I. Introduction
To achieve its mission, VUMC applies substantial financial and personnel assets toward operating a reliable, available and secure network-computing infrastructure. The mass adoption of digital technologies in the
everyday lives of members of our community requires VUMC to establish clear policies that guide how community members may use VUMC's information technology resources. This Acceptable Use Policy (AUP) communicates
the respective policies associated with our role in the VUMC community as students, faculty, staff or other authorized users.
II.Scope
This policy applies to all Vanderbilt University Medical Center Workforce Members (See References, IM
SOP - Defined Terms Used in Information Management Policies
) using VUMC computing resources whether individually controlled or shared, stand-alone or networked. It applies to all computer and communication facilities owned, leased, operated, or contracted for by VUMC. Information technology resources
include but are not limited to VUMC's Internet 1, Internet 2, private networks, telephone, fax, voice mail, electronic mail, instant messaging, electronic collaboration, content management, or other applications
that attach, utilize, or otherwise interface with VUMC's data and voice network computing infrastructure. Electronic communications include but are not limited to any information-data, text, graphics, audio,
video, or other artifact-that can be sent or received via an electronic system or manipulated or transferred via the network computing infrastructure or an attached device or peripheral.
III.Policies
| |
A. Privacy, Integrity and Operational
Security |
| |
The privacy of all users and the integrity and operational security of VUMC's information technology system must be respected by all. VUMC's IT resources must not be used by anyone to gain or attempt
to gain unauthorized access to private information, even if that information is not securely protected or is otherwise available. The fact that an individual account and its data may be unprotected
does not confer either an ethical or legal right to access it. |
| |
| |
1. |
Investigations of misuse, unauthorized use, or illegal activity, compliance with federal, state or local laws or regulations, as well as routine or emergency maintenance
of the IT system, may require observation of electronic information by appropriate and authorized VUMC officials, employees, or their authorized agents. Such activities
are not in violation of this principle so long as these activities are conducted by authorized individuals on behalf of VUMC and are governed by professional IT forensic
protocols. VUMC uses automated systems to monitor data transmissions entering and leaving VUMC's networks to detect the presence of viruses, malicious software, or
privileged information. |
| |
2. |
Unauthorized access to private information constitutes a violation of this policy, and may result in disciplinary actions under the Faculty Manual, House Staff Manual,
HR policies, or other applicable policy statements. Violation of this principle may also constitute a violation of state or federal law. |
|
|
| |
B. Use |
| |
Use of VUMC's network computing and electronic communications infrastructure comes with certain responsibilities and obligations. |
| |
| |
1. |
Unlawful Use |
| |
|
Tennessee and federal laws provide for civil and criminal penalties for violations of the law of systems use. Examples of unlawful actions include, but are not limited
to, defamatory remarks, destruction of VUMC data or equipment, unauthorized copying of copyrighted material and the transportation of obscene materials across state
lines. Any use of VUMC network computing assets by anyone in the organization that violates state, federal, or local laws is prohibited.
|
| |
2. |
Violation of Institutional
Policies |
| |
|
VUMC's academic departments, clinical operations, and administrative areas maintain policies that govern and inform our day-to-day lives in the conduct of our VUMC experience.
Any use of VUMC network computing assets that violates applicable institutional policies is prohibited.
|
|
C. Fiduciary Responsibilities
| |
1. |
VUMC Workforce Members |
| |
|
VUMC Workforce Members possess a great personal responsibility to themselves and to other community members to utilize technology while maintaining their fiduciary responsibilities. These
responsibilities include, but are not limited to: |
| |
|
a. Being responsible for the security of one's personal information
|
| |
|
b. Protecting personal and private information of others; and
|
| |
|
c. Taking care to minimize risks of various undesirable events, such as disclosure of sensitive personal information, identity theft, and even
threats to personal safety when using VUMC information technology assets.
|
| |
2. |
Individuals in Trusted Roles |
| |
|
a. Some VUMC Workforce Members are granted elevated or privileged access to VUMC's information and information systems. These Workforce Members'
job duties require access to VUMC Confidential Information in order to:
| |
i.
|
Provide legal or risk management advice to the institution; |
| |
ii.
|
Perform internal audits, investigations, or compliance reviews; |
| |
iii.
|
Perform leadership duties; or |
| |
iv.
|
Design, build, implement, support, or maintain information systems and/or information technology.
|
|
| |
|
b. This privileged access places the VUMC Workforce Member into a Trusted Role, which indicates a higher level of institutional trust and responsibility.
