User Guidelines for Information Processing Systems of the Technical University of Munich
Stand: 01.07.2011
Preamble
The Technical University of Munich and its institutions ("Operator" or "System Operator") operate an information processing infrastructure (IV Infrastructure) consisting of data processing equipment (computers), communication systems (networks) and other auxiliary information processing equipment.
The IV infrastructure is integrated into the Munich University Network operated by the Leibniz Computing Center of the Bavarian Academy of Sciences and Humanities (LRZ) and thus into the German Scientific Network (WiN) and the worldwide Internet. For services offered by the LRZ, such as network connection, e-mail, file storage, backup, archiving and hosting, the LRZ's usage guidelines also apply.
These usage guidelines regulate the conditions under which the service offer can be used.
The user guidelines:
• are oriented to the legally defined tasks of the universities as well as to their mandate to preserve academic freedom,
• establish basic rules for proper operation of the IV infrastructure,
• point out the rights of third parties that must be protected (e.g., in the case of software licenses, network operator requirements, data protection aspects),
• oblige the user to behave correctly and to use the offered resources economically,
• inform about possible measures of the operator in case of violation of the usage guidelines.
§1 Area of application
These usage guidelines apply to the IV infrastructure provided by the Technical University of Munich and its institutions as well as the LRZ, consisting of computing facilities (computers), communication networks (nets), services, applications and other auxiliary facilities for information processing.
§2 User circle and tasks
1. The IV resources mentioned in §1 are available to the members of the Technical University of Munich for the fulfillment of their tasks in research, teaching, administration, education and training, public relations and external presentation of the university and for other tasks described in Art. 2 of the Bavarian University Act.
2. Other persons and entities may be permitted to use.
3. Members of the Technical University of Munich contact the organizational unit responsible for them (cf. §3 (1)).
§3 Formal user authorization
1. Anyone wishing to use IV resources according to §1 requires formal user authorization from the responsible system operator. Excluded are services that are set up for anonymous access (e.g. information services, library services, short-term guest identifiers at conferences).
2. System operators are the responsible organizational units of the Technical University of Munich such as faculties, institutes, operating units, chairs and other subunits for their systems.
3. The application for a formal user authorization should contain the following information:
a. Operator/institute or organizational unit to which user authorization is requested;
b. Systems for which the user authorization is requested;
c. Applicant: name, address, telephone number (for students also matriculation number), entries for information services and possibly affiliation to an organizational unit of the university;
d. Approximate information on the purpose of use, for example, research, training/teaching, administration;
e. Declaration of consent that the operator may change user authorizations and user data such as passwords to protect the operation. The user must be informed of this without delay;
f. Declaration that the user acknowledges the usage guidelines; the user gives his/her consent either in writing by signature or digitally. In doing so, the user must actively give his/her consent via a checkbox procedure (opt-in declaration of consent).
4. The relevant data protection regulations must be observed. The system operator may request further information only to the extent that it is necessary for a decision on the application. The responsible system operator decides on the application. He may make the granting of the user authorization dependent on the proof of certain knowledge about the use of the system.
5. The right to use may be denied if
a. it does not appear guaranteed that the applicant will fulfill his/her obligations as a user;
b. the capacity of the facility whose use is requested is insufficient for the intended work because of an existing workload;
c. the project is not compatible with the purposes according to §2 (1) and §4 (1);
d. the facility is obviously unsuitable for the intended use or reserved for special purposes;
e. the equipment to be used is connected to a network that has special
data protection requirements and no objective reason for this access request is apparent;
f. it is anticipated that the requested use will not reasonably interfere with other authorized uses.
6. The authorization of use only entitles the user to work in connection with the requested use.
§4 Obligations of the user
1. The IV resources according to §1 may only be used for the purposes stated in §2 (1). Use for other purposes, in particular for commercial purposes, may only be permitted upon application and against payment.
2. The user is obliged to ensure that he/she uses the available operating resources (workstations, CPU capacity, disk storage space, line capacities, peripheral devices and consumables) responsibly and economically. The user is obliged to refrain from impairments of the operation, as far as they are foreseeable, and to avoid to the best of his/her knowledge anything that may cause damage to the IV infrastructure or to other users. Violations may give rise to claims for damages (§7).
3. The user must refrain from any kind of misuse of the IV infrastructure. In particular, he/she is obliged to,
a. to work exclusively with user IDs that he/she has been authorized to use; passing on IDs and passwords is not permitted;
b. protect access to IV resources with a secret password or equivalent;
c. take precautions to prevent unauthorized third parties from accessing IV resources; this includes, in particular, not using primitive, obvious passwords, changing passwords more frequently, and properly logging out via logout at the end of use. The user is responsible, within the limits of the law, for all actions carried out under his/her user ID, even if these actions are carried out by third parties to whom he/she is not responsible.
third parties to whom he/she has given access in a manner for which he/she is responsible. The user is further obliged,
d. to comply with the legal regulations (copyright protection, copyright) when using software (sources, objects), documentation and other data;
e. to inform himself about the conditions under which the software, documentation or data acquired in part under license agreements are made available and to observe these conditions;
f. in particular software, documentation and data, unless expressly permitted, neither to copy nor to pass them on nor to use them for purposes other than those permitted, in particular not for commercial purposes.
