Digital - Acceptable Use Policy

1.2. Purpose
This policy defines the acceptable use of University digital and information technology.

1.3. Scope of Policy
This policy, its principles and obligations apply to:

• All University digital and information technology.
• All users of University digital and information technology.
• All devices making use of University digital and information technology, including personally owned and University provided devices, connecting to both the wired and wireless networks.
• Digital and information technology administered on behalf of the University.
• All electronic communications residing on, or distributed, sent or received using, University digital and information technology.
• Internet access provided via University digital and information technology.
• Social media operated on behalf of, or referring to, the University.
• New University digital and information technology and uses, which may not yet be explicitly identified.

1.4. Policy Exemptions
The inability to comply with the Digital Acceptable Use Policy will occur from time to time for a variety of reasons. In this instance an exemption from the policy will be required.

This policy ensures that an appropriate level of risk is maintained by the University and any exemption must therefore be fully assessed to ensure that the altered risk levels are understood and approved.

See section 6 of this policy for more details about the Cyber and Information Security Exemption Process.

Users are defined as anyone who connects to the University digital and information technology, including staff, students and third parties. Third parties include, but are not limited to, contractors, visitors and members of the public.

2.1. Confidentiality
The nature of Swansea University’s activities means that our staff, students and third parties may handle significant volumes of data and information which includes personal data. The success of the University is dependent on the trust that others including external parties, students etc have. Users must treat all information (digital and physical) in a confidential and professional manner.

Users must not disclose personal or sensitive information to colleagues or third parties who do not have a legitimate business need to know.

When discussing Swansea University related business, all users are responsible for taking reasonable steps to ensure their discussions cannot be overheard or seen by unauthorised individuals.

2.2. Integrity
Users must make all reasonable efforts to ensure that the information that they process is accurate. Where they discover inaccuracies, they should highlight these inaccuracies to the appropriate person. The appropriate person will vary depending on the information and the inaccuracy, and may be:

• Line manager.
• Head of department or school.
• Data Guardian.
• Data Protection Officer.
• Executive Dean of the Faculty (for academics and students) or
• Registrar/Chief Operations Officer. (for professional services and third parties)
• Chief Digital and Information Officer.

2.3. Availability
Users must ensure that all University business information (digital and physical) is available to all authorised individuals within a reasonable timeframe. University business information is defined as information that holds meaning, value or significance for the University, Users must not engage in any activities which are likely to adversely impact the availability of Swansea University’s systems or information.

2.4. User Awareness
Users need to be aware of Swansea University’s Information Security policies as well as their obligations under the current Data Protection legislation and other regulations that apply to Swansea University. Swansea University provides mandatory training for both Information Security and Data Protection which all users must complete when they join the University and at regular intervals throughout their employment, when prompted.

Swansea University requires all users to take responsibility for being aware of the risks involved in using digital technology, particularly as social engineering is a major source of attack, and these attacks are increasingly sophisticated making them much harder to recognise.

Swansea University accepts that users may be tricked into and/or make mistakes. Whilst users need to take responsibility for their actions, Swansea University operates a ‘no blame’ culture where a genuine mistake has been made. Users are expected to report such incidents in a timely manner, by contacting the IT Service Desk, so any potential harm can be minimised and mitigated. The IT Service Desk can be accessed by clicking this link: https://suprod.service-now.com/sp/.

2.5. Access to Swansea University Buildings
Swansea University controls physical access to its offices using building access cards and keys which are issued to all staff, students and contractors. Some visitors and occasional staff will be issued with temporary passes.

All users are responsible for:

• Ensuring that they wear their Access Card, so that it is visible at all times whilst in Swansea University’s offices.
• Keeping their Access Card safe at all times.
• Avoiding unauthorised copies from being made.
• Reporting that an Access Card has been lost or stolen to Estates and Campus Services in a timely manner.

