(updated 14 November 2008)
The College Computing Regulations provide guidance to all users on the acceptable use of College computing facilities. Legislation such as the Human Rights Act 1998, the Data Protection Act 1998, and the Regulation of Investigatory Powers Act 2000 have highlighted issues relating to employee's privacy and the employer's right to monitor, intercept and or retain copies of communications on its telecommunications systems.
The purpose of this policy is to set out what is regarded as acceptable use by College staff of email, internet and telecommunication facilities and the general circumstances under which interception and or retention of copies of communications or monitoring of an individual's use of these facilities may occur. The policy is intended to make staff aware of their obligation to use such IT services responsibly, professionally, ethically and lawfully and to make them aware of the rights and activities of the College with regard monitoring such systems. The guidance provided should help to safeguard the interests of both members of staff and the College.
The College encourages the use of electronic information systems such as the Internet and email systems and recognises that these facilities are essential to the work of the College. The IT and telecommunication facilities are the property of the College and primarily provided for official College business. Such College systems are therefore not to be considered private by its users, and the whole of this policy must be read in the context of this point, albeit that the College attempts wherever practicable and reasonable in all the circumstances to safeguard the privacy of its employees and users. It is accordingly recognised that there are occasions when employees might legitimately make reasonable use of their telephone, email or Internet access for personal purposes. Such reasonable personal use is permitted as long as it does not interfere with the performance of the employee's duties, does not incur unreasonable cost to the College, nor cause damage or difficulty to the College's IT facilities, nor any difficulty or distress to others. Guidance on what constitutes 'reasonable' use is given in the sections below.
The College's Central Computing Services (ITS) routinely monitor the overall patterns of usage of the College's IT and telecommunication services. It does not, in the normal course of events, specifically identify the use made of facilities (with the exception of telephone usage for departmental recharging purposes) by any individual member of staff. However, all staff should be aware that the College will undertake monitoring of an individual's email, internet or telephone usage, and where duly authorised in accordance with this policy, the associated content, in order to investigate potential misuse or abuse of these facilities. The circumstances under which such interception and or monitoring is undertaken are outlined in Section 6. Cases of computing or telecommunication misuse by College staff will be referred to the College authorities to be dealt with according to the relevant staff disciplinary procedures.
The College is fully aware and has carefully considered its obligations under the Data Protection Act 1998 and the other relevant legislation which governs the College’s use and monitoring of its electronic information systems, and the interception of the same more generally, and has reviewed its business practices in the light of these legal obligations together with the guidance provided by the Government’s Information Commissioner. Certain interception and monitoring is both lawful and necessary as set out in Section 6. We aim to be as open as possible about the monitoring that the College carries out. In all cases it is our aim that monitoring should be as unintrusive as possible, and we try to ensure that we provide or direct you to alternative methods of communication in order that you can keep your personal life private, and to afford you a reasonable level of privacy within the workplace.
College staff should be aware that this policy on the acceptable use of email, internet and telephone facilities complements existing guidelines relating to the use of College IT facilities. Such guidelines include the College Computing Regulations and the College Network Security Policy. Both of these are available from the HR pages on the College Intranet at: http://www.bbk.ac.uk/hr/policies_services/policies_az/computing_regulations and http://www.bbk.ac.uk/hr/policies_services/policies_az/networksecurity.
This policy applies whenever a member of staff accesses the College systems using on-site facilities or remotely. The College reserves the right to update this policy from time to time. Any amended policy will be made available on the College intranet and staff will be informed of the change via an all-staff message.
Email is an important and efficient means of communication which is used to conduct much of the College’s business. It is therefore important that all College staff have, and regularly use, an email account. All College staff in the HR system are provided with a ITS username and email address of the standard form: @bbk.ac.uk. This does not preclude the use of other email systems in Schools to which incoming email may be forwarded.
You should note that centrally maintained distribution lists (such as email@example.com) operate on the standard address assigned to staff.
You must ensure that emails that you are sending internally or externally comply with College policies. In particular, you must not:
Where the College has reasonable grounds to suspect misuse of email in terms of either the scale of use, or the content or nature of messages, it reserves the right to intercept (if necessary) and to monitor the email including but not limited to the destination, source and content of email (refer to Section 6). The use of email (for either personal or business purposes) to send or forward messages or attachments which are in any way defamatory, obscene, or otherwise inappropriate will be treated as misconduct under the appropriate disciplinary procedure.
You may make reasonable use of the College's facilities for personal emails, provided that this does not have more than a minimal impact on resources and does not adversely affect your work and the work of others. If an email is personal, you may wish to make this clear by using the word 'personal' in the subject line. Any member of staff found to be spending lengthy periods of their working day using the email system for non-work related purposes will be subject to disciplinary action.
