3.1 Overview
IT Services recognises that there are two broad types of content and resources that must be considered when applying and enforcing IT policies. While all IT policies apply in each case, the governance and oversight may differ.
- There is user generated content that relates to the university websites and social media presence. The activity and content under this definition will primarily be governed and guided by the Digital Estate Working Group.
- There is corporate (or university) content and resources relating to the operational, administrative, academic and research activities of the university. This activity and content will primarily be governed and guided by the External Hosting Group.
The diagram below provides a summary of how this content is governed and the various stakeholders across the university.

Figure 1
The following roles and responsibilities apply in relation to this Policy:
3.2 Digital Estate Working Group (DEWG)
With representation from IT Services, Marketing & Communications, Academic Affairs & Registry, and Audio Visual, the Digital Estate Working Group (DEWG) provides guidance and direction for the day-to-day running of the University's websites and social media presence. The group implements policy, defines standards and agrees content for the university homepage and other web pages. The DEWG also has a key role in ensuring compliance with IT Policies and responding to breaches of same. In terms of IT policies, the DEWG will:
- Assess incidents/policy breaches and action next steps;
- Escalate more serious issues where appropriate to the IT Policy Breach Emergency Management Team (EMT);
- Manage any operational risk to the University, from breaches of approved IT policies.
3.3 External Hosting Group
The External Hosting Group, chaired by the University IT Security Officer, is responsible for approving the hosting of corporate data and information off-premise and in third party data centres. Included in this group are the Data Protection Officer and the Legal Secretary, who will advise data owners on matters of data protection and legal matters. This group is also tasked with advising and directing a response to any IT Policy breach relating to corporate data or resources. In the event of a policy or data breach this group will:
- Assess incidents/policy breaches and agree the next steps;
- Escalate more serious issues where appropriate;
- Manage any operational risk to the University, from breaches of approved IT policies;
- Advise data owners on appropriate hosting options and controls.
3.4 IT Policy Breach Emergency Management Team
The IT Policy Emergency Management Team (EMT) will meet in response to a breach in IT Policy that has been escalated from the DEWG or the External Hosting Group and decide if the University Emergency Response Plan needs to be invoked (https://www.ucc.ie/en/ocla/emergencyplan/). This team will include the Director of IT Services and the Corporate Secretary. Other relevant stakeholders will be invited to any meetings called by this team based on the details of any IT Policy breach. This team will act as an escalation point for serious incidents or breaches of policy relating to user generated or corporate data and resources. Examples of these include:
- Incidents that may result in disciplinary action against Staff or Students.
- Incidents that may result in the invocation of the University Emergency Response Plan https://www.ucc.ie/en/ocla/emergencyplan/
- Incidents that may result in a legal action, where there are clear legal implications, or where An Garda Síochána are involved.
- Incidents that may warrant a communication plan for internal or external stakeholders.
3.5 Staff/Students/External Parties
All staff, students, and external parties or users authorised to use university data or university IT resources are expected to adhere to all IT Policies.
4.1 IT Policies and Procedures Overview
The following IT policies have been developed to facilitate and ensure consistent, high quality implementations and management of the University’s IT resources and information.
UCC IT policies are divided into two areas: policies pertaining to IT Service Resource Usage and Security, and policies pertaining to UCC Data.

Acceptable Usage Policy
The purpose of the Acceptable Usage policy is to provide all Users of the University’s IT Resources with clear guidance on the acceptable, safe and legal way in which they can use the University’s IT Resources.
Providing an efficient and reliable computing and networking service, as well as access to communications devices, to Staff, Students and alumni depends on the cooperation of all Users. It is therefore important that Users are aware of their responsibilities as detailed in the Acceptable Usage policy.
IT Security Policy
The purpose of this IT security policy is to protect the information assets of the University from all threats, internal, external, deliberate or accidental. The policy is aimed at safeguarding the availability, confidentiality and integrity of the University’s information and protect the IT assets and services of the University against unauthorised access, intrusion, disruption or other damage. The policy has been written to provide a mechanism to establish procedures to protect against security threats, minimise the impact of security incidents and ensure compliance with applicable legislation and regulations.
Web and Social Media Policy
The University recognises that the Internet provides unique opportunities to participate in interactive discussions and to share information on topics of interest via a wide variety of social media platforms, such as Facebook, Twitter, YouTube, blogs, etc. However, as the content of such media is largely user-generated, this poses a unique set of legal and reputational risks for the University.
