
IT Acceptable Use Policy

What you may and may not do when you use the University's IT systems, and the consequences of breaking the rules.


Policy


Owner: Chief Information and Digital Officer
Version: 4.2
Approval date: 14 Dec 2023
Approved by: Executive Committee
Date of last review: 01 May 2023
Date of next review: Information not provided

This policy has been approved by the Executive Committee and any amendments to it require the Committee's approval.

Introduction

1.1 Purpose

The purpose of this IT Acceptable Use Policy is to outline the acceptable use of all IT resources, including computer hardware and software, network systems, internet access, email systems, and other electronic communication systems, by students, employees, contractors, and third-party service providers at the University of Bath. This policy aims to protect the integrity, confidentiality, and availability of the University's IT resources, and to promote responsible and ethical behaviour when using these resources.

1.2 Scope

Members of the University and all other users (staff, students, visitors, contractors and others) of the University's facilities are bound by the provisions of its policies in addition to this Acceptable Use Policy. The University of Bath seeks to promote and facilitate the positive and extensive use of Information Technology in the interests of supporting the delivery of learning, teaching, innovation and research to the highest possible standards. This also requires appropriate and legal use of the technologies and facilities made available to students, staff and partners of the University.

2 Acceptable use policy

2.1 Acceptable Use

2.1.1 Users are encouraged to use the IT facilities to further the goals and objectives of their work, study or research and in accordance with the Dignity and Respect policy. Subject to all of the following, the University permits personal use of the IT facilities as a privilege, not a right, on the following conditions:

  • It does not interfere with the member of staff’s work nor the student’s study;
  • It does not contravene any University policies; and
  • It is not excessive in its use of resources.

2.1.2 All users of the University's IT resources must comply with all applicable laws, regulations, and policies, including but not limited to the Data Protection Act 2018, General Data Protection Regulation (GDPR), and the University's Information Security Policy.

2.1.3 The University has a statutory duty (the Prevent Duty), under Section 26(1) of the Counter Terrorism and Security Act 2015, to act to stop members of its community from being drawn into terrorism. In order to comply with this duty, the University reserves the right to monitor or block access to material that might incite extremism, radicalisation or violence. Anyone needing to access security sensitive material for legitimate academic purposes must register via the Ethics Review Process.

2.1.4 All users of the University's IT resources are responsible for maintaining the security of these resources by using strong passwords, regularly updating software, and reporting any suspicious activity to the IT department.

2.1.5 The University respects the privacy of its users and expects all users to respect the privacy of others. Any unauthorised access, use, or disclosure of personal information is strictly prohibited.

2.1.6 Users must comply with any request made to them by university staff in connection with the enforcement of this policy.

2.1.7 Users shall not use the IT facilities inappropriately. See 2.2 for the unacceptable use examples.

2.2 Unacceptable Use

2.2.1 Subject to exemptions defined in 2.2.8, the University IT Systems may not be used directly or indirectly by a User for the download, creation, manipulation, transmission or storage of:

  1. any offensive, obscene or indecent images, data or other material, or any data capable of being resolved into obscene or indecent images or material;
  2. unlawful material or material that is defamatory, threatening, discriminatory, extremist or which has the potential to radicalise themselves or others;
  3. any material which promotes terrorism or violent extremism, or which seeks to radicalise individuals to such causes;
  4. unsolicited and unauthorised bulk email (spam) which is unrelated to the legitimate business of the University. For the surveying of students, please refer to the protocol;
  5. material which is subsequently used to facilitate harassment, bullying and/or victimisation of a member of the University or a third party;
  6. material which promotes discrimination on the basis of race, gender, religion or belief, disability, age or sexual orientation;
  7. material with the intent to defraud or which is likely to deceive a third party;
  8. material which advocates or promotes any unlawful act;
  9. material that infringes the intellectual property rights or privacy rights of a third party, or that is in breach of a legal duty owed to another party; or
  10. material that brings the University into disrepute.

2.2.2 The University networks must not be deliberately used by a User for activities having, or likely to have, any of the following characteristics:

  1. Accessing or attempting to access unauthorised information or resources.
  2. Sharing passwords or other access credentials with others.
  3. Intentionally wasting staff effort or other University resources;
  4. Corrupting, altering or destroying another User’s data without their consent;
  5. Disrupting the work of other Users or the correct functioning of the University IT Systems;
  6. Engaging in any activity that may disrupt or interfere with the normal operation of the University's IT resources.
  7. Denying access to the University IT Systems and its services to other users.
  8. Pursuance of commercial activities (even if in support of university business), subject to a range of exceptions. Contact DDaT to discuss your commercial need.
  9. Introducing data-interception, password-detecting or similar software or devices to the University's Network;
  10. Deliberate unauthorised access to the University's IT systems;
  11. Attempting to undermine the security of the University's IT systems. (For the avoidance of doubt, this includes undertaking any unauthorised penetration testing or vulnerability scanning of any University systems);
  12. Intentionally or recklessly introducing any form of spyware, computer virus or other potentially malicious software;
  13. Installing or using unauthorised software or hardware.
  14. Using software which is only licensed for limited purposes for other purposes or otherwise breaching software licensing agreements;
  15. Failing to comply with a request from an authorised person for you to change your password.

