
IT Usage Regulations of the University of Münster of 2 September 2024


In accordance with §§ 2 (4) and 22 (1) sentence 1 no. 3 of the Higher Education Act of the Federal State of North Rhine-Westphalia (Higher Education Act – HG) in the version published on 16 September 2014 (GV. NRW p. 547), last amended by the Act of 5 December 2023 (GV. NRW p. 1278), the University of Münster has issued the following regulations.

Preamble

The purpose of these usage regulations is to establish general rules which apply to the usage of all IT infrastructures and services of the University of Münster. The rules specified below ensure that these resources can be used safely and without disruption. On the basis of proper operation of central IT infrastructures and services, the following regulations serve to guarantee their unimpeded use based on the relationship between the IT operators of the University of Münster and authorised users.

§1 Definition of Terminology

  1. Authentication refers to the clear verification of a user’s claimed identity. Identity verification is largely carried out across source systems (i.e. single sign-on). Authentication features include user IDs with passwords, private digital keys, private certificates and biometric identifiers.
  2. Authorisation refers to the verification of access rights to services and data.
  3. The Chief Information Officer (CIO) is the person appointed by the Rectorate to oversee control, coordination of existing IT processes, and the integration and implementation of new information processing systems and media.
  4. A third party is any natural or legal person who is not among the authorised users under § 3.
  5. IT operators are the organisational units commissioned by the Rectorate and the faculties to provide IT services at the University of Münster.
  6. IT infrastructures comprise all systems (hardware and software) used for electronic data processing.

§2 Scope

  1. These regulations apply to the use of all IT infrastructures and services of the University of Münster that fall under the responsibility of the IT operators.
  2. To ensure proper operation, the heads of the respective IT operators may establish specific rules and guidelines for individual services within their area of responsibility. These are published on the websites of the respective IT operators. Such specific rules apply in addition to these usage regulations. In the event of a conflict, these usage regulations take precedence over the subsequently issued specific rules and services.

§3 User Authorisation and Approval

  1. All members and affiliates of the University of Münster, as defined in § 9 of the Higher Education Act of North Rhine-Westphalia (HG NRW), are authorised to use the IT infrastructures and services.
    The following persons may also be authorised by decision of the Rectorate:
    1. employees of Münster University Hospital working at Faculty of Medicine institutions or involved in university research and/or teaching,
    2. members and affiliates of other universities in NRW or outside NRW with contractual agreements,
    3. members and affiliates of cooperation partners and internationally affiliated institutions, such as partner universities,
    4. external staff in University of Münster-affiliated research alliances, as well as participants of special degree programmes or continuing education or professional training seminars,
    5. external service providers in the scope of their assigned tasks.
    6. Other individuals may be authorised by the CIO in justified cases.
  2. The purpose of the authorisation to use the IT infrastructure and services of the University of Münster is the performance of tasks in scientific research, teaching and studies, the ULB, university administration, for training and further education as well as for the fulfilment of other tasks of the University of Münster. Minor use deviating from this is permitted provided it does not impair or conflict with the following, does not significantly impede their implementation and has not been explicitly prohibited:
    1. the intended purpose of the systems and services
    2. the interests of other users
    3. the security of the IT system or individual components of the IT system
    4. the application and implementation of regulations and measures in the context of information security and data protection
  3. For systems with restricted access, authorisation to use the respective University of Münster IT infrastructure and services is granted by issuing a clearly defined form of user identification. Some parts of the IT infrastructure and services are accessible to groups of persons specified in paragraph 1 without authentication.
  4. The IT operators employ automated authentication systems for the purpose of managing and organising access rights for University of Münster members and other authorised users as put forth in § 3.
  5. Usage permission is limited to the purposes stated in § 3 paragraph 2 and can be restricted in terms of duration and scope. To ensure proper and disruption-free operation, the IT operators may restrict usage permission, e.g. by limiting available resources or issuing other conditions and requirements.
  6. The IT operators have the right to partially or entirely deny, revoke or subsequently restrict usage permission, especially in the following cases:
    1. The user has not properly registered for services which are accessible via registration only, or the information provided therein is not or no longer applicable.
    2. The prerequisites put forth in paragraph 1 on user authorisation do not or no longer exist.
    3. The user has failed to meet the conditions and requirements put forth in paragraph 5.
    4. The user is denied access to the IT systems and services in accordance with § 5 of these usage regulations.
    5. The user’s planned action conflicts with the purposes put forth in § 3 paragraph 2.
    6. The existing IT infrastructures and services are not suited to the request for usage or cannot be provided for the required period of usage.
    7. The available resources are insufficient for the planned usage due to existing capacity.
    8. Usage would inappropriately endanger the security of the University of Münster IT systems or that of third parties.
    9. Usage could potentially and inappropriately impede the usage of other authorised actions.
    10. The user group must be restricted due to contractual obligations.
    11. Usage would require a disproportionately large amount of effort for the IT operators.
    12. Usage would affect the legal or contractual obligations of the University of Münster or the IT operators.
    13. Usage by certain individuals is prohibited due to foreign trade law (e.g. embargo).
    14. The user fails to meet obligations regarding information security and data protection.

