ISP-18 Investigation of computer use policy

This is a sub-policy of the ISP-01 Information security policy.

Summary

This policy outlines the circumstances under which the University may monitor and access the IT accounts, communications, and data of its members. It ensures that monitoring is done lawfully and with appropriate authorisation to maintain data security, comply with regulations, and investigate misuse. This policy balances privacy with the need to protect University assets and ensure compliance with legal and regulatory obligations.

Control information

Owner: Chief Information Security Officer, IT Services
Author: Information Security Manager, IT Services
Sponsor: Chief Information Security Officer, IT Services
Consulted: Associate Director of People; Information Governance Manager and Data Protection Officer; Information Governance and Security Advisory Board (IGSAB)
Approved by: Information Governance and Security Advisory Board (IGSAB)
Responsible area: University Executive Board
Version: 5
Approval date: 14 October 2025
Effective date: 14 October 2025
Interim review effective date: Not applicable
Full review period: 1 year
Date of next full review: 30 September 2026
EIA completion date: Not applicable
DPIA completion date: Not applicable
SIA completion date: Not applicable
Reporting requirements: Network security incidents must be reported to the Information Security Manager or via cert@bristol.ac.uk. Investigation requests should be submitted to Legal Services and Secretariat with relevant details.
Applicable statutory, legal or best practice requirements: The policy complies with UK legislation, including the Regulation of Investigatory Powers Act 2000 (RIPA), the Investigatory Powers Act 2016, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, the Human Rights Act 1998, and the UK Data Protection regime.
Keywords: communications interception, compliance, data protection, Human Rights Act, Investigatory Powers Act, IT systems, lawful monitoring, privacy, Regulation of Investigatory Powers Act, Telecommunications (Lawful Business Practice) Regulations

1. Updates to this policy

1.1. This policy has been updated to align to the new University of Bristol policy management framework.

2. Introduction

2.1. This Investigation of computer use policy is a sub-policy of the ISP-01 Information security policy and outlines the circumstances in which it is permissible for the University to monitor and access the IT accounts, communications and other data of its members.

2.2. The University respects the privacy and academic freedom of its staff and students and recognises that investigating the use of IT may be perceived as an invasion of privacy. However, the University may carry out lawful monitoring of its IT systems when there is sufficient justification to do so and when the monitoring has been authorised at an appropriately senior level, as defined in the ‘Authority’ section of this policy.

2.3. Staff, students and other members should be aware that the University may access records of use of email, telephone and other electronic communications, whether stored or in transit. This is in order to comply with applicable laws and regulations, to ensure appropriate operation and use of the University’s IT systems and to ensure compliance with other University policies. Routine monitoring to ensure the security and effective operation of University IT systems occurs at all times; more targeted monitoring and access to records and logs may also occur. All access and monitoring will comply with UK legislation including the Regulation of Investigatory Powers Act 2000 (RIPA), the Investigatory Powers Act 2016, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBP), the Human Rights Act 1998 (HRA) and the UK Data Protection regime.

3. Scope

3.1. Members of the University (as defined in University Constitution: Ordinance 9, section 7), together with any others who have been granted permission to use the University-provided information and communication technology facilities, are subject to this policy.

3.2. Exceptions to this policy may include communications carried out on, or data housed in, areas of the University network that are exempted for contractual or legal compliance reasons, for example autonomous networks obtained specifically for such purposes under an agreement with IT Services and Legal Services and Secretariat.

4. Definitions

4.1. A member of the University: This is defined in University Constitution: Ordinance 9, section 7.

4.2. Covert monitoring: Monitoring that is carried out without the knowledge of the subject, typically for investigative purposes, authorised in exceptional circumstances.

4.3. Penetration testing: An authorised, simulated attack against a system, carried out to identify vulnerabilities so that they can be addressed before a real attacker exploits them.

4.4. Subject Access Request: A request made by an individual to access the personal data held about them, exercised under the UK Data Protection regime (the UK GDPR and the Data Protection Act 2018).

4.5. Vulnerability scanning: The automated process of examining a network or system for known weaknesses, such as missing patches or insecure configurations, so that they can be remediated before they lead to a breach.

4.6. Warrant: A legal document that authorises law enforcement to access communications or data for specific investigative purposes.

5. Responsibilities

5.1. University Members: Must ensure they understand and comply with information security policies, use University systems in accordance with the Acceptable use policy and legislation, and report any security incidents or breaches promptly. University Members have the right to raise a formal request for investigation under this policy. They should also be aware of the University's right to monitor usage as required for compliance and investigation.

5.2. Legal Services and Secretariat: Are responsible for providing authority to initiate any investigation into IT accounts, communications or other data pertaining to University members. They must also ensure that any monitoring or investigation complies with legal requirements and regulations.

