ICT acceptable use policy
STFC acceptable use policy for information & communication technology systems and services (effective from 1 December 2010)
The STFC policy statement on the acceptable use of Information and Communications Technology (ICT) systems and services (also available in PDF format, 63kB) was formally endorsed by the STFC Operations Board on 24 November 2010. The policy is effective from 1 December 2010 and supersedes earlier versions.
Purpose and scope
The policy is designed to:
- help all individuals (e.g. employees, visitors, contractors, Facilities users etc.) understand the ways in which they are / are not allowed to use the STFC ICT systems;
- help maintain the security, integrity and performance of the STFC ICT systems;
- minimise both the STFC and individual users' exposure to possible legal action arising from unauthorised use of the STFC ICT systems;
- help ensure that the STFC can demonstrate effective and appropriate use of publicly funded resources; and
- set the minimum standard for acceptable use across all STFC ICT systems
The policy covers use of all ICT systems and facilities provided either directly or indirectly by the STFC, and whether accessed from an STFC site or remotely, in particular:
- the Internet
- e-mail (all forms)
- electronic bulletin boards and social media
- Internet Relay Chat, Instant Messaging etc
- file sharing by whatever means
- computing devices (e.g. desktops, laptops, printers, PDAs etc.) and servers
- communications equipment (e.g. telephones (land-line and mobile), faxes and video conferencing)
In the absence of their own more restrictive requirements, the policy applies to STFC employees working on other organisations' sites and using their ICT infrastructure and services.
Policy
The STFC ICT systems, services and facilities are provided to enable employees and other authorised individuals to perform their jobs effectively and efficiently. All normal use of these systems in pursuit of the STFC business within an employee's authority to act is allowed.
Some limited and reasonable personal use of the STFC ICT systems by employees is allowed provided that it is not excessive, does not interfere with normal work or the work of others, does not involve more than minimal amounts of working time, does not involve the STFC in significant expense, does not expose the STFC to legal action or risk bringing the STFC into disrepute, and does not relate to running a private business.
All use by non-employees is subject to the same restrictions as for employees. This includes all Tenant organisations that make use of STFC ICT systems and services.
Additional information on acceptable (including personal) use, restrictions on use and penalties that can be applied is available in Annex A below.
Where additional local standards of acceptable use are set, these should be respected provided that they do not violate, weaken or void any of the minimum standards set by this policy.
Breaches of the policy will be dealt with under STFC's disciplinary and/or, as appropriate, STFC Fraud policy, or by equivalent sanctions in the case of non-employees.
Monitoring
The STFC reserves the right to monitor communications according to its published monitoring statement (see Annex B).
Related Policies and Procedures
- Where an external network connection is provided as part of the Joint Academic Network (JANET), the JANET Acceptable Use Policy applies;
- the procedures laid down in the STFC Information Systems Privacy & Security Policy;
- the STFC data protection policy (available on the STFC Staff Intranet "InFocus") - see 'Data protection fair processing' notice;
- and the STFC 'Code of practice on copying copyright material';
- Frequently asked questions (FAQ) about the STFC AUP.
(NB: Some related policies may not be accessible from non STFC networks or systems.)
Annex A
A1 STFC Acceptable Use Policy - Details and Penalties
The STFC Information Systems Privacy & Security Policy is the primary source of the STFC policy on acceptable use of its ICT systems and services. This web page (also available in PDF format, 63kB) is intended as a guide to the interpretation of the policy and provides a list of uses which are specifically excluded and the penalties which may be applied to transgressors. The list is not necessarily comprehensive.
Unacceptable activities
- Spending more than minimal amounts of working time making personal use of the internet, e-mail, and other ICT Systems and services (see section on private/personal use below).
- Transmitting or storing any material such that this infringes the copyright of the owner.
- Purchasing goods or services or entering into any contract via the Internet or any other ICT system on behalf of the STFC without the necessary authority.
- Business advertisements or trade sales*.
- Trading, i.e. sale of any goods purchased with the sole intention of making a profit*.
- Using an unauthorised Instant Messaging or Internet Relay Chat service.
- Sending or forwarding chain emails.
- Making your personal user name and password (also known as a 'user account') available for other people to use on your behalf.
- Accessing another individual's data without appropriate authorisation.
- Deliberately creating, storing or transmitting information which infringes the STFC data protection registration.
