IT Code of Practice guidance notes

This guidance expands on the principles set out in the core regulations. Find examples of specific situations to help you relate your everyday use of the IT facilities to the dos and don'ts in the IT Code of Practice.

Read the full IT Code of Practice regulations

Lists of examples give some of the most common instances, and they aren't intended to be exhaustive.

Terms such as "authority", "authorised", "approved" or "approval" refer to authority or approval from

the person or body identified in Section 3, Authority
anyone with authority delegated to them by that person or body

1. Scope

1.1 Users

These regulations apply to anyone using University of Sheffield IT facilities. This means more than students and staff.

For example, it could include

visitors to the University website and people accessing the University's online services from off-campus
external partners, contractors and agents based on-site and using University network, or off-site and accessing the University's systems
tenants of the University using the University's computers, servers or network
visitors using the University's guest services
students and staff from other institutions logging on using eduroam

1.2 IT facilities

The term "IT facilities" includes the below:

IT hardware that the University provides, such as

desktop computers
laptops
tablets
smartphones
printers

Software that the University provides, such as

operating systems
office application software
web browsers

It also includes software that the University has arranged for you to have access to, such as special deals for students on commercial application packages.

Data that the University provides, or arranges access to.This might include:

online journals
data sets
citation databases

Access to the network provided or arranged by the University. For example, this would cover:

network connections in halls of residence
on-campus WiFi
connectivity to the internet from University computers

Online services arranged by the University, such as Google Apps and Turnitin.

IT credentials, such as the use of your University login or any other token, like your email address, smart card or dongle, issued by the University to identify yourself when using IT facilities.

For example, you may be able to use drop-in facilities or WiFi connectivity at other institutions using your usual username and password through the eduroam system. While doing so, you are subject to these regulations, as well as the regulations at the institution you are visiting.

2. Governance

Remember that using IT has consequences in the physical world.

Your use of IT is governed by IT-specific laws and regulations such as these, but it is also subject to general laws and regulations, such as the University's general policies.

2.1 Domestic law

Your behaviour is subject to the laws of the land, even those that aren't obviously related to IT, such as the laws on fraud, theft and harassment.

There are many items of legislation that are particularly relevant to the use of IT, including the below:

So, for example, you can't

create or transmit, or cause the transmission, of any offensive, obscene or indecent images, data or other material, or any data capable of being made into obscene or indecent images or material
create or transmit material with the intent to cause annoyance, inconvenience or needless anxiety
create or transmit material with the intent to defraud
create or transmit defamatory material
create or transmit material that infringes the copyright of another person or organisation
create or transmit unsolicited bulk or marketing material to users of networked facilities or services, except where that material is embedded within, or is otherwise part of, a service that the user or their user organisation has chosen to subscribe to
deliberately access networked facilities or services without authorisation

2.2 Foreign law

If you're using services hosted in a different part of the world, you may also be subject to their laws. It can be difficult to know where any particular service is hosted and what the applicable laws are in that locality.

In general, if you apply common sense, obey domestic laws and adhere to the regulations of the service you are using, you're unlikely to go astray.

2.3 General University regulations

You should already be familiar with the University's general regulations and policies.

View the Univerversity's general regulations

2.4 Third-party regulations

If you use University IT facilities to access third-party services or resources, you're bound by the regulations associated with that service or resource. The association can be through something as simple as using your University username and password.

Very often, these regulations will be presented to you the first time you use the service. In some cases, the service is so widespread that you will not even know that you are using it.

Two examples of this are the below:

a) Janet

Janet is the IT network that connects all UK higher education and research institutions to each other and the internet.

When connecting to any site outside the University, you'll be using Janet and will be subject to the Janet Acceptable Use Policy, the Janet Security Policy and the Janet Network Connection Policy.

We've incorporated the requirements of the policies into these regulations. If you follow these regulations, you shouldn't infringe the Janet policies.

b) Chest agreements

Eduserv is an organisation that has negotiated many deals for software and online resources on behalf of the UK higher education community, under the common banner of Chest agreements.

These agreements have certain restrictions, summarised below:

Non-academic use is not permitted.
Copyright must be respected.
Privileges granted under Chest agreements must not be passed on to third parties.
Users must accept the Chest User Acknowledgement of Third-Party Rights.

There will be other instances where the University has provided you with a piece of software or a resource. Users can only use software and other resources in compliance with all applicable licences, terms and conditions.

