Center for Information Technology Services
University of Maryland
Information Technology Acceptable Use Policy
Effective Date: 8/1/2005
I. Purposes
The purposes of this policy are to state what constitutes the acceptable use and what constitutes the misuse of UM IT Resources (as defined below). This policy also states responsibilities and procedures for administering and enforcing this policy, reporting violations, and initiating disciplinary actions against those who violate this policy.
II. Definitions
"Affiliate": an organization located at the UM campus which has IT Resources connected to UM IT Resources, or which has IT Resources used by Authorized Users; also, an organization located off campus which provides IT Resources used by Authorized Users in the course of their activities in relation to their affiliation with UM or an Affiliate; also, does not include a business entity which contracts with UM for IT services.
"Authorized Users": students, faculty, staff, visitors, and guests of UM who use UM IT Resources, on-campus or off-campus, in the course of UM employment, educational activities, or other purposes related to their UM affiliation; also, employees of Affiliates who use UM IT Resources to fulfill their employment responsibilities, and any other persons authorized to use UM IT Resources. Any person who receives a password ID from UM or who uses an e-mail address that ends in "umaryland.edu" is an Authorized User. All Authorized Users are subject to this policy.
"CIO": the Vice President of Information Technology and Chief Information Officer of UM.
"IT Administrator": the administrator or academic officer of a UM unit or school who, as determined by the applicable vice president or dean, is responsible for management and oversight of the IT Resources located in, or used by Authorized Users affiliated with that unit or school.
"IT Resources": all information technology resources, including, but not limited to, computerized information, computing facilities, computer networks, hardware, software, systems, programs and devices.
"UM IT Resources": IT Resources owned, leased, or used by UM or its Affiliates, or by USM, and used by Authorized Users.
"UM": University of Maryland (including all its schools and administrative units).
"USM": University System of Maryland.
III. Scope
This policy applies to all Authorized Users.
IV. Acceptable Use
In general, acceptable use of UM IT Resources is use in support of the research, education, service, and administrative activities of UM or of an Affiliate. Authorized Users should always use IT Resources in accordance with UM, USM, and Affiliate policies, procedures, and guidelines, software licenses, and applicable laws. UM depends upon a spirit of mutual respect and cooperation to create and maintain an open community of responsible users of UM IT Resources. Use of UM IT Resources must be responsible and professional. Acceptable use balances limits necessitated by law, economy, security and privacy with the principles of academic freedom and constitutional rights of free speech.
Authorized Users are responsible for safeguarding their own identification (ID) codes and passwords, and for using them for their intended purposes only. Authorized Users are solely responsible for all transactions made under the authorization of their ID, and for activity involving IT Resources which originate from computing devices owned by or assigned to them. Authorized Users may not represent or imply that personal electronic publications (e.g. web pages) or personal communications reflect the views or policies of UM.
Authorized Users may not state or imply that links provided from web pages hosted on UM IT Resources constitute or imply a UM endorsement of those sites, their content, or products and services associated with those sites.
Direct and indirect use of UM IT Resources made available to an Authorized User is a privilege granted by UM. The privilege is subject to compliance with this policy, other applicable UM and USM policies, Affiliate policies and State and federal laws.
V. Misuse
Misuse is use of UM IT Resources in a manner not consistent with standards for acceptable use. Misuse includes, but is not limited to:
A. Securing unauthorized access to or unauthorized use of UM IT Resources, or facilitating such use or access by another person.
B. Accessing or attempting to access UM IT Resources on or off the UM campus without authority. This is also referred to as hacking.
C. Any deliberate or reckless act that denies or interferes with the access and use of UM IT Resources by others.
D. Use of UM IT Resources in violation of the law, the policies of UM, USM, or an Affiliate, or the policies or guidelines of any UM school or unit. Examples of such prohibited use include violations of anti-discrimination or harassment policies, and a school’s honor code.
E. Personal communication, or other personal use, that interferes with the use of UM IT Resources by Authorized Users for official UM purposes and for academic responsibilities, or that interferes with or indicates neglect of employment responsibilities (e.g. use of internet auction sites such as eBay, internet gaming, chat rooms, instant messaging, and web surfing during work hours).
F. Software theft or piracy, data theft, copyright violations, illegal peer-to-peer file sharing, and other actions that violate intellectual property rights of others.
G. Inappropriate access, use or disclosure of data including social security numbers, birth dates, or addresses; unauthorized sale or transfer of such information.
