Information Policy index

The policies on this page are part of the University of York Information Policy. Each policy has supporting information to help you understand and implement the policy.

The policies are sorted by theme:

Information Policy: the overarching policies that cover all information use at the University

Information security: security, incidents, cloud computing, and outsourcing

Information rights: data protection, freedom of information, copyright, and intellectual property

Records management: general records, research data management and publication, and dissertations

Ethics and integrity: ethical codes of practice, and research and academic integrity

Information Policy

Policy | Related pages | Summary
University Regulation 11: Use of computing facilities

Guidelines to the Regulations for the use of computing facilities

Janet acceptable use policy (external link)

York local acceptable use policy

Policy for bulk emailing

External visibility of web servers

Applies to everyone - all staff, students, associates, and anyone else authorised to use University IT facilities and information.

Defines the legal framework in which the University operates in providing computing and networking facilities. This legal framework has implications for both the University as a corporate body and for individual members and employees. It is therefore essential that you are fully aware of the regulation.

Information classification & handling scheme

Applies to everyone - all staff, students, associates, and anyone else authorised to use University IT facilities and information.

Provides guidance on the classification of information and the appropriate methods for handling the different levels of security required. It encompasses all information held by the University, in all formats (physical and electronic).

Information Policy Compliance  

Applies to everyone - all staff, students, associates, and anyone else authorised to use University IT facilities and information.

Explains how the University and individuals comply with legal requirements and University information policies. It also outlines how compliance is monitored and reviewed.

Information security

For a summary of information security, see:

Policy | Related pages | Summary
Information Security Policy  

Applies to everyone - all staff, students, associates, and anyone else authorised to use University IT facilities and information.

This is the overarching policy which explains the key ways that the University ensures the secure handling of its information while providing appropriate access. It is linked very closely with all other information policies.

Information Security Incident Management Policy

Method Statement – Data loss and information security breach management

Guidance – Checklist for information security breaches

Applies to everyone who is involved in an actual, suspected, threatened or potential incident which involves data loss or a breach of information security. This potentially includes all staff, students, associates, and anyone else authorised to use University IT facilities and information.

Explains how information about reporting incidents is provided, who is responsible for reporting, responding and investigating and how these are handled.

Managing User Access Policy

Method Statement - Password management

Applies to all holders of a University username and password.

Explains how individual, group and temporary accounts are managed and privileges assigned.

Policy for safe use of University information on all devices

Guidance for policy for safe use of University information on all devices

Applies to everyone - all staff, students, associates, and anyone else authorised to use University IT facilities and information.

Explains what you need to do to make sure University information is safe when you are accessing, storing or managing it using any device whether University owned, personally owned or provided by third parties and whether you are on or off campus.

Information Security - Human Resources Policy

Human Resources terms and conditions

Applies to all employees, including those who are provided with access to University information and IT systems via an 'associate staff' account.

Explains that all employees must abide by University information policies, undertake compulsory training and maintain their knowledge and skills. Failure to follow information policies may lead to disciplinary proceedings.

IT Outsourcing and Cloud Computing Policy

Method Statement - Contractual requirements for IT outsourcing and cloud computing

Method Statement - Risk assessment for selection of outsourcing or cloud computing

Use of external IT services for learning and teaching

Social media guidelines

Applies to all departments and members of the University who are considering, selecting, implementing or operating a third party service as a University IT service.

Links with University policy on information handling, which specifies how individuals may use outsourced or cloud computing providers that are not University IT Services (e.g. Dropbox, Amazon Web Services).

Explains the procedures, risk assessments and permissions required before third party solutions can be selected and implemented.

Third Party Access to University Information and IT Services Policy

Method statement - Managing third party access

Applies to University staff who are responsible for the specification and management of University IT services that are supported or accessed via third parties.

Explains the risk assessments and access arrangements that are required to ensure effective information security when third parties need access to University information and systems.

IT Investigations and Data Access Policy

Method statement - IT Investigations and Data Access

Applies to any member of the University who thinks they need access to data.

Applies to data held in any University IT service, whether it is provided directly by a University department or is managed by a third party on behalf of the University. University data held on third party systems that are not provided as a University IT service, for example Dropbox, is excluded.

Explains the situations in which access to data and investigations can be carried out.

Use of the remote control facility  

Applies to staff who wish to resolve issues through a remote session rather than visiting the PC owner.

Explains how to become an authorised user and how to manage the remote session.

Google Wallet for staff  

Applies to all staff.

Explains how you must set up Google Wallet and what you can and cannot use it for.

Information rights

For a summary of information rights, see:

Policy | Related pages | Summary
Data Protection Act: University Policy, Procedures and Guidelines

The University and your information

Access to your personal data

Surveillance Policy

Data Protection

Applies to everyone - all staff, students, associates, and anyone else authorised to use University IT facilities and information.

Data protection law establishes key principles that govern the collection, use and handling of personal information and provides individuals with important rights. Comprehensive guidance is available on the Data Protection website.

Freedom of Information policy

University Freedom of Information Publication Scheme

Freedom of Information Enquiry Handling Method Statement

Freedom of Information Fees and Charging Method Statement

Freedom of Information Public Interest Test Method Statement

Freedom of Information Complaints and Reviews Method Statement

Freedom of Information

Freedom of Information: staff guidance

Applies to everyone - all staff, students, associates, and anyone else authorised to use University IT facilities and information.

