Regulation 11: Using University information

11.1 Scope
11.2 Using and processing information
11.3 Using information systems, devices and networks
11.4 Investigations and breaches
11.5 Control and monitoring


11.1 Scope

11.1.1 The University aims to facilitate the flow of information, while protecting the confidentiality, availability and integrity of information and complying with legal and contractual requirements.

11.1.2 This Regulation applies to everyone who uses or processes University information including, but not restricted to, University staff and students, staff of University companies, associates, partners, contractors, consultants, visitors and guests.

11.1.3 This Regulation applies to information of any nature and in any format which is:

  • created by the University;
  • purchased by the University;
  • made available to the University under licence;
  • used or processed by the University for a third party;
  • used or processed through University networks or systems.

11.1.4 For the avoidance of doubt, this Regulation applies to all information as described in clause 1.3 wherever it might be found physically or in digital format.

11.1.5 This regulation applies to all networks and systems provided by the University, including, but not limited to, all systems and networks to which you gain access by virtue of your association with the University; and to personal equipment interacting with University networks and/or systems.

11.2 Using and processing information

11.2.1 Everyone must abide by the law, University of York information policies, and the regulations of third parties whose information is used and processed for or by the University.

11.2.2 Users of information and information systems must be aware of, and fulfil their responsibilities under, the Government’s Prevent Strategy.

11.2.3 Users of information and information systems must not:

  • use or process personal data in a manner prohibited by Data Protection or Privacy legislation;
  • breach, or cause others to breach, copyright law;
  • breach, or cause others to breach, licences or contracts for information or information systems provided to or by the University;
  • breach, or cause others to breach, confidentiality;
  • engage in activity that might lead to a breach of Information Security;
  • cause disruption, mischief or harassment;
  • knowingly misrepresent the University;
  • run a business unconnected with the University using University systems without prior written permission from the Deputy Registrar and Director of Corporate and Information Services;
  • access or disseminate offensive, obscene or indecent material except where this is a necessary part of a course of research or study conducted with prior written Ethics approval or in the course of an authorised investigation into misuse of information or information systems;
  • create or transmit defamatory material.

11.3 Using information systems, devices and networks

11.3.1 Users must not share their University IT Accounts with anyone without prior written authorisation from IT Services.

11.3.2 Users must not disclose their University IT Account passwords to anyone.

11.3.3 Users must not obtain or use a University IT Account password for a University Account belonging to a third party.

11.3.4 Users must not use their University IT account to gain or facilitate deliberate unauthorised access to facilities or services accessible via the University network.

11.3.5 Users must not impersonate a third party or otherwise disguise their identity on University networks and systems.

11.3.6 Users may access University IT services for personal purposes. Personal use may be withdrawn if such use is deemed to be excessive.

11.3.7 Personal use must not hinder or interfere with contractual or professional duties, or with course or research obligations.

11.3.8 Personal use must not hinder or interfere with the use of University IT services by others.

11.4 Investigations and breaches

11.4.1 When breaches of this Regulation are suspected the University will conduct an investigation to determine the nature and severity of the breach, to implement remedies and to suggest further courses of action as appropriate.

11.4.2 Breaches of this Regulation by University staff or students may be referred for further action following the University’s Disciplinary procedure and guidelines.

11.4.3 In addition to the Disciplinary procedure and guidelines procedure and process described there, the University reserves the right to take action to mitigate the effect of the breach during or after any investigation. Action might include, but is not limited to:

  • withdrawal of users’ IT services for a specified period;
  • blocking, disabling or confiscation of users’ University equipment;
  • blocking of users’ private equipment;
  • removal of offending material;
  • the imposition of fines or cost recovery;
  • legal action.

11.4.4 Information about suspected or actual breaches will be passed to law enforcement agencies as appropriate to the case.

11.4.5 Where a third party reports a suspected or actual breach of these Regulations the University will cooperate with third parties relevant to the breach, and may share data outside the University in the furtherance of the investigation, subject nevertheless to the rights of any data subjects concerned.

11.5 Control and monitoring

11.5.1 The Director of Information Services is responsible for the enforcement of this Regulation. The Director of Information Services may delegate this responsibility to other people he/she judges to be appropriate in the circumstances of each case.

11.5.2 The University monitors and records the use of its IT services and may access data during investigations as described in the IT Investigations and Data Access Policy.

11.5.3 University Officers, Heads of Departments and Section Heads are responsible for ensuring staff, students and associates comply with this Regulation.

11.5.4 Everyone is responsible for informing the Deputy Registrar and Director of Corporate and Information Services if they become aware of a breach of this Regulation.