Regulations for the Use of University I.T. Facilities (June 2003)
In the General Regulations of the University for the Use of University I.T. Facilities, the following expressions shall have the meaning assigned below, unless the context requires otherwise:
- "Authorised user" means a user who is registered with the properly recognised authority responsible for a particular IT Facility or set of facilities to use that facility or set of facilities for a particular purpose or purposes, and "authorised use" shall be interpreted accordingly. Users who use the IT Facilities solely for the purpose of accessing publicly available data shall be considered authorised users for that purpose only.
- "Commercial usage" is defined as any activity employing the University IT Facilities or any software supplied by or through the University for potential monetary gain, whether that gain is for the University or for an individual or group of individuals.
- "Data Protection Legislation" means the Data Protection Act 1998 and all subordinate legislation and regulations made thereunder.
- "General Regulations of the University" are the rules laid down by Senate and Council for the conduct of members of the University under the authority accorded to those bodies by Statutes of the University.
- "IT Facilities" include inter alia personal computers whether desktop or portable, workstations, servers, mini and mainframe computers, computer peripherals, networks, data communication lines and equipment, telephone lines and equipment used for data communications, computer software and information stored in computer systems and all databases and other computer-based information systems.
- "Members of the University" includes all members of the Academic and Administrative staff of the University and the Colleges, the Sabbatical Officers of Durham Students' Union (DSU), Durham University Athletic Union (DUAU) and of the Colleges, and all students.
- "Misuse" of an IT Facility is any use of that facility which constitutes a breach of these regulations or of any additional rules for the use of that facility laid down by the appropriate properly recognised authority and includes the use or attempted use of a facility (other than publicly available data) by a person who has not been given permission to use that facility or the use of a facility for a purpose for which permission has not been given. Modest personal use of a CIS facility will not constitute misuse under these regulations.
- "Password" means the secret string of characters allocated to, or chosen by a user, that is used to gain access to University IT Facilities.
- "Properly recognised authority" means any authority so defined in the General Regulations of the University, and anyone so designated for the purposes of these regulations by the Registrar and Secretary.
- "Publicly available data" means all information made available via University IT Facilities both to Members of the University and to external users by means of a public network such as the Internet or the World Wide Web.
- "Regulations" refer to these conditions under which members and employees of the University and others are permitted to have access to and to use any facilities belonging to or held by the University and its members, and in addition govern the way in which access is authorised to IT Facilities outside the University.
- "Transmit" means to transfer any form of data over the University’s data network or over any other network that is accessible from the University’s network.
- "University" includes all the Colleges maintained by Council, the Recognised Colleges, the Licensed Halls of Residence, St. Cuthbert's Society, and Ustinov College, of which it is comprised as well as the academic, service and administrative departments.
- "University IT Facilities" includes all the IT Facilities that are owned, hired by, outsourced to or otherwise possessed or controlled by the University. The expression also includes all the IT Facilities that are provided for the use of members of the University by other organisations as a result of a contract or other arrangement with the University.
- "User" means any natural or legal person using or attempting to use University IT Facilities, whether authorised or not, and the word "use" shall be interpreted accordingly.
- "User name" means the identification given as part of the authorisation procedure that allows an authorised user to access a particular IT Facility. Normally a password is used with the user name to provide secure access to an IT Facility.
II Use and misuse
- Members and employees of the University and other natural or legal persons may use a University IT Facility provided they are authorised users. Authorised use shall be on such terms and conditions, which may include charges, as the properly recognised authority may determine, and will take the form of registration.
- The University IT Facilities are provided for the academic work and normal University duties of members and employees of the University. Any other use, and in particular use for commercial gain, requires the explicit, prior permission of the relevant properly recognised authority.
- To comply with these Regulations, an authorised user of a University IT Facility shall:
- Comply with applicable legislation and case law. The schedule of these regulations sets out a non-exhaustive list of legislation which has been shown to be relevant to the use of IT Facilities.
- Have regard to any other Code of Practice or procedures approved by Senate and Council and in particular to any listed in the Schedule to these regulations.
- Comply with any University regulations approved by Senate and Council.
- Comply with any regulations made by Colleges and Boards of Studies or other recognised authorities under these Regulations.
- Adhere to the terms and conditions of all licence agreements relating to University IT Facilities which they use including software, equipment, services, documentation and other goods.
- When processing personal data ensure full compliance with all obligations under the Data Protection Legislation. The University maintains a general notification under the current legislation that should cover most data used for academic purposes, but users are responsible for ensuring that any particular use of personal data complies with the Data Protection Legislation and any other relevant legislation, and notwithstanding this obligation, must consult the University’s Data Protection Officer.
- Have primary responsibility for the security and back-up of their work and data.
- Exercise due care and consideration for the interests of the University and other users, including the efficient use of consumables and other resources. In particular, they shall not engage in deliberate activities with the following characteristics:
- Misuse of IT Facilities;
Corrupting or destroying other users' data;
Violating the privacy of other users;
Disrupting the work of other users;
Using the network in any way which denies service to other users;
Continuing to use an item of software or hardware after receiving a request to cease from the Properly Recognised Authority;
Wasting support staff effort;
Wasting IT resources, including wasting time on an IT Facility;
- Any activity infringing or being capable of infringing the Data Protection Legislation or any other relevant legislation.
- Misuse of IT Facilities;
- No person, whether knowingly or negligently, shall:
- Use another’s Username and Password to access an IT Facility.
- Allow another person to use any Username issued to them to access an IT Facility.
- Log in to an IT Facility and then leave the IT Facility unattended and usable by some other person.
- Distribute to a third party software, the whole or any part of which, is subject to copyright without the express written permission of the copyright owner.
- Decompile or otherwise reverse-engineer software without the written permission of the copyright owner, or attempt to do so.
- Create, access, download, store, process or transmit any blasphemous, indecent, obscene, pornographic, racist or otherwise offensive images, data or other material, or any data capable of being resolved into such images, data or other material. An authorised user may make a written request to the properly recognised authority for permission to have this clause of the regulations waived for properly supervised and lawful research purposes and in accordance with legal access permitted under the appropriate legislation. Such a written request must in every case be made before any of the above acts are undertaken by the user in question.
- Create, access, download, store, process or transmit any material which is designed or likely to cause annoyance, inconvenience or needless anxiety to another.
- Create, access, download, store, process or transmit any defamatory material.
- Create, access, download, store, process or transmit material that infringes the intellectual property rights of another person or organisation.
- Create, access, download or store, process or transmit unsolicited commercial or advertising material.
- Facilitate, encourage or allow deliberate unauthorised access to facilities or services accessible via the network.
- Reveal their Password to any person not authorised by the Properly Recognised Authority to receive it.
- Where resources such as machine time or filestore space are regulated by the grant of allocations, it will be a breach of these Regulations to use such resources without such an allocation having been granted or when an allocation has lapsed or been fully used. Such allocations may neither be used by other individuals or groups nor be transferred to users other than those to whom they were originally given without the approval of the properly recognised authority.
- For the purposes of these Regulations, where University IT Facilities are used to access remote IT Facilities, those remote facilities shall be deemed to be University IT Facilities. Users who use networks and remote IT Facilities shall obey both the University of Durham regulations and any applicable regulations for the remote facilities. It is the responsibility of the individual making use of remote IT Facilities to ensure that all applicable regulations are known and observed.
- A breach of any regulations related to the use of University IT Facilities will be regarded as a breach of these regulations. In the event of any conflict with regulations made by a properly recognised authority under II(c)(iv) these regulations take precedence.
III Commercial Usage
- Subject as otherwise expressly indicated, the University IT Facilities and software supplied by or through the University are for educational use only. If any work is to involve commercial usage of the IT Facilities, this fact must be notified to the Properly Recognised Authority before any use is made of the facilities for such work. Whether or not the individual(s) concerned are authorised to use these facilities for educational purposes, further authorisation is required before commercial usage can commence, and an appropriate rate of charges must be agreed by the Properly Recognised Authority.
- Where IT Facilities are to be used in connection with research grants, short courses or contracts involving specific provision for computing costs, this fact must be communicated to the Properly Recognised Authority and an appropriate rate of charges must be agreed before such utilisation may commence.
- Any software, process or other invention developed by a member of the University using University IT Facilities must not be commercially exploited without the prior consent of the University. Students are referred to the General Regulations of the University, Section X and staff to the terms and conditions of their appointment.
- (Commercial usage of software supplied under “educational use only” agreements is permitted only if explicit written approval has been obtained from the supplier of the software and, consequentially, without such express authorisation, such use will be a Misuse under the terms of these Regulations).
IV Publicly available data
Use of the University IT Facilities for the provision of publicly available data shall be subject to such technical and editorial conditions as, after consultation with the IT Strategy Committee, the Director of the IT Service may impose in the interests of security and the good name of the University.
The University undertakes to provide and operate its IT Facilities with reasonable care and skill. However, the University accepts no liability for any loss or damage a user may suffer from any failure or malfunction of the University IT Facilities or any parts thereof.
VI Penalties and sanctions
- In the case of misuse or breach of these regulations the properly recognised authority responsible for a particular IT Facility or set of IT Facilities may take action in one or more of the following ways:
- deal with the case as provided for in the regulations made by that properly recognised authority (see II(c)(iv) above), which may include a withdrawal of facilities, a fine and a requirement to pay compensation;
- refer the case to the relevant University disciplinary bodies, to be dealt with in accordance with the approved procedures;
- refer the case to the Registrar and Secretary for a decision on whether criminal or other legal proceedings should also be instituted.
- A serious breach will be treated as a major offence.
- An appeal by a user who is a member or employee of the University against a penalty or sanction imposed by a University body under these regulations shall be made in accordance with the relevant University appeal procedures.
- If, as a result of misuse of University IT Facilities, an individual causes the University to be involved in legal action, the University reserves its right to take consequential action against the said individual.
- The applicable legislation referred to in II(c)(i) includes the versions of the following statutes and statutory instruments that are currently in force, together with all subordinate legislation and regulations made thereunder:
- The Computer Misuse Act 1990
- The Copyright and Rights in Databases Regulations 1997
- The Copyright, Designs and Patents Act 1988
- The Criminal Damage Act 1971
- The Criminal Justice Act 1988
- The Criminal Justice and Public Order Act 1994
- The Data Protection Act 1998
- The Defamation Act 1996
- The Design Right (Semiconductor Topographies) Regulations 1989
- The Electronic Communications Act 2000
- Health and Safety at Work Act 1974
- The Human Rights Act 1998
- The Offences against the Person Act 1861
- The Obscene Publications Acts 1959 and 1964
- The Protection of Children Act 1978
- The Patents Act 1977
- The Public Order Act 1986
- The Regulation of Investigatory Powers Act 2000
- The Telecommunications Act 1984
- The Trade Marks Act 1994
- The current Codes of Practice referred to in II(c)(ii) include without limitation to the generality:
- Code of Conduct for Use of Software and/or Computer Readable Datasets
- Code of Conduct for Use of IT Service Public Facilities
- Code of Conduct for Handling Personal Data Using Information Technology Systems.
CODE OF CONDUCT FOR USE OF SOFTWARE AND/OR COMPUTER READABLE DATASETS
Under this code of conduct, which the University has agreed to uphold, authorised users must:
- Assume that all software and datasets are subject to Copyright Law and are provided for Educational Use only.
- Not make any copies of software or datasets.
- Not attempt to decompile or otherwise reverse engineer software or datasets without such provision being specifically included in the licence for the software or datasets.
CODE OF CONDUCT FOR USE OF CIS PUBLIC FACILITIES
This code of conduct applies to all Computing and Information Services (CIS) public facilities, including computer classrooms. The main purpose of the code of conduct is to establish an environment where authorised users can make use of the facilities provided in pursuit of their academic activities.
- CIS public facilities are available to all authorised users. The opening hours of each facility are given in student and staff handbooks available from CIS.
- Some of the facilities may be booked for particular groups of users at certain times. Details of all such bookings are available on the CIS WWW pages at:
and are also displayed at each of the locations. During booked sessions only those users for whom the session is booked may remain in the room. All others are asked to leave the room before the booked session begins.
- Some facilities are only available to a subset of the user community (for example to staff and postgraduates). Where this is the case this is clearly indicated at the location itself and in the handbooks.
- The IT facilities should not be used for non-academic or illegal activities. For example, viewing of pornographic or offensive material, downloading copyright material, the playing of computer games, are expressly prohibited.
- Users should only make use of one workstation or PC at any time.
- Users must not leave a workstation or PC which they have logged into unattended; users must follow the recommended logout procedure when they leave a station. Users are not allowed to run any software to prevent others from using the PC or workstation when they leave the station.
- Users must not attempt to open, move, disconnect or in any other way tamper with or attempt to destroy or damage any IT equipment.
- Users must not remove, deface or destroy output not originated by them.
- Users must not attempt to connect any items of equipment to a PC, workstation, printer or network connection in a University public facility, except in those areas authorised for the purpose.
- Users are asked to co-operate with CIS in keeping the public locations tidy. Users are asked to remove their output and other pieces of paper from the public facilities and to place unwanted items in the dustbins provided.
- Users are asked to ensure that their hands are clean before using the public facilities.
- Smoking, eating and drinking are not permitted in the CIS public facilities. Food or drinks may not be taken into CIS public facility rooms.
- Users are asked to minimise any noise they make so as not to disturb other users.
- Users are asked to report any faults they encounter in using the public facilities to the IT Service Desk.
CODE OF CONDUCT FOR HANDLING PERSONAL DATA USING INFORMATION TECHNOLOGY SYSTEMS
The use of computers, networks and other systems for handling personal data is governed by the Data Protection legislation and associated statutory instruments. The University has also published a Data Protection Policy to which all staff and students and any other persons using personal data on behalf of the University must comply.
Personal data means data that relate to a living individual who can be identified either from that data alone, or from that data used in conjunction with other information that is held or likely to be held. The University requires users of personal data to adhere to the eight principles of the Data Protection Act:
- The data shall be obtained and processed fairly and lawfully, and in particular, shall not be processed unless at least one of the conditions set out in Schedule 2 and, where appropriate, one of the conditions in Schedule 3 of the Data Protection 1998 is met.
- The data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- The data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- The data shall be accurate and, where necessary, kept up-to-date.
- Data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- The data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of the data and against accidental loss or destruction of, or damage to, the data.
- The data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Staff and students must only process personal data for the purposes covered in the University's entry in the Data Protection Register maintained by the Information Commissioner's Office. Staff or students who wish to process personal data for additional purposes must inform the Records Manager (the University's Data Protection Officer) before this processing is undertaken. The University's current entry is available through http://www.ico.gov.uk/ESDWebPages/search.asp
Further information about Data Protection can be obtained from the Records Manager in the Governance Support Unit, from the University's Data Protection webpage at http://www.dur.ac.uk/data.protection/ or from the Information Commissioner's Office website at http://www.ico.gov.uk