Appropriate Use Policy for Information Technology
March 1, 2022

PURPOSE

This Appropriate Use Policy for Information Technology document (the “Policy” or “Document”) establishes general guidelines that apply to all users of Information Technology resources owned or managed by Pacific University (“Pacific,” “Pacific University,” or the “University”) , including but not limited to: Pacific students, faculty, staff, external individuals (such as Pacific contractors) or organizations and individuals accessing external network services, such as the Internet, via Pacific’s Information Technology facilities.

The policies described in this Document apply to all information technology owned or managed by Pacific University and represent the minimum appropriate use policies for information technology. Individual departments may have additional (and more restrictive) policies regarding information technology resources held in those departments. Users should contact the specific departments for questions about each department’s specific policies.

These policies and guidelines have been designed with three guiding principles in mind:

1. Academic Freedom: Pacific University endorses and honors the “1940 Statement of Principles and 1970 Interpretive Comments on Academic Freedom and Tenure.” Please see chapter 4.1 of the University Handbook for more details.
2. Equity, Diversity and Inclusion: All information technology policies and practices are reviewed to ensure that they provide equitable treatment for all members of the Pacific community, promote diversity, and give access to technology resources to all, regardless of factors such as disabilities, home or work location, and level of technological skills. For more information see Equity, Diversity and Inclusion at Pacific.
3. Primary and Secondary Use: IT R esources are provided to support and enhance the mission of Pacific University. Pacific University encourages the use of information technology resources for this primary activity and supports such activity to the extent that resources permit. Other activities are considered to be secondary. As such they are not necessarily prohibited or even discouraged. However, should such secondary activities in any way interfere with primary activities, they may be terminated or limited, whether or not such activities are explicitly detailed in the information technology policy statements.

Examples of primary uses: a) Communication with others in support of teaching, scholarly, service, and administrative activities (professional email and associated applications, web page management, social networking applications, etc.) b) Completion of coursework and course management activities c) Preparation of academic papers and projects and conducting scholarly activities

Examples of secondary uses: a) Non-academic activities such as personal electronic mail (email) and online entertainment media b) Online gaming (including game consoles such as Microsoft® Xbox, Playstation®, etc)

POLICY

Individual Rights

Pacific University respects and promotes individual rights to privacy, equitable and fair access to resources, inclusion, intellectual property, real property, and civil rights. Activities which threaten these rights are prohibited and may be terminated, whether or not such activities are explicitly detailed in the information technology policy statements.

Information Technology Resources at Pacific University

Information Technology at Pacific University encompasses the use of all campus computing, telecommunications, document services, educational media, audiovisual technology, cloud services where University Information Services (“UIS”) controls or pays for access and management information systems technologies (the “IT Resources”). These IT Resources support the instructional, research, and administrative activities of the university. Examples of these IT Resources include, but are not limited to, the central administrative, academic and library computing facilities; the campus-wide data, video and voice networks; electronic mail; access to the Internet; voice mail; the university switchboard; fax machines; photocopiers; classroom audio-video; departmental and general use computing facilities and related services.

Appropriate Use of IT Resources

Pacific University campus computing facilities and network are provided as a service to students, faculty, staff, administration, and other members of the University community to support the mission of the University. The University strives to provide fair and equitable access to computing and network facilities for a large number of users. Proper use follows the same standards of common sense, courtesy, and restraint in the consumption of shared resources that govern the use of other campus facilities. Improper use violates those standards by preventing others from accessing shared facilities.

Guidelines for Appropriate Pacific IT Use

The following list, while not exhaustive, provides some specific guidelines for appropriate use of IT Resources:

