Use of Computer Systems Policy

­

3.1 Policy Requirements

Those who use email or who create, manage or use web sites are responsible for ensuring that their usage complies with the legislative requirements outlined below. Those who manage such facilities are governed by the Systems Security, Network Access & Management Policy which details applicable legislation.

3.2 Connectivity

Users will be provided with Internet, web access and email facilities either by Local Area Network (LAN) connectivity, Wireless LAN connectivity, via Virtual Private Network (VPN) or through Thin Client Technology connections. In addition, some University computing resources are available through web services.

Access to these facilities is granted subject to compliance with the legal requirements, behavioural standards and responsibilities specified within this Policy. Additional requirements concerning 'mobile and remote access' (including home working) are defined in the Mobile & Remote Working Policy.

3.3 Conditions of Acceptable Usage Applicable to All Users

University IS/IT facilities must not be used (outside the authorised exemption process - see Information Security Policy Controls & Mechanisms) for, or in connection with, the following activities, many of which could result in legal action or civil proceedings being mounted against either an individual, the University, or both:

• Deliberately accessing, creating or transmitting any obscene or indecent images, data or other material, or any data capable of being resolved into obscene or indecent images or material, with the exception of email traffic which is connected with University work or official research or other professional activity, where the sender/recipient would expect to exchange such material with other users in a professional capacity;
• creating or transmitting material which is designed or likely to cause offence, annoyance, inconvenience or needless anxiety to another, with the exception of email traffic which is connected with University work or official research or other professional activity, where the sender/recipient would expect to exchange such material with other users in a professional capacity;
• creating or transmitting defamatory material or material that is libellous of any other person's or company's reputation, products or services;
• viewing, transmitting, copying, downloading or producing material, including (but not exhaustively) software, films, television programmes, music, electronic documents and books which infringes the copyright of another person, or organisation;
• making offensive or derogatory remarks about staff, students or the University on interactive life-style websites such as Facebook;
• posting offensive, obscene or derogatory photographs, images, commentary or soundtracks on interactive life-style websites such as Facebook and YouTube;
• transmitting or producing material which breaches confidentiality undertakings;
• attempting to gain deliberate access to facilities or services which you are unauthorised to access;
• deliberately undertaking activities that corrupt or destroy other users' data; disrupt the work of other users, or deny network resources to them; violate the privacy of other users; waste staff effort or networked resources;
• creating or transmitting unsolicited commercial or advertising material unless that material is part of a service to which recipients have chosen to subscribe;
• making commitments via email or the Internet on behalf of the University without full authority;
• undertaking any activities detrimental to the reputation or business interests of the University;
• deliberately contributing to News Groups or web sites that advocate illegal activity;
• initiating or participating in the sending of chain letters, 'junk mail', 'spamming' or other similar mailings.

Any user who inadvertently accesses an inappropriate Internet site must immediately close the session or return to the previous page.

Any member of staff who receives an inappropriate email message or email content that appears to have been sent by a member of staff or student may wish to report the matter to their line manager. Students may report any such occurrences to either their tutor or to ISS Help Desk staff.

3.4 Other Restrictions Applicable to Staff and Students

Staff and students must obtain formal University permission before using University computer resources* for any work which is funded (partly or wholly) by any person or organisation outside the University or on any consultancy basis.

Permission for such work to be undertaken on University systems may be refused, but where it is granted, a charge may be applicable.

Students must obtain formal University permission before using University computer resources* for any work which is in connection with any person or organisation outside the University, regardless of whether it is funded or not. They may be given a separate username which must be used for all associated computing activity and charges may be incurred.

3.5 Additional Restrictions Applicable to Students in Residences

The following additional restrictions apply to students in residences who access University network resources**, regardless of whether network connection is effected using privately owned equipment, through equipment owned by the University, or via equipment owned by any third party.

Each student is responsible for maintaining effective security of their equipment attached to the University network, by updating service packs, applying security patches and maintaining up to date virus protection software etc.

The resale (or making available to others without charge) of network and computing services (for example through hubs, proxy services or wireless facilities) is prohibited.

The connection of games consoles to University network resources is prohibited.

Privately owned and third party equipment connected to the University network will be subjected to the same monitoring activities as the University's own equipment (Ref. 3.7). Logs of computer system usage will be taken and may be scrutinised. These will be retained for periods appropriate for operational purposes.

The University accepts no responsibility for the security of any privately owned or third party owned computer attached to its network, or any liability for any damage to any such device how so ever caused. This disclaimer also extends to any other network which the University does not provide (including its components) to which private, third party or University equipment may be attached by a student.

The University reserves the right to restrict or block any device or services which have an adverse affect on the University's network or which are resulting in a degradation of its network services.

Further details are available in Residence Network - Terms & Conditions of Connectivity.

3.6 Website Management

The creators of websites are personally accountable for ensuring that the contents comply with the requirements of this Policy and relevant legislation. As such, except where anonymous input is allowed (for example guest books), scripting which enables others to alter the content is not to be made available to anyone who is not subject to this Policy. Where anonymous input is allowed this must be policed at regular and frequent intervals by the owner of the site to remove any inappropriate content and to prevent further site access by anyone posting such material.

The University's guidelines, codes and Acceptable Use Policy applicable to web pages, which can be found at http://campus.leeds.ac.uk/guidelines/ are to be strictly adhered to by those creating and managing websites.

3.7 Monitoring the Use of Facilities

Under The Telecommunications (Lawful Business Practice [LBP]) (Interception of Communications) Regulations 2000 (Statutory Instrument 2000 No.2699) the University reserves the rights to monitor users' activities to:

• record evidence of official transactions;
• ensure compliance with regulatory or self-regulatory guidelines;
• maintain effective operations of systems (e.g. preventing viruses);
• prevent or detecting criminal activity;
• prevent the unauthorised use of computer and telephone systems - i.e. ensuring that the users do not breach University policies.

Under this regulation there is a requirement for employers to inform staff about such monitoring. The publishing of this Policy is one means of fulfilling that obligation.

In accordance with the above regulation, the University reserves the right to deploy software and systems that monitor, block or record all Internet access. These systems are capable of recording (for each and every user) exactly how much Internet usage is being conducted for each World Wide Web site visit (the date and time visited and how long was spent on the site), each email message, and each file transfer into and out of our internal networks. This right is reserved at all times, although it is anticipated that instances of such monitoring will be minimal and proportional to operational needs.

Privately owned equipment connected to University networks in accordance with 2.2 will be subjected to the same monitoring activities as University equipment.

Logs of computer system usage will be taken and may be scrutinised. These will be retained for periods appropriate for operational purposes.

Data may be archived and the University reserves the right to examine this in accordance with 3.9, and to delete archived data in accordance with the Archiving Policy.

3.8 Personal Use of Internet and Email*

Significant bandwidth and disk space overheads are incurred through Internet and email traffic usage, and for email and attachment serving and storage. In view of this, the University's IS/IT facilities are provided for operational and research purposes only. However, non-excessive and reasonable personal use of these facilities by staff** may be permitted provided that such use does not interfere with the work performance of the employee or the activities of other staff or students, and is wholly compliant with legislative requirements and the terms of this Policy.

Those who use University computing resources to make purchases, pay bills or conduct on-line banking or similar activities do so at their own risk. The University cannot be responsible for any direct or indirect losses sustained by those using its computer resources for personal transactions.

3.9 Privacy and Third Party Access

A degree of privacy can be expected in the private use of the University's computing facilities. However, all users should be aware that owing to the University's obligations (statutory and otherwise) there are limitations to the privacy that can be enjoyed.

For operational purposes it may be necessary for the University to access email folders and file stores occasionally during periods of unexpected staff absence. This applies when no-one else (such as personal assistants, secretaries etc., who are granted shared access to their manager's account on their manager's authority) can access the data required, and arrangements for them to do so could not have been made in advance of their absence.

Likewise, when staff have ceased University employment it may be necessary for ISS staff to recover or copy archived data that needs to be subsequently accessed by faculty or department staff.

With these points in mind, you should not use University systems for the transmission or storage of any material that you would not wish others to see, and you should inform your correspondents not to send you material that is personal and which you or they wish to keep private.

Any University access to users' data in their absence, or when they have ceased University employment, is to be both controlled and accountable and must be in accordance with the requirements of the Access Control & Account Management Policy.

Any member of the University who is granted operational access to another user's data may only view material that it is considered necessary to see for the operational reason for which access was granted. They are required to treat all material as confidential and not to act upon it or disclose it to any other person except those directly associated with the operational requirement for which the access was granted, and they must preserve the confidentiality of any private or personal data that they may view inadvertently whilst undertaking operational matters. A failure to do so could constitute an offence under the terms of the Human Rights Act 2000.
As an additional safeguard against inadvertent disclosure, staff may wish to precede the subject title with 'PRIVATE' in the subject line of any personal emails, or use the 'personal' or 'private' sensitivity settings available through 'message options' in Microsoft Outlook.

It is stressed that any access to users' emails or data outside of the above controls could constitute a criminal offence.

