IT Code of Practice guidance notes
This guidance expands on the principles set out in the core regulations. Find examples of specific situations to help you relate your everyday use of the IT facilities to the dos and don'ts in the IT Code of Practice.
Version and ownership

| Version | Date | Author(s) | Comments |
| --- | --- | --- | --- |
| 1.00 | N/A | N/A | Webpage guidance from core code |
| 1.1 | 10/05/2023 | Matthew Doxey | Draft copy created, full review, section 4 updated to reflect policy change regarding personal use |
| 1.1 | 10/05/2023 | CISO and Director of IT Services | Approved |
| 1.1 | 11/05/2023 | SPB | Approved by Service Performance Board |
| 1.2 | 06/06/2024 | Stefano Mori | Reviewed, minor updates |
| 1.2 | 06/06/2024 | Tom Griffin | Approved by Head of Information Security |
Read the full IT Code of Practice regulations
Lists of examples give some of the most common instances, and they aren't intended to be exhaustive.
Terms such as "authority", "authorised", "approved" or "approval" refer to authority or approval from
- the person or body identified in Section 3, Authority
- anyone with authority delegated to them by that person or body
1. Scope
1.1 Users
These regulations apply to anyone using University of Sheffield IT facilities. This means more than students and staff.
For example, it could include
- visitors to the University website and people accessing the University's online services from off-campus
- external partners, contractors and agents based on-site and using the University network, or off-site and accessing the University's systems
- tenants of the University using the University's computers, servers or network
- visitors using the University's guest services
- students and staff from other institutions logging on using eduroam
1.2 IT facilities
The term "IT facilities" includes the below:
IT hardware that the University provides, such as
- desktop computers
- laptops
- tablets
- smartphones
- printers
Software that the University provides, such as
- operating systems
- office application software
- web browsers
It also includes software that the University has arranged for you to have access to, such as special deals for students on commercial application packages.
Data that the University provides, or arranges access to. This might include:
- online journals
- data sets
- citation databases
Access to the network provided or arranged by the University. For example, this would cover:
- network connections in halls of residence
- on-campus WiFi
- connectivity to the internet from University computers
Online services arranged by the University, such as Google Apps and Turnitin.
IT credentials, such as the use of your University login or any other token, like your email address, smart card or dongle, issued by the University to identify yourself when using IT facilities.
For example, you may be able to use drop-in facilities or WiFi connectivity at other institutions using your usual username and password through the eduroam system. While doing so, you are subject to these regulations, as well as the regulations at the institution you are visiting.
2. Governance
Remember that using IT has consequences in the physical world.
Your use of IT is governed by IT-specific laws and regulations such as these, but it is also subject to general laws and regulations, such as the University's general policies.
2.1 Domestic law
Your behaviour is subject to the laws of the land, even those that aren't obviously related to IT, such as the laws on fraud, theft and harassment.
There are many items of legislation that are particularly relevant to the use of IT, including the below:
- Obscene Publications Act 1959 and 1964
- Protection of Children Act 1978
- Police and Criminal Evidence Act 1984
- Copyright, Designs and Patents Act 1988
- Criminal Justice and Immigration Act 2008
- Computer Misuse Act 1990
- Human Rights Act 1998
- Data Protection Act 2018
- General Data Protection Regulation (GDPR)
- Regulation of Investigatory Powers Act 2000
- Prevention of Terrorism Act 2005
- Terrorism Act 2006
- Counter-Terrorism and Security Act 2015
- Police and Justice Act 2006
- Freedom of Information Act 2000
- Freedom of Information (Scotland) Act 2002
- Equality Act 2010
- Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended)
- Defamation Act 1996 and 2013
So, for example, you can't
- create or transmit, or cause the transmission of, any offensive, obscene or indecent images, data or other material, or any data capable of being made into obscene or indecent images or material
- create or transmit material with the intent to cause annoyance, inconvenience or needless anxiety
- create or transmit material with the intent to defraud
- create or transmit defamatory material
- create or transmit material that infringes the copyright of another person or organisation
- create or transmit unsolicited bulk or marketing material to users of networked facilities or services, except where that material is embedded within, or is otherwise part of, a service that the user or their user organisation has chosen to subscribe to
- deliberately access networked facilities or services without authorisation
2.2 Foreign law
If you're using services hosted in a different part of the world, you may also be subject to their laws. It can be difficult to know where any particular service is hosted and what the applicable laws are in that locality.
In general, if you apply common sense, obey domestic laws and adhere to the regulations of the service you are using, you're unlikely to go astray.
2.3 General University regulations
You should already be familiar with the University's general regulations and policies.
View the University's general regulations
2.4 Third-party regulations
If you use University IT facilities to access third-party services or resources, you're bound by the regulations associated with that service or resource. The association can be through something as simple as using your University username and password.
