Appropriate Use of Computing Resources

Purpose:

To outline the appropriate use of the University's Computing Resources by setting out rights and responsibilities and to establish a framework for consistency in campus practices and processes.

The University's Computing Resources are made available to faculty, staff, students, retirees, alumni, and visitors for the purpose of advancing the academic goals of: learning, teaching, research, and community outreach, for assisting in administrative operations which support these goals, and for assisting with alumni outreach.

Scope:

All users of University Computing Resources, including, but not limited to, faculty, staff, students, retirees, alumni, and visitors. This policy also applies to Separately Incorporated Entities of Memorial University. It covers all uses of University Computing Resources, regardless of where they are located or where they are accessed (on campus or off campus).

Definitions:

Account - A method of establishing a User's identity and providing the authorization for a user to utilize University Computing Resources.

Authorized User - An individual permitted to make use of University Computing Resources. Authorized users include faculty, staff, students, retirees, alumni, and visitors who have an association with the University that grants them access to University Computing Resources.

Electronic Communications - Any electronic method used to communicate or transfer text, images, sounds, signals, or data, including electronic mail, instant messaging, websites, video recordings, voicemail, facsimiles, pagers, and telephones.

Malicious Software - Software programs that damage or perform other unwanted actions on a computer system. Includes viruses, worms, trojan horses, and spyware.

Sensitive electronic data - electronic data that has been designated as private or confidential by law or by the University. Sensitive electronic data includes, but is not limited to, data protected by the Privacy Policy and the Access to Information and Protection of Privacy Act (ATIPPA) of Newfoundland and Labrador, including employment, health, academic and financial records, unpublished research data, third-party business data and all internal or business use only data. To the extent there is any uncertainty as to whether any data constitutes sensitive electronic data, the data in question shall be treated as such until a determination is made by the University or proper legal authority.

Shared Service – A University Computing Resource available to all Authorized Users.

Titled Account - An account which is created to identify a particular role within the University's operation. A titled account does not identify an individual, nor is it owned by an individual.

Unit Head - For the purposes of this policy, unit head is the term used to refer to Deans, Academic, non-Academic and Administrative Directors, Executive Directors, the University Librarian, the University Registrar, Division Heads and the Vice-President (Grenfell Campus) as applicable in the circumstances.

University - Memorial University of Newfoundland.

University Computing Resources - Computers, networks, data storage, software applications, e-mail addresses, websites, domain names and identities that are either owned or funded (in whole or in part) by the University or by funds administered by the University.

University Privacy Officer - The position with overall management responsibility for privacy policy and procedures at the University. This is a functional description, not a title. The University Privacy Officer is appointed by the President of the University. Unless otherwise indicated, the University Privacy Officer is the Information Access and Privacy Protection Coordinator.

Visitor – An individual that is neither faculty, staff, nor student, who has permission to access a University Computing Resource.

Policy:

1.0 General
Authorized Users of any University Computing Resources have a responsibility to use them in a way that is lawful, is in compliance with University policy, and is consistent with the purposes for which they were intended.

The University reserves the right to establish technical standards (hardware and software) as appropriate. All Authorized Users will be required to follow these standards.

2.0 Access
No person shall access University Computing Resources other than those which they are properly authorized to access.

2.1 Accounts and Identities
The University reserves the right to determine the structure and type of usernames, passwords and other identifying authorization mechanisms used to access University Computing Resources.

2.2 Personal Account Responsibility
Accounts which allow users to access the University’s Computing Resources are provided to individuals (Authorized Users) for their exclusive use. Authorized Users are prohibited from sharing such Accounts with others. The Authorized User is at all times responsible for the use of their Account.

2.3 Titled Accounts
All information communicated to a Titled Account will be owned by the University. Use and sharing of information in a Titled Account will be managed by the Unit Head.

2.4 Access by non-account holder
Internal - Under certain circumstances, the failure to permit inspection and/or disclosure of an account could significantly impede the legitimate operations of the University, and it may be either inappropriate, not possible (e.g., In instances where an Authorized User has died), or not feasible to obtain prior approval of the Account holder. The University may access and use information contained in the Authorized User's Account where the Unit Head determines that it is necessary, in accordance with the Procedure for Requesting Access by Non-Account Holder.

