The ICT regulations for the University of Bergen
================================================

+------------------------------------------------------------------------+
| UiB takes data protection and data security seriously. All our         |
| employees and students shall complete a basic course in these topics.  |
+------------------------------------------------------------------------+

**The ICT regulations for the University of Bergen**

| Adopted by the University’s Board on 3.12.09, amended on 29. May 2019.
| Part of the Management System for Information Security and Privacy.

1 Purpose
~~~~~~~~~

The purpose of the ICT regulations is to regulate the use of ICT systems at the University of Bergen (UiB).

2 Scope
~~~~~~~

"ICT systems" in the context of these regulations refers to all software, computers, infrastructure, and equipment used for digital information and data processing, as well as information and data stored in these. Digital communication related to these is also included, as well as ICT systems embedded in other infrastructure and equipment.

ICT systems “at UiB” means ICT systems located at UiB, owned or managed by UiB, or made available to UiB’s users from external parties, suppliers or others on assignment, agreement or in understanding with UiB, and used by UiB’s users or partners for purposes related to UiB’s activities.

The regulations apply to:

- Employees, students, guests and others who have been given access to ICT systems at UiB, hereafter called users.
- All use of UiB’s ICT systems.

In addition, the regulations apply to:

- Users’ and third party ICT systems, to the extent that these are used to perform tasks related to UiB’s activities, whether the system is located onsite at UiB or not.
- Private and third-party ICT equipment connected to UiB’s ICT infrastructure (e.g. network) regardless of its purpose.

3 Access to UiB's ICT services and systems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Students and employees must have a user account at UiB that provides access to ICT systems. Others can be given access to ICT systems dependent on role requirements. Access to the various systems and services is authorized by the system owner.

Students’ user accounts are deactivated two months after the right to study has ceased. Students will be notified one month in advance.

Employees’ user accounts are deactivated at the end of the employment. Notice is sent one month before the end date. The employees’ e-mail accounts are deactivated upon termination of employment, unless it is necessary to keep the e-mail account open for a short period after end of employment, due to special requirements.

Pensioners at UiB can apply to retain their user account with limited access. This is approved by the manager of the department where the pensioner was last employed.

Other users’ user accounts at UiB are deactivated when their connection to UiB expires, or the approved time period for access expires.

Data related to the user account is automatically deleted six months after that user account was deactivated. Data can be stored in backup systems beyond this period, but not for longer than one year.

In the event of a user’s death, the user’s account is deactivated immediately. The user account is deleted after six months unless there is an inspection requirement, or a need for rights to stored material as described in these regulations.

4 Use of UiB’s ICT services and systems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

UiB’s ICT systems shall be used to perform tasks related to UiB’s business. The use must not be contrary to law, regulations or UiB’s guidelines.

Users must prevent others from accessing their user account. Users must not seek to gain access to other users’ accounts.

Users must prevent unauthorised persons from gaining access to UiB’s ICT systems.

Users must not change or modify UiB’s ICT systems without permission, or otherwise cause them to work in other ways than intended.

Users are obliged to respect copyright and similar rights to software, data and other digital information such as publications, images, music, videos etc.

Users should avoid uses of ICT systems that can expose UiB to significant loss of reputation.

Users are obliged to immediately report breaches or other matters relevant to data protection and information security to the IT division. Such reporting should be done in UiBhjelp (hjelp.uib.no).

5 Activity log and control
~~~~~~~~~~~~~~~~~~~~~~~~~~

UiB’s ICT systems have mechanisms for registering activities (logging) and for backup. These mechanisms may, among other things, be used to document offenses or deviations from UiB rules and regulations, and to detect security breaches in the ICT systems.

The IT division under the IT Director has the main responsibility for controlling access to UiB’s network and general ICT systems, as well as for portable equipment and equipment used outside UiB, and has the authority to exercise this control in accordance with UiB’s management system for information security.

6 Employer’s inspection
~~~~~~~~~~~~~~~~~~~~~~~

6.1 Scope of regulations on the employer’s access
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In certain circumstances, UiB has the right to access the employee’s e-mail mailbox etc., cf. The Working Environment Act § 9-5 and regulations on the employer’s access to e-mail and other electronically stored material. These regulations apply to both current and former employees.

E-mail mailbox refers to the e-mail mailbox the employer has provided for the employee for work use.

The provisions apply also to the employer’s right to search and access the employee’s personal storage areas in the company’s computer network, ICT systems or other electronic equipment provided by the employer for work use.

The provisions also apply to access to information deleted from the areas mentioned above, but which can be found in backups or similar.

6.2 Conditions for access
^^^^^^^^^^^^^^^^^^^^^^^^^

UiB only has the right to access information stored in areas mentioned under point 6.1:

a) when it is required to maintain regular operations or for other legitimate business interests, or
b) in the event of justified suspicion that the employee’s use of the e-mail system or other electronic equipment is a serious breach of the duties that follow from the employment or may provide grounds for dismissal or termination of employment.

UiB does not have the right to monitor the employee’s use of electronic equipment, including the use of the Internet, unless the purpose of the monitoring is

a) to manage the enterprise’s computer network or
b) to detect or resolve security breaches in the network.

6.3 Procedures for inspection
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The employee shall as far as possible be notified and given the opportunity to comment before UiB carries out an inspection. In the notice, UiB must give reasons why the conditions for inspection are considered to be met and include information about employee rights. The employee has the right to object under the Privacy Ordinance Article 21.

The employee shall, as far as possible, be given the opportunity to be present during the inspection and has the right to be assisted by a union representative or other ombudsman.

If inspection is performed without prior notice or without the employee present, the employee shall be notified in writing as soon as the inspection is completed. The notification shall, in addition to information about why UiB considered the conditions for access to be met, contain information about which method of access was used, which e-mails or other documents were opened as well as the outcome of the inspection. The exceptions from the right to information in the Personal Data Act § 16 apply.

Inspection must, as far as possible, be carried out in such a way that the information does not change and that the inspected information can be verified.

Opened e-mails, documents or similar that turn out not to be required or relevant for the purpose of the inspection shall immediately be closed. Any copies must be deleted.

Requests for access are made by the head of the unit (department, faculty or division in the central administration) in consultation with the HR division and system owner. Decision on inspection is made by the University Director.

In the event of death, the University Director may decide to carry out an inspection

- when it is necessary to take care of the daily operations or other legitimate business interests, or
- when the deceased's estate has asserted rights to material.

Requests for such inspection are made by the head of the unit (department, faculty or division in the central administration) in consultation with the HR division and system owner.

The University Director can provide access to information, logs and backups to public authorities when authorized by law or regulation, or by decision of the court.

7 Sanctions
~~~~~~~~~~~

Violation of these regulations can lead to the user being denied access to all or part of the institution’s ICT systems. In addition, it may lead to sanctions under other rules, such as disciplinary actions according to the Civil Service Act, warning or exclusion from studies and exams according to the Universities and University Colleges Act, liability for damages, criminal liability, etc.

Temporary exclusion for up to 14 working days can be decided by the head of the unit (department, faculty or division in central administration) after consultation with the system owner. The HR division should be notified immediately if the exclusion applies to an employee. Exclusion for more than 14 working days is decided by the University Director.

Temporary exclusions can be made if there is a legitimate suspicion that:

- The user has committed serious offenses or
- The user or the user's ICT equipment constitutes a significant threat to information security.

In the assessment, emphasis shall be placed on the seriousness of the offence, whether the user previously has violated the regulations, what consequences exclusion may have for the user and other circumstances.

Appeals against decisions made according to the Civil Service Act, the Colleges Act and the Public Administration Act follow these laws’ complaint rules.