Table of Contents
1. Purpose and Background
The University is committed to the privacy of individuals and safeguarding information about individuals subject to limitations imposed by local, state, and federal law and other provisions described herein. It also holds as core values the principles of academic freedom and free expression. All users of the University of Virginia’s information technology (IT) resources also play a critical role in maintaining the privacy, confidentiality, and integrity of each other’s electronically stored information as well as of University data. The purpose of this standard is to ensure that all users of UVA IT resources are aware of their obligations to protect the information to which they have been given access. In addition, the requirements listed below are compliant with both the Privacy and Confidentiality of University Information (IRM-012) and the Data Protection of University Information (IRM-003) policies. This standard applies to all users of UVA IT resources.
The following requirements are listed on the University’s Electronic Access Agreement, to which all users of UVA IT resources must sign and agree to abide by as a condition of that access.
- Anyone who accesses or makes use of UVA’s information technology (IT) resources is defined as a user and must abide by the following at all times and in all circumstances.
- Users will not obtain or attempt to obtain unauthorized access to UVA’s IT resources, circumvent or attempt to circumvent security controls on UVA’s IT resources, nor allow unauthorized users access to UVA’s IT resources.
- Users will not divulge or share their passwords, PINs, private keys, hardware tokens, or similar authentication elements (“electronic credentials”) to or with other individuals, including their supervisor or superior, nor allow others to use an account that has been logged into using their electronic credential.
- Users acknowledge that the combination of their UVA computing ID and electronic credential (or use of a hardware token) is considered equal to their electronic signature.
- Users understand that they will be held responsible for the consequences of any misuse occurring under their electronic credential due to any action or neglect on their part.
- Users will not use another user’s electronic credential.
- If a user has reason to believe that his/her electronic credential, or those of another individual have been compromised or is being used by a person other than the individual to whom it was issued, the user will immediately report the suspected compromise to the appropriate Information Security office in the UVA Academic Division, UVA Medical Center, or UVA Physicians Group.
- Users must immediately report any suspected breaches of confidentiality of highly sensitive data, including patient information, to the appropriate Information Security and Compliance offices via the online Security Incident Report form.
- Users agree to access or alter only the information for which they have responsibility and authorization, and not to view information that the user has no need to see as part of his/her responsibilities.
- Access to, or use of, any UVA IT resource and/or the data it contains (that was not already intentional made public) for the user’s own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity is strictly forbidden.
- Users will respect the privacy and confidentiality of individuals to whose information they have been given access. Users must not view or disclose that information except as required by their responsibilities and as allowed by UVA Academic Division, UVA Medical Center, and UVA Physicians Group policies and applicable law.
- Users understand that the transactions processed with their electronic access may be audited, and appropriate action will be taken if improper uses are detected.
- Users agree to follow the privacy, security, and other computing policies, standards, and procedures established by the UVA Academic Division, UVA Medical Center, and UVA Physicians Group, as well as all local, state, and federal laws, including security and privacy laws and regulations, that apply to the use of their electronic credential and to the UVA IT resources they access.
- Users understand these concepts apply to all UVA IT resources, both fixed and mobile devices (such as, but not limited to desktop computers, laptops, tablets, smartphones and text-enabled pagers).
- Users agree to safeguard the information they access and the devices assigned to them and report any losses promptly to the appropriate Information Security office.
- Users are responsible for reading, understanding and abiding by these requirements. Failure to do so may result in the limitation or revocation of their access to UVA IT resources. In addition, failure to comply with these requirements may result in disciplinary action, up to and including termination or expulsion in accordance with relevant University policies and may also violate local, state, or federal laws.
For a comprehensive list of the definitions found in the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies, please click here.
4. Related Links
- Acceptable Use of the University’s Information Technology Resources (IRM-002)
- Electronic Access Agreement (PDF)
If you think you need to request an exception to these requirements, please refer to the Exceptions Process.