[CQM follows the University of Madeira's Information Security Policy - originally published here, also available in PDF]
Acceptable Use Policy
The University of Madeira (UMa) recognizes the citizen’s right of personal data protection, ensuring that all personal data holders whose data are entrusted to UMa are aware of the purpose of the provided information, as well as of their rights in this matter and how to exercise them, under the terms of and in accordance with the article 8, nr.1 of the Charter of Fundamental Rights of the European Union (“Charter”), with the article 16, nr.1 of the Treaty on the Functioning of the European Union (TFEU), and with the General Data Protection Regulation (GDPR).
In this context, and bearing in mind that the pursuit of such plans depends on a solid combination of responsible users, adequate technologies and safe processes, the University of Madeira, under the terms of the Article 24, nr. 2 of the GDPR, and in strict compliance with the requirements legally established by the Articles 136, nr.1, and 136 nr. 4 of the Code of Administrative Procedure (approved by the Decree-law 4/2015 of the 7th of January), establishes this Acceptable Use Policy to facilitate the effective application of the GDPR within the framework of its specific characteristics and specificities placed on University of Madeira as a Public Higher Education Institution.
1. Object and scope of Application
The Acceptable Use Policy (hereinafter referred to as “AUP”) of the information and communication technologies of University of Madeira aims to establish the guiding principles for the correct and responsible use of the informatic services and of telecommunication networks, in view of the safety of the institution, of the protection of its users’ interests and of the pursuit of University of Madeira’s mission.
This policy is subsidiarily applied to the specific regulation that has been approved by the competent authorities of the organic units of University of Madeira, being applied to all users mentioned in item 2. UMa reserves the right, when the rules of this AUP are infringed, to proceed immediately with the removal or prevention of access to illegal content or any other content that constitutes a violation of the AUP, or that obstruct the normal operation of the services provided. The AUP is of a non-contractual nature and will be periodically revised by UMa without prior notice to its users. However, its updated version is permanently available online at uma.pt.
One may define the users of University of Madeira’s information and communication technologies as those with a contractual relationship, namely: teaching staff, researchers, scholarship holders, non-teaching staff and other service providers. Additionally, students, alumni, retirees, and retired or emeritus professors are also considered users. The creation of accounts for others with an occasional or temporary connection to University of Madeira is also a possibility, and the registration of these users requires the accountability of a current user with a contractual link and with the needed competences for that to be done.
It also applies to users without a link to the University, and that occasionally use its technological infrastructures for various purposes, such as to submit applications, to enrol in courses or degrees, or to use services provided by the University through electronic means. The access to technological infrastructures may be provided in a differentiated manner, depending on the type, profile and needs of the user.
3. General principles
The use of the information and communication technologies of University of Madeira should be carried out in strict accordance with the University of Madeira’s statutes, bearing in mind the pursuance of the mission to which the University is attached, under the terms of the article 2 of the law no. 62/2007 of 10th of September (which approves the legal framework of Higher Education institutions), as a public higher education institution.
The principle of responsible use stated in this document is applied in the use of information and communication technologies of University of Madeira, being applicable to all its users. The University reserves the right to change these conditions, and to apply containment measures when it is believed that the use of its technological resources is not in accordance with what has been stated above.
The use of information and communication technologies of University of Madeira for commercial purposes or for purposes not compatible with the University’s institutional intent is not allowed. The use of information and communication technologies for advertising purposes is only allowed for the promotion of activities framed in the University’s mission.
Users’ conduct is expected to be in accordance with the applicable laws and with this policy’s provisions, as the lack of knowledge about them does not justify their violation.
As the University of Madeira is a user entity of the Science, Technology and Society Network (“RCTS - Rede para a Ciência, Tecnologia e Sociedade”, managed by the Foundation for National Scientific Computing or “FCCN - Fundação para a Computação Científica Nacional”), any use of the information and communication technologies of University of Madeira that infringes the rules established in the user’s letter of the said network (available at www.fccn.pt) is not allowed.
When using University of Madeira’s information and communication technologies, any actions that infringe the rules established in this document or the ruling legal provisions are not allowed, with special focus on the provisions consigned in the applicable legislation on cyberspace security, personal data protection and computer crime.
The use of the university’s resources should be done in a responsible manner. Situations that may interfere, in a harmful manner, with other users or services, whether those are internal or external to the University of Madeira, are not considered responsible use.
The resources made available through University of Madeira’s information and communication technologies cannot be made available to third parties – whether it is by selling, renting or assignment – by the organic units, autonomous services, rectory or other users that are connected to it.
In many cases, and always depending on previous authorisation of the Rector of University of Madeira or of someone assigned by him, the access may be granted to third parties, only in the case of institutions of the educational, scientific, technology and culture system, with which the University of Madeira has a partnership.
Any non-authorised use of the resources provided by the University of Madeira’s information and communication technologies is considered as improper use and, as such, is subject to disciplinary and criminal proceedings.
5. Rules about Network and System Security
1. It is not allowed for the information and communication technologies’ users to violate (or attempt to violate) any authentication or security system that protects access accounts, servers, services or networks. The following are considered violations:
a) The unauthorised access to other people’s data (breach of privacy);
b) The unauthorised search of vulnerabilities in servers, services or networks, namely the systematic detection of service response (scan);
c) The entry or attempt to enter machines without the express authorisation of those responsible for them (Break in);
2. It is not allowed for users to intentionally interfere with the proper operation of the servers, services or networks. This includes:
a) Overloading actions, either combined or not with the exploration of vulnerabilities of the systems, aiming to compromise the functioning of services (Denial of Service);
b) Sending excessive number of packets (Flooding);
c) Any attempt to hinder or disrupt servers, services or networks;
d) The installation, use or provision of proxies for the provided connectivity for purposes other than the use of the contracted services;
e) The maintenance of OPEN RELAY servers;
f) The introduction of computer viruses, “worms”, harmful code and/or “Trojan horses”;
3. Data interception is not allowed in any network or server without the express authorisation of its legitimate owners;
4. It is forbidden to falsify data (introduce, modify, suppress or delete, completely or partially) after its production, with the intent of deceiving data receivers. Falsification includes, but is not limited to:
a) IP address alteration (IP Spoofing);
b) Alteration of the identification of e-mails.
The access to the networks entails the responsibilities that are inherent in the use of any of University of Madeira’s resources, and may be revoked when its inadequate use is verified.
In order to protect the integrity of computer systems, the administrators authorised by the rectory may, when necessary, suspend or remove the access to the University of Madeira’s network or computers.
6. Rules about e-mail service security
E-mail is a means of communication primarily intended to facilitate academic, administrative, research and management processes. Its use conforms to the principles of ethical use of resources and networks.
The abusive use of e-mail may cause inconvenience and damages to the remaining network users, either directly or indirectly, by jeopardising the normal functioning of the service support systems. Consequently, it is not allowed:
a) to send e-mails to those who have (expressly) declared not wanting to receive them;
b) to spread chain letters, pyramid schemes, or any other intrusive or harassing messages.
7. Rules of the accommodation service
All the material published on webpages on the University of Madeira’s servers must comply with its official policies, such as academic responsibility, intellectual property, the right to privacy, among others.
1. UMa provides its faculties and research centres with hosting space in its servers and a personalised address, with or without its own domain, to access the hosted pages.
2. The hosted pages’ content is of the sole responsibility of its faculties and research centres and should not, in any case, contain information that:
a) violates copyright rules, namely by containing counterfeited software, counterfeited audio (music) and video (films) files. This restriction extends to the accommodation, installation, execution, use and/or provision of these types of content and/or applications;
b) is considered as illegal, offensive, pornographic, paedophile or discriminatory based on religion, sex or race;
c) incites the practice of criminal acts;
d) promotes physical or moral damage against any individuals;
e) explores or incites the exploitation of minors.
8. Rules about content
UMa reserves the right to remove any applications or to restrict the provision of services when it becomes aware of the existence of any illegal activities, or of activities that violate national or international laws, developed through those means, namely:
a) The violation of any law, of any applicable jurisdiction, including laws about content or advertising that may be widespread online, and related to: alcohol, competition, protection of minors, illicit substances, exportation, armament, importation, privacy, debt securities, telecommunications, and tobacco;
b) The practice of dishonest or unfair acts, including the promotion or communication of defamatory, scandalous, threatening, injurious, xenophobic, or private information without the consent of the people affected by it, or the promotion of information likely to cause moral damage, either due to its content or to the frequency of its promotion;
c) The promotion, encouragement or defence of violence against any state, organisation, group, individual or property, or the dissemination of information, training or support in order to carry out such violence;
d) The dissemination, sending or receiving of information that violates copyrights, patents, trademarks, trade secrets, software licensing agreements or other third party’s intellectual property rights;
e) The exposure of UMa, its leaders and staff to public contempt and ridicule;
f) Programmes, scripts or applications that may jeopardise the normal functioning of the services provided;
g) The exercise of private activities, including the mining of cryptocurrency and the sale of services and products;
h) Participation, or allowing participation, in games of chance or gambling.
