Authorization and Approval
Responsibility: Associate Vice-President, Information and Communications Technology
Authorization: Board of Governors
Approval Date: Jun 26, 2018
The University of Saskatchewan’s information technology (IT) communications services support the academic and administrative activities of the University and serve as a means of official communication by and between users and the university. The purpose of this policy is to ensure that these critical services remain available and reliable, and that each user understands and abides by this policy to ensure that the services are used for purposes appropriate to the University's mission.
The university mission, vision, and values inspire all of the principles and responsibilities in this policy. It was also developed with the following principles in mind:
- Critical Infrastructure. The university’s IT communications services are critical to the university’s academic, research, and administrative activities. A robust communication infrastructure is necessary for conducting and administering the operations of the University.
- Access and Privacy. A user's reasonable expectation of privacy must be balanced with the business needs of the university.
- Service Ownership. The university will choose over time which IT communications services to provide based on a variety of evolving needs. The services offered and how they are delivered (such as hosted on campus or outsourced to vendors) will change over time at the university’s discretion.
- Data Management. Protecting the university’s data is a responsibility shared by all members of the university community. The university’s data classifications (restricted, limited, internal, public) need to be considered when determining which IT communications services to use if transmitting university data as there may be privacy and security implications.
Scope of this Policy
This policy is applicable to all university community members and any affiliated organizations that make use of university-provided IT communications services.
This policy applies to all university-related IT communications services regardless of:
- How the services are provided (hosted on campus or through vendor services).
- Where the services originate (on campus or off campus).
- Where they are being accessed from (on campus or off campus).
- The type of device used to access the services (i.e. desktop, mobile).
- The ownership of the device (university-provided or personally-owned devices).
The policy has been developed in the context of, and is designed to complement:
- Existing university policies, particularly those governing use of university property and services; computer use; data management, information technology security; privacy; risk management; records management; responsible conduct of research; disciplinary procedures; copyright and intellectual property.
- Legislation such as provincial Local Authority Freedom of Information and Protection of Privacy Act (LAFOIP), provincial Health Information Protection Act (HIPA), and federal Canada’s Anti-Spam Legislation (CASL).
- Legal contracts and agreements with external sponsors, granting agencies, and others.
- Collective agreements.
The university provides IT communications services for use by members of the university community in conjunction with their university duties. The role(s) and affiliation(s) of an individual (such as student, faculty, staff, alumni, etc.) determines which university-provided IT communications services they can access and their associated responsibilities for use of the services. A change in role or affiliation may change which services are available.
Artifacts of communications sent or received through the university-provided IT communications services, whether official or unofficial, are university records and are subject to the Management of University Records policy.
- Access to these records can be requested under LAFOIP, or by court order. If a request is received, all existing records are included. This includes records that may have been deleted by the account holder but have not yet been deleted from back-up systems.
- Access to these records may be required to recover evidence while investigating matters concerning appropriate use or managing actual or potential criminal or civil litigation in which the university is or may become a party.
- Access to these records may also be required for exigent business continuity purposes due to the absence of an employee for reasons such as leaves, terminations, or attrition.
- Wherever practicable, account holders will be notified promptly when their IT communications services records have been accessed.
University-provided IT communications services may be used for incidental personal use, but all messages stored on university-provided IT communications services are university records and therefore are subject to the above.
Personal use must not compromise the business of the university, increase the university's costs, or expose the University to additional risk. It must not damage the university's reputation or support an activity that the account holder does for personal profit.
The content of electronic messages sent using any university account and/or stored on any university server is subject to the Computer Use policy, the Data Management policy, Use of Materials Protected by Copyright policy, and the intellectual property provisions of copyright law.
Everyone in the university community has responsibilities related to IT communications services. Some of the major responsibilities specific to roles are outlined below and are detailed in the IT Communications Governance document.
University community members are responsible for the following:
- Accessing their IT communications services using only their own individual, password protected account.
- Protecting their account by keeping their password secret and only granting access to others though delegated access permissions.
- Protecting the data that they access and use. IT communications services should not be regarded as a secure medium for the communication of confidential or restricted data.
- Keeping the devices that they use to access university-provided IT communications services secure.
- Treating IT communications services in the same manner as university letterhead since it bears the identification marks of the University of Saskatchewan.
- Conducting IT communications with professionalism and courtesy.
- Understanding the role-specific responsibilities they have with respect to using IT communications services and that these responsibilities may change if their affiliation or role with the university changes.
