Chapter 19 – Acceptable Use of Information Technology Resources
The University of Iowa's information technology resources are critical to the University's missions of teaching, research, and service. To ensure a highly robust, continuously available, fair, and effective environment that serves the University's computing needs, institutional and external standards for acceptable use must be applied. Each individual user must therefore comply with institutional and external standards for acceptable use of these shared resources. Although limited personal use of University-supplied technology resources may develop the skills of individual users and otherwise contribute indirectly to the University's mission, these resources should be used primarily for University-related research, educational, and administrative purposes. By using University information technology facilities and resources, users agree to abide by all related University policies and procedures, as well as applicable federal, state, and local law. Violations may result in University disciplinary action or referral to appropriate external authorities.
The use of University information technology resources — like the use of any other University-provided resource and like any other University-related activity — is subject to the normal requirements of legal and ethical behavior within the University community. Thus, legitimate use of a computer, computer system, or communication network does not extend to whatever is technically possible. Although some limitations are built into computer operating systems and networks, those limitations are not the sole restrictions on what is permissible. Users must abide by all applicable restrictions, whether or not those restrictions are built into the operating system or network and whether or not they can be circumvented in any way.
This acceptable use policy applies to all uses of University information technology (IT) resources. This includes the resources under the management or control of Information Technology Services (ITS) or other units of The University of Iowa, such as UI Health Care Information Systems (HCIS). A "user" is defined as any individual who uses, logs into, or attempts to use or log into, a system; or who connects to, or attempts to connect to or traverse, a network, whether by hardware or software or both, whether on campus or from remote locations. The term "user" thus includes system sponsors and system managers, faculty, staff, students, visitors, and other customers. "Information technology resources" are those facilities, technologies, and information resources required to accomplish information processing, storage, and communication, whether individually controlled or shared, stand-alone or networked. Included in this definition are all Instructional Technology Centers (ITCs), classroom technologies, electronic resources, and computing and electronic communication devices and services, such as, but not limited to, computers, printers, storage devices, mobile devices, email, fax, video, multi-media, instructional materials, and healthcare, research, and administrative systems. Personal equipment connected to the University network is also subject to this policy.
The same principles of academic freedom and privacy that have long been applicable to written and spoken communications in the University community apply also to electronic information. The University cherishes the diversity of perspectives represented on this campus and, accordingly, does not condone either censorship or the unauthorized inspection of electronic files.
The University employs various measures to protect the security of information technology resources and individual user accounts. Users should be aware, however, that the University cannot guarantee absolute security. Users should therefore engage in "safe computing" practices by safeguarding their accounts, and regularly changing and never sharing their passwords. Backup and recovery systems must be implemented in accordance with University disaster recovery guidelines, and all institutional systems must utilize security controls in accordance with best practices and University policies and procedures. The University respects encryption rights on its networks and may itself encrypt information and transactions when secure confidentiality is an obligation.
Users should also be aware that their uses of University information technology resources are not completely private as the information contained will be subject to the University's obligation to respond to subpoenas or other court orders, reasonable discovery requests, and public requests for documents pursuant to Iowa Code Chapter 22, the Public (Open) Records Law. All University records are subject to public record requests, unless an expressed exception in the law recognizes the confidentiality of the material, such as the exceptions provided for student, medical, or library records. By statute, public records include all "records, documents, tape or other information, stored or preserved in any medium," generated by University faculty or staff.
The Public Records statute contains no general exception for documents generated by faculty or staff in the course of their employment. As a result, the University recommends that faculty and staff refrain from keeping personal information on University systems, and utilize a personal email account for their personal communications. Additionally, users should be aware that University records that are otherwise subject to open records requests do not become confidential if they are created or stored on personally owned devices or in personal accounts. Disputes over the applicability of any confidentiality exceptions may ultimately be decided by a court of law, not by the University. While the University does not routinely monitor individual usage of its information technology resources, the normal operation and maintenance of the University's information technology resources require the backup of data and communication records, the logging of activity, the monitoring of general usage patterns, and other such activities that are necessary for the rendition of service. The University may also inspect account contents and electronic files, or monitor usage for a limited time when, and only when, there is probable cause to believe a user has violated this or other University policies. Inspections or monitoring related to violations of policy or law must be authorized in advance by the University Chief Information Officer (CIO) or a designee, or, within the UI Hospitals and Clinics, the CIO of Health Care Information Systems or a designee, in consultation with University counsel and other appropriate University officials. These investigations will be conducted with advance notice to the user, unless, after consultation with University counsel, it is determined that notice would seriously jeopardize substantial interests of the University or of third parties. In addition, a supervisor or principal investigator may request access to retrieve assigned work without notice to the employee if the employee is unavailable for timely response.
