IT Usage Regulations of the University of Münster of 31 January 2020
Preamble
In accordance with § 2 (4) and § 29 (2) of the Higher Education Act of the Federal State of North Rhine-Westphalia (HG NRW) in the version issued on 16 September 2014 (GV. NRW p. 547) and most recently amended by Art. 1 of the Amendment of the Higher Education Act of 17 July 2019 (GV.NRW. p. 425, corr. p. 593), the University of Münster has issued the following regulations.
The purpose of these usage regulations is to establish general rules which apply to the usage of all IT infrastructures and services of the University of Münster. The rules specified below ensure that these resources can be used safely and without disruption. On the basis of proper operation of central IT infrastructures and services, the following regulations serve to guarantee their unimpeded use based on the relationship between the IT operators of the University of Münster and authorised users.
§1 Definition of Terminology
- Authentication is the clear evidence of the user’s asserted identity. The process for determining the user’s identity is usually conducted for the source system in a comprehensive manner, i.e. in the sense of a single sign-on. Authentication features include login identifications with passwords, private digital keys, private certificates and biometric features.
- Authorisation refers to the verification of access rights to services and data.
- The Chief Information Officer (CIO) is the representative appointed by the Rectorate who is responsible for IT monitoring, coordinating existing IT processing, and integrating and implementing new IT processing systems and media.
- A third party is any natural person or legal entity who/which does not hold usage authorisation in accordance with § 3.
- IT operators are commissioned by the Rectorate and the faculties to provide IT services to the organisational units of the University of Münster.
- IT infrastructures are all systems (hardware and software) which are required for electronic data processing.
§2 Scope
- These usage regulations apply to all University of Münster infrastructures and services which fall under the scope of responsibility of the IT operators.
- In order to ensure proper operation, the heads of the respective IT operators may issue further rules and guidelines of usage for individual services within their scope of responsibility. These rules are to be posted on the corresponding websites of the IT operators and apply in addition to the general usage regulations. In the case of contradictory provisions between specific rules and services as put forth in § 2 (2) sentence 1 and these usage regulations, the usage regulations are given precedence over subsequently issued specific rules and services.
§3 User Authorisation and Approval
- All members of the WWU, as defined by § 9 of the NRW Higher Education Act (HG NRW), are permitted to use the central IT infrastructures and services. Furthermore, the following individuals may be granted usage authorisation by resolution of the Rectorate:
  - employees of the University Hospital Münster (UKM) who work at facilities of the Faculty of Medicine of the University of Münster or conduct university research and/or provide instruction
  - members of other universities of the state of North Rhine-Westphalia (NRW), as well as universities outside NRW which have concluded corresponding agreements
  - members of cooperation partners and other international institutions affiliated with the University of Münster, e.g. partner universities
  - external staff in University of Münster-affiliated research alliances, as well as participants of special degree programmes or continuing education or professional training seminars
  - other persons in justified cases who are granted authorisation by the CIO of the University of Münster
- The purpose of granting authorisation to use the University of Münster IT infrastructures and services is to facilitate the execution of tasks in academic research, teaching and study, and to enable the University Library (ULB), the University administration, and continuing education and professional training programmes to carry out their respective tasks. Other uses which minimally deviate from the above are permitted, provided these do not adversely impact the purpose of the IT systems and services or the interests of the other users, and are not otherwise explicitly prohibited.
- For systems with restricted access, authorisation to use the respective University of Münster IT infrastructure and services is granted by issuing a clearly defined form of user identification. Some parts of the IT infrastructure and services are accessible to groups of persons specified in § 3 (1) without authentication.
- The IT operators employ automated authentication systems for the purpose of managing and organising access rights for University of Münster members and other authorised users as put forth in § 3.
- Usage permission is limited to the purposes stated in § 3 (2) and can be restricted in terms of duration and scope. To ensure proper and disruption-free operation, the IT operators may restrict usage permission, e.g. by limiting available resources or issuing other conditions and requirements.
- The IT operators have the right to partially or entirely deny, revoke or subsequently restrict usage permission, especially in the following cases:
  - The user has not properly registered for services which are accessible via registration only, or the information provided therein is not or no longer applicable.
  - The prerequisites put forth in § 3 (1) on user authorisation do not or no longer exist.
  - The user has failed to meet the conditions and requirements put forth in § 3 (5).
  - The user is denied access to the IT systems and services in accordance with § 5 of these usage regulations.
  - The user’s planned action conflicts with the purposes put forth in § 3 (2).
  - The existing IT infrastructures and services are not suited to the request for usage or cannot be provided for the required period of usage.
  - The available resources are insufficient for the planned usage due to existing capacity.
  - Usage would inappropriately endanger the security of the University of Münster IT systems or that of third parties.
  - Usage could potentially and inappropriately impede the usage of other authorised actions.
  - The user group must be restricted due to contractual obligations.
  - Usage would require a disproportionately large amount of effort for the IT operators.
  - Usage would affect the legal or contractual obligations of the University of Münster or the IT operators.
  - Usage by certain individuals is prohibited due to foreign trade law (e.g. embargo).
§4 Rights and Obligations of the User
- Authorised users have the right to use the IT infrastructures and services within the scope of approval and in accordance with these usage regulations.
- Users are obliged to:
  - comply with the provisions of the usage regulations and observe the terms of usage permission, particularly the purposes of usage as put forth in § 3 (2).
  - refrain from engaging in activities which disrupt the proper operation of IT infrastructures and services provided by the IT operators.