3. Authority

These regulations are issued under the authority of the Director of IT Services. The Director is also responsible for their interpretation and enforcement, and they may delegate this authority to others.

Authority to use the University's IT facilities is granted by a variety of means, such as the below:

You may be issued a username and password, or other IT credentials.
You may be explicitly granted access rights to a specific system or resource.
A facility might be provided in an obviously open-access setting, such as a University website, a self-service kiosk in a public area or an open WiFi network on the campus.

If you have any doubt about whether you have the authority to use an IT facility, you should seek further advice from IT help and support.

Attempting to use the IT facilities without the permission of the relevant authority is an offence under the Computer Misuse Act.

4. Intended use

University IT facilities and the Janet network are funded by the tax-paying public. They have a right to know that the facilities are being used for their intended purposes.

4.1 Use to support the aims of the University

The IT facilities are provided to be used to support the aims of the University. For example, they might be used for

learning
teaching
research
knowledge transfer
public outreach
the commercial activities of the University
the administration necessary to support all of the above

4.2 Personal use

The use of IT facilities and accounts for personal activities that are not in furtherance of the mission of the University of Sheffield shall not be permitted or supported.

It is recognised that there is a potential overlap between personal and professional activities, particularly for academic purposes.
Account holders shall not use their University IT account to subscribe/register for online services such as personal social media, personal financial activities and registration with online services. Where account holders are already subscribed/registered to online services they should migrate them to a personal, non-University, account.
Account holders shall not store their own personal information (e.g. personal photos, music, videos) in a University IT account. Where account holders are already storing such information they should transfer it to a personal, non-University, account.
The general usage of University equipment and networks for personal activities is permitted but not supported. Where possible and practical account holders should use their own personal equipment and personal networks for personal activities.
Support for personal usage of University IT facilities may be offered where it is part of an agreed service provided to the account holder. For example, the wired and wireless networks provided in University Accommodation.

Note that all information held within University IT accounts is in scope for legal requests for information such as Freedom of Information (FOI) or Subject Access Request (SAR).

4.3 Commercial use and personal gain

If you wish to use the IT facilities for non-University commercial purposes or for personal gain, you need approval from the Director of IT Services.

The provider of the service may require a fee or a share of the income for this type of use. For more information, contact the IT Service Desk.

Even with such approval, the use of licences under the Chest agreements for anything other than teaching, studying or research, administration or management purposes is prohibited. You must make sure that licences allowing commercial use are in place.

5. Identity

To use many of the IT services provided or arranged by the University, you'll need to identify yourself so that the service knows that you're entitled to use it.

This identification is most commonly a username and password, but other forms of IT credentials may be used, such as

an email address
a smart card
another form of security device

5.1 Protecting your identity

You must take all reasonable precautions to safeguard any IT credentials issued to you.

Choosing a password

Don't share passwords with anyone else, even IT staff, no matter how convenient and harmless it may seem.

If you think someone else has found out what your password is, change it immediately and report the matter to the IT Service Desk.

You must change your password when it's first issued and at regular intervals as instructed.

Don't use obvious passwords, and do not record them where there is any likelihood of someone else finding them. Do not use the same password as you do for personal (i.e. non-University) accounts.

Logging in and out

Do not use your username and password to log in to websites or services you do not recognise, and don't log in to websites that aren't showing the padlock symbol.

Don't leave logged-in computers unattended, and log out properly when you are finished.

Don't allow anyone else to use your smart card or other security hardware. Take care not to lose them, and if you do, report the matter to IT immediately.

5.2 Impersonation

Never use someone else's IT credentials, or attempt to disguise or hide your real identity when using the University's IT facilities.

However, you can choose not to reveal your identity if the system or service clearly allows anonymous use, such as on a public-facing website.

5.3 Attempting to compromise others' identities

You must not attempt to usurp, borrow, corrupt or destroy someone else's IT credentials.

6. Infrastructure

IT infrastructure is all the underlying technology and processes that make IT function. It includes

servers
the network
computers
printers
operating systems
databases
a range of other hardware and software that has to be set up correctly to ensure the reliable, efficient and secure delivery of IT services

You must not do anything to jeopardise the infrastructure.

6.1 Physical damage or risk of damage

Don't damage, or do anything to risk physically damaging, the infrastructure. For example, you should not be careless with food or drink at a computer.

