
Acceptable Use Policy

for University IT systems


Updated September 2008

By using your University IT account and accessing the IT facilities provided by York St John University (“the
University”) (including use of our wireless network) you are agreeing to the Acceptable Use Policy as outlined
below.

The University’s electronic communications systems and equipment are intended to promote effective communication and
working practices within the organisation, and are critical to the success of our institution. This policy outlines the
standards the University requires users of these systems to observe, the circumstances in which the University will
monitor use of these systems and the action we will take in respect of breaches of these standards. The sections below
deal mainly with the use (and misuse) of computer equipment, e-mail, internet connection, telephones, mobile devices,
personal digital assistants (PDAs) and voicemail, but this policy applies equally to use of fax machines, copiers, scanners,
CCTV, and electronic key fobs and cards. The University’s staff and students are expected to have regard to this policy at
all times to protect its electronic communications systems from unauthorised access and harm.

1. SCOPE
These regulations apply to:

• All users of services provided by, or for which access is facilitated by, the University. Any equipment owned by
the University, or equipment for which access has been facilitated by the University.
• Use of systems and services owned by other bodies, access to which has been provided by the University. In
such cases, the regulations of both bodies apply. In the event of a conflict of the regulations, the more restrictive
takes precedence.
• To help you get a fuller understanding of how to use our IT facilities and resources we have developed user
guidelines and it is strongly recommended that you read these along with the staff or student code of conduct.

2. APPLICABLE LAWS AND POLICIES


Those who use the facilities in the UK are bound by the laws of the UK. A non-exhaustive list is given in Appendix A.

3. INFRINGEMENT
These regulations apply subject to and in addition to the law. Any infringement of these regulations may also be subject
to penalties under civil or criminal law and such law may be invoked by the University. Use of the University’s systems
may be logged to permit the detection and investigation of infringement of Policies. In the event of a suspected
infringement the user’s account will be disabled with immediate effect and the University’s disciplinary procedures will be
invoked. Further details on University procedure in the event of an infringement of this policy can be found in both the staff
and student handbooks.

4. USE
4.1. Users of the University’s IT facilities must have a valid user account.

4.2. Users must not act in any way which puts the security of the IT facilities at risk. In particular, user credentials
must be kept safe and secure and only used by those authorised to do so. Passwords are unique to each
User and must be changed regularly to ensure confidentiality. Please see item 5.1 for details on accessing
staff files in their absence. Under no circumstances should users share their user details or password
with other people or organisations.

4.3. The University’s IT facilities must be used for the purposes and in the way they were intended to be used.
Other use may be allowed as a privilege, not a right.

4.4. Use of the University’s IT facilities must not bring the University into disrepute.

4.5. Users must not cause deliberate damage to the University’s IT facilities, nor to any of the accommodation or
services associated with them.

4.6. Users must adhere to the terms and conditions of all licence agreements relating to IT facilities and services
which they use including software, databases and full text resources, equipment, services, documentation
and other goods.

4.7. Users must not infringe copyright in any form including the making of copies, digital or otherwise, of software,
documents, records, images, audio or video recordings, etc, other than for the purposes of personal study or
research within the terms of copyright legislation.

4.8. Users must not load any software onto the IT facilities without permission from IT Services.

4.9. Users must take all reasonable precautions to ensure that they do not deliberately or recklessly introduce any
virus, worm, Trojan or other harmful or nuisance program or file into any IT facility. They must not take
deliberate action to circumvent any precautions taken or prescribed by the University to prevent this. They
must take all reasonable precautions to avoid infection, for example (but not exclusively) by not opening email
attachments from unknown sources.

4.10. Users must not access, delete, amend or disclose the data or data structures of other users without their
permission.

4.11. Users must not illicitly connect to or attempt to illicitly connect to any computing IT facility without the
permission of IT Services. This is known as hacking and is a criminal offence in terms of the Computer
Misuse Act 1990, as amended. Users may be liable for the cost of remedying any damage they cause.

4.12. Users should not physically connect their own equipment to the University network without prior approval
from IT Services. A list of equipment that is acceptable can be provided by IT Services (for example USB
sticks).

4.13. The use of IT facilities or information for commercial gain (i.e. business activities unrelated to the University)
must have the explicit prior permission of IT Services who will consult the relevant authorising bodies.

4.14. The use of IT facilities or information to the substantial advantage of other bodies, such as employers of
placement students, must have the explicit prior permission of IT Services who will consult the relevant
authorising bodies.

4.15. Except by prior arrangement with IT Services users should not carry out activities that will significantly
interfere with the work of other users.

4.16. Users must not attempt to conceal or falsify the authorship of any electronic communication.

4.17. Users must not send unsolicited electronic communications to multiple recipients except where it is a
communication authorised by the University. Specifically, users must not use the University’s facilities to
send spam or chain letters. If in doubt, advice must be sought from IT Services.

4.18. The creation, display, production or circulation of material which is illegal or likely to cause offence is
forbidden. Where access to such material is deemed necessary, permission must be sought from the Head
of IT who will consult the relevant University Officials.

