Computers and other information technology resources are essential tools in accomplishing the University's mission. Information technology resources are valuable assets to be used and managed responsibly to ensure their integrity, confidentiality, and availability for appropriate research, education, outreach and administrative objectives of the University of Minnesota. University community members are granted access to these resources in support of accomplishing the University’s mission.
All users of University information technology resources, whether or not affiliated with the University, are responsible for their appropriate use, and by their use, agree to comply with all applicable Board of Regents policies; University Administrative policies; federal, state and local laws; and contractual obligations. These include but are not limited to information security, data privacy, commercial use, and those that prohibit harassment, theft, copyright and licensing infringement, and unlawful intrusion and unethical conduct.
Units that grant guest access to information technology resources must make their guests aware of their acceptable use responsibilities. The University accepts no responsibility or liability for any personal or unauthorized use of its resources by users.
Acceptable use includes, but is not limited to, respecting the rights of other users, avoiding actions that jeopardize the integrity and security of information technology resources, and complying with all pertinent licensing and legal requirements. Users with access to University of Minnesota information technology resources must agree to and accept the following:
- Only use information technology resources they are authorized to use and only in the manner and to the extent authorized. Ability to access information technology resources does not, by itself, imply authorization to do so.
- Only use accounts, passwords, and/or authentication credentials that they have been authorized to use for their role at the University.
- Protect their University-assigned accounts and authentication (e.g., password, and/or authentication credentials) from unauthorized use.
- Only share data with others as allowed by applicable policies and procedures, and dependent on their assigned role.
- Comply with the security controls on all information technology resources used for University business, including but not limited to mobile and computing devices, whether University or personally owned.
- Comply with licensing and contractual agreements related to information technology resources.
- Comply with intellectual property rights (e.g., as reflected in licenses and copyrights).
- Accept responsibility for the content of their personal communications; they may be subject to any personal liability resulting from that use.
Unacceptable use includes, but is not limited to, the following list. Users are not permitted to:
- Share authentication details or provide access to their University accounts with anyone else (e.g., sharing the password).
- Circumvent, attempt to circumvent, or assist another in circumventing the security controls in place to protect information technology resources and data.
- Knowingly download or install software onto University information technology resources, or use software applications, which do not meet University security requirements, or may interfere with or disrupt service, or do not have a clear business or academic use.
- Engage in activities that interfere with or disrupt users, equipment or service; intentionally distribute viruses or other malicious code; or install software, applications, or hardware that permits unauthorized access to information technology resources.
- Access information technology resources for which authorization may be erroneous or inadvertent.
- Conduct unauthorized scanning of University information technology resources.
- Engage in inappropriate use, including but not limited to:
  - Activities that violate state or federal laws, regulations, or University policies.
  - Widespread dissemination of unsolicited and unauthorized electronic communications.
- Engage in excessive use of system information technology, including but not limited to network capacity. Excessive use means use that is disproportionate to that of other users, or is unrelated to academic or employment-related needs, or that interferes with other authorized uses. Units may require users to limit or refrain from certain activities in accordance with this provision.
Privacy and Security Measures
Users must not violate the privacy of other users. Technical ability to access others’ accounts does not, by itself, imply authorization to do so.
Users play an important role in the protection of their personal information. All faculty, staff and students are required to use all available user-specific security controls provided by the University (including multi-/two-factor authentication) and meet the user-specific controls in Administrative Policy: Information Security to assist in the protection of University assets and the protection of their personal information and assets. Failure on the part of faculty, staff or students to employ in good faith the available security controls and to secure their personal information appropriately will mean that the University will not reimburse the faculty, staff or student for the loss of misdirected salary, expense reimbursements, financial aid or any other assets.
Employees must understand that any records and communications they create related to University business, electronic or otherwise, on a University or personally owned device, may be subject to disclosure under the Minnesota Government Data Practices Act.
The University takes reasonable measures to protect the privacy of its information technology resources and accounts assigned to individuals. However, the University does not guarantee absolute security and privacy. Users should be aware that any activity on information technology resources may be monitored, logged and reviewed by University-approved personnel or may be discovered in legal proceedings. The University assigns responsibility for protecting its resources and data to technical staff, data owners, and data custodians, who treat the contents of individual assigned accounts and personal communications as private and do not examine or disclose the content except:
- as required for system maintenance including security measures;
- when there exists reason to believe an individual is violating the law or University policy; and/or
- as permitted by applicable policy or law.
The University reserves the right to employ security measures. When it becomes aware of violations, either through routine system administration activities or from a complaint, it is the University's responsibility to investigate as needed or directed, and to take necessary actions to protect its resources and/or to provide information relevant to an investigation.
Individuals who use information technology resources in a way that violates a University policy, law(s), regulations, or contractual agreement(s), or that violates an individual’s rights, may be subject to limitation or termination of user privileges and appropriate disciplinary action, legal action, or both. Alleged violations will be referred to the appropriate University office or law enforcement agency.
The University may temporarily deny access to information technology resources if it appears necessary to protect the integrity, security, or continued operation of these resources or to protect itself from liability.
Individuals or units should report non-compliance with this policy to University Information Security ([email protected]). To report anonymously, use the University UReport confidential reporting system.
Units within the University may define additional conditions of use for information technology resources or facilities under their control. Such additional conditions must be consistent with or at least as restrictive as any governing Board of Regents or Administrative policy, and may contain additional details or guidelines.
Reason for Policy
The purpose of this policy is to outline the acceptable use of information technology resources at the University of Minnesota in order to:
- Comply with legal, regulatory, and contractual requirements.
- Protect the University against damaging legal consequences.
- Safeguard these resources.