Regulations for the use of IT for students at Nord University

This document outlines the guidelines for responsible use of Nord University's IT equipment, network and software. All questions regarding the interpretation of these principles should be directed to IT Helpdesk.

• IT equipment and network provided to the student should be used for private purposes to a limited extent, and private data stored on the machine is not the responsibility of the university.
• IT equipment, network and resources must not be used commercially or for activities unrelated to the university's operations.
• The possibility of shared use of equipment, network and information entails a responsibility to use the systems legally and always act responsibly. It is expected that students at the university respect others' rights and use the resources thoughtfully.

There are several information channels from the IT service to users (internet, email, notices, user support tips, etc.). We assume that all students familiarise themselves with what is written in these channels.

All students are responsible for keeping themselves informed about the university's routines and guidelines for information security and privacy.

Before using computer equipment (such as computers, printers, and software), each individual must familiarize themselves with the use of the relevant equipment and ensure they have the necessary access and competence.

It is not permitted to attempt to gain access to computer systems one should not have access to.

It is not permitted to handle material that may be offensive or provocative to others - e.g., defamatory statements or pornographic material.

The network/internet should not be used to transfer information that is not study-related.

Computer and network resources are limited. All users are responsible for using the resources efficiently, ethically, and legally. It is not permitted for individuals to install programs or make other changes to computer systems without the IT service's approval.

All use of computer resources and networks must comply with Norwegian law. Especially when handling personal data, one should adhere to the Personal Data Act.

All equipment (e.g., private PCs, USB sticks, external drives) used with the university's systems must be checked for viruses and other malware at all times. If in doubt, contact IT Helpdesk.

All equipment (e.g., private PCs, USB sticks, external drives) used with the university's systems must be checked for viruses and other malware at all times. If in doubt, contact IT Helpdesk.

All users are assigned a personal user account with an associated password. The password should be kept secret, chosen carefully, and treated similarly to passwords for, e.g., online banking.

If one suspects that others know the password, it should be changed as soon as possible. It is not permitted to act anonymously, impersonate someone else, or use a false identity.

The university uses two-factor authentication on its Microsoft 365 account.

The university uses cloud storage services. Student data is stored in Microsoft 365 with Microsoft.

No backup is taken of data stored in M365 beyond the 30-day retention period on the account.

When student rights expire, the account and data will be deleted after 60 days.

Emails should only be sent to recipients who can be expected to have some interest in receiving them from you.

Be cautious about opening links and attachments from people you do not usually communicate with, always check the link's address before clicking, and if it is suspicious, check with the sender.

REMEMBER: STOP – THINK – CLICK

Violations of the IT regulations may, in certain cases, result in sanctions such as expulsion and exclusion in accordance with the Act on Universities and University Colleges, Chapter 12. Serious breaches of security provisions and these guidelines, as well as misuse, may result in criminal liability under Norwegian law.

This also applies to misuse that causes the university financial loss or liability (e.g., illegal copying, internet use, etc.). IT services staff may take necessary actions to ensure the availability, functionality, and integrity of Nord University's IT resources.

If actions affect the user's use of IT resources, the user should, if possible, be notified in advance and in any case without undue delay and as soon as practically possible.

The university disclaims responsibility for data loss not stored on the university's computer systems. If in doubt about whether your use of resources is in accordance with good practice, ask the IT department.

Disclosure of Information

Initial comments:

The use of information technology produces many traces and information, some of which are stored in Nord's systems because they are needed to operate IT systems. This may be to detect errors or problems, measure resource usage, or improve performance. Regardless, Nord has some log information.

The logs are created for one purpose: to support the operation of Nord's IT systems. Other purposes, such as monitoring user behavior or proving whether they have committed criminal acts, are irrelevant to Nord and are not a justification for their existence.

Handling them should follow the purpose limitation principle and should not be used for purposes other than the original purpose. Applied to a question of disclosure, this strongly leans towards a negative answer.

The police and prosecution authorities have the right to identify who has used a given IP address at a given time.

Secondly, there are more extensive rules that give them the right to secure logs, i.e., require Nord to retain specifically designated logs (but not disclose them), typically pending a court order.

Nord may provide access to information, logs, and backups to third parties when this is authorized by law or regulation, as well as upon presentation of a legal decision.