H. Altering system hardware configurations without authorization; installing or deleting system software without authorization; installing or removing system hardware without authorization.
I. Intercepting or monitoring communications, user dialog, or password input intended for another recipient, except when this is done as part of authorized IT resource management, when authorized by the CIO, or if required by law.
J. Collecting or storing information about users of UM IT Resources without user authorization, except as necessary for official UM activities and functions.
K. Illegal activity.
L. Business or commercial activity not carried out on behalf of UM or an Affiliate.
M. Access to or use of electronic distribution lists and email accounts created by UM, a school or unit of UM, or an Affiliate, for purposes not authorized by UM, the school, or the unit; permitting others access to such distribution lists for unauthorized purposes.
N. Transmitting messages that are threatening, obscene, vulgar, derogatory or harassing; messages that attack another individual or group of individuals; or messages that violate the policies of UMB or USM, any school or unit of UM, or any Affiliate of UM.
O. Anomalous (unusual or unexpected) computing activity that is illegal or wasteful of UM IT Resources or that violates the terms of use of the licenses and agreements through which UM obtains or uses UM IT Resources.
VI. Security and Monitoring
The maintenance, operation, and security of UM IT Resources require UM and Affiliates to monitor and access IT Resources. UM and its Affiliates monitor UM IT Resources as part of normal operations and maintenance. Normal monitoring includes, but is not limited to, logging activity and monitoring usage patterns. In special situations, communications including internet activity of specific individuals or systems are subject to monitoring by UM and Affiliates for other purposes, e.g., investigation of complaints of violation of work rules, allegations of violation of law, or allegations of unauthorized use of UM IT Resources.
To the extent feasible, as determined by UM, and taking into account the electronic environment and the public agency status of UM, UM will protect the confidentiality of academic information, student information, medical information, attorney-client and patient-provider communications, attorney work product and information developed from or exchanged with clients and patients which is stored and transmitted through UM IT Resources. Authorized Users may only access confidential information with UM permission and only to the extent authorized. Access to and disclosure of confidential information to others in any manner not permitted by law, UM policy and procedure, and the applicable policies of the school, unit or Affiliate that maintains the information, is prohibited. UM will not disclose privileged or confidential communications from legal clients, attorney work product, student information, employee information, or medical or health care record information unless permitted by law, authorized by the client or patient, or approved by the school, unit or Affiliate that maintains the information
There is no assurance of confidentiality or privacy for much of the information transmitted or stored by UM IT Resources. The Maryland Access to Public Records law applies to electronic data, including archived electronic messages. Other state and federal laws, and the needs of UM to meet its administrative, business, and legal obligations, require UM to routinely monitor activities involving UM IT Resources and may require UM to access and view stored data.
UM seeks to maintain the security of UM IT Resources, but cannot guarantee security. Authorized Users have no expectation of privacy as to information stored or transmitted using UM IT Resources, and generally should not maintain or transmit sensitive personal information about themselves or others using UM IT Resources. However, UM IT Resources which have appropriate security measures in place can be used for personal information of clients, research subjects, and patients.
Related security policies of UM, its schools, units and Affiliates apply to certain categories of personal information (e.g., medical records, UM Law Clinic records, records of Affiliate health care organizations) stored or transmitted using UM IT Resources. Authorized Users must comply with these policies.
UM may monitor the specific activity and accounts of any Authorized User without notice to the Authorized User in situations when it is necessary or appropriate in the judgment of the CIO or a school, unit or Affiliate IT Administrator, e.g.:
• The user has voluntarily made the activity or account information available to the public, as by posting to an electronic list or web page.
• Monitoring is necessary to preserve the security, integrity, or functionality of IT Resources.
• UM or an Affiliate has a reasonable basis to suspect an Authorized User may be violating this policy.
• A user of UM IT Resources, or an account, is demonstrating anomalous activity based on usage patterns.
• UM or an Affiliate has a reasonable basis to suspect that a person using UM IT Resources is doing so without authorization.
• Otherwise necessary, as permitted by law, required by lawful directive to UM or an Affiliate, or required to investigate allegations of misuse of UM IT Resources.
When monitoring of specific activity and accounts is required, the CIO or designee, or the IT Administrator, will consult with an academic or administrative unit's Dean or Vice President, or designee, prior to monitoring activities of specific Authorized Users, and prior to disclosing patient or client information as permitted by law or authorized by the patient or client. If a matter directly involves a Dean or Vice President, the President may waive this consultation requirement.
VII. Electronic Mail (E-Mail)
Copyright laws, license agreements, USM and UM policies, and state and federal law apply to e-mail. E-mail sent with the intent of disrupting communication or other system services is not allowed. The proliferation of unsolicited commercial e-mail (also known as UCE or “spam”), virus warnings, urban legends and electronic chain letters are not acceptable uses of UM IT Resources.
Broadcast e-mail, i.e., e-mail messages sent to a list of users in all schools and units of UM, is forbidden unless approved by the President or his designee. Broadcast e-mail to users in a particular school or unit is prohibited unless permitted by the Dean of the school or Vice President of the unit, or that administrator’s designee.
The primary purpose, and primary use, of e-mail using UM IT Resources is for UM-related activities. Occasional use of e-mail for personal communications during the business day is acceptable. Users are advised; however, that they have no right of privacy in personal communications sent or received using campus email. Such messages, like all other messages, are subject to monitoring and disclosure as stated above.
VIII. Web Pages
Any Authorized User who creates, maintains or hosts a web page using UM IT Resources is responsible for the integrity of the information contained on the page and for compliance with USM and UM policies, and federal and state laws, including laws governing copyright, obscenity, defamation, and software piracy.
Personal web pages and commercial web pages may not be posted using UM IT Resources unless expressly authorized by a UM school, unit or Affiliate and then only if the web page is related to the academic activities of the school or the operational activities of the unit or Affiliate. Web pages that are not in good taste are not allowed. Anyone who wants a web page primarily or exclusively for personal or commercial purposes, rather than academic activities or the operational activities of UM or an Affiliate, should not use UM IT Resources to create or host the web page.
IX. Administration and Enforcement of Policy
The CIO is responsible for the administration of this policy. Each school, unit, and Affiliate of UM, and the IT Administrator of each UM School, unit, or Affiliate may provide additional guidelines for appropriate use of UM IT Resources in that school, unit, or Affiliate.
Enforcement of this policy is delegated to the heads of the UM schools and administrative units, i.e., deans and vice presidents. In cases where there is a question about authority to enforce this policy a determination shall be made by the UM President or a designee, normally the CIO.
X. Violations
Suspected violations of this policy shall be reported to the CIO, the IT Administrator of any school or unit involved, and the IT Administrator of any Affiliate involved. Within a school or unit, the IT Administrator will report the suspected violation to those responsible for supervision of the Authorized Users involved, unless complete confidentiality is required during an investigation of the violation, and to those responsible for administration of disciplinary policies applicable to the Authorized Users involved. Authorized Users who are accused of violating this policy and who have a student or employment relationship, or an academic appointment with UM, will be subject to disciplinary actions or other proceedings consistent with an accusation of misconduct.
The CIO and/or IT Administrator shall investigate thoroughly the issues concerning use of UM IT Resources, provide a complete report to the School or employing unit, and cooperate in disciplinary proceedings.
Allegations of violations by Authorized Users other than students, employees or appointees will be resolved by the CIO in consultation with the applicable school, unit or Affiliate. The CIO may suspend an accused user’s access to some or all UM IT Resources until an investigation is completed and, if required, a hearing has been held to determine the validity of the allegations involved.
Authorized Users who commit serious or repeated violations of this policy are subject to additional sanctions. Such additional sanctions may include permanent termination of access to UM IT Resources, use restrictions, or special monitoring of activities involving UM IT Resources.
The CIO or any IT Administrator shall refer suspected criminal violations of law to the University Police and concurrently advise University Counsel of the matter.
Immediate action may be taken by the CIO or an IT Administrator in response to potential or ongoing threats to UM IT Resource security, the health or safety of persons, the privacy rights of students, employees, patients, clients, research subjects or others, compliance with the law, or the security of confidential or proprietary information.
Violations of this policy may result in actions under Human Resource policies, faculty policies, or student policies, in addition to actions under this policy. Termination of enrollment, employment or appointment may follow from violations of this policy.
XI. School and Unit Responsibilities
Schools and units may require their Authorized Users to follow additional guidelines for appropriate use of school and unit UM IT Resources. Such guidelines shall be no less restrictive than this policy and do not supplant this policy.
When Authorized Users change status, e.g., upon resignation, termination, graduation, retirement, imposition of a disciplinary sanction, or a change in position, role or responsibilities within UM, the school or unit responsible for initiating a change in status must coordinate with central support units (e.g., Center for Information Technology Services, Human Resource Services, Payroll) to discontinue or change access and authorization to UM IT Resources accessible to the Authorized User before the change of status.
