Chapter 6: Acceptable Use of Information Technology
I. Introduction
The mission of Vanderbilt University is to be a center of scholarly research, informed and creative teaching, and service to the community and society at large. The University upholds the highest standards and is a leader in the quest for new knowledge through scholarship, dissemination of knowledge through teaching and outreach, and creative experimentation of ideas and concepts. In pursuit of these goals, Vanderbilt values most highly intellectual freedom that supports open inquiry, and equality, compassion, and excellence in all endeavors.
To achieve its mission, the University applies substantial financial and personnel assets toward operating a reliable, available, and secure network computing infrastructure. The mass adoption of digital technologies in the everyday lives of members of our community requires that Vanderbilt establish clear policies that guide how community members may use the University’s information technology resources. This Acceptable Use Policy (AUP) communicates the respective policies associated with our role in the Vanderbilt community as students, faculty, staff or other authorized users.
The guiding purpose of the AUP is to ensure that the University’s information technology resources are used to promote the core mission of Vanderbilt in education, research and scholarship, patient care, and service, either directly or through the various administrative entities and services that enable Vanderbilt’s core mission. To that end, the policy has the following goals:
1. First and foremost, that information technology resources are used for their intended purposes
2. that the use of information technology resources is consistent with the principles and values that govern use of other University facilities and services; and
3. that the integrity, reliability, availability and performance of information technology resources are protected.
II. Scope
This policy applies to all Vanderbilt University students, faculty and staff and to all others granted use of Vanderbilt’s information technology (IT) resources whether individually controlled or shared, stand-alone or networked. It applies to all computer and communication facilities owned, leased, operated, or contracted for by Vanderbilt University. Information technology resources include but are not limited to Vanderbilt’s Internet 1, Internet 2, private networks, telephone, fax, voice mail, electronic mail, instant messaging, electronic collaboration, content management, or other applications that attach, utilize, or otherwise interface with Vanderbilt’s data and voice network computing infrastructure. Electronic communications include but are not limited to any information—data, text, graphics, audio, video, or other artifact—that can be sent or received via an electronic system or manipulated or transferred via the network computing infrastructure or an attached device or peripheral.
III. Policies
A: Privacy, Integrity and Operational Security
The privacy of all users and the integrity and operational security of Vanderbilt’s information technology system must be respected by all. Vanderbilt’s IT resources must not be used by anyone to gain or attempt to gain unauthorized access to private information, even if that information is not securely protected or is otherwise available. The fact that an individual account and its data may be unprotected does not confer either an ethical or legal right to access it.
Investigations of misuse, unauthorized use, or illegal activity, compliance with federal, state or local laws or regulations, as well as routine or emergency maintenance of the IT system, may require observation of electronic information by appropriate and authorized University officials, employees, or their authorized agents. Such activities are not in violation of this principle so long as these activities are conducted by authorized individuals on behalf of Vanderbilt University and are governed by professional IT forensic protocols. Vanderbilt uses automated systems to monitor data transmissions entering and leaving the Vanderbilt networks to detect the presence of viruses, malicious software, or privileged information.
Consistent with the University’s commitment to academic freedom (see “A Statement of Principles,” Part III, Chapter 1), specific safeguards protect the privacy and academic freedom of the Vanderbilt faculty in the event that a faculty member’s electronic communications or records must be inspected without their/her/his express consent:
1. Conditions
The University shall inspect electronic communications or records of a faculty member only in response to an external legal process (a judicial or administrative subpoena, or a document request from a governmental agency, e.g. Equal Employment Opportunity Commission or U.S. Department of Labor, in regard to a complaint filed with the agency to which the University would be responding) or to
investigate a specific allegation of a violation of an internal University policy. Except as may be required by law, the scope of the inspection shall be limited to the specific legal complaint or specific policy violation and access to electronic communications shall be granted only to those who must have access
to complete their University duties (“need to know”).
2. Authorized Parties
Only the Chancellor, the University General Counsel, the Provost and Vice Chancellor for Academic Affairs, or for the clinical department in the School of Medicine, the Dean of the School of Medicine may authorize inspection of a faculty member’s electronic communications or records. Unauthorized inspections are in violation of this policy.
3. Reporting
The University shall provide to the Faculty Senate an annual report recording the number and general nature of such inspections concluded in the previous fiscal year.
Unauthorized access to private information constitutes a violation of this policy, and may result in disciplinary actions under the Faculty Manual, Student Handbook, HR policies, or other applicable policy statements. Violation of this principle may also constitute a violation of state or federal law.
B: Use
Use of Vanderbilt’s network computing and electronic communications infrastructure comes with certain responsibilities and obligations.