To maintain this level of trust, VUMC Workforce Members in a Trusted Role must develop, maintain, and continually enhance their skills and abilities on behalf of those they serve.
These VUMC Workforce Members in a Trusted Role must strive to be trusted and highly skilled custodians through:
| |
i.
|
Preserving confidentiality; |
| |
ii.
|
Protecting data and information integrity; |
| |
iii.
|
Establishing and maintaining availability of information systems; |
| |
iv.
|
Educating those around them about IT and social risks related to information systems; |
| |
v.
|
Enhancing and maintaining technical skills; and
|
| |
vi.
|
Demonstrating an understanding of the areas they serve. |
|
|
| |
|
| |
D. Intellectual Property |
| |
At the heart of any academic or research endeavor resides the concept of intellectual property. All copyrighted information (text, images, icons, programs, video, audio, etc.) retrieved from computer
or network resources must be used in compliance with applicable copyright and other law. Copied material must be properly attributed. Plagiarism of digital information is subject to the same sanctions
as apply to plagiarism in any other media. Acquiring or sharing copyrighted materials without obtaining the appropriate licenses or permissions may be unlawful.
|
| |
|
| |
E. Publication or Distribution of
Unauthorized Recordings, Photos, Images, Text or Video |
| |
With the availability of low cost cameras, smart phones, and consumer electronics, it is possible for someone to acquire voice, video images, still images, multimedia, or text in non-public situations
without the knowledge or consent of all parties. VUMC network computing assets must not be used by anyone in the organization to publish or distribute this type of material without the expressed
consent of all involved parties.
|
| |
|
| |
F. Right to Copy and Inspect for Legal,
Regulatory, and VUMC Purposes |
| |
VUMC is committed to protecting the privacy of faculty, students, staff, patients, and other users of its IT resources, and their electronic communications. However, because VUMC operates subject to
compliance with various federal and state laws and regulations and must be able to enforce its own policies, VUMC must occasionally inspect, preserve and produce records to fulfill legal obligations
and to carry out internal investigations. VUMC reserves the right to obtain, copy, and convey to outside persons any records or electronic transactions completed using VUMC information systems in
the event it is required by law or institutional policy to do so. VUMC may also in its reasonable discretion, when circumstances require, obtain and review any records relevant to an internal investigation
concerning compliance with VUMC rules or policies applicable to faculty, staff, or to all others granted use of VUMC's information technology resources. Users therefore should not expect that records
created, stored or communicated with VUMC information technology or in the conduct of VUMC's business will necessarily be private. VUMC reserves its right to any work product generated in the conduct
of its business. |
| |
|
| |
G. Locally Specific Policies |
| |
Individual units within VUMC may create additional policies for information resources under their control. These policies may include additional detail, guidelines and further restrictions but must be
consistent with principles stated in this policy document. Individual units adopting more specific policies are responsible for establishing, publicizing and enforcing such policies, as well as any
rules governing the authorized and appropriate use of equipment for which those units are responsible. |
IV. Disclosures
| |
A.
|
All members of the VUMC Workforce Members are given notice of this policy by virtue of its publication and are subject to it on the same basis. Ignorance of this policy does not relieve any user of his
or her responsibilities under the policy. All Workforce Members are expected to familiarize themselves with the contents of this policy and act in conformance with these principles regarding any
use of VUMC's IT resources. |
| |
B.
|
Due to the rapid nature of change in both information technologies and their applications, VUMC may amend this policy whenever deemed necessary or appropriate. Users are encouraged to periodically review
this policy in order to understand their rights and responsibilities under it. |
|
