Diamond IT Acceptable Use Policy

Diamond Information and Communication Technology (ICT) systems, services and facilities are provided to enable individuals to use facilities appropriately, effectively and efficiently. All normal use of these systems, within an individual's authority to act in pursuit of Diamond business, is allowed. 

The purpose of this policy is to identify proper usage and behaviour of individuals using Diamond ICT systems and services. 

 

The policy sets common standards of ICT acceptable use. Where additional organisational or project standards of acceptable use are set, these must be consistent with the standards set by this policy and documented separately. Sensitive or personal information must be appropriately protected in line with other relevant Diamond policies.

 

All parties are expected to conduct themselves in line with Diamond’s values and behaviours of respect, excellence, collaboration, integrity and innovation.

 

The IT AUP replaces an IT Users Guide and Policy, dating from January 2010, available from the intranet, and not designed for the broad range of different types of users defined in Section 2.
 

This document must be read and adhered to by those listed in the Information Technology Information Governance Framework, namely: all individuals working for Diamond or on our behalf in any capacity, including: Diamond employees, joint appointees, seconded workers, collaborators, members of advisory groups or committees, members of review panels, students, volunteers, interns, agents, contractors (specifically including suppliers and casual and agency staff), external consultants, third-party representatives and facility users.

Diamond’s directors have overall responsibility for this policy. The directors have delegated day-to-day responsibility for its operation to the cyber security lead.

This policy should be read in conjunction with the Data Protection Policy, and any privacy notices that Diamond may communicate.

Diamond’s ICT services can be put at risk through improper or ill-informed use and result in consequences which may be damaging to individuals and their research, Diamond operations, the Diamond community and its reputation.

 

The Policy aims to provide clear information concerning the use of Diamond information, information systems and software in all forms. It provides a framework to:

• enable individuals to use Diamond facilities securely and with confidence
• help maintain the security, integrity and performance of Diamond systems and services
• minimise both Diamond’s and individual users’ exposure to possible legal action arising from unauthorised use of the systems and services
• minimise Diamond and individual users’ exposure to unauthorised, excessive or inappropriate expense through business related activities
• help ensure that Diamond can demonstrate effective and appropriate use of publicly funded resources 
• set a standard for acceptable use across all Diamond systems and services

It is Diamond’s responsibility to ensure that individuals have access to this policy. It is each individuals’ responsibility to read, be fully familiar with, and abide by this policy and also the Joint Information Systems Committee (JISC) Acceptable Use Policy. The Jisc AUP covers electronic communications network and associated electronic  communications  networking  services  and  facilities  that  support  the  requirements  of  the  UK  education and research communities.

 

Sensitive or personal information must be protected appropriately in accordance with the Diamond Data Classification policy. Security classifications indicate the sensitivity of information (in terms of the likely impact resulting from compromise, loss or misuse).

 

 

Examples of unacceptable activities are given below in this Section; this list is not exhaustive. Breaches of the policy may: 

• in the case of Diamond Employees, result in disciplinary action up to and including dismissal depending on the nature and severity of the breaches
• in the case of individuals who are not Diamond employees, result in termination of any contract that they may have in place with Diamond and/or termination of their current and future access to Diamond

 
The following activities are unacceptable while using Diamond infrastructure or Diamond accounts:

1. transmitting, downloading or storing any material such that infringes the copyright of the owner

 

2. deliberately creating, storing or transmitting information which infringes the data protection registration of Diamond

 

3. purchasing goods or services or entering into any contract on behalf of Diamond without necessary authority

 

4. unauthorised use or redistribution of email, including blanket/bulk/automatic forwarding or routing of emails received on a Diamond email address to non-Diamond accounts eg university or affiliated organisations, commercial providers such as Gmail

• Access to email inboxes will be revoked when an individual ceases to be a Diamond employee, and will not be reissued if the same individual rejoins Diamond in a different capacity
• Non-employees should not use Diamond email addresses to misrepresent themselves as Diamond employees  

 

5. making your personal device, user account, and password available for other individuals to use on your behalf

 

6. accessing information, systems or services without appropriate authorisation or using another individual’s credentials

7. knowingly allowing the use of Diamond system, services and resources by unauthorised third parties

8. disabling, altering bypassing or circumventing any measures put in place by Diamond to maintain the safe and secure operation of systems, services and information. This includes non-cooperation with investigations or audits

9. failing to follow Diamond requirements on how to protect, store, transmit, share and access information both within and outside Diamond

10. using software that is not appropriately licenced or approved.

• employees should contact IT prior to procuring new software to check if there is already equivalent licensed software available
• facility users should only use software provided they have the appropriate licenses in place for its intended use (in accordance with the Terms and Conditions for Peer Reviewed Facility User Access)

11. attempting to gain or facilitate unauthorised access to a computer system, service or information. 

12. attempting to, or deliberately corrupting, destroying or denying access to another user’s email, data files, information, system or service. 

13. deliberately accessing, viewing, receiving, downloading, sending or storing material that:

• promotes or encourages discrimination, racism or intolerance
• is illegal in the UK
• is defamatory, threatening, harassing, offensive or abusive
• will, or is likely to, bring Diamond its employees or partners into disrepute
• is known to be infected with a virus, worm, Trojan or any form of malicious software or code
• infringes the privacy and data protection rights of individuals
• could endanger the health and safety or wellbeing of any other individual

 
Individuals may be exposed to unsolicited receipt of content, or accidentally view illegal material:

• unsolicited receipt of discriminatory, abusive, pornographic, obscene, offensive or defamatory messages (eg email SPAM or text messages) must be reported to phishing@diamond.ac.uk or using the Report Phishing function on Outlook. 
• anyone accidentally viewing what they believe is illegal material (eg indecent images of children) must immediately stop what they are doing, take a note of where they found the illegal material and close the software application displaying the material; this includes email. The individual must not view the illegal material again and must take appropriate measures to ensure that others cannot view the material. They must immediately inform their line manager, or Diamond host, and send an email to cybersecurity@diamond.ac.uk, who will advise how to proceed. It may be a criminal offence to continue to view, allow others to view, or not to report illegal material and as such Diamond may be required to report the matter to the police or appropriate authorities.

Diamond and STFC employ monitoring techniques on ICT systems and services, including email and Internet access, to enable the continuous improvement of services, detection of illegal activity, and to ensure that these facilities are not being misused.  

 

Monitoring is limited to the minimum data to fulfil the purpose of the monitoring activity (eg security, performance tuning) and will never include gathering of personal information unless specifically instructed to do so by the Executive. Processing is most often through the use of automated tools and access to the logs is restricted to authorised personnel: the Information Security Team or system administrators given this responsibility by the Executive. Investigations of suspected abuse would only be conducted when authorised by the Senior Information Risk Owner (SIRO), or a person with delegated security responsibility, and carried out by appropriately trained employees. Diamond’s SIRO is the Deputy CEO and CFO.

 

Diamond subscribes or uses services provided by third parties (eg Microsoft, STFC, Jisc). These parties may also monitor the access and use of those services to protect them from unauthorised access, improve their service offerings or to determine payment charges. 

 

Since Diamond is liable for data on its systems and services, it reserves the right, as part of any investigation, to inspect the contents of any emails (to diamond.ac.uk) accounts, or any other form of communications that are sent or received, and of Internet sites accessed, to check for compliance with this policy. 

At management discretion, Diamond employees are allowed limited and reasonable personal use of Diamond systems and services provided that such use does not:

 

• Interfere with normal work or the work of others;
• Involve more than minimal amounts of working time;
• Incur any unauthorised expense for Diamond and/or tie up a significant amount of resource;
• Involve access to offensive or illegal material, such as material containing racist terminology or which is sexually explicit;
• Result in illegal activity, expose Diamond to civil legal action, or risk bringing Diamond into disrepute;
• Include intentional use of software or techniques meant to disguise or circumvent detection of unauthorised computing activities;
• Expose Diamond to additional risk or compromise Diamond’s technical integrity.

 

Responsibility for ensuring that any personal use is acceptable rests with the individual. 

 

Whilst Diamond takes steps to ensure the security of all information held on its services, it is not liable for such information stored on its systems should it be lost, destroyed or accessed inappropriately.
Wherever possible, employees responsible for monitoring or inspecting the systems and services will respect emails and folders which are marked ‘Personal’ or ‘Private’; the only exceptions will be when directed by the Executive.

Diamond encourages the use of social media to enhance communication, collaboration, innovation and to engage with third parties in support of Diamond’s objectives. A Social Media policy encourages good practice, clarifies where and how existing policies and guidelines apply to social media, promotes effective and innovative personal use of social media and business use of social media, whilst at the same time minimising any potential risk of damage, whether reputational or otherwise, to Diamond.

Diamond encourages the use of Artificial Intelligence (AI) and Machine Learning (ML) to enhance innovation and improve operational efficiency. This aligns with Diamond’s core vision of being a world leading centre for science. The Diamond AI/ML Guidelines provides principles for acceptable use of AI and ML, whilst minimising risk of damage to Diamond. 

The nature of some forms of work might seem to contravene what would normally be considered appropriate use, for example the study of some medical research. Where this is necessary, it must be restricted to specific approved work identified as necessary for completion of that activity and security professionals consulted who will provide guidance appropriate to the activity and record the exception . Exceptions must be approved by the Information Technology Governance Committee, with provisions made to deprecate high-risk exceptions as soon as practicable.

 

Exceptions are recorded in the IT risk register. A known exception is the use of shared accounts for collecting data during beamline experiments. This practice is only acceptable when use of individual accounts is not feasible or when switching sessions will result in interruption to data collection. 

This Policy will be reviewed every two years by the Information Governance Work Group to incorporate legislation or regulatory changes.

The current version of the Policy is dated 11 June 2025; version 1.1.