ISP-09 Acceptable use policy
This is a sub-policy of the ISP-01 Information security policy.
Summary
This policy sets out the expected behaviours and responsibilities for using the University’s information systems, networks, and computers. It ensures that those who have been granted access to these resources use them responsibly, protecting against misuse, security risks, and legal violations. The policy promotes the secure use of digital services while outlining the consequences of unacceptable activities, helping maintain a safe, secure and efficient working environment.
| Control information | Control detail |
|---|---|
| Owner | Chief Information Security Officer, IT Services |
| Author | Information Security Manager, IT Services |
| Sponsor | Chief Information Security Officer, IT Services |
| Consulted | Associate Director of People, Information Governance Manager and Data Protection Officer, Information Governance and Security Advisory Board (IGSAB) |
| Approved by | Information Governance and Security Advisory Board (IGSAB) |
| Responsible area | IT Services |
| Version | 4 |
| Approval date | 27 June 2025 |
| Effective date | 27 June 2025 |
| Interim review effective date | 30 July 2025 |
| Full review period | 1 year |
| Date of next full review | 31 May 2026 |
| EIA completion date | Not applicable |
| DPIA completion date | Not applicable |
| SIA completion date | Not applicable |
| Reporting requirements | In cases involving potential legal violations, the matter may be reported to law enforcement through the University’s Legal Services. |
| Applicable statutory, legal or best practice requirements | |
| Keywords | acceptable use, authentication methods, Computer Misuse Act 1990, data protection, email accounts, information systems, Janet security policies, legal compliance, Multi-Factor Authentication (MFA), network security, personal use, prevent duty, reporting breaches, software licensing, university facilities, unacceptable use |
1. Updates to this policy
1.1. Following an interim review in July 2025, the following updates were made:
- User identification and authentication (section 6.2): Additional content added for when an account could be compromised.
- Unacceptable use (section 12.3, f): Updated to include both directions of remote access.
- Unacceptable use (section 12.5): Responsibility to report policy breaches expanded to include breaches involving personal data.
- Minor context clarifications.
1.2. This policy has been updated to align to the new University of Bristol policy management framework.
2. Introduction
2.1. This Acceptable use policy is a sub-policy of the ISP-01 Information security policy and sets out the responsibilities and required behaviour of users of the University’s information systems, networks and computers.
2.2. The policy is designed to establish clear guidelines for the appropriate use of the University’s information systems, networks, and computing resources. It outlines the responsibilities of users to ensure these resources are used securely, responsibly, and in compliance with relevant laws and regulations. The policy supports the University’s commitment to protecting its digital infrastructure, maintaining data security, and adhering to legal requirements such as the Computer Misuse Act 1990 and the Prevent Duty under the Counter Terrorism and Security Act 2015.
3. Scope
3.1. All members of the University (as defined in the University Constitution: Ordinance 9, section 7), together with any others who may have been granted permission to use the University provided information and communication technology facilities, are subject to this policy.
4. Definitions
4.1. A member of the University: This is defined in the University's Constitution: Ordinance 9, section 7.
4.2. Anonymised data: Data that has been stripped of any identifiable information, making it impossible to trace back to an individual.
4.3. Information security policies: Rules and guidelines set to ensure the confidentiality, integrity, and availability of the University’s information assets.
4.4. Janet acceptable use policy: A set of standards governing the use of the Janet network, which the University must follow for network security and usage.
4.5. Multi-Factor Authentication (MFA): A security process that requires users to provide two or more verification factors - something they know (password) and something they have (code, token, or biometric) - to access systems.
4.6. Prevent duty: A legal requirement for educational institutions to take measures to prevent people from being drawn into terrorism.
4.7. Pseudonymised data: Data where identifying information is replaced with artificial identifiers to protect privacy while maintaining usability for analysis.
4.8. Remote access: The ability to connect to University systems from outside the University network or vice versa.
4.9. Role-based email: Email addresses assigned to specific roles or functions within the University, rather than to individuals.
4.10. Software licensing agreements: Legal contracts with suppliers of software, outlining compliant use of their products.
4.11. UserID: A unique identifier assigned to each user when their account is created, which must not be reused or recycled (except for guest accounts).
