Operations Manual The University of Iowa


(Written to conform to Regents Procedural Guide 3/74; amended 9/93; 10/95; 9/97)


(Enacted 6/95; amended 4/99; 8/02; 9/13)

19.1 Preamble
19.2 Scope of Policy
19.3 Security and Privacy
19.4 Individual Responsibilities
19.5 Administration and Enforcement
19.6 Disclaimer
19.7 Other Policies and Rules

The University of Iowa's information technology resources are critical to the University's missions of teaching, research, and service. To ensure a highly robust, continuously available, fair, and effective environment that serves the University's computing needs, institutional and external standards for acceptable use must be applied. Each individual user must therefore comply with institutional and external standards for acceptable use of these shared resources. Although limited personal use of University-supplied technology resources may develop the skills of individual users and otherwise contribute indirectly to the University's mission, these resources should be used primarily for University-related research, educational, and administrative purposes. By using University information technology facilities and resources, users agree to abide by all related University policies and procedures, as well as applicable federal, state, and local law. Violations may result in University disciplinary action or referral to appropriate external authorities.

The use of University information technology resources -- like the use of any other University-provided resource and like any other University-related activity -- is subject to the normal requirements of legal and ethical behavior within the University community. Thus, legitimate use of a computer, computer system, or communication network does not extend to whatever is technically possible. Although some limitations are built into computer operating systems and networks, those limitations are not the sole restrictions on what is permissible. Users must abide by all applicable restrictions, whether or not those restrictions are built into the operating system or network and whether or not they can be circumvented in any way.

This acceptable use policy applies to all uses of University information technology (IT) resources. This includes the resources under the management or control of Information Technology Services (ITS) or other units of The University of Iowa, such as UI Health Care Information Systems (HCIS). A "user" is defined as any individual who uses, logs into, or attempts to use or log into, a system; or who connects to, or attempts to connect to or traverse, a network, whether by hardware or software or both, whether on campus or from remote locations. The term "user" thus includes system sponsors and system managers, faculty, staff, students, visitors, and other customers. "Information technology resources" are those facilities, technologies, and information resources required to accomplish information processing, storage, and communication, whether individually controlled or shared, stand-alone or networked. Included in this definition are all Instructional Technology Centers (ITCs), classroom technologies, electronic resources, and computing and electronic communication devices and services, such as, but not limited to, computers, printers, storage devices, mobile devices, e-mail, fax, video, multi-media, instructional materials, and healthcare, research, and administrative systems. Personal equipment connected to the University network is also subject to this policy.

The same principles of academic freedom and privacy that have long been applicable to written and spoken communications in the University community apply also to electronic information. The University cherishes the diversity of perspectives represented on this campus and, accordingly, does not condone either censorship or the unauthorized inspection of electronic files.

The University employs various measures to protect the security of information technology resources and individual user accounts. Users should be aware, however, that the University cannot guarantee absolute security. Users should therefore engage in "safe computing" practices by safeguarding their accounts, and regularly changing and never sharing their passwords. Backup and recovery systems must be implemented in accordance with University disaster recovery guidelines, and all institutional systems must utilize security controls in accordance with best practices and University policies and procedures. The University respects encryption rights on its networks and may itself encrypt information and transactions when secure confidentiality is an obligation.

Users should also be aware that their uses of University information technology resources are not completely private as the information contained will be subject to the University's obligation to respond to subpoenas or other court orders, reasonable discovery requests, and public requests for documents pursuant to Iowa Code Chapter 22, the Public (Open) Records Law. All University records are subject to public record requests, unless an expressed exception in the law recognizes the confidentiality of the material, such as the exceptions provided for student, medical, or library records. By statute, public records include all "records, documents, tape or other information, stored or preserved in any medium," generated by University faculty or staff.

The Public Records statute contains no general exception for documents generated by faculty or staff in the course of their employment. As a result, the University recommends that faculty and staff refrain from keeping personal information on University systems, and utilize a personal email account for their personal communications. Additionally, users should be aware that University records that are otherwise subject to open records requests do not become confidential if they are created or stored on personally owned devices or in personal accounts. Disputes over the applicability of any confidentiality exceptions may ultimately be decided by a court of law, not by the University. While the University does not routinely monitor individual usage of its information technology resources, the normal operation and maintenance of the University's information technology resources require the backup of data and communication records, the logging of activity, the monitoring of general usage patterns, and other such activities that are necessary for the rendition of service. The University may also inspect account contents and electronic files, or monitor usage for a limited time when, and only when, there is probable cause to believe a user has violated this or other University policies. Inspections or monitoring related to violations of policy or law must be authorized in advance by the University Chief Information Officer (CIO) or a designee, or, within the UI Hospitals and Clinics, the CIO of Health Care Information Systems or a designee, in consultation with University counsel and other appropriate University officials. These investigations will be conducted with advance notice to the user, unless, after consultation with University counsel, it is determined that notice would seriously jeopardize substantial interests of the University or of third parties. 
In addition, a supervisor or principal investigator may request access to retrieve assigned work without notice to the employee if he or she is unavailable for timely response.


Information Technology Services is charged with communicating this policy to the user community through partnering with major campus Information Technology providers and for providing educational programs to achieve technical proficiency and appropriate use of the resources. Requests for interpretation of the policy as applied to particular situations may be directed to the appropriate University administrator, such as the Offices of the Executive Vice President and Provost, Dean of Students, Vice President for Human Resources, Chief Diversity Officer, Chief Information Officer, Health Care Information Systems, Information Technology Services, or to the Office of the General Counsel.

Members of the University community are strongly encouraged to report violations of this policy to any one of the following: Information Technology Services' Information Security and Policy Office, UI Health Care Information Systems, to an employee's supervisor, or, in the case of a student, to the Office of the Dean of Students. Anonymous reports of misuse of University resources may also be made through the use of the EthicsPoint web site or hotline. Where violations of law are alleged, University Public Safety and/or the Office of General Counsel should be contacted. Good faith disclosures of University-related misconduct are protected by the Anti-Retaliation Policy (see II-11).

Violations of criminal law may result in criminal prosecution. Violations of University policy may result in informal or formal sanctions including, but not limited to, loss of user privileges for a definite or indefinite period, discipline up to and including termination of employment, or, in the case of a student, probation, suspension, or expulsion from the University.

Formal sanctions taken in response to violations of this policy by:

The University makes no warranties of any kind, whether expressed or implied, with respect to the information technology services it provides. The University will not be responsible for damages resulting from the use of information technology facilities and services, including, but not limited to, loss of data resulting from delays, non-deliveries, missed deliveries, service interruptions caused by the negligence of a University employee, or by the user's error or omissions. Use of any information obtained via the Internet is at the user's risk. The University specifically denies any responsibility for the accuracy or quality of information obtained through its information technology facilities and services, except material represented as an official University record. The University also does not accept responsibility for removing material that some users may consider defamatory or otherwise offensive. Users should be advised, however, that dissemination of such material may subject them to liability in other forums.

Individual units within the University may define by written policies conditions of use for information technology resources under their control. Policy statements must be consistent in principle with this and all other University policy, but may provide additional detail, guidelines or restrictions. Such unit or departmental policies should be submitted to the Executive Vice President and Provost (for faculty), Human Resources or Vice Presidents of the University (for staff), the University Chief Information Officer, or to the Hospital Advisory Committee (for UIHC) to review for consistency with University policy. In addition, users are advised that network traffic exiting the University is subject to the acceptable use policies of our national and international network connectivity and long distance providers.


Page last updated January 2015 by Office of the Senior Vice President for Finance and Operations