Universitetet i Tromsø
Guidelines for the use of the university’s IT resources
Adopted by the University Director on 01.04.05. Last amended on 27.03.08. Ref: 2009/6652
Content:
1.0 Definition of terms
2.0 Objective
3.0 Scope
4.0 Loyalty
5.0 Data security
6.0 Respect for other users, privacy protection
7.0 Proper use
8.0 Awareness of the purpose for the use of the resources
9.0 Rights
10.0 Liability for damages
11.0 Private use
12.0 Logging
13.0 Confidentiality requirements
14.0 Distribution and deletion of data on termination of the user contract
15.0 Sanctions
16.0 Appeals body
1.0 Definition of terms
Definitions of words and terms used in these guidelines:
Users
All who receive access to and use the IT resources at the university. This covers employees, students and others who receive access to the IT resources.
User contract
A contract between the user and the department(s) at the university that regulates the user’s right of access to the IT resources. The user contract is also a confirmation that these guidelines have been accepted by the user.
Data
Information stored in the university’s IT system, including the content of both data files and software
Computer network
Hardware and/or software that enables connection between two or more computers, including private, local, national and international computer networks that may be accessed through the university’s IT resources
Operational interruptions
Interruptions and/or abnormalities that to an unacceptable degree hinder the users’ use of the IT systems
IT resources
Includes hardware, data, services and the computer network
Hardware
Computer hardware that may be used for data processing
Private data
Data located in an area marked as private
2.0 Objective
The objective of these guidelines is to contribute to a stimulating IT environment where the opportunities that the IT resources offer may be utilised in the best manner possible, in relation to both the community and fellowship at the university, to promote education and research, as well as spread knowledge about the scientific methods and results.
3.0 Scope
These guidelines pertain to use of the university’s IT resources, and apply to all users who receive access to these resources. Use of the IT resources also requires that the user is familiar with any supplementary regulations.
4.0 Loyalty
The user shall always identify himself/herself using his/her full name and there shall be no doubt about the user’s identity. In addition, the user shall explain his/her affiliation with the university. The user shall consequently always identify himself/herself by name, user identity, password or in another authorised way when using services in the computer network. Using the university’s IT resources without prior approval is prohibited. Being a user at the university implies permission is given for appropriate use.
External environments shall not be misused by users acquiring information not intended for them, or by using the services for other purposes than those intended. Users must show special care with confidential information.
The user shall follow instructions given by the systems administrator regarding the use of the IT resources. Users are expected to familiarise themselves with the user guides, documentation etc., in order to reduce the possibility that ignorance will lead to operational interruptions or the loss of data or equipment.
On termination of the employment or study relationship, the user is responsible for ensuring that copies of data owned/used by the university are secured by the university.
5.0 Data security
The user is obliged to take the necessary measures to ensure that the loss of data or similar shall have the least possible consequences by taking back-up copies, careful storage of data etc. This may be achieved by ensuring that the systems administrator has performed these tasks.
The user’s own files are considered personal. However, these files should be protected so they cannot be accessed by other users.
The user is obliged to not share their password or other security elements with other users, and to prevent unauthorised people from gaining access to the IT resources. This also covers the entering of the university’s internal user name and password on computers that do not belong to the university or storing the university’s user name/password in browsers on external computers.
The entry of data involves a risk of unwanted elements, such as viruses, worms and Trojan horses. The user is obliged to carry out measures that protect the IT resources against such. All computers (including home computers and laptops) that will use the university’s IT resources shall be protected with relevant security mechanisms (antivirus programs, firewalls and systems for regular updates etc.).
The user is obliged to report incidents that may affect the security or integrity of the computer system to their immediate superior or to the person in charge of IT security.
6.0 Respect for other users, privacy protection
The user must not attempt to obtain the passwords etc. of others or try to gain unauthorised access to other people’s data. This applies regardless of whether the computers are protected or not. It is important to emphasise that the use of IT resources in other people’s names is strictly forbidden. There are many actions which may be committed in or by using IT resources that are subject to criminal liability or liability for damages. Consequently, carrying out such actions in other people’s names can be extremely expensive.
A user who handles or has considered starting with the electronic handling of personal data and administrative, research or student projects is obliged to familiarise himself/herself with the Personal Data Act and Personal Data Regulations, as well as studying the university’s own guidelines for the handling of personal data. Prior to handling personal data in research or student projects, such handling shall be reported to the Norwegian Social Science Data Services (NSD). The user shall send a copy of the report to his/her faculty.
