The purpose of this Policy is to outline the circumstances in which it is permissible for the college to investigate the activity and access the IT accounts, communications and/or other data stored on IT equipment, including any peripheral devices or hardware, of staff, students, associates and any other authorised users of the college's IT equipment and facilities.
The college respects the privacy and academic freedom of staff and students. However, the college may carry out lawful monitoring of IT systems. Staff, students, associates and other authorised users should be aware that the college may access email, telephone and any other electronic communications, whether stored or in transit to comply with legislation and to ensure appropriate use of the college IT systems. All access and monitoring will comply with UK legislation, particularly the Regulation of Investigatory Powers Act 2000 (RIPA), the Human Rights Act 1998 (HRA) and the Data Protection Act 1998 (DPA).
College staff authorised by the Head of IT may access files and communications, including electronic mail files, stored on any IT facilities owned, managed or maintained by the college and may examine the content and relevant traffic data.
This policy should be read in conjunction with the college's Regulations for the Acceptable Use of College Information Technology (“the AUP”).
For the purposes of this policy the “Designated Authority” is the Head of IT, or in his absence any other nominated officer.
The college may access files and communications for the following reasons:
- to prevent and detect crime (including, but not limited to, crimes such as fraud and unauthorised access to a computer system under the Computer Misuse Act 1990);
- to establish the existence of facts relevant to the business of the institution (for example, where a case of suspected plagiarism is being investigated and there is sufficient evidence, the contents of an individual's communications and/or files may be examined without their consent and with the authority of the Designated Authority);
- to investigate or detect unauthorised use of the systems (for instance, to ascertain whether the user is breaking college regulations);
- to ascertain compliance with regulatory or self-regulatory practices or procedures relevant to the University's business (i.e. to ascertain whether the college is abiding by its own policies).
For any investigation into a member of staff, authorisation must be by both their Head of Department and Principal. The Designated Authority will also require proof that Human Resources are aware of the investigation.
For any investigation into a student, associate or other authorised user, authorisation must come from the Registrar.
Law Enforcement Authorities
A number of non-institutional bodies/persons may be allowed access to user communications in certain circumstances. Where the college is compelled to provide access to communications by virtue of a Court Order or other competent authority, the college will disclose information to these non-institutional bodies/persons when required as allowed under the Data Protection Act 1998.
Under the Regulation of Investigatory Powers Act 2000, a warrant may be obtained by a number of law enforcement bodies regarding:
- issues of national security
- the prevention and detection of serious crime
- safeguarding the economic well-being of the UK
In such circumstances, the college will provide necessary assistance with the execution of a lawful warrant.
Access to Accounts – Suspected Illegal Behaviour
Where circumstances brought to the Designated Authority’s attention constitute grounds for reasonable suspicion that any user is using the college IT Facilities for the commission or attempted commission of a criminal offence, HR or the Registrar will contact the police.
The IT account will be frozen and any associated hardware or peripheral devices will be held pending further investigation by the police. No examination or further investigation will be carried out to ensure that there is no compromise of any future police enquiry.
Access to Student and Other Authorised User Accounts – Suspected Breach of Regulations
Where there are reasonable grounds to suspect that a breach of the college's regulations has taken place, in the first instance the student will be contacted, where possible, to request consent for access. Where consent is given, the Designated Authority will record that the student's communications are being accessed.
If it is not appropriate to inform the student or the student is not available to give consent or consent is refused, authorisation will be requested as described in paragraph above.
All actions will be taken in line with the Student Disciplinary Procedures.
The relevant communications should be reviewed by the Designated Authority to assess whether the student has breached the college's Rules and Regulations and he will inform the Registrar.
Access to Staff and Associate Accounts – Suspected Breach of Terms of Contract
Where there are reasonable grounds to suspect that a member of staff is using the college's IT Facilities in breach of the terms of their contract of employment, in the first instance the member of staff will be contacted, where possible, to request consent for access. Where consent is given, the Designated Authority will record that the member of staff’s communications are being accessed.
If it is not possible to inform the member of staff, the member of staff is not available to give consent, consent is refused or access is required under paragraph above, authorisation will be requested by the Designated Authority as detailed above.
The relevant communications will be reviewed by the Designated Authority to assess whether the member of staff has breached the terms of their contract of employment and the findings passed to HR.
Any access to the communications of a member of staff, student or authorised user of the college systems will be with as little intrusion and disruption to the communications of third parties that are unconnected to the authorised access as possible.
Any communications collected under this Policy will be treated as confidential and will only be examined by those persons who are so authorised.
Any communications accessed under this Policy will only be retained for as long a period as deemed necessary for the specific purpose and in line with the college's Records Retention Policy.
Any material collected under this Policy will be stored securely and will be labelled accordingly depending on the sensitivity of the material in question. If accessing communications does not uncover any material requiring further investigation of the member of staff, student, associate or authorised user concerned, all material collected will be destroyed 20 working days after the person has been informed.
The Designated Person will maintain a log of all investigations carried out under these procedures.
Any person collecting communications over a period of time under this Policy will ensure that they have continued authorisation to access communications of a member of staff, student or authorised user.