Privacy and Interception Statement for Informatics Managed Systems

This privacy statement relates to the automatic collection, storage and use of Personal Data by the managed systems of the School of Informatics, other than the teaching and HR databases and their associated systems.

This page should be read in conjunction with the University privacy notices, which are maintained by Records Management.

Personal Data (under the terms of the Data Protection Act 2018 and the General Data Protection Regulation) are collected and processed by the School's managed systems for the following purposes:

  1. To enable the University's core functions of teaching, research and outreach.
  2. To ensure that the School's resources are accessible only to authorised users.
  3. For fault-finding and debugging.
  4. For auditing and security investigations.
  5. For planning and resource allocation.
  6. For accounting and charging.
  7. With the Head of School's explicit permission.

Except as noted below, the basis for processing by these systems will be either "Contract" where the processing is an essential part of the service provision, or "Legitimate Interest" for tasks concerned with the security or general management of the systems. We do not use the Personal Data for any form of automated individual decision-making or profiling, other than to control access to the School's resources.

We do not collect any Special Categories of Personal Data as part of this process. Note, however, that such data may exist within the Support and ISS RT systems as a result of having been entered there by users themselves. In such cases, processing will be on the basis of explicit Consent.

Note that users' "entitlements" (including group, course and module membership) are accessible to all of the School's systems. This is necessary to allow systems to grant access to resources only to properly authorized users. This information is not visible outside the School at all.

Our managed Linux desktops generally store data for 4 weeks, with mail logs retained for 6 weeks. These retention periods also apply to our multi-user machines such as the staff and student login machines, and most servers. Logs which contain Personal Data are accessible only to computing staff. Retention periods are set based on the above purposes, guided by industry best practice.

Some services have specific additional retention periods:

  • Our account management, authentication and directory servers necessarily hold Personal Data relating to user accounts for the entire time the accounts are valid. These are deleted after users leave, in accordance with University policy.
  • Our VPN endpoints retain connection data for 13 weeks, to aid with fault-finding and debugging.
  • Web logs are retained for 26 weeks.
  • Our mail relays retain traffic logs for 2 months. Individual mail messages are not retained after they are delivered to their destinations. (Mail messages sent to the RT systems are kept for 1 month by those systems, and to the Informatics Database for 3 months for the purposes of fault-finding and debugging.)
  • Per-user printing statistics are kept for 6 months. Anonymous per-queue statistics are kept indefinitely.
  • Content and version management systems will normally retain meta-information regarding pages and files for as long as they are managed by the systems. This provides an audit trail and a change history.
  • The Support Request Tracker page describes the processing of support tickets.
  • The ISS Request Tracker is separate from the Support Request Tracker. It stores tickets that are managed by ISS. The retention policy for ISSRT is set on a queue-by-queue basis and has been agreed with the Head of Knowledge Management. In summary, the intention is to keep all ISSRT tickets for approximately one year after a student has left his or her current course of study or one year after an application has been made.
  • AFS volume-use statistics are kept for planning and resource-allocation for a period of 6 months.
  • The allocation of equipment (e.g. laptops) to individuals is recorded in the School asset management system. This information is retained until the equipment is returned to the University.

Most machines also send data to our central loghosts for further processing, where they are accessible only to Computing staff, and where the retention period is 120 days. Per-user summaries are available to authenticated users. During this period, some data are extracted and anonymised for research and planning purposes.

All non-anonymous data are automatically deleted at the end of their retention periods.

Some of the collected data may include URLs, or otherwise identify web pages. This "interception" takes place under the terms of section 3(3) of the Regulation of Investigatory Powers Act 2000 for fault-finding and debugging, or under the associated "Lawful Business Practice" regulations with the Head of School's permission.

In addition to data on the use of MAC and IP addresses on the School's network, which are retained for 120 days, we also collect packet and error counts for all connected wall- and floor-ports, for fault-finding, planning and resource allocation. These are consolidated daily and then weekly, and can be viewed by following the links on our monitoring pages, available only to internal Informatics users.

Our teaching and HR databases and associated systems are operated in conformance with the University's central policies, available on the Records Management and Human Resources sites.

Self-managed machines are required to follow the School's logging policy. Please contact these machines' managers for details.

Services which are provided centrally (for example, staffmail, wireless) follow University-wide policies, and the corresponding documentation should be consulted regarding their use of Personal Data.

See also the School's statement on "cookies and logging" in relation to our web pages.

Last reviewed: 04/06/2020