  - handle all data processing systems, IT and communication devices and other equipment of the IT operators with care.
  - only employ the authentication features for which the user was originally granted approval.
  - never share authentication features with others, ensure that no other persons gain access to these authentication features, and take precautions to ensure that unauthorised parties are refused access to the University of Münster IT infrastructures and services.
  - notify the IT operators if they learn that their authentication features are being improperly used by third parties.
  - neither attempt to obtain nor use another’s authentication features.
  - neither access other users’ personal information, nor share other users’ known information with third parties without express permission, nor alter or use such information as one’s own.
  - comply with all legal regulations when using software, documentation and other data, especially copyrights, licensing terms and conditions attached to software, documentation and data provided for use by the University of Münster.
  - when using IT services, respect national and international copyrights, trademarks, patent rights, name rights and labelling rights, as well as other commercial property rights and third-party rights.
  - refrain from accessing, offering, uploading or disseminating illegal content, especially that which violates criminal, data protection, personal, licensing or copyright laws.
  - when using software provided by the University of Münster or software required for the provision of IT services, neither copy the software documentation and data nor share it with third parties if explicitly prohibited, nor use it for purposes other than those intended.
  - follow the instructions issued by the staff in the rooms of the IT operators.
  - present proof of usage authorisation upon request.
  - promptly notify the IT operators in case of disruption of, damage to and errors within the IT infrastructures and services.
  - make no changes to the hardware and software installations, operating system configurations, system files, system-relevant user files or the network without the permission of the responsible IT operator.
  - comply with the legal and WWU-specific data protection regulations and take steps to ensure data protection and data security.
  - observe the IT-relevant security guidelines and recommendations of the University of Münster.
§5 Restriction and Exclusion
- Users may be temporarily or permanently restricted or excluded from using the central IT infrastructures and services if:
  - they deliberately violate the provisions of these usage regulations, especially their obligations listed in § 4, or
  - they abuse the central IT infrastructures and services of the University of Münster for illegal activities, or
  - the University of Münster stands to suffer disadvantages on account of illegal user behaviour or could suffer damage to its reputation or other interests worthy of protection.
- Measures resulting in restriction or exclusion are to be taken in consultation with the CIO and should take effect only after a warning has been issued and has gone unheeded. In the case of an imminent threat, the responsible IT operator is permitted to implement pre-emptive measures.
- The user in question is to be given the opportunity to respond to the accusations unless specific circumstances make this impractical, e.g. in the case of an imminent threat.
- Upon the user’s request, which must be submitted within three months following exclusion, the IT operators must decide on whether and to what extent to safeguard the user’s data.
- Temporary restriction of usage, which is determined and enforced by the respective IT operator, must be lifted as soon as compliance with the rules has been re-established.
- Permanent restriction of usage or indefinite exclusion of a user is permitted in cases of severe or repeated violations as defined in § 5 (1). In this case, the University’s Head of Administration decides on the punitive measure at the request of the head of the IT operator. Potential claims of the University of Münster resulting from the user relationship remain herewith unaffected.
§6 Conclusion of the User Relationship
- The permission of usage concludes irrespective of the provisions in § 5 with the loss of status or if the reasons for which permission was granted cease to exist. Loss of status or cessation of reasons, as indicated in sentence 1, occur upon:
  - de-registration from individual services provided by the IT operators
  - termination of membership with the University of Münster (e.g. upon graduation) or termination of one’s employment contract with the University of Münster
  - removal from the student registry (de-registration)
  - expiration of the usage authorisation period
  - death of the user
  - permanent exclusion from IT services in accordance with § 5 (6)
- The IT operators can delete the user’s data three months after conclusion of the user relationship if deletion is not otherwise prohibited by statutory provisions. Following the conclusion of the user relationship, the user’s civil service and employment-related obligations with regard to data transfer and backup, as well as the provisions of the “Research Data Management Policy of the University of Münster” of 14 June 2016 remain hereby unaffected.
§7 Rights and Obligations of the IT Operators
- The obligations, tasks and working methods of the IT operators are described in the current version of the IT Strategy of the University of Münster.
- The IT operators are responsible for maintaining and managing data related to user identifications and authorisations. They are also required to keep a register of all processing activities.
- The IT operators are permitted to temporarily restrict usage of their resources or block individual login IDs or services, or deny access to the IT infrastructures and services if such actions are necessary for purposes of trouble-shooting, system administration and expansion, system security or user data protection. If possible and permissible, the affected users and management staff should be notified in advance of such measures.
- If there are credible indications that a user has stored illegal content for usage on the IT systems of the University of Münster, the IT operators – if legally required, reasonable and realistically feasible – can deny the user usage of the system until the legal situation is sufficiently clarified.
- The IT operators are permitted in accordance with statutory provisions to document and analyse the usage of the IT infrastructures and services by individual users, especially if required:
  - to guarantee proper system operation
  - for resource planning and system administration
  - to protect the personal data of other users
  - for accounting purposes
  - for recognising and eliminating malfunctions
  - to investigate and prohibit illegal or improper usage
- In accordance with statutory provisions, the IT operators are obliged to maintain telecommunication and data secrecy and to comply with the relevant data protection regulations, in particular the GDPR and the Data Protection Act of North Rhine-Westphalia.
§8 Coming into Force
These regulations (in their original German version) come into force on the day following their publication in the Official Announcements (Amtliche Bekanntmachungen) of the University of Münster (WWU), at which time the Usage Regulations of 15 November 2010 cease to be valid.