Information Technology (IT) Policy on Computing Resources, Privacy, and Copyright

This Information Technology (IT) Policy (“Policy”) applies to all Authorized Users of Technology Resources owned, managed, or otherwise provided by the University. All capitalized terms within this Policy not defined within an applicable section are defined in Section IV below. 

The University’s technology infrastructure exists to support the academic and administrative activities needed to fulfill the University’s mission. Access to Technology Resources is valuable for community members to communicate and conduct business, as well as to retain and exchange knowledge. Access to these resources, however, is a privilege that should be exercised responsibly, ethically, and lawfully.

The purpose of this Policy is to provide guidelines to protect the security of the Technology Resources that are available for members of the University community. It also establishes each member’s role in protecting its information assets, and to communicate minimum expectations for meeting these requirements. Fulfilling these objectives will enable the University to implement a comprehensive system-wide information security program. 

The University will make reasonable efforts to respect Users’ privacy. However, Users do not have, and should not expect, any right to privacy for communications transmitted or stored on the University’s Technology Resources, except as provided by applicable law. Additionally, in response to a judicial order or any other action required by law or permitted by University policy or as otherwise considered reasonably necessary to protect or promote the legitimate interests of the University, the University may authorize a University official or an authorized agent, to access, review, monitor, and/or disclose computer files associated with a User’s account. Examples of situations where the exercise of this authority would be warranted include, but are not limited to, the investigation of violations of law or the University’s rules, regulations, or policies, or when access is considered necessary to conduct University business due to the unexpected absence of a User or to respond to health or safety emergencies.

Account Management applies to the account assigned to you when you first become affiliated with the University. The University generates and assigns unique authentication credentials to Users at the University. This account provides electronic access to services. Only one account is provided to an individual at the time the individual initially assumes or resumes a relationship with the University. The account remains the property of the University and the University reserves the right to change, delete, or add credentials. Obtaining an account is a prerequisite for accessing Technology Resources and is used to identify and authenticate an individual.

Any hardware or devices provided by the University to any University employee are to be returned on the last day of employment.

The University provides internet and network access only. The University does not provide hardware or software for personally owned devices. Personally owned devices may have limited access to Technology Resources compared to using a University-owned device.

Access to University owned data from personally owned devices is permissible when appropriate safeguards are utilized. For the security of University owned data, the following usages are not permitted:

Faculty or staff who connect a personally owned device to the University network must take responsibility for their own device and its use, which includes:

The University reserves the right to prevent access of a personally owned device to the campus network or system if the device poses a threat to the integrity of the University’s Technology Resources. The University also reserves the right to retrieve and remove University owned data from unapproved devices.

Technical Support for your Device

All maintenance for a personally owned device, including software installations and updates and apps purchased will be the responsibility of the owner. Staff at the University Help Desk, available at 215-572-2898, will be able to offer help connecting to the network and can assist with other general troubleshooting queries. Staff at the Help Desk will not be able to provide support for complex problems with personally owned devices.

All Authorized Users must employ a unique password that meets the following criteria:

Passwords must not be shared, written down, or recorded in an unsecured state. If a password needs to be recorded, the owner of the account must use the University owned and approved tool for password management.  For information about the current University owned and approved password management tool, Authorized Users may contact the HelpDesk.

If a password is forgotten or needs to be reset, then the User must provide additional information to verify their identity. The Help Desk will ask to confirm at least two of the following before resetting your password:

Resetting your password will result in a temporary password that must be changed again by the User before it can be used.

Your University password is valid for 365 days.  You will be required to change your password when this period is over. Information technology staff at the University may ask you to reset your password outside of the regularly scheduled interval if account compromise is suspected.

Human Resources is the only approved party for requesting accounts of new employees to the University or asking for accounts to be terminated.  Email is available for all full time faculty and staff, part time faculty and staff, adjunct faculty, student workers, and interns who are assigned a work account to conduct and communicate Arcadia business. 

In all circumstances, student workers and interns will be provisioned a separate account in order to complete their work for the University (accounts can be requested through this form). All correspondence related to their work must be completed using this account and not their original student account. The account will be provisioned upon request from the student worker’s supervisor and will remain active until the end of the academic year, after which it will be automatically deactivated. If an account needs to be used for a longer period of time, the supervisor must submit a request for an extension of the use of the student account using the above form.

Email is available for all undergraduate, graduate, dual-enrollment, and international students to support learning and for communication between the University and themselves. 

Individuals such as visitors, board members, emeritus/retired faculty and staff, alumni, vendors and contractors, or others who are not employees or students of the University, can be granted an email address which may be discontinued by the University at any time. For additional details on each relationship, please see the Technology Resource User Table as defined in Section III. A of this Policy.

