Electronic Information Security Policy

1. Electronic Information Security Policy  

The Electronic Information Security Policy consists of the succinct code of conduct set out below and is supported by the further advice and guidance set out in these help pages. The Electronic Information Security Policy applies to all usage of IT facilities provided by or made available by the University. This includes University IT equipment and services but also covers any device (including personal devices) that use the University’s WiFi or connects to any other University IT asset or service. 

All ‘users’ (students, staff and visitors) of University’s IT systems and services must comply with the Electronic Information Security Policy. Failure to do so may result in access being withdrawn, and in serious cases, referral to the applicable disciplinary policies. 

1. You must: 

• Use University IT systems and services for University business and in accordance with all University policies. 

• Ensure that your use of University IT devices, systems and services is appropriate, minimising risks to privacy and is in accordance with the University policies and objectives. 

• Abide by all ‘terms of service’ and the conditions of contracts and licencing for software that is used in relation to the University.  

• When using a personal device to access University IT services, ensure the device, and your use of the device complies with the advice set out in the Personal Devices guidance [Link]  

• Maintain a clear screen, clear desk approach – storing data not on ‘the desktop’ but in suitable network storage, and paper information in secure cabinets  

• Store information in the most suitable (lowest risk) facility, for example in a University case management system or network folder. 

• Inform the University’s Data Protection Officer immediately if you become aware of a loss of your or anyone else’s personal data. 

• Inform the University’s Data Protection Officer immediately if you become aware of any issue that may endanger the University’s full compliance with UK Data Protection legislation. 

• Inform the University’s Support and Information Zone (SIZ) immediately, if you believe there has been a loss of a device (e.g., a laptop or mobile phone) that may contain University information. 

• Physically secure (lock away) all equipment containing (or with facility to access) private1 and confidential1 information when not being used. 

• Advise SIZ of any leaving date, intermittence, or sabbatical to enable your access to services and information to be updated, and for you to return University owned IT. 

• Report any misuse of IT systems or infringement of this Electronic Information Security Policy2  

• Comply with the Universities and Colleges Information Systems Associations’ (UCISA) HE IT code 

1. You must not: 

• Alter administrative device or systems settings, or otherwise jeopardise the integrity of computer equipment, software or information. 

• Alter or install software onto University computing equipment3 . 

• Solicit, encourage or endorse use of, any non University or external computer system, until or unless this is approved by the University’s IT Service 

• Use any computer system or software in a new context without first having consulted IT and the DPO and established whether a Data Protection Impact Assessment (DPIA) is required. 

• Take University IT equipment off campus, without the appropriate authority to do so. 

• Store University information in ad-hoc or general storage such as email accounts, non University personal cloud storage or removable media such USB Sticks. 

• Use University IT systems or services for any non-University activity2 without appropriate authority from IT Services. 

• Use your University identification or passwords with non-University services. 

• Use any University computing services to gain unauthorised access to any University or non-University information. 

• Use any University computing services to gain unauthorised access to copyrighted, personal, private or confidential material. 

• Acquire, store, share or distribute unauthorised1 information. 

• Use proxy-avoidance and anonymiser websites to access unauthorised and unsuitable websites4. 

• Use AI assistance, or applications that share overtly or covertly your activity, especially where this involves data on research subjects (people) or private intellectual property with Large Language Models. 

• Access, or use University IT systems or services to design, or 3D print any form of weaponry, or any items that are indecent, defamatory, threatening, discriminatory or extremist. 

• Create, use or access Generative AI (GAI) or Chatbots - whether public or private, to create, store or transmit unlawful material, or material that is indecent, offensive, defamatory, threatening, discriminatory or extremist. 

• Create, download, store or transmit unlawful material, or material that is indecent, offensive, defamatory, threatening5, discriminatory or extremist6. 

• Share any documents or folders you have access to, particularly any that contain private1or confidential1 information, other than as required for University business and with the proper authorisation. 

• Transform any confidential information communicated with you (for example using a recording of a video conference or copying any email or instant messages) to any other media or facility. 

• Please review the privacy and use monitoring information and the Privacy Standard which set the University’s commitments to privacy  

• Further information on how to use University IT and how to stay safe on-line is available on this help website. 

• Further information on use of non-University equipment and BYOD is available on this help website is available at the following link (Link)  

• Cyber security training for University staff can be accessed using the following link (Link)   

• The University’s Electronic Information Security Policy (above) incorporates the HE IT Code (Link)  

1. The Universities and Colleges HE IT Code  

The University of Chichester recognises and supports the HE IT Code, all users of the University’s Systems, services and information must Comply with the HE IT Code, as well as complying with the University’s Electronic Information Security Policy  

1. Summary IT Code 

1. The (full) HE IT code 

The aim of these regulations is to help ensure that the University’s IT facilities can be used safely lawfully and equitably. The issues covered by these regulations are complex and you are strongly urged to read the accompanying guidance available at https://help.chi.ac.uk   

These regulations apply to anyone using the facilities (hardware software data network access third party services online services or IT credentials) provided or arranged by the University. 