§4 Rights and Obligations of the User

  1. Authorised users have the right to use the IT infrastructures and services within the scope of approval and in accordance with these usage regulations.
  2. Users are obliged to:
    1. comply with the provisions of the usage regulations and observe the terms of usage permission, particularly the purposes of usage as put forth in § 3 paragraph 2.
    2. refrain from engaging in activities which disrupt the proper operation of IT infrastructures and services provided by the IT operators.
    3. handle all data processing systems, IT and communication devices and other equipment of the IT operators with care.
    4. only employ the authentication features for which the user was originally granted approval.
    5. never share authentication features with others, ensure that no other persons gain access to these authentication features, and take precautions to ensure that unauthorised parties are refused access to the University of Münster IT infrastructures and services.
    6. notify the IT operators if one should learn that his/her authentication features are being improperly used by third parties.
    7. neither attempt to obtain nor use another’s authentication features.
    8. neither access other users’ personal information, nor share other users’ known information with third parties without express permission, nor alter or use such information as one’s own.
    9. comply with the legal requirements when using software, documentation and other data, in particular with regard to copyright protection, and observe the license conditions under which software, documentation and data are made available by the University of Münster.
    10. in particular when using AI software developed or provided by the University of Münster, refrain from intentionally generating or disseminating discriminatory, inflammatory, fraudulent or pornographic content and content that promotes, glorifies or threatens violence.
    11. protect the national and international copyright, trademark, patent, name and labeling rights as well as other industrial property rights and personal rights of third parties when using the services.
    12. refrain from retrieving, offering, uploading or distributing illegal content, in particular content that violates criminal law, data protection law, personal rights, licensing law or copyright law.
    13. not copy the software provided by the University of Münster or the software used to operate the services, their documentation and data, nor pass them on to third parties, unless this is expressly permitted, nor use them for purposes other than those permitted.
    14. follow the instructions issued by the staff in the rooms of the IT operators.
    15. present proof of usage authorisation upon request.
    16. promptly notify the IT operators in case of disruption of, damage to and errors within the IT infrastructures and services.
    17. make no changes to the hardware and software installations, operating system configurations, system files, system-relevant user files or the network without the permission of the responsible IT operator.
    18. comply with the statutory and internal regulations of the University of Münster with regard to data protection, observe any special regulations for the protection of patient data and take appropriate data protection and data security precautions.
    19. observe the IT-relevant security guidelines and recommendations of the University of Münster (in particular as part of the onboarding process of the University of Münster) on information security and take advantage of recurring training opportunities.
    20. immediately report IT security incidents and the compromising of access data and methods and undergo further training in IT use within the framework of the regulations.

