IT user regulations

The IT User Regulations of the University of Kassel regulate the use of the information processing and communication infrastructure (ICT infrastructure), which is provided for the fulfillment of the university's tasks in accordance with the Hessian Higher Education Act (HHG).

They specify the conditions under which the IT systems, IT services and communication networks may be used in order to ensure the availability, integrity and confidentiality of the systems and the proper execution of teaching, research and administration.

The regulations ensure that all users act in accordance with legal and ethical standards and protect both the rights of third parties and the university's data.

They apply to all members of the University of Kassel, including those who use the infrastructure on non-university-owned devices for university purposes.

User Regulations for the Information Processing and Communication Infrastructure of the University of Kassel (IT User Regulations)

 

Preamble

§ 1 Scope of application
§ 2 User group
§ 3 User authorizations
§ 4 Legal integration
§ 5 Rights and obligations of users
§ 6 Tasks, rights and obligations of the system operator
§ 7 Liability of the system operator and exclusion of liability
§ 8 Consequences of unlawful use
§ 9 Other regulations
§ 10 Entry into force

 

The University of Kassel, its departments and central facilities operate an information processing and communication infrastructure (ICT infrastructure). The IT systems, IT services and internal university communication networks serve to support the tasks of the University of Kassel as defined by law in accordance with Section 3 of the Hessian Higher Education Act (HHG).

The ICT infrastructure is connected to the Internet.

 

The IT user regulations govern the conditions under which the range of services of this infrastructure can be used. They support the following objectives in particular:

  • Ensuring the availability, integrity and confidentiality of the IT systems used at the University of Kassel and the data processed and stored on them,
  • Ensuring smooth teaching, research and administrative operations,
  • Ensuring the proper operation of the ICT infrastructure,
  • Protection of third-party rights and data to be protected (copyright, software licenses, network operator requirements, data protection aspects),
  • Obligation of users to behave lawfully and to use the resources offered economically,
  • Obligation of the system operators to operate the system correctly,
  • Prevention of violations of the IT user regulations.

 

§ 1 Scope of application

These IT user regulations apply to the IT infrastructure operated by the University of Kassel, consisting of information processing systems, communication systems, other auxiliary facilities and the IT services offered. They also apply when this infrastructure is used on non-university-owned devices for purposes in accordance with § 2 paragraph 1.

 

§ 2 User group

  1. The resources specified in § 1 are available to the members and affiliates of the University of Kassel in accordance with § 32 of the Hessian Higher Education Act (HHG) for the fulfillment of their tasks in research, studies, teaching, administration, training and further education and public relations.
  2. Other persons and institutions may be permitted to use the IT Service Center if this is in the interest of the University of Kassel.
    Other persons and institutions include in particular:
    1. Members and affiliates of other universities in the State of Hesse or state universities outside the State of Hesse on the basis of special agreements;
    2. Other state research and educational institutions and authorities of the State of Hesse on the basis of special agreements and the associated persons;
    3. Members and affiliates of cooperating universities;
    4. Cooperating external institutions (e.g. Studentenwerk, AStA) and the associated persons.

 

