The University of Chichester
15/07/2021 (reviewed annually)
IT Privacy and Monitoring Policy
1. Policy Statement
1.1. The Electronic Information Security Policy sets out the specific code of conduct that must be applied when using any technologies provided, enabled or advised for use by students, staff and visitors. This Privacy and Monitoring (of IT usage) Policy sets out that:
1.2. Some technologies have inherent monitoring facilities that log usage. These are inbuilt and in some cases cannot be switched off. Within this capability, collection of usage logging data is minimised (to avoid unreasonable profiling) and is stored securely with restricted access.
1.3. For the University these capabilities are used for safeguarding against grooming, bullying and radicalisation, but also to enable the University to demonstrate it has addressed any serious and potential illegality in the use of any provided, enabled or advised IT.
1.4. The purpose of this policy is:
1.4.1. To supplement the Electronic Information Security Policy with corresponding guidance on privacy and monitoring of IT use.
1.4.2. To identify the relationship between IT use and the University's Privacy Standard.
1.4.3. To identify that systematised monitoring facilities exist, and the circumstances under which this data may be reviewed.
1.4.4. To reassure IT users that any access to the usage monitoring data is undertaken under strictly controlled circumstances and supervised processes.
2. Information Security and University Monitoring
In support of the University’s commitments and obligations to privacy and confidentiality, and as is set out in the Electronic Information and Security Policy, all users of University IT must comply with statutory provisions, and especially privacy protection, licence agreements and acceptable social conduct.
As the University is classed as an Internet Service Provider, it is regulated by Ofcom. It is therefore essential that those people authorised to use the University’s technologies do so for lawful purposes only. Please note this includes where you might use your own device, attached to the University’s Wi-Fi.
2.1 Monitoring awareness of and compliance with the policy
The Electronic Information Security Policy sets out the Code of Conduct you are required to comply with in return for being granted access to use University IT and services. It is important that you comply with the policy, as you and the University are required by law to meet privacy and licensing conditions.
The Electronic Information Security Policy is presented to students, partners, suppliers and visitors in the induction and log-in processes. The policy is refreshed annually, or more frequently if new threats, changes or new practices emerge.
2.2 Privacy Statements
The University has set out its Privacy Standard, which sets out in detail the commitment to protecting your details. The Electronic Information Security Policy sets out how protecting both your and other people's information and privacy requires key dos and don'ts in how University technology is used.
Some University systems inherently collect data from and about you, about how you access them, and what you do within them. These are calibrated in keeping with the Privacy Standard. The Privacy Standard contains further information about how this affects your privacy on a system-by-system basis.
Each University information system (Moodle, Teams, ChiPlayer, ChiView etc) has a Data Protection Impact Assessment (DPIA). The DPIA identifies the information collected into the system, who has access to this information and exactly what might be done with the information. The DPIA also identifies how long the data will be held for and the circumstances in which it can be altered, corrected or deleted for/by you.
In addition to technology safeguards (passwords etc), all University staff are expected to exercise good and informed judgement to avoid anyone being exposed to private or confidential information, to avoid unauthorised disclosure of your or anyone else's private or confidential information, and to avoid the risks of using technology whose integrity and cannot be assured.
Before being used, any proposed or changed system that involves processing personal data which is likely to result in a high risk to individuals must be assessed through consultation with IT and the DPO to establish whether a Data Protection Impact Assessment (DPIA) is required.
2.3 Reporting and Help
If you become aware of any risk of information loss, or suspect there has been any unauthorised access to your or anyone else's information, please contact SIZ as soon as possible. This includes cases where you have inadvertently made a mistake. NB: addressing this as quickly as possible is critical to minimising any potential damage to your and other people's information.
SIZ will liaise with the key IT and senior staff such as the University’s Data Protection Officer, who is responsible for the University’s Data Protection Policy, and who oversees processes including where statutory reporting to the Office of the Information Commissioner is required.
Where there is a risk of the loss of information through, for example, a cyber-attack, the incident will be referred to the University’s Serious Incident Management Team (SIMT), and all people affected will be contacted as soon as possible.
In addition to the safeguards to resist unauthorised access, the University has ‘aberrance’ detection facilities that are set to identify any unusual activities. These include detecting where someone attempts to infiltrate, export information (exfiltrate), or outwardly broadcast (spam etc) using University IT.
2.4 Systematised monitoring of IT and telephony systems
Most computer systems have some form of inbuilt usage monitoring facilities. These commonly involve logging who used a particular system, when, for how long, and identifying anything they changed or did during the time they were using that system or facility. Although there may be some calibration capability in these (i.e. only retaining such information for the minimum reasonable period of time), in some cases these cannot be fully switched off.
In addition to the privacy commitments set out in the Privacy Standard, the data within these logging capabilities may be needed to help in safeguarding against grooming, bullying and radicalisation, but also to enable the University to demonstrate it meets its obligations to (for example) law enforcement should there be any suspected illegal actions that involve using University facilities.
Where there are risks to persons or property, the logs of (for example) CCTV and door entry systems may be used to identify individuals and events relating to a specified concern, allegation or incident.
2.5 The potential consequences of the misuse of University IT and services
The UK Government’s Information Commissioner’s Office (ICO) can apply fines of up to £18,000,000 (per incident) for any breach of UK Data Protection Regulations. These fines are in addition to any other criminal or civil prosecutions that might be brought against the University and anyone specifically involved. We therefore have to ensure that both your and other people's privacy is maintained, including where this involves inadvertent or deliberate misuse of University IT facilities and services.
Institutional fines take into account the safeguarding measures (such as those that enable logging and monitoring, to evidence what has, and has not occurred). The ICO can also serve compliance orders, which might include appointing external experts (at further cost to the University) until they can ensure that the policies, monitoring, technical and user compliance with the code of conduct are secure.
