THE CHINESE UNIVERSITY OF HONG KONG

Principles and Guidelines on the Use and Monitoring of the University’s Information and Communication Technologies Facilities and Services

 

1. The University, through the Information Technology Services Centre and various academic and administrative units, provides a rich array of Information and Communication Technologies (ICT) facilities and services (such as desktop PCs, network server accounts and storage space, and e-mail) to its staff and students. Such ICT facilities and services are provided with University funds, and are the property of the University, to support the activities of staff members and students in teaching, learning, research, administration and communication in the University. Staff members and students are not expected to use the University’s ICT facilities and services for their personal business or private purposes. However, it is understood that it is impractical to entirely rule out the need for social communication, such as arranging private lunch/dinner appointments with personal friends. In principle, ICT facilities and services are provided by the University without any form of monitoring. But staff and students should take note of the very occasional need for monitoring or special measures as presented in paragraph 4 below. If they have any doubt or concern about their privacy, they should avoid using the University’s ICT facilities for their personal and private communication.

 

2. After a staff member or a student has left the service/study of the University, the ICT facilities provided by the University to that staff member/student, if still available, shall become the property of the University, and together with the information contained therein, will be at the disposal of the University, unless otherwise decided.

 

3. The University respects personal privacy and complies with all relevant legislation. Under normal circumstances, the ICT facilities and services are provided without any form of monitoring. However, appropriate measures will be taken under special circumstances to protect the University against potential damages and liabilities caused by inappropriate or abusive uses of ICT facilities and services (e.g. damage to the University’s reputation, alleged illegal activities such as workplace harassment, possible defamatory liability, disclosure of intellectual property, or copyright and other property infringement).

 

4. The following guidelines are provided to ensure that the monitoring or special measures, if taken, are handled properly:

 

(a) Troubleshooting of a technical nature: In emergency situations (such as system failure, severe virus attack, phishing attack, hacker attack, or data corruption) where IT support personnel inevitably need to examine files or e-mails stored on servers or backup media in order to recover or maintain the stability of the computer systems, the concerned user(s) should be contacted before such actions are taken. In critical and urgent situations where the concerned user(s) is not reachable, such examination has to be authorized by the head of the IT personnel and the concerned user(s) should be notified of the purpose and the action taken as soon as possible thereafter.

 

 

(b) Monitoring and logging of activities: Some ICT facilities and services have built-in monitoring and/or logging functions for the collection of aggregate usage statistics and the analysis of usage patterns and trends. For information security, reasonable logging of activities is also required to help investigate suspected illegal hacking or ascertain non-repudiation. Providers of ICT facilities and services should notify the concerned users about the monitoring and logging activities whenever feasible and before the access privilege is granted. According to the privacy guidelines issued by the Office of the Privacy Commissioner for Personal Data, providers of ICT facilities and services should inform the users if any of their personal data are captured during the monitoring and logging process.

 

 

(c) Investigative activities: In extremely rare situations, it might be necessary for the University to conduct an investigation into suspected illegal or inappropriate activities of an individual staff member or student. Such a requirement might arise from audit, internal review, or law enforcement agencies. These investigative activities may involve covertly examining the computer files or e-mails of individuals. Under no circumstances may these examinations be carried out without proper authorization from senior management. Such an investigation would have to be authorized by the Vice-Chancellor or an officer/special panel designated by the Vice-Chancellor, having regard to prima facie evidence.

 

 

(d) Other special circumstances as determined by the Vice-Chancellor: There might be other circumstances when a University Officer has justification to recommend accessing a staff member’s or a student’s ICT facilities or the data contained therein. The Vice-Chancellor will consider such a recommendation on a case-by-case basis and authorize the access if he considers it appropriate in the best interest of the University.