- Managing their IT communications responsibly and retaining any communications required for records retention purposes.
- Adhering to university standards for acceptable use.
Data Trustees/Data Stewards
Data management responsibilities as outlined in the Data Management policy apply to IT communications services. These are further outlined in the IT Communications Governance document. Some of the high-level responsibilities include the following:
- The appropriate Data Trustee determines eligibility for IT communications services for their functional area, including decisions regarding aspects such as naming standards and provisioning or de-provisioning of accounts.
- The appropriate Data Steward determines appropriate access to IT communications services records when required for business continuity due to the absence of an employee for reasons such as leaves, terminations, or attrition.
- For decisions regarding unsolicited communication to the university community, people must consult the designated data trustee that has accountability for communicating to those audiences.
Information and Communications Technology
Information and Communications Technology (ICT) is responsible for the following:
- Providing and maintaining university-provided IT communications services.
- Ensuring the availability, confidentiality, and integrity of university-provided IT communications services.
- Implementing institutional standards for security, user authentication, and access control.
- Establishing disaster recovery mechanisms and related back up procedures that are effective for university IT communications services.
- Monitoring services in support of operations including, but not limited to, gathering data for diagnosing service problems, capacity planning, service enhancement planning, and investigating violations of this policy, other policies, regulations, or laws.
- Providing access to records requested under LAFOIP, under court order, or for exigent business continuity reasons (following due process).
- Implementing appropriate processes and technology to scan for and deal with viruses, spam, phishing and other security risks.
The university reserves the right to reject IT communications that could compromise the university network and any systems connected to it.
The University of Saskatchewan expects that its faculty, staff, students, post-doctoral students, alumni, visitors, contractors and agents will comply with this policy. Should there be reason to suspect that laws or university policies have been or are being violated, and the university may suffer reputational, financial or other harm as a result of non-compliance, this may constitute grounds for disciplinary or legal action in accordance with any applicable agreements, contracts, collective agreements, regulations or policies, legislation or common law principles.
IT communications services to any account holder may be withheld or withdrawn with cause.
Procedures and practices to support this policy include:
- IT Communications Services – Services that provide the ability to communicate electronically. These include, but are not limited to:
- Email and calendar services
- Telephone and voice messaging services
- Text messaging, instant messaging, and group messaging services (i.e. real-time messages)
- University-provided IT Communications Services – IT communications services that the university provides in-house or that the university has arranged from a vendor under a contract. These services may be located on or off premise but the university is always responsible for the security and privacy of information in its control, regardless of the choice of vendors or location of vendor services.
- University owned – Assets purchased by university funds including research grants administered by the university or acquired by the university through some contractual agreement.
- Record – Recorded information in any media or format that is created or received, and retained in the operations of an organization or person as evidence of functions, policies, decisions and other activities of that organization or person. Records include, but are not limited to, documents (e.g. letters, memoranda, email, contracts, invoices, reports, minutes, publications); images (e.g. photographs, maps, drawings); audio and video recordings; and compiled, recorded or stored data (e.g. audit trails).
- University record – A record that is created or received, and retained in the operations of a university unit.
- University data – Data that is created, collected and stored (either electronically or in hard copy) by units and members of the university community, in support of academic, research, and administrative activities.
- Account – An account typically consists of a username—called the Network Services Identifier (NSID)—and a password. This single digital identifier helps to provide a seamless transition between university IT services. The account provides role-based access to university computer and network services. The university sometimes provides access to other types of accounts through a corporate contract or other arrangements.
- Affiliation – Broad categories that define the different types of relationships that an individual may have with the university (e.g. faculty, staff, student, alumni, etc.). An individual may have more than one affiliation.
- University community – All students, employees, faculty, postdoctoral fellows, alumni, agents, contractors, authorized guests, and persons or organizations acting for or on behalf of the university.
- Data Management Policy
- Social Media Guidelines
- Responsible Conduct of Research Policy
- Information Technology Use
- Information Technology Security Policy
- Management of University Records Policy
- Provincial Local Authority Freedom of Information and Protection of Privacy Act (LAFOIPP)
- Intellectual Property Policies
- Enterprise Architecture Principles
*This policy replaces the Electronic Mail (email) Policy approved on June 23, 2006.
If you have questions about this policy please contact:
Contact Person: CIO and Association Vice-President, Information and Communications Technology