The ICT regulations for the University of Bergen

The ICT regulations for the University of Bergen

Adopted by the University’s Board on 3/12/09, and last amended on 26/11/2015.
This is the unofficial translation. The Norwegian text is the formally applicable version.

1 Purpose
The purpose of the ICT regulations is to regulate the use of the University of Bergen’s (UiB) information and communication technology facilities (ICT facilities).
All the equipment, digital information systems and services used for information management and communication are defined as ICT facilities.

2 Scope
The regulations apply:
• To all students, employees and others (such as external users, hired personnel and guests), from now referred to as users, who are granted access to ICT facilities at UiB.
• To any use of the ICT facilities at the University of Bergen and all the equipment that connects to it.
• To the users private ICT systems and other ICT facilities to the extent that they are used for performing tasks for the institution, irrespective of whether the facilities are located on the premises of the institution or not.
• To private equipment that connects to ICT facilities at UiB.

3 Access to the ICT facilities
Students and staff have a user account at UiB. A user account consists of a username, password, home directory, and an email box. Others can be granted access to ICT facilities as per a sanctioned requirement. The system owner authorizes access to the various systems and services.

The students’ user accounts are inactivated two months after they have completed their studies. A notification of blockage is sent one month in advance. Employees’ user accounts are inactivated upon termination of employment. A notification is sent one month before the end date. Pensioners at UiB can apply to keep their user account with a changed access.
Others with access to the ICT facilities are inactivated when their affiliation with UiB ends, or when the approved time expires.
User accounts are automatically deleted six months after their access to the ICT facilities has been inactivated and the content has been stored in the backup system for one year.

In the case of death, the user account will be inactivated. The account is deleted after six months unless public authorities have demanded access, or the estate of the deceased person upon probate has applied for the right to the material.

4 Use of the ICT facilities
The ICT facilities shall be used to perform tasks related to UiB’s business. The ICT facilities shall be applied in a way that does not violate the law, regulations or UiB’s internal rules.

The users are obliged to prevent others from accessing their user account. Users are not to seek to gain access to the user accounts of others.
Users are obliged to preventing unauthorized persons from gaining access to the ICT facilities at UiB, including access to rooms where ICT equipment is available. Without permission, it is prohibited for users to change, modify or otherwise cause the ICT facilities to operate differently than provided.
Users are obliged to respect copyright or similar rights to software, services and other digital information such as images, music, film etc.
Users are obliged not to use the ICT facilities in a manner, which could expose UiB to a substantial loss of reputation.

Users are obliged to report issues that can affect the ICT facilities security or integrity immediately to the IT department.

5 Activity log and control
The ICT facilities include solutions for logging of activities and backup, among other things, in order to document offences or discrepancies from internal rules and procedures, but also to detect/discover security breaches in ICT facilities. The IT department is primarily responsible for controlling access to network and general ICT services at UiB, as well as for portable equipment and equipment (owned by UiB) used outside of UiB.

6 Access to Information
In certain circumstances, UIB has the right to access an employee's email box, etc. cf. Regulations pertaining to the Work Environment Act, cf. the General Data Protection Regulation article 88. The regulations refer to the employer's right of access to the email of employee’s, and the rules cover, if applicable, the university’s access to students’ email cf. the regulations section 9-1, clause 5. For others who gain access to ICT facilities of UiB, UiB is entitled to the same right of access as that of employees.
The following sections use the term "employee" from the regulations, but the term also includes other users.
The email box means the email box that the employer has made available for the employee’s use in their work at UIB. The rules apply similarly to the employer's access for searching and access in the employee's personal area in UIB’s computer network and other electronic communications media or electronic equipment that the employer has made available for the employee’s use in their work at UIB. The provisions also apply to the employer's access into the information that the employee has deleted from the named areas, but which is stored in backup copies or similar to which the employer has access.
Access can be carried out into ICT facilities that are not at the disposal of UiB but which in general are covered by the ICT regulations. The conditions for – and the procedures on access will form the basis as far as they are appropriate.

6.1 Conditions for access
UiB has the right to search, open or read e-mail in the employee’s email box
• When it is necessary to ensure the daily operations or other legitimate interests of UIB.
• Upon suspicion that the employee's use of the mailbox is leading to a serious breach of their obligations as per their conditions of work or which can provide a basis for termination or dismissal.

6.2 Procedures for access
The employee will as far as possible be notified and given the opportunity to make a statement before UiB conducts their access. In the notification, UiB will justify the reason why the conditions are deemed to be met and will inform the employee, as far as possible, that they will be given the opportunity to be present when the access is being carried out and that the person concerned has the right to assist the spokesperson or another representative.

If the inspection is made without prior notice, the employee will be given a written report as soon as the inspection has been conducted. The information will, in addition to the facts about why UiB considered that the conditions of access have been met, contain particulars about the method of access used, which emails or other documents were opened and the results of the access, cf. the Regulations on Employer's access, section 3.

The exceptions from the right to information in the Personal Data Act Section 16. apply accordingly. The exception also applies to any subsequent notification.

The audit must be conducted in such a way that the data as far as possible is not altered and that the information retrieved can be re-examined.

If access to the email box shows that documentation is not available for which the employer has the right to access, the email box and its documents will be closed immediately. Any copies will be deleted.

A request for access into an employee’s email box will be advanced by the senior manager (of the institute, faculty or section in the central administration) in consultation with the HR Department and the system owner.

An application for access into a student’s email mailbox will be advanced by the head of the faculty in consultation with the Education Department and the current system owner.

The decision for access will be made by the university’s director.

In the case of death, the university director can decide to carry out an access to find the business-related e-mail. Such access will be carried out in cooperation between the unit's manager and the HR Department.

UiB can give access to information, to logs and backup copies, to public authorities when there is a legal basis in law or the regulations, as well as by a decision of the court.

7 Sanctions
Violations of the regulation’s provisions can result in the user being denied access to all or part of UIB’s ICT facilities. In addition, there may be notifications that can lead to sanctions in accordance with other rules, such as disciplinary actions as per the Norwegian Civil Servants Act, or an exclusion from studies and exams in accordance with the Universities and Colleges Act for the liability for damages, criminal liability etc.

Temporary suspensions of up to 14 working days will be able to be decided upon by the senior manager at the unit following consultation with the system owner. The HR Department should be notified immediately if the exclusion applies to an employee. Exclusions beyond 14 working days will be decided upon by the University’s director.

Temporary exclusions can be made on the justified suspicion that:
• The user has committed serious violations or
• The user or the user's ICT equipment constitutes a significant threat to information security.

In the assessment, emphasis will be placed on the seriousness of the violation, and whether the user has previously violated the regulations, which consequences an exclusion will have for the user and the conditions otherwise.

Any complaint of the decision struck under the legal authority of the Civil Servants Act, the Universities and Colleges Act and the Administrative Act is pursuant to these laws concerning the complaint.

Logo for Universitetet i Bergen

©2009 Universitetet i Bergen

Adresse: Postboks 7800 5020 Bergen

Besøksadresse: Nygårdsgaten 5

Telefon: (+47) 55584201 Faks: (+47) 55548299