- Using the STFC-provided communication equipment to make unauthorised personal/non-business related calls to premium rate or international numbers; or subscribing to premium rate text messaging services.
- Knowingly allowing the use of STFC ICT resources (for example Internet bandwidth) by unauthorised third parties*.
* STFC Tenants may be permitted these activities if they are explicitly included in tenancy agreements.
Forbidden activities
- Using another person's identity so as to appear to be someone else.
- Attempting to gain unauthorised access to another user's e-mail, data files or information.
- Deliberately accessing, viewing, receiving, downloading, sending or storing material:
  - with pornographic, offensive, obscene or indecent content;
  - related to criminal skills or terrorist activities;
  - that promotes or encourages racism or intolerance;
  - that is illegal in the UK or the host country;
  - that is defamatory, offensive or abusive;
  - that will, or is likely to, bring the STFC, its staff or Council members into disrepute;
  - that is known to be infected with a virus, worm, Trojan or any other form of malicious software or code.
A2 Penalties
Unacceptable activities:
Any activity that falls within this definition will render an employee liable to disciplinary action (described in CEM 8). Serious instances of 'unacceptable' use (e.g. forwarding a large number of chain emails) may be regarded as gross misconduct and may lead to summary dismissal. Where relevant the STFC Fraud policy will also be invoked. For non-employees the appropriate action will be discussed with the individual's management and will result in equivalent sanctions which may lead to a bar on site access. Any suspected illegal action will be reported to the police.
Forbidden activities:
Any 'forbidden' activity will render an employee liable to disciplinary action (described in CEM 8) which, where the activity is deemed to amount to gross misconduct, will normally lead to summary dismissal. The STFC Fraud policy may also be invoked. Other individuals will be barred from STFC sites and appropriate additional sanctions may apply. Any suspected illegal action will be reported to the police.
A3 STFC employees' private / personal use of ICT systems, services and facilities
At management discretion, STFC employees are allowed limited and reasonable personal use of the STFC ICT systems, services and facilities provided that such use:
- does not interfere with their (or others') work; and/or
- does not involve more than minimal amounts of working time;
- does not incur any significant expense for the STFC and/or tie up a significant amount of resource.
Personal use should not be undertaken in working time and be limited to non-working time e.g. at lunchtime; or before/after normal working hours; or when 'clocked out' for members of flexi schemes. Very limited, occasional personal use during normal working time will be tolerated - e.g. to respond briefly to an incoming personal e-mail or telephone call or to deal with a non-work related emergency. However, spending significant amounts of time making personal use of the internet, e-mail, communication equipment, etc. is not acceptable and may lead to disciplinary action.
Before undertaking personal use, all staff should ask themselves the following questions.
- Would my actions be considered unacceptable if viewed by a member of the public?
- Would managers, auditors or others in similar positions call into question the cost effectiveness of either my use of work time or my use of the STFC ICT systems and facilities?
- Will my personal use have a negative impact upon the work of my colleagues (e.g. in terms of their motivation and morale)?
- Could my personal use bring the STFC directly or indirectly into disrepute?
Personal use should not be undertaken if the answer to any of these questions is yes.
Responsibility for ensuring that any personal use is acceptable rests with the individual. Staff should seek guidance from their line manager if they have any doubts concerning the acceptability of their personal use. If any doubt still remains, then that form of personal use should not be undertaken.
A4 Non 'staff' private / personal use of ICT systems, services and facilities
It is expected that non-staff (such as Facilities users, contractors, visitors, etc.) will be made aware of the general STFC AUP restrictions and guidance before they have access to STFC ICT systems and services. This should include a statement on private/personal use that should be in line with the restrictions placed on STFC staff but may be more restrictive if required.
Additional notes
- Unsolicited receipt of discriminatory, abusive, pornographic, obscene, illegal, offensive or defamatory messages (e.g. e-mail SPAM/text messages) will not be treated as a disciplinary offence. With the exception of illegal material, anyone who receives such material should, where possible, file this in the #SPAM public folder in Exchange.
- Anyone accidentally accessing a pornographic or other inappropriate web page should report the matter to their line manager. No disciplinary action will be taken in such cases. If the line manager is unavailable, contact your Information Security Group (ISG) representative either directly or via your local IT Service Desk.