Very often, these regulations will be presented to you the first time you use the service. In some cases, the service is so widespread that you will not even know that you are using it.
Two examples of this are the below:
a) Janet
Janet is the IT network that connects all UK higher education and research institutions to each other and the internet.
When connecting to any site outside the University, you'll be using Janet and will be subject to the Janet Acceptable Use Policy, the Janet Security Policy and the Janet Network Connection Policy.
We've incorporated the requirements of the policies into these regulations. If you follow these regulations, you shouldn't infringe the Janet policies.
b) Chest agreements
Eduserv is an organisation that has negotiated many deals for software and online resources on behalf of the UK higher education community, under the common banner of Chest agreements.
These agreements have certain restrictions, summarised below:
- Non-academic use is not permitted.
- Copyright must be respected.
- Privileges granted under Chest agreements must not be passed on to third parties.
- Users must accept the Chest User Acknowledgement of Third-Party Rights.
There will be other instances where the University has provided you with a piece of software or a resource. Users can only use software and other resources in compliance with all applicable licences, terms and conditions.
3. Authority
These regulations are issued under the authority of the Director of IT Services. The Director is also responsible for their interpretation and enforcement, and they may delegate this authority to others.
Authority to use the University's IT facilities is granted by a variety of means, such as the below:
- You may be issued a username and password, or other IT credentials.
- You may be explicitly granted access rights to a specific system or resource.
- A facility might be provided in an obviously open-access setting, such as a University website, a self-service kiosk in a public area or an open WiFi network on the campus.
If you have any doubt about whether you have the authority to use an IT facility, you should seek further advice from IT help and support.
Attempting to use the IT facilities without the permission of the relevant authority is an offence under the Computer Misuse Act.
4. Intended use
University IT facilities and the Janet network are funded by the tax-paying public. They have a right to know that the facilities are being used for their intended purposes.
4.1 Use to support the aims of the University
The IT facilities are provided to be used to support the aims of the University. For example, they might be used for
- learning
- teaching
- research
- knowledge transfer
- public outreach
- the commercial activities of the University
- the administration necessary to support all of the above
4.2 Personal use
The use of IT facilities and accounts for personal activities that are not in furtherance of the mission of the University of Sheffield shall not be permitted or supported.
- It is recognised that there is a potential overlap between personal and professional activities, particularly for academic purposes.
- Account holders shall not use their University IT account to subscribe/register for online services such as personal social media, personal financial activities and registration with online services. Where account holders are already subscribed/registered to online services they should migrate them to a personal, non-University, account.
- Account holders shall not store their own personal information (e.g. personal photos, music, videos) in a University IT account. Where account holders are already storing such information they should transfer it to a personal, non-University, account.
- The general usage of University equipment and networks for personal activities is permitted but not supported. Where possible and practical account holders should use their own personal equipment and personal networks for personal activities.
- Support for personal usage of University IT facilities may be offered where it is part of an agreed service provided to the account holder. For example, the wired and wireless networks provided in University Accommodation.
Note that all information held within University IT accounts is in scope for legal requests for information such as Freedom of Information (FOI) or Subject Access Request (SAR).
4.3 Commercial use and personal gain
If you wish to use the IT facilities for non-University commercial purposes or for personal gain, you need approval from the Director of IT Services.
The provider of the service may require a fee or a share of the income for this type of use. For more information, contact the IT Service Desk.
Even with such approval, the use of licences under the Chest agreements for anything other than teaching, studying or research, administration or management purposes is prohibited. You must make sure that licences allowing commercial use are in place.
5. Identity
To use many of the IT services provided or arranged by the University, you'll need to identify yourself so that the service knows that you're entitled to use it.
This identification is most commonly a username and password, but other forms of IT credentials may be used, such as
- an email address
- a smart card
- another form of security device
5.1 Protecting your identity
You must take all reasonable precautions to safeguard any IT credentials issued to you.
Choosing a password
Don't share passwords with anyone else, even IT staff, no matter how convenient and harmless it may seem.
If you think someone else has found out what your password is, change it immediately and report the matter to the IT Service Desk.
You must change your password when it's first issued and at regular intervals as instructed.
Don't use obvious passwords, and do not record them where there is any likelihood of someone else finding them. Do not use the same password as you do for personal (i.e. non-University) accounts.
Logging in and out
Do not use your username and password to log in to websites or services you do not recognise, and don't log in to websites that aren't showing the padlock symbol.
Don't leave logged-in computers unattended, and log out properly when you are finished.
Don't allow anyone else to use your smart card or other security hardware. Take care not to lose them, and if you do, report the matter to IT immediately.
5.2 Impersonation
Never use someone else's IT credentials, or attempt to disguise or hide your real identity when using the University's IT facilities.
