This Human Resources policy is a sub-policy of the Information Security Policy (ISP-01) and sets out the Human Resources processes that must be implemented to ensure that employees are able, trained and required to protect the University’s information assets.
This policy applies to all members of the University who have been given Staff status (this includes any contractors, students, interns, honorary and associate or temporary members with a contractual agreement to work for the University).
For roles involving handling of data classified as confidential or above, Human Resources may use a pre-employment or change of role screening process to help ensure that employees selected are suited to the requirements of the job.
Further guidance on pre-employment checks can be found at http://www.bristol.ac.uk/hr/resourcing/practicalguidance/appointment/checks.html.
Employees are to sign a contract binding them to comply with the Rules of Conduct for Members of Staff (Ordinance 10, Section 4, Appendix A) and the Terms and Conditions of Employment .
An example of behaviour that may constitute misconduct as outlined in Ordinance 10, is: "Computer misuse, contrary to the University's regulations".
It is a stipulation of the Terms and Conditions of Employment that members of staff are expected to: “Comply with all of the University's employee rules, regulations, statutes, ordinances, procedures, policies and codes of practice (including but not limited to those relating to health and safety, the use of computers and data protection).”
The University is committed to providing staff with sufficient training to ensure that they are able to fulfil their specific information security responsibilities. The University’s information security training programme is mandatory for all staff and can be accessed from the University's learning management system. This training must form part of staff induction and must be taken by all staff on an annual basis thereafter.
Information system users will be provided with instructions and training to ensure they do not compromise security through lack of awareness or skill.
Upon termination, suspension or change of appointment, Human Resources will revise the staff records system accordingly. This will trigger appropriate account management processes on centrally managed IT systems. For IT systems where access is not centrally managed it is the manager’s responsibility to ensure access to these systems is removed at the same time.
Upon termination, all employees, contractors and third parties must return all University owned information assets and equipment.
It is stated in the general terms and conditions of employment that:
"10.1 Any property of the University shall remain the property of the University (except for intellectual property belonging to a member of staff under clause 11) and shall be handed over by staff to the University on demand and in any event on the termination of employment".
The full list of terms and conditions can be read at: http://www.bristol.ac.uk/hr/terms/
The University's Legal Services and Secretariat may authorise for the legally compliant monitoring of its IT systems to be undertaken for legitimate University purposes. The policy relating to how the University may monitor use of its IT systems is outlined in the Investigation of Computer Use policy (ISP-18).
Where there are reasonable grounds for suspected misuse of IT facilities, as identified in the Investigation of Computer Use Policy (ISP-18), the University's Leagal Services and Secretariat may authorise that account to be suspended and/or investigated by IT Services.
Employees who, after an investigation, have been found to have breached University Policy or their contract fo employment, may be subject to disciplinary action under the Conduct Procedure in Ordinance 10.
Unless the police are involved from the outset, when different procedures may apply, Human Resources and IT Services will coordinate the investigation of any suspected improper use of University IT facilities. Any resultant disciplinary action will be taken in accordance with Ordinance 10.
If you are employing a University of Bristol undergraduate or taught postgraduate student, consideration must be given to the information they are able to access. Access levels must be appropriate based on the role they are performing. Access to the personal data of other University students and staff is not acceptable.
If you are sponsoring honorary or associate staff, consideration must be given to the data they are able to access. Access levels must be appropriate based on the capacity in which they are working with the University.
Guidance on the engagement with third-parties is outlined in the Outsourcing and Third Party Compliance policy (ISP-04).
You can read more guidance using the links below.
Human Resources Policy (ISP-05), version 3.0
Last reviewed: January 2024. Next review: January 2025.
This policy is also available as a PDF: ISP-05 Human Resources (PDF, 204kB)
