This policy sets forth the manner in which Tufts’ institutional systems are to be used in general, and particularly when creating, using, disseminating, retaining, and disposing of institutional data.
All members of the Tufts community.
The electronic and physical systems owned or licensed by Tufts University used to store or access institutional data are institutional systems. These systems support the University’s instructional, research, and service mission, including all university related activities. Use of these systems, like those of other university resources and activities, is subject to all applicable laws and regulations; university policies, procedures, and standards; and contracts and licenses. All operation of institutional systems should therefore represent Tufts’ values and mission and management expectations for ethical behavior.
Authorized Individual Access
Tufts institutional systems are provided to authorized individuals for University-related purposes. All access and use must be properly controlled in a manner defined by management, and consistent with individual roles and job responsibilities.
Members of the Tufts community are entrusted with access to institutional systems on an individual basis. Members of the Tufts community are not permitted to extend access further to any other person by any means, including sharing access, providing unauthorized redistribution of services, or otherwise obfuscating the true identity of the user. Users are expected to take reasonable steps to prevent unauthorized access. Authorized access to institutional systems is generally expected to end when a user no longer has an official connection to the Tufts community.
Managers have the authority to limit the personal use of institutional systems. Such personal use cannot involve access to confidential data, interfere with work responsibilities, or place an undue burden on institutional systems.
Resource Management, Monitoring, and No Expectation of Privacy in Use
Use of institutional systems is not ultimately private. While Tufts does not routinely monitor individual usage of resources, normal operation and maintenance of resources requires logging of activity, backup and caching of data, and other activities necessary to provide services and ensure adherence to laws and regulations.
The University may, at its sole discretion and without notice to the individual:
- Monitor the activity of individuals without notice whenever there is reasonable cause to believe that a law, contract, or any Tufts policy is being violated.
- Utilize the results of any general or individual monitoring in appropriate university disciplinary proceedings or in litigation; and
- Disclose the results of any such monitoring, including the contents and records of individual communications, to appropriate University personnel, local, state, or federal law enforcement agencies, and pursuant to legal process (such as a subpoena).
Security and Local Policies/Practices
The University employs various administrative, technical, and physical controls to reduce inherent risks associated with using institutional systems and to safeguard institutional data. However, security cannot be guaranteed solely with centralized controls. School, division, departmental, and individual controls, policies, and practice should establish and maintain appropriate access control and security, including the use of anti-virus software, personal firewalls, secure storage areas for physical media, user accounts, and authorized forms of encryption for institutional data and institutional systems.
Administrative, physical, and technical controls serve to reinforce Tufts’ interpretations of responsible use, verify trust placed in individuals, and limit their authorization to institutional systems and institutional data. Disabling, deliberately circumventing, or probing or testing such controls threatens the entire network of institutional systems, and is a violation of this policy.
When an institutional system has been compromised or may not be operating under appropriate management control—and in order to protect the confidentiality, integrity, or availability of institutional systems, institutional data or to otherwise protect the University—management may temporarily disable, disconnect, or contain any account, device or system, prior to, during, or upon completion of an investigation.
Resource Exhaustion and Disruption of Others
Operation of institutional systems must respect the finite capacity of those systems and limit use so as not to consume an unreasonable amount of systems capacity or to interfere unreasonably with the activity of other users. The University may require users of institutional systems to limit, schedule, coordinate, or refrain from specific uses in order to ensure that adequate resources are available to all users.
Depending on the circumstances, and in management’s sole discretion, members of the Tufts community who violate this policy may be denied access to institutional data and systems, and may be subject to other penalties and disciplinary action, both within and outside of the University. The University may refer suspected violations of applicable law to appropriate law enforcement agencies.
Information Stewardship Committee
Information Technology Advisory Council
Information Technology Leadership Forum
University Library Council
Institutional Compliance Executive Committee
September 15, 2011
September 20, 2011; revised December 1, 2012
David Kahle, Vice President for Information Technology and Chief Information Officer
Tufts Technology Services
Digital Collections and Archives
For questions about using electronic institutional systems:
For general questions, contact email@example.com
The University reserves the right to change this policy from time to time. Proposed changes will normally be developed by the policy managers with appropriate stakeholders. The review entities have sole authority to approve changes to this policy.
Information Stewardship Policy
Information Stewardship Policy
Information Classification and Handling Policy
Information Roles and Responsibilities Policy