ICT Regulations for NHH
Adopted by the Executive Board of NHH on 16 May 2002. Corresponding regulations have been adopted by the University of Bergen and the Bergen University College.
The Norwegian text IKT-reglement is the official and authoritative text. This translation is for convenience only.
§ 1 The scope of these regulations; organisation
- These regulations pertain to the use of the ICT facilities (Information and Communication Technology systems) at the Norwegian School of Economics and Business Administration (NHH).
The term "ICT systems" encompasses computers, end user equipment (including mobile phones and pocket PCs), networks, programs, data, etc. made available by NHH - including local, national and international networks or other systems which are accessed via such resources.
These regulations also cover, if applicable, the user's own ICT system or other ICT systems as long as they are used for performing tasks for the institution. This rule applies regardless of whether these systems are installed on NHH premises or in other places.
- These regulations apply to NHH's employees, students and others who are given access to NHH's ICT systems, hereinafter referred to as "users".
- NHH can assign the responsibility for the institution's ICT systems to various units or persons, called systems managers and systems administrators. The list of systems managers and systems administrators is available on NHH's Web pages. NHH can provide additional rules for the use of the ICT systems and/or for users assigned to carry out special tasks.
§ 2 The purpose of NHH's ICT systems
- NHH's ICT systems shall be used to perform tasks in connection with research, education and communication, in addition to necessary operation and administration.
All provisions of these regulations shall be interpreted in view of this purpose.
§ 3 Loyal and responsible use
- The systems manager may require the user to identify himself/herself by name, personal user identity, password or in other authorised ways.
- The user has joint responsibility to utilise the ICT systems in the best possible way. He/She shall cause the least possible inconvenience to others when using the systems and shall not abuse joint resources. Use not directly related to the purpose of the institution, including advertising and commercial use, is only allowed with authorisation from NHH.
- The user is obliged to follow the systems manager's and/or systems administrator's instructions when using the systems or the services connected to the systems.
- It is the user's responsibility to ensure that the information created, saved or communicated on NHH's ICT systems is not in breach of these regulations or the rules of law in general (e.g. making defamatory or discriminative statements, distributing pornographic material or confidential information, violating the right of privacy, or encouraging others to carry out or participate in acts illegal under Norwegian law).
Furthermore, the user shall refrain from such use of the local ICT systems that would put NHH at a considerable risk of loss of reputation.
- The user himself/herself is responsible for the statements and information he/she communicates via the ICT systems. It shall be made obvious who is responsible for the information in question. Information not concerning NHH activities shall have a form that will preclude its being mistaken for official NHH information.
- The user shall not alter or modify the ICT systems without proper authorisation or cause the systems to operate in other unauthorised ways.
- Any user who ceases to be a member of staff, student or user of the ICT systems is responsible for ensuring that copies of data, programs, etc. owned/used by NHH are secured and handed over to the systems administrator.
Other files, etc., stored under the user's name, user identity or the like shall be deleted by the user himself/herself. If such deletion is not carried out within a reasonable period of time and within three months at the latest, the systems administrator may open and delete such files, etc. The same applies if the user dies, but in such cases the next of kin shall be notified and given the opportunity to receive a copy of the material before any deletion takes place. If the user has not used the ICT systems or services for 12 months, the institution will assume that the user relationship has been terminated, unless otherwise stipulated.
§ 4 Information, training and information requirements for users
- These regulations and any supplementary provisions shall be available on NHH's Web pages. Users of the ICT systems are obliged to keep informed of the ICT regulations currently in force and of any supplementary provisions.
- Users are obliged to familiarise themselves with user guides, documentation, etc. in a satisfactory manner in order to minimalise the risk of system breakdowns or loss of data, programs or equipment.
§ 5 Data security
- The user must take the necessary measures to make sure that loss of data, programs, etc. will have the minimum negative consequences by making back-up copies, securing the proper storage of media, adhering to recommended routines for use of the network, etc. The systems administrator shall provide information on NHH's routines and measures to protect the users' data. The user shall be aware that no ICT systems can be entirely secure and any security measure taken is to be based on this fact.
- The user must never reveal passwords or other security elements to others.
- The user must prevent unauthorised persons from gaining access to the network, the ICT systems or to rooms where equipment is available, and contribute in general to preventing unauthorised persons from gaining access to the equipment.
- The user shall keep in mind that programs or data may contain unwanted elements ("virus" or the like) and must take the necessary precautions for controlling such elements.
- The user must report immediately all circumstances which may have significance for the security or integrity of the ICT systems to their closest superior or the systems administrator.
§ 6 Respect for other users, privacy
- The user must not attempt to gain unauthorised access to other persons' data, programs, etc., nor try to obtain the passwords, etc. of other users.
- The user is responsible for being familiar with the laws, rules and regulations pertaining to the use of ICT systems, particularly the management of personal information. The systems administrator can provide guidance for users on how to proceed.
- In order to fulfil the purpose of these regulations (cf. Section 2) the ICT systems include tracking (logging) and back-up functions. The user shall be aware that other type of use, including private use, may also lead to the registration of personal information.
§ 7 Rights
- The user is obliged to respect copyrights or similar rights pertaining to computer programs and data (texts as well as collections of information such as databases, music, pictures, films, etc.). The user is responsible for being familiar with the regulations in force concerning these rights, whether they are laid down in law or in an agreement with the copyright licensee (licence agreement). Such agreements can be obtained from the systems manager or the systems administrator.
§ 8 Service quality, liability for damages
- The users themselves are responsible for the use of information, programs, etc. which are made available through the ICT systems. NHH disclaims all responsibility for any financial loss or other inconvenience resulting from errors or defects in programs, data, use of information from available databases or other information obtained through the network, etc.
§ 9 The systems administrator's right to access restricted areas
- The systems administrator has the right, in person, to seek access to the individual user's restricted areas within the ICT systems. The decision on this matter is made after consulting the leader of the unit concerned.
The conditions for seeking such access are the following:
- It is considered necessary to secure the proper functioning of the computer resources, or
- It is considered essential for the operation of the systems or for NHH's responsibility or reputation, or to ensure that the user does not violate or has not violated the provisions of these regulations, and
- Other measures
- have been tried and proved to be insufficient, or
- there is no time for taking other measures, or
- other measures are considered obviously insufficient.
- In cases described under section 9.1, the user must be notified as soon as possible. If it is possible and advisable, the notification shall be made in advance. Nevertheless, prior notification may be omitted if it can be feared that the necessary measures cannot be taken in time. A report shall always be made concerning the steps taken. A copy of the report shall be sent to the user as soon as possible.
- If the use of a workstation, terminal or other end user equipment is monitored by the systems administrator or others due to operational reliability or for other reasons, the equipment shall be clearly marked with a label or by other adequate means.
- The systems administrator has a duty of maintaining confidentiality with respect to information about the user or the user's activities which the systems administrator gains access to in this way, cf. the rules in section 13 (13) (f) of 'forvaltningsloven' (the Norwegian Public Administration Act).
§ 10 Sanctions
- Violation of these regulations may lead to the user being denied access to the whole or parts of the ICT systems at NHH. Moreover, it may result in sanctions based on other regulations, such as disciplinary measures based on 'tjenestemannslovgivningen' (the Norwegian Civil Servants Act), warning or exclusion from studies and examinations in accordance with 'universitets- og høgskoleloven' (the Norwegian Universities and Colleges Act), liability for damages, criminal liability, etc.
- Temporary exclusion for up to five workdays due to the violation or suspected violation of the regulations may be inflicted by the systems administrator himself/herself, without prior notification. Such exclusion may only take place if there is good reason to assume that
- the user has committed serious violations, or
- the user represents a considerable threat to ICT security (breach of confidentiality, integrity or availability), or
- the user's ICT equipment constitutes a considerable threat to ICT security.
- In other cases, exclusion may be approved by the Board. The decision on exclusion for more than six months is made by the Board itself. The emphasis shall be laid on the seriousness of the violation, whether the user has previously violated the regulations, what consequences an exclusion will have for the user, and any other conditions.
If the sanctions of these regulations are used to such an extent that they must be regarded as equal to disciplinary punishment or other disciplinary sanctions in accordance with 'tjenestemannslovgivningen', or with a possible warning or exclusion based on section 42 of 'universitets- og høgskoleloven', the case shall be handled in accordance with the provisions of these Acts concerning case preparation, etc.
- NHH may establish rules for simplified proceedings for more frequent and less serious violations of the regulations. Such rules shall be available on NHH's Web pages.
- Any decisions made on the basis of this section can be appealed within three weeks to the closest superior forum, cf. section 1.3.