Introduction
These Guidelines are intended to assist Berkeley Campus departments or units to ensure appropriate use of their computing and network services and to respond correctly to allegations of misuse.
Berkeley Campus departments or units may choose to provide or not provide computing and network services to defined categories of users, and may limit the types of services they do choose to provide. These decisions are based upon consideration of campus or local department or unit missions, available resources, or other academic or business needs and priorities.
Berkeley Campus departments or units who do provide computing and network services (hereinafter referred to as "Providers") must ensure that their services are administered in compliance with any applicable regulations and principles. To this end, they must keep themselves informed regarding current regulations and practices, consulting with campus authorities or documentation resources as required.
Since the Campus may be viewed as one legal entity, actions taken by Providers in response to allegations of misuse must be as consistent as possible for similar situations, both within a particular department or unit and in comparison to others on campus. To help Providers meet this requirement, various campus resource offices are available for consultation and/or referral for action. (See Appendix.)
Guidelines
A. Defining Appropriate Use:
Providers must create written statements which clearly describe the purposes for which their particular computing and network services are provided, must notify their users of these purposes, and must require that users conform to these purposes. In addition to statements of uses which are allowed, these statements also may indicate any uses which are specifically precluded, such as commercial use, downloading software, or playing computer games.
B. Ensuring Compliance:
As a required condition for use of their services, Providers must require compliance with provisions of the University of California Electronic Communications Policy (ECP) and the Berkeley Campus Computer Use Policy. Providers should educate their users regarding the fact that University policies such as those pertaining to personal conduct, use of University name and logo, or sexual harassment apply to the use of campus computing and network resources. For more information see the Campus IT Policies website.
1) Regular Authorizations:
Providers must have in place a process for authorizing any use of their services. (The mechanism for providing access will be referred to in these Guidelines as an Account). For each Account, an individual who is affiliated with UCB must be identified as the User. The Provider must notify Users:
1. that they are responsible for any use of the service by means of that Account;
2. that they must use the Account only for the defined purposes;
3. that they must abide by applicable regulations including the University of California Electronic Communications Policy (ECP), the Berkeley Campus Computer Use Policy, and any other regulations the Provider includes in written policies; and
4. of the possible consequences which they may face if the Account is not used appropriately;
and must obtain the User's agreement with these conditions. (1)
2) Group Accounts:
In the case of a group Account, a Designate must be identified for each Account. The Provider must notify these Designates that they are responsible for any use of the service by means of that Account, that any use of the Account by themselves or by other members of their groups must comply with the conditions listed in section B.1) ii) and iii) above, and of the possible consequences which they may face if the Account is not used appropriately. The Provider must obtain the Designate's agreement with these conditions. (1)
3) Guest Accounts:
Providers who wish to grant Accounts to non-campus individuals (or groups) who have operational or academic associations with the Berkeley Campus must have criteria justifying use of University resources, such as describing the compelling academic or business reasons for granting service to unaffiliated entities. (2) Criteria also must include Account sponsorship by a Designate who is affiliated with UCB. The Provider must notify these Designates that they are responsible for any use of the service by means of that Account and that any use of the Account by themselves or by anyone whom they sponsor to use the Account must comply with the conditions listed in section B.1) ii) and iii) above, and of the possible consequences which they may face if the Account is not used appropriately. Providers must obtain the Designate's agreement that they and any of the individuals who use the account have been informed and agree to comply with these conditions. (1)
C. Termination of Accounts:
Providers should have procedures in place for timely closure of Accounts when Users are no longer eligible for services. Service termination procedures should include notification to the user.
D. Responding to Allegations of Misuse:
General Principles:
Providers must have written local procedures which outline steps for responding to alleged misuse of their services. The procedures should describe considerations used to determine the actions that will be taken. They need not specify the exact actions for every circumstance, but should outline the range of possible actions, such as a simple educational message, the temporary or permanent restriction of service, or referral to other Offices of authority, such as for student conduct cases. Allegations in specifically-regulated areas such as employee performance issues or sexual harassment cases must be referred for processing under existing campus procedures in those areas. (See section 3, below, for more examples of areas where referrals are required.)
