file into any IT facility. They must not take deliberate action to circumvent any precautions taken or prescribed by the University of Exeter to prevent this. They must take all reasonable precautions to avoid infection, including on their personal IT equipment. Precautions may include, but are not limited to, accessing only legitimate sites; only using USB memory sticks, CDs, DVDs, software, games and films from known and lawful sources; running up-to-date anti-virus software and ensuring that all security patches for Operating System(s) and installed applications are applied promptly. Users must comply with any other requirements defined in the University’s Information Security Policy.
6.7 Users must not access, delete, amend or disclose the data or data structures of other users without their permission.
6.8

Users must not act in any way that puts the security of the IT facilities at risk. In particular, usernames and passwords must be kept safe and secure and only used by those authorised to do so. Passwords must never be divulged to others by any means. Users must never use login details other than their own to access the IT facilities nor allow others to use the IT facilities they are connected to without logging out and disconnecting first. Users must not store University IT account credentials in such a way that their access rights could be used by any other user of the device. In the case of a legitimate multi-user account, it may be necessary for authorised users to share the password for the account. Users must not use the password for their University IT account as the password for any other account they use. Users with system administration accounts must use a different password to their user account.  The University of Exeter reserves the right, without prejudice, to issue a warning to, or take other appropriate action (including disciplinary action) against, users who are responsible for security breaches. Advice on using strong passwords is available at https://www.exeter.ac.uk/it/account/changepassword

6.9 Users must not, in their use of IT facilities, exceed the terms of the permissions associated with their IT account. In particular they must not connect to, or attempt to connect to, any IT facility without the permission of the Chief Information and Digital Officer.  This is known as hacking and is a criminal offence under the Computer Misuse Act 1990, as amended.
6.10 Users must log out from their account and make their computer and network connection secure against unauthorised use whenever they are not actively using the machine.
6.11 Users must not allow anyone else to use a network connection provided for their personal use or provide any services to others via remote access.
6.12 Users may be liable for the cost of remedying any damage they cause or to which they contribute.
6.13 Users of networks and remote IT facilities shall obey any rules (such as the JANET Acceptable Use Policy available via www.exeter.ac.uk/it/regulations/regs) that may be published from time to time for their use.
6.14 University business must be conducted using University email accounts rather than personal accounts.
7 Equipment
7.1 Users are responsible for ensuring that they are sufficiently familiar with the operation of any equipment they use in order to access the IT facilities to make their use of it safe and effective and to avoid interference with the use of it by others.
7.2 Non-portable University equipment may not be moved or removed without the prior agreement of the designated authority.
7.3 No equipment may be connected in any way into any network or other IT facility of the University of Exeter without the prior agreement of the designated authority.
7.4 Users must make any changes specified by Exeter IT in order to safeguard the University of Exeter’s IT facilities and users thereof. If the changes are not carried out, the University reserves the right to disable network connection until the device is secured or the vulnerability has been removed.
7.5 Disposal of computing equipment must be done safely and securely, in accordance with the University of Exeter’s policies and contractual obligations, including the Disposal of IT Equipment form. All data and software must be securely removed and the requirements of the WEEE Directive must be met. Details of the procedure to be followed are available at www.exeter.ac.uk/sustainability/wasteandrecycling/a-z/
8 Behaviour
8.1 Except by prior arrangement, users should not carry out activities utilising the IT facilities that will interfere with the work of other users nor should they attempt to prevent the legitimate use of the IT facilities by others.
8.2 Users must not attempt to conceal or falsify the authorship of any electronic communication.
8.3 Users must not send unsolicited electronic communications to multiple recipients except where it is a communication authorised by the University of Exeter.  Specifically, users must not send spam or chain letters. If in doubt, advice must be sought from the designated authority.
8.4

The University has a statutory duty, under the Counter Terrorism and Security Act 2015, termed ‘PREVENT’.  The purpose of this duty is to aid the process of preventing people being drawn into terrorism.

You must not create, download, store or transmit unlawful material, or material that is indecent, offensive, defamatory, threatening, discriminatory or extremist.  The University reserves the right to block or monitor access to such material.  The interpretation will normally be the responsibility of the Registrar and Secretary. Any such material that is introduced to the IT facilities will be removed forthwith. Where access to such material is deemed necessary, prior permission must be sought from the designated authority. See Appendix B for clarification.

8.5 Use of the TOR browser (The Onion Router) and other similar forms of anonymous internet activity from within the university network are now restricted for reasons of IT Security. Where users have a genuine requirement to use TOR for academic or professional purposes, an approval process called 'Access to Restricted Materials' has been agreed. Details on the process can be found at www.exeter.ac.uk/ig/policy/restrictedmaterials/.
9 Disclaimer
9.1 The University of Exeter makes no representations about the suitability of this service for any purpose. All warranties, terms and conditions with regard to this service, including all warranties, terms and conditions, implied by statute, or otherwise, of satisfactory quality, fitness for a particular purpose, and non-infringement are excluded to the fullest extent permitted by law.
9.2 The University of Exeter shall not in any event be liable for any damages, costs or losses (including without limitation direct, indirect, consequential or otherwise) arising out of, or in any way connected with, the use of the service, or with any delayed access to, or inability to use the service and whether arising in tort, contract, negligence, under statute or otherwise. Nothing in these terms excludes or limits liability for death or personal injury caused by the negligence of the institution in providing this service.

