REVISION HISTORY: July 1, 2020
1. Purpose and Background
All users of University information technology (IT) resources are required to use them in an ethical, professional, and legal manner as detailed in the University's Acceptable Use of the University’s Information Technology Resources (IRM-002) policy. In addition, the University is committed to the privacy of individuals and safeguarding information about individuals subject to limitations imposed by local, state, and federal law and other provisions described herein. It also holds as core values the principles of academic freedom and free expression. All users of the University of Virginia’s information technology (IT) resources also play a critical role in maintaining the security, integrity, privacy, and confidentiality of each other’s electronically stored information as well as of University data. The purpose of this standard is to ensure that all users of UVA IT resources are aware of their obligations to protect the information to which they have been given access. In addition, the requirements listed below are compliant with both the University's Privacy and Confidentiality of University Information (IRM-012) and Data Protection of University Information (IRM-003) policies. This standard applies to all users of UVA IT resources.
The following requirements are listed on the University’s Electronic Access Agreement, which all users of UVA IT resources must sign and agree to abide by as a condition of that access.
Anyone who accesses or makes use of UVA’s information technology (IT) resources is defined as a user and must abide by the following at all times and in all circumstances.
- Users will not obtain or attempt to obtain unauthorized access to UVA’s IT resources, circumvent or attempt to circumvent security controls on UVA’s IT resources, nor allow unauthorized users access to UVA’s IT resources.
- Users will not divulge or share their passwords, PINs, private keys, hardware tokens, or similar authentication elements (“electronic credentials”) to or with other individuals, including their supervisor or superior, nor allow others to use an account that has been logged into using their electronic credential.
- Users acknowledge that the combination of their UVA computing ID and electronic credential (or use of a hardware token) is considered equal to their electronic signature.
- Users understand that they will be held responsible for the consequences of any misuse occurring under their electronic credential due to any action or neglect on their part.
- Users will not use another user’s electronic credential.
- If a user has reason to believe that his/her electronic credential, or that of another individual, has been compromised or is being used by a person other than the individual to whom it was issued, the user will immediately report the suspected compromise to the appropriate Information Security office in the UVA Academic Division, UVA Medical Center, or UVA Physicians Group.
- Users must immediately report any suspected breaches of confidentiality of highly sensitive data, including patient information, to the appropriate Information Security and Compliance offices via the online Security Incident Report form.
- Users agree to access or alter only the information for which they have responsibility and authorization, and not to view information that the user has no need to see as part of his/her responsibilities.
- Access to, or use of, any UVA IT resource and/or the data it contains (that was not already intentionally made public) for the user’s own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity is strictly forbidden.
- Users will respect the privacy and confidentiality of individuals to whose information they have been given access. Users must not view or disclose that information except as required by their responsibilities and as allowed by UVA Academic Division, UVA Medical Center, and UVA Physicians Group policies and applicable law.
- Users will not use UVA IT resources to access or disclose the address, email address or phone number of a student unless they have a legitimate educational interest in that information.
- Users understand that the transactions processed with their electronic access may be audited, and appropriate action will be taken if improper uses are detected.
- Users agree to follow the privacy, security, and other computing policies, standards, and procedures established by UVA Wise, UVA Academic Division, UVA Medical Center, and UVA Physicians Group, as well as all local, state, and federal laws, including security and privacy laws and regulations, that apply to the use of their electronic credential and to the UVA IT resources they access.
- Users understand these concepts apply to all UVA IT resources, both fixed and mobile devices (such as, but not limited to, desktop computers, laptops, tablets, smartphones, and text-enabled pagers).
- Users agree to safeguard the information they access and the devices assigned to them and report any losses promptly to the appropriate Information Security office.
- Users are responsible for reading, understanding and abiding by these requirements and applicable policies. Failure to do so may result in the limitation or revocation of their access to UVA IT resources and/or disciplinary action, up to and including termination or expulsion in accordance with relevant University policies.
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
- Acceptable Use of the University’s Information Technology Resources (IRM-002)
- Data Protection of University Information (IRM-003)
- Privacy and Confidentiality of University Information (IRM-012)
- Electronic Access Agreement (PDF)
If you think you need to request an exception to these requirements, please refer to the Exceptions Process.