2.2.3 The University's email system and instant messaging system are intended for University-related activities only. It is recommended to use clear and concise language when composing messages and avoid sending large attachments or forwarding chain emails.

2.2.4 All users of the University's email system should not:

  1. harass, threaten, or intimidate others.
  2. solicit or promote personal or personal commercial activities.
  3. send confidential or sensitive information without using appropriate encryption methods.

2.2.5 The University recognises the value of social media as a communication and engagement tool. Use social media in a responsible and ethical manner.

2.2.6 All users of social media accounts who represent themselves as members of the University of Bath should not:

  • Post offensive or inappropriate content, including but not limited to sexually explicit or discriminatory material.
  • Harass, threaten, or intimidate others.
  • Promote personal or commercial activities without prior approval from the University.

2.2.7 The University monitors all activities on its IT resources to ensure security and performance, including but not limited to access to and usage of the University networks, emails, Internet and telecommunications means, remote connections, and social media use. Any unauthorised use of IT resources may result in disciplinary action, up to and including termination of employment or contractual relationship.

2.2.8 Any breach of industry good practice that is likely to damage the reputation of the Janet network will also be regarded prima facie as unacceptable use of the University IT Systems.

2.2.9 Where the University networks are being used to access another network, any abuse of the acceptable use policy of that network will be regarded as unacceptable use of the University networks.

2.2.10 Exemptions from Unacceptable Use:

  1. There are a number of legitimate academic activities that may be carried out using University networks that could be considered unacceptable use, as defined in 2.2.1 to 2.2.96. For example, research involving defamatory, discriminatory or threatening material, the use of images that may depict violence, the study of hate crime, terrorism-related material or research into computer intrusion techniques. In such circumstances, advice should be sought from the University’s Legal Office (if potentially illegal material is involved) and/or notification made to the Chief Compliance Officer via the procedure outlined in the University’s Prevent Policy if the material relates to the promotion of extremism/terrorism before the introduction of said material onto the University networks.

  2. Exemption requests under this policy must be submitted to the Chief Information & Digital Officer (CIDO) or their designate. Exemptions to this policy may only be granted by the CIDO or their designate.

  3. This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case by case basis.

  4. Any potential research involving obscene or indecent material must always be approved by the University’s Legal Office. If a member of the University community believes they may have encountered breaches of any of the above, they should make this known to an appropriate University authority (such as the Director of HR, Director of DDaT or Head of Security Services).

2.3 Consequences of Breach

2.3.1 In the event of a breach of this Acceptable Use Policy by a User, the University may at its sole discretion:

  1. restrict or terminate a User’s right to use the University network and systems;
  2. withdraw or remove any material uploaded by that User in contravention of this Policy; and
  3. where appropriate, disclose information to law enforcement agencies and take any legal action against a User for breach of this Policy, including but not limited to claiming all costs, fees and disbursements (including but not limited to legal fees) connected therewith.

2.3.2 In addition, where the User is also a member of the University community, the University may take such action, disciplinary or otherwise as it deems appropriate and which is in accordance with its Charter, Statute, Ordinances and Regulations.

2.4 Other notes

2.4.1 Students are additionally reminded of Regulations for Students, particularly section 10. ‘Use of Facilities’.

2.4.2 This IT Acceptable Use Policy is taken to include the Janet Acceptable Use Policy and the Janet Security Policy published by Jisc; the Combined Higher Education Software Team (Chest) User Obligations, together with its associated Copyright Acknowledgement; and the Eduserv General Terms of Service.

2.4.3 The University also has a statutory duty, under Section 26 of the Counter Terrorism and Security Act 2015, termed “Prevent”. The purpose of this duty is to aid the process of preventing people from being drawn into terrorism.

2.5 Definitions

  • 2.5.1 University - University of Bath.
  • 2.5.2 Staff – Staff, whether academic, administrative, technical, or other, currently employed by the University, or engaged on a contract of service.
  • 2.5.3 Student – An individual currently enrolled or registered with the University, or undertaking study of any kind provided by, at, or under the auspices of, the University.
  • 2.5.4 Visitor – An individual, other than Staff or Students, who uses the University IT Systems in any way.
  • 2.5.5 University IT Systems – any of the University’s IT facilities, including email, connection from the campus to the Internet and other networks, and all computers, laptops, other mobile devices, and any other related software and hardware.

3 Roles & Responsibilities

3.1 The University Executive board is responsible for approving the Acceptable Use Policy and the University’s annual accountability and monitoring return for Students in compliance with the University’s policy.

3.2 The CISO is responsible for ensuring this policy is implemented across the University to ensure information and University networks are protected.

3.3 All members of staff should be aware of the University’s responsibility under the Acceptable Use Policy and of the measures set out above to comply with it.

3.4 DDaT is responsible for ensuring all relevant controls are implemented so the policy can be implemented, and relevant controls enforced and monitored.

3.5 All students, staff and visitors are required, where applicable, to follow the requirements of this policy. Failure to do so may result in disciplinary action in line with university policies or, where necessary, removal of access to services provided by the University.

4 Related Policies and Procedures

The following policies and procedures are related to the Acceptable Use Policy:
