Policy for the investigation of computers

Right to investigate

Investigating a person's e-mail correspondence or usage of the Internet is invasive of that person's privacy and should only be undertaken with good reason. It may also be invasive of the privacy of a third party. Information Services staff and relevant staff in other departments may not routinely access staff and student data held on the University's computer equipment, or routinely inspect the content of e-mail and other electronic data entering, leaving, or within, the University's network, other than to the extent necessary to protect the security and working of the University's network and computer systems. Attempts by any member of staff to implement any such system of monitoring beyond this basic level will be in breach of this policy and may be the subject of disciplinary proceedings.

Notwithstanding this, the University reserves the right to monitor an individual's use of the computing facilities and access data held on such facilities, or e-mail and other electronic data entering, leaving or within, the University's network in the following circumstances:

  1. where, by virtue of carrying out routine computer service tasks, members of Information Services and other members of staff discover data which breaches the University's regulations, the University's contractual obligations to third parties, or UK law, or where the nature of the data suggests such a breach has occurred or will occur;
  2. where the University has been requested, or required, to monitor data by the police as part of a criminal investigation;
  3. where there is other reasonable suspicion that a user or users are storing, transmitting or transferring data which breaches the University's regulations, the University's contractual obligations to third parties, or UK law;
  4. to investigate or detect unauthorised use of the University's computing facilities;
  5. to check whether or not communications are relevant to the University's business, for example when members of staff are on holiday or are unwell.

The University also reserves the right to monitor the nature and extent of data uploaded and downloaded from the Internet. This may be carried out by various means, including random searches.

Procedure

Decisions to investigate should be taken by an independent person in order to ensure that such requests are free of any kind of bias and are not malicious. Investigations of this kind are time-consuming and the decision should be made centrally to justify the use of Information Services staff and to determine the scale of the work to be undertaken. Taking such decisions centrally will also help to ensure consistency of treatment for all members of the University.

Requests may be made by any member of staff or student, although typically the request will come from a head of department or division. Occasionally requests are made from outside the University, for example by the police. The request should be made to the University Secretary and should include the following information:

  1. the name and department of the student or staff member whose computer or computing activity you wish to be investigated,
  2. the reasons for the request,
  3. where computer misuse is alleged, the evidence on which this is based,
  4. the nature of the information sought, for example current or deleted e-mails relating to a particular student, staff member or incident, or evidence of pornography, and
  5. any other relevant information, for example, that the request relates to ongoing disciplinary or grievance procedures.

In order to monitor the number and type of requests made, the University Secretary will keep a record of the requests that have been made and those which were acceded to.