Acceptable Use Policy (ISP-09)

  1. Introduction
  2. Scope
  3. Policy
  4. Further Guidance

1. Introduction

This Acceptable Use policy is a sub-policy of the Information Security Policy (ISP-01) and sets out the responsibilities and required behaviour of users of the University’s information systems, networks and computers.

2. Scope

All members of the University (as defined in the University’s Constitution: Ordinance 9, section 7), together with any others who may have been granted permission to use the University-provided information and communication technology facilities, are subject to this policy.

3. Policy

3.1. User Identification and Authentication

Each member will be assigned a unique identifier (userID) for their individual use. This userID may not be used by anyone other than the individual user to whom it has been issued. 

Each member will be assigned an associated account password which must not be divulged to anyone, including IT Services staff, for any reason. This University password must not be used as the password for any other services, including for University accounts providing privileged access (such as administrative accounts for finance or HR systems), or any external services (for example social media sites). Individual members are expected to remember their password and to change it if there is any suspicion that it may have been compromised. 

If University members suspect that the credentials of another member or their own credentials have been compromised, this must be reported to the IT Service Desk. 

University members will be asked to set up Multi-Factor Authentication (MFA) as a requirement to authenticate to University systems. 

In addition to a password, authentication methods may include use of an authentication app on a mobile phone or another device, such as a USB security key, or a one-time code sent to a phone. As with passwords, Multi-Factor Authentication (MFA) tokens, such as one-time passcodes and number matches, must not be divulged to anyone, including IT Services staff, for any reason.

Information given to the University for MFA will be stored securely and only used for authentication purposes. It will be stored by the University or a contracted IT service provider and will not be provided to any third party without the user’s written consent unless the University is required to do so by law.

All administrative or highly privileged accounts must have Multi-Factor Authentication enabled where available. 

3.2. Use of Email Accounts

Each member will also be assigned a unique email address for their individual use and some members may also be given authorisation to use one or more generic (role-based) email addresses. Members must not use the University email address assigned to anyone else without their explicit permission via the appropriate mailbox delegation process.

Email addresses are University owned assets and any use of these email addresses is subject to University policies.  

Members of staff and research postgraduates should not use a personal (non-University provided) email account to conduct University business and should maintain a separate, personal email account for personal email correspondence.  

University members must not configure their University email account to automatically forward incoming mail to third-party services with which the University has no formal agreement. 

Where University members are permitted to use non-University provided email clients, these must not synchronise email data with cloud services with which the University has no formal agreement, for example backing up University email with personal iCloud storage.  

3.3. Personal Use of Facilities

University information and communication facilities, including University networks, email addresses and computers, are provided for academic and administrative purposes related to work or study at the University. Very occasional personal use is permitted but only so long as:

University facilities should not be used for the storage of data unrelated to membership of the University. In particular, University facilities should not be used to store copies of personal photographs, music collections or personal emails.

The use of University facilities to mine, harvest or farm cryptocurrency for non-research purposes is specifically prohibited. Any research-driven activity must be approved by the appropriate Head of School.

All use of University information and communication facilities, including any personal use, is subject to University policies, including the Investigation of Computer Use Policy (ISP-18).

3.4. Connecting Devices to University Networks

To reduce the risks of malware infection and propagation and of network disruption, and to ensure compliance with the JANET Acceptable Use and Security policies, it is not permitted to connect personally owned equipment to any network socket which has not been provided specifically for the purpose. It is permissible to connect personally owned equipment to the University’s wireless networks.

Any device connected to a University network must be managed effectively. Devices that do not comply with IT Services’ standards for effective management are liable to physical or logical disconnection from the network without notice.

3.5. Use of Services Provided by Third Parties

Wherever possible, members should only use services provided or endorsed by the University for conducting University business. The University recognises, however, that there are occasions when the services offered by the University are unable to meet the legitimate business requirements of its members. On these occasions, members must liaise with IT Services to identify and onboard third-party solutions.

Further information is available in the Information Handling policy (ISP-07) and the Outsourcing and Third Party Compliance policy (ISP-04).

3.6. Unattended Equipment

Computers and other equipment used to access University data and facilities must be locked before being left unattended to prevent unauthorised access to data. 

Particular care should be taken to ensure the physical security of University supplied equipment when in transit. For more guidance on travel and University equipment, read the Mobile and Remote Working Policy (ISP-14).

3.7. Unacceptable Use

In addition to what has already been written above, the following are also considered to be unacceptable uses of University facilities. These restrictions are consistent with the JANET acceptable use policy (by which the University is bound) and the law.     

Any illegal activity, for example: 

Any activity which breaches any University policy (see the Compliance Policy, ISP-03), for example:

Depending on the severity and context, some items above may constitute illegal activity.  

Users are strongly encouraged to report any breach or suspected breach of the University’s Information Security Policies to IT Services. 

3.8. Penalties for Misuse

The University takes all policy breaches seriously. Incidents will be reviewed to determine the severity and appropriate course of action. This may include guidance, further investigation, or potential restrictions on individuals’ account and access privileges. 

Repeated minor and all major breaches will follow a defined escalation process for a more thorough review and will be handled in accordance with the Human Resources Policy (ISP-05). 

Relevant supervisors and leadership will be kept informed throughout the incident process to ensure a coordinated response. 

In cases where there is a potential legal violation, the matter may be reported to the appropriate law enforcement agency via the University's Legal Services and Secretariat with consideration to the jurisdiction where the breach may have occurred. 

4. Further Guidance

Acceptable Use policy (ISP-09), version 3.0
Last reviewed: May 2024, Next review: May 2025.
This policy is also available as a PDF: ISP-09 Acceptable Use Policy (PDF, 216kB)