All email is intrinsically insecure unless it is encrypted, therefore you should use discretion if information of a confidential or sensitive nature is being considered for transmission by email. You should note that email messages may be seen by system managers and other IT support staff in the course of their duties, just as postcards may be seen by postal workers.
Subject always to the College’s rights and the statement about the qualified nature of the privacy afforded to employees and users of the College’s electronic information systems, a user’s email account and the data associated with it is principally private. You must not attempt to access or read another user’s email unless specifically authorised by the owner of the account to do so. In the case of permission being given, for example to a personal secretary to access email for a member of staff, care must be taken to ensure that third party personal data is not comprised, whether by breach of confidentiality or otherwise.
Requests for access to a user’s account, for example in the case of absence of the user where information of importance to the business of the College is likely to be in the account, must be made to the Director of ITS by the Head of School or Administrative Department concerned. Such access should, in normal circumstances, be carried out with the prior knowledge of the employee. However, where impracticable, inappropriate or if the employee is not readily contactable, then the College reserves the right to access the employee's email account for business related information.
Staff leaving the College should ensure that any non-business-related messages have been removed from their College email accounts. ITS will normally cancel the email account of staff leavers following their last day of service so that senders of new messages receive an error message informing them that the email account is no longer active. Staff with a continuing association with the College (usually academic or research staff) can request ITS (via their Head of School) for continued access to their accounts or forwarding of messages to an external account (usually for a period of 3 months).
All email messages sent from or received by user accounts of the standard format <a href="mailto:firstname.lastname@example.org">email@example.com</a> pass through central mail hubs. A log is kept of the transaction (sender, receiver, date/time, subject, etc.) but not the content. This data is kept for a minimum of 1 year. ITS, as part of its data storage policy, automatically backs up all user files on central systems on a daily basis and retains backed up data for business continuity purposes (with daily weekday backups being retained for a month, and monthly backups retained for one year).
All emails sent or received through the College’s electronic information systems relating to College business should be stored for a minimum period of seven years. This period is likely in most but not all circumstances, to represent the end of the period of statutory limitation together with a safety period of one year, after which it should no longer be possible for a third party to bring a claim against the College and so necessitate the disclosure of relevant emails. Staff should consult ITS or Faculty/School support staff with advice on the archiving of such email communication if they wish to retain such data outside of their active email systems.
ITS will retain email accounts on central systems of staff leavers for a period of seven years. These may include personal email messages if these have not been deleted prior to the departure of the staff member. The reason for the retention of all email is that it is not practicable to differentiate between personal and business emails using current back-up and archiving technology, and even though an email may have been marked as ‘Personal’ or ‘Private’, it may contain material which is relevant to future claims made against the College or other employees, and facts relevant to the potential liability of you or the College. All retained emails are stored securely, with access limited by the Head of School or Administrative Department or his/her designate.
Some of the incoming emails received by College users may be unsolicited (spam), some may be unwanted and some may be dangerous in containing viruses, worms, etc. The College recognises that spam is a significant problem and ITS have taken various precautions to minimise the impact of spam by applying various filters and virus protection software at the mail hubs and central servers to reduce the incidents of unwanted mail. In addition all incoming messages are checked for spam and viruses by an external message filtering service provided by MessageLabs. Messages identified as spam are quarantined by MessageLabs for a period of 14 days. Users are provided with the option of reviewing these messages to ensure that they have been correctly identified and to release any of the messages for forwarding to their College email accounts. The policy of spam identification and removal will be kept in review. However the following guidelines should be observed by all users:
College users should be aware of best practice guidelines for when sending emails. These are available on the ITS website at
The College is committed to allowing its staff the freedom to access the Internet and the Web for the easy retrieval of information in order to carry out their learning & teaching, research or administrative role within the College.
You may make reasonable use of the Internet for other than strictly work purposes provided it does not adversely affect your work and the work of others and has a minimal effect on the College's resources. Limited, occasional or incidental use of the Internet for personal purposes is understandable and it is recognised that there can be times where it is sensible for the employee to make occasional use of the Internet for personal reasons such as a private transaction (e.g. carrying out a bank transaction or booking a holiday), rather than having to spend considerably more time out of the office. Such personal use should be confined to non-working hours and must not interfere, either by its timing or extent, with the performance of your duties.
Staff who abuse this privilege will be subject to disciplinary action.
For centrally provided systems ITS keep records of account logins and web activity logs may be held locally on individual systems. ITS retain account login information on use of central systems for a period of 1 year.