- Use resources appropriately. Uses that interfere with the proper functioning of the University's information technology resources are prohibited. Such inappropriate uses would include but are not limited to insertions of viruses into computer systems, tapping a network or running a "sniffer" program, sending e-mail spam or phishing attacks, destruction of another's files, use of software tools that attack IT resources, violation of security standards, and the like.
- Respect the rights of others. Interference with the ability of other users to make appropriate use of resources is prohibited. Such inappropriate uses include, without limitation, invading the privacy of another's files or otherwise gaining unauthorized access to the files of another. Such uses would include but are not limited to denial of service attacks, misrepresentation, forgery, password compromise, or the use of resources that affects the rights of others in violation of University policies.
- Adhere to the EDUCAUSE Code of Software and Intellectual Rights. The EDUCAUSE Code follows: Respect for intellectual labor and creativity is vital to academic discourse and enterprise. This principle applies to works of all authors and publishers in all media. It encompasses respect for the right to acknowledgment, right to privacy, and right to determine the form, manner, and terms of publication and distribution.
Because electronic information is volatile and easily reproduced, respect for the work and personal expression of others is especially critical in computer environments. Violations of authorial integrity, including plagiarism, invasion of privacy, unauthorized access, and trade-secret and copyright violations, may be grounds for sanctions against members of the academic community.
- Adhere to data access policies. Accessing restricted data without permission or need to know is prohibited. Where access to restricted data is permitted, use of such data shall be limited to the purpose for which access was authorized. Secondary use of University data subject to access restriction, without adhering to the restrictions, is also prohibited. Information that carries specific access restrictions, as defined by state or federal law, statute, or other requirements, will be held confidential as needed to comply with such restrictions. Examples include but are not limited to access restrictions for personal health, education, and financial records as defined by the Health Insurance Portability and Accountability Act (HIPAA), Federal Education Rights and Privacy Act (FERPA), federal regulations on the use of human subjects in research, the Gramm-Leach Bliley Act (GLBA), and Payment Card Industry Data Security Standards (PCIDSS).
- Adhere to software licenses. Persons loading software on any University computer or device must adhere to all licensing requirements for the software. Except where allowed by University site licenses, unauthorized copying of software licensed to the University is a violation of this policy. Users are responsible for adhering to agreements for databases licensed by the University. Individual departments are charged with the responsibility of ensuring that licensing requirements are met and for guiding the installation of personal software on departmental computers or devices.
- Avoid excessive personal use. Personal use of information technology resources should be kept to a minimum. Personal use may be excessive if it takes place during regularly scheduled work time, if it adversely affects productivity, if it overburdens a network, if it results in substantial use of system capacity, if it subjects the institution to increased operating costs, or if it is otherwise detrimental to the University or members of the University community. Some uses will be plainly excessive in all environments, but the extent to which other uses become excessive may vary. In all instances, supervisors should provide guidance to individual users on what constitutes excessive personal use.
- Refrain from prohibited personal uses. Information technology resources, including the University's electronic address (e-mail, web), shall not be used for personal commercial gain, for charitable solicitations unless these are authorized by the appropriate University officer, for personal political activities such as campaigning for candidates for public office, or for lobbying of public officials. (For more information on lobbying, please refer to II-32 Office of Governmental Relations and II-34 Lobbying Restrictions Applicable to Public Employees and Officials. Students should refer to the Code of Student Life.)
- Use University name as authorized. Unless authorized to speak for the University, users should avoid creating the impression they are doing so. Electronic exchange of ideas is encouraged. However, users shall take appropriate steps to avoid the possible inference that communication of a message via the University e-mail system or other electronic communication connotes official University authorization or endorsement of the message (see II-33 Use of University Name).
