Acceptable Use Policy

Introduction

The New School maintains and provides IT Resources to support the educational, instructional, research, and administrative activities of the university. The use of these resources is a privilege that is extended to members of the New School community. Users of these services and facilities have access to valuable university resources, to sensitive data, and to internal and external networks. Consequently, it is important for all users to behave in a responsible, ethical, and legal manner.

Purpose

This policy establishes guidelines for the acceptable use of New School IT Resources based on the following principles:

1. The New School community is encouraged to make innovative and creative use of IT Resources in support of educational, scholarly, and administrative purposes. The university supports access to information representing a multitude of views for the interest, information, and enlightenment of students, faculty, and staff. Consistent with this policy, The New School supports the use of IT Resources in a manner that recognizes both the rights and the obligations of academic freedom.
2. The New School recognizes the importance of copyright and other protections afforded to the creators of intellectual property. Users are responsible for making use of software and other information resources in accordance with copyright and licensing restrictions and applicable university policies. Using IT Resources in a manner violating these protections, or furthering the unauthorized use or sale of protected intellectual property, is prohibited.
3. The New School cannot fully protect individuals against the receipt of potentially offensive material. Those who use electronic communications may occasionally receive material that they might find offensive. Those who make personal information available about themselves through the Internet or other electronic media may expose themselves to potential invasions of privacy.
4. IT Resources are provided to support The New School’s academic, research, and public service mission. IT Resources are limited, and should be used wisely and with consideration for the rights and needs of others.

This policy is intended to:

• promote the mission of The New School by encouraging responsible conduct and use of university IT Resources;
• protect the instructional and operational integrity of the university and the rights of individuals;
• prevent the misuse of, or damage to, IT Resources and Institutional Information; and
• support compliance with contractual, legal, and regulatory obligations.

Scope

This policy applies to all university Institutional Information and IT Resources, irrespective of whether they are maintained by The New School or a third party on the university’s behalf or whether they are accessed from on-campus or off-campus locations, and to any individual who accesses or in any way makes use of them, regardless of affiliation. This includes, but is not limited to, Workforce Members, students, and alumni.

Definitions

Special terms used in this document will be Capitalized and underlined, signifying that they have special meaning. A comprehensive glossary of terms, with examples, can be found at https://ispo.newschool.edu/glossary/.

General rules for all users

Users of The New School’s IT Resources must comply with state, federal, and international laws and regulations, university policies and rules, and the terms of applicable contracts including software licenses while using those resources. Examples of applicable laws, policies, and rules include, but are not limited to:

• the U.S. Electronic Communications Privacy Act, U.S. Computer Fraud and Abuse Act, French Law No. 2004-575 regarding Confidence in the Digital Economy (Parsons Paris users), and Article 156 of the New York Penal Code, which prohibit “hacking,” “cracking,” and similar activities;
• laws governing identity theft, privacy, libel, copyright, trademark, right of publicity, obscenity, and child pornography;
• the university’s Policy on Harassment, Discrimination, Prohibited Relationships, and Title IX and Non-Title IX Sexual Harassment and Misconduct;
• the university’s Policy on the Free Exchange of Ideas and its Statement on the Freedom of Academic Expression;
• the university’s Academic Honesty and Integrity Policy and Intellectual Property Rights Policy;
• the university’s Student Code of Conduct and Employee Code of Conduct;
• the university’s Social Media Policy;
• the university’s Privacy and Data Protection Policy; and
• the university’s Information Security Policy.

Users who engage in electronic communications with persons in other states or countries or make use of systems and networks located in other states or countries may also be subject to the laws of those jurisdictions and the policies and rules of those other systems and networks.

All users of New School IT Resources are required to have a valid, authorized account (typically a username and password) or other form of officially approved access, and may use only those IT Resources for which they have been specifically authorized. Use of another person’s account, password, or other access control device to access an IT Resource without official approval or authorization is prohibited.

Users are responsible for any activity originating from their accounts that they can reasonably be expected to control, and are expected to take reasonable precautions including password security and file protection measures to prevent use of their accounts and files by unauthorized persons. Sharing of accounts, passwords, or other access control devices with others is prohibited. Users who disclose their passwords to others are solely responsible for all consequences arising from such disclosure. In cases when unauthorized use of accounts or resources is detected or suspected, the account owner should change the account password immediately and report the incident to IT Central or the Information Security and Privacy Office.

Personal, commercial, and political use

Authorized users may make incidental personal use of New School IT Resources, provided that such use is subject to and consistent with this policy. Incidental personal use of university IT Resources by New School Workforce Members may not interfere with the fulfillment of their job responsibilities or disrupt the work environment. Incidental personal use that inaccurately creates the appearance that the university is endorsing, supporting, or affiliated with any organization, product, service, statement, or position is prohibited.

Users making personal use of New School IT Resources do so at their own risk. The university is not responsible for the security, integrity, availability, or backing up of personal data stored on university IT Resources. The university does not guarantee that users will be able to retrieve personal data stored on university IT Resources upon graduation, transfer, resignation, or termination.

Commercial activities may be conducted using New School IT Resources only under the auspices of officially recognized and sanctioned campus organizations or academic and administrative programs. Personal use of university IT Resources may not result in commercial gain or private profit, except as allowed under the university Intellectual Property Rights Policy.

As a 501(c)(3) organization, The New School is prohibited from participating or intervening in any political campaign on behalf of or in opposition to a candidate for public office, and no substantial part of the university’s activities may be directed to influencing legislation. Individuals may not use university IT Resources for political purposes in a manner that suggests the university itself is participating in campaign or political activity or fund raising, or for influencing legislation. Any other use with respect to political activity must be permitted by applicable university policy and consistent with applicable laws.

Prohibited and inappropriate use

Users of The New School’s IT Resources are prohibited from engaging in any activity that is illegal under local, state, federal, or international law or in violation of university policies or rules. Users may not knowingly or intentionally engage in activities that could negatively affect the functionality, security, integrity, or legitimate use of New School IT Resources. Examples of activities in this category include, but are not limited to:

• attempting to disable, alter, or circumvent physical or logical protections, user authentication and access control mechanisms, or other restrictions placed on computers, networks, software, applications, or files, including university-installed anti-malware programs;
• attempting to develop or use any mechanism to alter or avoid charges or fees levied by the university;
• attempting to intercept network communications for purposes of rerouting packets, forging packets, packet “sniffing,” or reading communications content;
• attempting to intercept, compromise, or tamper with user account passwords and other access methods;
• launching attacks, probes, scans, or other attempts to identify security vulnerabilities, subvert security, or overload capacity of any system or network (including systems and networks not owned or operated by The New School);
• introducing, creating, or propagating any malicious programs, including, without limitation, viruses, worms, Trojans, spyware, ransomware, or other malicious code;
• sending unsolicited email messages, including “spam,” “chain letters,” and other mass mailings, or posting similar messages to discussion forums, website/blog comment sections, or collaborative document comment areas, except as approved by Marketing and Communications;
• using unauthorized file sharing applications or illegally downloading or sharing copyrighted, licensed, or otherwise protected intellectual property, including, without limitation, movies, music, books, applications, and other software; or
• allowing unauthorized access to New School IT Resources through any computer or network device, including wireless access points.

Above all, users are expected to use New School IT Resources in a legal, ethical, responsible, and civil manner at all times.

Additional rules for Workforce Members

In addition to general-purpose IT Resources to which all members of the New School community have access, New School Workforce Members have access to “administrative” IT Resources that are used to conduct official university business. Examples of administrative IT Resources include, but are not limited to, systems such as Banner, Workday, Canvas, and Starfish, and Institutional Information such as student records, employee records, and financial records. The use of administrative IT Resources is subject to additional rules and prohibitions.

Ownership and classification of Institutional Information

The New School Information Security Policy establishes information security roles and responsibilities for all individuals with access to New School IT Resources. It also requires that Institutional Information be identified, Classified, and protected with appropriate security controls.

Key Institutional Information datasets must have an assigned Data Owner. Data Owners must assign a Classification to each Institutional Information dataset for which they are responsible. The Classification reflects the information security and privacy safeguards needed to protect the dataset and dictates the procedures to follow when acquiring, storing, using, transmitting, archiving, and destroying that information. The Standard for Handling Institutional Information and the Data Protection Handbook describe these safeguards and procedures in detail.

State, federal, and international laws and regulations, as well as certain industry regulations, often require specific safeguards and procedures (in addition to those required by university policies) to be implemented when working with protected categories of information. Protected information categories include, but are not limited to, student Education Records, Personal Financial Information, Protected Health Information, Social Security Numbers, and Cardholder Data. Laws and regulations protecting these information categories include the European Union General Data Protection Regulation (GDPR), Family Educational Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), New York State General Business Law, and the Payment Card Industry Data Security Standard (PCI DSS).

Access to administrative Institutional Information datasets is authorized by Data Owners subject to an individual’s job-related need-to-know. Data Owners are responsible for communicating the information security safeguards and handling procedures that apply to these datasets, via documentation, training, or other means, to the users they have authorized to access them. Users of these datasets are responsible for applying the safeguards and handling procedures specified by the Data Owner.

Institutional Information, regardless of where it is stored, how it is used, or who may access it, is the property of The New School. Users with access to Institutional Information Classified above Protection Level PL-1 may not publish, give away, sell, or disclose that information to unauthorized persons without proper authorization or use that information for personal or non-university purposes.

Use of email

The New School-branded version of Gmail (reachable through MyNewSchool or mail.newschool.edu) is the official university email system. Google provides this version of Gmail to The New School under a specially negotiated end-user license agreement designed to protect the privacy and security of information owned by The New School and the members of its community. This license agreement also includes special protections for information subject to the Family Educational Rights and Privacy Act (FERPA). Workforce Members should use their official university email address for all university business-related email (provided it does not contain Institutional Information Classified at Protection Levels PL-3 or PL-4—see below).

The New School secure file transfer service (reachable through securesend.newschool.edu) is the official university system for sending Institutional Information Classified at Protection Levels PL-3 and PL-4. PL-4 information must never be sent through regular email; securesend must be used instead (see the Standard for Handling Institutional Information for details, including certain exceptions to this rule). In certain circumstances, when specifically authorized by the Data Owner, PL-3 information may be sent internally through New School Gmail (from one @newschool.edu address to another) when operationally necessary and there is no better alternative, but securesend should be used whenever feasible.

External email service providers, including Google’s consumer Gmail platform (@gmail.com), do not provide legal protection or accountability for New School administrative information, and they generally do not comply with the information security and privacy safeguards required by state, federal, and international laws and regulations or university policies. New School Workforce Members may not automatically forward or redirect messages from an official university email address (containing @newschool.edu) to a non-university email address (containing anything other than @newschool.edu). Doing so may put that individual and The New School at risk of violating GDPR, FERPA, GLBA, HIPAA, or other laws and regulations. Workforce Members may manually forward individual messages (i.e., one at a time) only if they do not contain Sensitive Institutional Information and such forwarding is permitted by applicable laws and regulations.

Use of cloud storage and collaboration providers

The New School-branded version of Google’s G Suite (formerly Google Apps) applications (reachable through MyNewSchool or {calendar,drive,docs}.newschool.edu) is the official university general-purpose cloud storage and collaboration platform. Canvas and Starfish are the official university learning management system and student success network, respectively. The companies offering these services provide them to The New School under specially negotiated end-user license agreements designed to protect the privacy and security of information owned by The New School and the members of its community. These license agreements also include special protections for information subject to the Family Educational Rights and Privacy Act (FERPA). Most other cloud services offered through The New School (including, for example, Office 365 and Adobe Creative Cloud) do not include these protections.

Generally, the New School G Suite platform is acceptable for use with Institutional Information Classified at Protection Levels PL-1 and PL-2. The other two platforms are only acceptable for use with Institutional Information Classified at Protection Level PL-1. Additionally, all three platforms may be used with FERPA-protected PL-3 (but not PL-4) information, provided that information is not also subject to other laws and regulations. Information subject to other laws and regulations (GDPR, HIPAA, GLBA, PCI DSS, etc.) should not be stored, processed, transmitted, or shared through any of these platforms. See the Standard for Handling Institutional Information for details.

Before using any other cloud service offered through The New School to store, process, transmit, or share Institutional Information Classified at Protection Level PL-3 or PL-4, Workforce Members are responsible for ascertaining whether that service is appropriate for such use by consulting with IT Central or the Information Security and Privacy Office.

The license agreements for external cloud services not offered through The New School do not provide legal protection or accountability for New School administrative information, and they generally do not comply with the information security and privacy safeguards required by state, federal, and international laws and regulations or university policies. Commonly used services in this category include, but are not limited to, Dropbox.com, Box.com, Apple iCloud, Microsoft OneDrive, and the consumer Google G Suite platform. New School Workforce Members may not use these services to store, process, transmit, or share Institutional Information Classified above Protection Level PL-1, because doing so may put that person and The New School at risk of violating GDPR, FERPA, GLBA, HIPAA, PCI DSS, or other laws and regulations.

Additional rules for users with privileged access

Because of their job responsibilities, certain individuals (“privileged users”) may be granted privileged access to IT Resources, including computing systems, applications, databases, network monitoring tools, and other equipment, that may contain records and information that are private and confidential in nature. Typically, but not exclusively, privileged users are either technical system administration or programming personnel, or administrative employees with access to the university’s main databases and systems of record.

The New School requires all privileged users to respect the sensitive and confidential nature of information concerning New School employees, students, alumni, donors, vendors, and/or other members of the New School community to which they may have access, and to disclose such information only with proper authorization and in the exercise of their designated job duties. Privileged users may not use any access or information available to them in the course of their duties to engage in any activity that conflicts with the interests of The New School or use any access available to them to provide information to others engaged in any activity that conflicts with the interests of The New School.

Specifically, with respect to university computing systems, networks, records, files, email, and other information, privileged users agree to treat all confidential information as such by respecting the privacy of individuals, the integrity of the systems, and the related physical resources, and that they will:

1. access, copy, or store data solely in performance of their job responsibilities, limiting perusal of contents and actions taken to the minimum necessary to accomplish the task;
2. when providing direct services to others, copy or store data or information only with the user’s consent and only to complete a specified task, and only to copy and store user data for long enough to complete the specified task;
3. not seek personal benefit or permit others to benefit personally from any data or information that has come to them through their work assignments;
4. not make or permit unauthorized use of any information in the university’s information systems or records;
5. not enter, change, delete or add data to any information system or file outside of the scope of their job responsibilities;
6. not intentionally or knowingly include or cause to be included in any record or report a false, inaccurate, or misleading entry;
7. not intentionally or knowingly alter or delete or cause to be altered or deleted from any record, report, or information system, a true and correct entry;
8. not release university data other than what is required for the completion of their job responsibilities;
9. not exhibit or divulge the contents of any record, file, or information system to any person except as required for the completion of their job responsibilities;
10. take every reasonable precaution to prevent unauthorized access to any passwords, user identifiers, or other information that may be used to access university information systems or records;
11. limit access to information contained in or obtained from the systems to authorized persons;
12. not make any changes to system hardware, software, or configuration settings that have not been reviewed and approved through relevant change management processes; and
13. report any incidents of non-compliance with these rules to their supervisor or other appropriate university official.

Monitoring

The New School considers the data processed by and stored on administrative computer systems (both those operated locally and those hosted by a third party) to be the property of the university. The personal contents of user accounts are considered to be the property of the authorized user, subject to applicable university copyright and intellectual property policies and applicable state, federal, and international laws and regulations.

Individuals should be aware that their privacy is not guaranteed when using university IT Resources, including accessing the Internet or using university-provided electronic mail, telephone, or voice mail. While The New School does not routinely monitor individual usage of its IT Resources, the normal operation and maintenance of these resources require the backup and caching of data and communications, the logging of activity, the monitoring of general usage patterns, and other such activities that are necessary for the provision of service. Additionally, system and application administrators may become aware of the contents of communications or stored information while dealing with specific operational problems. Furthermore, the university may use automated tools to detect, alert, and respond to improper storage, sharing, or transmission of Personal Data or other confidential information that could result in such information being disclosed to unauthorized persons. The university may also specifically monitor the activity and accounts of individual users of university IT Resources, including individual login sessions, the content of individual communications, and the contents of stored information, with or without notice, when:

• it reasonably appears necessary to do so to protect the integrity, security, or functionality of university IT Resources or to protect the university from liability;
• a written complaint has been received, or there is reasonable cause to believe, that the individual has violated or is violating this policy;
• an account appears to be engaged in unusual or unusually excessive activity; or
• it is otherwise required or permitted by law.

Any such monitoring of communications or stored information, other than what is made accessible by the individual, required by law, or necessary to respond to perceived emergency situations, must be authorized in advance by the Provost and Chief Academic Officer, the Chief Legal and Human Resources Officer, the Chief Enrollment and Success Officer, or the Chief Information Officer, as appropriate, in consultation with the Office of the General Counsel. The university, in its discretion, may disclose the results of any such general or individual monitoring, including the contents and records of individual communications or stored information, to appropriate university personnel or law enforcement agencies and may use those results in appropriate university disciplinary proceedings. The university may also, from time to time, be required to comply with the lawful orders of courts, such as subpoenas and search warrants. Such compliance may include providing, when required, copies of monitoring data, system and/or user files, email content, or other information ordered by the court.

Compliance and review

Failure to comply with this policy, whether deliberate or due to careless disregard, will be treated as serious misconduct and may result in actions including (but not limited to) disciplinary action, dismissal, and civil and/or criminal proceedings.

This policy is reviewed on a periodic basis and updated as necessary by the Information Security and Privacy Office to ensure it remains accurate, relevant, and fit for purpose.

Document history

Date	Author	Description
Jun 2007	Safeguarding Data Committee	First university information security/acceptable use policy
Nov 2011	D. Curry	Rewritten to separate security and acceptable use policies
Jun 2020	D. Curry	Substantial changes to fit into new Information Security & Privacy Program Expanded and clarified the language on use of external email systems and cloud services Incorporated the formerly separate Privileged Access to Computer Systems Agreement Separated rules into “all users,” “faculty and staff,” “privileged users”
Sep 2020	D. Curry	Replaced references to obsolete “sendfiles” service with “securesend”
Jun 2021	D. Curry	Corrected links to some university policies that had moved or been replaced