The following are all categories of special email account types or groups. Each of these are implemented under specific use cases which are detailed in the sections below. All requests for these types of accounts must be submitted to and approved by the Information Technology department. If you would like to discuss different account and group solutions to meet your needs, please contact Information Technology.

Arcadia is free to discontinue the use of these accounts at any time.

Shared and generic accounts are in opposition to common security best practices. They will be approved on a case-by-case basis by the University’s Information Technology department. These requests can be submitted through the Help Desk. Each of these accounts will require a staff member to be the account sponsor. This sponsor will be responsible for ensuring the appropriate individuals have access to the account and will approve or deny requests for modifications or additions to the account. 

Service accounts have the ability to sign in to systems/services and are to be used only for automated processes and services. Provisioned service accounts must not be used by an individual to login or to complete daily or recurring tasks. These accounts are not assigned to a specific individual, but require a named account administrator. This staff member will be responsible for information regarding usage and continued existence of the service account.

Distribution groups are to be used for receiving email and distributing it to multiple users. They do not have the ability to authenticate to resources, meaning it cannot sign in to Gmail as it does not have an inbox. In addition, these groups cannot access Google Drive and other Google resources. The group also has the ability to reply to received emails as long as the individual has authorized access to send from this group.

Similar to shared and generic accounts, distribution groups are typically designated to a department or subset of a department but can also be allocated to a committee, club/organization, or other group of people. Distribution groups require an account administrator who is responsible for ensuring that the appropriate individuals are included in the group and will approve or deny requests for modifications or additions to the group. 

These accounts are only provisioned under specific circumstances:

All use of University email accounts must comply with the University’s Acceptable Use Policy. 

This section applies to all University email accounts provided through the University’s email service. The purpose of this section is to establish the University’s policy regarding the retention of University emails. Authorized Users of the University’s email service are responsible for maintaining their email accounts in accordance with this Policy. 

The University respects the privacy of its email users. It does not routinely inspect, monitor, or disclose email. Nonetheless, subject to the requirements for authorization, notification, and other conditions specified in this section, the University may deny access to its email services and may inspect, monitor, or disclose email in accordance with the University Acceptable Use Policy. Email, whether or not created or stored on University Technology Resources, may constitute a University record subject to disclosure or other laws, or as a result of litigation. However, the University does not automatically comply with all requests for disclosure, but evaluates all such requests against the precise provisions of laws concerning disclosure and privacy, or other applicable law. 

Authorized Users of the University’s Technology Resources whose actions violate this or any University policy may be subject to revocation or limitation of email privileges as well as other disciplinary actions or may be referred to appropriate external authorities.

Virtual Private Network (VPN) service is managed and provided by the Information Technology department for Authorized Users at the University who require remote and secure access. 

VPN access is provided for the campus community provided Users adhere to all established policies relating to the use of the University network and associated Technology Resources as well as applicable local, state and federal laws.

VPN access will require authentication by username, password, and a two-factor token (not an email or short message service (SMS) or text passcode). All traffic will be encrypted using standard protocols. All authentication attempts will be logged.

Current University employees, excluding student workers, have permission to access the VPN solely for the purpose of conducting University business. Access by student workers and consultants is permitted on a case by case basis as assessed by IT.

If an individual is issued a University computer for performing a job function, that is the device that should be use for connecting to the VPN and not a personally owned device. All non-University owned computers and mobile devices connecting to the University’s VPN must adhere to the requirements set forth in section B2 of this Policy. Authorized Users acknowledge that their machines are a de facto extension of the University’s network, and as such are subject to the same rules and regulations that apply to University-owned equipment, i.e., their machines must be configured to comply with University policies. 

VPN users will be automatically disconnected from the University’s network after a set period of time for security reasons. This period is updated to adhere to current security standards.

Only IT approved VPN clients may be used.

The purpose of this section is to address the University’s compliance with the Digital Millennium Copyright Act (DMCA) and specifically 17 U.S.C. Section 512(c), as amended. The University respects the rights of copyright holders, their agents and representatives, and implements appropriate policies and procedures to support these rights without infringing upon the legal use, by individuals, of those materials. All individuals who use University Technology Resources are responsible for their compliance with applicable copyright laws, University policies, and other applicable provisions. Under appropriate circumstances, the University may terminate authorization of users of its system or network who are found to intentionally or repeatedly violate the copyright rights of others. 