1. Governance 

• When using IT, you remain subject to the same laws and regulations as in the physical world. 

• It is expected that your conduct is lawful. Furthermore, ignorance of the law is not considered to be an adequate defence for unlawful conduct. 

• When accessing services from another jurisdiction, you must abide by all relevant local laws, as well as those applicable to the location of the service. 

• You are bound by the University’s general regulations when using the facilities available 

• You must abide by the regulations applicable to any other organisation whose services you access 

• When using services via Eduroam, Guest Wifi or other Campus (including) Halls of Residence Wifi you continue to be subject to the University’s regulations. 

• When using Eduroam at a different institution, you are subject to BOTH the institutions regulations, and those of the University and Chichester.  

• Some software licences procured by the University will set out additional, or specific obligations for the user. (some may not allow commercial, private or external use for example)  

• Breach of any applicable law or third party regulation will be regarded as breach of these IT regulations 

1. Authority 

• These regulations are issued under the authority of the Director of Information and Learning Technologies who is also responsible for their interpretation and enforcement and who may also delegate such authority to other people 

• You must not use the IT facilities without the permission of IT Services 

• You must comply with any reasonable written or verbal instructions issued by people with delegated authority in support of these regulations. If you feel that any such instructions are unreasonable or are not in support of these regulations, you may make an appeal through the SIZ. 

1. Intended use 

• The IT facilities are provided for use in furtherance of the mission of the University, for example to spot a course of study, research or in connection with your employment by the University. 

• Use of these facilities for personal activities (provided that it does not infringe any of the regulations and does not interfere with others’ valid use) is permitted, but this is a privilege that may be withdrawn at any point. 

• Use of these IT facilities for non University commercial purposes or for personal gain requires explicit approval of the Director of Information and Learning Technologies. 

• Use of certain licences is only permitted for academic use and where applicable to the code of conduct published by the combined higher education software team (CHEST) who are a part of UCISA (Universities and Colleges Information Systems Association). 

1. Identity 

• You must take all reasonable precautions to safeguard any IT credentials (for example a username and password, e-mail address, door/campus/ID/Printing smartcard card or other identity hardware issued to you. 

• You must not allow anyone else to use your IT credentials 

• Nobody has the authority to ask you for your password and you must not disclose it to anyone. 

• You must not attempt to obtain or use anyone else’s credentials 

• You must not impersonate someone else or otherwise disguise your identity when using the IT facilities. 

1. Infrastructure 

You must not do anything to jeopardise the integrity of the IT infrastructure by, for example, doing any of the following without approval from the It Change Board; 

• Damaging reconfiguring or moving equipment. 

• Loading software on University equipment other than in approved circumstances. 

• Reconfiguring or connecting equipment to the network other than by approved methods. 

• Accessing University information or services, with personal devices that do not have security, to the standards set out by IT Services   

• Setting up servers or services on the network 

• Deliberately or recklessly introducing malware 

• Downloading, or accessing AI software  

• Attempting to disrupt or circumvent IT security measures 

1. Information 

• If you handle personal confidential or sensitive information you must take all reasonable steps to safeguard it and must observe the University’s data protection information security policies and guidance available at https://help.chi.ac.uk, Particularly with regard to removable media, mobile and privately owned devices. 

• You must not infringe copyright or break the terms of licences for software or other material. 

• You must not attempt to access delete, modify or disclose information belonging to other people without their permission or explicit approval from the Director of Information and Learning Technologies. 

• You must not create download store or transmit unlawful material or material that is indecent, offensive, threatening or discriminatory. 

• The University has procedures to approve and manage valid activities involving such material; where, for example, this is required for approved research. 

• You must abide by the University’s publication and social media policies. 

1. Behaviour 

• Real world standards of behaviour apply online and on social networking platforms such as Facebook, Instagram and Twitter (X). 

• You must not cause needless offence concerns or annoyance to others. 

• You should also adhere to the University’s guidelines on social media. 

• You must not send spam (unsolicited bulk e-mail) 

• You must not deliberately or recklessly consume excessive IT resources, such as processing power bandwidth or consumables. 

• You must not use the facilities in a way that interferes with others’ valid use of them 

1. Monitoring 

The University monitors and records the use of its IT facilities for the purposes of: 

• The effective and efficient planning and operation of the IT facilities. 

• Detection and prevention of infringement of these regulations 

• Investigation of alleged misconduct 

• Ensuring the Prevent duty of care 

The University will comply with lawful requests for information from government and law enforcement agencies. 

1. Infringement 

• Infringing these regulations may result in sanctions under the University’s disciplinary processes. Penalties may include withdrawal of services and offending material will be taken down 

• information about infringement may be passed to appropriate law enforcement agencies and any other organisations whose regulations you have breached. 

• The University reserves the right to recover from you any cost incurred as a result of your infringement. 

• You must inform SIZ if you become aware of any infringement of these regulations. 

Document Owner: Director of Information and Learning Technologies 

Most Recent Review Date: 23 Sept 2025 – Review by 31 Dec 2026 

This document has been prepared using the following ISO27001:2022 standard controls as reference: