Introduction

The University of Bath respects the privacy and academic freedom of its staff and students. The University acts in accordance with applicable legislation and the Information Commissioner’s Employment Practices code. This document outlines circumstances where in order to ensure the operational effectiveness of its services or aid in formal investigations that it is permissible for the University to access the data and communications of its members.

Decisions to access the data and communications of other members will be taken by a senior independent member of staff to ensure that the requests are free of bias and are not malicious.

Scope

This applies to all users (Staff, Students, visitors, contractors and others) of the University Information systems and communications technology facilities.

Guidelines

monitoring does not normally involve the monitoring of individual communications or disclose the contents of a user’s files. The University reserves the right to monitor the use of IT facilities and may access files and communications including electronic mail files, stored on any IT facilities owned, managed or provided by the University and may examine the content of these files and any relevant traffic data.

The University may take action for these reasons:

  • to protect the IT Facilities against viruses, hackers and other malicious attack;
  • to assist in the investigation of breaches of the University’s Conditions of Use as outlined in the IT Acceptable Use Policy;
  • to prevent or detect crime or other unauthorised use of the IT Facilities;
  • when legally required to do so, for example as part of a police investigation or by order of a court of law;
  • where such monitoring is necessary, to pursue the University’s other pressing academic and business interests; subject to the agreement of appropriate senior staff;
  • to disclose documents under the Data Protection Act or the Freedom of Information Act.

The Powers of Law Enforcement Authorities to Access Communications

A number of other non-University bodies and persons may be allowed access to user communications under certain circumstances. Where the University is compelled to provide access to communications by virtue of a Court Order or other competent authority, the University will disclose information to these non-institutional bodies/persons when required as allowed under the Data Protection Act 1998.

For example, under the Regulation of Investigatory Powers Act 2000 a warrant may be obtained by a number of law enforcement bodies regarding issues of national security, the prevention and detection of serious crime or the safeguarding of the economic well-being of the UK.

Other Third Parties

The University makes use of third parties in delivering some of its IT services. These third parties may intercept communications for the purpose of ensuring the security and effective operation of their service (for example, a third party which provides email services to the University may scan incoming and outgoing email for viruses and spam).

Covert Monitoring

Covert monitoring of computer use will only be authorised in exceptional circumstances where there is reason to suspect criminal activity or a serious breach of University regulations and notification of the monitoring would be likely to prejudice the prevention or detection of that activity. The period and scope of the monitoring will be as narrow as possible to be able to investigate the alleged offence and the monitoring will cease as soon as the investigation is complete.

Only information gathered in relation to the alleged offence will be retained. This information will only be viewed by those for whom access is strictly necessary, for example in relation to potential disciplinary proceedings.

Procedure

Requests for the investigation may be made by any member of the University. The request should be made to IT Security and should include the following information:

  • the name and department of the student or staff member;
  • the reasons for the request;
  • the nature of the information sought;
  • the times and dates that it relates to;
  • the details of any other relevant information that might be pertinent.

This information will then be passed to the head of the relevant department, the Director of Computing Services and the University Secretary. In the event of any conflict of interest or unavailability of the University Secretary, the Director of Human Resources or Vice-President (implementation) may be substituted for him.

It is the duty of the Director of Computing Services to identify any potential conflict of interests of the investigating staff. Investigating staff are obliged to report a conflict of interest at the earliest opportunity should one arise.

Document Control Information

  • Owner: Mark Acres - IT Security Manager
  • Version Number: 1.0
  • Approval Date: April 2016
  • Approved By: Executive Committee
  • Date of Last review: July 2016