- Anyone accidentally viewing what they believe is illegal material (e.g. child pornography) must immediately stop what they are doing, take a note of where they found the illegal material and close the software application displaying the material. This includes e-mail. They must not view the illegal material again and must take appropriate measures to ensure that others cannot view the material. They must then inform their line manager and the STFC IS Security Officer who will decide how to proceed. It is a criminal offence to continue to view, allow others to view, or not to report some illegal material.
- IT Service Desk, security teams, and others, as part of an approved programme of work, may occasionally need to undertake activities that are excluded above in order to carry out their work. When doing so they are required to follow designated procedures (see the STFC Information Systems Privacy & Security Policy), including obtaining authorisation in advance (usually from the STFC Director responsible for HR and the STFC IS Security Officer, but in some cases from line management as part of their normal duties).
Annex B
B1 STFC acceptable use policy - monitoring statement
The STFC employs monitoring techniques on its ICT systems and services, including e-mail and Internet access, to enable usage trends to be identified and to ensure that these facilities are not being misused.
Monitoring is limited, as far as practicable, to the recording and analysis of network traffic data. To this end, the STFC keeps logs of calls made on communications equipment such as telephones and fax machines; of e-mails sent, by e-mail address; and of Internet sites visited, by computer system address. In some cases, this means that the identity of the individuals involved in the communication is readily available.
These logs are not routinely monitored on a continuous basis but spot-checks are carried out from time to time to help ensure compliance with this policy. Further authorised investigations may be necessary where there is reasonable suspicion of misuse of facilities.
Since the STFC owns and is liable for data held on its communications equipment and systems, it reserves the right, as part of such investigations, to inspect the contents of any e-mails or any other form of communications that are sent or received and of Internet sites accessed, for compliance with this policy. This will only be done where the volume of traffic or the amount of material being downloaded is excessive, or there are grounds to suspect that use is for 'unacceptable' or 'forbidden' activities. Exceptionally, where there is a defined and valid reason for doing so, the inspection of e-mail contents may include items marked 'private' or 'personal'. Individuals' e-mail and voice-mail accounts may also be accessed by management when they are absent from work to ensure official business matters can be effectively dealt with.
Monitoring/investigations of individuals' use of the STFC communications systems may also happen in the following circumstances:
- To detect or prevent crime e.g. detecting unauthorised use of systems, protecting against viruses and hackers, fraud investigation etc.
- As part of occasional training and quality control exercises e.g. how incoming calls are handled.
- To assist in maintaining the security, performance, integrity and availability of the ICT systems, services and facilities.
- To provide evidence e.g. of a commercial transaction, to establish regulatory compliance, audit, debt recovery, dispute resolution.
Where monitoring is used, only STFC staff trained in data protection compliance will investigate the recorded data. Confidentiality will be ensured for all investigations involving personal data, except to the extent that wider disclosure is required to follow up breaches, to comply with court orders or to facilitate criminal investigation. Logged data will not normally be retained for more than one year unless required by regulatory compliance.
In addition, members of the STFC Information Security Group (ISG) (details available on the STFC Intranet), IT Security Team and Network Security Group will conduct random audits on the security of the Council's ICT systems. These audits include examination of a small, randomly selected set of desktop and server systems. The audit checks that these systems have correctly licensed software, do not contain inappropriate material and have not been used to access or view inappropriate material that may violate the STFC AUP.
Where monitoring reveals instances of suspected misuse of the STFC ICT systems (e.g. where pornography or other inappropriate material is found, or where substantial time-wasting or other unacceptable/forbidden use is found), they will be investigated through the disciplinary procedures and may lead to summary dismissal.
Personal files, documents and e-mails
To help safeguard their privacy, it is suggested that individuals mark any personal e-mails they send with the word 'Personal' or 'Private' in the subject line, and ask those they correspond with to mark any personal e-mails they send in the same way.
Personal files, documents and e-mails can be stored in STFC ICT systems provided they are in a folder clearly marked as 'Personal' or 'Private'. Note that STFC's corporate electronic document or record management facilities (ERMS) do not include a facility for personal data, so should not be used for this.
Where possible, staff monitoring or inspecting the STFC IT and communications systems will respect e-mails and folders which are marked 'Personal' or 'Private'.
Page last updated: 06 April 2011 by Nicola Lukas