IT Regulations
- Version 5.4
For queries on these regulations please contact:
IT Support:
- Email: it-support@cardiff.ac.uk
- Tel: 02922 511111 (ext. 11111 internally)
Purpose and scope
The aim of these regulations is to help ensure that Cardiff University’s IT facilities and services can be used safely, lawfully, and equitably. They cover the use of all IT facilities and services administered by or provided through Cardiff University.
They are applicable to any user who is authorised to use any of the IT facilities and services, including but not limited to staff, workers, honorary title holders, visiting academics, and students.
It is not the intention of Cardiff University that these regulations should be used unreasonably to limit recognised academic freedom (Education Reform Act 1988, s202), as defined in the University’s Statute XV.
Related policies and procedures
In addition to these regulations, all users must abide by other policies and codes where they are relevant.
These include internal Cardiff University codes, policies and related documents:
- IT Acceptable Use Policy and IT Monitoring Notice
- Information Security and Information Security Classification and Handling Policies
- IT User Password and Authentication Policy
- Data Protection Policy
- Records Management Policy
- IT Asset Management Policy
- IT Bring Your Own Device (BYOD) Policy
- IT Software Update Management Policy
- Safeguarding Policy
- Dignity at Work and Study Policy
- Research Integrity and Governance Code of Practice
- Student Conduct Procedure
- Staff Disciplinary Procedures
- Process for accessing an IT user account
And external policies and codes, such as:
- the Acceptable Use Policy of the Joint Academic Network (JANET)
- the Connection Policy for connecting to the Joint Academic Network (JANET)
- any user obligation set out in licence terms and conditions for the IT facilities and services.
- the IT Regulations or similar codes imposed by remote sites and external partners, where their IT facilities or services are accessed or used by Cardiff University users.
Definitions
Definitions used within these regulations are as follows:
| Term | Definition |
|---|---|
| “Chief Digital and Information Officer” or “Director of People & Culture” | means the holders of these roles but also includes any member of university staff authorised to act on their behalf. |
| “connected to” | means connected either physically or virtually. |
| “files” | means any file in digital format (data and software) but does not include any file that is not in a digital format (e.g. paper, microfiche). |
| “IT facilities and services” | means the IT and Digital service provided by or through Cardiff University and includes: core IT services; computers, computing equipment and mobile devices for the colleges, schools and Professional Services of Cardiff University; personally owned computers or mobile devices and any associated peripherals when connected to, accessed from or via Cardiff University provided IT facilities and services; use of remote networks and services, when accessed from or via Cardiff University IT facilities and services; all programmable equipment including Smart/Connected/IoT devices; any associated software and data, including data created by persons other than users; and the networking elements which link IT facilities and services. |
| “users” | means anyone authorised to use the IT facilities and services, as defined by the Entitlements summary, and includes but is not limited to all staff, workers, honorary title holders, visiting academics, and students. |
| “workers” | means all members of the University and employees of any contractor or third-party using the IT facilities and services or handling information on behalf of the university. |
Regulation 1 – Use of IT facilities and services
IT facilities and services are provided solely for use by staff in accordance with their normal duties of employment, and by students in connection with their university education.
All other use is considered private. Private use is permitted, as a privilege and not a right, but if abused will be treated as a breach of these regulations and the appropriate disciplinary procedures will apply.
Private use for academic consultancy or commercial purposes shall comply with regulation 6.
Private business use is not permitted in university Hall of Residence under the Residential Terms and Conditions.
Information and data storage facilities are provided and scaled for university business use only. Private use is permitted, but information and data for private use must be removed where it breaches storage quotas or interferes with university business.
Any information or data for private use held on university-owned IT facilities and services is held at the user’s own risk. In addition to the right of access set out in regulations 4 and 10, and the exclusions on liability referred to in regulation 7, the University does not accept any responsibility for the integrity or availability of information or data held for private use.
Users and their next of kin will not have any right of access to private use information or data in the event that the user is no longer able to access the university-provided IT facilities and services.
Users may use personally owned IT-equipment to access the University-provided IT facilities and services, subject to the device meeting the security requirements of the IT Bring Your Own Device (BYOD) policy. The access provided will be sufficient for students to pursue their studies and research. However, for security purposes, BYOD IT equipment will not have full access to university data and systems. For full access, University staff are recommended to use university-owned IT equipment with a secure configuration managed by University IT.
Users are responsible for any university-owned IT equipment that is allocated to them and must ensure the equipment is handled in line with the requirements of the IT Asset Management Policy.
All use, including private use, must comply with the University’s IT Acceptable Use Policy and note the IT Monitoring notice. Any use which does not breach any other regulation herein, but nonetheless brings the University into disrepute, may also be treated as a breach of these regulations.
Regulation 2 – Compliance with UK Civil and Criminal Law
Users must comply with the provisions of any current UK law, including but not restricted to:
- the Computer Misuse Act 1990 and Police and Justice Act 2006 amendments (Part 5)
- the Copyright, Designs and Patents Act 1988 and amendments
- the Defamation Act 1996
- the Data Protection Act 2018
- the Terrorism Act 2006
- the Regulation of Investigatory Powers Act 2000
Regulation 3 – Software installation and licences
Users are not permitted to install software on university-owned IT equipment without prior authorisation from University IT. Users will be required to remove unauthorised software if found on university-owned IT equipment. Personally licensed software is not permitted to be installed on a university-owned device under any circumstances.
Software (including that provisioned in the cloud) for use by staff for any teaching, assessment, research, or administrative purpose must be referred to and sanctioned for use by IT Consultation Group prior to installation or use. Failure to do so may result in access to the software being blocked, the software removed, or university-owned IT equipment being removed from the network until the software has been confirmed as secure for use. Further information for staff can be found on the Using software intranet page and the Supporting your work intranet page.
Users must ensure that software products are maintained in accordance with the IT Software Update Management Policy. Users must ensure that the latest vendor updates and patches are installed as they become available. Critical or high priority patches must be installed within 14 days of issue. Any IT equipment found to have unmitigated vulnerabilities may have access to the IT facilities and services removed or limited until the software is updated or removed.
Users shall comply with the terms of any licence agreement which governs the use of hardware, software, services or access to data.
The University may deploy the use of manual or automatic searches in order to ascertain the use of unsanctioned software products, compliance with software licensing, as well as terms and conditions relating to software usage. Users connecting university-owned IT equipment in both the physical and virtual environment shall be required to download and install software as directed by the University.
Regulation 4 – Integrity of IT Facilities and Services
No person shall, unless appropriately authorised, take any action which damages, restricts, or undermines the security, performance, usability or accessibility of IT facilities and services; "taking action" may include neglect, where action might reasonably have been expected as part of a user's duties.
All connections of equipment to the IT facilities and services must be conducted in accordance with the procedures published in the University intranet. Where viruses or other potentially harmful malware are discovered, University IT may disconnect any physical or virtual IT system that is considered to present a risk to the integrity of the IT facilities and services or the security of information within those facilities and services. University IT may deny permission to reconnect until it can be evidenced that the risk has been mitigated.
Any apparently unauthorised access, removal or modification of IT facilities and services shall be reported as soon as practicable to the IT Service Desk.
Users shall comply with an instruction from the Chief Digital and Information Officer which is issued in respect of a suspected, or actual breach of network security, or a reported breach of the University IT Regulations.
The University shall have powers to take all steps which it may deem reasonable to remove or prevent distribution of any material that is threatening the integrity of the network, or to preserve information or the state of the IT facilities and services which may include removal of any IT facilities or services.
Regulation 5 – Security, confidentiality and passwords
Users shall take all reasonable care to maintain the security of IT facilities, services and files to which they have been given access. All use and allocation of authentication methods must be in accordance with the IT User Password and Authentication Policy. In particular, users shall not transfer authentication methods, or rights to access or use IT facilities or services, without appropriate authority from the relevant Head of School/Professional Services Department, their nominee or an authorised member of staff.
Accounts with special access privileges have enhanced access to devices, applications and information. Such accounts are only provided to staff with a genuine business need. These accounts must only be used for the activities for which the account was granted, with all other use of the IT Facilities and Services being through allocated user accounts without administrative privileges.
When such accounts are compromised, their greater freedoms can be exploited to facilitate large-scale corruption of information, disruption to business processes and unauthorised access to other devices in the organisation. All use of user accounts and allocation of authentication methods must be in accordance with the IT User Password and Authentication Policy and the IT Entitlements and Rights Policy.
Users shall ensure that any software installed on IT Facilities or Services for which they are responsible is appropriately patched and updated. Software (Operating System and Applications) of Internet-facing assets must be patched within 14 days of an update being released, where the patch fixes a vulnerability with a severity the product vendor describes as ‘critical’ or ‘high risk’ (as defined by the Common Vulnerability Scoring System). A risk-based approach shall be taken for other assets; this will consider the accessibility of the asset, the sensitivity of data stored, contractual and legislative requirements, and any agreements with third parties.
The access to and use of all personally identifying data originating from Cardiff University systems must comply with the University’s Data Protection Policy and users are under an obligation to maintain the confidentiality, integrity and security of such data. Also see the Process for Accessing a User’s IT Account.
Regulation 6 – Academic consultancy and commercial services
Users may access the University's computers and networks for academic consultancy or commercial purposes only through compliance with the conditions described below and with reference to the Policy for University Services and Private Outside Work.
Users applying for external research grants or contracts must abide by university procedures for obtaining funds for any IT element in their work. All external funds intended to pay for IT facilities or services must be declared to the Chief Digital and Information Officer and all charges paid promptly.
Software supplied through the University is normally licensed for academic use only; this will exclude consultancy and commercial purposes but will often also exclude internal use for, for example, administrative work. Any user engaged in academic consultancy, commercial, or other private work must pay for all computer use and purchase any software licences necessary for this work.
Computer programs developed on the facilities and services provided may not be licensed or sold without the prior authorisation of the Chief Digital and Information Officer or without reference to the Director of the Research and Innovation Services.
