A series of policies governs IT Services and IT generally at UC. All students and staff should be familiar with these policies and undertake to comply with them at all times.


IT Policies

This is the core document that describes the ways that information technology (IT) resources may or may not be used at the University. This document applies to everyone who makes use of the University’s IT resources, including students, staff, and visitors to the University.

You can find the FAQs below.


IT Policy Framework FAQs

The IT Policy Framework outlines the boundaries of acceptable use of University IT facilities. It was developed by a group of people across the University to capture the expansive nature of IT systems.

This FAQ list addresses the questions that have been raised following consultation.

Monitoring is the series of day-to-day processes and activities that are used to ensure good operation of the relevant University systems. This is an automatic and ongoing process that is uniformly applied across the applications and devices that are connected to the University’s network. The output of monitoring is generally event notifications.

Under the monitoring regime, file and email content is processed by software systems in an automated manner for purposes such as virus protection, malware detection, and spam prevention. The content is not examined by human eyes.

Metadata (data about data) is generated and collected from all emails sent and received. This includes time and date, sender, recipient(s), subject and message-ID where available. The metadata collected is used for spam and phishing activity detection. This metadata is queried and analysed to find events of interest.

An example might be an email sent to several hundred recipients, which would cause an automated alert to be generated. If the subject (which is an item of metadata) is “ABCADC Annual Conference and Workshop 2019” then administrators would believe that this is a valid email, and no further action should be taken. However, should the subject be “Your password has expirred” (yes, with the spelling error) then IT would reasonably infer that this was a suspicious email, probably a phishing email. It is probable that a “search and destroy” action would be initiated to rid all mailboxes of the offending email. IT Services never see the content of mailboxes in this process.
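The metadata-only alert described above can be sketched as follows. This is an added Python example, not the University's own tooling: the 200-recipient threshold, the record field names and the fallback grouping for entries without a message-ID are assumptions, and the log entries are constructed. The alert carries the subject so that an administrator can make the judgement described above.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Assumed value for "several hundred recipients"; not a figure from the policy.
RECIPIENT_ALERT_THRESHOLD = 200


@dataclass
class Alert:
    key: str
    sender: str
    subject: str
    first_seen: datetime
    recipients: set = field(default_factory=set)


def group_key(rec):
    """Group log entries by message-ID where available, else sender/subject/hour."""
    if rec.get("message_id"):
        return "id:" + rec["message_id"]
    hour = rec["time"].strftime("%Y-%m-%dT%H")
    return "fallback:{}|{}|{}".format(rec["sender"].lower(), rec["subject"], hour)


def bulk_mail_alerts(records, threshold=RECIPIENT_ALERT_THRESHOLD):
    """Return alerts for messages whose distinct recipient count reaches threshold.

    Only metadata is read; message bodies never appear in the records.
    """
    groups = {}
    for rec in records:
        key = group_key(rec)
        if key not in groups:
            groups[key] = Alert(key, rec["sender"], rec["subject"], rec["time"])
        alert = groups[key]
        alert.first_seen = min(alert.first_seen, rec["time"])
        alert.recipients.update(r.lower() for r in rec["recipients"])
    hits = [a for a in groups.values() if len(a.recipients) >= threshold]
    return sorted(hits, key=lambda a: a.first_seen)


def make_sample_log():
    """Constructed metadata records; every address and ID here is made up."""
    def users(start, stop):
        return ["user{}@example.edu".format(i) for i in range(start, stop)]

    def entry(hh, mm, sender, rcpts, subject, message_id=None):
        return {"time": datetime(2019, 3, 1, hh, mm), "sender": sender,
                "recipients": rcpts, "subject": subject, "message_id": message_id}

    conf = "ABCADC Annual Conference and Workshop 2019"
    phish = "Your password has expirred"
    return [
        # One message delivered in two batches, logged with the same message-ID.
        entry(9, 0, "events@example.org", users(0, 150), conf, "<conf-1@example.org>"),
        entry(9, 1, "events@example.org", users(150, 300), conf, "<conf-1@example.org>"),
        # Ordinary mail, far below the threshold.
        entry(9, 30, "alice@example.edu", users(0, 3), "Meeting notes", "<m-1@example.edu>"),
        # No message-ID recorded: grouped by sender, subject and hour instead.
        entry(10, 5, "helpdesk@example.net", users(0, 120), phish),
        entry(10, 20, "helpdesk@example.net", users(100, 250), phish),
    ]


if __name__ == "__main__":
    for a in bulk_mail_alerts(make_sample_log()):
        print(a.first_seen.isoformat(), len(a.recipients), a.sender, repr(a.subject))
```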

Monitoring also includes network connectivity, particularly to the Internet. For many years the University has captured the metadata from all Internet connections, including source and destination IP addresses, ports, the user code responsible for the connection, and the volume of data transferred. For example, the metadata captures a level of detail that can identify user abc123 connected to the TSB bank at 10:21am yesterday; or that user abc123 connected to a phishing site.

The UC firewall¹ currently examines some traffic types in a more detailed way, as they are more likely to be used for cyberattacks; however the firewall does not make the results of the inspection of this type of content available for manual examination. It is expected that there will be both automated and manual packet capturing² tools added to UC connections in the future. However, as much internet traffic is encrypted, the details of most actual communications are not seen. Taking the above example of the connection to the TSB bank, IT Services cannot identify any personal detail (banking username or password), as all this content is encrypted.

The automated versions of this packet capture and analysis are often known as IPS, for Intrusion Protection System, and DLP, for Data Leakage Prevention.

 

1 A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. More at Wikipedia

2 Packet capture, sometimes called packet sniffing or just sniffing, is the technique of capturing a network packet “off the wire” and storing it for further analysis by a tool called a packet analyser. More at Wikipedia.

Examine means to look at the content of network traffic, files and emails within a specific boundary by a deliberate and specific investigative process. The boundaries are one or more of a specific user, file location(s), computer(s), network addresses, a date range, or in the case of email, one or more metadata items, such as subjects, senders, recipients, etc. This process is only undertaken on request from the University Registrar or with appropriate and specific approval, and with the cooperation of the computer user regardless of whether the device is University owned or not.

Examination of content requested by the Registrar is not a routine operation, and does not occur frequently. Examination will take place when there is a suspected breach of the Law, Policy or a contract, as a result of employee misconduct, or for a business reason that is acceptable to the Registrar. It is rare that such an examination is initiated by IT Services outside of the business context. If IT Services were to initiate an examination, it would happen in the context of providing assistance to the device owner in the tracking of viruses, Trojans, and other forms of malware.

In the examination of email(s), the email system permits “discovery” of emails, using a combination of filters, for example, subject, sender, recipient, and keywords. This includes discovery of deleted emails over a certain period.

The Privacy Officer can also require examination of email and files for the purposes of fulfilling information disclosures under the Official Information Act, as detailed in the Official Information Policy.

The University can also be required to investigate and extract file and email data, and metadata, as a result of a police warrant.

Please note that where it is necessary to examine a non-UC device, it will be examined in “aeroplane mode” with the permission of the device owner. As such, there will be no examination of cloud storage or connected services, unless such an examination has been specifically required by the Registrar.

The UCLive accounts are not directly operated by the University, but by Microsoft, and therefore this system is operated according to Microsoft’s terms and conditions. This system provides the University with similar capabilities to examine mail as the University system, in particular, deleted email can be retrieved, and mailboxes can be searched.

At this time, unlike the standard University mail services, there is no metadata information available for this service. However Microsoft has their own suite of anti-spam and account compromise protections, which is one of the core reasons for metadata collection.

Although the Policy has no prohibition against this, in practice, technology that can remotely scan files on personal devices over which UC does not have administrative privileges is not widely available, and is not something the University is pursuing.

The University is planning on bringing centralised management to University-owned devices.

See also Q5 and Q17.

The University will not be “infecting” non-University owned devices to undertake monitoring or examination. The concept of “infecting” suggests software is installed onto a device without the device owner’s knowledge or permission to undertake an investigation. There is little difference between a piece of software undertaking an investigation and a piece of malware; it is not an acceptable approach, and is not condoned by the University.

However, technology that the University has used for many years, in particular the “Firepass” remote access service, does have the capability to perform automated analysis of a computer prior to a connection being made; the software elements that undertake this examination are part of the standard client, but as yet the use of this feature has not been enabled. This analysis can identify if an acceptable anti-virus product is installed. Currently, the full list of checks that can be performed is:

    • File system checks;
    • System service checks;
    • Registry checks;
    • Browser plug-in checks;
    • Antivirus software checks;
    • Firewall software checks;
    • Hard-disk encryption software checks;
    • Patch management software checks;
    • Peer-to-peer software checks;
    • Hardware certificate checks; and
    • OS and client device ID checks.

Although the “Firepass” system can undertake these checks, and can make yes/no decisions based on what it finds, it does not make the content available for further examination.

IT Services does not have the capability to migrate personal emails from the University mail system to other mail systems. The only way to undertake this task is to manually forward emails.

If the destination email system is a Microsoft Outlook client, there may be a way to move mail in bulk, details of which will be published.

Yes, if the visiting academic (or other visitor) has device(s) connected to the University networks, as the Policy applies to all devices. See Q2 about cloud storage and remote connections.

The law requires medical data to be handled in accordance with the Health Information Privacy Code (HIPC)¹, and the Ministry of Health publication HISO 10029:2015 Health Information Security Framework². Medical data is defined as:

  1. information about the health of that individual, including his or her medical history; or
  2. information about any disabilities that individual has, or has had; or
  3. information about any health services or disability services that are being provided, or have been provided, to that individual; or
  4. information provided by that individual in connection with the donation, by that individual, of any body part or any bodily substance of that individual or derived from the testing or examination of any body part, or any bodily substance of that individual; or
  5. information about that individual which is collected before or in the course of, and incidental to, the provision of any health service or disability service to that individual.

At present only the University Health Centre and its systems are known to be compliant with the relevant provisions.

The University Policy does not make exceptions for medical data. All systems are subject to automated monitoring, and, with appropriate permission, examination. A request to examine data held would have to come from the Registrar, and as the Registrar is also the Privacy Officer, permission would only be granted where the examination was both necessary and compatible with the relevant law.

Any medical organisation which has a computer system will also have the same requirements and restrictions as the University, in that computer systems require computer systems administrators to operate, and these individuals have significant access to systems holding data.

 

1 Health Information Privacy Code (HIPC)

2 HISO 10029:2015 Health Information Security Framework

As with medical data, there are no areas of data within the University which cannot be accessed for monitoring or examination. All systems are subject to automated monitoring, and, with appropriate permission, examination. A request to examine data held would have to be approved by the Registrar.

Also see Q10 below.

There have been concerns raised about the confidentiality of data, and that as a result of the updated Policy, data once considered private and/or confidential is now subject to monitoring and/or examination.

The University has had a policy describing the use of IT systems since approximately 2005³. As a result, all data held on University computer systems has been subject to possible examination since the Policy’s publication. The policy that preceded the IT Policy Framework was the “Computer use Policy and Procedures”, which stated, in section 6.3:

“Managers may need to examine, move, copy or delete files when there are reasonable grounds to believe, for example:

      • that the integrity of the system or the rights of others are under threat;
      • the computer policy is being breached;
      • laws are being broken;
      • dishonest practice is occurring e.g. cheating;
      • protocols or rules for the use of external systems are being broken.

Other than in exceptional circumstances, the Manager will undertake such non-routine action only with the prior approval of the Head of Department/School. In all circumstances the Head of Department/School and the affected user will be notified as soon as is practicable.”

As such, neither this Policy update nor the preceding version gives new examination powers to IT Services; rather, the Policy now restricts such activities to only being allowed with the approval of the most senior decision-maker.

This situation of confidentiality is not unique to the University. Any business that has an IT system large enough to require IT personnel operates in the same way: there are specific individuals, known as System Administrators who are charged with operating, managing, and securing IT systems. All Systems Administrators have rights and privileges over the systems they manage, that are greater than the rights and privileges of the users and data owners of those systems.

In addition to the policies and codes of conduct that apply to all staff, students and visitors, System Administrators at UC are also bound by a signed confidentiality agreement.

With great power comes great responsibility, and misuse of System Administrator power is contrary to Policy, and would lead to disciplinary action.

3 Formerly known as the "Computer use policy and procedures", superseded in 2015 by the IT Policy Framework.

No, the University cannot force you to hand over your password; examination of non-University owned devices will only occur with the cooperation of the device owner. The University will, should circumstances dictate, ask you to unlock your device so it can be examined.

You can, of course, choose to not cooperate in this process; the University has no legal means to mandate you to make the device available for examination. However to not cooperate could be considered a breach of Policy. You are reminded that compliance with University Policy is something agreed to in both student enrolment and staff contract of employment.

Enforcement is an action that can occur as a result of a Policy being breached. For example, in the Policy Framework section a number of unacceptable behaviours are detailed. If through monitoring or examination (or some other mechanism) you are found undertaking one of these behaviours, then, in accordance with the Policy, and the Code of Conduct, the University may bring disciplinary proceedings.

If through monitoring or examination (or some other mechanism) it is discovered that you are breaking the law then the University may consider involving the Police.

This would be a breach of Policy, and may also be a breach of their confidentiality agreement, and enforcement action would be taken against the individual concerned, up to and including dismissal.

This leads to the question of who determines if an IT person is acting outside of their scope or authority.

As noted in Q10, there are now more restrictions around System Administrators examining data than in the past, so speculative examination which may have previously been justified would now not be permitted.

IT Services consists of a number of departments and a number of specialisations. Different positions within IT Services have differing permissions and capabilities. Many staff have no special permissions as compared to any University employee, while some have great privilege in specific areas. The monitoring roles are in general undertaken by different individuals to those that have examination capabilities. As such, anyone exploiting their position within IT Services would be discovered by a fellow colleague.

It has been suggested that IT personnel might use monitoring and/or examination to carry out forms of harassment. This would be a breach of the Policy, confidentiality agreement, and the law, and appropriate actions would be taken by the University.

Anyone with any suspicions or evidence of inappropriate behaviour by IT staff should report it to their manager. The Chief Information Officer and the Learning Resources Executive Director are both committed to “doing IT right”, and ensure that any inappropriate behaviour is fully investigated.

There is no specific wording or prohibition on crypto-mining; however such activity would fall under the prohibition “undertake for-profit personal activities using University resources.”

The standard UC Policy template no longer accepts a name in the Contact Officer field.

As noted in the introduction, much of the wording of the original IT Policy Framework was developed by a cross-University working group. The original first paragraph, strongly influenced by the academic members of that group, read:

The University strives to deliver a first class computer network and associated computer systems to support the strategic intent, objectives and priorities of the University. IT users are encouraged to use the computer systems to the fullest extent to support teaching, research, study, and other related University work. IT users are further encouraged to bring their own devices, and use them in conjunction with University supplied facilities.

This paragraph has, through a series of small edits over time, become “corporatized”:

The University strives to deliver a robust and fit for purpose computer network and associated computer systems to support its strategic mission, objectives and priorities. Students and staff are encouraged to use the computer systems to the fullest extent to support teaching, research, study and other related University work.

It is important to understand that University Policy – all University Policy – goes through many hands on the way to becoming an official statement of the University, and thus the wording often becomes a compromise that is acceptable to all involved parties.

This question was not considered during the drafting of the policies. It was never an intention to bring off-site personally owned computers into scope. However, the Policy does under some circumstances, bring some home computers into scope.

There are a number of types of remote access. The most commonly used is known as “The Firepass”, and this is the system where one logs in to https://go.canterbury.ac.nz, and a menu similar to that shown below is displayed, though almost certainly with fewer options.

[Image: UC Go menu]

Options that are surrounded by a green box will not bring a connected device into scope: as with the “remote desktop” approach, the home computer used with these options does not hold University data. The remote computer is simply acting as a remote screen, keyboard and mouse and printer for a University computer that is already covered.

The options surrounded by red boxes operate in a different manner: using this system of a VPN (virtual private network) the remote computer becomes a part of the University network, in a similar way to every other computer on the University network. As the remote computer is “just another computer on the University network”, it would be hard to argue that such a computer is not in scope of the Policy. However the Policy is not intended to capture such devices, and it would only be under the most exceptional circumstances that such examination would be considered. There has never been an example of such a circumstance.

If one is using a VPN connection to the University, it is important that the computer owner has a responsible attitude towards anti-virus and malware protection, and most importantly, keeps the computer software up-to-date, as this is the number one protection against computer exploitation. Fortunately, the majority of remote access connections are now from Windows 10 machines, for which Microsoft enforces patch updates, or from Macs or Linux machines which have a different and lesser risk profile.

The question was phrased as “Who will be responsible for ensuring that monitoring of email and other communications will not be used by administrators for academic functions (i.e., blocking someone’s promotion because of an email disagreeing with the PVC)?”

To begin the process of examination, the Registrar’s approval would be required to instruct IT Services to discover the relevant emails. Assuming the request is approved, the appropriate System Administrator would receive a valid instruction, which must be complied with.

However, one could argue that this is “an act, omission, or course of conduct by a public official that is oppressive, improperly discriminatory, or grossly negligent, or that constitutes gross mismanagement” contrary to the University Protected Disclosures Act Internal Procedures and Code Of Conduct policy, that sets out how “whistle-blowers” can make protected disclosures.

In terms of the Protected Disclosures Act of 2000, the University has developed procedures and a Code of Conduct for persons to whom a disclosure may be made. This sets out how “whistleblowers” can make protected disclosures.

No. Accessing services remotely generally does not make the accessing device part of the University network, and thus it does not come into scope. As such accessing email, in this context, is no different to accessing any other service that the University publishes to the internet.

The exception to this is Remote Access VPN services, see Q17.

It is difficult to quantify the benefits as the key driver of all IT security is risk reduction and cost avoidance, rather than traditional financial measures. However, all investments in technology are required to pass through a number of hurdles and are scrutinised at the highest level, and thus arguments for expenditure have to show benefit in one form or another.

A reduction in near-miss events will have a definite cost reduction.

Universities in general spend a tiny fraction of the resources that commercial organisations spend on IT security⁴. Therefore it is necessary to spend what money is available for IT security wisely to get the most in terms of risk reduction.

Most of the security-related monitoring systems in place today are in-house written or open source solutions that target specific points of interest. It is anticipated that as the University cyber posture improves, the scope of automated monitoring will increase, and thus provide better visibility of cyber-related problems and threats.

 

4 From Budget Conscious Strategies for Information Security Building Resources on a Budget. HEISC Working Group Paper. April 2018: The most recent EDUCAUSE Information Security Almanac reported that among responding institutions, only 3% of central IT spending is on information security and identity and access management activities; the almanac also noted that colleges and universities have an average of just two central IT information security personnel per 10,000 institutional FTEs. And those are the median numbers; many colleges and universities operate their institutional information security programs with far fewer resources. By contrast, SANS found that only 15% of businesses responding had security IT spend of 3% or less.

There is no single answer to this question, but because this data is collected automatically and the volume rapidly becomes unmanageable, the general answer is months.

This quote is from the Internet Usage Policy; this policy has not changed since the previous version was published, other than to update the section “Monitoring and Enforcement”, as the words of this section should be the same in both policy documents.

Steps that have been taken to manage the costs of provision of the internet service include blocking peer-to-peer “bit-torrent” type traffic⁵ unless authorised by a specific exception.

 

5 The vast majority of Peer-to-peer traffic was the downloading of movies, contrary to section 122A of the Copyright Act 1994, and thus the removal of this traffic has also reduced the number of complaints received about infringing file sharing.

 

Learn about charges and allowances relating to IT at UC.


Printing charges

The table below shows the charges for printing and copying per side of the paper on all printers and multi-function devices on campus.

Printing is paid for using your Canterbury Card - click here to learn how to add funds to your Canterbury card.

Paper size    Black and white                 Color
              Single sided    Double sided    Single sided    Double sided
A4            3c              2.5c            12c             11c
A3            8c              6.5c            25c             23c

For additional printing and copying services please visit the Copy Centre.

Doctoral printing allowance

All enrolled doctoral students will be credited a $30 allowance for printing from 1 February. Doctoral students who start after this date will receive the $30 allowance within the first month of study at UC. If you have not received this allowance within the first month, please contact the Service desk here to arrange for the allowance to be added.

Any allowance left at the end of your study with UC will not be refunded. 

Where the nature of the research undertaken requires significant printing over and above personal usage, this should be identified and discussed with the supervisor of your doctoral programme.

Internet allowances

All students receive 100GB per month of free internet allowance for external internet use, such as Google searches. You are not charged for accessing UC sites (sites ending in ".canterbury.ac.nz").

Student: data allowances

  • Local storage:  Students automatically receive 10GB of storage on their personal “P Drive”. This storage space is hosted locally on UC servers and can be accessed off-campus via ftp using this link: My Documents (P: Drive).
  • Cloud storage: Students can receive 1TB of data via Office 365 using OneDrive for Business.

Staff: data allowances

  • Local storage: Staff automatically receive 50GB of storage on their personal “P Drive”. This storage space is hosted locally on UC servers and can be accessed off-campus via ftp using this link: My Documents (P: Drive).

Add funds to your Canterbury Card

All printing is paid for using your Canterbury Card. Use the link below to find out how to add funds to your card:

Add Funds