Freedom of Information (FoI) statutory regulations provide members of the public with a general right of access to the recorded information held by the University and promote openness across the public sector.

Copyright (policy to follow)

Copyright guidance and solutions

Copyright

Applies to everyone - all staff, students, associates, and anyone else authorised to use University IT facilities and information.

The Copyright, Designs and Patents Act 1988 protects intellectual property by giving creators of fixed original works the right to control the use of their material by third parties. Copyright is a property right so can be given away or sold.

The guidelines help you decide what you can use without permission and how to ask for permission if necessary.

University policy on intellectual property

Intellectual Property

Applies to all University staff and students and explains what is covered by IP, who owns it and how it can be protected.

Intellectual Property (IP) can include know-how, inventions, results, copyright, patents and software. It can arise from many different activities within the University, including unfunded and publicly funded research activities, sponsored or collaborative research, student projects and general academic endeavours.

Records management

For a summary of records management, see:

Policy | Related pages | Summary
Records Management Policy

RM Policy Guidance (formal)

Records management guidance for staff

Draft Retention Schedules

University Archive

Records Management

Policy for the handling and use of DBS certificate information

Applies to everyone who creates, receives or maintains University records in all formats (physical and electronic) - all staff, students, associates, and anyone else authorised to use University IT facilities and information.

Records management describes the corporate and professional function of managing records to meet the University's needs, promote business efficiency and provide legal and financial accountability.

Research Data Management Policy

Research Data Management Policy Implementation Plan

Research Data Management web pages

Applies to all University members engaged in research, including staff and research students, and those who are conducting research on behalf of the University. It applies to all research irrespective of funding.

Good research data management enables the University and its researchers to meet the standards and responsibilities set out in the University's Code of practice on research integrity and to meet funder, ethical, legal and other responsibilities. It also ensures that research data is accurate, complete, authentic and reliable, stored securely, preserved where necessary and accessible as required.

Policy on the Publication of Research

Policy on the Publication of Research with Guidance

Author Checklist for Policy on the Publication of Research

Open Access at York

Applies to all published research outputs created by employees of University of York in the course of their employment, where publication is an expectation of their employment, and by postgraduate research students in the course of their studies, including submission of Doctoral and Masters by Research theses.

Provides direction on the publication process, from preparing publications through to facilitating access (including open access).

Policy on the deposit of taught master-level dissertations in the University Library

Method statement on the deposit of taught masters-level dissertations in the University Library

Applies to dissertations submitted by University students on taught Masters level programmes which have been marked and awarded at least a 'pass' grade.

Explains how to deposit electronic format dissertations in York Digital Library after which they are available to University members and users of the Library walk-in service.

Ethics and integrity

For a summary of ethics and integrity, see:

Policy | Summary
Ethics and integrity

Ethics and integrity underpin appropriate use of information.

The University expects all staff and students to demonstrate the highest standards of conduct in all their academic endeavours.

It has codes of conduct and guidance which staff and students must comply with.

Code of Practice and Principles for Good Ethical Governance

Applies to all staff, students, visiting or emeritus staff, associates, honorary or clinical contract holders, contractors and consultants.

Applies to all academic activity undertaken in the University's name or on its behalf, including research, teaching, consultancy and outreach work, across all subject disciplines and fields of study.

Establishes an ethical framework for the conduct of academic activity under the auspices of the University focused on the key principle of 'avoidance of harm'. It articulates a set of principles and standards to help identify and address ethical considerations, and sets out the procedures for conducting ethical review on behalf of the institution wherever such considerations have been identified, including formal approval where necessary.

Paragraph 2.5 of the Code relates specifically to handling data.

Code of Practice on Research Integrity

This sets out the foundations for the proper conduct of research, from conception through to dissemination and application.

Applies to all those undertaking research under the University's auspices.

Section 3.7 (Research data and supporting records) and Section 4 (Publication) relate specifically to protecting and handling information.

Research integrity and ethics website

Research integrity refers to high quality and robust practice across the full research process, i.e. the planning and conduct of research, the recording and reporting of results, and the dissemination, application and exploitation of findings.

Research ethics are a subset of research integrity, focusing on the principle of avoidance of harm, within a statutory and regulatory framework.

Applies to all research undertaken by staff, students, visiting or emeritus staff, associates, honorary or clinical contract holders, contractors and consultants.

The website provides links to key policies, information on governance arrangements, and information on central support, resources and formal training courses in this area.

Academic integrity website

Applies to anyone who writes and publishes. The website provides guidance aimed particularly at students, but the principles apply to everyone.

Principles include independent thought, critical thinking (comparing and evaluating other people's theories and evidence to reach your own conclusions), and differentiating between your own and other people's ideas.

Professional codes of conduct

Most professions and organisations have their own codes of conduct to regulate the profession or staff members. They provide a clear description of acceptable behaviour and may include information on how difficult ethical decisions are made.

If you are a member of a professional organisation, failure to comply with the relevant code of conduct will be investigated and may lead to expulsion.