• Skip to content

• Home
• Tools
• Help
• Services
• Email
• Networking
• Your computer
• Your account

Computing Services

About BUCS

• Overview
• About the site
• Organisation chart
• Policies and guidelines
• Levels of support
• Technical documentation
• News

Computer systems monitoring and scanning

1. Overview

1.1 This policy describes the University of Bath's Computer Systems Monitoring and Scanning policy. The policy describes:

• The monitoring and scanning procedures approved by the University of Bath for this purpose.
• The prescribed circumstances which may be invoked to initiate the monitoring procedures.
• The procedures that shall ensure the execution of this monitoring policy conforms to the prescribed initiation circumstances, alone, and may be reviewed, ad hoc, by those with authority to intercept to prevent the abuse of the monitoring process.

1.2 The University may monitor and record communications:

• To collect evidence pertaining to compliance with this policy, and other related policies, regarding the acceptable use of computing facilities at the University of Bath
• In the interests of national security, as required by Law.
• To prevent or detect crime, as by required by Law.
• To investigate or detect unauthorised use of the computing and network facilities of the University of Bath: as described in the University Regulations.
• To secure, fix, enhance or as an inherent part of effective and responsible systems operation.

1.3 The University may monitor but not record:

• Any communications to determine whether they are business or personal communications.

1.4 The University may scan systems:

• To investigate or detect unauthorised use of the computing and network facilities of the University of Bath: as described in the University Regulations.
• When a host or workstaion is suspected of showing unauthorised or unusual activity on the network.
• In an effort to resolve a service problem, as a part of normal system operations and maintenance or to enhance the security of the overall campus network.
• To monitor compliance with University or Computing Services policy, to perform security assessments or to investigate security incidents.

2. Notice of intent

The University of Bath hereby notifies all users of its Computing Services that it reserves the right to monitor all communications on those facilities in accordance with this policy. As such, authorised users of the system should be aware that personal communications, as well as communications relating to the functioning of the University made via the University's computing facilities, may be intercepted and/or monitored by Computing Services staff or other technical staff as specified in this policy.

3.Scope

3.1 The University has the right, at any time, to inspect all data held on the University's computer equipment, and to inspect all email and other electronic data entering, leaving, or within the University network to ensure conformity with:

• The University's regulations, policies and practices,
• Contractual agreements with third parties, and
• Telecommunications Regulations 2000

3.2 The University is obliged by virtue of the agreement entered into with UKERNA to ensure as far as possible that its users do not use JANET to transmit or transfer certain types of electronic data

3.3 The University is obliged by law to report to the police the discovery of certain types of electronic data if that data is found on the University's computer systems or transmitted across the University's networks.

3.4 Many types of routine computer service tasks will involve members of Computing Services and other member of the University's technical staff having access to various levels of staff and student held data.

3.5 Examples include, but are not limited to:

• Email postmasters receiving mail failure notifications will often be sent the text of the failed message by the email server which has rejected or redirected the mail.
• Staff making or retrieving backup copies of data from file servers will, as part of the backup process, often be able to read the names of files held in staff and student accounts.
• Staff sorting output from shared printers prior to its dissemination to users will be able to view the content of that output.

4.Operational practice

4.1 It is the University of Bath's policy that the staff, in Computing Services and in other administrative and academic units, may not access staff and student data held on the University's computer systems or personal PCs and workstations, or inspect the content of email and other electronic data entering, leaving or within the University's network unless it is in accordance with section 4.3 below. Attempts by any member of staff to implement any such system of monitoring will be in breach of this policy and may be the subject of disciplinary proceedings.

4.2 The University recognises that, due to the nature of computer systems, data held on its systems, passing across its network, or printed out on the University's equipment, whether deliberately or accidentally, may be, at times, visible in human readable form. In such circumstances that data may well be viewed by the people in Computing Services or by relevant people in other administrative and academic departments. Such incidental viewing will not constitute a breach of this policy even where such viewing leads to the implementation of authorised monitoring (as in section 5) and/or to the disciplinary procedures against the individual concerned.

4.3 The University reserves the right to monitor and access data held on its computer systems, email and other electronic data entering, leaving or within the University's network in the following circumstances:

• Where by carrying out routine computing service tasks members of Computing Services and other members of the Universities technical staff discover data which breaches the Universities regulations, the University's contractual obligation to third parties, or UK law, or where the nature of the data suggests such a breach has occurred or will occur.
• Where complaints are received by the authorities (such as the Police or UKERNA) suggesting that the University's computer systems or networks are being used to store, transmit or transfer data which breaches the University's regulations or the University's contractual obligation to their parties or UK law.
• Where the University has been requested or required to monitor data by the police as part of a criminal investigation.
• Where there is other reasonable suspicion that users are storing, transmitting or transferring data which breaches the University's regulations, the University's contractual obligation to their parties or UK law.

4.4 The University reserves the right to monitor the nature and extent of data uploaded and downloaded from the Internet. This may be carried out by various means including random filename searches of fileservers, email servers, cache servers etc. and real time logging of packet data as it traverses the University's gateway router.

5. Authority to intercept

5.1 Specific monitoring of user data and specific access to user data by Computing Services staff may only be legitimately carried out under this policy with the knowledge and written consent of the Registrar of the University. Additionally at least one of the following may be notified:

• The Director of Computing Services.
• University's Director of IT

5.2 The specific monitoring of user data and the specific access to user data by staff and other administrative or academic departments may only be legitimately carried out under this policy after carrying out an impact assessment and with the knowledge and written consent of the Registrar of the University. Additionally at least one of the following may be notified:

• The Director of Computing Services
• University's Director of IT
• The Dean of Faculty, Head of School or head of the unit which owns the equipment on which the data is stored, or from which is it transmitted or transferred.

5.3 Specific monitoring of, or specific access to, user data should only take place for such time as is required to ascertain whether the user or users concerned are storing, transmitting or transferring data which breaches the University's Regulations, the University's contractual obligations to third parties or UK Law. Long-term monitoring should only be permitted when this is specifically requested by the police as part of an on-going criminal investigation, or as part of an on-going internal investigation.

5.4 All specific monitoring or specific access to user data must be reported, along with the reasons for that action being taken and the result, if any, of the monitoring or access to the University's Acceptable Use of Computing Facilities Committee (AUCFC) and Director of Computing Services, as required and as soon as the monitoring is completed.

5.5 Data collected via specific monitoring of, or specific access to, user data shall (if not falling under a statutory exemption) be disclosable as part of a request for access under the Data Protection Act 1998. Data collected in this way will only be used, for example, for carrying out and concluding the investigation and any subsequent disciplinary proceedings and retained for at least 6 years afterwards.

6. References and documentation

Legislation:

RIP Act 2001
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

Guidance:

RIPA 2000: Home Office Guidelines
JISC Senior Management Briefing paper (PDF) (Short Version)
JISC Senior Management Briefing paper (HTML)(Long Version)