§ 3 User authorizations

  1. Use of the ICT infrastructure requires formal user authorization (e.g. user ID, network connection, network access) from the responsible system operator.
  2. Only members of staff can apply for a landline connection of computers to the university network. Other members or affiliates of the University of Kassel can only apply to connect a computer if the assumption of the costs is guaranteed by specifying a university cost center and by the signature of the person responsible for the cost center.
  3. The system operators are
    1. for central systems and services in accordance with Annex 1 of these Terms of Use: the IT Service Center, the University Library and the Teaching Service Center,
    2. for decentralized systems: the respective organizational unit of the University of Kassel in which the system is operated (e.g. department).
  4. The application for user authorization must be submitted in a form that enables secure authentication (e.g. written form, de-mail, digital signature, electronic ID card) and must contain the following information:
    • System operator from whom the user authorization is requested,
    • Systems for which the user authorization is requested,
    • Applicant (name, address and telephone/fax number or e-mail address of the applicant, assignment to an organizational unit of the university, matriculation number for students),
    • For a user authorization pursuant to para. 2, additionally the cost center and the signature of the person responsible for the cost center,
    • Information about the computer or connection within the university, requirements for the system for which user authorization is requested,
    • If the user is not a member or affiliate of the University of Kassel within the meaning of § 2 paragraph 1, a declaration that the user acknowledges the user regulations and consents to the collection and processing of their personal data for user administration purposes.
  5. The application is decided upon by the responsible system operator. They may make the granting of user authorization dependent on proof of certain knowledge about the use of the system.
  6. The granting of user authorization may be refused, revoked or subsequently restricted if
    1. it is not sufficiently likely that the applicant will fulfill their obligations as a user (cf. § 8),
    2. the system is obviously unsuitable for the intended use or is reserved for special purposes, or
    3. the capacity of the system for which use is requested is insufficient due to existing load.

 

§ 4 Legal integration

  1. The ICT infrastructure may only be used in a legally compliant manner. It is expressly pointed out that the following are punishable offenses under the German Criminal Code:
    1. Spying on data (§ 202a StGB),
    2. Illegal alteration, deletion, suppression or rendering unusable of data (§ 303a StGB),
    3. Computer sabotage (§ 303b StGB) and computer fraud (§ 263a StGB),
    4. Dissemination of propaganda material of unconstitutional organizations (§ 86 StGB) or racist content (§ 130 StGB),
    5. Dissemination of pornographic content via media or telecommunication services (§ 184d StGB),
    6. Offenses against personal honor such as insult or defamation (§ 185 ff. StGB), insults against religious or ideological communities (§ 166 StGB),
    7. Copyright infringements, e.g. by illegal duplication of software or uploading protected works to a data processing system (§§ 106 ff. UrhG).
  2. In some cases, even attempts are punishable.
  3. Users and system operators must comply with the provisions of the Hessian Data Protection Act.

 

§ 5 Rights and obligations of users

  1. The resources mentioned in § 1 may only be used for the purposes specified in § 2 para. 1.
  2. The user is obliged to comply with the provisions of these IT user regulations and to observe the limits of the respective authorization, in particular
    1. to ensure proper operation,
    2. to protect IT systems against unauthorized, improper and abusive use,
    3. to use passwords properly (the respective password policy is determined by the system operator),
    4. to refrain from determining or using other users' IDs and passwords,
    5. to use only approved and valid programs and operating systems.
  3. Furthermore, the user is obliged
    1. to comply with legal regulations (copyright protection) when using software, documentation and other data, and
    2. to observe the license conditions under which software, documentation or data made available through license agreements are provided.
  4. The user is prohibited, without the consent of the system operator,
    1. from making changes to hardware and software installations, or
    2. from changing the configuration of operating systems, the network, and the software.
  5. The user is obliged to report plans for the automated processing of personal data to the data protection officer of the University of Kassel and to coordinate with the respective system operator.
  6. The user is obliged
    1. to provide the system administrator, upon request in justified individual cases — particularly in cases of suspected abuse and for troubleshooting — with information about programs and methods used.
    2. to inform themselves about the respective local and system-related conditions and regulations before installing software and to follow them.
  7. Regarding user liability, the following applies:
    1. The user is liable for all disadvantages to the university resulting from misuse or unlawful use of the IT resources and authorization or from culpable breach of obligations under these regulations. The university may require reimbursement of misused resources and further costs according to the fee schedule.
    2. The user is also liable for damages caused by third parties using the access and usage possibilities provided to them if they are responsible for such third-party use, especially in the event of sharing their user ID or password. In such cases, the university may charge the user a usage fee for third-party use according to the fee schedule.
    3. The user must indemnify the university against all claims if third parties hold the university liable for damages, injunctive relief or in any other way due to the user's misuse or illegal behavior. This includes liability for illegal third-party content appropriated by the user.