The purpose of the Web and Social Media Policy is to inform Staff and Students of the University what the University deems to be acceptable use of these platforms; and to offer Staff and Students a level of protection from any misuse of this medium.
Data Policies and Procedures
University Information Assets are of important value to the University. The following policies and procedures provide clear guidance on the acceptable, safe and legal way in which Users should use and manage the University’s Information Assets:
| Title | Description |
| --- | --- |
| Data Classification Procedure | The Data Management Policy requires Data Owners to classify their data according to its sensitivity and criticality. This procedure sets out how this classification is to be performed. |
| Data Management Policy | The purpose of this policy is to enable access to data and information held by UCC, to the greatest extent possible, consistent with legislation and relevant UCC policies, whilst ensuring that electronic data is protected from unauthorised use, access and breaches of privacy. |
| Data Protection Policy | This policy is a statement of the University's commitment to protect the rights and privacy of individuals in accordance with the Data Protection Acts. |
| Externally Hosted Data policy | The purpose of this policy is to ensure the safekeeping of data which is controlled by UCC, when it is hosted externally and that UCC fulfils all its obligations under the Data Protection Acts. |
| Personal Data Security Breach Management process | The purpose of these procedures is to provide a framework for reporting and managing data security breaches affecting personal or sensitive personal data held by the University. These procedures are a supplement to the University’s Data Protection Policy which affirms its commitment to protect the privacy rights of individuals in accordance with Data Protection legislation. |
Version Control Information
The University requires that all IT documents within the scope of this Policy are version controlled and, as such, each separate document includes a control sheet which must be completed as in Appendix 1.
In addition, the footer of the document will clearly indicate the current version number/ revision number. Where the document is in draft or going through a review cycle it will be numbered as version number/ revision number – for example 1.02 is the second revision of version 1.0 prior to finalisation of version 2.0. When a final version is agreed, it should be version 1.0, 2.0 and so on.
All IT policy documentation will be held in one secure central location to which access is restricted to “READ ONLY”. Once finalized, changes to documents are not allowed. To amend a document a new version needs to be created and reviewed. The IT policy documentation custodian (IT Director) will be the only person with full access to upload new documents/new versions and will only do so following the appropriate review cycle (Review and Approval section). This access restriction is critical to ensure appropriate documentation change control.
4.2 Monitoring
4.2.1 Network Usage
The University network usage is logged using multiple IT tools to protect the University IT Resources and provide forensic methods for problem solving. Logging can come from various sources including but not limited to:
- server system auditing;
- network security monitoring;
- firewall intrusion detection;
- web and network file sharing activity.
IT Services will monitor and investigate these logs in the following circumstances:
- there is reason to suspect that an IT Policy is being breached;
- bandwidth troubleshooting;
- problem solving;
- the University has other legitimate reasons for doing so.
You must therefore be aware that such logging and monitoring is taking place and the data being logged may be used if requested by an authorised officer of the University or the appropriate legal authority (Gardaí, Judiciary, etc.).
4.2.2 University Data
Data in the University’s systems (including documents, other electronic files, e-mail and recorded voicemail messages) is normally considered the property of the University, except where this data is received from an external source in the course of academic business and therefore may be the property of the sender. The University may inspect and monitor such data at any time in the following circumstances:
- there is reason to suspect that an IT Policy is being breached;
- for the purposes of backup and problem solving;
- there are other legitimate reasons for doing so;
- it is required to do so by law.
Therefore, no individual should have any expectation of privacy for messages or other data recorded in the University’s systems. This includes documents or messages marked “private”, which may be inaccessible to most Users. Likewise, the deletion of a document or message may not prevent the University from subsequently accessing the item in question.
4.2.3 Email
The email account of a Staff member and of Students, and any information contained in it including content, headers, directories and email system logs, remains the property of the University. In general, the University will respect the privacy of a Staff member’s email account. However, the University reserves the right to review, audit, intercept, access and disclose messages created, received or sent in the following circumstances:
- where there is reason to suspect that an IT Policy is being breached;
- for the purposes of back-up and/or problem-solving or where there are other legitimate reasons for doing so;
- when the University is required to do so by law;
- where, without access to the information in the account, the operations or functions of the University or a University department are likely to be seriously obstructed or impeded or where there could be serious safety or financial implications;
- where the account holder is no longer a member of Staff or retired Staff; and
- when an e-mail message is undeliverable (this is normally due to an incorrect address in which case the e-mail is redirected to the e-mail administrator who has to either open or redirect it accordingly or discard it).
