XClose

Information Security

Menu

Acceptable Use Policy

Introduction

The Acceptable Use Policy applies to all UCL IT systems, regardless of ownership, when being used for UCL related purposes, connected to UCL’s network or storing UCL related data.  Please read the policy before reading any of the other information on this page, which is designed to help you understand the policy and how to comply with it.  

Summary of Policy Requirements 

Use systems only for their intended purposes, in a lawful way that is respectful of other users and doesn’t breach any UCL policies, codes of practice or regulations. 

How to Comply 

The following sections don’t address every detail in the policy statements, only those about which questions are most likely to arise or for which supporting information is most helpful.  Much of the policy is hopefully self explanatory, but if you do have any questions that aren’t answered by the following information, please don’t hesitate to ask the Information Security Group

Related UCL Policies, Codes of Practice and Guidance 

The following UCL policies, codes of practice and guidance facilitate compliance with the Acceptable Use Policy. 

  1. Data Protection Policy 

  1. UCL Publications Policy 

  1. Prevention of Bullying, Harassment and Sexual Misconduct Policy 

  1. Equal Opportunities Policy Statement 

  1. Safeguarding policies 

  1. Software License Management Policy 

  2. UCL Research Ethics Policy

  3. Guidance and Procedures on Engaging Employees, Workers and Third-Party Suppliers 

  4. Equality, Diversity and Inclusion guidance for managers 

  5. Code of Practice on Freedom of Speech 

  6. Using AI Tools at UCL 

Government Regulations and Legislation 

Information about how to comply with data protection regulations and legislation can be found at https://www.ucl.ac.uk/data-protection.  

Information about other government regulations and acts of parliament can be found at https://www.legislation.gov.uk.  For most regulations and legislation published after 1999, an accompanying Explanatory Note or Explanatory Memorandum provides a useful summary. 

The risk of breaking the law while using UCL’s systems should be very small if you comply with policy statements in the Acceptable Use Policy, and the other UCL policies, codes of practice and guidance referred to above.  However, if you are unsure if any aspect of your use of UCL systems might be illegal, guidance on the correct team at UCL to contact in the first instance can be found under Engagement with Legal Services at https://www.ucl.ac.uk/legal-services

Software licensing 

Information about software licensing and terms and conditions of use can be found in the Software License Management Policy . 

Policy breaches and exceptions 

Suspected or confirmed breaches of the Acceptable Use Policy should be reported to the Information Security Group, by creating an Information Security request in MyServices

Before carrying out any legitimate research activities that breach, or risk breaching, the Acceptable Use Policy, a researcher must obtain written approval from their head of department and the Information Security Group. 

If in doubt, ask 

If you are unsure if your use of UCL systems may be in breach of the Acceptable Use Policy, please ask the Information Security Group for advice via MyServices

Policy 

1. Purpose 

1.1. The purpose of this policy, which focuses on the use of UCL’s systems, is to augment the UCL Information Security Policy.  The Information Security Policy should be read in conjunction with the Acceptable Use Policy. 

2. Scope 

2.1. All systems, regardless of ownership, when being used for UCL related purposes, connected to UCL’s network or storing UCL related data. 

3. Definitions 

3.1. System: Any environment that is used in relation to data, such as: network; application; infrastructure; platform; system; appliance; device; service. 

3.2. System Custodian: A technical administrator for a System. Responsible for ensuring security risk are managed within the system. 

3.3. System user: Anyone using a system in scope of this policy. 

3.4. Jisc: Jisc Services Limited, the provider of the UK’s national research and education network that connects UCL to other institutions and the Internet. 

3.5. Janet: (Source: Janet Acceptable Use Policy) The communications network operated by Jisc Services Ltd (Jisc) to serve UK education, research, and other public sector purposes. Its primary purpose is to enable organisations in these communities to fulfil their missions of providing education, research, of supporting innovation, and of civic engagement more widely. 

3.6. VPN: Virtual Private Network. UCL’s VPN service securely connects remote devices to the UCL network. 

3.7. Password: Any authentication credential issued by UCL, including hardware tokens and cryptographic keys.  

3.8. Authorised use of systems: The following types of use are authorised. 

  • Use properly associated with a UCL course of study, employment, appointment, registration, trades union business or student union societies. 
  • Reasonable personal use. 

3.9. Reasonable personal use of systems: incidental and occasional use which does not involve or result in any of the following. 

  • Disruption or distraction of the system user from the efficient conduct of UCL business, due to volume, frequency, time expended or time of day used.  
  • Significantly increased running costs.  

  • Breach of any policy statements. 