Reasonable precautions will be taken to ensure the reliability of the service, but no guarantee of the correct functioning of program or equipment is given. Where external work involving IT is undertaken this point must be drawn to the attention of the sponsors, unless independent verification of the results of the work has been undertaken.
Any advertising material disseminated via the University's IT facilities and services will be subject to the JANET Acceptable Use and Connections Policies. The University's IT facilities and services must not be used for placing or distributing commercial advertisements relating to any type of business unless expressly permitted by the Chief Digital and Information Officer. This may necessitate a separate 'proxy' licence being obtained by the user to distinguish it from the academic and research JANET service provided by University IT for the University.
Regulation 7 – Liability
By using the IT facilities and services each user agrees that Cardiff University shall have no liability for:
- loss or corruption of any file or files or data.
- loss or damage (excluding any liability for personal injury or death) to users or to third parties, or their equipment, operating systems or other assets resulting from the use of Cardiff University-owned IT facilities and services or any withdrawal of the use of said facilities and services at any time by Cardiff University.
Each user agrees that Cardiff University has the right to take legal action against individuals who cause it to suffer loss or damage, including damage to its reputation, or be involved in legal proceedings as a result of their breach of these Regulations, and to seek reimbursement of such loss, or any associated costs including the costs of legal proceedings.
Regulation 8 – Breaches of regulations
Breach of these regulations is a disciplinary offence and may be dealt with under the appropriate disciplinary policy and its related procedures. Where an offence has occurred under UK law, it may also be reported to the police or other appropriate authority. The manner in which breaches or suspected breaches shall be investigated is outlined in regulations 9 and 10.
Regulation 9 – Investigation of breaches of University policy or regulations
The Chief Digital and Information Officer may immediately suspend a user's access to IT facilities and services pending an investigation under university procedures by an Authorised Officer or nominee of the University. The Director of People & Culture shall be informed of this action where the user is a member of staff or honorary title holder. The Academic Registrar shall be informed where the user is a student.
Where no disciplinary code applies the Chief Digital and Information Officer shall have the authority to suspend a user’s account in support of, or in order to conduct, an investigation. In cases where the user’s account is suspended pending investigation Cardiff University reserves the right to notify the user’s employer (including employment agency) or academic institution of this fact with immediate effect.
The University shall have powers to access all relevant IT facilities, services and files and to take all steps which it may deem reasonable to remove or prevent distribution of any material which is in breach of any university policy or regulation, or to preserve information or the state of the IT facilities and services for the purposes of an investigation, which may include removal of any IT facilities and services.
As part of investigatory action, Cardiff University reserves the right to require access to any files held on the IT facilities and services. It may also require that any encrypted data is made available in human-readable form.
Any such investigatory action shall not prejudice any final determination of whether a breach has occurred.
Regulation 10 – Investigation of alleged breaches of the IT regulations
Illegal material relating to children
These allegations will always be treated as non-minor breaches. All allegations relating to use of the University’s IT facilities and services in connection with the possession of indecent images of children, or other illegal material in connection with children, shall be reported to the Designated Officer under the Safeguarding Children and Vulnerable Adults Policy.
Minor breaches (all categories of users)
A preliminary investigation into alleged minor breaches of these regulations shall be conducted by the Chief Digital and Information Officer or nominee.
Following that investigation the Chief Digital and Information Officer shall have the authority to dismiss the complaint, issue an informal warning or take further action as provided for in Regulation 9.
Alleged breaches by staff
Where the alleged perpetrator of a suspected or actual non-minor breach is known to be a Cardiff University member of staff, worker or honorary title holder this shall be reported to, as appropriate, the Head of School/College Registrar/Director of Professional Services Department, and Director of People & Culture and considered in accordance with the applicable staff disciplinary procedure.
Alleged breaches by students
Where the alleged perpetrator of a suspected or actual non-minor breach is known to be a Cardiff University student and the matter is more serious (including repeat occurrences of minor breaches), the Chief Digital and Information Officer shall refer the matter to the Academic Registrar under the Student Disciplinary Code.
Other categories of user
Where the matter is more serious (including repeat occurrences of minor breaches) and no relevant disciplinary procedure applies, the Chief Digital and Information Officer shall take appropriate and proportionate action which may include permanent withdrawal of service from the user and/or recommendation that the University take legal action.
Right of appeal
The disciplinary procedures for staff and students contain appeal processes for matters dealt with under those procedures.
An individual may appeal against the outcome of an investigation conducted under these regulations by writing to the Chief Operating Officer, setting out the reasons for the appeal.
In cases where the user under investigation is not a member of staff at Cardiff University, nor a student, Cardiff University reserves the right to notify the user’s employer (including an employment agency) or academic institution of the outcome of any investigation at its conclusion.
Document control table
| Document title: | IT Regulations |
|---|---|
| Author(s): | Owen Hadall, Director of IT, University IT. |
| Version number: | 5.4 |
| Approved by: | University Executive Board |
| Date of next review: | July 2028 |
| Superseded version: | 5.2 |