Electronic Information Security Policy - IT Code of Conduct

Policy Statement

Electronic information is acquired and created all the time and is increasingly essential to all aspects of the function of the University.  Whilst the loss or exposure of some information would perhaps be no more than inconvenient, the loss or exposure of more sensitive could be extremely detrimental, particularly if it is personal information that relates to an individual or to individuals.  The security of electronic information is therefore of paramount importance and something that all users of IT facilities provided by, or made available by, the University must share responsibility for, and ownership of, in order to successfully manage the potential risks involved.   All users are required to accept this policy at the point of logging in.

The purpose of this policy is:

• to minimise the risks to the University arising from loss or exposure of information;
• to raise awareness of the potential risks involved;
• to provide all users with a clear articulation in the form of the Code of Conduct which follows below, of the University’s expectations regarding the use of IT facilities provided or made available;
• to ensure consistency in the way IT facilities provided or made available are used.

IT Code of Conduct

The code of conduct set out below, applies to all usage of IT facilities provided by, or made available by the University. This includes University IT equipment and services, but also covers any device (including personal devices) that uses the University’s WiFi or connects to any other University IT asset or service (for example, during remote working). 

All ‘users’ (students, staff and visitors) of University’s IT systems and services are required to comply with this code of conduct. Failure to do so may result in access being withdrawn, and in serious cases, action under the applicable disciplinary policies.

You must;

• Use University IT systems and services for University business and in accordance with all University policies.
• Ensure that your use of University IT devices, systems and services is appropriate, safe and in accordance with the University policies and objectives.
• Abide by all ‘terms of service’ and other contracts for software and any associated information that is used in relation to the University. 
• When using a personal device to access University IT systems or services, ensure the device, and your use of the device complies with the advice set out in the Personal Devices guidance [LINK] 
• Report any misuse or abuse of IT systems, and any infringement of this code of conduct through the SIZ
• Store information in the most suitable (lowest risk) facility, for example in a University case management system or network folder, and not in ad-hoc or personal general storage such as cloud or removable media such USB Sticks.
• Physically secure (lock away) all equipment containing (or with facility to access) private [1] and confidential [1] information when not being used.
• Inform the University's Support and Information Zone (SIZ) if you believe there has been a loss of of a device (e.g., a laptop) containing such information.
• Inform the University’s Data Protection Officer immediately if you become aware of a loss of your or anyone else's personal data, or of any other issue that may endanger the University’s full compliance with UK Data Protection legislation.
• Advise SIZ of any leaving date, intermittence, or sabbatical to enable your access to services and information to be updated, and for you to return University owned IT

You must not;

• Alter administrative device or systems settings, or otherwise jeopardise the integrity of computer equipment, software or information.
• Alter or install software onto University computing equipment [2] .
• Solicit, encourage or endorse use of, any non University or external computer system, until or unless this is approved by the University's IT Service
• Use a University system in a new context without first having consulted IT and the DPO and established whether a Data Protection Impact Assessment (DPIA) is required.
• Take University IT equipment off-campus, without the appropriate authority to do so.
• Use University IT systems or services for any non University activity [2] without appropriate authority from IT Services.
• Use your University identification or passwords with non University services.
• Use any University computing services to gain unauthorised access to any University or non-University information. This includes unauthorised access to copyrighted, personal, private or confidential material [3].
• Acquire, store, share or distribute unauthorised [1] information. This includes through web browsing, where using proxy-avoidance and anonymiser websites is expressly prohibited [4].
• Create, download, store or transmit unlawful material, or material that is indecent, offensive, defamatory, threatening [5], discriminatory or extremist  [6] .
• Share any documents or folders you have access to, particularly any that contain private [1] or confidential [1] information, other than as required for University business and with the proper authorisation.
• Transform any confidential information communicated with you (for example using a recording of a video conference or copying any email or instant messages) to any other media or facility.