4. Framework 

4.1. This policy is part of the same framework as the Information Security Policy, which it augments. 

5. Objectives 

5.1. The objectives of this policy are to minimise the risks associated with breaches of information security and UCL’s legal obligations, by: 

  • Defining what constitutes acceptable use. 
  • ​​​​​​​Encouraging the responsible use of systems. 
  • Maximising the availability of resources (including systems and staff) for legitimate purposes. 
  • ​​​​​​​Minimising the likelihood of system misuse from inside or outside UCL.

6. Policy Statements 

6.1. UCL system users must do the following: 

  • Comply with all relevant UK legislation, including but not limited, to all legislation listed in 9.1. 
  • ​​​​​​​Respect the copyright of all materials and software that are made available by UCL system providers and third parties for authorised use. 
  • Carry out any specified actions, or cease any specified activities, when requested to do so by an authorised system custodian. 
  • ​​​​​​​Report any breaches of this policy or the Information Security Policy. 

6.2. UCL system users must not do the following: 

  • Use systems in any way that falls outside the definition of authorised use in this policy. 
  • ​​​​​​​Run, use, or make copies of unlicensed software, or use software in any that is outside the licensing terms and conditions. 
  • Download data or datasets unless explicitly permitted to do so by their owners. 
  • ​​​​​​​Publish, create, store, use, distribute or transmit data or software in a way which is unlawful, offensive, obscene, indecent, defamatory, libellous, discriminatory, harassing, threatening, extremist, supportive of terrorism or invasive of another's privacy, or with the intention of annoying, inconveniencing, upsetting, radicalising, deceiving, defrauding, victimising or bullying other individuals or organisations. 
  • Cause or risk causing loss, damage or destruction of data or breaches of confidentiality of data.  
  • ​​​​​​​Use systems in a way which infringes any patent, trademark, trade secret, copyright, moral right, confidentiality, or other proprietary right of any third party. 
  • Use systems to create or distribute promotional, marketing or advertising materials on behalf of commercial organisations, or pursue commercial objectives in any other way.  
  • ​​​​​​​Use systems in a way that brings or could bring UCL or Jisc into disrepute. This includes associating UCL or Jisc with external facilities such as Web sites that could bring UCL or Jisc into disrepute by association. 
  • Use systems in any way that restricts or impedes their use by others or wastes the effort of system custodians. 
  • ​​​​​​​Disclose or share passwords, or circumvent registration procedures by any means, such as using accounts or passwords belonging to others. 
  • Attempt to undermine UCL’s security by using password cracking or port scanning software, conducting unauthorised vulnerability scans or penetration tests, exploiting known vulnerabilities or by any other means. 
  • ​​​​​​​Intentionally or carelessly store, distribute, transmit, introduce, or install harmful software such as viruses and ransomware. 
  • Access or attempt to access any systems for which permission has not been granted or facilitate such unauthorised access by others.  
  • ​​​​​​​Set up or modify systems of which they are not authorised system custodians.  

7. Policy Owner  

7.1. This Policy is owned by UCL’s Chief Information Security Officer. 

8. Breach of Policy  

8.1. Any breach or suspected breach of this policy may be investigated and treated as a disciplinary matter or lead to court proceedings attracting both criminal and civil liability. 

8.2. Users will be held responsible for any claims brought against UCL and any legal action to which UCL is, or might be, exposed as a result of breaches of this policy. 

9. Legal Compliance 

9.1. Staff and Students have an obligation to abide by all UK legislation. Of particular importance in this respect are: 

  • Legislation referred to in the Information Security Policy and 
  • ​​​​​​​the Computer Misuse Act 1990, UK General Data Protection Regulation, the Data Protection Act 2018, the Data Use and Access Act 2025, the Copyright, Designs and Patents Act 1988, the Obscene Publications Act 1959, the Sex Discrimination Act 1975, the Race Relations Act 1976, the Disability Discrimination Act 1995, the Part-Time Workers (Prevention of Less Favourable Treatment) Regulations 2000, the Fixed-Term Employees (Prevention of Less Favourable Treatment) Regulations 2002, the Employment Equality (Sexual Orientation) Regulations 2003, the Employment Equality (Religion or Belief) Regulations 2003, the Harassment Act 1997, the Employment Equality (Age) Regulations 2006, the Protection of Children Act 1978, the Public Order Act 1986, the Criminal Justice and Public Order Act 1994, the Terrorism Act 2006 and the Counter Terrorism and Security Act 2015. 

10. Review 

10.1. This Policy shall be reviewed at least every three years.  

11. Related/Supporting documents 

11.1. Being a diverse community means being a place where a wide variety of conflicting opinion and ideas exist and are expressed. Free speech attracts a high level of protection in UK law, and UCL is committed to upholding all speech unless it is restricted by law. More information on UCL’s approach to free speech on campus can be found in UCL’s Code of Practice on Freedom of Speech

12. Version Control and Approvals  

To be added on publication.