Providers' local procedures must give Users the opportunity to respond or explain their activities. Such opportunity should be provided prior to taking any actions to restrict service, unless there is risk of harm to the system or of other serious consequences.
In order to maximize consistency of responses throughout the campus, Providers should obtain a review of their local procedures from Berkeley IT's IT Policy Services group. Other resource offices available for additional review are listed in the Appendix to these Guidelines.
In addition to responses by Providers, the consequences of misuse may also include separate and independent sanctions under other applicable regulations (for example, those for sexual harassment or student conduct).
How to Respond:
1) Routine Situations:
The Provider's primary objective in responding to routine, first-time, misuse should be educational. For example:
- reiterating the terms and conditions for use of the service and reminding Users they were informed of these and they agreed to abide by them as a requirement for getting an Account; and
- warning Users of possible future consequences, such as an escalation of seriousness of response and/or specific possible penalties if there are repeat violations.
More serious misuse, or repeated misuse, may warrant responses involving more severe consequences.
2) Short-Term, Temporary, Restrictions of Service:
It may be appropriate for Providers to temporarily restrict services pending investigations. Restrictions should not be a routine initial action, but may be made after considering:
- the effect and implications of continued service, such as a possibility that further inappropriate activity may occur before the User is contacted;
- the seriousness of the alleged activity; and
- comparison with practices for restriction of services by other Providers.
When services are restricted, Providers should notify the User of the restriction, including:
- when it has occurred or will occur;
- the reason for the restriction;
- what other related actions, if any, have been or will be taken;
- the probable next steps; and
- avenues for appeal.
Providers should ensure that their practices for restrictions of service are consistent with those of other Providers in similar situations by seeking review of their procedures by Berkeley IT's IT Policy Services group.
3) More Serious Actions:
Investigations that may lead to a long-term or permanent restriction of service or other penalty which significantly impacts a User's relationship with the campus must include discussions with the appropriate resource office, such as:
- Berkeley IT's IT Policy Services group;
- the Center for Student Conduct (formerly "Office of Student Judicial Affairs"); or
- the supervisor, departmental authority, Berkeley Campus Human Resource Office, or Academic Compliance Office (for employees).
Allegations regarding copyright and other areas of civil law such as trademark, defamation, libel, etc. must be referred to Berkeley IT's IT Policy Services group with whom campus legal advisors will coordinate appropriate responses.
Allegations of sexual harassment must be coordinated with the campus Title IX Office.
Alleged violations of criminal law must be coordinated with the UCPD. Contacts with outside law enforcement authorities, such as federal agencies, should be coordinated with the UCPD.
Improper activities by University employees (misuse of resources, such as fraud and other financial irregularities) should be referred to the Campus Internal Audit Department in accordance with the Whistleblower Policy and Providers should assist the auditors as needed. Providers must not conduct their own investigations of such situations independently.
Appeals:
Providers must inform Users what procedures are available to appeal decisions. Such procedures may be local or, if Providers do not have local provisions for appeals, existing procedures applying to the User's affiliation with the University may be used. Many of the affiliation documents with such available appeal procedures are listed in the "Selected Regulations" section of the Appendix to these Guidelines.
Confidentiality:
Disclosure of any information related to investigations of allegations of misuse must comply with applicable governing regulations, which may include but are not limited to: the Family Educational Rights and Privacy Act (FERPA), the Information Practices Act, the Public Records Act, the Campus Whistleblower Policy, and Personnel Policies, Contracts, and Administrative Manuals.
E. Access Warning Statements:
Computer system and service administrators may choose to display a "warning statement" at the points where individuals can gain access to a computer, service, or network. This would provide notification to both authorized and unauthorized entities of the conditions governing access to the resource. For sample language and additional information see "Access Warning Statements".
