31 March 1998
On the basis of Art. 5 Section 3 No. 3 of the Bavarian Higher Education Act (Bayerisches Hochschulgesetz, BayHSchG) of 1 December 1993 (published in the law gazette Gesetz und Verordnungsblatt (GVBl) p. 953), Hochschule für angewandte Wissenschaften Augsburg decrees the following policy.
Hochschule für angewandte Wissenschaften Augsburg and its institutions (the "operators" or "system operators") operate an information processing infrastructure, consisting of data processing facilities (computers), communications systems (networks), and other auxiliary devices for information processing.
The information processing infrastructure is integrated into the German National Research and Education Network (Deutsches Wissenschaftsnetz) and thus forms part of the Internet.
This policy governs the conditions under which the services offered may be used. It
- is based on the responsibilities of the universities laid down in legislation and their mandate to protect academic freedom,
- lays down rules for the orderly operation of the information processing infrastructure,
- points out rights of third parties which must be observed (e.g. software licenses, conditions of the network operators, matters of data protection),
- informs about the measures which may be taken in the event of violations of this policy.
Section 1 Scope
This acceptable use policy applies to the information processing infrastructure provided by Hochschule für angewandte Wissenschaften Augsburg and its institutions which consists of hardware and software systems (computers), communications systems (networks), and other auxiliary devices for information processing connected to external networks (e.g. the German National Research and Education Network).
Section 2 Access to the infrastructure and responsibilities
- The members of Hochschule für angewandte Wissenschaften Augsburg have access to the information processing resources named in Section 1 to fulfil their responsibilities in the areas of research, administration, training, public relations, and to fulfil the other responsibilities specified in Art. 2 of the Bavarian Higher Education Act (Bayerisches Hochschulgesetz, BayHSchG).
- Other persons and institutions may be given access. This access generally requires a written contract.
- For the purposes of this policy, all persons who are formally authorized to use the German National Research and Education Network (Deutsches Wissenschaftsnetz) and all persons, e.g. in the administration, who are given access to the German National Research and Education Network at closed events, projects, and at workplaces without formal authorization (via personal ID or group ID) are referred to as users.
Section 3 Formal user authorization
- Prospective users of the facilities have to apply for authorization to the system operator responsible. Services equipped for anonymous access (e.g. information services) are excepted from this regulation.
The application must contain the following information:
- the applicant's details: name, address, student registration number (for students only), and organizational unit of the University;
- purpose of the access request, e.g. research, education, administration;
- the systems they are requesting user authorization for;
- a declaration of acknowledgement of the acceptable use policy and a declaration of consent for the processing of personal data in accordance with Section 5. Applicants can declare their consent in electronic form as the requirements of Art. 2 Section 3 (7) of the Informations- und Kommunikationsdienste Gesetz (information and communication service act; IuKDG) are fulfilled;
- A paragraph informing the user that the consent can be revoked at any time with effect for the future.
- The acceptance or rejection of the application is to be decided by the system operator responsible. The system operator may make the approval of the application dependent on proof of certain skills and knowledge regarding the use of the facilities.
- The user authorization is dependent on the available capacities. The authorization may be subject to limitations of the computing time and other conditions and restrictions.
- The user authorization is generally valid for 2 years and can be renewed. The user authorization for professors, research associates, and non-academic staff is renewed automatically every year unless it is revoked.
- The user ID may only be used by the authorized person. If the user realizes that their user ID has been used by a third party, they must inform the office responsible for the allocation of user IDs immediately so that they can block the compromised user ID. The user is held responsible for all third party actions if they enabled the third party to access the services by gross negligence.
- As soon as the authorized user has reported the improper use by a third party, they will not be held responsible for any continued improper use of the user ID by the third party.
