Policy statement

NOC IT systems, services and facilities are provided to enable employees and other authorised individuals to perform their jobs effectively and efficiently. All normal use of these systems in pursuit of NOC business within an employee’s authority to act is allowed. Illegal activity is not allowed.

The purpose of this policy is to identify proper usage and behaviour for NOC ICT (Information and communication technology) systems with the overall aim of protecting the rights and privacy of all employees, and the integrity and reputation of NOC. It should be read in conjunction with the NOC Personal Use of Social Media Policy.

Some limited and reasonable personal use of NOC’s ICT systems by employees is allowed provided that it is not excessive and does not:

  • interfere with normal work or the work of others
  • involve more than minimal amounts of working time
  • involve NOC in significant expense
  • expose NOC to legal action or risk bringing NOC into disrepute
  • relate to running a private business.

This policy applies to all employees of NOC. The principles of the policy will also be applied, as far as is reasonably practicable, to non-employees working at NOC locations and making use of NOC ICT systems (e.g., facilities users, Panel Members, contractors, visitors).

The policy sets the minimum common standards of ICT acceptable use. Where additional organisational, institute, local, site or project standards of acceptable use are set, these must be consistent with the minimum standards set by this policy.

Breaches of the policy will be dealt with under the Disciplinary Policy and/or, as appropriate, Fraud Policy. Examples of unacceptable activities are set out in Annex A. Sensitive or personal information must be appropriately protected in line with NOC policy.


  1. Principles

    1. NOC relies on its computer and communications facilities to carry out its business. All these facilities can be put at risk through improper or ill-informed use, which can result in consequences that may be damaging to individuals and their research, to the NOC community and to reputations.
    2. The policy aims to provide clear guidance to all employees concerning the use of NOC computer and communications facilities. It provides a framework to:
      • enable employees to use NOC facilities with security and confidence;
      • help maintain the security, integrity and performance of NOC ICT systems;
      • minimise both NOC and individual users’ exposure to possible legal action arising from unauthorised use of the ICT systems;
      • help ensure that NOC can demonstrate effective and appropriate use of publicly funded resources; and
      • set the minimum standard for acceptable use across all NOC ICT systems.
    3. It is NOC’s responsibility to ensure that employees have access to this policy, both on joining and during their employment. It is each employee’s responsibility to read, make themselves fully familiar with, and abide by the policy, the JANET Acceptable Use Policy (see 6.1) and any relevant local policies.
    4. The policy covers use of all ICT systems and facilities provided either directly or indirectly by NOC or used to conduct NOC business, whether accessed from a NOC site or remotely, in particular:
      • the Internet
      • electronic communications (in all forms), for example email, social media used for business related communication, etc.
      • electronic bulletin boards and social media
      • file sharing by whatever means
      • computing devices (e.g., desktops, laptops, printers, mobile devices, etc.) and servers
      • communications equipment (e.g., telephones (land-line and mobiles), faxes and video conferencing)
    5. Sensitive or personal information must be appropriately protected in line with the Government Security Classification Scheme. Security classifications indicate the sensitivity of information (in terms of the likely impact resulting from compromise, loss or misuse) and the need to defend against a broad profile of applicable threats. There are three levels of classification: OFFICIAL, SECRET and TOP SECRET.
    6. The classifications of OFFICIAL, SECRET and TOP SECRET should be used in place of any and all of the previous protective markings.
    7. All information that is created, processed, generated, stored or shared within UKRI is, at a minimum, OFFICIAL. The vast majority of such information falls under the OFFICIAL classification and does not need to be marked. OFFICIAL-SENSITIVE information is of a particularly sensitive nature and must be clearly marked. This classification should only be used in limited circumstances where there is a clear and justifiable requirement to reinforce the “need to know”. OFFICIAL-SENSITIVE descriptors may also be added to identify the sensitivity of the information. Only three descriptors can be used with the SENSITIVE caveat and these are: PERSONAL, COMMERCIAL, and LOCALLY SENSITIVE (LOCSEN). No other descriptors are to be used.
    8. Further information about the scheme can be found on the Government Security Classifications page.
    9. Any activity that falls outside acceptable use (see Annex A) may result in disciplinary action (see NOC’s Disciplinary Policy). Where the activity is deemed to amount to gross misconduct, this will normally lead to summary dismissal. Where relevant the NOC Fraud policy may also be invoked. For non-employees any action will be discussed with the individual’s management (as appropriate); this may include being denied access to NOC sites. Any suspected illegal action will be reported to the police.
    10. Non-employees will be made aware of the principles of the Policy, and any restrictions/guidance, before they have access to NOC ICT systems and services. This will include a statement on private/personal use (which should be in line with the restrictions placed on NOC staff but may be more restrictive if required).