5. Responsibilities
5.1. University Members: Must ensure they understand and comply with information security policies, in particular for the acceptable and unacceptable use of the University’s information and communication technology facilities. They must ensure that their actions do not compromise the security of these facilities, or breach legislation and University policy. Members should report any breach or suspected breach of policy to IT Services.
5.2. IT Services: Are responsible for maintaining security standards and implementing technical safeguards, managing user accounts and authentication systems, and providing guidance on the secure use of IT facilities. They also assist in the onboarding of third party services and respond to suspected breaches and incidents.
5.3. Supervisors and Line Management: Must ensure that members under their supervision comply with this policy and report any breaches of policy or legislation to IT Services or Legal Services and Secretariat. They are also required to support the enforcement of policy, overseeing investigation processes for any breaches within their team, and ensuring the appropriate HR processes are followed.
5.4. Research Ethics Committees: Review and grant permissions for accessing or distributing materials that may be restricted due to their nature, ensuring compliance with legal and ethical guidelines.
6. User identification and authentication
6.1. Each member will be assigned a unique identifier (userID) for their individual use. This userID may not be used by anyone other than the individual user to whom it has been issued.
6.2. Each member will be assigned an associated account password which must not be divulged to anyone, including IT Services staff, for any reason. This University password must not be used as the password for any other services, including for University accounts providing privileged access (such as administrative accounts for finance or HR systems), or any external services (for example social media sites). Individual members are expected to remember their password and to change it if there is any suspicion that it may have been compromised. Where IT Services suspect or discover that a password has been disclosed (intentionally or otherwise) the account will be treated as compromised.
6.3. If University members suspect that the credentials of another member or their own credentials have been compromised, this must be reported to the IT Service Desk.
6.4. University members will be asked to set up Multi-Factor Authentication (MFA) as a requirement to authenticate to University systems.
6.5. In addition to a password, authentication methods may include use of an authentication app on a mobile phone or another device, such as a USB security key, or a one-time code sent to a phone. Similar to passwords, Multi-Factor Authentication (MFA) tokens, such as one-time passcodes and number matches must not be divulged to anyone, including IT Services staff, for any reason.
6.6. Information given to the University for MFA will be stored securely and only used for authentication purposes. It will be stored by the University or a contracted IT service provider and will not be provided to any third party without the user’s written consent unless the University is required to do so by law.
6.7. All administrative or highly privileged accounts must have Multi-Factor Authentication enabled where available.
7. Use of email accounts
7.1. Each member will also be assigned a unique email address for their individual use and some members may also be given authorisation to use one or more generic (role based) email addresses. Members must not use the University email address assigned to anyone else without their explicit permission via the appropriate mailbox delegation process.
7.2. Email addresses are University owned assets and any use of these email addresses is subject to University policies.
7.3. Members of staff and research postgraduates should not use a personal (non-University provided) email account to conduct University business and should maintain a separate, personal email account for personal email correspondence.
7.4. University members must not configure their University email account to automatically forward incoming mail to third party services with which the University has no formal agreement.
7.5. Where University members are permitted to use non-University supported email clients, these must not synchronise University email data with cloud services with which the University has no formal agreement, for example backing up University email with personal iCloud storage.
8. Personal use of facilities
8.1. University information and communication facilities, including University networks, email addresses and computers, are provided for academic and administrative purposes related to work or study at the University. Very occasional personal use is permitted but only so long as:
- it does not interfere with the member of staff’s work nor the student’s study
- it does not contravene any University policies
- it is not excessive in its use of resources
- it does not undermine the University's security.
8.2. University facilities should not be used for the storage of data unrelated to membership of the University. In particular, University facilities should not be used to store copies of personal photographs, music collections or personal emails.
8.3. The use of University facilities to mine, harvest or farm cryptocurrency for non-research purposes is specifically prohibited. Any research driven activity must be approved by the appropriate Head of School in writing.
8.4. All use of University information and communication facilities, including any personal use, is subject to University policies, including the ISP-18 Investigation of computer use policy.
9. Connecting devices to university networks
9.1. In order to reduce risks of malware infection and propagation, risks of network disruption and to ensure compliance with the Janet Acceptable Use and Security policies, it is not permitted to connect personally owned equipment to any network socket which has not been provided specifically for the purpose. It is permissible to connect personally owned equipment to the University’s wireless networks.
9.2. Any device connected to a University network must be managed in accordance with Information Security Policy. Devices that do not comply with IT Services’ standards for effective management are liable to physical or logical disconnection from the network without notice.