1. Authorization: Use only the Information Technology facilities for which you have specific authorization. Do not use another individual’s PUNet ID or account, or attempt to capture other users’ passwords. Users are individually responsible for all use of resources assigned to them; therefore, sharing of PUNet accounts is prohibited.
2. Facilities: Observe established guidelines for any information technology facilities used both inside and outside the university. For example, individuals using Pacific’s labs must adhere to the policies established for those centers; individuals accessing off-campus computers via external networks must abide by the policies established by the owners of those systems as well as policies governing use of those networks.
3. Alter, Delete or Destroy: Do not attempt to inappropriately alter, delete or destroy any hardware or software on any Pacific IT Resource or any other system without permission of the system’s owner or administrator. This constitutes a violation of appropriate use of IT Resources and facilities no matter how weak the protection is on those products.
4. Plagiarism: Violations of authorial integrity, including plagiarism, invasion of privacy, unauthorized access and trade secret and copyright violations, may be grounds for sanctions against members of the academic community.
5. Illegal Downloading: The official Pacific University position on peer-to-peer (P2P) file sharing utilities (e.g., Ares, BitTorrent, Transmission, uTorrent, etc.) is that the software itself is not illegal, nor banned by Pacific University. It is illegal, however, to download or share copyrighted material for which you do not hold the copyright. While Pacific University does not routinely track the downloading of files, in the event the university receives notification of illegal downloading activity, appropriate investigation and disciplinary action to address the violator will be taken. See the University’s statement on copyright f or full details. Members of the Pacific community are encouraged to take advantage of the legitimate sources of digital content found on the EDUCAUSE web site.
6. Appropriate Standards: Use appropriate standards of civility and common sense when using IT systems to communicate with other individuals. Transmission and storage of confidential and protected data should use methods that are considered secure enough for that type of data (see the File Storage Options on the Helpdesk Knowledgebase, helpdesk.pacificu.edu, for more information). Intentionally misrepresenting yourself while using IT Resources and other systems, on any site that requires you to use your true identity, is prohibited. Using Pacific’s IT Resources to harass, threaten, slur, embarrass, libel, or demean other individuals is explicitly prohibited.
7. Volume Usage: Moderate your use of shared IT Resources. Pacific University has a large and growing body of faculty, staff, students, and alumni, all of whom need access to IT Resources. There may be times when these resources are in high demand, and as such, you should limit use of public IT Resources to primary purposes only.
8. Electronic Image Usage: Faculty, staff and students must obtain written consent for the right to reproduce, use, exhibit, display, broadcast, distribute and/or create derivative works of University- related photographs or other recorded images of individuals for use in connection with the activities of the University or for promoting, publicizing or explaining the University or its activities. In addition, the publication and dissemination of images and photographs of Pacific University students through Pacific’s IT equipment and resources must comply with the Family Educational Rights and Privacy Act (FERPA). See FERPA Privacy Guidelines.

Pacific University reserves the right to use any photographs or other recorded images of public events on or off campus for publication and promotional purposes. This grant includes, without limitation, the right to publish such images in the University’s student newspaper, alumni magazine, on the University’s Web site, and public relations/promotional materials, such as marketing and admissions publication. These images may appear in any of the wide variety of formats and media now available to the University and that may be available in the future, including but not limited to print, broadcast, and electronic/online media.

Students and employees may opt-out of some uses of their image or recording via the Image Use Opt-Out Form (go to our Services Portal, services.pacificu.edu, and search for “image use opt-out”). The opt-out applies to uses where the student or employee is the primary subject of a photograph or where their name is linked to the photograph, and not to situations where the student or employee appears in the background or as part of a crowd. The University will make reasonable efforts to avoid applicable use of images of students and employees who have opted out, but the University cannot guarantee that their image will not be used. An opt-out may be superseded by subsequent agreements or notifications. Individuals involved in promotion at Pacific University should follow University Advancement’s Best Practices for Equity, Diversity & Inclusion in Marketing when recording or using images of students, employees or community members.

Users’ Rights

1. Access to Information Technology (IT) Resources

Central IT Resources

Undergraduate and graduate students, faculty, administrators, and staff may obtain IDs for use with the central IT activities related to instruction, research or university administration.

In the event that any faculty, administrator or staff person leaves, resigns or in any way concludes his or her relationship with Pacific University for whatever reason:

1. Access to all IT Resources, including, without limitation, voice mail and email services, will be terminated within 45 days or immediately (if requested by the appropriate parties).
2. All electronic storage will be deleted when access is removed.