  2. Monitoring

    1. Monitoring statement

      1. NOC reserves the right to monitor communications.
      2. NOC employs monitoring techniques on its ICT systems and services, including email and Internet access, to enable usage trends to be identified and to ensure that these facilities are not being misused.
      3. Monitoring is limited, as far as practicable, to the recording and analysis of network traffic data. To this end, NOC keeps logs of: calls made on communications equipment such as telephones and fax machines; emails sent, by email address; and internet sites visited, by computer system address. In some cases, this means that the identity of the individuals involved in the communication is readily available. These logs are not routinely monitored on a continuous basis, but spot-checks are carried out from time to time to help ensure compliance with this policy. Further authorised investigations may be necessary where there is reasonable suspicion of misuse of facilities.
      4. Since NOC owns and is liable for data held on its communications equipment and systems, it reserves the right, as part of any investigations, to inspect the contents of any emails or any other form of communications that are sent or received and of Internet sites accessed, for compliance with this policy. This will only be done where the volume of traffic or the amount of material being downloaded is excessive, or there are grounds to suspect that use is for ‘unacceptable’ or ‘forbidden’ activities (see examples in Annex A).
      5. Exceptionally, where there is a defined and valid reason for doing so, the inspection may include items marked ‘private’ or ‘personal’. An individual’s email and voice-mail accounts may also be accessed by management when the individual is absent from work to ensure official business matters can be effectively dealt with. Authorisation for such access is given by the Senior Information Risk Owner or equivalent Director. Management will make a reasonable attempt to inform and obtain agreement from the user prior to this occurring.
      6. Monitoring/investigations of individuals’ use of NOC’s communications systems may also happen in the following circumstances:
        • to detect or prevent crime, including detecting unauthorised use of systems, protecting against viruses and hackers, and fraud investigation;
        • to assist in maintaining the security, performance, integrity and availability of the ICT systems, services and facilities;
        • to provide evidence, e.g., of a commercial transaction, to establish regulatory compliance, audit, debt recovery, dispute resolution.
      7. Where monitoring is used, only NOC staff trained in data protection compliance will investigate the recorded data. Confidentiality will be ensured for all investigations involving personal data, except to the extent that wider disclosure is required to follow up breaches, to comply with court orders or to facilitate criminal investigation. Logged data will not normally be retained for more than one year unless required by regulatory compliance. Please refer to the NOC Policy on Data Protection, available from Knowledgebase or by contacting the NOC HR Team.
      8. In addition, members of the local IT Service Desk, Information Security representatives, Security Teams and Network Security Groups will conduct random audits on the security of NOC’s ICT systems. These audits include examination of a small, randomly selected set of user devices and server systems. The audit checks that these systems have correctly licensed software, do not contain inappropriate material and have not been used to access or view inappropriate material that may violate this Policy.
      9. Where monitoring reveals instances of suspected misuse of the ICT systems (e.g., where pornography or other inappropriate material is found, or where substantial time-wasting or other unacceptable/forbidden use is found), these will be investigated through normal disciplinary procedures and may result in dismissal.
    2. Personal files, documents and emails

      1. To help safeguard their privacy it is suggested that employees mark any personal emails they send with the word ‘Private’ in the “subject” line and to ask those they correspond with to similarly mark any personal emails being sent.
      2. Personal files, documents and emails can be stored in ICT systems provided they are in a folder clearly marked as ‘Personal’ or ‘Private’. Note that corporate electronic document or record management facilities (ERMS etc.) do not include a facility for personal data so should not be used for this.
      3. Where possible, those staff responsible for monitoring or inspecting the IT and communications systems will respect emails and folders which are marked ‘Personal’ or ‘Private’.
      4. In cases where misuse is suspected, all appropriate ICT systems, including emails and folders marked ‘Personal’ or ‘Private’, will be checked to establish whether there may be a case to answer.