When not on Swansea University’s campuses, staff, students and contractors are advised not to wear the access card as it may identify the individual to potential outside threats.

2.6. Swansea University Working Environment
All documentation containing personally identifiable information and mobile equipment (for example: laptops, phones, tablets, other removeable media etc) needs to be cleared away when not in use. In practical terms, this means all users are responsible for ensuring their desks should be cleared at the end of each working day and any materials either securely stored or appropriately disposed of.

2.7. International Travel
When traveling internationally, for both personal and professional purposes, users need to consider the safety and security of:

• University data and information.
• University digital services.
• Both University owned and personal IT equipment and devices.

From time to time the University may issue specific guidance in relation to travel to specific countries. In the absence of such guidance, the user should consult the up-to-date Drum Cussac report for the country being visited and follow the advice found in the Health, Safety & Resilience International Travel Policy Arrangements.

2.8. Swansea University Equipment
Users must only use Swansea University equipment for the purposes that it has been provided to that individual. The individual must ensure that good care is taken of all Swansea University equipment issued to them or which they use.

Users must seek approval from the Chief Digital and Information Officer or their delegate before adding or connecting new servers and network infrastructure to existing University Digital Infrastructure.

All users are responsible for the safe keeping of all equipment issued to them by Swansea University. Care needs to be taken of this equipment so that it is in good working order when returned to Swansea University when no longer required or when the user is leaving the University. If a user has any issues with Swansea University owned equipment, then these issues must be reported to the IT Service Desk or Faculty IT Team as soon as practically possible.

When leaving a computer unattended, users must either lock the computer or log off to ensure that another person cannot gain access to Swansea University’s systems or data. This applies to all users regardless of the location that they are working from (i.e. on a Swansea University campus, at other parties’ sites, whilst travelling, at home, and all other locations).

The loss or theft of Swansea University digital equipment must be reported to the IT Service Desk or Faculty IT Team as soon as this is discovered so that the appropriate actions can be taken. The IT Service Desk can be accessed by clicking this link: https://suprod.service-now.com/sp/.

2.9. Dealing with Others
All users are responsible for acting in a reasonable manner towards all others who they interact with when using University digital and information technology in the performance of their duties and any associated social interactions. The details of these behaviours are set out in:

• University Human Resources policies and procedures.
• Dignity at Work and Study: Combating Harassment Code of Practice.

2.10. Copyright and Intellectual Property
All users are responsible for ensuring that they respect both copyright and the intellectual property of others (individuals and organisations). This includes not using unlicensed images, video or software.

See:
• Policy on Intellectual Property.
• Copyright Overview.

2.11. Leaving Swansea University
When users leave Swansea University, they are required to return all university property. This includes all IT equipment, which must be in good working order. No copies of University data should be made or retained. All digital records and documents that contain University business sensitive or personal information, and access cards and keys that are in their possession must also be returned.

3.1. Overview
All users need to be aware of the rights that Swansea University may exercise to ensure that all users comply with its Information Security policies. These policies are designed to safeguard the confidentiality, integrity and availability of the information held by the University on behalf of its staff, students, third parties and the institution itself.

3.2. Right to Protect
The University has the right to implement all appropriate measures to protect its systems and information and ensure that they are only used in accordance with the Information Security policies. These measures will be implemented through both organisational and technical controls.

3.3. Right to Monitor
The University has the right to monitor all its systems, processes and information to ensure that all users are complying with the Information Security policies.

When the University detects unusual activities, the University has the right to monitor all activities of a specific individual for a set period, without that individual’s knowledge. Such targeted monitoring must be authorised by the Chief Operating Officer and Registrar, or their nominated deputies, prior to the targeted monitoring being conducted. Additionally, this targeted monitoring will be conducted under the supervision of the CISO (Chief Information Security Officer).

The University has the right to conduct social engineering tests to determine the effectiveness of its controls (organisational and technical) and the state of user awareness. Social engineering tests may be conducted without the prior knowledge of the users, having been previously approved by the Cyber Advisory Panel.

