Information Technology Use Policy

Responsibility: President 
Authorization: Board of Governors
Approval Date: Mar 19, 2019

The University of Saskatchewan’s information technology (IT) services and infrastructure support the broad range of academic, research and administrative activities. The purpose of this policy is to ensure that these critical services remain available and reliable, and that each user understands and abides by this policy to ensure that the services are used for purposes appropriate to the University's mission.

The university mission, vision, and values inspire all of the principles and responsibilities in this policy. The policy was also developed with the following additional principles in mind:

• Critical Infrastructure. The university’s IT services and infrastructure are critical to the university’s academic, research, and administrative activities. A robust set of IT services and infrastructure is necessary for conducting and administering the operations of the University.
  
  
• Access and Privacy. A user's reasonable expectation of privacy within the university must be balanced with the legal rights and obligations of the university.
  
  
• Service Ownership. The university will choose over time which IT services and infrastructure to provide based on a variety of evolving needs. The services offered and how they are delivered (such as hosted on campus or outsourced to vendors) may change over time at the university’s discretion.
  
  
• Data Management. Protecting the university’s data is a responsibility shared by all members of the university community. The university’s data classifications (restricted, limited, internal, public) need to be considered when determining which IT services and infrastructure to use when storing and transmitting university data as there may be privacy, security, contractual, and regulatory compliance implications.
  
  
• IT Risk Management. The university uses a risk-based approach, and follows IT best practices, to select appropriate security controls to minimize risk to an acceptable level, and to design security and privacy into our IT services and infrastructure.

This policy is applicable to all university community members, any affiliated organizations, and members of the public that make use of university IT services and infrastructure. For definitions, see the Appendix.

This policy applies to all university IT services and infrastructure regardless of:

• How the they are provided (hosted on campus or through vendor services).
• Where they originate or where they are being accessed from (on campus or off campus).
• The type of device used to access them (i.e. desktop, mobile).
• The ownership of the end-point device (university-owned or personally-owned devices).

The policy has been developed in the context of, and is designed to complement:

• Existing university policies, particularly those governing use of university property and services; IT communications; data management, information technology security; privacy; risk management; discrimination and harassment prevention; records management; responsible conduct of research; disciplinary procedures; copyright and intellectual property.
• Legislation such as provincial Local Authority Freedom of Information and Protection of Privacy Act (LAFOIP), provincial Health Information Protection Act (HIPA), and federal Canada’s Anti-Spam Legislation (CASL).
• Legal contracts and agreements with external sponsors, granting agencies, and others.
• Collective agreements.

The university provides information technology (IT) services and infrastructure for use by members of the university community in support of their university duties. The role(s) and affiliation(s) of an individual (such as student, faculty, staff, alumni, etc.) determines which university IT services and infrastructure they can access and their associated responsibilities for use of those services and infrastructure. A change in role or affiliation may change which services are available. Some IT services and infrastructure are available for use by members of the public. Everyone who uses university IT services and infrastructure must comply with this policy.

Access to the university’s IT services and infrastructure is primarily authorized and provided through an account issued to each individual. Accounts and authorization are not transferable. The person to whom authorization is granted is responsible for all use of that account and is expected to take reasonable steps to ensure the security of the account. Public access to IT services and infrastructure typically does not require an account.

University IT services and infrastructure may be used for incidental personal use. Personal use must not compromise the business of the university, increase the university's costs, or expose the University to additional risk. It must not damage the university's reputation or support an activity that is done for personal profit.

The use of IT services and infrastructure may be monitored. This may include, but is not limited to, gathering data for diagnosing service problems, capacity planning, service enhancement planning, and investigating violations of this policy, other policies, regulations, or laws.

A user’s reasonable expectation of privacy when using university IT services must be balanced with the university’s legal rights and obligations to examine systems or electronic records if there is reason to suspect violation of this policy, other university policies, or of other regulations and laws.

• Access to electronic records may be requested under LAFOIP, or by court order. If a request or order is received, all existing records are included. This includes records that may have been deleted by the user but have not yet been deleted from back-up systems.
• Access to electronic records may be required to recover evidence while investigating matters concerning appropriate use or managing actual or potential criminal or civil litigation in which the university is or may become a party.
• Access to electronic records may also be required for exigent business continuity purposes due to the absence of an employee for reasons such as leaves, terminations, or attrition.
• Wherever practicable, users will be notified promptly when their IT services records have been accessed.

To help protect their personal information from inadvertent access, disclosure, or destruction, users are encouraged to store records containing personal information separately from university data and to back those records up on a regular basis.

Everyone who uses university IT services and infrastructure has responsibilities related to their use. Some responsibilities specific to roles are outlined below. In situations needing clarity, matters may be escalated to the appropriate data trustee as identified in the university’s Data Governance Framework.

Members of the public must:

• Use university IT services and infrastructure in a responsible manner and only for the purpose for which use has been authorized. Resources are not to be wasted nor used in such a way as to deny or restrict access to others.
• Behave in a manner that ensures the safety of others in the area around the IT services and infrastructure they are using. Legally available material on the internet may not be appropriate for display in a public place and users may be required to cease displaying.
• Respect the policies of external services, networks, and sites that they access using university resources.

