Acceptable Use Policy
Purpose
The University provides information resources to the members of the University community to support and enable the University’s mission. This policy (the “Policy”) sets forth the requirements for the acceptable use of information technology resources at the University of Chicago.
The University’s Acceptable Use Policy aims to establish acceptable practices regarding using the University of Chicago’s information technology and digital resources to protect the confidentiality, integrity, and availability of information created, collected, and maintained.
In general, acceptable use means ensuring that the information technology resources of the University are used for their intended purposes, including respecting the rights of other information technology end users, the integrity of the physical facilities, the confidentiality of data, information, and information assets, and all pertinent license and contractual agreements. Inappropriate use potentially exposes the organization to security risks, inaccessible or compromised networks, systems, and services, and issues with legal and regulatory compliance.
Applicability
This Policy applies to all University information technology resources owned or operated by or on behalf of the University, including the University network, University software and applications, University mobile and removable devices, or and non-University devices that store Covered Data or information. This includes data processed or stored and applications used by the University in hosted environments where the University does not operate the technology infrastructure. This policy also applies to personal computers and other devices to the extent that they connect to or use University information technology to store or process Covered Data.
All University faculty, other academic appointees, students, post-doctoral researchers, staff, associates, volunteers, and contractors (“Covered Persons”) must adhere to this policy.
Policy Ownership
Responsible University Officer(s): Chief Information Officer
Responsible Office: IT Services
Effective date: 04-12-2024
Policy
The University provides information technology to advance its educational, research, scholarship, and healthcare missions.
University of Chicago (“University”) information technology and digital resources and the data contained in those resources are provided for University-related purposes. This policy governs the access and use of University information technology and digital resources.
Acceptable Use
The individuals covered by this policy, “Covered Persons,” must comply with University policies, contractual obligations, and Federal, State, and local law when using University information technology resources. The use of University information technology resources should be for purposes consistent with the University’s missions and with its policies and legal requirements (including license agreements and terms of service) and not for commercial purposes. Individuals must also protect the University’s confidential information from unauthorized use or disclosure.
Prohibited Use
The individuals covered by this policy, “Covered Persons,” must not use the University’s information technology systems and services in the following ways:
a) To violate laws, University policies, contractual obligations, or to violate the safety, security, privacy, and intellectual property rights of others.
b) To send or distribute messages or material that is fraudulent, harassing, threatening (as described in the Policy on Harassment, Discrimination, and Sexual Conduct), or otherwise in violation of law or University policies, standards, procedures, guidelines, and codes of conduct.
c) To conduct a political campaign or any other activity that violates the Political Campaign Activity Memorandum issued by the Office of Legal Counsel.
d) For the benefit of individuals or external organizations except as permitted by the University’s Conflict of Interest Policy for Staff and Conflict of Interest Policy for Faculty or other Academic Appointees.
Personal Use
Incidental personal use of the University’s information technology and digital resources is permitted, provided such use is consistent with this policy.
Institutional Use and Privacy
The University has the legal right to access, preserve and review all information stored or transmitted through its information technology networks, systems and services. Except to the extent necessary to comply with the University’s legal obligations, the University will maintain the confidentiality of all privileged communications and work product.
The University works to afford reasonable privacy for users. It does not access information created and stored by users on its IT Systems except when it determines that it has a legitimate operational need in accordance with the process set forth in the Policy on Information Technology Resources and Account Privacy. In limited circumstances and with the approval of the Provost, the University may permit University researchers to access Covered Data for the purpose of conducting research.
Consequences of Violating the Policy
Violations of the policy may result in disciplinary action, up to and including the suspension of network privileges, suspension or expulsion from further study and termination of employment.
Definitions
Associate – An associate is an individual who requires access to information technology resources to work in conjunction with the University but is not a University of Chicago Covered Person (e.g., is not faculty, other academic appointees, students, staff, post-doctoral researchers, volunteers, and contractors).
Confidential Information – Generally consists of non-public information about a person or an entity that, if disclosed, could reasonably be expected to place either the person or the entity at risk of criminal or civil liability or damage to the person or entity’s financial standing, employability, privacy, or reputation. Reference University HR policy 601 Treatment of Confidential Information for more information (http://humanresources.uchicago.edu/fpg/policies/600/p601.shtml).
Covered Persons – All University faculty, other academic appointees, students, staff, post-doctoral researchers, volunteers, and contractors.
Information Security Program (“The Program”) – The Information Security Program is a set of coordinated services and activities designed to protect Covered Data and information technology and manage the risks to the University associated with those resources, including the regulations below, as well as the procedures, standards, assessments, protocols to govern information resources’ storage, accessibility, and security.
Information Technology Resources – Information technology resources are:
- Computers or electronic resources that are used in the search, access, acquisition, transmission, storage, retrieval, or dissemination of Covered Data.
