Data Protection and Interception Statement for Informatics Managed Systems

This statement relates to the automatic collection, storage and use of Personal Data by the managed systems of the School of Informatics, other than the teaching and HR databases and their associated systems.

This page should be read in conjunction with the University privacy notices, which are maintained by Records Management.

Personal Data (under the terms of the Data Protection Act 2018) are collected and processed by the School's managed systems for the following purposes:

  1. To enable the University's core functions of teaching, research and outreach.
  2. To ensure that the School's resources are accessible only to authorised users.
  3. For fault-finding and debugging.
  4. For auditing and security investigations.
  5. For planning and resource allocation.
  6. For accounting and charging.
  7. With the Head of School's explicit permission.

We do not automatically collect any Special Categories of Personal Data as part of this process. Note, however, that such data may exist within the Support and ISS RT systems as a result of having been entered there by users themselves. In such cases, processing will be on the basis of explicit consent.

Our managed Linux desktops generally store data for 4 weeks, with mail logs retained for 6 weeks. These retention periods also apply to our multi-user machines such as the staff and student login machines, and most servers. Logs which contain Personal Data are accessible only to computing staff. Retention periods are set based on the above purposes, guided by industry best practice.

Some services have specific additional retention periods:

  • Our account management, authentication and directory servers necessarily hold Personal Data relating to user accounts for the entire time the accounts are valid. These are deleted after users leave, in accordance with University policy.
  • Our VPN endpoints retain connection data for 13 weeks, to aid with fault-finding and debugging.
  • Web logs are retained for 26 weeks.
  • Our mail relays retain traffic logs for 2 months. Individual mail messages are not retained after they are delivered to their destinations. (Mail messages sent to the RT systems are kept for 1 month by those systems, and to the Informatics Database for 3 months for the purposes of fault-finding and debugging.)
  • Per-user printing statistics are kept for 6 months. Anonymous per-queue statistics are kept indefinitely.
  • Content and version management systems will normally retain meta-information regarding pages and files for as long as they are managed by the system.
  • The Support Request Tracker page describes the processing of support tickets.
  • The ISS Request Tracker is separate to the Support Request Tracker. It stores tickets that are managed by ISS. The retention policy for ISSRT is set on a queue-by-queue basis and has been agreed with the Head of Knowledge Management. In summary, the intention is to keep all ISSRT tickets for approximately one year after a student has left his or her current course of study or one year after an application has been made.
  • AFS volume-use statistics are kept for planning and resource-allocation for a period of 6 months.
  • The allocation of equipment (e.g. laptops) to individuals is recorded in the School asset management system. This information is retained until the equipment is returned to the University.

Most machines also send data to our central loghosts for further processing, where they are accessible only to computing staff, and where the retention period is 120 days. Summaries are available to authenticated users. During this period, some data are extracted and anonymised for research and planning purposes.

All non-anonymous data are automatically deleted at the end of their retention periods.

Some of the collected data may include URLs, or otherwise identify web pages. This "interception" takes place under the terms of section 3(3) of the Regulation of Investigatory Powers Act 2000 for fault-finding and debugging, or under the associated "Lawful Business Practice" regulations with the Head of School's permission.

In addition to data on the use of MAC and IP addresses on the School's network, which are retained for 120 days, we also collect packet and error counts for all connected wall- and floor-ports, for fault-finding, planning and resource allocation. These are consolidated daily and then weekly, and can be viewed by following the links on our monitoring pages, available only to internal Informatics users.

Our teaching and HR databases and associated systems are operated in conformance with the University's central policies, available on the Records Management and Human Resources sites.

Self-managed machines are required to follow the School's logging policy. Please contact these machines' managers for details.

Services which are provided centrally (for example, staffmail, wireless) follow University-wide policies, and the corresponding documentation should be consulted regarding their use of personal data.

See also the School's statement on "cookies and logging" in relation to our web pages.