§5 Restriction and Exclusion

  1. Users may be temporarily or permanently restricted or excluded from using the IT infrastructures and services if:
    1. they deliberately violate the provisions of these usage regulations, especially their obligations listed in § 4, or
    2. they abuse the central IT infrastructures and services of the University of Münster for illegal activities, or
    3. the University of Münster stands to suffer disadvantages on account of illegal user behaviour or could suffer damage to its reputation or other interests worthy of protection.
  2. Measures resulting in restriction or exclusion are to be taken in consultation with the CIO and should take effect only after a warning has been issued and goes unheeded. In the case of an imminent threat, the responsible IT operator is permitted to implement pre-emptive measures.
  3. The user in question is to be given the opportunity to respond to the accusations unless specific circumstances make this impractical, e.g. in the case of an imminent threat.
  4. Upon the user’s request, which must be submitted within three months following exclusion, the IT operators must decide on whether and to what extent to safeguard the user’s data.
  5. Temporary restriction of usage, which is determined and enforced by the respective IT operator, must be lifted as soon as compliance with the rules has been re-established.
  6. Permanent restriction of usage or indefinite exclusion of a user is permitted in cases of severe or repeated violations as defined in § 5 (1). In this case, the University’s Head of Administration decides on the punitive measure at the request of the head of the IT operator. Potential claims of the University of Münster resulting from the user relationship remain herewith unaffected.

§6 Conclusion of the User Relationship

  1. The permission of usage concludes irrespective of the provisions in § 5 with the loss of status or if the reasons for which permission was granted cease to exist. Loss of status or cessation of reasons, as indicated in sentence 1, occur upon:
    1. de-registration from individual services provided by the IT operators
    2. termination of membership with the University of Münster (e.g. upon graduation) or termination of one’s employment contract with the University of Münster
    3. removal from the student registry (de-registration)
    4. expiration of the usage authorisation period
    5. death of the user
    6. permanent exclusion from IT services in accordance with § 5 paragraph 6.
  2. The IT operators can delete the user’s data three months after conclusion of the user relationship if deletion is not otherwise prohibited by statutory provisions. Following the conclusion of the user relationship, the user’s civil service and employment-related obligations with regard to data transfer and backup, as well as the provisions of the “Research Data Management Policy of the University of Münster” of 14 June 2016 remain hereby unaffected.

§7 Rights and Obligations of the IT Operators

  1. The obligations, tasks and working methods of the IT operators are described in the current version of the IT Strategy of the University of Münster.
  2. The IT operators are responsible for maintaining and managing data related to user identifications and authorisations. They are also required to keep a register of all processing activities.
  3. The IT operators are permitted to temporarily restrict usage of their resources or block individual login IDs or services, or deny access to the IT infrastructures and services if such actions are necessary for purposes of trouble-shooting, system administration and expansion, system security or user data protection. If possible and permissible, the affected users and management staff should be notified in advance of such measures.
  4. If there are credible indications that a user has stored illegal content for usage on the IT systems of the University of Münster, the IT operators – if legally required, reasonable and realistically feasible – can deny the user usage of the system until the legal situation is sufficiently clarified.
  5. The IT operators are permitted in accordance with statutory provisions to document and analyse the usage of the IT infrastructures and services by individual users, especially if required:
    1. to guarantee proper system operation
    2. for resource planning and system administration
    3. to protect the personal data of other users
    4. for accounting purposes
    5. for recognising and eliminating malfunctions
    6. for the detection and prevention of threats to information security
    7. to investigate and prohibit illegal or improper usage
  6. In accordance with statutory provisions, the IT operators are obliged to maintain telecommunication and data secrecy and to comply with the relevant data protection regulations, in particular the GDPR and the Data Protection Act of North Rhine-Westphalia.

§8 Coming into Force

These regulations (in their original German version) enter into force on the day following their publication in the Official Announcements of the University of Münster. The IT Usage Regulations of 31 January 2020 simultaneously cease to be in effect.