University community members must:

• Comply with all applicable laws, university policies, regulations and guidelines regarding use of university IT services and infrastructure.
• Access IT services and infrastructure using their individual, password protected account.
• Protect their account by keeping their password secret and only granting access to others though delegated access permissions.
• Protect the university data that they access and use.
• Use university IT services and infrastructure in a responsible manner and only for the purpose for which use has been authorized. Resources are not to be wasted nor used in such a way as to deny or restrict access to others.
• Behave in a manner that ensures the safety of others in the area around the IT services and infrastructure they are using. Legally available material on the internet may not be appropriate for display in a public place and users may be required to cease displaying material.
• Respect the policies of external services, networks, and sites that they access using university resources.

University service providers must:

• Authorize who can access and use the IT services and infrastructure that they provide or maintain.
• Take reasonable steps to ensure that those who use the IT services and infrastructure that they provide or maintain are aware of applicable policies and abide by them.
• Ensure that institutional standards for security, data backup, user authentication, and access control are applied for the IT services and infrastructure that they provide or maintain.
• Support access to records for investigations or when requested under LAFOIP, under court order, or for exigent business continuity reasons (following due process).

Information and Communications Technology (ICT) is responsible for:

• Ensuring the availability, confidentiality, and integrity of university IT services and infrastructure.
• Implementing institutional standards for security, user authentication, and access control.
• Establishing disaster recovery mechanisms and related back up procedures that are effective for university IT services and infrastructure.
• Monitoring services in support of operations including, but not limited to, gathering data for diagnosing service problems, capacity planning, service enhancement planning, and investigating violations of this policy, other policies, regulations, or laws.
• Providing access to records requested under LAFOIP, under court order, or for exigent business continuity reasons (following due process).
• Implementing appropriate processes and technology to scan for and deal with viruses, spam, phishing, and other security risks.

The university reserves the right to block access to or use of any IT services and infrastructure that could compromise the university network and any systems connected to it.

The University of Saskatchewan expects that its faculty, staff, students, post-doctoral students, visitors, contractors and agents will comply with this policy. Should there be reason to suspect that laws or university policies have been or are being violated, and the university may suffer reputational, financial or other harm as a result of non-compliance, this may constitute grounds for disciplinary or legal action in accordance with any applicable agreements, contracts, collective agreements, regulations or policies, legislation or common law principles.

Access to IT services and infrastructure may be withheld or withdrawn with cause.

• Data Governance Framework
• Data Management Policy
• Information Technology Security Policy
• IT Communications Policy
• Mission, Vision and Values of the University Saskatchewan

*This policy replaces the Computer Use Policy that was approved February 1, 1995 with amendments dated June 23, 2006.

Appendix

Appendix: Definitions

• Account – An account typically consists of a username—called the Network Services Identifier (NSID)—and a password. This single digital identifier helps to provide a seamless transition between university IT services. The account provides role-based access to university computer and network services. The university sometimes provides access to other types of accounts through a corporate contract or other arrangements.
• Affiliated organization – In the context of this policy, an affiliated organization is one that the university interacts with regularly and, either formally or informally, is authorized to use university IT services (e.g. student unions, labour unions, retirees association, etc.).
• Affiliation – Broad categories that define the different types of relationships that an individual may have with the university (e.g. faculty, staff, student, alumni, etc.). An individual may have more than one affiliation.
• End-point devices – Network-capable devices such as desktops, laptops, tablets, phones, printers, multimedia equipment, etc. that are used to access university IT services and infrastructure and/or university data.
• IT infrastructure – IT assets including, but not limited to, servers, databases, data, software, end-point devices, the university network, internet connections, central authentication, the telephone system, and data centres, whether provided directly by ICT or contracted.
• IT outsourcing - The use of external service providers to deliver IT-enabled business process, application service and infrastructure solutions. Outsourcing can include, but is not limited to, utility services, software as a service and cloud-enabled outsourcing.
• IT services –Technology-based services managed or hosted by a university community member or the university, or contracted by the university from vendors/contractors.
• Public – Individuals that are not members of the university community.   

• Record – Recorded information in any media or format that is created or received, and retained in the operations of an organization or person as evidence of functions, policies, decisions and other activities of that organization or person. Records include, but are not limited to, documents (e.g. letters, memoranda, email, contracts, invoices, reports, minutes, publications); images (e.g. photographs, maps, drawings); audio and video recordings; and compiled, recorded or stored data (e.g. directories, files, audit trails, or usage logs).

• University-owned – Assets purchased by university funds including research grants administered by the university or acquired by the university through some contractual agreement.
• University community – All students, employees, faculty, postdoctoral fellows, alumni, retirees, agents, contractors, authorized guests, persons or organizations acting for or on behalf of the university.

• University data – Data that is created, collected and stored (either electronically or in hard copy) by units and members of the university community, in support of the university’s academic, research, and administrative activities.

• University IT Services – IT services that the university provides in-house or that the university has arranged from a vendor under a contract. These services may be located on or off premise but the university is always responsible for the security and privacy of information in its control, regardless of the choice of vendors or location of vendor services.
• University service providers – University service units, colleges, and departments/units that provide or maintain IT services and infrastructure for use primarily by members, or a sub-set of members, of the university community to support their university duties.