System and network administrators, as part of their daily work, need to perform actions which may result in the disclosure of information held by other users in their files, or sent by users over the University's communications networks. This document sets out the actions of this kind which authorised administrators may expect to perform on a routine basis, and the responsibilities which they bear to protect information belonging to others. Administrators also perform other activities, such as disabling machines or their network connections, that have no privacy implications; these are outside the scope of this document and should be the subject of local working arrangements.
On occasion, you may need to take actions beyond those described in this document. Some of these situations are noted in the document itself. In all cases you must seek individual authorisation from the appropriate person in your department for the specific action that you need to take. Such activities may well have legal implications for both the individual and the University, for example under the Human Rights Act. You must therefore obtain such authorisation promptly in all circumstances, and records must be kept to help to protect you and the University from any charge of improper actions.
System and network administrators require formal authorisation from the 'owners' of any equipment they are responsible for. The law refers to "the person with a right to control the operation or the use of the system". In the University this right is delegated to, for example, the head of department or the dean of a faculty. This person is therefore usually the appropriate authority to grant authorisation to network administrators working on a network. Individual systems connected to the network may have more complicated ownership, as they may be formally the property of research groups or other divisions. You have both a right and a duty to be duly authorised by an appropriate person to undertake the activities set out in these guidelines.
If you are ever unsure about the authority you are working under, you should stop and seek advice immediately, as otherwise there is a risk that your actions may be in breach of the law.
The activities covered by these guidelines can be classified as operational or policy. Operational activities are undertaken to ensure that networks, systems and services are available to users and that information is processed and transferred correctly, preserving its integrity. You are acting to protect the operation of the systems for which you are responsible. For example, investigating a denial of service attack or a defaced web server is an operational activity, as is the investigation of crime.
You may also play a part in monitoring compliance with policies which apply to the systems. These policies include those implicitly or explicitly set out in the University's Regulations, code of conduct and guidelines for the use of computing facilities, and the JANET Acceptable Use Policy. In these cases the administrator is acting in support of policies, rather than protecting the operation of the system.
The law differentiates between operational and policy actions, for example in section 3(3) of the Regulation of Investigatory Powers Act, so the administrator should be clear, before undertaking any action, whether it is required as part of their operational or policy role. The two types of activity are dealt with separately in the following sections.
Where necessary to ensure the proper operation of networks or computer systems for which you are responsible, you may:
Where the content of a file or communication appears to have been deliberately protected by the owner, for example by encrypting it, you must not attempt to make the content readable without specific authorisation from management or the owner of the file.
You must ensure that these activities do not result in the loss or destruction of information. If a change is made to user filestore then the affected user(s) must be informed of the change and the reason for it as soon as possible after the event.
Administrators must not act to monitor or enforce policy unless they are sure that all reasonable efforts have been made to inform users both that such monitoring will be carried out and the policies to which it will apply. If this has not been done through a general notice to all users then before a file is examined, or a network communication monitored, individual permission must be obtained from all the owner(s) of files or all the parties involved in a network communication.
Provided administrators are satisfied that either a general notice has been given or specific permission granted, they may act as follows to support or enforce policy on computers and networks for which they are responsible:
Where the content of a file or communication appears to have been deliberately protected by the owner, for example by encrypting it, you must not attempt to make the content readable without specific authorisation from management or the owner of the file.
You must ensure that these activities do not result in the loss or destruction of information. If a change is made to user filestore then the affected user(s) must be informed of the change and the reason for it as soon as possible after the event.
You are required to respect the secrecy of files and correspondence.
During the course of your activities, you are likely to become aware of information which is held by, or concerns, other users. Any information obtained must be treated as confidential - it must neither be acted upon, nor disclosed to any other person unless this is required as part of a specific investigation; this means that:
You must be aware of the need to protect the privacy of personal data and sensitive personal data (within the meaning of the Data Protection Act 1998) that is stored on your systems. Such data may become known to authorised administrators during the course of their investigations. Particularly where this affects sensitive personal data, any unexpected disclosure should be reported to the relevant data controller.
For both operational and policy reasons, it may be necessary for you to make changes to user files on computers for which you are responsible. Wherever possible this should be done in such a way that the information in the files is preserved:
Where possible the permission of the owner of the file should be obtained before any change is made, but there may be urgent situations where this is not possible. In every case the user must be informed as soon as possible what change has been made and the reason for it.
You may not, without specific individual authorisation from the appropriate authority, modify the contents of any file in such a way as to damage or destroy information.
The JANET CERT site has examples of how these guidelines would apply in a variety of situations.
It is not possible to list all the legislation which applies to the work of system and network administrators. However, the following Acts are particularly relevant to the activities covered by this document. The University believes that if you follow these guidelines your activities will not be in breach of any of this legislation.
The Office of the Information Commissioner has published a Code of Practice on monitoring at work, including use of computers and networks.
JISC have published Senior Management Briefing Papers which discuss the specific implications of legislation for the education community:
The document A Suggested Charter for System and Network Administrators was adapted to reflect local arrangements, and permission granted by its author, Andrew Cormack, Head of CERT, UKERNA, is gratefully acknowledged.