- The user authorization may be denied, revoked, or limited after it has been granted, especially if
- the application does not fulfil the requirements, or the given information is incorrect or no longer correct, or if the consent referred to in Section 1 is
- the requirements for proper use of the services and facilities are not or no longer fulfilled;
- the authorized person has been barred from using the services and facilities;
- the planned use is not in accordance with the purposes laid down in Section 2;
- the facilities are not suitable for the intended use or are reserved for special purposes;
- the capacity of the facility the user is requesting authorization for is insufficient for the planned tasks due to other use that has already been authorized;
- the facilities in question are connected to a network which must fulfil special data protection requirements and no practical reasons for the request for access can be identified;
- it is foreseeable that other users will be inconvenienced to an inappropriate degree by the utilization specified in the application;
- The user authorization is only valid for tasks that are related to the purposes detailed in the application.
Section 4 Responsibilities and obligations of the users
- The authorized persons (users) have the right to use the facilities, computers, and public software and the services provided by the faculties or the computer center within the limits of their authorization and within the limits of this policy. Any use for other purposes (commercial purposes in particular) may only be authorized upon application and against payment.
- Users are obligated
- to comply with the license regulations; endanger the regular workings of the University facilities;
- to present their user identification when asked to;
- to report any malfunctions, damages, and faults of computers or storage devices immediately to the responsible member of staff;
- to comply with the instructions from staff while using the computer rooms;
- to inform the department or the computer center before they process personal data and to comply with and use the data protection measures of the department or the computer center, the users' own data protection obligations notwithstanding;
- to back up their data and software in a manner that prevents any damage in the case that it should be lost while it is being processed by the department or the computer center;
- to use the data networks only within the limitations of the user policy and to comply with the user policy for the data networks;
- to ensure that their password is protected from third parties;
- to use only those user IDs they are authorized to use, and to take measures to prevent unauthorized third parties from accessing the computing systems of Hochschule für angewandte Wissenschaften Augsburg;
- to protect access to the facilities by a secret password.
- The user is not authorized to copy or to pass on software, documentation, or data without express permission, nor to use the said software for other purposes than those permitted, especially not for commercial purposes. The right to install software is regulated separately depending on the local circumstances and the requirements of the system.
- The user is not authorized to modify the hardware installation or to make changes to the software systems, the system files, or the network without the permission of the system operator responsible.
- The user must not maintain more than one dial-up connection to the access points of Hochschule für angewandte Wissenschaften Augsburg.
- The user must not read or process messages intended for other users.
- Violations of this policy may result in claims for compensation.
- The following acts constitute criminal offenses:
- intercepting data (Section 202a of the German criminal code (Strafgesetzbuch))
- changing, deleting, hiding, or destroying data without authorization (Section 303a of the German criminal code (Strafgesetzbuch))
- computer sabotage (Section 303b of the German criminal code (Strafgesetzbuch)) and computer fraud (Section 263a of the German criminal code (Strafgesetzbuch))
- distributing propaganda materials of unconstitutional organisations (Section 86 of the German criminal code (Strafgesetzbuch)) or racist ideas (Section 130 of the German criminal code (Strafgesetzbuch))
- distributing certain types of pornography on the Internet (Section 184 (3) of the German criminal code (Strafgesetzbuch))
- downloading or possessing documents containing child pornography (Section 184 (5) of the German criminal code (Strafgesetzbuch))
- defamation, libel, slander, and such (Sections 185ff of the German criminal code (Strafgesetzbuch)).
Section 5 Responsibilities and obligations of the system operators
- All system operators keep a log of the granted user authorizations. The logs must be kept for two years after the expiry of the authorizations.
- The system operators have the right to prevent or uncover improper use to an appropriate degree, especially by random sampling. For this purpose, they in particular have the right
- to document and to evaluate the users’ activities where this is necessary for billing purposes, for planning resources, for monitoring the system, or for following up on malfunctions or for violations of this policy or of legal provisions.
- If measures described in a) provide compelling indications of improper use, the user can be temporarily blocked or, once the user has been heard, the authorization may be revoked. Once the matter has been resolved appropriately, the user can be granted authorization once more.
- If the indications of improper use described in b) cannot be dismissed without doubt, and if the user violates these policies again in a way that may cause serious malfunctions in the operation of the system, or if new compelling indications of criminal offenses (as regulated by the German criminal code (Strafgesetzbuch), etc.) arise, it is permissible to review the user data and to log the user’s current activity in the network in detail as long as the two-person rule and the documentation responsibility are observed. In this case, the system operator is not obligated to inform the user in advance if that would hinder the orderly operation of the system or if the user is suspected of improper use and there are no other means to prevent future improper use.