Insofar as the user is an employee, civil servant or trainee of the university, claims for damages are governed by the relevant civil service or collective agreement regulations.

 

§ 6 Tasks, rights and obligations of the system operator

  1. The system operator may maintain a user file with the users' master data based on granted authorizations. The application documents for user authorizations are to be kept for two years after the authorization expires.
  2. The system operator announces the persons responsible for the administration of its systems. The system operator and administrators are obliged to maintain confidentiality. In particular, all passwords must be processed in accordance with current security standards.
  3. The system operator may temporarily restrict the use of its resources or temporarily block individual user IDs if necessary for troubleshooting, system administration and expansion, or for security reasons and to protect user data. Affected users must be informed immediately.
  4. If there are justified indications that a user is providing illegal content on the system operator’s systems, the system operator may prevent further use until the legal situation has been sufficiently clarified.
  5. The system operator is entitled to check the security of user passwords and user data through regular manual or automated measures and to take necessary protective measures, for example, to change easily guessed or outdated passwords, in order to protect IT resources and user data from unauthorized access by third parties. Users must be immediately informed about required changes to passwords, access rights to user files and other usage-relevant protective measures.
  6. The system operator is entitled to document and evaluate the traffic data of individual users for the following purposes:
    1. to ensure proper system operation,
    2. for resource planning and system administration,
    3. to protect the personal data of other users,
    4. for billing purposes,
    5. for detecting and eliminating malfunctions, and
    6. for investigating and preventing illegal or abusive use.
  7. For the purposes listed in paragraph 6, the system operator is also entitled to access content data insofar as this is necessary for troubleshooting or for investigating and preventing violations of these user regulations and there are actual indications for this. The confidentiality of data and the four-eyes principle must be observed. In any case, access must be documented, and the affected user must be informed immediately after the purpose has been achieved.
    Access to e-mail inboxes is only permissible insofar as it is indispensable for troubleshooting in messaging services. No access to e-mail contents takes place.
    In case of justified suspicion of criminal offenses, the system operator acts in coordination with the university management and in consultation with the competent authorities and will, if necessary, take measures to secure evidence.
  8. In accordance with legal provisions, the system operator is obliged to maintain telecommunications and data confidentiality. The logging of connection data (e.g., access to a web server’s data) may only contain personal data during the time necessary to remedy a fault.

 

§ 7 Liability of the system operator and exclusion of liability

  1. The system operator does not guarantee that the system runs error-free and without interruption at all times. The respective system operator cannot guarantee the integrity (regarding destruction, manipulation) and confidentiality of the data stored.
  2. The system operator is not liable for any damages of any kind incurred by the user as a result of using the ICT resources according to § 1, unless otherwise required by statutory provisions.

 

§ 8 Consequences of unlawful use

In the case of actual indications or violations of legal provisions or these IT user regulations, in particular the rights and obligations of users pursuant to § 5, the user authorization may be restricted or revoked. It is irrelevant whether the violation caused material damage or not. Measures to restrict or revoke user authorization should only take place after a prior unsuccessful warning. The user must be given the opportunity to comment. After the user's statement and the respective supervisor's opinion, the decision on measures to restrict or revoke authorization is made by the Chancellor.

 

§ 9 Other regulations

  1. Fees or charges may be set for the use of the ICT infrastructure.
  2. Additional or deviating usage rules may be established for individual systems if required.

 

§ 10 Entry into force

  1. These IT user regulations were discussed by the CIO committee on 25.10.2011 and adopted by the Executive Board of the University of Kassel on 23.04.2012.
  2. The IT user regulations enter into force on 01.02.2013. They will be published in the online information services of the University of Kassel.

 

Kassel, 30.01.2013

 

On behalf

 

Signed

Dr. Robert Kuhn

- Chancellor -