Responsible Use of University Computing and Network Resources
1. Why doesn't the policy prohibit all personal use of university computing resources? Why doesn't the policy permit unrestricted personal use of university computing resources?
The general guiding principle behind the policy is that "cyberspace is not a separate legal jurisdiction"; that existing, generally applicable laws, rules, and policies apply equally to the use of university computing resources; and that new rules and policies are therefore necessary only in those rare instances when the use of university computing resources implicates unique new issues. In accordance with that principle, the provisions concerning personal use of university computing resources are intended to mirror existing policies and practices concerning personal use of other university resources. Thus, the policy provides that university-provided computing resources, like university-provided telephones, photocopiers, stationery, office supplies, tools, and so forth, are provided for "university-related purposes."
Use of such resources for personal commercial purposes or for personal financial or other gain is clearly improper and, under some circumstances, may be illegal. Recognizing the difficulty of drawing a bright line between other types of personal uses and "university-related" uses, the minimal costs typically associated with occasional personal use, the typically inordinate costs associated with attempting to enforce a flat prohibition, and the benefits that may accrue to the university from increased experience and familiarity of its users with available computing resources, the policy also provides that "incidental" personal use of university computing resources is, in general, permitted, just as it typically is with other types of university resources. "Incidental" uses of university computing resources are defined as uses that do not consume a significant amount of those resources, do not interfere with the performance of the user's job or other university responsibilities, are not made for personal commercial purposes or for personal financial or other gain, and are otherwise in compliance with applicable laws, rules, policies, contracts, and licenses.
Circumstances vary among different administrative units. The personal use provisions of the policy are set forth as "default" guidance. The policy expressly provides that further limits may be imposed on personal use in accordance with normal supervisory procedures. Colleges and administrative units may impose additional use restrictions on, or prohibit all personal use of, the university computing resources under their control.
2. Does the restriction on use of university computing resources for personal commercial purposes or personal financial or other gain restrict my use of the OnCampus Bulletin Board?
The OnCampus Bulletin Board is an online community supported by the university to support faculty and staff exchange of goods, services, information, and ideas. It provides forums for posting meeting notices, awards, classifieds, photos, services, and events and is limited to employee use and access. Using these facilities appropriately does not violate the policy.
3. Does the restriction on use of university computing resources for personal commercial purposes or personal financial or other gain prohibit faculty, staff and students from using such resources in connection with their consulting work?
The use of university computing resources in connection with consulting work is subject to the same requirements and limitations as is the use of any other university resources in connection with consulting work.
Technology Commercialization and Knowledge Transfer office policies must be followed and the office can be contacted for consultation, when applicable.
Faculty use of university resources, including university computing resources, is governed by Ohio Ethics Laws as well as the university Policy on Paid External Consulting, which recognizes that appropriate professional service by faculty outside the university is both part of the university's mission and is of benefit to the university as well. In accordance with the Policy on Paid External Consulting, the use of university resources in connection with consulting work, and the consulting work itself, must be approved, in advance, by the relevant department chair and dean, and arrangements must be made to compensate the university if the use of its resources will be significant. Use of university computing resources in connection with consulting that has not been approved in accordance with this procedure is prohibited.
Staff use of university resources is governed by Ohio Ethics Laws as well as the Conflict of Interest and Work Outside university policy. Staff are expected to devote their work activities primarily to university functions. They may engage in external work provided that such work does not detract from the performance of their duties and responsibilities to the university and/or create a conflict of interest with their assigned university responsibilities; such work must be approved in advance. It is expected that such external work will take place outside of the staff member's designated work time. Authorization may be granted to staff members who want to perform work outside of the university during their designated work time; staff members who wish to engage in external work which may be a conflict of interest must obtain authorization prior to starting the activity. Any such time will be charged to accrued vacation and/or leave without pay. Use of university computing resources in connection with consulting that has not been approved in accordance with this policy is prohibited.
4. Why must individual monitoring be authorized by the Chief Information Officer (CIO) or designee? How do I request authorization? When and how may a designee be appointed?
The purpose of the advance authorization provision of the policy is to make clear that authority to engage in investigatory monitoring of university computing resources is not implied or inherent in any job position, to ensure consistency in the development and application of the standards for monitoring, and to enable the university to monitor the effectiveness of the policy itself, not to require that all authorizations be made by a single person. Major administrative units within the university may request their own designees if they feel that the volume of incidents or other concerns warrant it.
To request authorization, contact Gary Clark, Associate Director of Information Risk Management, in the Office of the CIO. He serves as the university-wide CIO's designee and you can reach him at Columbus campus phone (614) 292-1508 or by e-mail at ITpolicy@osu.edu. Authorization requests can also be initiated through HR Employee and Labor Relations, Legal Affairs, and University Police, who will then seek authorization from the Associate Director of Information Risk Management.
Vice presidents, deans, and directors of schools and larger centers and administrative units may request the Chief Information Officer to designate a specified individual to handle authorization requests within their respective units. Designees should be familiar both with the technology and with general university policy and procedures. They generally should not be technical staff who would conduct or supervise any monitoring that is authorized or persons who would be responsible for the determination or imposition of any disciplinary action that may result. Designees will be expected to report to and be responsible to the OCIO's Director of Information Technology Policy and Services concerning their activities as designees.
5. Can the university review data transmission for institutional data?
To comply with various state and federal regulations and university rules and policies, and to ensure the integrity of institutional data, the university may automatically review transmitted data for patterns that may indicate the unauthorized disclosure of institutional data.
6. Does the restriction on individualized monitoring prohibit a supervisor or co-worker from accessing an employee's computer files for work-related purposes?
The policy's provisions on monitoring govern only the monitoring and investigation of actual or suspected misconduct or misuse of university computing resources, not the ordinary, everyday functioning of an office. To the extent that a computer or network server serves as the functional equivalent of a desk drawer or file cabinet, supervisors and co-workers continue to have the same access to it for normal, noninvestigatory, work-related purposes. A common example of this would be to retrieve a file or document needed while the employee who maintains the file or document is away from the office, such as when the employee is on medical leave or vacation, has left the university, etc. Obtaining such access is not considered "monitoring" for purposes of the policy and does not require the advance authorization of the Chief Information Officer or designee.
If, however, a supervisor or co-worker discovers evidence of possible misconduct or misuse while accessing university computing resources under the control of another for normal, noninvestigatory, work-related purposes, further monitoring or investigation of those computing resources for purposes of dealing with the suspected misconduct or misuse requires the advance authorization of the Chief Information Officer or designee, unless the monitoring is required by law or is necessary to respond to perceived emergency situations. Evidence discovered in the course of normal, noninvestigatory, work-related activity may be used as a basis for seeking such authorization.
It is the individual's responsibility to store and maintain personal information separately from institutional information regardless of its location (file cabinet, computer, network server, etc.).
7. Does the restriction on individual monitoring prohibit an instructor from observing and recording student class activity in an on-line Course Management System such as Carmen?
The policy's provisions on monitoring govern only the monitoring and investigation of actual or suspected misconduct or misuse of university computing resources, not the normal and intrinsic functions of the teaching and learning environment. For example, an instructor can monitor, observe, and record student participation in on-line class activities just as an instructor could monitor, observe, and record a student's activities in a classroom. Such instructor access is not considered "monitoring" for purposes of the policy and does not require authorization.
8. Does the policy prohibit "spam?"
The problem of "spam" is an extraordinarily complicated one. Few people would agree on a definition of exactly what constitutes "spam." Technical restrictions against it are therefore necessarily imprecise, as well as easily evaded. The university's legal ability to deal with that indefinable and technically insoluble problem is further complicated by the university's status as a public institution subject to the restrictions of the First Amendment and as an instrumentality of the State of Ohio subject to the "interstate commerce clause" of the U.S. Constitution. For all of these reasons, the policy does not prohibit "spam" per se unless it violates either the Ohio Anti-Spam Act or the federal CAN-SPAM law. For example, unsolicited email that has forged mail headers, that does not clearly identify the sender, or that does not provide a clear opt-out message would clearly be in violation of the federal CAN-SPAM law.
The policy prohibits the use of university computing resources for personal commercial purposes or for personal financial or other gain, and it also prohibits uses that consume an unreasonable quantity of those resources or that unreasonably interfere with the activity of other users. Most of what most people consider to be "spam" falls within either or both of these categories and thus is prohibited by the policy. In addition, "spammers" who refuse to honor a recipient's request to be removed from the "spammers'" mailing lists could be engaged in what the university considers to be harassment. Under any of these circumstances, the university may attempt to block further incoming messages from persons outside the university who engage in such activities and may restrict or terminate the computing privileges of persons inside the university who engage in such activities. In addition, the Office of the Chief Information Officer can assist members of the university community to establish individual mechanisms to filter out "spam."
9. What "additional policies" may colleges or administrative units adopt for the computing resources under their control?
The policy is intended to serve both as an "umbrella" policy and as a "threshold" policy applicable to all university computing resources. It is expected that many units will find that no further policies are necessary. Individual administrative units may supplement the policy with additional, complementary guidelines for the computing resources under their control, but they may not "lower the threshold" or override the policy. For example, a college or administrative unit may impose additional restrictions on personal use appropriate for that college/unit or address other, unit-specific issues not covered by the policy, but may not authorize the use of its computing resources for personal commercial gain or authorize individual monitoring in the absence of the required designation by the Chief Information Officer.
10. What are examples of unauthorized use of computing resources?
Examples include but are not limited to such operations as using improperly licensed software, physical modifications of university property without proper authorization, off-campus use without authorization, and use of port scanning, key logging, or packet sniffing software or devices on university networks without authorization.