3.4. Right to Access
User Accounts are provided for work and study purposes. They are not private. User accounts created by staff independently for the primary or substantial purpose of conducting University business are deemed to be University User Accounts.

All electronic communications using University User Accounts are deemed to represent communications sent or received for and on behalf of the University. For the purpose of ensuring compliance with the Information Security policies, or for any other valid business purpose, the University has the right to access all information that it holds digitally at any time.

In the case of digitally held information, this includes any personal information held by individuals on the University systems, including cloud-based systems used by the University.

Access to monitoring information, including personal information, will be restricted to authorised staff who have specific approval, for limited periods of time. These monitoring activities will be in accordance with all applicable privacy laws and data protection regulations at all times and records will be kept when such monitoring takes place.

3.5. Right to Request Removal
The University reserves the right to request the removal of any content published on social media by a University user if it:

• Contravenes the University’s regulations or policies, which include the Dignity at Work and Study Policy and the Strategic Equality Plan.
• Disclosing confidential information relating to the University, its students, its staff, its partners or its suppliers.

When a request to remove content from social media is made by the University, it must be complied with as soon as is practical, and in any event within a reasonable time, having followed the approval process.

4.1. User Accounts
Swansea University will provide users with individually identifiable accounts with the appropriate access to the University’s systems and data in order to perform their duties. Users are responsible for all activities conducted from the accounts assigned to them and must take appropriate measures to protect them. This includes not sharing their login details with any other user, including IT Support staff.

Electronic messages may be disclosed in various circumstances including, but not limited to, legal proceedings, Data Subject Access Requests (DSARs), and disciplinary investigations.

Electronic messages may be recovered even where a user has deleted them.

4.2. Passwords
All passwords must meet the password requirements set out in Password Guidelines.

Multi Factor Authentication (MFA) should be set up and used where technically possible, to supplement the use of passwords.

4.3. Software Usage
All software used on Swansea University infrastructure must be appropriately licensed, supported by the vendor, and in receipt of critical updates/vulnerability fixes when needed.

4.4. Removable Media
Removeable media may be used if the stored data is appropriately encrypted.

4.5. Swansea University Email
Swansea University provides university email addresses to its staff, students and some third parties for business communications. Email must be treated as a formal method of communications. All emails are recorded.

Social engineering is one of the major methods used in cyber-attacks and all users could be targeted. Users need to be cautious when they receive emails from senders they do not recognise and are not expecting to receive emails from. Additionally, users should be suspicious if they receive an email from a known user, which uses unusual language or makes an unexpected request. This is especially true if the email contains links to websites or attachments, so care must be exercised when clicking on links or opening attachments. Users should be particularly cautious when accessing email on a mobile phone or tablet.

Additionally, users should be aware that they may receive phishing or social engineering emails from colleagues they trust after their colleague’s email account has been compromised.

Care must also be taken when sending information by email. It is strongly recommended that personal details or a large amount of information should not be sent by email, but rather shared by sending a link to a document held on Swansea University OneDrive or SharePoint, so that access can be controlled and rescinded. If there is no option other than to send information by email, the information must be encrypted prior to being sent.

Occasional and appropriate use of university email for personal use is permitted but this must not unduly impact the performance of an individual’s role. This includes arranging social activities with colleagues within Swansea University. It is a line management responsibility to control personal use of email by their staff.

Access to university email is a privilege and may be withdrawn by Swansea University if its use is abused, in accordance with the appropriate approval process.

4.6. Internet Usage
Whilst the University has implemented measures to monitor internet connectivity and activity to comply with the Prevent duties to protect its staff and users from radicalising content, there may be occasions out of the University’s control which lead to content deemed “potentially harmful” being accessed through the Internet. The University does not accept responsibility for inadvertent exposure to potentially offensive material accessed by internet users using University digital and information technology, except to the extent that it is obliged to in law.