6.2 Reconfiguration

Don't attempt to change the setup of the infrastructure without authorisation. This includes

changing the network point that a computer is plugged in to
connecting devices to the network, except for WiFi or Ethernet networks specifically provided for this purpose
altering the configuration of the University's computers

Unless you have been authorised, you must not add software to or remove software from computers.

Do not move equipment without authority.

6.3 Network extension

You must not extend the wired or WiFi network without authorisation. This may involve the use of

routers
repeaters
hubs
WiFi access points

This can disrupt the network and is likely to be in breach of the Janet Security Policy.

6.4 Setting up servers

You must abide by the University's IT Code of Connection when connecting devices to the University network.

You must not set up any hardware or software that would provide a service to others over the network without following the appropriate processes. Examples include

games servers
file-sharing services
Internet Relay Chat (IRC) servers or websites

6.5 Introducing malware

You must take all reasonable steps to avoid introducing malware to the infrastructure.

The term malware covers many things, such as viruses, worms and trojans. It is basically any software used to disrupt computer operation or subvert security.

Malware is usually spread by

visiting websites of a dubious nature
downloading files from untrusted sources
opening email attachments from people you don't know
inserting media that has been created on compromised computers

If you avoid these types of behaviour, keep your anti-virus software up to date and switched on, and run scans of your computer regularly, you should not encounter this problem.

6.6 Subverting security measures

The University has taken measures to safeguard the security of its IT infrastructure, including things such as

anti-virus software
firewalls
spam filters
authentication systems

You must not attempt to subvert or circumvent these measures in any way.

7. Information

7.1 Personal, sensitive and confidential information

During their work or studies, staff and students (particularly research students) may handle information that comes under the General Data Protection Regulation (GDPR) or is sensitive or confidential in some other way.

For the rest of this section, these will be grouped together as "protected information".

Safeguarding the security of protected information is a highly complex issue, with organisational, technical and human aspects.

The University has policies on data protection and information security. If your role is likely to involve handling protected information, you must make yourself familiar with these policies and abide by them.

View our Information Security policies (student or staff login required)

If there is a legislative and regulatory need, such as a Subject Access Request under the Data Protection Act 2018, the University reserves the right to access and share information held against University accounts. Only information related to valid Subject Access Requests will be shared.

7.1.1 Transmission of protected information

When sending protected information electronically, you must use a method with appropriate security.

Email is not inherently secure.

Advice about how to send protected information electronically is available on our Information Security web pages (student or staff login required).

7.1.2 Removable media and mobile devices

Unless it is encrypted, and the key is kept securely, protected information must not be stored on

removable media, such as USB storage devices, removable hard drives, CDs or DVDs
mobile devices, such as laptops, tablets or smartphones

If protected information is sent using removable media, you must use a secure, tracked service so that you know it has arrived safely.

Read more about encrypting removable media and mobile devices for protected information (student or staff login required).

7.1.3 Remote working

If you access protected information from off-campus, you must make sure you are using an approved connection method. It should not be possible for the information to be intercepted between the device you are using and the source of the secure service.

You must also be careful to avoid working in public locations where your screen can be seen.

Get advice on working remotely with protected information (student or staff login required).

7.1.4 Personal or public devices and cloud services

Even if you're using approved connection methods, devices that are not fully managed by University cannot be guaranteed to be free of malicious software. This software could gather keyboard input and screen displays, for example.

Don't store or process protected information on personal or public devices without careful assessment of the risks. The same level of security must be applied as would be used on University devices.

Read about our Information Security measures (student or staff login required).

Unless it's securely encrypted first, don't store or process protected information in personal cloud services such as

Office 365
iCloud
Google Apps, with a non-University account
Dropbox

University provided Google Apps services are covered by a contractual agreement and can be used to process some types of protected information.

Read more about data security and Google.

7.2 Copyright information

Almost all published works are protected by copyright. If you're going to use material, such as images, text, music or software, you need to make sure that you use it within copyright law.

This is a complex area. See copyright training and guidance.

The key point to remember is that the fact that you can see something on the web, download it or otherwise access it doesn't mean that you can do what you want with it.

