TECHNOLOGICAL INFRASTRUCTURE POLICY
The Polytechnic Institute of Bragança (hereinafter referred to as IPB) recognizes the right of all citizens to protect their personal data, ensuring that all data subjects who entrust their processing to IPB are aware of the purpose and way of processing the information provided, as well as the rights which assist them in this matter and how they are exercised, in accordance with the provisions of article 8 (1) of the Charter of Fundamental Rights of the European Union (‘Charter’), article 16 (1) of the Treaty on the Functioning of the European Union (TFEU) and of the General Data Protection Regulation (GDPR).
In this context and bearing in mind that the pursuit of such goals depends on a strong combination of responsible users, appropriate technologies and secure procedures, the IPB, under the provisions of article 24 (2) of the GDPR, and in strict compliance with the requirements legally prescribed by Articles 136 (1) (4) of the Portuguese Code of Administrative Procedure (approved by Decree-Law No 4/2015, of 07 January), establishes the present Personal Data Protection Policy, with a view to facilitating the effective application of the GDPR within the framework of the specific characteristics that apply to it as a Public Higher Education Institution.
- Subject and scope of application
The Policy for the Use of IPB’s technological infrastructures aims to define the guiding principles for a correct and responsible use of technological resources, with a view to the security of the organization and of its users, and the pursuit of the IPB Mission.
Users of the IPB technological infrastructures are those under a contractual relation, namely: lecturers, researchers, non-teaching staff, fellows and other service providers. Also considered as users are students, retirees and retired or emeritus teaching staff. It is also possible to create accounts for other persons with a possible or temporary connection to the IPB; the registration of these users requires that a user with a contractual relationship and the competence to do so take responsibility for it.
It also applies to users who are not connected to the IPB and who occasionally use the technological infrastructures for various purposes, such as the submission of applications, enrollment in courses and degrees or even the use of a service provided by the IPB through electronic means.
Access to technological infrastructures may be granted in a differentiated manner based on the type and profile of users as well as their needs.
- General principles
The use of the technological infrastructures of the IPB should be carried out in strict accordance with the Statutes of the institution, in view of the continuation of the mission to which it is attached, under the terms of article 2 of Law no. 62/2007, of 10 September (which approves the Legal Framework of Higher Education Institutions).
When using the IPB infrastructures, the principle of responsible use applies to all its users. The IPB reserves the right to change the conditions expressed herein and to apply containment measures in situations where it is understood that the use of its technological resources is not in accordance with the foregoing.
The use of IPB's technological infrastructures is not allowed, in particular, for commercial purposes or, in general, for purposes that are not compatible with the IPB's institutional purpose. The use for advertising purposes of technological infrastructures is only authorized for dissemination of activities within the Institute's mission.
Users' conduct is expected to comply with applicable laws and the provisions of this policy, ignorance of which is not a justification for their violation.
The IPB is an entity that uses the RCTS network (Science, Technology and Society Network, of the FCCN), and, as such, it is not allowed to use the technological infrastructures of the IPB in a way that violates the rules established in the User's Charter of that network (rules available at www.fccn.pt).
During the use of the IPB's technological infrastructures no action is allowed that violates the norms established in this document or the legal provisions in force, with special emphasis on provisions in the applicable legislation on cyberspace security, personal data protection and computer crime.
The use of IPB resources should be guided by responsible use. Situations that interfere or may interfere in an injurious way with other users or services, whether internal or external to the IPB, are not considered responsible use, namely use:
- for the purpose of carrying out illegal or illegitimate activities;
- for the purpose of disrespecting the physical and moral integrity of members of the academic community and the general public in acts of promoting harassment, xenophobia, terrorism or defamation;
- for the creation, transmission or access to content without respect for intellectual property, copyright or trademark rights;
- for the exercise of private activities, including crypto-coin mining and sale of services and products;
- to obtain or attempt to obtain unauthorized access or to identify vulnerabilities in systems or technology infrastructures;
- other situations which are not listed above and may interfere with the safety of the infrastructure and its responsible use.
The resources made available through the IPB’s technological infrastructures cannot be made available to third parties by way of sale, rental or transfer.
