There are circumstances where UCL may monitor or record communications made using its computer and telecommunication systems.
Communications on or through UCL's computer and telephone systems may be monitored or recorded to secure effective system operation and for other lawful purposes.
Routine monitoring, carried out to ensure our systems are performing properly, normally involves only aggregate anonymous data and does not identify individuals or the contents of their communications (counting the number of e-mail messages we relay every day, for example). However, there are circumstances where UCL may collect information which can be associated with an individual's communications. This may be done, for instance, to prevent or detect crime; to investigate or detect unauthorised use, including the use of systems outside UCL; or if it is necessary to ensure the effective operation of our systems.
Monitoring may only be carried out with the written authority of the Director of Information Systems, the Director of Management Information Systems, the Head of the UCL Computer Security Team, or Head of Department (in connection with the relevant departmental facilities); the Data Protection Officer should also be informed if personal information is to be gathered. Records should be maintained documenting:
- the reason for monitoring
- the scope of the monitoring
- the intended duration
- the names or job titles of those who will be carrying out the monitoring
Unauthorised monitoring may give rise to civil or criminal liability.
A very clear document containing examples of how the legislation applies in practice has been produced by the Joint Information Systems Committee (JISC), which promotes the use of information systems and information technology in Higher and Further education across the UK.
Note also that telephone calls to UCL's emergency number 222 are recorded. Other calls are not normally recorded, but telephone traffic is logged in order to provide departments with cost information. Lists of individual telephone numbers called from any line may be provided to departments on the request of an authorised person within that department.
Relevant legislation includes:
- Regulation of Investigatory Powers Act 2000
- Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
Monitoring of UCL website usage
Many sites in the UCL domain are based on an Apache server, and logs are kept of requests made to this server. Some of this logged data is used to analyse website usage, such as some websites web page hits, site errors, and other anonymous data. Many sites in the UCL domain also use Google Analytics to analyse website usage. Google Analytics uses 1st party cookies to collect visitor activity on a website, but will only collect anonymous information. Error logs based within the Silva content management system are also used to track problems experienced with the system, and in some cases the UCL userids of site editors are recorded.