  3. Private/personal use of ICT systems, services and facilities

    1. At management discretion, NOC employees are allowed limited and reasonable personal use of NOC ICT systems, services and facilities provided that such use does not: interfere with their (or others’) work; and/or involve more than minimal amounts of working time; incur any significant expense for NOC and/or tie up a significant amount of resource.
    2. Personal use should be limited to non-working time, e.g., at lunchtime, before/after normal working hours, or when “clocked out” for members of flexi schemes. Very limited, occasional personal use during normal working time will be tolerated (e.g., to respond briefly to an incoming personal email or telephone call or to deal with a non-work related emergency). However, spending significant amounts of time making personal use of the internet, email, communication equipment, etc. is not acceptable and may lead to disciplinary action.
    3. Before undertaking personal use, employees should ask themselves the following questions. Would the actions be considered unacceptable if viewed by a member of the public? Would managers, auditors or others in similar positions call into question the cost effectiveness of use of work time or use of NOC ICT systems and facilities? Will personal use have a negative impact upon the work of colleagues (e.g., in terms of their motivation and morale)? Could personal use bring NOC directly or indirectly into disrepute? Personal use should not be undertaken if the answer to any of these questions is yes.
    4. Responsibility for ensuring that any personal use is acceptable rests with the individual. Employees should seek guidance from their line manager if they have any doubts concerning the acceptability of their personal use. If any doubt still remains, then that form of personal use should not be undertaken.

  4. Social media

    1. NOC recognises the value of using social media in work related communication. It can be an effective way to respond to queries, keep stakeholders informed, and track and respond to mentions of NOC. Employees should have line manager approval before using social media for work related communication, and must read and comply with any local rules before using social media for NOC related work.
    2. Personal use of social media is covered in a separate policy.

  5. Use of NOC network infrastructure and services

    1. Where an Ethernet connection is required for a device, only one device is to be connected directly to a socket, or through the provided socket on a VOIP connected telephone. Use of network switches other than those provided by NOCIT is prohibited.
    2. The use of internet connection sharing (enabling one network-connected computer to share its network connection with other computers on a local area network (LAN)) is prohibited and this functionality should be disabled on any device connecting to the NOC network either via Ethernet or WiFi. WiFi capability must be disabled on a device whilst using an Ethernet connection. Failure to do either is a security risk and contravenes best practice guidance.
    3. NOC recognises that there may be an occasional need to connect personal devices to the NOC network. Personally owned devices should not be connected to the wired network, unless by prior arrangement with NOCIT. Only the guest WiFi services and eduroam are allowed for personally owned devices.
    4. Any personal devices granted access to the NOC network must have current anti-virus and anti-malware software installed.
    5. The use of WiFi access points other than those provided by NOC is prohibited, unless a specific business case and deployment plan has been presented and accepted by NOCIT.
    6. Any resulting access point installed must be configured and secured according to the agreed deployment plan. Failure to do so will result in the device being blocked or removed from the network.

  6. Related policies and procedures

    1. Where an external network connection is provided as part of the Joint Academic Network (JANET), the JANET Acceptable Use Policy applies.
    2. Employees must familiarise themselves with NOC’s data protection policies, relevant organisational, institute, local, site or project Information Security Policy, standards, best practice and guidance.

  7. Disciplinary action

    1. Failure to comply with this Policy may lead to action in line with NOC’s Disciplinary Policy; misuse of social media could also lead to legal or criminal prosecution.

  8. Policy review

    1. This policy will be regularly reviewed to incorporate any legislation or regulatory changes. The TUS may request that a policy is reviewed.

Version history

| Version | Date | Author | Change |
|---|---|---|---|
| V0.1 | 13-Aug-2019 | Graham Allen (NOC CIO) | Created from Research Council Policy with find and replace: Research Council to NOC. No content changes made. Circulated to Jon Ward for consultation with trade unions |
| V0.2 | | | |

ANNEX A: Unacceptable activities and penalties

This policy sets the common minimum standards for the acceptable use of ICT systems and services. Set out below are examples of activities and uses which are specifically excluded. The list is not comprehensive and is divided into two sections (“Unacceptable” and “Forbidden”) to help highlight the most serious activities. The consequences of undertaking any of the activities listed below (or other instances) will be determined through the normal disciplinary procedures. All such activities are considered to be serious and are likely to be viewed as misconduct. It is likely that undertaking a forbidden activity, or repeating an unacceptable activity, will be viewed as gross misconduct.