However, you can choose not to reveal your identity if the system or service clearly allows anonymous use, such as on a public-facing website.
5.3 Attempting to compromise others' identities
You must not attempt to usurp, borrow, corrupt or destroy someone else's IT credentials.
6. Infrastructure
IT infrastructure is all the underlying technology and processes that make IT function. It includes
- servers
- the network
- computers
- printers
- operating systems
- databases
- a range of other hardware and software that has to be set up correctly to ensure the reliable, efficient and secure delivery of IT services
You must not do anything to jeopardise the infrastructure.
6.1 Physical damage or risk of damage
Don't damage, or do anything to risk physically damaging, the infrastructure. For example, you should not be careless with food or drink at a computer.
6.2 Reconfiguration
Don't attempt to change the setup of the infrastructure without authorisation. This includes
- changing the network point that a computer is plugged in to
- connecting devices to the network, except for WiFi or Ethernet networks specifically provided for this purpose
- altering the configuration of the University's computers
Unless you have been authorised, you must not add software to or remove software from computers.
Do not move equipment without authority.
6.3 Network extension
You must not extend the wired or WiFi network without authorisation. This may involve the use of
- routers
- repeaters
- hubs
- WiFi access points
This can disrupt the network and is likely to be in breach of the Janet Security Policy.
6.4 Setting up servers
You must abide by the University's IT Code of Connection when connecting devices to the University network.
You must not set up any hardware or software that would provide a service to others over the network without following the appropriate processes. Examples include
- games servers
- file-sharing services
- Internet Relay Chat (IRC) servers or websites
6.5 Introducing malware
You must take all reasonable steps to avoid introducing malware to the infrastructure.
The term malware covers many things, such as viruses, worms and trojans. It is basically any software used to disrupt computer operation or subvert security.
Malware is usually spread by
- visiting websites of a dubious nature
- downloading files from untrusted sources
- opening email attachments from people you don't know
- inserting media that has been created on a compromised computer
If you avoid these types of behaviour, keep your anti-virus software up to date and switched on, and run scans of your computer regularly, you are much less likely to encounter this problem. It's also possible for malware to spread automatically without any actions on your part.
6.6 Subverting security measures
The University has taken measures to safeguard the security of its IT infrastructure, including things such as
- anti-virus software
- firewalls
- spam filters
- authentication systems
You must not attempt to subvert or circumvent these measures in any way.
7. Information
7.1 Personal, sensitive and confidential information
During their work or studies, staff and students (particularly research students) may handle information that comes under the General Data Protection Regulation (GDPR) or is sensitive or confidential in some other way.
For the rest of this section, these will be grouped together as "protected information".
Safeguarding the security of protected information is a highly complex issue, with organisational, technical and human aspects.
The University has policies on data protection and information security. If your role is likely to involve handling protected information, you must make yourself familiar with these policies and abide by them.
View our Information Security policies (student or staff login required)
If there is a legislative and regulatory need, such as a Subject Access Request under the Data Protection Act 2018, the University reserves the right to access and share information held against University accounts. Only information related to valid Subject Access Requests will be shared.
Read more about GDPR and our compliance
7.1.1 Transmission of protected information
When sending protected information electronically, you must use a method with appropriate security.
Email is not inherently secure.
Advice about how to send protected information electronically is available on our Information Security web pages (student or staff login required).
7.1.2 Removable media and mobile devices
Unless it is encrypted, and the key is kept securely, protected information must not be stored on
- removable media, such as USB storage devices, removable hard drives, CDs or DVDs
- mobile devices, such as laptops, tablets or smartphones
If protected information is sent using removable media, you must use a secure, tracked service so that you know it has arrived safely.
Read more about encrypting removable media and mobile devices for protected information (student or staff login required).
7.1.3 Remote working
If you access protected information from off-campus, you must make sure you are using an approved connection method. It should not be possible for the information to be intercepted between the device you are using and the source of the secure service.
You must also be careful to avoid working in public locations where your screen can be seen.
Get advice on working remotely with protected information (student or staff login required).
7.1.4 Personal or public devices and cloud services
Public computers (such as those in a cafe or hotel) and personal devices could contain malicious software. Malicious software could record your keyboard input, including passwords, capture screenshots, and send them to bad actors.
Don't access or store protected information on personal or public devices without careful assessment of the risks. The same level of security must be applied as would be used on University devices.
Don't store or process protected information in personal cloud services unless it's securely encrypted first (for example, you've added your own layer of encryption rather than relying on the cloud service's encryption). This applies to personal cloud services such as
- Microsoft 365 (Office)
- iCloud
- Google Apps, with a non-University account
- Dropbox
University-provided Google Apps services are covered by a contractual agreement and can be used to process some types of protected information.
Read more about data security and Google.
7.2 Copyright information
Almost all published works are protected by copyright. If you're going to use material, such as images, text, music or software, you need to make sure that you use it within copyright law.
This is a complex area. See copyright training and guidance.
The key point to remember is that just because you can see something on the web, and download it or otherwise access it, that doesn't mean that you can do what you want with it.
7.3 Others' information
You must not attempt to access, delete, modify or disclose restricted information belonging to other people without their permission, unless
- it's obvious that they intend others to do this
- you have approval from the Director of IT Services and relevant director or head of department/school
If information has been produced in the course of employment by the University and the person who created or manages it is unavailable, the responsible head of department/school can give permission for it to be retrieved for work purposes. If you're doing this, you must take care not to retrieve any private information in the account or compromise the security of the account concerned.
Private information may only be accessed by someone other than the owner under very specific circumstances governed by University and legal processes.
7.4 Inappropriate material
You must not create, download, store or transmit material that is
- unlawful
- indecent
- offensive
- defamatory
- threatening
- discriminatory
- extremist
The University has a statutory duty to prevent people from being drawn into terrorism. This comes under the Counter-Terrorism and Security Act 2015, termed "Prevent". The University reserves the right to block or monitor access to such material.
We have procedures to approve and manage valid activities involving such material for valid research purposes, where it is legal and has the appropriate ethical approval.
Ethics policy guidance (student or staff login required).
There is also an exemption covering authorised IT staff involved in the preservation of evidence for investigating breaches of the regulations or the law.
7.5 Publishing information
Publishing means the act of making information available to the general public. This includes through
- websites
- social networks
- news feeds
While the University generally encourages publication, you should be mindful of University policy and procedure. View our toolkits on social media, media and marketing (staff login required).
7.5.1 Representing the University
You must not make statements that purport to represent the University without the approval of the relevant authority.
7.5.2 Publishing for others
You must not publish information on behalf of third parties using the University's IT facilities without the approval of the relevant authority.
8. Behaviour
The way you behave when using IT should be no different to how you would behave under other circumstances. Abusive, inconsiderate or discriminatory behaviour is unacceptable.
8.1 Conduct online and on social media
University policies concerning staff and students also apply to the use of social media. These include
- human resource policies
- codes of conduct
- acceptable use of IT facilities
- disciplinary procedures
8.2 Spam
You must not send unsolicited bulk emails or chain emails, except in specific circumstances.
8.3 Denying others access
If you are using shared IT facilities for personal or social purposes, you should vacate them if they are needed by others with work to do. Similarly, don't occupy specialist facilities unnecessarily if someone else needs them.
8.4 Disturbing others
When using shared spaces, remember that others have a right to work without undue disturbance.
You should
- keep noise down, such as by turning your mobile device to silent if you're in a silent study area
- not obstruct passageways
- be sensitive to what others around you might find offensive
8.5 Excessive consumption of bandwidth or resources
Use resources wisely. Don't consume excessive bandwidth by uploading or downloading more material, particularly videos, than is necessary.
Don't waste paper by printing more than is needed or printing single-sided when double-sided would do.
Don't waste electricity by leaving equipment needlessly switched on.
9. Monitoring
9.1 University monitoring
The University monitors and records the use of its IT facilities for the purposes of:
- performing academic and administrative functions
- meeting legal and regulatory obligations to sector bodies and government
- the effective and efficient planning and operation of the IT facilities
- detection and prevention of infringement of these regulations
- investigating alleged misconduct
- complying with lawful requests for information from law enforcement and government agencies, for detecting, investigating or preventing crime, and ensuring national security
Read more about Information Security (student or staff login required).
9.2 Unauthorised monitoring
You must not attempt to monitor the use of the IT facilities without explicit permission from the Director of IT Services.
This would include
- monitoring network traffic
- network or device discovery
- WiFi traffic capture
- installing key-logging or screen-grabbing software that may affect users other than yourself
- attempting to access system logs or servers or network equipment
If IT is the subject of study or research, special arrangements will have been made. You should contact your course leader or research supervisor for more information.
10. Infringement
10.1 Disciplinary process and sanctions
Breaches of these regulations will be handled by the University's disciplinary processes. View the University's general regulations.
This could have a bearing on your future studies or employment with the University and beyond.
Sanctions may be imposed if the disciplinary process finds that you have indeed breached the regulations.
For example, we may
- restrict your use of IT facilities
- remove services
- withdraw offending material
- fine and recover any costs from you that the University incurred as a result of the breach
10.2 Reporting to other authorities
If the University believes that unlawful activity has taken place, it may refer the matter to the police or other enforcement agency.
10.3 Reporting to other organisations
If the University believes that a breach of a third party's regulations has taken place, it may report the matter to that organisation.
10.4 Reporting infringements
If you become aware of an infringement of these regulations, you must report the matter to the relevant authorities.