Graduates and previous students (including, without limitation, those students not graduating from Pacific University) are entitled to access to the systems necessary to view their academic records and request transcripts. Graduates who maintain their accounts and remain in good standing with the University are also granted the ability to retain a Pacific email address. Access to all other IT Resources, such as library databases, ends upon graduation or other events that end a user’s time with the University, as determined by the University in its sole discretion.

All persons who have attended classes at Pacific University, and for whom electronic records of their classes have been kept, are entitled to access to the systems necessary to view their academic records and request transcripts. Graduates are extended the privilege of keeping their email accounts, but all other IT Resources are revoked after graduation. For persons no longer attending classes at the University nor employed by the University, access to IT Resources can be revoked at any time, as determined by the University in its sole discretion and without prior notice.

Other IT Resources

Most of Pacific’s IT facilities and services—such as the computer-equipped classrooms, video conferencing rooms, consulting services, voice mail, and training—are available only to members of the University community and authorized guests. UIS is responsible for planning and budgeting for central IT services. For more detailed information about access to any facility or service, visit the UIS home page.

Departmental IT Resources

For information concerning access to departmental information technology resources, contact your department chair.

Remote Access to IT Resources

Secure access to University information from off-campus locations using Virtual Private Network (VPN) connections to the Pacific University internal network are allowed when browser-based access is not available. For more detailed information about VPN Policy and access, see our VPN Remote Access service catalog entry.

Residence Hall IT Resources

For many undergraduate students, campus residence halls represent their primary living quarters during part or all of their time at Pacific University. While it is important to address recreational needs of Internet usage, such as online computer gaming, networked game consoles, streaming entertainment content, and other social activities, these are secondary to the academic needs of the University. UIS will work to maintain these resources to the best of its ability; however academic needs, including bandwidth usage, will take priority. UIS may limit, curtail, or end access for these secondary purposes in its sole discretion. For questions, please contact the Technology Helpdesk or Student Life.

2. Data Security and Integrity

UIS-Maintained Equipment

UIS provides reasonable security against intrusion and damage to files stored on central IT facilities, but the IT Resources are provided on an “as is” basis with no warranty or representation of any kind, including for protection of your computer, data, or other information or property. Neither the University nor any IT staff member can guarantee protection against media failure, fire, floods, etc. Neither can UIS guarantee protection from unauthorized access of personal data on University IT Resources or facilities. Users are solely responsible to and should use all available methods to protect their files and property, including following best practices for passwords and storing back-up copies of information by appropriately secure backup methods. In the event that data has been corrupted, UIS should be notified immediately. UIS may make reasonable attempts to restore files to their status prior to corruption; however, UIS cannot guarantee restoration.

Department IT Equipment

Although UIS provides consultation and assistance when requested, departments are responsible for the security and reliability of those information technology resources maintained by those departments. UIS cannot guarantee that these resources meet UIS standards for reliability, security or restorability of lost/corrupted data. Departments are responsible to implement all University information security and privacy policies in the purchase and operation of department-funded technology equipment.

University Bandwidth Management

University Information Services reserves the right to manage the University’s voice, data and video bandwidth allocation as they see fit. Criteria for bandwidth management involves the integrity and robustness of University-owned equipment, data, and services, equitable access to bandwidth, as well as the appropriateness of bandwidth use when compared to the University’s academic goals, administrative missions, and appropriate use policy for information technology.

3. Privacy

Access by IT Staff on Behalf of the University

This Policy (including Appendix A) sets out the privacy policy for users of the IT Resources. UIS staff do not have the ability to see user’s passwords, and university employees and students should not give their passwords to anyone else, including UIS staff. See the Pacific University Password Policy for more. If at any point UIS staff do come into possession of a user’s password, they are required to arrange for the user to change that password as soon as possible.

*Appendix A describes in further detail privacy provisions and limitations regarding use of and access to the IT Resources.

Access by Administrators of Departmental IT Systems

Individual departments may have guidelines consistent with University policies and federal law that deal with access issues of that department’s information technology resources. This Document does not govern such department’s resources.

Incidental Access

Private data may also be seen unintentionally by UIS staff in the course of their normal duties, such as transferring data from one computer to another, or maintaining university mailboxes. Private data may also be seen if it is accidentally misaddressed or shared with the wrong people. In those cases where UIS staff do see private data, they are required to keep it confidential, except where such data gives reasonable belief that there may be a violation of University policy, a violation of state or federal laws, or an ongoing threat to the safety of an individual.