- to take measures to preserve evidence if necessary in the case of a strong suspicion of criminal offenses.
- If measures as described in sections 2c) and d) were taken, the user must be informed immediately after the measure has been completed unless this would be contrary to the purpose of the measure or would complicate the achievement of this purpose unduly.
- If measures as described in section 2c) are taken against members of the University as specified in section 17 (1) No. 2, 4, 5, 8, 9, and 10 of the Bavarian Higher Education Act (BayHSchG), the president must approve this measure. If such measures are taken against members of the University as described in section 17 (1) No. 6 of the Bavarian Higher Education Act (BayHSchG), the chancellor and the dean responsible or the head of the central institute or facility concerned must approve.
- If such measures are taken against members as specified in section 17 (1) No. 7 of the Bavarian Higher Education Act (BayHSchG) (students), the measure must be approved by the chancellor and the system operator responsible.
- If a measure as described in section 2c) is to be taken against members as defined by section 17 (1) No. 6 of the Bavarian Higher Education Act (BayHSchG), the staff council must be involved.
- The system operator is obligated to maintain confidentiality.
Section 6 Excluding users and revoking consent
- Persons who violate this policy or who commit offenses can be excluded temporarily or permanently from access to the systems, unless access restrictions are an appropriate measure regarding the violation and are suitable to prevent future improper use. The exclusion does not affect the responsibilities of the user which arise from access authorization. The University maintains their claim for the payment of the agreed fee. The excluded user cannot claim indemnification based on the exclusion.
- The University reserves the right to revoke the user authorization partly or completely if the admission is revoked or restricted. The University is not obligated to compensate the user in this case.
- Regulatory measures regulated by the Bavarian Higher Education Act (Bayerisches Hochschulgesetz, BayHSchG) and disciplinary measures remain unaffected.
- The University reserves the right to instigate criminal proceedings and to take civil action.
Section 7 Priorities and order of priority
The first priority lies with teaching activities. Commissions from internal users (University members) precede those of external users.
Section 8 Costs
- For internal users as defined in Section 2 (1), the services of the University are provided free of charge as long as they are elementary services. For external users as defined in Section 2 (1), the University may charge fees corresponding to the operational costs. For other users (see Section 2 (2)), the University may charge fees corresponding to the full costs.
- The full costs are the total costs incurred in the operation of the system. They include the personnel costs, material costs, amortizations, and overhead costs.
Section 9 Liability
- The University does not guarantee that the system runs free of errors and without interruptions. The University cannot guarantee the integrity and the confidentiality of the data stored in their facilities.
- The University does not assume responsibility for the validity of software, even if it was written by a University employee, and the University does not bear liability for damages or incorrect results caused by technical malfunctions or defective devices unless the damage was caused with intent or due to negligence on the part of an employee or a representative of the University.
- Persons who use the IT facilities of the University illegally without permission or introduction are liable for all damages they cause.
- Users are liable for all damages caused by using the computer rooms. In particular, they are liable for damages caused by not fulfilling their obligations, by providing incorrect information concerning the intended use or the required capacities, and by illegally using user IDs authorized for third parties, protected data, or protected software. The damages can only be settled with a financial payment. Users must not incur damages claims of third parties against the University.
Section 10 Data protection
The provisions of the data protection policy apply.
Section 11 Other regulations
- Fees for the use of information processing systems may be laid down in separate regulations.
- Diverging regulations may be issued for certain systems if required.
Section 12 Coming into effect
These regulations come into effect on the day after they were published.
The President of Hochschule für angewandte Wissenschaften Augsburg
Prof. Dipl.-Ing. H. Benedikt
1 April 1998
These regulations were laid down on 1 April 1998 at Hochschule für angewandte Wissenschaften Augsburg; this fact was made public on 1 April 1998 by means of display on a public noticeboard. Thus, the date of publication is 1 April 1998.