IT Monitoring Notice

The University is required by law to bring to the attention of all users the following notices.

(1) Regulation of Investigatory Powers Act 2000

As required by UK legislation, Cardiff University draws to the attention of all users of the University's Data and Telecommunication Networks the fact that their communications may be intercepted as permitted by legislation.

The legislation (including the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000) provides that interceptions are authorised for:

• monitoring or recording communications: 
  • to establish the existence of facts, to ascertain compliance with regulatory or self-regulatory practices or procedures or to ascertain or demonstrate standards which are or ought to be achieved (quality control and training)
  • in the interests of national security (in which case, only certain specified public officials may make the interception)
  • to prevent or detect crime
  • to investigate or detect unauthorised use of telecommunication systems
  • to secure, or as an inherent part of, effective system operation
• monitoring received communications to determine whether they are business or personal communications
• monitoring communications made to anonymous telephone helplines

The University does not need to gain consent before intercepting for these purposes, although we need to inform staff and students that interceptions may take place.

(2) Data Protection Act 2018 - Monitoring

IT Services hold user registration data and various information on the use of the university's computer systems and network; this includes log-in and log-out times and locations, printing logs, World Wide Web logs and network traffic logging.

While normally only used for operational purposes, such as monitoring the proper performance of systems or resolving problems, these logs may be analysed (under paragraphs 8 and 9of the university's IT Regulations) down to the individual user under the following circumstances:

1. where a breach of the Regulations or other university rules is suspected
2. to audit system access in the case of an information security incident
3. to assess their relevance in evidence for other university procedures, e.g. conduct, disciplinary or grievance.
4. to communicate with individuals to alert them to malfunctions within the Cardiff University IT facilities or to request action to correct the malfunctions, which may be putting the normal operation of the IT facilities in jeopardy
5. to deploy the use of manual or automatic searches to ascertain compliance with software licensing as well as terms and conditions relating to software usage. This may entail a search of all software programs installed on university IT equipment in both the physical and virtual environment. This data may be used for the investigation of breaches of the university's IT Regulations in addition to the management of the university’s IT facilities
6. to carry out statistical analysis to provide management information on teaching space, footfall, laboratory, software, printing, cache, network and general computer usage for the purposes of management of the university’s facilities

The University may place a legal hold on information held on its systems where there is the potential for it to be required for legal proceedings.

The University does not need to gain consent from data subjects to do so. This action will only be taken where authorised by the Director of People and Culture or their nominated deputy (for staff accounts), the Academic Registrar or their deputy (for student accounts) or the Senior Information Risk Owner.

Further information about your rights under data protection legislation can be found on our website.

(3) Web Content Filtering

In accordance with the Website Filtering Policy, Cardiff University filters web content into the university as it passes through the university firewalls for the purpose of protecting the reputation of the university and ensuring that the acceptable use policy of our network provider (JANET) is safeguarded.

Logging and Access

Access to log data will be restricted. In accordance with (2) above, these logs will be analysed (under paragraphs 8 and 9 of the university's IT Regulations) down to the individual user where a breach of the IT Regulations is suspected. All allegations relating to the use of the university’s IT facilities in connection with the possession of indecent images of children, or other illegal material in connection with children, shall be reported to the Designated Officer under the Safeguarding Children and Vulnerable Adults Policy. Web content filtering data may also be provided to law enforcement bodies where it is necessary for the prevention or detection of crime, prosecution or apprehension of offenders or national security.

High-level data provided by the logs for the provisioning of metrics for management information purposes will be anonymised.

(4) Accessing an individual’s files and University email account

For the purposes of recovering university systems and information that fall within their remit, Schools and Professional Services Departments have the ability to request that University IT access a user’s filestore and share files/emails. On occasion, it may also be necessary for business purposes to enable/edit out-of-office messages in email accounts. Where necessary, these actions may be taken without the account owner’s consent.

All such requests must be approved by the Heads of School/Professional Services Department. Where there is any concern over the nature of the request, Compliance and Risk will advise on the appropriateness of the request. The activity will be carried out by authorised individuals from within University IT. University IT will carry out its search in a way that will limit access to the business data identified within the request. Therefore, all users should store any personal records held on university IT facilities in a folder clearly marked ‘Personal’.