Email traffic is monitored by IT Services to ensure efficient system performance and, when necessary, to locate problems/bottlenecks. Monitoring for this purpose may require an examination of the contents of messages.
4.2.4 Internet Usage and Social Media
Internet usage is monitored on a systematic basis by the University in the following circumstances:
- where there is reason to suspect that an IT Policy is being breached;
- for the purpose of back-up and/or problem solving;
- where there are other legitimate reasons for doing so;
- when it is required to do so by law.
Arising out of the need to protect the University’s network, the University cannot guarantee the confidentiality of information stored on any network device belonging to the University.
All Users should be aware that the University monitors the internet and social media on an ongoing basis to keep abreast of matters of general interest, brand presence and third party perception. The University does not specifically monitor social media and other sites of Staff, Students or External Users for content, but reserves the right to utilise for disciplinary purposes any information that could have a negative effect on the University, its Staff or Students which comes to the attention of the University or is brought to the attention of the University by Staff, Students, External Users and/or other third parties.
4.2.5 Access by or Disclosure to a Third Party of Information in a Staff Member's or Student’s Files or Email Account
While the University retains the right to monitor, read or disclose the information in a Staff member's or Student’s files or email account without the User's consent, the need to do so should arise only in exceptional circumstances. The circumstances in question would include the following:
- where there is reasonable evidence that there is or has been a violation of the Acceptable Use Policy.
- when required to do so by law or by the Gardaí in accordance with the Data Protection Act[s].
Or, additionally in the case of a Staff member:
- where, without access to the information in the account, the operations or functions of the University are likely to be seriously obstructed or impeded or where there could be serious safety or financial implications.
- where the account holder is no longer a member of Staff or retired Staff.
Any request to IT Services to disclose, or to provide access to, a third party to information in a Staff member’s or Student’s files or email account must be in accordance with the following steps:
- The request must be authorised in writing by:
  - the Staff member's Head of Department or by two members of the University Management Team Operations (for Staff);
  - the Registrar or the Academic Secretary (for Students).
- The request must indicate the reason for access/disclosure. In the case where the request is from the Head of Department, a copy of the request must be sent to the Staff member's home address.
- Those authorising the access will nominate one or more individuals to be provided with access. Alternatively, the Director will nominate two members of the IT Services Staff to extract the necessary information both of whom will be present at all times when the information is being accessed. They will disclose the information directly to the individual(s) making the request and to no one else.
- Only the minimum information required to satisfy the request should be accessed.
- In an emergency situation where it is not possible to get the necessary authorisation within the time available, approval should be sought by the person requesting access/disclosure as soon as possible thereafter. The IT Services Staff who respond to the request in this case must provide a report for the Director stating the reason for the request, the name of the person who made the request and the name of the User whose information was to be accessed.
- Notwithstanding the above, disclosure in all cases will be in accordance with legal requirements.
The University reserves the right to amend this Policy at any time in any manner in which the University sees fit at the absolute discretion of the University or the President of the University.
Any such revisions will be noted in the revision history of the policy, which is available to you on the website, and by continuing to use the University’s IT Resources following any update you will be deemed to have accepted the revised terms of this Policy.
Approval Date
Wed, 21 Jun 2017 09:29:00 IST
Summary of Policy Changes
| Draft Version Number/Revision Number | Revision Date | Summary of Changes |
| --- | --- | --- |
|  |  |  |
|  |  |  |
|  |  |  |
This document requires the following approvals:
| Name | Title | Date |
| --- | --- | --- |
| Gerard Culley | Director of Information Technology |  |
| John Fitzgerald | Director of Information Services |  |
| John Morrison | Chair of IS & ER committee |  |
| Michael Farrell | Corporate Secretary |  |
| Heads of College |  |  |
| Academic Council |  |  |
8 Further Information
Contact Email: itsecurity@ucc.ie
Contact Name: Director of IT Services
Contact Telephone Number: 021 4902215