The user is bound by confidentiality requirements concerning personal matters which the user acquires knowledge of through use of the university’s IT resources (with reference to Section 13 of the Public Administration Act).
7.0 Proper use
The university’s IT resources may not be used to advance slander or discriminating remarks, distribute pornography, spread information subject to confidentiality requirements, violate the peace of private life or to incite or take part in illegal actions. Over and above this, users shall refrain from improper communication on the internet.
The IT resources shall be used in accordance with the objectives of the university. This prevents direct commercial use.
8.0 Awareness of the purpose for the use of the resources
The purpose of the university’s IT resources is to strengthen and support academic activity, administration, research and teaching. The user has a joint responsibility to ensure that the resources are used in the best manner possible. Use that is not justified in the institution’s objectives includes private use. Such use is commonly accepted, but not to the extent that it occupies large resources or comes at the expense of tasks that form part of research, teaching, dissemination and administration.
9.0 Rights
The use of data is usually dependent on agreements with the holder of the rights to the data. The user is obliged to respect the rights of others, including the conditions attached to licence agreements the university has entered into. This also applies when the university makes data available.
The user is only permitted to copy computer programs via the university’s computer network when the user has the right to use the computer program in question.
The user is not permitted to make data files, including music and media files, available on the university’s computer network without the prior approval of the author/instigator. Further, the user is not permitted to publish links to illegal material on the university’s computer network, including by using file sharing programmes.
10.0 Liability for damages
The user has sole responsibility for the use of data that he/she is given access to when using the IT resources. The university disclaims all responsibility for any economic loss that results from errors or defects in the computer system, including defects in data, the use of information from accessible databases or other data that has been obtained through the computer network etc.
The university is not liable for damages that occur to the user as a result of insufficient protection of their own data.
11.0 Private use
As an employer, the university retains full right of access to all information an employee receives in the execution of his/her duties at the university, including e-mail. Furthermore, the university has the full right of access to university-owned equipment and data that is stored on such equipment. In the event of absence, the university reserves the right to gain access to data that is stored in the employee’s area in order to ensure that tasks are carried out on time and with the best possible basis for the data. If the employee receives private e-mail or stores private data on the university’s equipment, this must be stored in folders marked (named) “Private”. The university will respect such marking and will not gain access to such areas unless specific legal title can be established.
12.0 Logging
Every instance of a user logging on to the university’s IT resources is logged. These logs are used to support the operation of the institution’s IT systems. Logs of traffic data or the content of communication are distributed to the Police, prosecuting authorities or other third parties in accordance with the decision(s) of a Norwegian court of law.
13.0 Confidentiality requirements
The systems administrator is obliged to observe confidentiality requirements concerning data about the user or the user’s activities which the systems administrator obtains in this way, with the exception that conditions which represent a breach of these guidelines may be shared with the systems administrator’s superiors.
14.0 Distribution and deletion of data on termination of the user contract
When the user’s relationship with the university terminates, e.g. on completion of his/her studies or termination of his/her employment contract, the user shall ensure that his/her data has been removed from the university’s IT resources. This data will be deleted three months after termination of the user contract.
In the event of death, the user’s private folder(s) stored on the computer in his/her work place will be deleted after three months. The distribution of private files will not be undertaken unless specific legal title can be established.
15.0 Sanctions
In the event of breaches of the prevailing regulations/guidelines for the use of the university’s IT resources, the university will assess whether to impose a reaction. The form of the reaction and exclusion from or limited access to computer systems/IT resources will be assessed depending on the degree of seriousness of the action or failure to act (secure personal data). For employees, this will vary from an oral briefing on the prevailing regulations (oral official reprimand) to other reactions pursuant to the Civil Service Act. For students, the closing of their user account on a temporary or permanent basis shall be considered. For all user groups, in the instances of serious breaches of the security regulations resulting in significant costs, the reparation of such costs will be assessed.
Sanctions against users must state the grounds, and may be imposed by the person with such authority pursuant to the prevailing rules for the university. A decision to close a student’s user account must be made by the University Director.
16.0 Appeals body
Complaints about sanctions (e.g. exclusion or refusal of user access) shall be directed to the authority that imposed the sanctions. If this complaint is unsuccessful, it shall be forwarded to the university’s Central Appeals Committee for a final decision. Complaints about surveillance follow the same procedure as for sanctions.