ISP-05 Human resources policy

This is a sub-policy of the ISP-01 Information security policy.

Summary

This policy outlines the procedures to ensure that staff, contractors and third parties are equipped to protect the University's information assets. It covers recruitment, training, IT access, and employee conduct. The policy seeks to ensure that individuals follow clear protocols, with mandatory security training, access restrictions, and accountability for any misconduct.

Control information
Owner: Chief Information Security Officer, IT Services
Author: Information Security Manager, IT Services
Sponsor: Chief Information Security Officer, IT Services
Consulted: Associate Director of People; Information Governance and Security Advisory Board (IGSAB)
Approved by: Information Governance and Security Advisory Board (IGSAB)
Responsible area: IT Services
Version: 5
Approval date: 01 December 2025
Effective date: 01 December 2025
Interim review effective date: Not applicable
Full review period: 1 year
Date of next full review: 01 December 2026
EIA completion date: Not applicable
DPIA completion date: Not applicable
SIA completion date: Not applicable
Reporting requirements: Not applicable
Applicable statutory, legal or best practice requirements:
  • Disciplinary Rules and Code of Conduct
  • Data Protection Regulations
  • ISP-18 Investigation of computer use policy
  • ISP-04 Outsourcing and third party compliance policy
Keywords: best practice, computer misuse, data protection regulations, investigation of computer use policy, IT system monitoring, legal compliance, misconduct investigation, Ordinance 10, outsourcing and third party compliance policy, rules of conduct, statutory requirements

1. Updates to this policy

1.1. This policy has been updated to align with the new University of Bristol policy management framework.

2. Introduction

2.1. This policy, a sub-policy of the ISP-01 Information Security Policy, outlines the necessary processes to ensure that all staff members are adequately trained and equipped to protect the University’s information assets.

3. Scope

3.1. This policy applies to all members of the University who have been given Staff status (this includes contractors, students, interns, honorary, associate and temporary members who have a contractual agreement to work for the University).

4. Definitions

4.1. A member of the University: This is defined in the University Constitution: Ordinance 9, section 7.

4.2. Honorary and Associate Staff: Individuals who hold positions at the University without the same contractual status as full-time employees, often for specific expertise or temporary assignments.

4.3. Misconduct: Behaviour that breaches University policies or employment terms, which may result in disciplinary action, including misuse of IT resources.

4.4. Ordinance 10: A University regulation outlining rules of conduct for staff, including expectations for behaviour and disciplinary procedures.

4.5. Pre-employment screening: A process used to assess candidates’ suitability for roles involving sensitive data, through background checks and reference reviews.

4.6. Rules of conduct for members of staff: A set of standards and behavioural expectations that staff must adhere to, forming part of their employment contract.

4.7. Security vetting: A formal process used to assess candidates’ suitability for roles involving UK Government classified data, through external background checks and reference reviews.

4.8. Staff induction: The process through which new employees are introduced to the University, its policies, and their specific roles and responsibilities, including security training.

5. Responsibilities

5.1. University staff: All employees are responsible for complying with the University’s information security policies, participating in mandatory security training, and safeguarding University data and IT systems, ensuring they follow rules regarding IT access and proper conduct.

5.2. Honorary and Associate staff: Must comply with the same information security and access control policies as other employees, ensuring that data access is appropriate to their role and responsibilities within the University.

5.3. Contractors: Are responsible for adhering to the same information security protocols as staff, ensuring they protect University data and return all assets upon termination, while also undergoing the necessary security screenings as per the policy.

5.4. Interns and student hires: Must access only the information relevant to their role, with restrictions on personal data access, and comply with the University's data protection and security guidelines.

5.5. Supervisors and Line Managers: Are responsible for ensuring their teams undergo mandatory Information Security training and for ensuring that access to IT systems is removed and IT assets returned when staff leave or change roles. They are also required to support the enforcement of policy, overseeing investigation processes for any breaches within their team, and ensuring the appropriate HR processes are followed.

5.6. Human Resources: Are responsible for implementing the recruitment, termination, and screening processes, ensuring that staff records are properly managed, and triggering necessary actions for access control when an employee leaves or changes roles. They are also responsible for supporting Supervisors and Line Managers through the disciplinary and misconduct processes.

5.7. IT Services: Are responsible for managing and securing the University's IT infrastructure, implementing monitoring and account management procedures, and supporting investigations into suspected misuse of IT systems, ensuring compliance with Information Security policies.

5.8. Legal Services and Secretariat: Are responsible for authorising the investigation of potential breaches of University policy and legislation, and ensuring that disciplinary actions align with legal standards and University policies in the case of misconduct.

5.9. Students: While students are not directly employed, they must comply with information security policies when accessing University systems, ensuring that their usage does not compromise data protection or the integrity of IT systems.

6. Recruitment, references and screening

6.1. For roles involving handling of data classified as confidential or above, Human Resources may use a pre-employment or change of role screening process to help ensure that employees selected are suited to the requirements of the job.

6.2. Further guidance on pre-employment checks can be found at http://www.bristol.ac.uk/hr/resourcing/practicalguidance/appointment/checks.html

7. Employment contract terms

7.1. Employees are required to sign a contract binding them to comply with the Rules of Conduct for Members of Staff (Disciplinary Rules and Code of Conduct (PDF, 88kB)) and the Terms and conditions of employment.

7.2. An example of behaviour that may constitute gross misconduct as outlined in Disciplinary Rules and Code of Conduct, is: "Unauthorised use or disclosure of confidential information or failure to ensure that confidential information in your possession is kept secure."

7.3. It is a stipulation of the Terms and Conditions of Employment that members of staff are expected to: “Comply with all of the University's employee rules, regulations, statutes, ordinances, procedures, policies and codes of practice (including but not limited to those relating to health and safety, the use of computers and data protection).”

8. Information security education and training

8.1. The University is committed to providing staff with sufficient training to ensure that they are able to fulfil their specific information security responsibilities. The University’s information security training programme is mandatory for all staff and can be accessed from the University's learning management system. This training must form part of staff induction and must be taken by all staff on an annual basis thereafter.

8.2. The University reserves the right to restrict an individual’s access to University resources until the mandatory training has been completed.

8.3. Information system users will be provided with instructions and training to ensure they do not compromise security through lack of awareness or skill.

9. Employee termination, suspension or change of appointment

9.1. Upon termination, suspension or change of appointment, Human Resources will revise the staff records system accordingly. This will trigger the associated account management processes on centrally managed IT systems. For IT systems where access is not centrally managed, it is the line manager's responsibility to ensure that access to those systems is removed at the same time.
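The gap that 9.1 leaves open is the locally managed system whose access is not removed when the HR record changes. The following is an added illustration, not University code and not a description of any system the University runs: a reconciliation check that a line manager or IT Services could run over an HR leaver export and the enabled-account exports of both central and locally managed systems, listing every enabled account whose owner has left or been suspended, and every enabled account with no HR record at all. The record layout, system names, staff IDs and dates are hypothetical, and the sample data is constructed for the example.

```python
"""Leaver reconciliation check (added example; hypothetical data formats).

Assumptions (not from the policy): HR exports one record per member of staff
with status 'active', 'suspended' or 'left' and the date of leaving or
suspension; every IT system, central or local, can export its accounts keyed
by the same staff ID. A leaving date in the future (notice period) is not yet
due for removal; a missing leaving date on a 'left' record is treated as due.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    staff_id: str
    status: str               # 'active' | 'suspended' | 'left'
    end_date: Optional[date]  # date of leaving/suspension; None while active


@dataclass(frozen=True)
class Account:
    system: str
    staff_id: str
    enabled: bool


# Constructed sample data: one HR export and accounts from three systems.
AS_OF = date(2025, 12, 1)

HR_RECORDS = [
    HrRecord("ab12345", "active", None),
    HrRecord("cd23456", "left", date(2025, 11, 14)),
    HrRecord("ef34567", "suspended", date(2025, 11, 28)),
    HrRecord("gh45678", "left", date(2025, 12, 19)),   # still in notice period
    HrRecord("ij56789", "left", date(2025, 10, 31)),
]

ACCOUNTS = [
    Account("central-idp", "ab12345", True),
    Account("central-idp", "cd23456", False),      # central process disabled it
    Account("lab-fileserver", "cd23456", True),    # local system, missed
    Account("central-idp", "ef34567", True),       # suspended, still enabled
    Account("central-idp", "gh45678", True),       # leaves in future, fine
    Account("research-vm-host", "zz99999", True),  # no HR record at all
    Account("research-vm-host", "ij56789", True),  # left weeks ago
]

Finding = Tuple[str, str, str]  # (system, staff_id, reason)


def accounts_needing_removal(hr_records: List[HrRecord],
                             accounts: List[Account],
                             today: date) -> List[Finding]:
    """Return every enabled account that 9.1 says should already be gone."""
    by_id = {r.staff_id: r for r in hr_records}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already removed; nothing to report
        rec = by_id.get(acct.staff_id)
        if rec is None:
            # An account with no owner in HR is orphaned and cannot be
            # deprovisioned by any HR-triggered process.
            findings.append((acct.system, acct.staff_id, "no HR record"))
        elif rec.status == "left" and (rec.end_date is None or rec.end_date <= today):
            when = rec.end_date.isoformat() if rec.end_date else "date not recorded"
            findings.append((acct.system, acct.staff_id, f"left on {when}"))
        elif rec.status == "suspended":
            when = rec.end_date.isoformat() if rec.end_date else "date not recorded"
            findings.append((acct.system, acct.staff_id, f"suspended since {when}"))
    return sorted(findings)


def run_sample() -> List[Finding]:
    """Run the check over the constructed sample as of AS_OF."""
    return accounts_needing_removal(HR_RECORDS, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for system, staff_id, reason in run_sample():
        print(f"{system:18} {staff_id}  {reason}")
```

Run regularly (for example after each HR export) the check gives the line manager a list per locally managed system rather than relying on memory at the point of departure, and the "no HR record" case catches accounts created outside the staff records process, which no HR-triggered removal will ever reach.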

9.2. Upon termination, all employees, contractors and third parties must return all University owned information assets and equipment.

9.3. It is stated in the general terms and conditions of employment that:

  • "10.1 Any property of the University shall remain the property of the University (except for intellectual property belonging to a member of staff under clause 11) and shall be handed over by staff to the University on demand and in any event on the termination of employment".

9.4. The full list of terms and conditions can be read at: General terms and conditions of employment for all staff.

10. IT usage monitoring and access

10.1. The University's Legal Services and Secretariat may authorise legally compliant monitoring of its IT systems for legitimate University purposes. The policy relating to how the University may monitor use of its IT systems is outlined in the ISP-18 Investigation of computer use policy.

11. Suspected misconduct

11.1. Where there are reasonable grounds for suspected misuse of IT facilities, as identified in the ISP-18 Investigation of computer use policy, the University's Legal Services and Secretariat may authorise the account concerned to be suspended and/or investigated by IT Services.

11.2. Employees who, after an investigation, have been found to have breached University Policy or their contract for employment, may be subject to disciplinary action under the Conduct Framework in Ordinance 10: Employment (PDF, 298kB).

11.3. Unless the police are involved from the outset, when different procedures may apply, Human Resources and IT Services will coordinate the investigation of any suspected improper use of University IT facilities. Any resultant disciplinary action will be taken in accordance with Ordinance 10: Employment (PDF, 298kB).

12. Interns and student hires

12.1. If you are employing a University of Bristol undergraduate or taught postgraduate student, consideration must be given to the information they are able to access. Access levels must be appropriate based on the role they are performing. Access to the personal data of other University students and staff is not acceptable.

13. Honorary and associate staff

13.1. If you are sponsoring honorary or associate staff, consideration must be given to the data they are able to access. Access levels must be appropriate based on the capacity in which they are working with the University.

14. Third party compliance

14.1. Guidance on the engagement with third parties is outlined in the ISP-04 Outsourcing and third party compliance policy.

15. Further guidance

15.1. You can read more guidance using the links below.

Request this policy in an alternative format

If you need this policy in a different format, email uob-policymanager@bristol.ac.uk. In your message, include the format you need, for example: plain text, braille, BSL, large print or audio.