Acceptable Use Policy

Acceptable Use Policy

Purpose of Policy

This policy establishes guidelines for the appropriate use of Information Technology Resource at Gettysburg College so that all users utilize technology resources in a manner that supports the College's educational, research, and administrative missions while protecting the security, integrity, and availability of these resources. This policy aims to promote responsible use, protect individual privacy rights (including the protection and privacy of Personally Identifiable Information), comply with applicable laws and regulations, and maintain the College's reputation and operational effectiveness.

Scope of Policy

This policy applies to all members of the Gettysburg College community, including but not limited to students, faculty, staff, administrators, contractors, consultants, temporary employees, volunteers, retirees, and guests who access or use any College Information Technology Resources. This includes both on-campus and remote access to College Systems, Networks, and services. The policy covers all College-owned, leased, or managed technology resources, as well as personal devices when connected to College Networks or used to access College Data and Systems.

This Policy prohibits the use of non-College owned/contracted Systems for College business or College-owned PII-related information and Data.

Definitions

College Data: Any information, other than that covered by the College’s Intellectual Property Policy, that was created, received, maintained, or transmitted by or on behalf of Gettysburg College. This includes but is not limited to student records, user information, Personally Identifiable Information (as defined herein), financial data, and administrative records.

College-owned or Contracted System: Any system that has been vetted by the College’s Data Security Due Diligence and Contract Review Processes and any system that has been bought or subscribed to as a service paid for by College funds and approved by Information Technology and the Office of Risk Management.

Information Technology Resources: All computing and networking equipment, software, systems, services, and infrastructure owned, leased, licensed, or managed by Gettysburg College, including but not limited to computers, servers, networks, mobile devices, telecommunications equipment, software applications, databases, websites, email systems, cloud services, and electronic storage media.

Network: The College's wired and wireless computer networks, internet connections, and any systems that provide access to College information technology resources.

Personal Use: Use of College information technology resources for activities that are not directly related to College business, education, or research.

Personally Identifiable Information (PII): PII refers to any data that can be used to identify, contact, or locate a specific individual, either directly or indirectly. PII includes, but is not limited to, information like name, social security number, email address, phone number, or a combination of data points that can be linked back to a specific person.  For the purposes of this policy, Personally Identifiable Information also includes information and data specifically addressed by laws with which Gettysburg College must comply, including but not limited to education records under the Family Educational Rights and Privacy Act (FERPA).

Student Employee Accounts: Accounts that students are provided to support their role as a student employee. These accounts are provided subject to the terms of the Student Employee Access to Administrative Systems Policy.

System: A combination of hardware, software, networks, and data that work together to manage and process information within an organization or for a specific purpose.

User: Any individual who accesses or uses College information technology resources, including students, faculty, staff, administrators, contractors, retirees, and authorized guests.

Policy Description

General Principles

Gettysburg College provides Information Technology Resources to enable and support the College’s education, research, and administrative mission.  All Users of Gettysburg College Information Technology Resources must use these resources responsibly, ethically, and in compliance with applicable laws, regulations, and College policies. Users are expected to respect the rights of others, protect the security and integrity of Systems and Data, and use resources efficiently and appropriately. 

Acceptable Use

Information Technology Resources are provided primarily to support the College's educational, research, and administrative functions. Acceptable uses include:

• Educational activities such as coursework, research, and academic collaboration
• Official College business and administrative functions
• Scholarly research and creative activities
• Professional development and continuing education
• Fostering respectful dialogue and responsible participation in the digital community
• Limited personal use that does not interfere with College operations or violate this policy

Prohibited Activities

The following activities are strictly prohibited when using College Information Technology Resources:

Illegal Activities: Users may not use College resources for any activity that violates federal, state, or local laws, including but not limited to copyright infringement, software piracy, unauthorized access to computer systems, fraud, identity theft, or distribution of illegal materials.

Harassment and Discrimination: Users may not use College resources to harass, threaten, intimidate, or discriminate against any individual or group based on race, color, religion, sex, national origin, age, disability, sexual orientation, gender identity, or any other protected characteristic.

Unauthorized Access: Users may not attempt to gain unauthorized access to College systems, networks, or data, or to data or systems belonging to other organizations or third parties, including data or records owned or maintained by other Network Users. This includes attempting to bypass security measures, sharing login credentials, or accessing areas of systems for which they lack authorization.

Student Storage or Transmission of College-Owned Personally Identifiable Information: A students may  never access, store, or transmit Personally identifiable information, of any other person, using their student account.  A student employee may use a Student Employee Account for this activity only when directed to do so for a purpose related to the Student’s employment.

Malicious Activities: Users may not engage in activities that could damage, disable, or impair College Systems or the Network, including but not limited to introducing viruses, worms, or other malicious code, conducting denial-of-service attacks, or engaging in any form of cyber-attack.

Privacy Violations: Users may not intercept, monitor, or access communications or data belonging to other Users without proper authorization, except as required by law or College policy.