External - When an Authorized User has died, or is unable to access his/her account, the University may release information contained in the Authorized User's account upon application by their trustee, executor or administrator to the Unit Head of the unit in which the Authorized User last worked, in accordance with the Procedure for Requesting Access by Non-Account Holder.

Requests will be compliant with all federal and provincial legislation and subject to the relevant provisions of any University Collective Agreement. The privacy of all personal information not pertinent to the issue giving rise to the request for access will be protected to such an extent as reasonably possible.

3.0 Usage
The University provides University Computing Resources as a shared service to all faculty, staff, students, retirees, alumni and visitors.

3.1 Impact on Other Users or the University
The University reserves the right to limit the level of an Authorized User’s resource usage where such use, in the opinion of the University, negatively impacts other users or the University Computing Resources.

3.2 Personal Use
Personal use of University Computing Resources and services is permitted provided such use does not compromise the performance of an employee’s duties, compromise the operation of the University, cause the University to incur costs, damage the University’s reputation or involve activities that are inconsistent with the University's mission, except where otherwise authorized under applicable collective agreements.

3.3 Commercial Use
University Computing Resources shall not be used for commercial purposes or for the benefit of non-University organizations unless these purposes are consistent with University policies and procedures or authorized under applicable collective agreements or duly authorized contracts.

3.4 Campaigning and Lobbying
The University’s Computing Resources shall not be used for political campaigning or similar purposes.

4.0 Legal Use
All use of University Computing Resources shall be in compliance with all federal, provincial, and privacy laws, and all applicable University policies. Illegal use includes but is not limited to violations of copyright, dissemination or storage of material which is in violation of law such as pornography, hate literature, harassment, defamation and discrimination, threats, criminal activities, and the knowing use of viruses or malicious software.

5.0 Memorial University’s Identity
No employee may use University Computing Resources or identities to commit the University to financial or legal obligations unless existing formal policies or procedures have been properly followed.

A disclaimer, as found in the Electronic Communications Disclaimer in this Policy, will be automatically appended to outgoing e-mail.

6.0 Protective Measures
The University has established technical standards for University Computing Resources which all users must follow. These standards include protective software (e.g. antivirus, encryption) and will prevent the use of non-standard equipment in conjunction with University Computing Resources.

6.1 Inspection, use and disclosure
The University may permit inspection, use and/or disclosure of data or information, including Electronic Communications, under the following conditions, subject to relevant provisions of any University Collective Agreement:

The University is required by federal or provincial law, subpoena, or court order to divulge such data or information, or information pertaining to the account itself;
The University reasonably believes that a law or institutional policy has been violated;
Failure to permit inspection, use and/or disclosure would significantly impede the legitimate operations of the University, and it is either inappropriate or not feasible to obtain prior approval of the Account holder.

In such cases, approval of the Vice-President (Administration & Finance), or delegate, in consultation with the University Privacy Officer must be obtained in advance, and the privacy of all personal information not pertinent to the issue giving rise to the access will be protected to such an extent as reasonably possible.

6.2 Enforcement, violations, and discipline
A violation of appropriate use of University Computing Resources refers to any matter in which University Computing Resources are used for purposes that violate this or any University policy, federal or provincial legislation, or relevant provisions of Collective Agreements. Any person who becomes aware of a possible violation of appropriate use may report it, in accordance with the Procedure for Reporting Suspected Violations of Appropriate Use of Computing Resources. If there is a possibility that Sensitive Electronic Data may have been disclosed, altered, or destroyed by an unauthorized individual, a security incident will be reported in accordance with the Procedure for Reporting Suspected Security Incidents.

Any breach of this policy may result in disciplinary action. Violators of this policy may be denied access to University Computing Resources and may also be subject to penalties under University policies, Collective Agreements, provincial and federal law. The University reserves the right to take the appropriate steps to temporarily suspend an Authorized User’s account on the recommendation of the Vice-President (Administration & Finance), or delegate, and in consultation with General Counsel, where appropriate.

6.3 Exemptions

Requests for exemption from this policy should be addressed to the Vice-President (Administration & Finance), or delegate. Requests should detail the section of the policy for which the exemption is being sought, and propose compensating controls if any. Requests for exemption must be endorsed by the Unit Head.

Standards

Approved Operating Systems

Approved Anti-Virus Software

Approved Disk Encryption Software

Approved File Encryption Software

Blackberry Passwords

Connecting To Network

Procedures