OVERVIEW

Computing resources and electronic information are provided to members of the Southwestern University faculty, staff and student body, and to authorized guests in order to accomplish the work and mission of the university. These computing and information resources are intended for University-related uses including direct and indirect support of the University’s instruction, research, and service missions; of University administrative functions; of student and campus life activities; and of the free exchange of ideas. The rights of free expression and academic freedom apply to the use of University computing and information resources. So, too, however, do the responsibilities and limits associated with those rights.

Legitimate use of computing and information resources does not extend to whatever is technically possible. Although some rules may be built into technology systems, these restrictions cannot limit completely what an individual can do or can see. In any event, each member of the Southwestern University community is responsible for his/her actions whether or not rules are built in, and whether or not they can be circumvented.

Computing and information resources are shared by all Southwestern users. You must not alter the normal functioning of the computing systems or engage in activities that impair the operation or security of the university’s network or computer systems or those contracted to by the university. The university may take any action required to protect the integrity of its systems and information, to prevent or stop illegal use of its systems and information, or to prevent or stop users from impeding the use of the systems and information by others. When necessary, the university may block access from any computer, system, network, or other access point.

Southwestern University extends these policies and guidelines to systems outside the University that are accessed via the University’s facilities (e.g., remote logins using the University’s Internet connections) and to third-party systems that are contracted to provide services to the Southwestern community. 

The University does not monitor contents of messages or files as a matter of course, but does monitor network and other computer usage. The University may become aware of violations of the law or university policy. If violations are discovered or suspected, university personnel will report the activity to appropriate university officials or external authorities or take other action, including, but not limited to: warning the user, removing the material, terminating access to the material, terminating network access to the computer, and/or initiating disciplinary action.

USER RESPONSIBILITIES

All Southwestern University computing and information resource users must:

1. Comply with all federal, state and other applicable law; all generally applicable University rules and policies; and all applicable contracts and licenses.

Examples of such laws, rules, policies, contracts, and licenses include: the laws of libel, privacy, trademark, obscenity, and child pornography; the Copyright Act, the Digital Millennium Copyright Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Texas Computer Crimes Law and the Texas Identity Theft Enforcement and Protection Act; Southwestern University’s Staff and Faculty Handbooks; the Student Code of Conduct; the University’s sexual harassment policy; and all applicable software and information resource licenses.

2. Respect the right of others to be free from harassment or intimidation to the same extent that this right is recognized in the use of other communication.

3. Respect copyrights, intellectual-property rights, ownership of files and passwords.

Unauthorized copying of files, documents or passwords belonging to others or to the University may constitute plagiarism or theft. Accessing or modifying files without authorization (including altering information, introducing viruses or Trojan horses, or damaging files) is unethical, may be illegal, and may lead to sanctions.

4. Protect the security of their individual information resources and University information resources by using effective passwords, never sharing a password or login credentials, and by safeguarding those passwords and credentials to prevent misuse.

Accounts, passwords, and other authentication mechanisms, may not, under any circumstances, be shared with, or used by, persons other than those to whom they have been assigned by the University.

5. Use only those computing resources that they are authorized to use and use them only in the manner and to the extent authorized. Ability to access computing resources does not, by itself, imply authorization to do so. Users are responsible for ascertaining what authorizations are necessary and for obtaining them before proceeding.  

6. Respect the finite capacity of computing and network resources and limit use so as not to consume an unreasonable amount of those resources or to interfere unreasonably with the activity of other users.

Although there is no individually-set bandwidth, disk space, CPU time, or other limit applicable to all uses of University computing resources, the University may require users of those resources to limit or refrain from specific uses in accordance with this principle. The reasonableness of any particular use will be judged in the context of all of the relevant circumstances.  

7. Limit the personal use of University computing resources and refrain from using those resources for personal commercial purposes or for personal financial or other gain. Personal use of University computing resources is permitted when it does not consume a significant amount of those resources, does not interfere with the performance of the user’s job or other University responsibilities, and is otherwise in compliance with this and other University policies.