You should be aware that the College reserves the right to monitor network traffic in order to ensure that its facilities are not being used for inappropriate purposes. In particular you must not:
You should also be aware of the guidelines relating to the creation of institutional and personal Webpages. These are contained in the Code of Practice for the World Wide Web which is available from the HR pages on the College Intranet at: http://intra.bbk.ac.uk/web/policy/webpractice.pdf
The College telecommunication facilities are provided primarily for business use. However, subject always to the College’s right to change its policy and to inform its employees accordingly, the College does not record or monitor the content of telephone calls made using its equipment, albeit that the destination may be known. If privacy with regard content is therefore required by an employee, you are hereby directed to use the College’s telephone system rather than email or the internet. Staff are normally expected to use their personal mobiles or payphones to make personal calls during non-work hours. However, the College recognises the occasional need for staff to make or receive short personal calls on College telephones (both fixed line and mobiles), but this privilege must not be abused. It should be noted that calls to mobile telephone numbers are particularly expensive and now form a significant proportion of total call costs. These should be kept to an absolute minimum.
Anyone needing to make personal premium rate calls or personal international calls must first seek the permission of their line manager and the College must be reimbursed for the cost of such calls. Alternatively you should use public payphone facilities, personal mobile telephones, or personal charge cards issued by various telephone companies which can be used on College telephones to ensure that the cost of the call is charged to an individual's private account. Where possible, non-urgent personal calls should be made or received during scheduled breaks or outside normal working hours when they do not interfere with work requirements.
You should be aware that summary call usage information from particular extensions is routinely provided to designated telephone representatives in Schools and Administrative Departments for recharging purposes. Telephone call records are retained for a period of 1 year.
Where the College has reasonable grounds to suspect possible misuse of its telecommunication facilities, it reserves the right to monitor the destination and length of out-going calls and the source and length of incoming calls. This would not normally involve the surveillance of calls but in certain rare circumstances, where there are reasonable grounds to suspect serious misconduct, the College reserves the right to record calls (refer to Section 6).
As has been stated above, the College's email, internet and telecommunication systems are provided for business use, and as such the College reserves the right to monitor the use of these facilities. The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the “Regulations”) are ancillary to the Regulation of Investigatory Powers Act 2000 and allow organisations to intercept, monitor and or retain communications transmitted over their systems without consent, but having notified its users of the circumstances in which such action may take place, which the College is hereby doing, for the following purposes:
The College considers that from time to time each of the above circumstances are relevant to the College’s operation and the use of its electronic and other systems, and as such reserves its rights as afforded to it under the Regulations.
As stated in paragraph 3 above under the section Junk Mail, the College routinely intercepts emails using automated systems and scans them for viruses and other malicious software or code, and to determine whether or not the same appears to be unsolicited mail. It should be noted however that the College does not routinely monitor the content of information stored or transmitted in electronic format. It will normally only undertake monitoring of an individual's email, internet or telephone usage (and content where appropriate) in order to investigate potential misuse or abuse of these facilities. The consent of the individual member of staff, whilst not required where the law and/or this policy specifically permit the College to monitor its email, internet and telecommunications systems, will normally be sought unless, (a) urgent access is required for operational reasons; (b) there is evidence that a member of staff may be misusing facilities to a serious extent which, if corroborated, could result in disciplinary action; or, (c) there is a need to investigate and there is a serious possibility that evidence may be destroyed.
Save as set out in this or other relevant College policy requests for the monitoring of an individual's use of IT and telecommunication services or the content of such communications require the explicit authorisation by a member of the College's Senior Management Team (usually the College Secretary or designate). Following such approval, the monitoring will be undertaken by designated staff within ITS acting, for operational reasons, under the direction of the Director of ITS. These staff are required to observe the strictest confidentially when undertaking these activities and they will record or monitor only to the extent necessary to establish the facts of the case. These reports will be made to the College Secretary who in consultation with the HR Director will determine the actions that need to be taken in any particular case.
Information obtained through monitoring will only be used for the purpose for which the monitoring was carried out, unless the monitoring leads to the discovery of an activity that no employer could reasonably be expected to ignore. By way of example, breaches of health and safety rules that put other workers at risk.
The College does not carry out any covert monitoring of its staff. It would only undertake such covert monitoring of staff if, having taken advice, it considered that it was justified and had been specifically authorised by the College Secretary or designate. The situations in which such monitoring might be justified are where there are grounds for suspecting criminal activity or equivalent malpractice, and that notifying individuals about the monitoring would prejudice its prevention or detection.