IT Code of Practice regulations

Read through our IT Code of Practice regulations, which aim to make sure that the University's IT facilities can be used safely, lawfully and equitably.

Version and ownership
Version Date Author(s) Comments
1.00 13/09/2015 Chris Willis Approved by the CiCS Executive - Director of CiCS (Chris Sexton) and the three Assistant Directors (John McAuley, David Surtees and Kath Winter)
1.01 11/09/2018 Carl Dean Aligned to policy format and grammatical corrections
1.02 19/08/2019 Carl Dean Annual review - URL links updated and minor grammatical amendments 
1.03 30/01/2020 Ross Prendergast Minor changes, CiCS updated to IT Services
1.03 02/03/2020 Technical Design Authority (TDA) Approved by IT Services TDA
1.03 09/03/2020 IT Services Strategy Board (ITSSB) Approved by ITSSB
1.03 17/03/2020 Information Management and Security Group (IM&SG) Approved by IM&SG
1.04 28/01/2022 Ross Prendergast Added section around monitoring and access to data
1.1 09/05/2023 Richard Brown and Matthew Doxey Updated template and full review. Edit to clause 6 to reflect personal use policy change.
1.2 09/05/2023 Chief Information Security Officer (CISO) and Director of IT Services Approved
1.2 11/05/2023 Service Performance Board (SPB) Approved by SPB
1.2 27/06/2023 ITSSB Approved by ITSSB
1.3 21/05/2024 Jessica Stanton Annual review (broken link updated and addition of ‘school’)
1.3 30/05/2024 Tom Griffin Minor changes approved by Head of Information Security

These are the core regulations, the wording is improved but the underlying message has not changed, our rules are still the same.

The aim of these regulations is to help ensure that the University of Sheffield IT facilities can be used safely, lawfully, and equitably.

The issues covered by these regulations are complex; if you require further information you are strongly urged to read the accompanying guidance documentation. This gives more detailed information that we hope you will find useful. If this does not contain the information you require please contact IT help and support.

1. Scope

These regulations apply to anyone using the IT facilities provided or arranged by the University of Sheffield.

Facilities include

  • hardware
  • software
  • data
  • network access
  • third-party services
  • online services
  • IT credentials

2. Governance

When using IT facilities, you remain subject to the same laws and regulations as in the physical world.


It is expected that your conduct is lawful. Furthermore, ignorance of the law is not considered to be an adequate defence for unlawful conduct.

When accessing services from another jurisdiction, you must abide by all relevant local laws, as well as those applicable to the location of the service.

University regulations

You are bound by University of Sheffield general regulations, and the 'Regulations on the Use of IT Facilities', when using any IT facilities.

Read the University's general regulations

Where additional policies or processes are required for specific IT facilities (such as those with privileged access) these will be communicated to you and you must abide by them.

Third-party regulations

You must abide by the regulations applicable to any other organisation whose services you access such as Janet, Eduserv, and Jisc Collections. When using services via eduroam, you are subject to both the regulations of the University of Sheffield and the institution where you are accessing services.

Some software licences procured by the University of Sheffield will set out obligations for the user – these should be adhered to.  If you use any software or resources covered by a Chest agreement, you are deemed to have accepted the Eduserv User Acknowledgement of Third Party Rights.

See the accompanying IT Code of Practice guidance for more detail.

Breach of any applicable law or third-party regulation will be regarded as a breach of these IT regulations.

3. Authority

These regulations are issued under the authority of the Director of IT Services acting on behalf of the University Executive Board IT sub-group who is also responsible for their interpretation and enforcement, and who may also delegate such authority to other people.

You must not use the IT facilities without the permission of the Director of IT Services or the person or body to whom the facilities belong.

You must comply with any reasonable written or verbal instructions issued by people with delegated authority in support of these regulations. If you feel that any such instructions are unreasonable or are not in support of these regulations, you may appeal to the Director of IT Services or the Head of Department/School to whom the facilities belong.

4. Intended use

University IT facilities and accounts are provided for use in furtherance of the mission of the University of Sheffield, for example, to support a course of study, research or in connection with your employment by the University.

The use of IT facilities and accounts for personal activities that are not in furtherance of the mission of the University of Sheffield shall not be permitted or supported.

Use of these IT facilities for non-University commercial purposes requires the approval of the Director of IT Services.

Use of certain licences is only permitted for academic use.

See the accompanying IT Code of Practice guidance for more detail.

5. Identity

You must take all reasonable precautions to safeguard any IT credentials (for example a username and password, email address, smartcard, or other identity hardware) issued to you.

You must not

  • allow anyone else to use your IT credentials. No one has the authority to ask you for your password, and you must not disclose it to anyone
  • attempt to obtain or use anyone else's credentials
  • impersonate someone else or otherwise disguise your identity when using the IT facilities
  • reuse your University credentials on any external service, such as your University username and password

6. Infrastructure

You must not do anything to jeopardise the integrity of the IT infrastructure. For example, you must not do any of the following without approval:

  • Damage, reconfigure or move equipment.
  • Load software onto University equipment other than in approved circumstances.
  • Reconfiguring or connecting equipment to the network other than by approved methods.
  • Set up servers or services on the network.
  • Deliberately or recklessly introduce malware.
  • Attempt to disrupt or circumvent IT security measures of any device, network, system or account, including authentication controls.

You must abide by the University's IT Code of Connection when connecting devices to the University network.

7. Information

You must abide by the University's policies and procedures when using the IT facilities to publish information.

Handling personal data

If you handle personal, confidential or sensitive information, you must take all reasonable steps to safeguard it and must observe University Data Protection and Information Security policies and guidance (student or staff login required), particularly with regard to removable media, mobile and privately owned devices.


You must not infringe copyright or break the terms of licences for software or other material.

You must not attempt to access, delete, modify or disclose information belonging to other people without their permission. Where this is not possible you must gain explicit approval from the Director of IT Services and the Head of Department/School concerned.

Inappropriate material

You must not create, download, store or transmit unlawful material, or material that is indecent, offensive, threatening, discriminatory or extremist.

The University has procedures to approve and manage valid activities involving such material; these are available via the University's Ethics Policy notes (student or staff login required), and must be observed.

When we may share your information

The University, when there is a legislative and regulatory need such as a Subject Access Request under the Data Protection Act 2018, reserves the right to access and share information held against University accounts. Only information pertaining to valid Subject Access Requests will be shared.

When there is a legitimate administrative need, the University reserves the right to access and modify information held against University accounts. This will only be performed where there is a lawful and approved justification, such as to comply with data retention requirements of the Data Protection Act 2018.

You must abide by the University’s policies and procedures when using the IT facilities to publish information.

8. Behaviour

Real world standards of behaviour apply online and on social networking platforms, such as Facebook, Blogger and Twitter.

You should also adhere to University, and where necessary departmental/school, guidelines on social media.

You must not

  • cause needless offence, concern or annoyance to others
  • send spam (unsolicited bulk email)
  • deliberately or recklessly consume excessive IT resources, such as processing power, bandwidth or consumables
  • use the IT facilities in a way that interferes with others' valid use of them

9. Monitoring

The University monitors and records the use of its IT facilities for the purposes of:

  • performing academic and administrative functions.
  • meeting legal and regulatory obligations to sector bodies and government.
  • facilitating the effective and efficient planning and operation of the IT facilities.
  • detecting and preventing infringements of these regulations.
  • investigate alleged misconduct.

The University will comply with lawful requests for information from government and law enforcement agencies.

You must not attempt to monitor the use of the IT facilities without explicit authority from the Director of IT Services.

10. Infringement

Infringing these regulations may result in sanctions under the University’s disciplinary processes.

Penalties may include the temporary or permanent withdrawal of services. Offending material will be taken down.

Information about infringement may be passed to

  • appropriate law enforcement agencies
  • any other organisations whose regulations you have breached

The University reserves the right to recover any costs from you that were incurred as a result of your infringement.

You must inform us if you become aware of any infringement of these regulations.

How to let us know about an IT incident

Supporting Information Security policies, procedures and guidance

Supporting information security policies for the principles listed above can be found on the Information Security policies web page (student or staff login required).

View the University’s Information Security Incident Reporting web page.

See the Information Security Glossary of Terms web page (student or staff login required).

The issues covered by these regulations are complex. If you need further information, we'd encourage you to read the accompanying guidance notes. These give more detailed information that we hope you will find useful.

If these don't contain the information you need, contact IT help and support.