Please note that unencrypted email is not considered a secure communication method, and UIS does not suggest highly sensitive or confidential information be sent via unencrypted email. See our article on File Storage Options for more information.

4. Removal of Access to Protect Shared Resources

Any time UIS has a reasonable belief that a user’s device or account is the source of an ongoing threat to the shared IT Resources or security of the University, UIS can remove access of that account or device to those shared resources. This may mean disconnecting a device from the network, powering down a device, or temporarily locking access to an account and requiring a password change for that account.

Examples of situations where this may be necessary include: network switches that are causing problems on the university network, mail accounts that have been compromised and are sending spam messages and devices that are creating a denial of service against a University IT Resource.

5. Ownership of Intellectual Property for Materials Developed with Pacific’s Resources

Pacific University has established guidelines related to ownership of copyright property. Reference the Intellectual Property Policy for more information.

6. Responsibility for Errors in Software, Hardware, and Consulting

UIS, in conjunction with department points of contact, makes its best effort to maintain an error-free IT environment for users and to ensure that the IT staff is properly trained. Nevertheless, it is impossible to ensure that IT system errors will not occur or that IT staff will always give correct advice. Pacific University presents no warranty, either expressly stated or implied, for the services provided or to provide notice of potential errors. Damages resulting directly and indirectly from the use of IT Resources are the sole responsibility of the user. When errors are determined to have occurred on IT Resources, members of the IT staff may make a reasonable attempt to restore lost information to its state prior to the failure, at no cost to the user. As part of maintaining the IT environment, the IT staff applies vendor-supplied or locally developed fixes as appropriate when problems are identified. Given that vendors may be involved and that staff resources are finite, no guarantee can be made as to how long it may take to fix an error once it has been identified.

7. Changes in the Pacific IT Environment

When significant changes in hardware, software or procedures are planned, UIS will notify the affected departments/business units. For more information on change communication, see the article on UIS Mass Communications.

EXCEPTIONS

Requests for exceptions from any of the requirements of this Policy will be submitted via the Pacific University Services Portal f or tracking and must be approved by the Chief Information Officer prior to taking actions that are not allowed under this Policy.

ENFORCEMENT

Material violations of the Appropriate Use Policy for Information Technology including, but not limited to violations of the Appropriate Standards provided in this Policy, will subject faculty, staff and students to disciplinary action which, in addition to termination of access to IT Resources, could lead to dismissal or termination of employment.

REFERENCES

• Faculty and Governance Handbook Chapter 4;
• Student Code of Conduct;
• Staff Code of Conduct, Confidentiality of Records Agreement & Acknowledgment of Pacific University Policies and Procedures;
• Staff Handbook Section A.

CHANGES TO THE POLICY

UIS may update this Policy from time to time. If we make changes, users will be asked to agree to the new policy upon their next login to a Pacific University Single Sign On system or such other resource available to users as UIS deems appropriate, and the new version will be effective upon posting. The dates of revision are provided below, and users are responsible for reviewing this Policy in its current form for use of the IT Resources and acknowledge the current Policy by using the IT Resources.

REVISION HISTORY

Original policy created 3/4/ Revision Approved: 11/17/2011 by University Technology Committee Revision Approved: 02/25/2016 by University Technology Committee Revision Approved: 4/1/21 by University Technology Committee Revision Approved: 3/15/21 by Policy Review Team Reviewed: 11/20/21 by Human Resources and Legal Affairs Reviewed: 1/27/22 by Faculty Senate Revision Approved 3/1/2022 by President’s Cabinet

APPENDIX – PRIVACY EXPANDED

Any capitalized terms herein share the definition provided in the Acceptable Use Policy for Information Technology unless otherwise defined herein

PRIVATE DATA

The following data, although it may reside on university-maintained IT Resources, is considered private to a user:

• The content of emails sent to or from a user’s Pacific email account. This does not include the subject lines, from addresses, to addresses and dates send of emails (the “Address Data”), which are used to track and respond to phishing attacks and other cyberattacks and security threats. Please note that Pacific reserves the right to access, monitor, intercept, review, and disclose, without further notice, the Address Data using Pacific’s IT Resources and communications systems for these security-related purposes, and you consent to such monitoring by your use of such resources and systems.
• Files stored under a user’s personal (PUNet ID and password) login, in folders such as “Desktop” and “Documents” that are generally unavailable to other users, on a Pacific owned computer.
• Files stored on a Pacific-owned tablet (e.g. iPad) that is used solely by that user (not shared amongst multiple users).
• Files stored in cloud storage (e.g. Box, Google Drive) or under network file storage in an area under the sole control of that user or shared privately between colleagues. This does not include shared departmental folders administered by and maintained for use by an organizational unit within the university.
• Files stored in Pacific-owned storage devices, such as portable hard drives or thumb drives, under the sole control of that user.
• Details of a user’s activity on their computer or tablet (e.g. websites visited, keystrokes made). General usage data such as logins and programs installed or used on University owned devices is not considered private data.

PROTECTION OF PRIVATE DATA

Where data is considered private to a user, UIS staff will not access, monitor, intercept, review, or disclose it, or allow others to do so, except in the following circumstances to which you consent by your use of Pacific’s IT Resources and communications systems:

• At the request of, and with the ongoing consent of, the user whose private data it is (typically for purposes of providing technical assistance).
• To fulfill the purpose for which the user provided the data.
• To provide to contractors, service providers, and other third parties we use to support our IT Resources and communications systems and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them. These contracts include Business Associates Agreements that prevent the use or sale of Pacific University user data for marketing purposes.
• Through incidental access, as described in the Policy.
• At the request of the Office of Legal Affairs in order to provide them with data for use in a current or potential legal investigation, lawsuit or trial.
• At the request of the Office of Legal Affairs in order to comply with a valid warrant, subpoena, DMCA takedown notice or discovery request by a government agency or other party.
• At the request of CPS in matters where the safety of a user or member of the community is at stake.
• During an investigation of possible misconduct (including violation of university policies or state or federal laws), data may be subject to discovery in accordance with university processes and procedures at the request of Human Resources (for employees) or the Student Conduct Office (for students) within the scope of the investigation.
• Where an employee is unavailable and access to the data is needed for the ongoing business operations of the university.
• At the request of UIS information security staff, where such access is deemed necessary to stop an ongoing cyberattack against the university.
• To comply with any court order, law, or legal process,
• Where disclosure is necessary or appropriate to protect the rights, property, or safety of Pacific, its community or others.
• To enforce Pacific’s rights arising from any contracts entered into between the user and Pacific.

There is no assumption that UIS will have access to private data on any user’s personally owned devices.

All access to a user’s private data that does not have the user’s express consent will only be made with the approval of the Chief Information Officer (CIO) for the university, or, if the CIO is not available, his or her designee.

When a user’s private data is accessed without a user’s express consent, UIS will make every attempt to contact the user before the data is accessed, and if failing to do so UIS will try to contact the user after the data is accessed. This notification will include: the data that was/will be accessed, when the access did/will take place, who requested it and the reason given. The university Privacy Officer and Chief Information Security Officer will also receive copies of these notifications. An exception of the notification to the user may be made if an appropriate party tells UIS that notification to the user may create a hazard to the safety of individuals or members of the community or otherwise jeopardize the purpose of such access, monitor, intercept, review, and disclosure (for example, a legal or criminal investigation).

Whenever private data is accessed as described above, to be passed on to third parties, UIS will make every attempt to ensure that only the data needed for the requested purpose is transferred. The only exception is where complete copies are requested to be reviewed later by experts, e.g. a complete copy of a hard drive image for possible review in the future by a computer forensics firm.

UIS will not allow any party access to make actions in a user’s account that impersonate that user, e.g. to send an email from a user’s account as that user.

Information obtained in the manner described above is admissible in legal proceedings or in a University hearing.

NON-PRIVATE DATA

UIS may access, monitor, intercept, review, and disclose non-private data without restriction, and this expressly includes aggregated information about IT Resources users and information that does not specifically identify any individual or device.