For many materials, if accessed for research purposes, it will be necessary to first complete a research ethics application before accessing the materials. When approved, to minimise the risk of exposure of offensive material to others, users are required to act in a responsible and considerate manner when accessing the Internet.

4.7. Messaging
Swansea University provides enterprise messaging platforms to assist with business communications, which can be used in conjunction with, or instead of, email. These messages must be treated as a formal method of communications and messages may be recorded.

4.8. Social Media
Specific individuals may be authorised to use social media on behalf of Swansea University and will be assigned University social media accounts.

The University encourages individuals to use personal social media accounts to promote and benefit the University. Individuals need to exercise due care and attention to ensure that they comply with Swansea University’s policies, regulations and ordinances, in particular “Ordinance 11.3 – Conduct and disciplinary proceedings”.

4.9. Remote Working
Users working from locations other than Swansea University’s offices must take additional care to not disclose information either intentionally or accidently to unauthorised people.

When working at home, Swansea University owned computers must only be used by the authorised Swansea University user and not by anyone else.

When working in any remote location, particularly public places, the user needs to take sensible and reasonable measures to ensure that their screen is not overlooked or seen by others. Particular care must be taken when working with sensitive information. Further information can be found in the:

• Agile Working Policy.
• Agile Working Guidelines.

4.10. Screen Sharing
Screen sharing should be used with caution to avoid exposing confidential University information to unauthorised parties.

4.11. Use of Personal Devices
Should a user wish to use a personal device including a mobile phone on the University network, it must meet security compliance requirements:

• The device must be protected by a pin or password.
• It must have a legitimately licensed version of the operating system and must not be rooted or jailbroken. (i.e. the device’s built in security controls designed to protect the user must not removed)
• It must be kept up to date with latest updates within 14 days of release.

4.12. Personal Commercial Use
Using University digital and information technology for commercial work for outside bodies on a personal basis and not as part of university duties or related to relevant professional practice, requires advance and explicit permission from the senior management, as set out in the Policy on Consultancy and Other Outside Services.

5.1. Sharing Usernames and Passwords
Users must not share accounts or passwords. All activity must be traceable back to a single user.

5.2. Inappropriate Content
It is prohibited to access, send, forward, download or print violating content by email, messaging, web browsing or any other means, without explicit and specific ethical approval.

Violating content is defined as anything that is likely to cause distress or offence to any other person including, but not limited to, racist, sexist, obscene, indecent or pornographic content.

Any concern related to inappropriate content should be raised using the Dignity at Work and Study Policy and Procedure.

If required, the CISO (Chief Information Security Officer) can be called on to be involved in the procedure.

5.3. Internet Usage
Jisc manages and operates the Janet network and list unacceptable activities which take current legislation into account. As Swansea University accesses the Internet via Janet, users must not use that network for any of the following:

• The infringement of copyright.
• Hacking, or other deliberately disruptive activity.
• The transmission or creation of obscene or offensive material.
• The transmission or creation of material of a threatening nature, or intended to harass, frighten etc.
• The transmission or creation of material of a libellous nature.
• The transmission of unsolicited commercial or advertising material or similar activities. (spamming)

5.4. Social Media
Users must not use personal social media accounts to post comments which:

• Claim to represent the views of Swansea University.
• Could be construed as being the views of Swansea University.
• Contravene the University’s regulations or policies which include the Dignity at Work and Study Policy and the Strategic Equality Plan.
• Discloses confidential information relating to the University, staff, students or third parties.
• Are illegal under UK law.

5.5. Swansea University Equipment
Users must not alter the configuration of Swansea University supplied equipment and specifically must not disable any security measures, including antivirus, anti-malware, internet filtering and firewall software.

Users must not leave corporate mobile devices (including computers, tablets and phones) unattended in public places or in a visible place inside a vehicle. Additionally, corporate mobile devices must not be left in a vehicle overnight, regardless of where the vehicle is parked.