Footnotes:
(1) The verification mechanism for such agreement may be accomplished by signature on paper or by electronic means chosen by the Provider.
(2) See the UC ECP section III.C Allowable Users and III.D Allowable Uses, which describe university policy limitations on users, purpose, and non-competition with commercial providers.
Examples of categories which Providers may deem eligible for access to campus computing and network services include, but are not limited to: emeriti faculty; faculty at other University of California campuses; individuals in the Visiting Scholar Program, exchange students, or other participants in their educational programs; contractors, independent consultants or other qualifying individuals (for the sole purpose of conducting their business with the University); or groups as defined by the UC Policy on Support Groups, Campus Foundations, and Alumni Associations or by the "Berkeley Campus Guidelines on Student Group Email Accounts" (currently under review).
APPENDIX
A. RESOURCE OFFICES:
Misconduct:
- STUDENTS:
- the Center for Student Conduct
Phone: (510) 643-9069 or Email: studentconduct@berkeley.edu
- STAFF:
- the user's Department Human Resource Manager or the Berkeley Campus Personnel Office
Phone: (510) 642-7163
- FACULTY:
- the user's Department Chair or Unit Head, or the Office of the Executive Vice Chancellor and Provost
Phone: (510) 642-1961
Sexual Harassment:
Office for the Prevention of Harassment and Discrimination
Phone: (510) 643-7985 or Email: ask_ophd@berkeley.edu
Improper Activities (misuse of resources, such as fraud and other financial irregularities):
Internal Audit Department
Phone: (510) 642-8292
Criminal Activities:
Berkeley Campus Police
Phone: (510) 642-6760
(Any communications with outside law enforcement agencies should be coordinated with the UCPD.)
Use of University or Campus name or logos:
Office of Marketing & Business Outreach
Phone: (510) 642-9120
Financial conflict of interest:
Conflict of Interest Coordinator
Phone: (510) 642-6347
Coordination:
IT Policy Manager
Email: security-policy@berkeley.edu
B. SELECTED REGULATIONS AND PROCEDURES:
Regulations which may be relevant to administering the appropriate use of Berkeley Campus computing and network services include, but are not limited to the:
- University of California (UC) Electronic Communications Policy
- Berkeley Campus Implementation of the ECP
- Berkeley Campus Computer Use Policy
- Berkeley Campus Online Activities Policy
- Berkeley Campus Code of Student Conduct
- APM 015 The Faculty Code of Conduct
- Berkeley Campus & UC Personnel Policies, Contracts, and Administrative Manuals
- Berkeley Campus Guide to Managing Human Resources
- UC Faculty Handbook section regarding Grievances
- Berkeley Campus Policy on Sexual Harassment and Complaint Resolution Procedures
- Berkeley Campus Policy on the Use of the University's Name, Seals, and Trademarks
- UC Policy on Support Groups, Campus Foundations, and Alumni Associations
- Reporting Improper Governmental Activities and Protection Against Retaliation for Reporting Improper Activities (Whistleblowing Policy)
- Berkeley Campus Policy Governing Disclosure of Information From Student Records
- UC Business and Finance Bulletin RMP-8, Legal Requirements on Privacy of and Access to Information
- Threatening or Inappropriate Communications "reporting criteria" for referrals to the UCPD.
Also see the Campus IT Policies website.
C. DOCUMENT EXAMPLES:
The following may serve as a starting point for Providers to use in preparing or revising their local documents:
- Model Privileged Access Agreement
- Cornell University's Information Technology RIGHTS and RESPONSIBILITIES
D. EDUCATIONAL OPPORTUNITIES:
- Professional organizations and conferences (see Training: Other professional conferences)
- Email Essentials training video presented by Berkeley IT's policy staff
- Campus IT Security Training
- Computer Policy and Law annual seminar at Cornell University
- iNews IT Policy RSS news channel