IT Code of Practice

This code of practice should be read in conjunction with the Regulations on the use of Computing Facilities, links to this and further guidance are available at the bottom of this document.

1. Introduction
2. Access to Facilities
3. Storage and Publication of Information
   1. Data Protection
   2. Publication of Information
   3. Copyright Material
   4. Electronic Mail
4. Misuse of Facilities
5. Discipline
6. Use of Open Access Areas
7. Security
8. Passwords
9. Software Licences
10. Departmental Records
11. Decommissioning of IT Equipment and Removal of Access to Computing Facilities
12. University Liability
13. Further Guidance

1. Introduction

Throughout this document, reference to any computing equipment, facilities or resources means any computing facilities: controlled by the University's central computing service; or owned by the University or by any University company; or situated on University premises (see Regulations on the Use of Computing Facilities, regulation 1). It also covers information stored on the campus network, the campus management and administrative computing facilities, networked and standalone personal computers on campus, and any facilities used for processing such information off campus (including laptop computers, mobile devices and home-based facilities).

The University of Sheffield has a dynamic IT environment, characterised by the free sharing of information. The purpose of this IT Code of Practice is not to restrict the general openness experienced in a creative institution, but merely to safeguard certain essential activities of the University.

2. Access to Facilities

The use of computing facilities requires authorisation in accordance with the Regulations on the Use of Computing Facilities (regulations 1, 2 and 3). Any equipment connected to the network should follow the appropriate network registration process.

Users are responsible for the activities and security of their user account and any equipment they have connected to, or registered on, the University network.

3. Storage and Publication of Information

Users must recognise that the University network is a shared resource and should ensure that their activities do not have a detrimental impact on other users.

3.i. Data Protection

Where personal data is to be stored, a user must comply with the Data Protection Act 1998.

The Data Protection Act 1998 concerns information about living, identifiable individuals that is processed automatically, or held in structured manual files. The Act gives individuals the right to have access to information stored about them and requires that this information is maintained and is correct. Organisations holding personal data must be registered with the Data Protection Registrar (an independent officer who reports directly to Parliament).

In addition, data users must comply with eight Data Protection Principles established by the Act. The Data Protection Principles are intended to protect the rights of the individuals about whom personal data is recorded. Guidance as to compliance with the principles may be obtained from the University's Data Protection Officer.

A user must ensure that the use of University-related personal data is restricted to the minimum consistent with the achievement of academic purposes; and contact the University's Data Protection Officer before conducting any activity that involves any form of processing of personal data.

Further information is available on the "Data Protection Policies" webpage.

3.ii. Publication of Information

The dissemination of information through the University's network or the Internet is in law the 'publication' of that information, and all legal rules governing publication (for example as to defamation) apply. Similarly, publication may have other legal effects; it may, for example, bar a subsequent application for a patent.

No user may create, store, exchange, display, print, publicise or circulate offensive or illegal material in any form, this includes:

• any material that is pornographic, excessively violent or which comes with the provisions of the Obscene Publications Act 1959 or the Protection of Children Act 1978 (Any such publication will be regarded as a very serious matter, which will be reported to the police);
• any material which may encourage discrimination on grounds of sex, gender, sexual orientation, race or ethnic origin, or which would contravene the Sex Discrimination Act 1975 or the Race Relations Act 1976; particular care is needed in the advertising of posts;
• any material in the form of an advertisement (even in specific Usenet newsgroups) which does not comply with the Code of Practice issued by the Advertising Standards Authority, requiring that all advertisements should be "legal, decent, truthful and honest".

Users must not use the computing facilities to originate or forward chain letters, "for-profit" messages, or for the purposes of a pyramid selling scheme.

3.iii. Copyright Material

A user must not copy any copyright material without the written permission of the owner of the copyright, unless copying is covered by some other provision such as that in a software licence. The University reserves its rights to the crest and logos which are its property; they, and departmental addresses, may be used only for official purposes. The policy "Unauthorised Copying and Distribution of Copyright Material" contains further guidance.

3.iv. Electronic Mail

A user is responsible for all electronic mail sent from his or her account. Care should be taken to ensure that e-mail is sent only to the intended recipients and the content of messages should be checked before sending. It should be considered that e‑mail may not be the best medium for sensitive information. It is prohibited to forge (or attempt to forge) e-mail messages, or to read, delete, copy, or modify the electronic mail of other users.