- Technologies or services that are owned, contracted by, or managed by the University that connect to the University network or link to another University technology or service, or store Covered Data or information.
- Services or applications used by the University in hosted environments where the University does not own or operate the technology infrastructure.
Service – IT infrastructure, platforms, or software hosted by third-party providers and made available to users through a network.
Third-Party – An organization or partner that the University contracts with to perform certain services on behalf of the University.
Covered Data – Data created, stored, or maintained, by or on behalf of the University.
Roles and Responsibilities
Chief Information Officer (CIO) – The CIO is responsible for providing guidance to University leadership concerning the appropriate use of information technology resources.
Chief Information Security Officer (CISO) – The CISO shall be responsible for leading the development, execution, monitoring, and enforcement of the University Information Security Program.
Related Information
Policy on Information Technology Resources and Account Privacy
Contacts
| Title/Office | Phone | |
| Associate Vice President and Chief Information Officer | cio@uchicago.edu | 773.702.5800 |
| IT Services Information Security Office | security@uchicago.edu | 773.702.2378 |
| Executive Director and Chief Information Security Officer (CISO) | ciso@uchicago.edu | 773.702.2378 |
| Revision Authority: | Associate Vice President and Chief Information Officer |
Please see the frequently asked questions below for more information.
Category: Eligibility and Acceptable Use
Policy Owner: Chief Information Security Officer
Frequently Asked Questions
What are examples of “University information technology resources"?
The following are all examples of University information technology resources:
- The University’s network
- University-provided software and applications
- University-provided cell phones, laptops, tablets
- University-provided servers
- University-provided cloud services such as Google Docs and Drive, Google Sites, Box and Box Assured Apps, Microsoft O365 platform (OneDrive, Sharepoint, Office Online, etc. ), Microsoft Azure (Microsoft Cloud platform), Amazon Web Services (AWS) (Amazon Cloud platform), Zoom, other University funded cloud storage
- University-provided mobile and removable devices
- Data processed or stored in documents, files, emails and attachments, research data, voice mails, text messages, and associated metadata.
What is “Covered Data”?
Data created, stored, or maintained by or on behalf of the University. Data created, stored, or maintained by or on behalf of the University.
What are examples of “non-University devices that store Covered Data”?
Non-University devices that store Covered Data are devices not owned by the University that handle or store Covered Data or information. For example, personal laptops or cell phones that process or store University documents, files, emails and attachments, research data, voice mails, text messages, and associated metadata. In some circumstances, the University may be required to access data on a personal device.
Does it matter if the resource is on the university network? Does it matter where the resource is being used, such as off-campus, home, on campus?
The geographic location or type of network does not change the applicability of the University Information Technology policies. The policies apply to all University-funded devices and all devices and services that handle or store Covered Data or information. The geographic location or network ownership of the device does not change the policy’s applicability.
What are examples of incidental personal use of information technology resources?
Some examples of the incidental personal use of information technology resources include the following:
- Sending and receiving emails to friends and family
- Taking personal phone calls using a University phone
- Preparing a personal tax return on a University laptop
- Visiting web pages or streaming videos using your University laptop or over the University network
Can university-owned computers and services be used to operate an external business (including products or services like consulting)?
No. The University of Chicago is a non-profit organization, and its assets are to be used in furtherance of its research and education missions. In addition, most University software and services are licensed only for non-profit use for University purposes. Limited incidental use of office space and equipment for personal purposes or in connection with permitted consulting activities is permissible so long as such use is modest and does not interfere with the conduct of University business. Examples of permitted uses include sending a personal email, working on a personal document, or taking a personal phone call. If an individual runs a business that routinely sells goods or services, then they should purchase separate technology resources for or on behalf of the business.
What are examples of activities that are not incidental personal use of information technology resources?
Some examples of activities that are not “incidental personal use” are:
- Using University resources to operate a personal file-sharing server.
- Using University-provided technology to operate or sell goods or services for a commercial business.
- Hosting a website on the University web servers for non-UChicago organizations (e.g., a business or unaffiliated not-for-profit entity), for political functions, or for other activities unrelated to the mission of the University.
- Using a university-provided server or information technology service for non-university tasks.
How does the University “determine that it has a legitimate operational need” to access or review data?
These details are covered in the FAQ for Policy on Information Technology Resources and Account Privacy (ITS-003).
What are examples of when the University would need to access, preserve, and review information stored in or on an individual’s University information technology resources?
The following are examples of when the University may need to access, preserve, or review information in University information technology resources:
- If the University receives a subpoena for an individual’s records in connection with a lawsuit
- If a student makes a request for their education records stored on University computers
- If the University has a legal or regulatory obligation to preserve or disclose information stored on University computers
- If the University must respond to an imminent threat to other users or to the University’s technology infrastructure. For example, if the University is responding to an information security incident or physical security threat, it may be necessary to access information on information technology resources.