9. User identification and authorisation
Except for the content publicly available, the access to the University’s resources is made through the attribution of specific access credentials.
The basic principle in user account creation to access the information and communication technologies of University of Madeira meets the user’s profile, as well as the resource and/or service the user needs to access. Bearing in mind that the University of Madeira, as identity provider, is responsible for providing identity assertions that are both reliable and accurate to its own and third-party services, it is essential to ensure a process of credential attribution with a high degree of reliability and safety, forcing greater responsibility for those involved in the process.
Users identified in item 2 are eligible for the allocation of resource access accounts, with a contractual or occasional link. In this case, the person responsible for assigning the account is in charge of the citizen identification, ensuring the existence of a legitimate purpose, clearly distinguishing the types of identity registered in the systems (users, generic, non-human accounts, among others).
In the identity attribution process to users, the University of Madeira collects, at least, data such as the name and identification number of the holder. User accounts are always accompanied by an expiration date that fits the user’s profile and the purpose of the creation of the account, with the right of access aligned with the termination of the link or reason for creation.
In the cases that the user’s access to resources needs to be authorised, this attribution should be properly justified as fitting the profile and functions, being done by the entity of University of Madeira that is responsible for the service.
In addition to the situations previously mentioned, temporary user accounts with limited permissions may be created to gain access to wireless networks and other electronic services displayed online.
The access authorisation to resources assumes the acceptance of this policy, which is valid as long as the access right remains. It can be suspended or cancelled in case of infringement or for safety reasons.
The attributed authorisations are personal and untransferable, and the user is responsible for maintaining the confidentiality and protection of the credentials assigned to him/her.
10. Privacy and personal data treatment
The University of Madeira, in the pursuit of its mission and attributions, collects some personal data from users during the use of its infrastructures.
The University of Madeira ensures strict compliance with the current legislation in terms of data protection and privacy, establishing its activity by guaranteeing the users’ rights and freedoms, according to its Data Protection Policy and its Ethical Code.
11. Monitoring and record keeping
In compliance with the legal and statutory obligations, University of Madeira monitors and records the use of its information and communication technologies, aiming to store the records considered to be necessary for the correct technical support of the equipment, and ensure the safety of the University’s infrastructures. The monitoring will be carried out according to the minimum requirements of Networks and Information Systems established by the Resolution of the Council of Ministers 41/2018, in strict compliance with the interests of the organisation and its users.
University of Madeira guarantees that, during monitoring, there will not be interference in the electronic communication protected by cryptographic algorithms, respecting its users’ rights, privacy and freedom.
The University collects data referring to the use of the infrastructures in a pseudonymized manner, including only the needed data for the previously mentioned purposes, namely IP addresses, ports, protocols, date, hour, user-agent browser, and metadata related to the layers 3 and 4 of the Open System Interconnection (OSI) model. Other data may be collected, with the user being previously informed of the additional data in the conditions of use of the services.
In the absence of any other retention period defined in the conditions of use of certain services or by legal requirement, records are kept for a maximum period of 24 months.
It is forbidden for individuals outside University of Madeira to access these records. Technicians may be authorized to access these records due to infrastructure security monitoring processes, or in exceptional and justified situations of technical screening or to comply with legal requirements.
12. Infringement and incident response
When it comes to the response to safety incidents and vulnerability detection, the University of Madeira’s team responsible for computer security analyses infringement cases according to the mentioned provisions.
In each case, it notifies both the person responsible for data security and the offender, if identified, and then evaluates the decision of a temporary access suspension to the information and communication technologies, or other measures that allow impact minimization. When personal data are involved, the Data Protection Officer is notified.
University of Madeira does not take any responsibility for the use of its infrastructures when it involves any actions that violate the law, statutes, regulations, and these provisions, being of the sole responsibility of the users.
14. Alterations to the acceptable use policy of information and communication technologies
University of Madeira reserves the right to, at any time, readjust or change the present Acceptable Use Policy of the information and communication technologies. Any changes will be properly advertised.
15. Questions and Suggestions
To get more information on the way University of Madeira deals with personal data, or to clarify any questions regarding this issue, complaints or comments can be submitted regarding the Acceptable Use Policy of the information and communication technologies.
16. More Information
To learn more about information security, consult the UMa Information Security Policy document [PDF format].
Universidade da Madeira - Edifício da Reitoria
Colégio dos Jesuítas - Rua dos Ferreiros
9000-082 Funchal - Portugal
Telephone: (+351) 291 209 400
Universidade da Madeira - Campus da Penteada
Campus Universitário da Penteada
9020-105 Funchal - Portugal
Telephone: (+351) 291 705 000