11. Compliance

These policies have been approved by Council and therefore form part of the Terms and Conditions of Employment for the University. Heads of department, college, or other unit are responsible for ensuring that information systems within their unit are implemented in compliance with these policies.

The PRAC ICT Sub-committee is responsible for ensuring that all members of the collegiate University are aware of the University's information security policy and for monitoring compliance within all units of the University. Units should ensure that all new staff, students, contractors and others with access to the unit or to its network, computer systems or data are given a copy of the University's information security policy and of any associated unit policies and procedures, and are reminded of these on a regular basis. Compliance with these policies should form part of any contract with a third party that may involve access to network or computer systems or data. All users should be made aware that the requirement for compliance is devolved to them and that they will be held individually responsible for any breach of law. Information security incidents resulting from non-compliance may lead to appropriate disciplinary action.

Other statutory obligations on all members of the University are defined in the "Regulations Relating to the use of Information Technology Facilities" as approved by Council. These include the definition of the circumstances under which the University may monitor use of its ICT systems, and the levels of authorisation required before this may be done. Guidelines can be found at http://www.ict.ox.ac.uk/oxford/rules. Procedures should be implemented to ensure that the privacy of data belonging to users is maintained and that system administrators do not access a user's data without the user's permission, except as laid out in the "Regulations Relating to the use of Information Technology Facilities". If routine monitoring or recording of data, web sites accessed, etc. is carried out, this should be made clear to all users of the system.

Procedures must exist to ensure that data protection and privacy laws are upheld as required by relevant legislation, regulations and, if applicable, contractual clauses. If data are to be transferred outside the European Economic Area, appropriate controls must be implemented to ensure that the provisions of the Data Protection Act 1998 are met. Cryptographic controls must be used in compliance with all relevant agreements, laws and regulations. When dealing with incidents involving potentially illegal material, the following guidelines should be observed: http://www.ict.ox.ac.uk/oxford/rules/soaguidelines.xml.

Individual units should ensure that all relevant statutory, regulatory and contractual requirements and the unit's approach to meet these requirements are explicitly defined, documented and kept up to date. Procedures must be implemented to ensure the unit abides by all UK legislation and relevant legislation of the European Union.

Relevant legislation includes, but is not limited to:
  • The Computer Misuse Act (1990)
  • The Data Protection Act (1998)
  • The Regulation of Investigatory Powers Act (2000)
  • The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations (2000)
  • The Freedom of Information Act (2000)
  • The Special Educational Needs and Disability Act (2001).

For more detailed guidance please see the following:
