General Regulation XII - Regulations for the use of University IT Facilities
‘REGULATIONS FOR THE USE OF UNIVERSITY IT FACILITIES’ refer to the conditions under which members of the University are allowed to use computing equipment and stored information belonging to or held by the University and its members, and in addition govern the way in which access is authorised to computer systems outside the University. Members of the University include all staff of the University and the Recognised Colleges, the Sabbatical Officers of the Durham Students' Union (DSU) and Common Rooms, and all students.
Additional regulations may apply to specific services available in CIS and elsewhere. Regulations for the use of these services will be stated by the relevant IT provider (eg CIS, academic department, college)
In these Regulations of the University for the Use of University IT Facilities, the following expressions shall have the meaning assigned below, unless the context requires otherwise:
"Authorised user" means a user who is registered with the Authorised University Officer responsible for a particular IT Facility or set of facilities to use that facility or set of facilities for a particular purpose or purposes, and "authorised use" shall be interpreted accordingly. Users who use the IT Facilities solely for the purpose of accessing publicly available data shall be considered authorised users for that purpose only.
(b) "Commercial usage" is defined as any activity employing the University IT Facilities or any software supplied by or through the University for potential monetary gain, whether that gain is for the University or for an individual or group of individuals.
(c) "Data Protection Legislation" means the Data Protection Act 1998 and all subordinate legislation and regulations made there under.
(d) "Misuse" of an IT Facility is any use of that facility which constitutes a breach of these regulations or of any additional rules for the use of that facility laid down by the appropriate Authorised University Officer and includes the use or attempted use of a facility (other than publicly available data) by a person who has not been given permission to use that facility or the use of a facility for a purpose for which permission has not been given. Modest personal use of an IT facility will not constitute misuse under these regulations.
(e) "Password" means the secret string of characters allocated to, or chosen by a user, that is used to gain access to University IT Facilities.
(f) “Authorised University Officer” means any authority so defined in the General Regulations of the University, and anyone so designated for the purposes of these regulations by the Registrar and Secretary.
(g) "Publicly available data" means all information made available via University IT Facilities both to Members of the University and to external users by means of a public network such as the Internet or the World Wide Web.
(h) "Regulations" refer to these conditions under which members and employees of the University and others are permitted to have access to and to use any facilities belonging to or held by the University and its members, and in addition govern the way in which access is authorised to IT Facilities outside the University.
(i) "Transmit" means to transfer any form of data over the University’s data network or over any other network that is accessible from the University’s network.
(j) "User" means any natural or legal person using or attempting to use University IT Facilities, whether authorised or not, and the word "use" shall be interpreted accordingly.
(k) "User name" means the identification given as part of the authorisation procedure that allows an authorised user to access a particular IT Facility. Normally a password is used with the user name to provide secure access to an IT Facility.
III. Use and Misuse
(a) Members of the University and other natural or legal persons may use a University IT Facility provided they are authorised users. Authorised use shall be on such terms and conditions, which may include charges, as the Authorised University Officer may determine, and will take the form of registration.
(b) The University IT Facilities are provided for the academic work and normal University duties of members of the University. Any other use, and in particular use for commercial gain, requires the explicit, prior permission of the relevant Authorised University Officer.
(c) To comply with these Regulations, an authorised user of a University IT Facility shall:
(i) Comply with applicable legislation and case law. The schedule of these Regulations sets out a non-exhaustive list of legislation which has been shown to be relevant to the use of IT Facilities.
(ii) Have regard to any other Code of Practice or procedures approved by Senate and Council and in particular to any listed in the Schedule to these regulations.
(iii) Comply with any University Regulations approved by Senate and Council.
(iv) Comply with any regulations made by Colleges and Boards of Studies or other recognised authorities under these Regulations.
(v) Adhere to the terms and conditions of all licence agreements relating to University IT Facilities which they use including software, equipment, services, documentation and other goods.
(vi) When processing personal data ensure full compliance with all obligations under the Data Protection Legislation. The University maintains a general notification under the current legislation that should cover most data used for academic purposes, but users are responsible for ensuring that any particular use of personal data complies with the Data Protection Legislation and any other relevant legislation, and notwithstanding this obligation, must consult the University’s Data Protection Officer.
(vii) Have primary responsibility for the security and back-up of their work and data.
(viii) Exercise due care and consideration for the interests of the University and other users, including the efficient use of consumables and other resources. In particular, they shall not engage in deliberate activities with the following characteristics:
• Corrupting or destroying other users' data;
• Violating the privacy of other users;
• Disrupting the work of other users;
• Using the network in any way which denies service to other users;
• Continuing to use an item of software or hardware after receiving a request to cease from the Authorised University Officer;
• Wasting support staff effort;
• Wasting IT resources, including wasting time on an IT Facility;
• Any activity infringing or being capable of infringing the Data Protection Legislation or any other relevant legislation.
(d) No person, whether knowingly or negligently, shall:
(i) Use another’s Username and Password to access an IT Facility.
(ii) Allow another person to use any Username issued to them to access an IT Facility.
(iii) Log in to an IT Facility and then leave the IT Facility unattended and usable by some other person.
(iv) Distribute to a third party software, the whole or any part of which, is subject to copyright without the express written permission of the copyright owner.
(v) Decompile or otherwise reverse-engineer software without the written permission of the copyright owner, or attempt to do so.
(vi) Create, access, download, store, process or transmit any indecent, obscene, pornographic, racist, or otherwise offensive data, images or other material promoting incitement or intolerant behaviour of any nature or otherwise offensive images, data or other material, or any data capable of being resolved into such images, data or other material. An authorised user may make a written request to the Authorised University Officer for permission to have this clause of the Regulations waived for properly supervised and lawful research purposes and in accordance with legal access permitted under the appropriate legislation. Such a written request must in every case be made before any of the above acts are undertaken by the user in question.
