Regulation 11: Using University information
11.1 Scope
11.2 Using and processing information
11.3 Using information systems, devices and networks
11.4 Investigations and breaches
11.5 Control and monitoring
11.1 Scope
11.1.1 The University aims to facilitate the flow of information, while protecting the confidentiality, availability and integrity of information and complying with legal, regulatory, compliance or contractual requirements.
11.1.2 This Regulation, together with subsidiary Information Policies, applies to everyone who uses or processes University information. This includes, but is not restricted to, University staff and students, staff of University companies, associates, partners, contractors, consultants, visitors and guests.
11.1.3 This Regulation relates to information of any nature and in any format which is held by the University, including information that is:
- created or managed by the University;
- purchased by the University;
- provided freely to the University;
- made available to the University under licence;
- used or processed by the University for a third party;
- used or processed through University networks or systems.
11.1.4 For the avoidance of doubt, this Regulation applies to all information as described in clause 11.1.3, in either physical or digital format.
11.1.5 This Regulation applies to all networks and IT services provided by or used at the University, including, but not limited to, all applications, systems, devices and networks to which you gain access by virtue of your association with the University or that you may procure or use for your work at the University.
11.1.6 The Regulation applies when you use any personal device to interact with University applications, systems and networks.
11.2 Using and processing information
11.2.1 Everyone must abide by the law, University of York information policies, and the policies and contractual obligations of third parties whose information is used and processed for or by the University.
11.2.2 Users of information and information systems must be aware of, and fulfil their responsibilities under, the Government’s Prevent Strategy.
11.2.3 Users of information and information systems must not:
- use or process personal data in a manner prohibited by Data Protection or Privacy legislation;
- breach, or cause others to breach, copyright law;
- breach, or cause others to breach, licences or contracts for information or information systems provided to or by the University;
- breach, or cause others to breach, confidentiality;
- engage in activity that might lead to a breach of Information Security;
- cause disruption, mischief or harassment;
- knowingly misrepresent the University;
- run a business unconnected with the University using University systems without prior written permission from the Chief Financial and Operating Officer, and the Director of IT Services;
- access or disseminate offensive, obscene or indecent material except where this is a necessary part of a course of research or study conducted with prior written approval by a University Ethics Committee, or in the course of an authorised investigation into misuse of information or information systems following the IT Investigations and Data Access Policy;
- create or transmit defamatory material.
11.2.4 All University staff are responsible for ensuring that any information sharing is secured in line with the value and classification of the information. University managed communication channels should be used for official University business.
11.3 Using information systems, devices and networks
11.3.1 Users must not share any system names and passwords or grant access to their University User Accounts to anyone without prior written authorisation from the IT Services Cyber Security team.
11.3.2 Users must never attempt to obtain or use credentials for a University User Account belonging to another user.
11.3.3 Users must not use their University User Account to gain or facilitate deliberate unauthorised access to facilities or services accessible via the University network.
11.3.4 Users must not impersonate a third party or otherwise disguise their identity on University networks and systems.
11.3.5 Users may use University-provided IT services (laptop, desktop, wifi, etc.) to access personal services (e.g. web sites), but must not use their University User Account (email, Google Drive, OneDrive) to store non-University related data or install personal software on University devices.
11.3.6 Personal use must not hinder or interfere with your contractual, legal or professional duties, or with course or research obligations.
11.3.7 Personal use must not hinder or interfere with the use of University IT services by others.
11.3.8 Users may not use their University User Account to authenticate or subscribe to personal services that are not facilitated by the University.
11.3.9 Personal use may be withdrawn if such use is deemed to be excessive.
11.3.10 Users must only store information on personal devices or personal storage in line with the Information Classification Policy and Guidance.
11.4 Investigations and breaches
11.4.1 When breaches of this Regulation are suspected, the University will conduct an investigation to determine the nature and severity of the breach, to implement remedies and to suggest further courses of action as appropriate.
11.4.2 Breaches of this Regulation by University staff or students may be referred for further action, following the University’s Disciplinary procedure and guidelines.
11.4.3 In addition to the procedure and process described in the Disciplinary procedure and guidelines, the University reserves the right to take action to mitigate the effect of the breach during or after any investigation. Action might include, but is not limited to:
- withdrawal of users’ IT services for a specified period;
- blocking, disabling or confiscation of users’ University equipment;
- blocking of users’ personal equipment;
- removal of offending material;
- the imposition of fines or cost recovery;
- legal action.
11.4.4 Information about suspected or actual breaches of this Regulation will be passed to law enforcement agencies as appropriate to the case.
11.4.5 Where a third party reports a suspected or actual breach of these Regulations, the University will cooperate with third parties relevant to the breach, and may share data outside the University in the furtherance of the investigation, subject nevertheless to the rights of any data subjects concerned.
11.5 Control and monitoring
11.5.1 The Chief Finance and Operating Officer (CFOO) is responsible for the enforcement of this Regulation. The CFOO may delegate this responsibility to other people they judge to be appropriate in the circumstances of each case.
11.5.2 The University monitors and records the use of its IT services and may access data during investigations as described in the IT Investigations and Data Access Policy.
11.5.3 University Officers, Deans, Directors, Heads of Departments and Section Heads are responsible for ensuring staff, students and associates are aware of the requirement to comply with this Regulation.
11.5.4 Everyone is responsible for informing the Computer Emergency Response Team (CERT) if they become aware of a breach of this Regulation.
Term Definitions
- Information - covers all data and information that is:
  - created or managed by the University;
  - purchased by the University;
  - provided freely to the University;
  - made available to the University under licence;
  - used or processed by the University for a third party;
  - used or processed through University networks or systems.
- University User Account - the individual user account that is unique to you and you use to access IT services and information.
- Credentials - the set of information used to verify your identity and grant access to the University network and IT services; username, password, two factor authentication biometric, smart card.