User regulations for the information processing and communication infrastructure of the University of Kassel (IT user regulations)

Stand:

The IT User Regulations of the University of Kassel regulate the use of the information processing and communication infrastructure (ICT infrastructure), which is provided for the fulfillment of the university's tasks in accordance with the Hessian Higher Education Act (HHG).

It specifies the conditions under which the IT systems, IT services and communication networks may be used in order to ensure the availability, integrity and confidentiality of the systems and the proper execution of teaching, research and administration.

The regulations ensure that all users act in accordance with legal and ethical standards and protect both the rights of third parties and the university's data.

It applies to all members of the University of Kassel, including those who use the infrastructure on non-university-owned devices for university purposes.

IT user regulations of the university - full text

User Regulations for the Information Processing and Communication Infrastructure of the University of Kassel (IT User Regulations)

 

Preamble

§ 1 Scope of application
§ 2 User group
§ 3 User authorizations
§ 4 Legal integration
§ 5 Rights and obligations of users
§ 6 Tasks, rights and obligations of the system operator
§ 7 Liability of the system operator and exclusion of liability
§ 8 Consequences of unlawful use
§ 9 Other regulations
§ 10 Entry into force

 

The University of Kassel, its departments and central facilities operate an information processing and communication infrastructure (ICT infrastructure). The IT systems, IT services and internal university communication networks serve to support the University of Kassel's statutory tasks in accordance with Section 3 of the Hessian Higher Education Act (HHG).

The IT infrastructure is connected to the Internet.

 

The IT user regulations regulate the conditions under which the range of services of this infrastructure can be used. They support the following objectives in particular:

  • Ensuring the availability, integrity and confidentiality of the IT systems used at the University of Kassel and the data processed and stored on them,
  • Ensuring smooth teaching, research and administrative operations,
  • Ensuring the proper operation of the IT infrastructure,
  • Protection of third-party rights and data to be protected (copyright, software licenses, network operator requirements, data protection aspects),
  • Obligation of users to behave lawfully and to use the resources offered economically,
  • Obligation of system operators to operate the system correctly,
  • Prevention of violations of the IT user regulations.

 

§ 1 Scope of application

These IT user regulations apply to the IT infrastructure operated by the University of Kassel, consisting of information processing systems, communication systems, other auxiliary facilities, the IT services offered and, when used on non-university-owned devices, for purposes in accordance with § 2 paragraph 1.

 

§ 2 User group

  1. The resources named in § 1 are available to members and affiliates of the University of Kassel in accordance with § 32 of the Hessian Higher Education Act (HHG) for the fulfillment of their tasks in research, studies, teaching, administration, training and further education and public relations.
  2. Other persons and institutions may be permitted to use the IT Service Center if this is in the interests of the University of Kassel.
    Other persons and institutions include in particular
    1. Members and affiliates of other universities of the State of Hesse or state universities outside the State of Hesse on the basis of special agreements;
    2. other state research and educational institutions and authorities of the State of Hesse on the basis of special agreements and the associated persons;
    3. Members and affiliates of cooperating universities;
    4. cooperating external institutions (e.g. Studentenwerk, AStA) and the associated persons.

 