---

* Director HR, and AUT, Amicus & Unison representatives previously consulted on this matter.
** What constitutes 'reasonable use' of resources for personal matters is at the discretion of the Dean of each faculty or head of each school/service.

3.10 Mass Mailing Restrictions & Controls

The University encourages and promotes the use of electronic mail to further its educational, research and service missions for legitimate academic and administrative pursuits. However, the sending of bulk University-wide / inter-faculty / departmental emails has to be regulated to prevent misuse or abuse. This Policy provides a framework for the authorisation of bulk, unsolicited emailing by any delivery means.

3.10.1 University-Wide and Inter-Faculty emails

The distribution of University-wide emails by staff or students using the 'all staff address list' or 'all students address lists', or by harvesting global address lists is prohibited unless the messages have been formally approved by the University Secretary*, or are sent by or on behalf of a member the Vice Chancellor's Executive Group. Messages that are sent outside of the authorisation process will not be released by the ISS mailing list moderator. The process for requesting authority to send bulk emails can be found at Annex A.

Messages that are likely to be approved for University-wide distribution generally will be restricted to urgent operational matters that need to be brought to the attention of the University's members. However, this mechanism may also be used for notifying staff of certain personnel issues and for the undertaking of official University surveys.

Messages that may be approved as being appropriate for widespread distribution include, but are not limited to, those concerning:

• Security issues, such as bomb or terrorist threats and computer system viruses and other threats;
• health and safety matters such as hazard warnings and natural disaster alerts;
• urgent upgrades of the University's IT/IS services that may result in temporary disruption to systems;
• the announcement of University policies that are time critical or which members have to be made aware of for legal compliance reasons;
• informing students of new registration or examination information;
• informing staff of new pay structures or industrial action;
• important announcements from the University's executives/governance groups (Strategy Group, Senate, Council, etc.)
• time critical financial and administrative deadlines.

Anyone wishing to send an inter-faculty email must obtain authority for sending it from the dean of the faculty that will receive it.

All approved bulk email messages are to contain the following information:

• Subject line: with clearly stated subject:
• From: line that contains the email address of sender;
• To: line that includes University group/s to which the mass email will be sent;
• signature information providing the name, department and telephone number of the sender.

The email body is to contain:

• plain text only - graphics, bolding or other font styles are not permitted;
• no attachments - a link to an appropriate web page which includes the detailed information is to be provided by the sender;
• brief and to the point messages only, although instructions on how additional information can be obtained may be included.

Departments wishing to announce campus sponsored events should use the facilities available on campusweb, such as 'Events', 'Bulletin Board' etc.

Alternatively, there is provision for users to subscribe to opt-in mailing lists. The approved procedure for the creation and management of these mailing lists is available in the Mailing Lists section.

3.10.2 Mass Mailing within Faculty

The dean of each faculty is authorised to send bulk emails to those members of their own faculty using the respective 'all staff lists' and respective 'all student lists', and may provide authority for other members of their faculty to do the same.

However, the use of faculty-wide mailing must be restricted to important matters where this communication mechanism is considered to be both appropriate and necessary to reach the required audience. Details of less important matters such as conferences, events, etc. are to be published using other facilities.

Those wishing to send a faculty-wide bulk email are to follow the process at Annex B

3.10.3 Mass Mailing - Mailing Lists, Address Book and Database Held Addressees

Users who send emails to multiple recipients by compiling a list from a personal address book or database are to enter the email addresses in the BCC field so that they cannot be seen and harvested by others.

With the exception of emails to mailing lists to which users have chosen to subscribe, such mailings are also include the following statement in the body of their mail: This email has been sent to you because you are considered to be a likely interested party in the subject matter. If you no longer wish to receive email of this nature please reply and your address will be removed from the list

All removal requests are to be actioned by the recipient on receipt.

3.11 Computer Crime and Misuse

The University expects users to use IS/IT facilities, and in particular email and the Internet, responsibly at all times.

Suspected computer crime and misuse of University IS/IT facilities, including excessive personal use by staff, will be investigated in accordance with the University's Security Incident & Computer Misuse Policy.

Members of staff should check and agree conditions of personal usage of computers with their Line Manager or Head of School/Service if they are in any doubt.

3.12 Use of Computer Clusters

The use of computer cluster facilities is governed by the Computer Standards, Codes of Conduct & Guidelines­.

* The University Secretary will delegate approval authority to other senior managers within the University.

---

* All references to computer or network resources include network connections (physical and wireless), routing and switching.­

** All references to computer or network resources include network connections (physical and wireless), routing and switching. ­