Monitoring of University IT Systems

Users of University IT and communications systems should be aware that their usage may be monitored and logged. User data in accounts may also be examined and may in certain circumstances need to be disclosed. The University Information Security Policy states what to expect and what is permitted in various situations. It is particularly important that staff whose privileges allow them to access the information of others, such as IT managers, are aware of what is expected and acceptable.

Routine monitoring and access

Monitoring and logging usage of University IT and communications systems and accessing data in user accounts may only be undertaken by specific members of staff as a recognised part of their normal duties. This work must be:

  • Approved by management
  • For legitimate business reasons
  • Justifiable
  • Fair
  • Proportionate
  • Not unnecessarily intrusive
  • Compliant with UK legislation

Information on University IT equipment and networks, including mobile phones, may be examined on behalf of the University by authorised persons to: 

  • Support detection or prevention of activities that are in breach of University policy
  • Comply with legislation
  • Support detection or prevention of activities that are illegal
  • Defend against attacks on its systems or data
  • Identify or investigate an operational problem or monitor for correct operation
  • Investigate suspected unauthorised access to or use of systems
  • Perform monitoring or support activities with the consent of the subject

User-specific information may be routinely monitored or logged by authorised staff with respect to:

  • Login and logout events and locations
  • System resource usage
  • Software usage
  • Software auditing to support compliance
  • Network bandwidth usage
  • Network bandwidth usage and traffic patterns
  • Power consumption
  • Detection of email spam
  • Detecting security vulnerabilities
  • Identifying and controlling security threats
  • Serving inappropriate content, which may include material which is obscene, violent, illegal, damaging to the University or otherwise in breach of University policy.

Use of automated systems which scan user files and communications for an approved purpose is permitted.

Monitoring and access in special circumstances

In special circumstances authorised University staff may access and examine the content of any data stored in, or being transmitted by, University information systems. This includes examining the content of data files and communications which should otherwise be treated as confidential and therefore goes beyond what is permitted in routine monitoring. Such special circumstances include:

  • When the Registrar considers there are reasonable grounds to suspect a specific breach of University regulations or the terms of an employment contract which justify access
  • The Registrar has agreed to respond to a request from a non-institutional body for information which may otherwise be the subject of a court order
  • The University is required by virtue of a Court Order or other competent authority to provide information in relation to taxation, detection and prevention of a specified crime or national security. The Registrar must be made aware of any such orders
  • Access to a personal computer account belonging to an absent member of the University is necessary

In all cases the correct procedures must be followed, as explained in further detail in the Institutional IT Usage Monitoring and Access policy (ISP-I6).

Unauthorised monitoring or access

Routine monitoring does not include examining the contents of files and communications for any purpose which has not been previously approved as a requirement of legitimate University business.

Those with elevated access privileges, such as IT system and network administrators, are not entitled, simply by virtue of having those privileges, to examine the contents of user files and communications on the systems they have access to.

Unapproved information system monitoring or access is a breach of University regulations and may also be illegal; such activities may therefore lead to disciplinary or legal action.

University Policy

This communication is based on the Information Security Policy document:
Institutional IT Usage Monitoring and Access (ISP-I6)

Request Information

To make a Data Subject Access Request, or a Freedom of Information Request, please contact IAS directly.

Data Protection Officer

The Data Protection Officer is:

Elisabeth Taoudi, Data Protection Officer and In-House Commercial Lawyer, University of Leicester, University Road, Leicester, LE1 7RH

0116 229 7640

et177@le.ac.uk