Appendix A: List of laws

This section contains a list of laws and policies that may apply to use of IT facilities. Note that this list may not be exhaustive and will be subject to amendments and any superseding legislation that may be enacted. The legislation can be viewed via www.legislation.gov.uk. Those who use the facilities from outside the UK may be bound by the laws of the UK and / or any other applicable local laws.

General Data Protection Regulation
Obscene Publications Act 1959 & 1964
Protection of Children Act 1978
Police and Criminal Evidence Act 1984
Copyright, Designs & Patents Act 1988
Computer Misuse Act 1990
Human Rights Act 1998
Data Protection Act 2018
Regulation of Investigatory Powers Act 2000
Freedom of Information Act 2000
Counter Terrorism and Security Act 2015
Terrorism Act 2006
Police and Justice Act 2006
Digital Economy Act 2017
Equality Act 2010
Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011

Appendix B: Guidance on the regulations relating to the use of information technology facilities

This section provides further information for guidance purposes and does not form part of the IT regulations.

Material that may be illegal, defamatory or ‘likely to cause offence’

The decision on whether any activity is ‘likely to cause offence’ will depend on the context and will be subject to grounds of reasonableness. Users are required to avoid activity that undermines the dignity of others and to consider how their behaviour when using IT facilities may affect other users. The following list is not exhaustive but is designed to give guidance as to what might constitute unacceptable activity likely to cause offence:

  • The creation, transmission or display of pornographic or indecent images
  • The creation or transmission of material that is abusive or threatening or could be interpreted as harassment
  • The creation or transmission of material that is designed, or likely, to cause needless anxiety to others
  • The creation or transmission of material that is defamatory, inflammatory or discriminatory

The regulations and other policies are not designed to restrict academic freedom and exceptions are possible for properly authorised lawful academic purposes. Anyone who is uncertain whether any proposed use of the IT facilities may cause offence to others must check the position through the IT Help Desk (www.exeter.ac.uk/it/helpdesk) and, if necessary, receive acknowledgement from the designated authority before engaging in the activity.

Material that may promote terrorism

The interpretation will normally be the responsibility of the Registrar and Secretary. Any such material that is introduced to the IT facilities will be removed forthwith. Where access to such material is deemed necessary for legitimate academic pursuits, the relevant Code of Conduct must be followed (www.exeter.ac.uk/ig/policy/restrictedmaterials/).

Monitoring of activity

The University of Exeter reserves the right, consistent with the relevant legislation, to exercise control over computer resources and to use any system-generated files (such as log files and error / exception reports) along with management tools to maintain system performance and investigate system faults as well as breaches, or possible breaches, of these regulations.

Users should note that:

  • Traffic through the email system is logged. These logs contain information about the flow of email, including source, destination and subject, but not the body content of email messages.
  • Internet and other network traffic through the caches, servers and network devices, is logged. These logs contain information about Internet activity, including sites visited, which can be traced back to individual computers.
  • To manage licence compliance, we log user access to our e-resources.
  • We may log and monitor data about installed software on user machines.

System logs are monitored by authorised University of Exeter staff who require information about the operation of email, cache and other services. In the event of any disciplinary or legal investigation, Academic Services may be asked (by the University or other authority) to assist in the collation of information, including information from logs, for more detailed examination.

In reviewing or investigating Internet activity in particular, the University of Exeter recognises the possibility that sites may have been visited accidentally.

Privacy and confidentiality

Exeter IT makes every effort to ensure the privacy of users’ data, including email messages and files held on computer systems. Email content is not viewed during the course of normal systems administration, nor are user files opened or read. However, where there is good reason to believe that there may have been a breach of University of Exeter regulations and / or the law, or where there are justifiable grounds for concern for the safety or well-being of any user of the IT facilities, the designated authority may authorise staff to investigate the content of a user’s files and electronic mail folders. Investigation of file or email content will normally be carried out by at least two people acting together. The user will be informed that this action has been taken, unless this might prejudice any future police investigation. Please note that, in order to protect the confidentiality of the individual and third parties, we are not normally able to provide the representatives of a deceased user with access to his / her email or files except where there is a legal requirement to do so.

In order to attempt to return files of unknown ownership to the owner, the content of files may be examined; where this reveals material indicating that there may have been a breach of these regulations and / or the law, the designated authority may authorise further investigation as described above.

Details of the University’s Data Protection Policy are available via www.exeter.ac.uk/recordsmanagement/dataprotection/guidance.

Social media policy documents

Staff: www.exeter.ac.uk/staff/employment/hrpoliciesatoz/socialmedia/
Students: www.exeter.ac.uk/staff/equality/dignity/online_student_conduct/

Published September 2019