In this context, and bearing in mind that the pursuit of such purposes depends on a solid combination of responsible users, appropriate technologies and secure processes, the University of Porto, under the provisions of Article 24, paragraph 2 of the RGPD, and in close compliance with the legal requirements prescribed by Articles 136, paragraph 1, and 136, paragraph 4 of the Administrative Procedure Code (approved by Decree-Law No. 4/2015, of 07 January), establishes this Acceptable Use Policy for Technological Infrastructures, in order to facilitate the effective application of the RGPD within the framework of its own characteristics and specificities as a Public Higher Education Institution.
Subject matter and scope
The Acceptable Use Policy (AUP) of the technological infrastructures of the University of Porto aims to establish the guiding principles for a correct and responsible use of the University's technological resources, in order to safeguard the reputation of the institution, the safety of the organization and its users and the pursuit of the Mission of the University of Porto.
This policy is subsidiary to the specific regulations approved by the competent entities of the organic units of the University of Porto, being applicable to all users referred to in the following point.
Users of the technological infrastructures of the University of Porto are those with a contractual relationship, namely: teachers, researchers, grant holders, non-teaching staff and other service providers. Besides these, students, U. Porto alumni, retired and Emeritus or Retired professors are also considered users. Accounts may also be created for others with a casual or temporary connection to the University of Porto; the registration of these users requires the accountability of a user with a contractual bond and the skills for that.
It also applies to users with no connection to the University and who occasionally use the technological infrastructures for various purposes such as submitting applications, enrolling in courses, or even to enjoy a service provided by the University through electronic means.
Depending on the type and profile of users and their needs, the access to technological infrastructures may be granted in different ways.
The use of the technological infrastructures of the University of Porto should be carried out in close accordance with the Statutes of the University of Porto, in order to fulfil its Mission, under the terms of art. 2 of Law no. 62/2007, of September 10th (which approves the Legal Regime of Higher Education Institutions), as a Public Higher Education Institution.
The principle of responsible use established in this document applies to all users of the infrastructures of the University of Porto. The University reserves the right to change the conditions expressed herein and to apply restrictive measures in situations where it believes that the use of its technological resources is not in accordance with the above.
The use of the technological infrastructures of the University of Porto is not allowed, in particular, for commercial purposes or, in general, for purposes not compatible with the institutional purpose of the University of Porto. The use of the technological infrastructures for publicity purposes is only allowed for the dissemination of activities within the Mission of the University of Porto.
Users are expected to conduct themselves in accordance with the applicable laws and with the provisions of this policy, the ignorance of which does not justify their violation.
User Identification and Authorisation
With the exception of publicly available contents, the access to the University's resources is made through the attribution of specific access credentials.
The basic principle of creating user accounts for accessing the University's technological infrastructures takes into account the user's profile as well as the resource and/or service that the user needs to access. Since the University of Porto, as an identity provider, is responsible for providing reliable and accurate identity assertions to its own services and to third parties, it is essential to ensure a credential assignment process with a high degree of reliability and security, which requires greater accountability from those involved in the whole process.
The users identified in point 2, with a contractual or occasional link, are eligible for the attribution of access accounts to resources. The person responsible for the attribution of the account is in charge of identifying the citizen, guaranteeing the existence of a legitimate reason, and clearly distinguishing the types of identity registered in the systems (users, generic, non-human accounts, etc.).
In the process of assigning identity to users, the University of Porto collects at least the following data: name, email and U. PORTO identification number (assigned by SIGARRA) of the holder. The accounts associated with a user always carry an expiration date appropriate to the profile and to the reason that justifies their creation, which embodies the right of access; this date extends at most to the end of the link or of the reason for creation.
The user accounts are created by those responsible for the technological infrastructures of the U. PORTO under the scope of their attributions.
In cases where access to resources by a user requires an authorization, the authorization should be duly justified with regard to the user's profile and functions, and is granted by the University entity responsible for the service.
Thus, besides the situations identified above, user accounts of temporary nature and with limited permissions may be created for access to wireless networks, SIGARRA and other electronic services exposed on the Internet.
Authorization to access resources presupposes the express acceptance of this policy, and will remain valid while the right of access subsists. It may be suspended or cancelled in the event of non-compliance or for security reasons.
The authorisations granted are personal and non-transferable, and the user is responsible for maintaining the confidentiality and protection of the credentials granted.
Privacy and processing of personal data
The University of Porto in the pursuit of its Mission and duties collects some personal data of users during the use of its infrastructures.
The University of Porto ensures strict compliance with current legislation on data protection and privacy, and its activity is guided by the guarantee of the rights and freedoms of users, in accordance with its Data Protection Policy and Code of Ethics.
Monitoring and record keeping
In compliance with the respective legal and statutory obligations, the University of Porto monitors and records the use of the technological infrastructures under its management, namely with the purpose of keeping the records considered necessary for the correct technical support of the equipment and to ensure the security of the University's infrastructures. Such monitoring will be carried out in line with the minimum requirements of the Networks and Information Systems set out in the Council of Ministers Resolution 41/2018, in strict compliance with the interest of the organization and its users.
Within the monitoring scope, the University of Porto guarantees the non-interference in electronic communications protected by cryptographic algorithms, respecting the rights, as well as the privacy and freedom of its users.
The University collects data regarding the use of infrastructures in pseudonymized form, comprising only the data necessary for the purposes previously identified, namely IP addresses, ports, protocols, date, time, browser user-agent and metadata related to layers 3 and 4 of the Open Systems Interconnection (OSI) model. Within the scope of some services, more data may be processed, the user being informed beforehand of the additional data in the conditions of use of each service.
In the absence of another conservation period defined in the service's own conditions of use or by legal imposition, the records will be kept for a maximum period of 24 months.
The access to these records by any person external to the University of Porto is strictly forbidden. The access by University of Porto technicians is only authorized within the infrastructures security monitoring process or in exceptional and justified situations for technical inspections or to comply with legal obligations.
Non-compliance and incident response
Within the scope of its competencies in response to security incidents and vulnerability detection, the University of Porto team responsible (CSIRT.UPORTO) analyses the cases of non-compliance with the present provisions.
For each case, it notifies the infrastructure manager, the Director of the Entity and the offender, if identified, and assesses the decision of temporary suspension of access to the technological infrastructures or other measures to mitigate the impacts. In situations involving personal data, the Data Protection Officer shall be notified.
The University of Porto does not assume any responsibility for the use of its infrastructures when this involves any action contrary to the law, to the statutes and regulations and to the present provisions, such responsibility falling on the users.
Changes to the acceptable use policy for technological infrastructures
The University of Porto reserves the right to, at any time, make readjustments or changes to this Acceptable Use Policy of the Technological Infrastructures, and these changes shall be duly advertised.
Technical information will only be used for statistical purposes.
Changes to the U.Porto personal data protection policy
Questions and suggestions
To find out more about how the University of Porto handles your personal data, or to clarify any doubt, present a complaint or comment on matters concerning the Technology Infrastructure Acceptable Use Policy, use the following contacts: