< Previous page ^ Table of Contents Next page >

Joint Report of the Council and the General Board on guidelines for the acceptable use of computers

The COUNCIL and the GENERAL BOARD beg leave to report to the University as follows:

1. In order to comply with recent developments in employment legislation, in particular the Human Rights Act 1998, the Data Protection Act 1998, the specific requirements of the Regulation of Investigatory Powers Act 2000, and the Lawful Business Practice Regulations, employers are required to inform their staff about the following points:

(i) the extent to which, and the purposes for which, computing facilities and Internet access, including e-mail, may be used by staff;
(ii) whether or not the facilities and access provided by the employer may be used for purposes other than those specifically related to the employment of the member of staff concerned;
(iii) the purposes for which, and the procedure whereby, the computer usage, the Internet access, and the communications of members of staff may be monitored and/or intercepted.

2. To comply with this requirement a working group, including representatives of the University Computing Service, the Personnel Division, academic institutions, and the University Data Protection Officer, was set up by the Personnel Committee to prepare guidelines on the acceptable and unacceptable use of University computers and networks. These guidelines were issued in April 2001.

3. Following the publication of the guidelines a Discussion was requested on the following topic of concern to the University: 'the issuing by the Personnel Division of Guidelines, whose authority is unclear, on the acceptable use of computer facilities, e-mail, and the Internet'. This Discussion took place on 10 July 2001 (Reporter, 2000-01, pp. 971-77).

4. The Personnel Committee accepted that the guidelines had caused concern to some members of staff, and that revision and clarification of the guidelines was desirable. They nevertheless continue to believe that guidance was required, and noted that other universities had already provided this. The Committee therefore agreed to revise the guidelines to make it clear that there was no intention to permit those who manage the University's facilities to intrude capriciously upon individuals' privacy nor routinely to monitor e-mail and Internet traffic. They agreed also that the revision should set out in detail the procedure by which files and mailboxes would be accessed on the rare occasions when this is necessary.

5. A revised policy has now been drawn up, and account has been taken of advice sought from the Faculty Board of Law and that of the Information Technology (IT) Syndicate. The Council and the General Board have on the recommendation of the Personnel Committee approved a revised version of the guidelines.

6. The Council and the General Board accordingly recommend that the guidance set out in the Annex to this Report replace the earlier version, and that it be approved by the Regent House with immediate effect.

29 May 2002ALEC N. BROERS, Vice-Chancellor ANDREW CLIFFA. C. MINSON


Use of computer facilities in the University by staff

Guidance for Heads of Institutions and all members of staff

1. Introduction

Personal computers with access to local networks, e-mail facilities, and the Internet are widely used in the University. Many institutions and members of staff depend on their use for teaching, for research, and for the administration of the everyday business of the University. Recent developments in legislation relevant to the use of computers bear on employees and employers alike. It is therefore necessary and in the interest of Heads of Institutions and all staff employed by the University who use or have access to computing facilities for guidance to be issued which will explain what is acceptable use.

In addition to this guidance, all users should be aware of the Information Technology (IT) Syndicate's Rules and the rules of the wider network provided by the Joint Academic Network (JANET) (http://www.ja.net/documents/use.html). The IT Syndicate's rules apply to all users (including staff, students, and academic visitors) of Computing Service systems and of networked systems in institutions connected to the Cambridge University Data Network (CUDN) (see Authorization for Connection to the University Data Network).

Acceptable use facilitates the purposes and aims of the University as an academic institution. With regard to all electronic communication, the University is committed to:

(a) encouraging and facilitating appropriate access to knowledge and its dissemination;

(b) ensuring that computer use does not breach either national legislation or the rules published by the IT Syndicate, the University Software Policy, CUDN authorization, and the United Kingdom Education and Research Networking Association (UKERNA) regulations for the use of JANET;

(c) protecting

(i) research data, including personal data collected for research purposes held on computer or transmitted via e-mail or the Internet
(ii) the intellectual property of others
(iii) the right of staff and students not to be subjected to discrimination
(iv) staff, students, and other members of the University community against any harm or mischief which might be inflicted on them by the misuse of computer systems by others
(v) computer systems and data against any damage caused by virus or other forms of contamination or misuse by individual members of staff
(iv) the University's resources
(vii) communications from unauthorized access

(d) respecting the rights of staff and students under national legislation.

(This list is not necessarily exhaustive)

2. Good practice


(a) Reasonable personal use may be made of computing facilities provided by the University. This personal use should not interfere with the performance of duties or cause any damage or difficulty to computers or to networks, or any difficulty or distress to others.

(b) Computing facilities should be used in a reasonable manner. Inappropriate software should not be installed and machines should not be reconfigured against the advice of the appropriate authorized officer. Anyone in doubt should seek the advice of the appropriate authorized officer.

(c) No person should make substantial use of the University's IT facilities for private financial gain or for commercial purposes outside the scope of official duties or functions without specific authorization to do so.

Internet usage (including e-mail, the Web, chatrooms)

(a) Reasonable use of the Web for other than strictly work purposes is permitted insofar as it does not adversely affect the user's work and the work of others and has a minimal effect on the University's resources.

(b) Reasonable use of University facilities is permissible for personal e-mails, provided that this does not have more than a minimal impact on resources and does not adversely affect the user's work or the work of others.

(c) If an e-mail message is personal, users may wish to make this clear by using the word 'personal' in the subject line.

(d) In their use of e-mail, staff should bear a number of points in mind:

(i) An e-mail message is legally equivalent to a letter. E-mail messages can be defamatory and can form contracts. For these reasons it is important to take the same care composing e-mail messages as letters.
(ii) E-mail messages, like other documents, can be disclosed to the person they are about under the Data Protection Act and in the event of legal proceedings.
(iii) Messages may be seen by system managers and other IT support staff, similarly to postcards being seen by postal workers. Moreover, the University cannot guarantee that communications will not be accessed illicitly.

Security and protection of information

The main points to be aware of are:

(a) Confidential material and personal information must be guarded by the proper use of passwords and other security measures.

(b) Not all computer systems are suitable for the storage of confidential information. Advice on this should be obtained from the appropriate authorized officer.

(c) Highly sensitive material can be further protected through the use of encryption. Advice on this may be sought from local computing staff.

(d) Passwords or other access codes must not be disclosed to other persons.

(e) All members of staff must comply with the Data Protection Act, which requires that the University keeps personal information secure.

(f) When working with confidential information, care must be taken not to leave it inappropriately on screen. A computer should not be left logged on when unattended, unless it is in a secure location.

(g) The same standards of confidentiality must be observed for electronically held or generated information as for information held on paper.

If you have a concern about the inadequate protection of data, you should inform your Head of Institution or the University Data Protection Officer so that any necessary steps can be taken to safeguard the data.

All members of staff have an obligation to protect data and systems by following up-to-date recommendations to avoid damage from viruses and other malicious programs. Guidance is available from the Computing Service and from institutional Computer Officers.

3. Misuse of computing facilities

Examples of misuse include:

(a) Hacking - attempts to access systems or information within or outside the University without authority, or encouraging others to do so.

(b) Deliberately accessing from the Internet material which is counter either to legislation, University rules or policies (e.g. equal opportunities), or to commonly accepted standards, or is likely to be offensive to reasonable people. Such material may be accessed only for bona fide academic purposes. It is recognized that accidental access to such sites can take place; members of staff who are concerned that such accidental access has taken place may wish to report their concerns to an appropriate person.

(c) E-mail communications which constitute bullying or harassment, as defined in the University's code of advice and instructions on bullying and harassment (the 'yellow booklet', http://www.admin.cam.ac.uk/offices/personnel/policy/bullying.html).

4. Investigation of misuse and interception

If the University is to investigate misuse of computing facilities, procedures must exist for inspection of any files held on any of the University's computing systems. These procedures will be applied infrequently and in a strictly controlled manner. Where inspection is deemed to be necessary, the Head of the Institution or authorized officer shall give permission for such access. The Registrary or the Academic Secretary, as appropriate, must be informed within 48 hours of any such action. Access will only be allowable in so far as it is necessary for the University to comply with national legislation, e.g. the Regulation of Investigatory Powers Act and the Lawful Business Practice Regulations or in connection with the investigation of misuse, examples of which are listed above, and will be initiated in accordance with the provisions of that legislation and to the extent permitted by data protection and human rights legislation and by general principles of employment law. The consent of the individual member of staff will normally be sought; however in certain circumstances access may exceptionally be obtained without consent,

(i) if urgent access is critically required for operational purposes but the member of staff is absent and cannot be contacted,
(ii) if there is prima facie evidence that a member of staff may be misusing facilities to an extent which would be considered serious or gross misconduct or if there is a need to initiate an investigation and there is a serious possibility that evidence might be destroyed.

The procedures set out above will be used only where there is an urgent operational need and the member of staff cannot be contacted or where there is prima facie reason to believe that misuse may have occurred. The privacy of individuals will be respected in other situations, and that privacy will be protected especially in connection with the areas defined in the Introduction. In the case of e-mail, normally subject headings only will be scanned, and the content of the messages will be read only where (in connection with item (i)) it is established that the message is one sent or received as part of the individual's duties as a member of staff or (ii) a prima facie case of misuse has already been established. While strict application of this principle cannot be guaranteed for arbitrary files (i.e., computer files other than e-mail) it will be used as a guide.

As part of normal procedures, computers linked to networks may be scanned automatically for vulnerability and a Head of Institution may authorize the routine monitoring of Internet access generally, including e-mail traffic volume (but not content), within their local area networks.

5. Misuse and disciplinary action

The Head of the Institution should decide in the light of the outcome of an investigation of possible misuse of computing facilities whether disciplinary action is appropriate, and if it is judged appropriate, instigate necessary action in accordance with the relevant disciplinary procedures concerned.

Heads of Institutions should consult with the relevant Personnel Consultant before instigating any disciplinary action against a member of staff.

< Previous page ^ Table of Contents Next page >

Cambridge University Reporter,
Copyright © 2002 The Chancellor, Masters and Scholars of the University of Cambridge.