The University’s designated registered DMCA Agent (defined below) shall receive all claims of infringement under the DMCA. Claims may come from inside or outside the University. The DMCA Agent shall promptly acknowledge receipt of each infringement claim, process, investigate, and take appropriate actions under the DMCA. The DMCA Agent shall coordinate activities, keep required records, and assure proper adjudication of incidents in conformity with University policies and procedures and applicable legal provisions. 

The University will use a three-pronged approach to address DMCA related activities. The University will: 

The DMCA provides an opportunity for colleges and universities to shield themselves from liability for the actions of users that infringe on the copyrights of others. Any use of the Technology Resources to illegally transfer copyrighted material including, but not limited to, software, text, images, audio and video is strictly prohibited. 

Under the DMCA, the University will not be liable to the individual using electronic information for any harm they might suffer because of its actions in disabling access so long as it: 

In accordance with the DMCA, the University has designated the Chief Information Officer (CIO) as the DMCA Agent to receive and respond to reports of alleged copyright infringement. This designation is listed on the University’s public facing website. DMCA notices and takedown requests must be routed to the University’s DMCA Agent. 

The DMCA specifies that any DMCA notice or takedown requests must be in writing (either on paper or electronic mail) and must include the following elements: a physical or electronic signature; description of the work claimed to be infringed; description of the allegedly infringing work and the location on the University’s public facing website; contact information for the complaining party; a statement that the complaining party has a good faith belief that the use of the material in the manner complained of is not authorized by the copyright owner or law; and a statement that the information contained in the notification is accurate, under penalty of perjury, and that the complaining party is authorized to act on behalf of the copyright owner. Failure to include information required by the DMCA in the notice of alleged infringement may result in a delay of the processing of the DMCA notification. The University reveals names of alleged offenders only when provided a valid subpoena.

Upon receipt of a DMCA notice or takedown request, the University’s DMCA Agent or designee will follow the takedown procedure outlined in the Digital Millennium Copyright Act, U.S. Copyright Law, Chapter 5, Section 512(c)(3). In addition, the DMCA Agent or designee will notify the individual responsible for the content that the takedown has taken place, and inform them of their rights regarding counter-notice and put back procedures, which are outlined in the Digital Millennium Copyright Act, U.S. Copyright Law, Chapter 5, Section 512(g). 

The University reserves the right to protect, repair, and maintain the University’s Technology Resources and network integrity. In accomplishing this goal, University IT personnel or their agents must do their utmost to maintain user privacy, including the content of personal files and internet activities. Any information obtained by IT personnel about a user through routine maintenance of the institution’s computing equipment or network should remain confidential, unless the information pertains to activities that are not compliant with acceptable use of Arcadia University’s Technology Resources.

Users who violate this Policy may be denied access to the University’s Technology Resources and may be subject to penalties and disciplinary action both within the University, up to and including separation from the University, and external to the University, including investigation and/or prosecution by local, state, or federal authorities. The University may temporarily suspend or block access to an account, prior to the initiation or completion of disciplinary procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the University’s or other Technology Resources, or to protect the University from liability. The University is not liable for the actions of anyone connected to the internet through the University’s Technology Resources. All Users will assume full liability—legal, financial, or otherwise—for their actions in violation of the Policy. Users are subject to disciplinary rules described in the Staff Handbook, Faculty Handbook, Student Handbook and Code of Conduct, and other policies and procedures governing acceptable behavior.

Exceptions to this Policy may be granted by the CIO, or by the CIO’s designee. All exceptions must be reviewed annually or more frequently if deemed necessary and/or appropriate by the CIO.

Alumni: individuals who have been granted a degree from the University.

Authorized Users or Users: all users of Technology Resources including, but not limited to, employees, temporary employees, faculty, students, alumni, campus visitors, contractors, vendors, consultants and their related personnel, and other users authorized by the University to access its systems and networks.

Technology Resources: assigned computer accounts, email services, and the shared University network which includes resources and facilities operated by the University, whether owned, leased, used under license or by agreement, including, but not limited to: telephones (including mobile devices) and telephone equipment, voice mail, SMS (text), mobile data devices, desktop and laptop computers. Email, chat, facsimiles, mail, any connection to the University’s network or use of any part of the University’s network to access other networks, connections to the internet that are intended to fulfill information processing and communications functions, communication services, hardware, including printers, scanners, facsimile machines, any off-campus computers and associated equipment provided for the purpose of University work or associated activities.

Information Systems: any system that creates, collects, stores, and processes data.

Information Technology Department: the department at the University that is responsible for managing the University’s Technology Resources.

University: Arcadia University, its colleges, schools, affiliates, divisions, and subsidiaries.

This Policy is effective on the date that it is signed by the President.

Ajay Nair, President

November 4, 2022