Electronic mail can be forged. A user who suspects that a message may not have been sent by the apparent originator should seek confirmation, preferably by telephone. Any misuse of electronic mail should be reported to CICS and will be investigated.

4. Misuse of Facilities

Regulation 5 (see Regulations on the Use of Computing Facilities) prohibits the misuse of computing facilities. No user may seek to or secure unauthorised access to any program or data held in any computer wherever located (Regulation 5a); a user must not attempt to decrypt system or user passwords or copy system files.

No user may use computing facilities so as to cause any unauthorised modification of the contents of any computer, wherever located, or in any way which jeopardises the work of others, or the integrity of the equipment or of any programs or data (Regulation 5b,c). This prohibits, inter alia, unsolicited or unauthorised "security tests" or "recovery tests", and the introduction of any viruses, worms, Trojan horses, logic bombs or any other harmful, disruptive, destructive or nuisance program or file on to any of the computing equipment, nor take action to bypass any security precautions installed by an appropriate authority to prevent this.

Careful consideration should be given to the content of any published material (eg e-mail, newsgroup contribution, Web page, images displayed on a screen, computer printout). Material that is unacceptable to the recipient and which creates an intimidating, hostile or offensive environment may constitute harassment under the University's guidelines. Publication of such material outside the University may harm the University´s good name.

Users of University IT facilities must conform to all applicable rules of English law, for example the laws on pornography, defamation, and financial services advice.

The Computer Misuse Act 1990 creates a number of criminal offences:

• Unauthorised access to computer material (‘hacking’) including the illicit copying of software held in any computer. This carries a penalty of up to six months imprisonment or up to a £5000 fine.
• Unauthorised access with intent to commit or facilitate commission of further offences, which covers more serious cases of hacking, with a penalty of up to five years imprisonment and an unlimited fine.
• Unauthorised modification of computer material, which includes the intentional and unauthorised destruction of software or data; the circulation of "infected" materials on-line; and the unauthorised addition of a password to a data file. This offence also carries a penalty of up to five years imprisonment and an unlimited fine.

Anyone wishing to report the misuse of facilities may do so to the Director of CiCS (e-mail c.sexton@sheffield.ac.uk).

5. Discipline

Breach of the Regulations on the Use of Computing Facilities is dealt with under regulation 7. In addition, use of computing facilities in breach of the IT Code of Practice may lead to the restriction of access to or the withdrawal of computing facilities.

Any use or attempted use of facilities by a person debarred from access or by another person acting on that person's behalf constitutes unauthorised use is therefore a breach of the Regulations on the Use of Computing Facilities.

6. Use of Student Computer Rooms

Priority must be given to study-related work at all times. Social e-mail, Internet chat and Web access for leisure are unacceptable when others are waiting to work.

Logged in computers should not be left unattended in open access areas. Only one computer can be used by any individual at a given time. It is not permitted to reserve computers, either physically or by any other means (for example, running a password protected screen saver). Any other individuals who require the use of such a computer are within their rights to reboot and use that computer.

Food and drink is not permitted in any open access facility, and smoking, as within any other part of the University buildings, is prohibited. Noise should be kept to a minimum to encourage a good working environment.

Threatening, harassing or abusive behaviour directed towards staff or fellow users is unacceptable.

Offensive material (abusive, sexist, racist, or pornographic) must not be displayed or printed in an open access area.

Misuse should be brought to the attention of CiCS, with details of the computer used, the date and time. Disciplinary action will be taken where appropriate.

7. Security

All proper precautions should be taken to protect the physical security of equipment and information. Use of physical security devices (such as clamps to secure computer processor units to desks) is recommended on all system equipment. Evidence of recently purchased equipment (for example, packing cases) should not be left on view for potential thieves to see.

Sensitive information can often be left in a vulnerable state merely by others gaining physical access. Office doors should be kept locked when the occupant is away and where this does not conflict with safety regulations. Computer display screens and printers should be positioned strategically to avoid accidental disclosure of sensitive material. A user should always log off from the computer account if leaving the computer unattended.

As private information is only as secure as the security mechanisms employed on the system on which it is maintained, sensitive, and particularly clinical data, should only be stored on an appropriately secured computer. When sensitive information is stored on a backup medium, precautions must be taken to ensure the storage is secure. Particular care should be taken to ensure physical security.

If sensitive information is processed off-campus, the same stringent procedures must be applied as on-campus. Access should be restricted and secure.

When transporting or transferring information, the information on separate media (e.g. CD, DVD or memory stick) should where possible be kept away from the hardware, to reduce the risk of theft. Hardware or media should not be left unattended when travelling; portable computers should be carried as hand luggage. The policy "Personal Information on Portable Devices and Media" contains further guidance.

Access to sensitive information should be strictly controlled when temporary staff or students are employed. Students should not have access to information stored about other students.

Users are responsible for ensuring that their computer is secure. CiCS's "Safe Computing" webpages contain further guidance.

All incidents involving actual or potential breaches of Information Security must be reported in accordance with CiCS's "Security Incident Policy".

8. Passwords

The password to a user's account is the key to the security of information, and more generally the integrity of the network system. A user is responsible for all activities and possible misuse originating from his or her account, and it is important that the password is not disclosed to anyone, whether intentionally or accidentally. It should not be written down or permanently stored on a computer or in a database. If a problem arises with a user's account, the password may be disclosed to a recognised member of CICS; the password should be changed immediately after any such disclosure.

Further advice is available on our "Passwords" webpage.

9. Software Licences

Users must comply with the terms of software licence agreements, copyright and contracts. A user is responsible for ensuring that his or her use of software is covered by a current licence or contract. Software provided on servers and central systems, including site licensed and Microsoft licensed software, must not be copied to hard disk or anywhere else. Software with non-transferrable licences must be removed when computers are decommissioned.

Similarly, use of facilities provided through JANET and CHEST and similar organisations or networks must comply with the relevant conditions and policies.

10. Departmental Records

Every department should;

• maintain a complete register of computing equipment including memory and hard disk capacities, and of all software installed on computers in that department,
• keep all software licences securely locked in a departmental office,
• log and report to CICS all security incidents or suspected incidents and ensure they are investigated.

Appropriate information should be provided to insurers to ensure that they are aware of any changes in the risk covered.

11. Decommissioning of IT Equipment and Removal of Access to Computing Facilities

When equipment is no longer of use it must be fully decommissioned. Software with non-transferrable licences must be removed. Computers that have been used to store sensitive information must have a low level initialisation performed on their hard disk, as deleting files merely removes the index to data stored and information might still be retained on the disk. Particular vigilance should be observed when removing passwords, personal information, etc. from hard disks. Further information regarding decommissioning of hardware is available by contacting CICS.

Staff who are leaving a department to work elsewhere in the University should re-register and have their old account disabled once any relevant files have been transferred. Staff who are leaving the University must inform CICS so that their account can be disabled. If a staff member leaves, or is absent from the University for a time, and his or her account has specific access right to systems or functions that are required by a department, the rights should be transferred to another member of staff rather than the absent staff member's account being used.

12. University Liability

The University can accept no responsibility for the malfunctioning of any computing facility, loss of data, or the failure of any computer security system, or any losses while using University systems. The University does not guarantee the continued availability of any IT facilities and accepts no liability for any loss or damage caused by the temporary or permanent withdrawal thereof.

13. Further Guidance

Further guidance is available from the resources below:

• Data Protection Policies - http://www.sheffield.ac.uk/cics/dataprotection/
• JANET Acceptable Use Policy - http://www.ja.net/company/policies/aup.html
• Passwords - http://www.sheffield.ac.uk/cics/codeofpractice/password
• Personal Information on Portable Computers and Media - http://www.sheffield.ac.uk/cics/remote/information
• Regulations on the use of Computing Facilities - http://calendar.dept.shef.ac.uk/calendar/09_regs_on_the_Use_of_Computing_Facilities.pdf
• Safe Computing - http://www.sheffield.ac.uk/cics/security
• Security Incident Policy - http://www.sheffield.ac.uk/cics/policies/securityincident
• Unauthorised Copying and Distribution of Copyright Material - http://www.sheffield.ac.uk/cics/policies/copyright