Introduction
The University of Bath respects the privacy and academic freedom of its staff and students. The University acts in accordance with applicable legislation and the Information Commissioner's Employment Practices Code. This document outlines the circumstances under which it is permissible for the University to access the data and communications of its members, either to ensure the operational effectiveness of its services or to aid formal investigations.
Decisions to access the data and communications of other members will be taken by a senior independent member of staff to ensure that the requests are free of bias and are not malicious.
The University is committed to ensuring that any monitoring of IT systems is conducted in a transparent, accountable, and legally compliant manner. All monitoring activities are subject to oversight, documentation, and periodic review to ensure alignment with data protection principles and human rights obligations.
Scope
This policy applies to all users (staff, students, visitors, contractors and others) of the University's information systems and communications technology facilities.
Guidelines
Monitoring does not routinely involve accessing individual communications or the contents of user files. However, the University reserves the right to monitor the use of IT facilities and, where justified, may access files and communications - including email, stored data, and traffic metadata - on any IT systems owned, managed, or provided by the University. Such access will only occur under the circumstances outlined below and in accordance with applicable data protection laws and University policies.
The University may take action for these reasons:
- to protect the IT Facilities against viruses, hackers and other malicious attacks
- to assist in the investigation of breaches of the University’s Conditions of Use as outlined in the IT Acceptable Use Policy
- to prevent or detect crime or other unauthorised use of the IT Facilities
- when legally required to do so, for example, as part of a police investigation or by order of a court of law
- where such monitoring is necessary to protect the University’s legitimate academic or operational interests, subject to senior-level authorisation and in accordance with applicable data protection laws
- to disclose documents under the Data Protection Act or the Freedom of Information Act
Users are informed of routine monitoring activities through privacy notices, acceptable use policies, and system login banners where applicable. The University ensures that monitoring is proportionate and that users are aware of the types of data that may be accessed under specific circumstances.
The Powers of Law Enforcement Authorities to Access Communications
Some non-University bodies and persons may be granted access to user communications under specific legal circumstances. Where the University is compelled to provide access to communications by virtue of a Court Order, warrant, or other direction from a competent authority, it will do so in accordance with applicable legislation, including:
- The Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR), as amended by the Data (Use and Access) Act 2025 (DUAA);
- The Investigatory Powers Act 2016, including amendments introduced by the Investigatory Powers (Amendment) Act 2024;
- The Regulation of Investigatory Powers Act 2000 (RIPA), where applicable.
Under these laws, law enforcement and intelligence agencies may obtain access to communications data for purposes such as:
- Safeguarding national security
- Preventing or detecting serious crime
- Protecting the economic well-being of the UK
- Complying with legal obligations or court orders
The University will only disclose personal data where legally required and will ensure that such disclosures are:
- Proportionate, necessary, and lawful
- Subject to appropriate authorisation and oversight
- Logged and documented in accordance with internal procedures and applicable legislation
Where joint operations with law enforcement or intelligence services are undertaken, the University may process data under the intelligence services data protection regime, as permitted by the DUAA 2025, subject to the Home Secretary's approval.
Transparency and Governance
- A Data Protection Impact Assessment (DPIA) will be conducted in compliance with relevant laws and regulations prior to any activity involving high-risk processing, including the disclosure of communications data to law enforcement, unless an exemption applies (see the ICO guidance "When do we need to do a DPIA?").
- The University maintains a record of all DPIAs conducted and makes summaries available to relevant oversight bodies upon request
- Individuals’ rights under UK GDPR - such as the right to access, object, or request erasure - may be restricted in specific cases involving law enforcement or national security, as permitted under the DUAA 2025 and relevant exemptions in the Data Protection Act 2018.
Covert Monitoring
Covert monitoring of computer use will only be authorised in exceptional circumstances, where there is reasonable suspicion of criminal activity or a serious breach of University regulations, and where prior notification of the monitoring would be likely to prejudice the prevention or detection of that activity.
Before any covert monitoring is undertaken, the University will:
- Conduct a Data Protection Impact Assessment (DPIA) to assess the necessity, proportionality, and risks of the proposed monitoring
- Ensure that the monitoring is strictly limited in scope and duration to what is necessary to investigate the alleged offence
- Seek senior-level authorisation, including consultation with the University Secretary and, where appropriate, legal counsel
- Consider whether judicial approval or external oversight is required, particularly where monitoring may involve sensitive or special category data
Only information directly relevant to the alleged offence will be retained. This information will be:
- Accessed only by individuals for whom access is strictly necessary, such as those involved in disciplinary or legal proceedings
- Stored securely and retained only for as long as necessary
- Subject to review and deletion in accordance with the University's data retention and privacy policies (see the Records retention schedule)
The University recognises that covert monitoring may engage individuals’ rights under Article 8 of the Human Rights Act 1998 (right to privacy). As such, covert monitoring will only be used where no less intrusive means are available and the University's legitimate interests clearly outweigh the individual's privacy rights.
Procedure
Requests for an investigation may be made by any member of the University. The request should be made to IT Security and should include the following information:
- the name and department of the student or staff member
- the reasons for the request
- the nature of the information sought
- the times and dates that it relates to
- the details of any other relevant information that might be pertinent
This information will then be passed to the head of the relevant department, the Director of Digital, Data & Technology and the University Secretary. In the event of any conflict of interest or the University Secretary's unavailability, the Director of Human Resources or the Vice-President (Implementation) may substitute for the University Secretary.
It is the duty of the Chief Digital Officer to identify any potential conflict of interest of the investigating staff. Investigating staff are obliged to report any conflict of interest at the earliest opportunity.
All requests for investigation and monitoring will be documented, including the rationale, scope, authorisation, and outcome. These records will be retained securely to ensure compliance with internal policies. An annual report on monitoring activities may be submitted to the Executive Committee for governance and oversight purposes.
Requests involving sensitive personal data or special category data will be subject to additional scrutiny and may require consultation with the University’s Data Protection Officer.