§ 3 User authorizations

  1. Use of the ICT infrastructure requires formal user authorization (e.g. user ID, network connection, network access) from the responsible system operator.
  2. A fixed network connection of the computers to the university network can only be requested by staff members. Other members or affiliates of the University of Kassel can only apply to connect a computer if the assumption of the costs is guaranteed by specifying a university cost center and by the signature of the person responsible for the cost center.
  3. System operators
    1. for central systems and services in accordance with Appendix 1 of these user regulations are the IT Service Center, the University Library and the Teaching Service Center.
    2. For decentralized systems, the respective organizational unit of the University of Kassel in which the system is operated (e.g. department).
  4. The application for user authorization must be submitted in a form that enables secure authentication (e.g. written form, de-mail, digital signature, electronic ID card) and must contain the following information:
    • System operator from whom the user authorization is requested,
    • Systems for which the user authorization is requested,
    • Applicant (name, address and telephone/fax number or e-mail address of the applicant, assignment to an organizational unit of the university, matriculation number for students),
    • for a user authorization pursuant to para. 2, additionally the cost center and the signature of the person responsible for the cost center,
    • Details of the computer or connection at the university, requirements for the system for which user authorization is requested,
    • If the user is not a member or affiliate of the University of Kassel within the meaning of Section 2 (1), a declaration that the user recognizes the user regulations and consents to the collection and processing of their own personal data for the purpose of user administration.
  5. The responsible system operator shall decide on the application. He may make the granting of user authorization dependent on proof of certain knowledge about the use of the system.
  6. The granting of user authorization may be refused, revoked or subsequently restricted if
    1. it is not sufficiently likely that the applicant will fulfill his obligations as a user (see § 8),
    2. the system is obviously unsuitable for the intended use or is reserved for special purposes, or
    3. the capacity of the system for which use is requested is insufficient due to existing utilization

 

§ 4 Legal integration

  1. The ICT infrastructure may only be used in a legally correct manner. It is expressly pointed out that the following are punishable under the Criminal Code
    1. Spying on data (§ 202a StGB),
    2. unlawful alteration, deletion, suppression or rendering unusable of data (§ 303a StGB),
    3. computer sabotage (Section 303b StGB) and computer fraud (Section 263a StGB),
    4. the dissemination of propaganda material of unconstitutional organizations (Section 86 StGB) or racist ideas (Section 130 StGB),
    5. the dissemination of pornographic images via media or teleservices (Section 184 d StGB),
    6. defamation offenses such as insult or slander (§ 185 ff. StGB), insults to denominations, religious societies or ideological associations (§ 166 StGB),
    7. Copyright infringements, e.g. by copying software in breach of copyright or entering protected works into a data processing system (Sections 106 et seq. UrhG)
  2. In some cases, even the attempt is punishable
  3. Users and system operators must observe the provisions of the Hessian Data Protection Act

 

§ 5 Rights and obligations of users

  1. The resources specified in § 1 may only be used for the purposes specified in § 2 para. 1.
  2. The user is obliged to observe the provisions of these IT usage regulations and to comply with the limits of the respective usage authorization, in particular
    1. the proper workflow
    2. the protection of IT systems against unauthorized, improper and abusive use
    3. the proper use of passwords (the respective password policy is determined by the system operator),
    4. to refrain from identifying or using third-party user IDs and passwords,
    5. the exclusive use of approved, valid programs and operating systems.
  3. The user is also obliged
    1. to comply with the statutory regulations (copyright protection) when using software, documentation and other data and
    2. to observe the license conditions under which software, documentation or data acquired under license agreements are made available.
  4. The user is not permitted, without the consent of the system operator
    1. interfere with the hardware and software installations or
    2. change the configuration of the operating systems, the network and the software.
  5. The user is obliged to report any plans for the automated processing of personal data to the data protection officer of the University of Kassel and to coordinate these with the respective system operator.
  6. The user is obliged
    1. to provide the person responsible for the system with information about programs and methods used for monitoring purposes in justified individual cases upon request - in particular in the event of justified suspicion of misuse and for troubleshooting purposes.
    2. to inform themselves about the respective local and system-related conditions and regulations before installing software and to comply with these.
  7. The following provisions apply with regard to the user's liability:
    1. The user shall be liable for all disadvantages incurred by the University as a result of misuse or unlawful use of the IT resources and user authorization or as a result of the user culpably failing to comply with his/her obligations under these user regulations. The University may demand that misused resources and other costs be reimbursed by the user in accordance with the Fee Regulations.
    2. The user is also liable for damages caused by third-party use within the scope of the access and usage options made available to him/her, if he/she is responsible for this third-party use, in particular in the event of his/her user ID or password being passed on to third parties. In this case, the University may charge the user a fee for the third-party use in accordance with the Fee Regulations.
    3. The user shall indemnify the University against all claims if third parties assert claims against the University for damages, injunctive relief or in any other way due to improper or unlawful conduct on the part of the user. This includes, in particular, liability for illegal third-party content which the user makes his own.

If the user is in a civil servant, employment or training relationship with the University, claims for damages shall be governed by the relevant civil service or collective bargaining regulations.

 

§ 6 Tasks, rights and obligations of the system operator

  1. The system operator may keep a user file with the user's inventory data on the user authorizations granted. The application documents for the granting of user authorizations must be kept for two years after the authorization expires.
  2. The system operator shall disclose the persons responsible for maintaining its systems. The system operator and the system administrators are obliged to maintain confidentiality. In particular, all passwords must be processed in accordance with current security standards.
  3. The system operator may temporarily restrict the use of its resources or temporarily block individual user IDs if this is necessary to rectify faults, for system administration and expansion or for reasons of system security and to protect user data. The affected users must be informed immediately.
  4. If there are reasonable indications that a user is providing illegal content for use on the system operator's systems, the system operator may prevent further use until the legal situation has been sufficiently clarified.
  5. The system operator is entitled to check the security of the user passwords and user data by means of regular manual or automated measures and to implement necessary protective measures, for example changes to easily guessable or outdated passwords, in order to protect the IT resources and user data from unauthorized access by third parties. The user must be informed immediately of any necessary changes to user passwords, access authorizations to user files and other protective measures relevant to use.
  6. The system operator is authorized to document and evaluate the traffic data of individual users for the following purposes:
    1. to ensure proper system operation,
    2. for resource planning and system administration,
    3. to protect the personal data of other users
    4. for billing purposes,
    5. for the detection and elimination of faults and
    6. to clarify and prevent unlawful or improper use.
  7. For the purposes listed in para. 6, the system operator is also entitled to inspect the content data if this is necessary to eliminate current malfunctions or to clarify and prevent violations of the user regulations and if there are actual indications of this. Data secrecy and the principle of dual control must be observed. In any case, the inspection must be documented and the user concerned must be informed immediately after the purpose has been achieved.
    However, inspection of email inboxes is only permitted if this is essential to rectify current disruptions in the messaging service. The contents of the emails will not be inspected.
    In the event of substantiated evidence of criminal offenses, the system operator will act in consultation with the university management in consultation with the responsible authorities and will - if necessary - take measures to preserve evidence.
  8. In accordance with the statutory provisions, the system operator is obliged to maintain telecommunications and data secrecy. The logging of connection data (e.g. access to the database of a WWW server) may only contain personal data during the time required to rectify a fault.

 

§ 7 Liability of the system operator and exclusion of liability

  1. The system operator does not guarantee that the system will run error-free and without interruption at all times. The respective system operator cannot guarantee the integrity (in terms of destruction, manipulation) and confidentiality of the data stored with him.
  2. The system operator is not liable for damages of any kind incurred by the user from the use of the ICT resources in accordance with § 1, unless otherwise stipulated by law.

 

§ 8 Consequences of unlawful use

If there are factual indications or violations of statutory provisions or of the provisions of these IT user regulations, in particular the rights and obligations of users in accordance with § 5, the authorization to use may be restricted or revoked. It is irrelevant whether the violation resulted in material damage or not. Measures to restrict or revoke user authorization shall only be taken after a prior unsuccessful warning. The user must be given the opportunity to comment. The Chancellor shall decide on measures to restrict or withdraw the user's authorization to use the university after consulting the respective superior.

 

§ 9 Other regulations

  1. Charges or fees may be set for the use of the ICT infrastructure.
  2. For individual systems, supplementary or deviating rules of use can be defined if necessary

 

§ 10 Entry into force

  1. These IT usage regulations were discussed by the CIO committee on 25.10.2011 and approved by the Executive Board of the University of Kassel on 23.04.2012.
  2. The IT user regulations come into force on 01.02.2013. They will be included in the University of Kassel's online information service.

 

Kassel, 30.01.2013

 

By proxy

 

signed.

Dr. Robert Kuhn

- Chancellor -