I. Unlawful Use
Tennessee and federal laws provide for civil and criminal penalties for violations of the law of systems use. Examples of unlawful actions include, but are not limited to, defamatory remarks, destruction of Vanderbilt University data or equipment, unauthorized copying of copyrighted material and the transportation of obscene materials across state lines. Any use of Vanderbilt network computing assets by anyone in the organization that violates state, federal, or local laws is prohibited.
2. Violation of Institutional Policies
Vanderbilt University’s academic departments, clinical operations, and administrative areas maintain policies that govern and inform our day-to-day lives in the conduct of our Vanderbilt experience. Any use of Vanderbilt network computing assets that violates applicable institutional policies is prohibited.
3. Violation of Student Honor and Conduct Codes
Vanderbilt University maintains high standards for its students and various codes and policies govern and inform a student’s day-to-day life in the conduct of their/her/his Vanderbilt experience. Students are prohibited from using the Vanderbilt network computing assets for activities that violate the conduct code, the honor code, or other policies and regulations delineated by the Student Handboo
C: Fiduciary Responsibilities
1. Vanderbilt Community Members
Members of the Vanderbilt community possess a great personal responsibility to themselves and to other community members to utilize technology while maintaining their fiduciary responsibilities. These responsibilities include, but are not limited to:
- Being responsible for the security of one’s personal information
- Protecting personal and private information of others
- Taking care to minimize risks of various undesirable events, such as disclosure of sensitive personal information, identify theft, and even threats to personal safety when using Vanderbilt information technology assets.
2. Information Technology Professionals
Vanderbilt IT personnel are granted elevated or privileged access to Vanderbilt University’s
information and information systems. This privileged access places the Vanderbilt IT professional in a higher level of trust. To maintain this level of trust, Vanderbilt IT professionals must develop, maintain, and continually enhance their skills and abilities on behalf of those they serve. IT professionals employed by Vanderbilt University must strive to be trusted and highly skilled custodians through:
- Preserving confidentiality
- Protecting data and information integrity
- Establishing and maintaining availability of information systems
- Educating those around them about IT and social risks related to information systems
- Enhancing and maintaining technical skills
- Demonstrating an understanding of the areas they serve
D: Intellectual Property
At the heart of any academic or research endeavor resides the concept of intellectual property. All copyrighted information (text, images, icons, programs, video, audio, etc.) retrieved from computer or network resources must be used in compliance with applicable copyright and other law. Copied material must be properly attributed. Plagiarism of digital information is subject to the same sanctions as apply to plagiarism in any other media. Acquiring or sharing copyrighted materials without obtaining the appropriate licenses or permissions may be unlawful.
E: Publication or Distribution of Unauthorized Recordings, Photos, Images, Text or Video
With the availability of low cost cameras, smart phones, and consumer electronics, it is possible for someone to acquire voice, video images, still images, multimedia, or text in non-public situations without the knowledge or consent of all parties. Vanderbilt network computing assets must not be used by anyone in the organization to publish or distribute this type of material without the expressed consent of all involved parties.
F: Right to Copy and Inspect for Legal and University Process
Vanderbilt University is committed to protecting the privacy of faculty, students, staff, patients, and other users of its IT resources, and their electronic communications. However, because Vanderbilt operates subject to compliance with various federal and state laws and regulations and must be able to enforce its own policies, Vanderbilt must occasionally inspect, preserve, and produce records to fulfill legal obligations and to carry out internal investigations. Vanderbilt University reserves the right to obtain copy and convey to outside persons any records or electronic transactions completed using Vanderbilt University information systems in the event it is required by law or institutional policy to do so. Vanderbilt University may also in its reasonable discretion, when circumstances require, obtain and review any records relevant to an internal investigation concerning compliance with Vanderbilt University rules or policies applicable to students, faculty, staff, or all others granted use of Vanderbilt’s information technology resources. Users therefore should not expect that records created, stored, or communicated with Vanderbilt information technology or in the conduct of Vanderbilt’s business will necessarily be private. Vanderbilt University reserves its right to any work product generated in the conduct of its business.
G: Locally Specific Policies
Individual units within the University may create additional policies for information resources under their control. These policies may include additional detail, guidelines, and further restrictions but must be consistent with principles stated in this policy document. Individual units adopting more specific policies are responsible for establishing, publicizing, and enforcing such policies, as well as any rules governing the authorized and appropriate use of equipment for which those units are responsible.
All members of the Vanderbilt University community are given notice of this policy by virtue of its publication and are subject to it on the same basis. Ignorance of this policy does not relieve any user of their/her/his responsibilities under the policy. All users are expected to familiarize themselves with the contents of this policy and act in conformance with these principles regarding any use of the University’s IT resources.
Due to the rapid nature of change in both information technologies and their applications, the University may amend this policy whenever deemed necessary or appropriate. Users are encouraged to periodically review this policy in order to understand their rights and responsibilities under it.