Regulations for the use of IT-resources at the University of Agder
1 Scope of Regulations
1.1 These regulations apply to the use of IT-services at the University of Agder. “IT-services” include UiA computers and IT-systems, end user equipment, networks, programs, data etc. that are put at the disposal of employees and students by the University of Agder. Local, national and international networks, or other computers and systems that may be accessed through these resources, are also included.
The regulations apply to employees, students and all others who are given access to IT-services, hereafter termed ‘users’.
1.2 Regulations are to be clearly visible in relevant locations, such as terminal rooms, and must also be available electronically. Copies of the regulations are available at the ICT department. When registering for the first time, users should be informed about or given a copy of the regulations.
1.3 All users have a duty to keep themselves informed about the most recent version of the regulations.
1.4 Changes in the regulations must be adopted by the University Board. The University Director has the authority to adopt minor changes to the regulations. In such cases the University Board should be fully informed about the Director’s decision.
2 Loyal use of IT-resources
2.1 When a service requires user identification, the person in question has to authenticate his/her identity by way of user name, password or in another regular manner.
2.2 Users have a duty to comply with operating staff’s instructions concerning the use of IT-services. Users also have a duty to familiarize themselves with available manuals in order to minimize the risk of operational disruptions or loss of data due to ignorance.
2.3 When the user’s formal connection with the university is at an end, he/she is responsible for ensuring that copies of data, programs etc. that belong to the university are not deleted, but turned over to the IT-department centrally or to a local IT-officer. Private files/data should be deleted by the user within a period of three months. If this is not done, the material may be deleted by the IT-department. In cases of death, the inheritors can take over the material by agreement.
3 Security
3.1 No user must take actions which result in operational disruptions in any part of the system or which in any other way may cause inconvenience for other users.
3.2 Users who make use of other storage devices than those allocated by the IT-department are themselves responsible for securing these devices against data loss. Such devices include local hard disk, external hard disk, USB drives etc.
3.3 It is the duty of the user to keep the password and other security elements secure and confidential.
3.4 If a user discovers that his/her password can be identified by using computerized control routines, the user must change the password as soon as possible.
3.5 A user must, as far as possible, prevent unauthorized persons from gaining access to the net and IT-services or to rooms where IT-equipment is available. User name and password must never be shared with others.
3.6 It is the duty of the user to be aware that programs or data may contain unwanted elements (“virus”) and to make sure that the advice issued by the IT-department concerning such elements is followed.
3.7 It is the duty of the user to report matters that may be of significance to the security of the IT-department or the integrity of the supervisor, to the local IT-officer or the IT-department.
4 Respect for other users and privacy protection
4.1 A user must not seek to achieve unauthorized access to the data, programs etc. of other users, or attempt to gain knowledge of other users’ password/security details.
4.2 Users must be familiar with regulations which concern personal information. Computer based files which contain information about individuals or about companies or organizations (juristic persons and corporate bodies) will normally only be created after getting permission from The Norwegian Data Protection Authority. If a user should wish to register information about persons, the user in question needs to ascertain that permission to do so has been granted by the authority of the Personal Data Act or regulations pursuant to this act or according to concession given to the University of Agder. If the register will not be permitted pursuant to these regulations, the user has a duty to apply for the required permission. The operations manager will be able to give advice to users on how to obtain the necessary permissions.
4.3 A duty of secrecy applies to any personal information concerning other people that users may come across through their IT activities.
5 Proper use and resource awareness
5.1 Users are jointly responsible for ensuring that the university’s IT-resources are used in the best possible manner. The term ‘resources’ here refers to time and capacity for both computers and networks as well as the capacity of the personnel involved in the various activities of the IT-services.
5.2 A user should as far as possible refrain from using IT-resources for other purposes than those directly linked to academic work, administration, own research, studies or organizational activities for university associations or unions.
5.3 Users must not use IT-resources for issuing defamatory or discriminatory statements, to spread pornography or confidential information, to intrude on the privacy of others or encourage or contribute to illegal or non-sanctioned activities.
6 Rights
6.1 Normally there are rights attached to both computer programs and to data (texts as well as collections of information such as databases) that make the use of such data or programs conditional on agreement with the person holding the rights. Users have a duty to respect the rights of other persons. This applies to the use of musical works and other information that is subject to copyright, both on the Internet and in other electronic information systems.
6.2 When the university makes software, data or other material available, users have a duty to respect such limitations on use as follow from the agreement. The agreement will be available from the local IT-officer or the IT-department.
6.3 Users are not entitled to copy programs by means of the university’s equipment beyond what is laid down in license agreements. It is under no circumstances permitted to copy licensed software beyond what is laid down in the Select-agreement (Microsoft products) or in similar agreements.
7 Quality of services and liability for damages
7.1 Users are themselves responsible for the use of information, programs etc. made available through the IT-services. The university does not accept any responsibility for financial loss as a result of errors or defects in programs, data, and the use of information from available databases or other information obtained from the Internet etc.
8 The University and the IT-department’s right of access
8.1 The university/the IT-department has a right to apply for access to the individual user’s reserved areas in the system when the intention is to (i) ensure the functionality of the system, or (ii) to check if the user is acting in a manner contrary to provisions of these regulations or has done so in the past. Access to a user’s reserved areas is granted only when there are substantial reasons for suspicion and when the user’s action may have significant impact on IT-operations or the liability of the university. The IT-department must not access a user’s reserved areas without permission from the University Director.
8.2 It is assumed that the IT-department’s checks to ensure stability of operations and to prevent unauthorized access to data take place within the framework set out by laws and regulations. Checks that may be seen as directed against individuals should be logged and a report on such checks sent to the University Director.
8.3 Where the use of a work station, terminal or other end user equipment is subject to surveillance by the IT-department for reasons of operations security or for other reasons, this is to be made known by the placing of a mark on the unit or in any appropriate manner.
8.4 IT-department personnel have a duty of secrecy with respect to any information about users or user activity obtained in the manner described above. However, any matter that may constitute a breach of these regulations can be reported to a higher authority.
9 Sanctions
9.1 In cases where users fail to comply with these regulations, the Head of the IT-department or his/her deputy may deprive students of their accounts with immediate effect and withdraw the right to use the university’s IT-services for a period of up to one week. Similar sanctions against staff must be decided by the University Director or his/her deputy. The case must without delay be reported to a senior manager, i.e. at department or office-level in case of employees or to the Director of Studies when students are involved.
9.2 In cases of repeated or serious breaches of these regulations a decision may be made to withdraw user rights to the university’s IT-services for an extended period of time. Such decisions must be made by the University Director in cases concerning staff and by the Director of Studies if students are involved. The University Director and the Director of Studies are also responsible for assessing whether further sanctions should be applied. Decisions concerning access to IT-services may be appealed pursuant to the regulations of the Public Administration Act.
9.3 The University Board is the appellate authority in cases concerning employees and students.
Adopted by the Board of Agder University College 5 February 1997 and amended 18 June 1997 (Board Matters 113/97). Terminology revised in connection with transition to university status 2007. Language revision 9 September 2011. Minor change 9 April 2014.
This is an English translation of the IT-regulations in Norwegian. The Norwegian version is formally adopted.
Responsible for this page: webredaksjonen@uia.no