Acceptable use policy

Purpose

This Acceptable Use Policy acts as an agreement between the enterprise and the user receiving Information Technology (IT) assets. Assets are defined as anything that has value to an organization, including, but not limited to, another organization, person, computing device, IT system, IT network, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards). This Acceptable Use Policy defines permitted usage of these assets, as well as restricted actions that users must not take in order to reduce risk to the enterprise.

The policy aims to protect University assets from misuse, ensure compliance with legal and regulatory obligations, and promote responsible behaviour among users.

Applicability

This policy applies to all users of the University’s IT resources and digital assets, including:

• Staff, students, contractors, and third-party users or other individuals who have access.
• All devices, systems, and services connected to the University network or used to process University information.
• All data formats and transmission methods.

It is the user’s responsibility to read and understand this policy and to conduct their activities in accordance with its terms. In addition, users must read and understand the enterprise’s Information Security Policy and its associated standards. Users who find the policy statements within this document to be unclear are encouraged to reach out to Digital and Technology Services (DTS) (https://www.dundee.ac.uk/it) to clarify any remaining ambiguities. 

Exceptions

Exceptions to this policy where employees need to use University IT assets in a manner that is inconsistent with policy must be made in writing and approved by your manager. This must contain: 

• The reason for the request,
• Risk to the University of not following the written policy,
• Specific mitigations that will not be implemented,
• Technical and other difficulties, and
• Date of review.

1. All exceptions must be requested to DTS via the University Service Desk Self-Service Portal: https://help4u.dundee.ac.uk.

Policy

User Responsibilities

1. Users must only use approved technology and services.
2. IT resources may only be used for authorised academic, research, administrative, or operational purposes.
3. All University assets are on loan to users so that essential job functions may be performed.
4. Upon separation from the University or contract termination, all supplied IT assets, and the associated data must be returned by the user.
5. Users must secure the physical environment around their workstation and lock their computers when stepping away.
6. Users must ensure that Personally Identifiable Information (PII), confidential, and any sensitive data that may be covered by government or other regulation, is not readily available or accessible on their desks or within their workspace.
   1. All users must take appropriate care to protect information, systems and related assets within their custody or care from loss, damage, or harm. Lost or damaged equipment must be reported to IT as soon as practical.
   2. Users must store their passwords in a secure manner. Password managers must be used to store passwords digitally.
7. Users-assigned accounts must only access assets, operating systems, applications, files, and data to which they have been granted access. The ability to inadvertently read, execute, modify, delete, or copy data does not imply permission to do so.
8. Only authorised users are permitted to post content or create the impression that they are representing, stating opinions, or otherwise making statements on behalf of the University on social networking sites, blogs, or other internet sites.
9. Users must keep knowledge about information and information systems gained during employment confidential and confidentiality must be maintained after employment ceases.
10. Users must comply with:
    1. UK and EU legislation https://www.dundee.ac.uk/corporate-information/it-policies-relevant-legislation
    2. Institutional policies and codes of conduct. https://www.dundee.ac.uk/corporate-information/it
    3. Jisc Acceptable Use Policy https://community.jisc.ac.uk/library/acceptable-use-policy

Prohibited Use

1. Connection to the University network of personal devices that have not been authorised or approved. This includes portable end-user devices and removable devices (e.g., USB sticks)
2. Password sharing with others or allowing the use of their account by other people. Users are responsible for all activity originating from their usernames and accounts.
3. Accessing, creating, or distributing offensive, obscene, or defamatory material.
4. Engaging in harassment, bullying, or discriminatory behaviour via IT systems.
5. Unauthorised access to systems, data, or accounts.
6. Users must not install software, hardware, or modify system configuration settings on any University asset, unless explicitly permitted by the user’s role and responsibility.
7. Use of IT resources for personal economic gain or political campaigning. Breaching copyright, licensing, or intellectual property laws.
8. Users must not engage in any activity with the intent to disrupt University assets or networks. Users must not perform any form of network monitoring, port scanning or security scanning unless this activity is a part of the individual's normal job and is formally authorised.
9. Introducing malware, spyware, or other malicious software.
10. Circumventing security controls of any user account or information system asset.

Expectations of Privacy 

1. When using University resources, the user shall have no expectation of privacy. Access and use of the Internet, including communication by e-mail and instant messaging and the content thereof, are not confidential, except in certain limited cases recognized by law.
2. The University reserves the right to monitor, access, and disclose all information generated and actions performed using University IT assets. Files, messages (including attachments), and logs may be retained and used as evidence in litigation, audits, and investigations.

Personal Use

1. Users must not leverage browser synchronisation or browser profiles that will move a user’s browser history from a personal device to a University asset (or vice versa).
2. Users must not use personally-owned accounts (e.g., Apple ID, Google Account, Microsoft Account) for device-wide accounts (e.g., Android, iOS, Windows) on University devices unless permitted by the University.
3. Users must work with DTS to create University-specific accounts for required assets and third-party services, such as creating a University-owned Apple ID for an Apple device.
4. Users must not use University license keys on personal devices unless authorised by the University.
5. University data must not be stored on non-University, personal cloud provider platforms (e.g., Google Drive, Microsoft OneDrive, Dropbox).

Reporting Violations 

1. Security incidents must be reported immediately to the DTS Service Desk Self-Service Portal https://help4u.dundee.ac.uk.
2. Users are responsible for understanding and complying with this policy.
3. University DTS Department is responsible for enforcing controls and monitoring compliance.
4. Violations may result in suspension or termination of access, disciplinary action under institutional procedures or legal action where applicable.

Remote Work

1. All University work must be performed on University-approved assets.
2. All University data must be stored on approved University assets.
3. Users must not connect University assets to open, unencrypted WiFi networks.
4. Users must be aware of their surroundings when working remotely to ensure others are not eavesdropping, ‘shoulder surfing’ or viewing confidential or sensitive material.

Bring Your Own Device 

1. Personal devices must not be connected to the University network without authorization.
2. University data must not be stored on personal devices without formal authorization.
3. Users leveraging their personal device to store University data may have their device completely wiped. Reasons for device wipe may include:
   1. Lost / stolen device.
   2. Termination of user’s employment.
   3. Compromised / hacked account or device.

Review and Updates

This policy will be reviewed annually by the University and updated as necessary to reflect changes in technology, legislation, or institutional priorities.