Code of Practice
One of the principal roles of the Computer Centre is to manage the IT infrastructure of the College and in this role it is, in effect, managing many of the College's repositories of information. Much of this information may be of a personal or confidential nature. Also, there is a great deal of information in system logs etc. which may indicate behaviour patterns of users. It is important that users can have full confidence in the Computer Centre to protect the privacy of such information and this Code of Practice is intended to underpin that confidence. Also, it is intended that the Code will support and protect staff within the Computer Centre by providing clear guidance at the appropriate times.
In general, it is expected of each member of staff that they will protect the confidentiality of any information entrusted to them and will access information belonging or relating to users only when it is absolutely necessary for the performance of their duties. Any such information accessed deliberately or inadvertently will be treated as personal and confidential and will not be divulged except where deemed necessary through the invoking of one of the official procedures of the College.
Staff will ensure that they comply at all times with the legal requirements relating to electronic information.
All staff must observe and, where necessary, enforce the security regulations within the Computer Centre. They must therefore ensure that:
- Every effort is made to protect any information, data, or equipment entrusted to them by users against access by unauthorised personnel.
- Any information or data entrusted to them is not disclosed or used for any purposes other than those for which it was provided by the user except in the particular cases which are covered by 3 below.
- Every effort is made to secure offices and other rooms with sensitive information in electronic or hardcopy form against unauthorised access.
- Physical access restrictions within the Computer Centre are enforced and observed. These apply in particular to the Computer Room, which staff other than those specifically nominated should have reason to enter only in exceptional circumstances.
Providing Access to or Disclosure of Information to a Third Party
Disclosing information from a user's files or email account or providing access to them for a third party without the user's consent can be done only in accordance with the procedure defined in the Procedure Relating to Access by or Disclosure to a Third Party of Information in a Staff Member's Files or Email Account or the Procedure Relating to Access by or Disclosure to a Third Party of Information in a Student's Files or Email Account, except where legal requirements direct otherwise.
Accessing System Logs or Other Transactional Information
From time to time it is necessary for staff to monitor traffic flows on the network, observe traffic patterns or examine system logs or other transactional information in order to ensure the proper functioning and security of the College's IT infrastructure. Also, they may have to access such information when undertaking a formal investigation which would be covered by 3 above. They must not at any time intentionally seek information to determine a behavioural pattern of an identifiable individual or individuals where this is not relevant to the foregoing purposes. The information obtained must be the minimum deemed necessary to address the issue to hand and it must not be disclosed or used for any other purposes.
Occasionally when undertaking other tasks, staff will inadvertently see transactional and other system information which could indicate behavioural patterns of users. They must not at any time disclose or use information received in this manner.
Accessing Users' Workstations
When a user requests assistance from a member of staff in the Computer Centre to solve a problem with his/her workstation, they are implicitly giving that staff member permission to access any files or other data on the workstation as is necessary to solve the problem. In such cases where the contents of personal files (as against system files) have been accessed, Computer Centre staff must ensure that:
- Only the minimum information necessary to solve the problem to hand is accessed.
- Such personal information must not be disclosed or used in any way other than to solve the problem.
- Any copies of files made in the process must be secured against access by others and must be destroyed or handed to the user once they are no longer required for the purpose of assisting the same user.
Sometimes in managing the IT infrastructure a member of staff may trace the source of a problem to a particular computer, file or email message (for example, an undeliverable email) and may have to inspect its contents immediately. In the case of a computer compromised by the presence of a particular file, it may not be possible to contact or identify the owner of the file who may be different to the owner of the computer. In such cases only the minimum information necessary should be accessed and it must not be disclosed or used in any way other than that deemed necessary in good faith to solve the problem.
This Code of Practice is designed to assure users that their rights to privacy and the confidentiality of their information are respected at all times. Any breaches of the Code will be regarded as disciplinary matters.
Approved by the I.T. Policy Committee - 7th April 2004