Violations may rise to claims for damages (§7)
4. Of course, the IV infrastructure may only be used in a legally correct manner. It is expressly pointed out that the following conduct in particular is punishable under the Criminal Code:
a. Exploring other people's passwords, spying out data (§202 a StGB)
b. unauthorized alteration, deletion, suppression or rendering unusable of data (§303a StGB)
c. Computer sabotage (§303 b StGB) and computer fraud (§263 a StGB)
d. Dissemination of propaganda material of unconstitutional organizations (§86 StGB) or racist ideas (§131 StGB)
e. Dissemination of certain forms of pornography on the net (§184 para. 3 StGB)
f. Retrieval or possession of documents containing child pornography (§184 para. 5 StGB)
g. Honor offenses such as insult, defamation (§§185 ff StGB) the system operator reserves the right to pursue criminal prosecution as well as civil claims (§7).
5. Without the consent of the responsible system operator, the user is prohibited from
a. making interventions in the hardware installation;
b. change the configuration of the operating systems or the network.
The authorization to install software is regulated separately depending on the respective local and system technical conditions.
6. The user is obligated to coordinate a project for processing personal data with the system operator before it begins. This does not affect the obligations arising from the provisions of the Bavarian Data Protection Act. The user is prohibited from taking note of and/or using data and messages intended for other users.
7. The user is obliged to,
a. the supplementary information provided by a system operator terms of use, policies and guidelines for use to be observed;
b. to comply with the usage and access guidelines of other operators when communicating with their computers and networks.
§5 Tasks, rights and obligations of system operators
1. Each system operator must keep documentation on the user authorizations granted. The documentation must be kept for at least two years after the authorization expires.
2. The System Operator shall make an appropriate contribution to preventing or detecting misuse. For this purpose, he is in particular entitled to,
a. to check passwords and user data for their security and to implement protective measures such as changing or blocking easily guessed passwords to protect against unauthorized access. The user must be informed of this without delay;
b. document and evaluate the activities of users for the purposes of billing, resource planning, protecting the personal data of other users, monitoring operations, or tracking error cases and violations of the usage guidelines and legal requirements;
c. in case of suspicion of violations of the usage guideline or of criminal law provisions, observing the dual control principle (for employees, the regulations of the "Framework Service Agreement on the Processing of System-Inherent Data, the Use of Remote Monitoring Measures and the Inspection of User Data at the Technical University of Munich" apply) and the obligation to record user files and mailboxes or to record the network usage by the user in detail, e.g. by means of a network sniffer; the inspection must be documented and the user concerned must be notified immediately after the purpose has been achieved;
d. to use evidence-protection measures such as keystroke logging or network sniffers if suspicions of criminal activities are substantiated.
3. The system operator is obliged to maintain confidentiality.
4. The system operator announces the contact persons for the support of its users.
5. The system operator is obliged to comply with the usage and access guidelines of other operators when dealing with their computers and networks.
6. For operational reasons, the operator may temporarily restrict the use of the IV infrastructure or temporarily block individual user IDs. If possible, the affected users must be informed of this in advance.
7. If there are actual indications that a user is providing illegal content for use on the operator's IV infrastructure, the operator may prevent further use until the legal situation has been adequately clarified.
§6 Liability of the system operator/ exclusion of liability
1. The system operator does not guarantee that the system functions will meet the user's specific requirements or that the system will run error-free and without interruption. The system operator cannot guarantee the integrity (in terms of destruction, manipulation) and confidentiality of the data stored with it.
2. The System Operator shall not be liable for any damages of any kind whatsoever incurred by the User as a result of the use of the IV resources pursuant to §1, except for intentional conduct and gross negligence on the part of the System Operator or the persons it uses to perform its tasks.
§7 User liability
1. The user is liable within the framework of the statutory provisions for all disadvantages incurred by the system operator due to misuse or illegal use of the data processing resources and the usage authorization or due to the fact that the user culpably fails to comply with his/ her obligations under these usage regulations.
2. The user is also liable for damages caused by third party use within the scope of the access and use options made available to him/ her, if he/ she is responsible for this third party use, in particular in the case of passing on his/her user ID to third parties. In this case, the system operator can demand a usage fee from the user for the third-party usage.
3. The User shall indemnify the System Operator, insofar as the User can be held liable, against all claims if third parties assert claims for damages, injunctive relief or otherwise against the System Operator due to abusive or illegal conduct by the User. The system operator will notify the
user of the dispute, if third parties take legal action against him/her.
§8 Consequences of improper or illegal use
1. In the event of violations of legal regulations, of the provisions of these usage guidelines, in particular of §4 (Duties of the user), or if the operator suffers disadvantages due to other unlawful user behavior, the system operator can restrict, completely or partially withdraw the user authorization. It is irrelevant whether the violation resulted in damage or not.
2. In case of serious or repeated violations, a user may be permanently excluded from the use of all IV resources according to §1.
3. The data subject will be given the opportunity to comment and to secure his/her data.
4. Violations of legal, labor or service regulations or of the provisions of these guidelines for use will be investigated for their relevance under criminal law and for civil law claims. Matters that appear to be significant will be passed on to the respective legal department, which will examine the initiation of suitable further steps. The system operator expressly reserves the right to pursue criminal law steps as well as civil law claims.
§9 Other regulations
1. Fees for the use of IV resources may be established in separate regulations.
2. Supplementary or deviating usage regulations can be defined for certain systems if required.
3. Staff members may be subject to supplementary or different usage rules based on service agreements and service/ collective bargaining regulations.
4. Should parts of this user agreement be or become invalid, this shall not affect the validity of the remaining parts.
5. The place of jurisdiction for all legal claims arising from the user relationship is Munich.
http://portal.mytum.de/iuk/service/dokumentation/index_html/Benutzungsrichtlinien_de_01072011