7.3 Others' information

You must not attempt to access, delete, modify or disclose restricted information belonging to other people without their permission, unless

it's obvious that they intend others to do this
you have approval from the Director of IT Services and relevant director or head of department

If information has been produced in the course of employment by the University and the person who created or manages it is unavailable, the responsible head of department can give permission for it to be retrieved for work purposes. If you're doing this, you must take care not to retrieve any private information in the account or compromise the security of the account concerned.

Private information may only be accessed by someone other than the owner under very specific circumstances governed by University and legal processes.

7.4 Inappropriate material

You must not create, download, store or transmit material that is

unlawful
indecent
offensive
defamatory
threatening
discriminatory
extremist

The University has a statutory duty to prevent people from being drawn into terrorism. This comes under the Counter-Terrorism and Security Act 2015, termed "prevent". The University reserves the right to block or monitor access to such material.

We have procedures to approve and manage valid activities involving such material for valid research purposes, where it is legal and has the appropriate ethical approval.

Refer to our ethics policy

Ethics policy guidance (student or staff login required).

There is also an exemption covering authorised IT staff involved in the preservation of evidence for investigating breaches of the regulations or the law.

7.5 Publishing information

Publishing means the act of making information available to the general public. This includes through

websites
social networks
news feeds

While the University generally encourages publication, you should be mindful of University policy and procedure. View our toolkits on social media, media and marketing (staff login required).

7.5.1 Representing the University

You must not make statements that purport to represent the University without the approval of the relevant authority.

7.5.2 Publishing for others

You must not publish information on behalf of third parties using the University's IT facilities without the approval of the relevant authority.

8. Behaviour

The way you behave when using IT should be no different to how you would behave under other circumstances. Abusive, inconsiderate or discriminatory behaviour is unacceptable.

8.1 Conduct online and on social media

University policies concerning staff and students also apply to the use of social media. These include

human resource policies
codes of conduct
acceptable use of IT facilities
disciplinary procedures

8.2 Spam

You must not send unsolicited bulk emails or chain emails, except in specific circumstances.

8.3 Denying others access

If you are using shared IT facilities for personal or social purposes, you should vacate them if they are needed by others with work to do. Similarly, don't occupy specialist facilities unnecessarily if someone else needs them.

8.4 Disturbing others

When using shared spaces, remember that others have a right to work without undue disturbance.

You should

keep noise down, such as by turning your mobile device to silent if you're in a silent study area
not obstruct passageways
be sensitive to what others around you might find offensive

8.5 Excessive consumption of bandwidth or resources

Use resources wisely. Don't consume excessive bandwidth by uploading or downloading more material, particularly videos, than is necessary.

Don't waste paper by printing more than is needed or printing single-sided when double-sided would do.

Don't waste electricity by leaving equipment needlessly switched on.

9. Monitoring

9.1 University monitoring

The University monitors and records the use of its IT facilities for the purposes of:

performing academic and administrative functions
meeting legal and regulatory obligations to sector bodies and government
the effective and efficient planning and operation of the IT facilities.
detection and prevention of infringement of these regulations.
investigating alleged misconduct.
complying with lawful requests for information from law enforcement and government agencies, for detecting, investigating or preventing crime, and ensuring national security

Read more about Information Security (student or staff login required).

9.2 Unauthorised monitoring

You must not attempt to monitor the use of the IT facilities without explicit permission from the Director of IT Services.

This would include

monitoring network traffic
network or device discovery
WiFi traffic capture
installing key-logging or screen-grabbing software that may affect users other than yourself
attempting to access system logs or servers or network equipment

If IT is the subject of study or research, special arrangements will have been made. You should contact your course leader or research supervisor for more information.

10. Infringement

10.1 Disciplinary process and sanctions

Breaches of these regulations will be handled by the University's disciplinary processes. View the University's general regulations.

This could have a bearing on your future studies or employment with the University and beyond.

Sanctions may be imposed if the disciplinary process finds that you have indeed breached the regulations.

For example, we may

restrict your use of IT facilities
remove services
withdraw offending material
fine and recover any costs from you that the University incurred as a result of the breach

10.2 Reporting to other authorities

If the University believes that unlawful activity has taken place, it may refer the matter to the police or other enforcement agency.

10.3 Reporting to other organisations

If the University believes that a breach of a third party's regulations has taken place, it may report the matter to that organisation.

10.4 Reporting infringements

If you become aware of an infringement of these regulations, you must report the matter to the relevant authorities.

How to report a security incident