Appendix 13: Network Acceptable Use Regulations

1. Purpose

This policy outlines Merton College’s approach to the acceptable use of the College and University networks to ensure that the College’s security objectives are met. Anyone who connects a computer or other device to the College network must abide by the Regulations provided here.

In these Regulations “College network” means a physical or virtual data network service where the configuration and gateway are within the control of Merton College or a suitably connected third party.

2. Scope
  1. These Regulations are applicable across the College and individually apply to all individuals who connect their computers and other devices to the College network.
  2. The following definitions shall apply to these Regulations:
    1. ‘MUST’, the verb ‘REQUIRE’ in any of its forms, and ‘SHALL’ mean that the item is an absolute requirement.
    2. ‘MUST NOT’ and ‘SHALL NOT’ mean that the item is absolutely prohibited.
    3. ‘SHOULD’ and ‘RECOMMENDED’ mean that there may exist valid reasons in particular circumstances not to comply with a particular item, but the full implications must be understood and carefully weighed before choosing a different course.
    4. ‘SHOULD NOT’ and ‘NOT RECOMMENDED’ mean that there may exist valid reasons in particular circumstances when particular behaviour is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behaviour described with this label.
3. General
  1. Anyone who connects a computer or other device to the College network shall comply with the University’s Regulations Relating to the Use of Information Technology Facilities (ICTC Regulations 1 of 2002) as amended from time to time.
  2. In particular, users must not use IT or network facilities for any of the following:
    1. any unlawful activity
    2. the creation, transmission, storage, downloading, or display of any offensive, obscene, indecent, or menacing images, data, or other material, or any data capable of being resolved into such images or material unless specifically approved for academic related reasons
    3. the creation, transmission, or display of material which is designed or likely to harass another person in breach of the University's Code of Practice on Harassment
    4. the creation or transmission of defamatory material about any individual or organisation
    5. the sending of any e-mail that does not correctly identify the sender of that e-mail or attempts to disguise the identity of the computer from which it was sent
    6. the sending of any message appearing to originate from another legal or natural person, or otherwise attempting to impersonate another person
    7. the transmission, without proper authorisation, of e-mail to a large number of recipients, unless those recipients have indicated an interest in receiving such e-mail, or the sending or forwarding of e-mail which is intended to encourage the propagation of copies of itself
    8. the creation or transmission of or access to material in such a way as to infringe a copyright, moral right, trade mark, or other intellectual property right
    9. private profit, except to the extent authorised under the user's conditions of employment or other agreement with the University or a college; or commercial purposes without specific authorisation
    10. gaining or attempting to gain unauthorised access to any facility or service within or outside the University, or making any attempt to disrupt or impair such a service
    11. the deliberate or reckless undertaking of activities such as may result in any of the following: (a) the waste of staff effort or network resources, including time on any system accessible via the university network; (b) the corruption or disruption of other users' data; (c) the violation of the privacy of other users; (d) the disruption of the work of other users; (e) the introduction or transmission of a virus into the network.
  3. Any password, authorisation code, etc. given to a user shall be for that user’s use only, and must be kept secure and not disclosed to or used by any other person.
  4. Distributed file sharing programs which are commonly used to distribute copyrighted material must not be used, including but not limited to BitTorrent, Kazaa, eMule, uTorrent, Limewire, Thunder, Vuze and Ares.
4. Mobile Devices
  1. The security of mobile devices shall be the responsibility of the user. If purchased by the College the responsibility shall be that of the assigned user.
  2. The College shall not be responsible for the payment of any mobile fines (roaming, data charges) incurred, which shall be the responsibility of the user.
  3. Users of mobile devices connected to the College network or used to access College data shall comply with the College’s Mobile Device Security Policy.
5. Responsibilities

The following bodies and individuals have specific information security responsibilities as provided in the College’s Information Security Policy:

  • The Finance Bursar is accountable to the Governing Body for management of the information security risks to the College’s Fellows, employees, Junior Members and other members.
  • The Finance Committee has responsibility for overseeing the management of the information security risks to the College's Fellows, employees, Junior Members and other members.
  • The Domestic Bursar is responsible for establishing and maintaining such arrangements as may be necessary to ensure the availability, integrity and confidentiality of the College’s information.
  • The Head of IT is responsible for the implementation of information security arrangements for the computer and digital information systems operated internally by the College. The Head of IT is responsible for the provision of expert technical advice in relation to computer and digital information security arrangements with any third party partners or suppliers.
  • Users are responsible for making informed decisions to protect the information that they process.
6. Compliance

The College regards any breach of data privacy legislation, of these Regulations or of any other policies or regulations introduced by the College from time to time to comply with data privacy legislation as a serious matter which may result in disciplinary action.

7. Review and Development

These Regulations shall be reviewed and updated annually by the Finance Bursar and the Data Protection Officer to take account of guidance from the Information Commissioner’s Office and national legislation and shall be approved by the Governing Body after review by the Finance Committee and the Statutes and Bylaws Committee.

8. Related policies and regulations

These Regulations should be read in conjunction with related policies and regulations, including the:

  • Data Protection Policy;
  • Information Security Policy;
  • Mobile Device Security Regulations; and
  • Data Protection Breach Regulations.