4.19. Users who have been issued with a laptop, PDA or other mobile device must ensure that it is kept secure at
all times, especially when travelling. Passwords must be used to secure access to data kept on such
equipment to ensure that confidential data is protected to some extent in the event that the machine is lost
or stolen. Users should also observe basic safety rules when using such equipment, such as not using or
displaying it obviously in isolated or dangerous areas. Users should be aware that if using equipment on, for
example, public transport, documents can be read by other passengers. Similar precautions should be taken
with the use of portable storage media such as external hard drives and USB drives. If any such media or
equipment is lost or stolen, users should notify IT Services immediately. Data of a sensitive nature should
not be taken off site without the express permission of the University Information Manager and never without
full encryption protection on the device. Please refer to the University’s data security guidelines for further
information.

4.20. Any infringement of these regulations constitutes a disciplinary offence under the applicable procedure and
may be treated as such regardless of legal action.

5. POLICY ON ACCESS TO STAFF ACCOUNTS BY AUTHORISED PERSONS

5.1 Staff Absence. Where a member of staff is absent from work and access is required to that member of staff's IT
account for a specific reason (for example to access correspondence in order to complete an item of work), the
University will follow the procedure set out below:

5.1.1 If appropriate, the member of staff will be contacted and consent sought for access to specific communications
and/or documents.
5.1.2 Where consent is not or cannot be given and there is no alternative way to get the required information,
permission to access the member of staff's account will be sought in writing from an authorised person (Dean of
Faculty or Head of Department). Authorisation will only be given for access to specific information and not for
general access to the account in question.

5.1.3 The person authorised to access the account is responsible for ensuring that only the specific information
authorised is accessed and that other information is not read or disclosed.

5.1.4 After the necessary information has been retrieved, the password to the absent member of staff's IT account will
be reset and the new password will be communicated only to that member of staff.

6. MONITORING OF SYSTEMS
For business reasons, and in order to perform various legal obligations in connection with our role as an employer, use of
our systems and any personal use of them is monitored. Monitoring will only be carried out to the extent permitted or
required by law and as necessary and justifiable for business purposes.

We monitor all e-mails passing through our system for viruses. Users should exercise caution when opening e-mails from
unknown external sources or where, for any reason, an e-mail appears suspicious. The IT department should be informed
immediately if a suspected virus is received. We reserve the right to block access to attachments to e-mails for the
purpose of effective use of the system and for compliance with this policy. We also reserve the right not to transmit any
e-mail message.

Users who receive an e-mail which has been wrongly delivered should return it to the sender of the message. If
the e-mail contains confidential information or inappropriate material (as described above) it should not be
disclosed or used in any way.

We reserve the right to retrieve the contents of messages or check searches which have been made on the
internet for the following purposes:

(a) to monitor whether the use of the e-mail system or the internet is legitimate and in accordance with this policy; or

(b) to find lost messages or to retrieve messages lost due to computer failure; or

(c) to assist in the investigation of wrongful acts; or

(d) to comply with any legal obligation; or

(e) in cases of staff absence as outlined in item 5 of this policy.

7. ETIQUETTE
Users should refer to the staff or student codes of conduct but in particular:

Users should take care with the content of e-mail messages or posts on virtual learning environments and
social networking sites, as incorrect or improper statements can give rise to personal or corporate liability in the
same way as the contents of letters or faxes. For example, in connection with claims of discrimination,
harassment, defamation, breach of confidentiality or breach of contract. Users should assume that e-mail
messages may be read by others and should be mindful of content should it find its way into the public domain.

E-mail messages may be disclosed in legal proceedings in the same way as paper documents. Deletion from a
user’s inbox or archives does not mean that an e-mail is obliterated and all e-mail messages should be treated
as potentially retrievable, either from the main server or using specialist software.

8. PERSONAL USE OF UNIVERSITY SYSTEMS (STAFF)


The University permits the incidental use of its internet, e-mail and telephone systems to send personal e-mail,
browse the web and make personal telephone calls subject to certain conditions. Our policy is that personal
use is a privilege and not a right. The policy is dependent upon its not being abused or overused and we
reserve the right to withdraw our permission or amend the scope of this policy at any time. Staff should refer to
the staff code of conduct for further information.

9. DISCLAIMER
The University makes no representations about the suitability of this service for any purpose. All warranties, terms and
conditions with regard to this service, including all warranties, terms and conditions, implied by statute, or otherwise, of
satisfactory quality, fitness for a particular purpose, and non-infringement are excluded to the fullest extent permitted by
law.

The University shall not in any event be liable for any damages, costs or losses (including without limitation direct, indirect,
consequential or otherwise) arising out of, or in any way connected with, the use of the service, or with any delayed
access to, or inability to use the service and whether arising in tort, contract, negligence, under statute or otherwise.
Nothing in these terms excludes or limits liability for death or personal injury caused by the negligence of the University in
providing this service.

Appendix A.

LAW
Applicable laws and policies include the following together with any amendments and any superseding legislation which
may be enacted.

a. Obscene Publications Act 1959 & 1964
b. Protection of Children Act 1978
c. Police and Criminal Evidence Act 1984
d. Copyright, Designs & Patents Act 1988
e. Computer Misuse Act 1990
f. Human Rights Act 1998
g. Data Protection Act 1998
h. Regulation of Investigatory Powers Act 2000
i. Freedom of Information Act 2000
j. Employment Code of Practice 2002
k. Prevention of Terrorism Act 2005
l. Terrorism Act 2006
m. Police and Justice Act 2006

Applicable policies include:


a. JANET Acceptable Use Policy
b. Institutional Information Security Policy (under construction)
c. Institutional Communications Policy (under construction)
d. Chest Code of Conduct

This list is not exhaustive and will be subject to change.