5.3. IT Services: When an investigation involves the IT accounts, communications, and data of University members, IT Services are responsible for investigating and gathering data upon receiving authorisation and defined parameters from Legal Services and Secretariat. IT Services are also responsible for monitoring and maintaining logs of IT system usage for security and compliance purposes.

5.4. Third Party Providers: May monitor and maintain logs of system usage for the services they provide, which IT Services may use for the purpose of investigation.

6. Authority

6.1. Decisions to access the IT accounts, communications or other data of members will not be taken by IT Services, nor by any member of the faculty or division of the individual to be investigated; this separation ensures that such requests are free of bias and are not malicious. Decisions to undertake such investigations will therefore be made by the General Counsel, or the Information Compliance Manager, or an appropriate nominee of either position, who will also determine the most appropriate approach.

7. The University's powers to access communications

7.1. Authorised University staff may access files and communications, including but not limited to email, stored on any IT facilities owned, managed or provided by the University and may examine the content of these files and any relevant traffic data.

7.2. The University may monitor use of IT facilities, access files and communications for the following reasons:

  1. To ensure the confidentiality, integrity and availability of its data (for example the University may take measures to protect systems from, and actively monitor for, viruses and other threats to information security).

  2. To establish the existence of facts relevant to the business of the institution when it has been appropriately authorised, for the purpose of an investigation carried out under any relevant University policy or Ordinance.

  3. To investigate or detect unauthorised use of its systems.

  4. To investigate or detect unacceptable use of its systems as defined by the ISP-09 Acceptable use policy.

  5. To ascertain compliance with regulatory or self-regulatory practices or procedures relevant to the University's business.

  6. To gain access to communications relevant to the business of the University (for example, checking email accounts when staff are absent, on holiday or on sick leave).

  7. To comply with subject access requests under the Data Protection legislation or information requests under the Freedom of Information Act 2000 (individuals would under normal circumstances be notified).

  8. Or for any other reason to ascertain compliance with regulatory or self-regulatory practices or procedures relevant to the University's business when appropriately authorised.

8. The powers of law enforcement authorities to access communications

8.1. A number of non-University bodies and persons may be allowed access to user communications under certain circumstances. Where the University is compelled to provide access to communications by virtue of a Court Order or other competent authority, the University will disclose information to these non-institutional bodies or persons when required, and in response to legitimate requests, as allowed under the UK data protection regime.

8.2. For example, under the Regulation of Investigatory Powers Act 2000 and Investigatory Powers Act 2016 or other relevant legislation, a warrant may be obtained by a number of law enforcement bodies for the purposes of ensuring national security, the prevention and detection of serious crime or the safeguarding of the economic well-being of the UK.

9. Other third parties

9.1. The University makes use of third parties in delivering some of its IT services. These third parties may intercept communications for the purpose of ensuring the security and effective operation of their service. For example, a third party which provides email services to the University may scan incoming and outgoing email for viruses and spam.

9.2. Information on our current email provider for staff, Microsoft, can be found on Microsoft's website.

9.3. The University may also make use of third party services to ensure the security of its information and IT assets. For example, this may include monitoring of University network traffic and device activity, vulnerability scanning, or penetration testing being carried out by a third party on behalf of the University.

10. Covert monitoring

10.1. Covert monitoring of computer use will only be authorised in exceptional circumstances where there is reason to suspect criminal activity or a serious breach of University regulations, and where notification of the monitoring would be likely to prejudice the prevention or detection of that activity. The period and scope of the monitoring will be as narrow as is necessary to investigate the alleged offence, and the monitoring will cease as soon as the investigation is complete.

11. Procedure

11.1. Requests for investigation under this policy may be made by any member of the University, although typically the request will come from a head of department, school or division. Occasionally requests are made from outside the University, for example by the police. The request should be made to the University's Legal Services and Secretariat, who will liaise with the appropriate teams, which may include Human Resources and Student Services, depending on the subject of the investigation.

11.2. The request should include the following information:

  1. the name and department of the student or staff member whose computer or computing activity you wish to be investigated;

  2. the reasons for the request;

  3. where computer misuse is alleged, the evidence on which this is based;

  4. the nature of the information sought;

  5. how the requested information will be used;

  6. any other relevant information, for example, that the request relates to ongoing disciplinary or grievance procedure.

11.3. In order to monitor the number and type of requests made, the University's Legal Services and Secretariat will keep a record of the requests that have been made and those which were acceded to.

Request this policy in an alternative format

If you need this policy in a different format, email uob-policymanager@bristol.ac.uk. In your message, include the format you need, for example: plain text, braille, BSL, large print or audio.