(vii) Use University or other IT facilities to create, access, download, store, process or transmit, by whatever means, (including the internet and social networking sites) any material, data or images:
that promote, or are capable of being resolved in such a form so as to promote, incitement or intolerant behaviour or that promote or incite intolerance of any nature or
that are indecent, obscene, pornographic, racist, or defamatory. [Note An authorised user may make a written request to an Authorised Officer for permission to have this clause of the regulations waived for properly supervised and lawful research purposes and in accordance with legal access permitted under the appropriate legislation. Such a written request must in every case be made before any of the above acts are undertaken by the user in question];
that is designed or is likely to cause annoyance, inconvenience or needless anxiety to another;
that infringes the intellectual property rights of another person or organisation;
that is unsolicited commercial or advertising material;
that affect or have the potential to affect the University’s reputation
(ix) Reveal their Password to any person not authorised by the Authorised University Officer to receive it.
(f) For the purposes of these Regulations, where University IT Facilities are used to access remote IT Facilities, those remote facilities shall be deemed to be University IT Facilities. Users who use networks and remote IT Facilities shall obey both the University of Durham Regulations and any applicable Regulations for the remote facilities. It is the responsibility of the individual making use of remote IT Facilities to ensure that all applicable regulations are known and observed.
(g) A breach of any regulations related to the use of University IT Facilities will be regarded as a breach of these Regulations. In the event of any conflict with regulations made by an Authorised University Officer under III(c)(iv) these Regulations take precedence.
IV. Commercial Usage
(a) Subject as otherwise expressly indicated, the University IT Facilities and software supplied by or through the University are for educational use only. If any work is to involve commercial usage of the IT Facilities, this fact must be notified to the Authorised University Officer before any use is made of the facilities for such work. Whether or not the individual(s) concerned are authorised to use these facilities for educational purposes, further authorisation is required before commercial usage can commence, and an appropriate rate of charges must be agreed by the Authorised University Officer.
(b) Where IT Facilities are to be used in connection with research grants, short courses or contracts involving specific provision for computing costs, this fact must be communicated to the Authorised University Officer and an appropriate rate of charges must be agreed before such utilisation may commence.
(c) Any software, process or other invention developed by a member of the University using University IT Facilities must not be commercially exploited without the prior consent of the University. Students are referred to the General Regulation X and staff to the terms and conditions of their appointment.
(d) (Commercial usage of software supplied under “educational use only” agreements is permitted only if explicit written approval has been obtained from the supplier of the software and, consequentially, without such express authorisation, such use will be a Misuse under the terms of these Regulations).
V. Publicly Available Data
Use of the University IT Facilities for the provision of publicly available data shall be subject to such technical and editorial conditions as, after consultation with the IT Steering Group, the University Director of IT may impose in the interests of security and the good name of the University.
The University undertakes to provide and operate its IT Facilities with reasonable care and skill. However, the University accepts no liability for any loss or damage a user may suffer from any failure or malfunction of the University IT Facilities or any parts thereof.
VII. Penalties and Sanctions
(a) In the case of misuse or breach of these regulations the Authorised University Officer responsible for a particular IT Facility or set of IT Facilities may take action in one or more of the following ways:
(ii) refer the case to the relevant University disciplinary bodies, to be dealt with in accordance with the approved procedures;
(iii) refer the case to the Registrar and Secretary for a decision on whether criminal or other legal proceedings should also be instituted.
(b) A serious breach will be treated as a major offence. A major offence as defined in General Regulations IV Discipline 5(a) broadly involves behaviour that either does or has the potential to cause serious damage to the University, its staff and other students and, as such, may include but is not restricted to the following examples of offences:
• conduct which brings the University into serious disrepute by causing serious reputational damage.
(c) An appeal by a user who is a member or employee of the University against a penalty or sanction imposed by a University body under these Regulations shall be made in accordance with the relevant University appeal procedures.
(d) If, as a result of misuse of University IT Facilities, an individual causes the University to be involved in legal action, the University reserves its right to take consequential action against the said individual.
The applicable legislation referred to in III (c) (i) includes the versions of the following statutes and statutory instruments that are currently in force, together with all subordinate legislation and regulations made there under:
• The Computer Misuse Act 1990
• The Copyright and Rights in Databases Regulations 1997
• The Copyright, Designs and Patents Act 1988
• The Criminal Damage Act 1971
• The Criminal Justice Act 1988
• The Criminal Justice and Public Order Act 1994
• The Data Protection Act 1998
• The Defamation Act 1996
• The Design Right (Semiconductor Topographies) Regulations 1989
• The Electronic Communications Act 2000
• Health and Safety at Work Act 1974
• The Human Rights Act 1998
• The Offences against the Person Act 1861
• The Obscene Publications Acts 1959 and 1964
• The Protection of Children Act 1978
• The Patents Act 1977
• The Public Order Act 1986
• The Regulation of Investigatory Powers Act 2000
• The Telecommunications Act 1984
• Freedom of Information Act 2000
• Terrorism Act 2006
• Police and Justice Act 2006
• Disability Discrimination Act 2006
The current Codes of Practice referred to in III (c) (ii) include without limitation to the generality:
• Code of Conduct for Use of Software and/or Computer Readable Datasets
• Code of Conduct for Use of IT Service Public Facilities
• Code of Conduct for Handling Personal Data Using Information Technology Systems.