Commercial Use: Users may not use College resources or Systems for commercial purposes, including advertising, selling goods or services, or operating a business, except as specifically authorized by the College.  Use of the For Sale Digests is authorized, consistent with applicable policies and limitations.  For additional information, see the Gettysburg College Network Use Policy.

Excessive Personal Use: While limited personal use is permitted, Users may not engage in personal activities that consume excessive network bandwidth, storage space, or system resources, or that interfere with College operations.  Examples of unacceptable use include but are not limited to the use of bit torrents.  For additional information, see the Gettysburg College Network Use Policy.

Use of Non-College Systems: Users are prohibited from using personal accounts, consumer-grade applications, or unauthorized third-party services to collect, store, process, use, share, or disclose College Data or PII. This includes but is not limited to: storing Personally Identifiable Information about students, alumni, employees, or other members of the Gettysburg College community on the following services:

• Personal cloud storage services (Dropbox, Google Drive, OneDrive personal accounts, iCloud, etc.)
• Personal email accounts for official College communications (Microsoft, Gmail, Yahoo, Apple, etc.)
• Non-approved file sharing platforms (WeTransfer, SendAnywhere, etc.)
• Personal communication tools (WhatsApp, Signal, Telegram, Discord, etc.) for official business
• Personal collaboration platforms (Slack, Microsoft Teams personal accounts)
• Personal video conferencing accounts (Zoom, Skype, etc.) for official meetings or College business
• Personal survey tools or data collection services.
• Personal social media accounts for official College announcements or data storage
• Personal AI Accounts (ChatGPT, Claude AI, Microsoft CoPilot, etc.)
• Any software or service where personally identifying information is not protected by contractual terms that meet the College’s standards.

This is a representative, but not exhaustive, list of prohibited services.

All College Data must be stored, processed, and transmitted using only College-approved and College-contracted systems and services. Users requiring access to third-party services for legitimate College business must obtain prior approval from the Data Governance Council by using the form below:

• https://gettysburg.kualihub.com/app/68b9e37107672d027f15aa2e/run

Responsibilities of Users 

All Users of College information technology resources, Systems, and Networks have the following responsibilities:

Account Security: Users must protect their login credentials and are responsible for all activities conducted under their accounts. Passwords should be strong and unique, consistent with Network password complexity requirements, and kept strictly confidential.

Software Compliance: Users must comply with all software licensing agreements and when handling College Data may only install and use software that is properly licensed and authorized by the College.

Data Protection: Users must protect College Data and Personally Identifiable Information in accordance with applicable laws and College policies. This includes proper handling of particularly sensitive College Data, secure storage practices, and appropriate disposal of College Data when no longer needed and in accordance with Gettysburg College’s data retention and destruction policies and procedures.

Reporting Incidents: Users must report suspected security incidents, policy violations, or system problems to Information Technology promptly.  Incidents should be reported Information Technology Help Desk at helpdesk@gettysburg.edu.

Compliance: Users must comply with all applicable laws, regulations, and College policies when using Information Technology Resources.

Privacy and Monitoring: While the College respects User privacy, Users should be aware that:

• The College reserves the right to monitor network traffic, system usage, and communications to promote compliance with this policy, investigate suspected violations of College policies or applicable laws, maintain the security and integrity of College Systems and Networks, and support College operations
• Users should have no expectation of privacy when using College Information Technology Resources, whether for personal purposes or for College business and operations
• The College may access, review, or disclose information stored on or transmitted through College Systems and Networks as required by law, College policy, or operational necessity
• Personal use of College Systems and Networks does not create a reasonable expectation of privacy, and all personal use is subject to this and all other applicable College policies

Enforcement and Consequences: Violations of this policy may result in disciplinary action, including but not limited to:

• Temporary or permanent suspension of access to Information Technology Resources
• Disciplinary action in accordance with applicable student, faculty, or staff policies
• Referral to law enforcement agencies when criminal activity is suspected
• Civil action to recover damages or costs incurred by the College
• The specific consequences for policy violations will depend on the nature and severity of the violation, the User's history of compliance, and other relevant factors.

Personal Devices and BYOD (Bring Your Own Device)

Personal devices used to access College Networks or Data must comply with security requirements established by Information Technology. The College reserves the right to require security software, configuration settings, or other measures on personal devices that access College resources. 

Policy Management

This policy is owned by the Chief Information Officer and implemented by Information Technology. Information Technology is responsible for:

• Maintaining and updating this policy as needed
• Providing guidance and training on policy requirements
• Investigating suspected policy violations
• Recommending appropriate enforcement actions
• Coordinating with other College departments on policy implementation

Questions about this policy should be directed to Information Technology using the contact information below.

Related Materials

Federal Laws and Regulations:

• Computer Fraud and Abuse Act (18 U.S.C. § 1030)
• Digital Millennium Copyright Act (17 U.S.C. § 512)
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)

Additional Resources:

• Information Technology Website
• http://gettysburg.edu/it

• Data Classification Standards

https://csrc.nist.gov/glossary/term/personally_identifiable_information

For questions or additional information about this policy, please contact Information Technology at helpdesk@gettysburg.edu or (717) 337-7000.