In some cases, and always subject to the prior authorization of the IPB’s President or of a person to whom he delegates, access may be granted to third parties, in particular in the case of institutions of the education, science, technology and culture system, with which the IPB collaborates.
Any unauthorized use of the resources made available by the technological infrastructures of the IPB is considered as misuse and, as such, may be subject to disciplinary and criminal procedures.
- User Identification and Authorization
With the exception of publicly available content, access to IPB resources is accomplished through the assignment of specific access credentials.
The basic principle for the creation of user accounts for access to the technological infrastructures of the IPB takes account of the profile of the user as well as the resource and/or service that the user needs to access. It also takes into account that the IPB, as an identity provider, is responsible for providing reliable and accurate identity assertions to its own and third party services. This makes it essential to guarantee a process of credential assignment with a high degree of reliability and security, forcing greater accountability of stakeholders throughout the process.
The users identified in point 2, with a contractual or occasional link, are eligible for the allocation of accounts for access to resources, with the person responsible for the account being responsible for identifying the citizen, ensuring the existence of a legitimate reason and clearly distinguishing among the types of identity registered in the systems (users, generic, non-human accounts, etc.).
The IPB, in the process of assigning identity to users, collects at least the following data: name, email and institutional identification number of the holder. The accounts associated with a user are always accompanied by an expiration date appropriate to the profile and the reason for its creation, which substantiates the right of access; the maximum limit is aligned with the end of the link or of the reason for creation.
User accounts are created by IPB's technological infrastructure managers within the scope of their duties.
In cases where access to resources by a user requires an authorization, this allocation must be duly substantiated so that it meets the profile and functions, being granted by the entity of the Institution responsible for the service.
Thus, in addition to the situations identified above, temporary and limited user accounts can be created for access to wireless networks and other electronic services displayed on the Internet.
The access authorization to the resources presupposes the express acceptance of this policy, remaining valid as long as the right of access subsists. It can be suspended or canceled in case of non-compliance or for safety reasons.
The authorizations granted are personal and non-transferable, and it is the responsibility of the user to maintain the confidentiality and protection of the credentials assigned to him.
- Privacy and processing of personal data
In pursuit of its mission and attributions, the IPB collects some of the personal data of users while they use its infrastructures.
- Monitoring and record keeping
In compliance with its legal and statutory obligations, the IPB monitors and registers the use of the technological infrastructures under its management, namely, with the objective of keeping the records considered necessary for the correct technical support of the equipment and guarantee of the security of the Institute's infrastructures. Such monitoring shall be carried out in accordance with the minimum requirements of the Networks and Information Systems established in the Resolution of the Council of Ministers 41/2018, in strict compliance with the interest of the organization and its users.
In the scope of monitoring, the IPB guarantees that there is no interference in electronic communications protected by cryptographic algorithms, respecting the rights, privacy and freedom of its users.
The IPB collects data on the use of the infrastructures in a pseudonymised form, comprising only the necessary data for the previously identified effects, namely IP addresses, ports, protocols, date, time, browser, user-agent and metadata related to layers 3 and 4 of the Open Systems Interconnection (OSI) model. In the case of some services, more data may be processed, the user being previously informed of the additional data in the conditions of use of each service.
In the absence of another storage period defined in the conditions of use proper to the service or by legal imposition, the records shall be stored for a maximum period of 24 months.
Access to these records is expressly prohibited to anyone outside the IPB. Access by IPB technicians is authorized only in the context of the infrastructure security monitoring process or in exceptional and justified situations for technical tests or compliance with legal obligations.
- Non-compliance and response to incidents
As part of its competence to respond to security incidents and detect vulnerabilities, the responsible IPB team analyzes the cases of non-compliance with these provisions.
In each case, it notifies the infrastructure manager, the head of the respective unit and, if identified, the offender, and assesses the decision to temporarily suspend access to technological infrastructures or other measures to mitigate the impacts. In cases involving personal data, the Data Protection Officer shall be notified.
The IPB assumes no responsibility for the use of its infrastructures when it involves any act contrary to the law, the statutes and regulations and these provisions, imposing such responsibility on the users.
- Changes to the policy on the use of technological infrastructures
The IPB reserves the right to make changes to this Policy on the Use of Technological Infrastructures at any time, these changes being duly publicized.