You are not permitted to use Southwestern University computing or information resources to support commercial enterprises you may have, your work on behalf of political candidates or as an elected official, or for not-for-profit activities unrelated to the educational goals of the University, or any activity that could compromise the tax-exempt status of the University. Further limits may be imposed upon personal use in accordance with normal supervisory procedures.

8. If you take computer hardware or software abroad, you are responsible for complying with any applicable export controls or other federal regulations. If you plan to travel with a university-owned computer, Southwestern may be able to provide you with a temporary laptop or mobile device or prepare your assigned laptop or mobile device so that US export restrictions are respected. 

Users who engage in electronic communications with persons in other states or countries or on other systems or networks should be aware that they may also be subject to the laws of those other states and countries and the rules and policies of those other systems and networks. It is possible that the computer or software you regularly use may be prohibited. Users are responsible for ascertaining, understanding, and complying with the laws, rules, policies, contracts, and licenses applicable to their particular uses. Concerns and questions about international use of computers should be directed to the Southwestern University Office of Intercultural Learning. 

Whenever it becomes necessary to enforce University rules or policies, the Vice President for Information Services/Chief Information Officer or an authorized administrator may: disallow network connections by certain computers (even departmental and personal ones); require adequate identification of computers and users on the network; undertake audits of software, information or activities on individual or shared systems where policy violations are possible; take steps to secure compromised computers that are connected to the network; or deny access to computers, other devices, the network, and institutional software, services and databases.

CONFIDENTIAL DATA

Southwestern University faculty, staff, and student employees have varying access to electronic information that is sensitive and confidential. Southwestern University considers the protection of such information and its electronic infrastructure from unauthorized use to be a key responsibility of all faculty, staff, and student employees. Failure to act in accordance with these guidelines may result in disciplinary and/or legal action.

Confidential information must be stewarded in an ethical, professional, and legal manner at all times. All institutional data, whether maintained in a central database, on a local workstation or elsewhere, remain the property of the University and are governed by this statement.

By law, certain institutional data, such as, but not limited to, FERPA data may not be released without proper authorization. You must adhere to all applicable federal and state laws concerning storage, retention, use, release, and destruction of data. Users are encouraged to seek guidance from an appropriate supervisor, senior officer, or the chief information officer if it is unclear whether or not specific information is confidential. 

Confidential data shall be used only as required in the performance of university duties. You may not inspect, copy, alter, delete, share, grant access to, or in any other manner use such information, except as required in the performance of your job duties.

Data Security

You are responsible for the security, privacy, and control of data in your care, access privileges entrusted to you, and your SUeID/password.  If you have reason to believe that your SUeID/password is known by or has been used by another person, you must immediately notify an appropriate supervisor, senior officer, or the chief information officer.

You must take every reasonable precaution to prevent unauthorized access to confidential data. Such data shall not be presented or shared inside or outside the University without prior approval from the appropriate supervisor or senior officer of the University. Confidential data should never be left on any computer to which access is not controlled.

When using Southwestern University’s electronic information systems, you must exercise care to protect data from unauthorized use, disclosure, alteration, or destruction. You must understand the definition of confidential information in the context of your job responsibilities and take steps to ensure that your co-workers, staff, and student employees understand existing statutes and policies (such as FERPA, HIPAA, Donor Bill of Rights, Digital Millennium Copyright Act, etc., and University departmental guidelines that may supplement this list). Before granting access to confidential information you should be satisfied that a “need to know” is clearly demonstrated. You must seek guidance from an appropriate supervisor, senior officer, or the chief information officer when the appropriate use of, or the granting of access to, such information is unclear.

It is a violation of University policy, and may be a crime pursuant to the Texas Computer Crime law, for individuals to attempt to gain access to University electronic data that they do not need in the performance of their job or to which they are not authorized to have access.

The use of a cloud computing service for any University function or job responsibility must be approved IN ADVANCE by the Vice President for Information Services/CIO. Confidential or otherwise sensitive University information must not be stored, shared, or otherwise processed by a cloud computing service unless the service enters into a legally binding agreement with Southwestern University to protect and manage the data according to standards and procedures acceptable to the University. 

Appropriate university procedures shall be followed in reporting any breach of security or compromise of safeguards.

EXPECTATION OF PRIVACY

Southwestern University takes great care to protect the privacy and confidentiality of information created, accessed and stored on its computer systems, but the university can not guarantee confidentiality. The University retains the right to use data protection and information security measures as necessary to reduce the risk of a security breach or other disclosure of protected information.

Employees should have no expectation of absolute privacy for files, documents, web sites, and/or messages sent, received, transmitted or stored, or to the activity logs on the College-owned or contracted network, services, or equipment.

All information that is created by Southwestern employees, students or guests, and information owned by the University or stored on equipment controlled by the University is subject to discovery and disclosure according to state and federal law and University policy.  Except as limited by relevant state and federal law, and by the University’s Intellectual Property policy, Southwestern University reserves the right to access, monitor, copy, store, remove, and disclose communications or other data stored on university computer and telecommunication systems, whether owned or contracted through a service provider. This right includes the remote erasure of data on a mobile device capable of access to university data.

Users should be aware that even when a file, message, or bookmark is deleted, it may still be archived in the University’s backup systems and may still be retrievable.  If users add security protection to computer resources owned or controlled by the university, such as hardware, folders or files, or to university data in any format or location, they must give Southwestern University access to those resources upon request. 

Requests for Access to Email and other Files by Third Parties

From time to time, Information Services may receive internal or external requests for access to employee’s or student’s electronic mail and other files, including system, network, and user audit logs. In cases where a request is made as part of an eDiscovery process, Information Services response shall be governed by the guidelines set forth in the Southwestern University eDiscovery Guidelines. Requests that are made by subpoena will be handled according to guidelines provided by counsel.

Requests that do not fall under eDiscovery or subpoena shall be governed by the following guidelines.

1. Access by third parties to email and other files assigned to an employee, student alumni or guest of Southwestern University generally will be not be granted unless such access is to satisfy legal compliance or is a matter of health and safety. Business processes exist and can be implemented to ensure that Southwestern can continue to provide its business functions after the departure, planned or unplanned, of an employee without granting a third party access to the employee’s email and files.
2. In all cases of a request for access to email, electronic information or logs, the Vice President for Information Services and Chief Information Officer should be notified immediately.The VP/CIO may obtain guidance from legal counsel regarding the legitimacy of providing access to the requested material. If a request involves file of a staff member, the VP for Fiscal Affairs and/or the AVP for Human Resources will be notified. If a request involves files of a student, the VP of Student Affairs will be notified. If the request involves file of a faculty member, the Dean of the Faculty will be notified. 
3. The VP/CIO, in consultation with appropriate senior officers on the University and with guidance from legal counsel as needed, shall determine the need for someone to review the material before access is granted and, if a review is required, will identify the individual(s) who will conduct the review. In the event of a review, the VP/CIO will contact the reviewer(s) to determine the technical format for delivering the electronic materials to expedite the review while minimizing or eliminating any impact upon the content (for example: emails may be downloaded in chronological sequence and formatted as a .pdf, .txt or other type of searchable file without altering heading or body information).
4. Upon completion of a review, the reviewer(s) will notify the VP/CIO in writing as to whether or not the request for access should be granted and, if so, the manner in which the electronic materials should be delivered to the individual(s) who initiated the request. At no time shall Information Services staff members examine the contents of email or other user files in response to an access request by a third party unless so required in order to fulfill their normal job responsibilities or directed to do so by the VP/CIO.

SANCTIONS

Users of Southwestern University information systems are expected to act responsibly, in accordance with the highest standard of ethical and legal behavior and conduct themselves in a manner consistent with this policy, all other university policies, and state and federal law. If violations of law or Southwestern University policy are discovered or suspected, university personnel will report the activity to appropriate university officials or external authorities or take other action including, but not limited to, suspension of user accounts or initiation of disciplinary or legal action.

 

This policy is subject to change without prior notice.