5.6. Personal Email
Staff should not use substantially private accounts to conduct University business, unless there is no suitable alternative available.

5.7. Third Party access to Swansea University Systems
Users must not allow third parties to access University systems and information without sufficient authorisation prior to access being granted by the Chief Digital and Information Officer or CISO (Chief Information Security Officer).

5.8. Prevent Duty
Promoting activities that are likely to draw people into terrorism or extremist ideologies is contrary to the University’s Prevent duty obligations and policy, and is not permitted.

5.9. Transmission of Unlawful Materials
The creation or transmission of unlawful communications of any kind, including but not limited to threats of violence, obscenity, indecency or child pornography is not permitted without prior ethics approval.

The only exception is if a research team is working with extremist online content and need to share the dataset between themselves. Such activity would need to go through the ethics approval process to ensure suitable safeguards are in place and the process to ensure Digital Services are aware that the research is being carried out.

5.10. Discrimination
Using University digital and information technologies for the purpose of promoting discrimination on the basis of age, sex, disability, gender reassignment, marriage or civil partnership, pregnancy and maternity, race, religion or belief, or sexual orientation, or any other protected characteristic is not permitted under any circumstances.

See section 5.2 for guidance regarding inappropriate content.

Exemptions to this policy require the approval of:

either

• Executive Dean of the Faculty (for academics and students) or
• Registrar/Chief Operating Officer (for professional services and third parties)
and
• Chief Digital and Information Officer (CDIO)

All exemptions will be reviewed by the Cyber Advisory Team every six months to ensure that the exemption is still valid. Full details of the process to obtain an exception can be found on the Exemption Request Page.

Suspected breach of this Policy may be investigated under the University’s Conduct and Disciplinary Proceedings Ordinance. The University may also take the following actions in response to an actual, alleged or suspected breach of this Policy:

• Withdrawal of access to University digital and information technology.
• Disconnection and seizure of equipment.
• Initiation of relevant conduct and/or disciplinary procedures for staff or students.

7.1. Referral to the police or other relevant authority
Where a breach of this policy results in a referral to the police or other relevant authority, the University will co-operate with the investigating authorities and disclose copies of any relevant data stored, appropriate logs and any hardware relevant to the investigation to such authorities in line with current legislation.

The Chief Operating Officer and Registrar may authorise temporary suspension of a user’s access to University digital and information technology where there are actual grounds, alleged grounds or it is suspected that the user has breached this policy, pending an investigation.

The University reserves the right to block, disconnect, suspend, or otherwise prevent activities that it considers to be an unacceptable use of University digital and information technology.

• Cyber and Information Security Policy
• Cyber and Information Security Exemption Process - TBC
• Human Resources policies
• Dignity at Work and Study: Combating Harassment Code of Practice
• Policy on Intellectual Property
• Copyright Overview
• Cyber Advisory Panel: Terms of Reference -  TBC
• Research Integrity Policy Framework
• Security Sensitive Research Policy
• Trusted Research Policy
• Data and Information Classification Policy -  TBC
• Data and Information Handling Policy -  TBC
• Data Protection Policy
• Agile Working Policy
• Agile Working Guidelines
• Social Media Policy
• Swansea University Social Media Guidelines
• Health, Safety & Resilience International Travel Policy Arrangements 
• International Travel Risk Assessment Guidance
• Conduct and Disciplinary Proceedings
• Policy on Consultancy and Other Outside Services
• Password Guidelines 

Digital Acceptable Use Policy
Policy No. DS.CS.POL.001.v1.0

Version: V1.0
Data Classification: Official
Effective Date: 14/05/2024
Last Revised: 14/05/2024
Review Interval: Annual
Review Date: 14/05/2025
Approval Body: Senior Leadership Team
Policy Owner: Chief Information Security Officer
Policy Author: Cyber Governance Manager