Unsolicited receipt of discriminatory, abusive, pornographic, obscene, illegal, offensive or defamatory messages (e.g., email SPAM/text messages) will not be treated as a disciplinary offence. With the exception of illegal material, anyone who receives such material should follow local guidance on how to report it to the appropriate person. An employee who accidentally accesses a pornographic or other inappropriate web page should report the matter to their line manager. No disciplinary action will be taken in such cases. If the line manager is unavailable, the employee should contact their local IT Security Officer.

Anyone accidentally viewing what they believe is illegal material (e.g., child pornography) must immediately stop what they are doing, take a note of where they found the illegal material and close the software application displaying the material; this includes email. The individual must not view the illegal material again and must take appropriate measures to ensure that others cannot view the material. They must inform their line manager and the relevant IT Security Officer, who will decide how to proceed. It may be a criminal offence to continue to view, allow others to view, or not to report some illegal material.

Examples of unacceptable activities

  • Spending more than permitted amounts of working time making personal use of the internet, email, and other ICT Systems and services.
  • Transmitting, downloading or storing any material such that this infringes the copyright of the owner.
  • Purchasing goods or services or entering into any contract via the Internet or any other ICT system on behalf of NOC without the necessary authority.
  • Business advertisements or trade sales*.
  • Trading, i.e., sale of any goods purchased with the sole intention of making a profit*.
  • Using an unauthorised electronic communication mechanism or cloud based service.
  • Using unauthorised external email accounts for NOC business.
  • Unauthorised redistribution of email.
  • Sending or forwarding chain emails.
  • Making your personal user name and password (also known as a ‘user account’) available for other people to use on your behalf.
  • Accessing another individual’s data, ICT systems or service without appropriate authorisation.
  • Deliberately creating, storing or transmitting information which infringes the data protection registration of the NOC.
  • Using NOC’s provided communication equipment to make unauthorised personal/non-business related calls to premium rate or international numbers; or subscribing to premium rate text messaging services.
  • Knowingly allowing the use of NOC ICT resources (for example Internet bandwidth) by unauthorised third parties*.
  • Disabling, altering, bypassing or circumventing any measures put in place by NOC to maintain the safe and secure operation of ICT systems and services. This includes non-cooperation with investigations or audits.
  • Misrepresenting NOC by unauthorised or inappropriate publishing, for example blog posts, tweeting, etc.
  • Failing to follow NOC advice on how to protect, store, transmit, share and access sensitive information both within and outside NOC.
  • Failing to purchase and dispose of ICT systems and services in line with NOC policy.
  • Inappropriate messaging to large groups of users. For example, sending emails to all staff, across an institute etc.

* Tenant organisations and some third parties may be permitted these activities if they are explicitly included in appropriate tenancy agreements or equivalent.

Forbidden activities

  • Using another person’s identity so as to appear to be someone else.
  • Attempting to gain or facilitate unauthorised access to a computer system or information.
  • Attempting to or deliberately corrupting, destroying or denying access to another user’s email, data files, information, ICT system or service.
  • Deliberately altering, bypassing or circumventing NOC advice on how to protect, store, transmit, share and access sensitive information both within and outside NOC.
  • Deliberately accessing, viewing, receiving, downloading, sending or storing material:
    • with pornographic, offensive, obscene or indecent content;
    • related to criminal skills or terrorist activities;
    • that promotes or encourages discrimination, racism or intolerance;
    • that facilitates illegal activity in the UK or the host country;
    • that is illegal in the UK or the host country;
    • that is defamatory, threatening, harassing, offensive or abusive;
    • that will, or is likely to, bring NOC or its staff into disrepute;
    • that is known to be infected with a virus, worm, Trojan or any form of malicious software or code;
    • that infringes the privacy and data protection rights of individuals;
    • that could endanger the health and safety of any other individual.