2.6 Personal consequences of infringement
The Electronic Information Security Policy is a guide to what you should or should not do; it is not an exhaustive list, and you should satisfy yourself of the best practices and the principles of law.
Our aim is to support and guide. However, in order to protect everyone else, for anyone whose actions appear to be deliberate, illegal or reckless, the circumstances may be considered in accordance with:
- the published Employment related policies and procedures (for staff)
- the published Student related policies and procedures (Academic Regulations) (for students).
As part of addressing any urgent or immediate risks, or where there is suspicious activity, the related user’s access to University systems and information may be suspended.
2.7 University monitoring of IT and telephony systems
In order to ensure compliance with UK Data Protection legislation and other statutory and contractual requirements, the University may occasionally be required to review the system usage logs.
Only in exceptional circumstances are usage access logs or any other use of University IT reviewed. Any such circumstances will be assessed by a member of the Vice Chancellor's Group (VCG). Only if the need for review is formally approved by VCG will there be any access made to any usage logs.
Any such approved review is undertaken by specified officers, and follows strict procedures to protect the privacy of anyone whose data is accessed. Exceptional circumstances include where:
- A request is made by the security forces.
- There are concerns that the user of the IT is at risk of radicalism.
- A request is made by a police force investigating alleged criminal activity, or in support of other law enforcement processes.
- The University is undertaking an internal investigation in line with its published Employment related policies and procedures.
- The University is undertaking an internal investigation in line with its published Student related policies and procedures.
- The University is required to provide information to external bodies such as a software licensing company in line with the terms and conditions of a licensing agreement.
- The Vice Chancellor's Group (VCG) determines that monitoring or investigation is necessary to ensure compliance with the law or with University Policies and Procedures.
2.8 Website filtering and logging
Internet browsing is one such facility (system) that collects data on usage. Internet browsing is commonly where there is an increased likelihood of inadvertent or deliberate use that may contravene the Code of Conduct set out in the Electronic Information Security Policy. The logging facilities and particular rules applied to accessing certain categories of websites are set out below.
Websites may be categorised into one or several of around 64 standard filters. Categorisation and recategorisation happens constantly through a not-for-profit international consortium, which includes international law enforcement agencies. Most websites and filters are benign (for example motor vehicles, music, or news etc) and any access logging can therefore be fully switched off. However, if these types of site were changed to exhibit any more sensitive content, these might also become identified in the categories set out below.
Using University IT will allow access to most sites. For those that are prohibited (the 8 categories set out below as blocked), a substitute web page will notify the user and the web page will not load. Some others are not prohibited but may require some caution (the 12 categories set out below); for these, a web page with guidance is shown, but this allows you to continue to the target web page.
Access Blocked –
- Sites containing malicious content, executables, scripts, viruses, trojans, and code.
- Sites that provide access to or clients for peer-to-peer sharing of torrents, download programmes, media files, or other software applications. This does not include shareware or freeware sites. This is primarily for those sites that provide BitTorrent download capabilities.
- Seemingly reputable sites that harvest personal information from their users via phishing or pharming.
- Proxy Avoidance and Anonymizers: Proxy servers and other methods that bypass URL filtering or monitoring.
- Sites containing tasteless humour, offensive content targeting specific demographics of individuals or groups of people, criminal activity, illegal activity, and get rich quick sites.
- Sites that provide and/or utilise dynamic DNS services to associate domain names to dynamic IP addresses. Dynamic DNS is often used by attackers for command-and-control communication and other malicious purposes.
- Unknown – possibly using IP address direct (or dark-web), or where the site has not been categorised (this is common in the first 24 hours of its existence).
- Sites that promote the abuse of both legal and illegal drugs, use and sale of drug related paraphernalia, manufacturing and/or selling of drugs.
Warning page deployed –
- Sexually explicit material, media (including language), art, and/or products, online groups or forums that are sexually explicit in nature. Sites that promote adult services such as video/telephone conferencing, escort services, strip clubs, etc. Anything containing adult content (even if it's games or comics) will be categorised as adult.
- Websites and services that are dedicated to illegally serving videos, movies or other media for download, explicitly infringing copyright holders.
- Websites promoting terrorism, racism, fascism or other extremist views discriminating against people or groups of different ethnic backgrounds, religions or other beliefs.
- Lottery or gambling websites that facilitate the exchange of real and/or virtual money. Related websites that provide information, tutorials or advice regarding gambling, including betting odds and pools. Corporate websites for hotels and casinos that do not enable gambling are categorised under Travel.
- Sites that provide online play or download of video and/or computer games, game reviews, tips, or cheats, as well as instructional sites for non-electronic games, sale/trade of board games, or related publications/media. Includes sites that support or host online sweepstakes and/or giveaways.
- Sites relating to the illegal or questionable access to or the use of communications equipment/software. Development and distribution of programmes, how-to advice and/or tips that may result in the compromise of networks and systems. Also includes sites that facilitate the bypass of licensing and digital rights systems.
- Websites and services that present test pages, no content, API access not intended for end-user display, or that require authentication without displaying any content that suggests a more specific categorisation.
- Sites that serve as a starting point for users, usually by aggregating a broad set of content and topics.
- Sites that contain nude or seminude depictions of the human body, regardless of context or intent, such as artwork. Includes nudist or naturist sites containing images of participants.
- Online Storage and Backup: Websites that provide online storage of files for free and as a service.
- Shareware and Freeware: Sites that provide access to software, screensavers, icons, wallpapers, utilities, ringtones, themes or widgets for free and/or donations. Also includes open source projects.
- Sales, reviews, descriptions of or instructions regarding weapons and their use.