10. Use of services provided by third parties
10.1. Wherever possible, members should only use services provided or endorsed by the University for conducting University business. The University recognises, however, that there are occasions when the services offered by the University are unable to meet the legitimate business requirements of its members. On these occasions, members must liaise with IT Services to identify and onboard third party solutions.
10.2. Further information is available in the ISP-07 Information handling policy and the ISP-04 Outsourcing and third party compliance policy.
11. Unattended equipment
11.1. Computers and other equipment used to access University data and facilities must be screen-locked before being left unattended to prevent unauthorised access to data.
11.2. Particular care should be taken to ensure the physical security of University supplied equipment when in transit. For more guidance on travel and University equipment read the ISP-14 Mobile and remote working policy.
12. Unacceptable use
12.1. In addition to the prior examples, the following are also unacceptable uses of University facilities. These restrictions are consistent with the Janet acceptable use policy (by which the University is bound) and the law.
12.2. Any illegal activity, for example:
- Any activity proscribed by the Computer Misuse Act 1990 or Communications Act 2003.
- Creating, storing or transmitting any material that infringes copyright.
- Creating, accessing, storing or transmitting defamatory material, obscene material, indecent material, extreme pornographic material, and prohibited images of children. In the unlikely event that there is a genuine academic need to access such material, the University must be made aware of this in advance and prior permission to access must be obtained in writing from the Chief Digital Information Officer.
- Sending unsolicited and unauthorised bulk email (spam).
- Creating, accessing, storing, relaying or transmitting any material with such intent to radicalise themselves or others (having regard to the University’s Prevent Duty under s.26 Counter Terrorism and Security Act 2015 to have due regard to the need to prevent people from being drawn into terrorism). Researchers who intend to access, store or distribute such material legitimately in the course of their work must seek written permission in advance from the appropriate Research Ethics Committee, who may liaise with the Legal Services and Secretariat. Once ethical approval has been granted, Information Security and the Legal Services and Secretariat should be notified of this approval.
If a member of the University community believes they may have encountered a breach of this provision, they should immediately contact the University Secretary.
- Using software that is only licensed for limited purposes for any other purpose or otherwise breaching software licensing agreements.
12.3. Any activity which breaches any University policy (see the ISP-03 Compliance policy), for example:
- Any attempt to undermine the security of the University’s facilities.
- Providing access to facilities or information to those who are not entitled to access.
- Any irresponsible or reckless handling of University data (see the ISP-07 Information handling policy).
- Any use which brings the University into disrepute.
- Any use of University facilities to bully, harass, intimidate or otherwise cause alarm or distress to others.
- Using remote access and remote control computer software that has not been approved by IT Services to remotely connect to or from University devices and networks.
- Using computers as servers unless registered with and authorised by IT Services.
- Failing to comply with a request from an authorised person to desist from any activity which has been deemed detrimental to the operation of the University’s facilities.
- Failing to comply with a request from an authorised person for you to change your password or update your MFA methods.
- Attempting to re-identify individuals from pseudonymised or anonymised data except when conducting a legitimate and approved business function.
12.4. Depending on the severity and context, some items above may constitute illegal activity.
12.5. Users have a responsibility to report any breach or suspected breach of the University’s information security policies to IT Services. Where this is suspected to involve a breach of personal data, this should also be reported to the Information Compliance Team as a data breach (see the University Secretary's Office page on data breaches and incidents).
13. Penalties for misuse
13.1. The University takes all policy breaches seriously. Incidents will be reviewed to determine the severity and appropriate course of action. This may include guidance, further investigation, or potential restrictions on individuals’ account and access privileges.
13.2. Repeated minor and all major breaches will follow a defined escalation process for a more thorough review and will be handled in accordance with the ISP-05 Human resources policy.
13.3. Relevant supervisors and leadership will be kept informed throughout the incident process where appropriate to ensure a coordinated response.
13.4. In cases where there is a potential legal violation, the matter may be reported to the appropriate law enforcement agency via the University's Legal Services and Secretariat with consideration to the jurisdiction where the breach may have occurred.
Request this policy in an alternative format
If you need this policy in a different format, email uob-policymanager@bristol.ac.uk. In your message, include the format you need, for example: plain text, braille, BSL, large print or audio.