- Adhere to other University policies. Inappropriate use of information technology resources may violate a number of generally applicable University policies, including, without limitation, III-15 Professional Ethics and Academic Responsibility, III-16 Ethics and Responsibilities for University of Iowa Staff, V-31 Intellectual Property, II-3 Human Rights, II-4 Sexual Harassment, II-10 Violence, II-11 Anti-Retaliation, II-14 Anti-Harassment, V-9 Fund Solicitation, and Section IIA of Policies and Regulations Affecting Students. For example, viewing pornography at work violates several University policies and is therefore prohibited unless being used for a specific academic purpose. In addition, all IT policies under the oversight of the University Chief Information Officer, and published at the location Campus IT Policies are hereby included.
- Obey external laws. Information technology resources shall not be used in a manner that violates federal, state, or local law, including without limitation the federal requirement that the University provide employment and educational environments free from race-based or gender-based hostility (see Titles VI and VII, Civil Rights Act of 1964, and Title IX, Educational Amendments of 1972); and state criminal laws forbidding harassment (IC 708.7), exhibition of obscene materials to minors (IC 728.2), rental or sale of hard core pornography (IC 728.4), official misconduct (IC 721), computer crime (IC 716A), and federal and state copyright and fair use laws. University resources used internationally may also be subject to additional laws, regulations, or treaties. Nothing in this policy prohibits the use of appropriate material for educational purposes in any accredited school, or any public library, or in any educational program in which a minor is participating. Nothing in this policy prohibits the presence of minors at an exhibition or display or the use of any materials in any public library.
Information Technology Services is charged with communicating this policy to the user community through partnering with major campus Information Technology providers and for providing educational programs to achieve technical proficiency and appropriate use of the resources. Requests for interpretation of the policy as applied to particular situations may be directed to the appropriate University administrator, such as the Offices of the Executive Vice President and Provost, Dean of Students, Chief Human Resources Officer, Chief Diversity Officer, Chief Information Officer, Health Care Information Systems, Information Technology Services, or to the Office of the General Counsel.
Members of the University community are strongly encouraged to report violations of this policy to any one of the following: Information Technology Services' Information Security and Policy Office, UI Health Care Information Systems, to an employee's supervisor, or, in the case of a student, to the Office of the Dean of Students. Anonymous reports of misuse of University resources may also be made through the use of the EthicsPoint website or hotline. Where violations of law are alleged, University Public Safety and/or the Office of General Counsel should be contacted. Good faith disclosures of University-related misconduct are protected by the Anti-Retaliation Policy (see II-11).
Violations of criminal law may result in criminal prosecution. Violations of University policy may result in informal or formal sanctions including, but not limited to, loss of user privileges for a definite or indefinite period, discipline up to and including termination of employment, or, in the case of a student, probation, suspension, or expulsion from the University.
Formal sanctions taken in response to violations of this policy by:
- faculty members will be governed by the general Faculty Dispute Procedures (see III-29) and that portion of those procedures dealing with faculty ethics (III-29.7);
- staff members will be governed by applicable Regent Merit System Rules and University policies, including, III-16 Ethics and Responsibility Statement for Staff, and the applicable grievance procedures, including III-28 Conflict Management Resources for University Staff;
- graduate assistants, when dismissal is sought, will be governed by the procedure for dismissal of graduate assistants (III-12.4). When disciplinary action other than dismissal is taken by the dean of the employing college, a graduate assistant may appeal through those procedures established for graduate assistant employees;
- students will be governed by the Student Judicial Procedure.
The University makes no warranties of any kind, whether expressed or implied, with respect to the information technology services it provides. The University will not be responsible for damages resulting from the use of information technology facilities and services, including, but not limited to, loss of data resulting from delays, non-deliveries, missed deliveries, service interruptions caused by the negligence of a University employee, or by the user's error or omissions. Use of any information obtained via the Internet is at the user's risk. The University specifically denies any responsibility for the accuracy or quality of information obtained through its information technology facilities and services, except material represented as an official University record. The University also does not accept responsibility for removing material that some users may consider defamatory or otherwise offensive. Users should be advised, however, that dissemination of such material may subject them to liability in other forums.
Individual units within the University may define by written policies conditions of use for information technology resources under their control. Policy statements must be consistent in principle with this and all other University policy, but may provide additional detail, guidelines or restrictions. Such unit or departmental policies should be submitted to the Executive Vice President and Provost (for faculty), Human Resources or Vice Presidents of the University (for staff), the University Chief Information Officer, or to the Hospital Advisory Committee (for UIHC) to review for consistency with University policy. In addition, users are advised that network traffic exiting the University is subject to the acceptable use policies of our national and international network connectivity and long distance providers.