Rules of Operation and Use of University Information System of Prague University of Economics and Business (PR 7/2018)
Pursuant to Act No. 101/2000 Coll., as amended, this order with the whole-school scope stipulates the rules of operation and use of the University Information System at the Prague University of Economics and Business and the manner of handling personal data contained therein. The order follows the PR 01/2007. The order replaces the order PR 08/2011, which is canceled by this order.
|Name:||Ing. Milan Nidl, MBA||prof. Ing. Hana Machkova, CSc|
|Department / function:||Director of the Computer Center||Rector|
|Signed by:||Ing. Milan Nidl, MBA||prof. Ing. Hana Machkova, CSc.|
|Valid from:||1 November 2018||Valid until:||appeal|
|Effective from:||1 November 2018||Effective until:||appeal|
- The rules apply to all employees, students of the Prague University of Economics and Business (hereinafter referred to as “VŠE”), legal entities performing activities for the VŠE on a contractual basis and all other users of the University Information System of the University of Economics (hereinafter “IS VŠE”). Related to this order is the Rector’s order PR 01/2007 – Operation and usage of computer equipment and computer network of the Prague University of Economics and Business.
1. VŠE Information System
- VŠE IS in accordance with the Personal Data Protection Act is operated and developed for the purpose of providing information on the school activities. Internally, VŠE IS is divided into subsystems according to the scope of its activities at the university and local levels of various levels, e.g. faculty or departmental. The university-wide information systems include in particular the study information system, the economic and payroll system and the library system of the VŠE. The responsibility for the development and coordination of the subsystems lies with academic officials and senior management to the extent appropriate to their responsibilities.
2. Information basis of VŠE IS
- The information base of the VŠE IS consists of all collected and stored information related to the activities of the University of Economics. The scope, content and technical solution of the information collected and stored is determined by the school’s needs and applicable legislation.
- Information stored in the VŠE IS is divided into internal and public information. Internal information is intended for internal school needs. Public information is intended to inform the public about the school’s activities. The extent and content of the published information is determined by the legal regulations, duties and interest of the school to inform citizens and institutions of its activities in a comprehensive and truthful manner.
3. VŠE IS operation
- The operation of individual parts of the VŠE IS is ensured by individual departments of the school, usually according to their job description (system operators). For the operator, the operated part of the information system is usually its basic working tool. For reasons of fact, in addition to the operator’s staff, also personnel outside the authorized department may participate in the operation of the system. In such a case, the operator methodically manages these workers to the extent resulting from the performed activity and these workers are obliged to follow the instructions of the operator. A foreign legal entity may be appointed by the operator, usually for a temporary period.
- In the case of complex parts of the VŠE IS with cross-departmental powers, the head of the unit operating the information system may appoint a management committee, which is the competent authority for managing the coordination and sub-coordination of participating departments and administrators. The Steering Committee shall report to and be responsible to the person who appointed it.
- In the case of university-wide systems, the Rector shall appoint one of the departments involved, usually one which uses the largest part of the system’s functionality, as the operator. In this case, the competence of appointing the Steering Committee remains with the Rector.
- The operator is obliged to create conditions for fulfilling the legal obligations related to the operation of the information system and within the VŠE is fully responsible for the proper operation of the system. For this purpose, the operator is obliged to provide the necessary professional services of other departments of the school or external organizations (e.g. software maintenance and updates). Operating includes:
- maintaining system functionality,
- timely updating of its functions when legislation, internal rules, etc. are changed,
- adherence to the schedule for the acquisition, processing and provision of input information to users,
- guaranteeing the correctness and security of stored data, proper archiving and destruction of information, provision of information services to users within the specified scope,
- management and revision of access rights,
- ongoing monitoring of compliance with these rules and the measures taken;
- effective management of financial resources intended for the operation and development of the VŠE IS.
- n this context, changes or enhancements to the functions of the information system may only be made with the approval of the body competent in the area concerned and with the knowledge of the operator. The operator is obliged to take measures in this direction. Violation of this principle is classified as a breach of duties. When making changes or expanding functions, the adjustments should be done with the care of a good manager and, in particular, consider whether the desired effect cannot be achieved by organizational changes rather than costly system modifications.
- The Operator is obliged to implement procedures and tools ensuring the correct functioning of the system, data security, including measures to prevent unauthorized interference with software and data, and to implement effective methodological and organizational measures in connection therewith. Usual tools in this respect are authorization of access to the system, protection by means of access passwords, organizational measures at workplaces (e.g. disallowing unauthorized persons access to the logged-on computer, securing print reports and data carriers).
- The head of the system operating unit is obliged to appoint an administrator of the operated information system, eventually other, subordinate, administrators of (autonomous) parts of the system. The system administrator ensures the routine operation of the system, coordinates the activity of any subordinate administrators and other personnel involved in the operation, ensures contact with users and professional services staff regarding the correct functioning and maintenance of the system. Regarding the complex parts of the IS VŠE, an integrator is appointed on the site of the administrator who, in addition to the administrator’s duties, coordinates his / her activities according to the instructions of the superior administrator with other administrators of his / her level.
- Allocation of access rights needs to be given increased attention and, for reasons of security of system operation, not to allocate them to an extent higher than necessary, this is particularly urgent when access rights include the right to modify data.
- The head of the system operating unit is responsible for allocating and revoking access rights to administrative staff and other personnel involved in the operation of the system and for adhering to established methodological and organizational measures. In the case of termination of employment or if the reason for the granting of the employee ceases to exist, the manager is obliged to ensure the withdrawal of these rights.
- The system administrator and the staff involved in the operation of the system are responsible for the area entrusted. In case of disclosure of their own accessible rights (passwords), any gain of unauthorized access (e.g. due to a failure or error in the system) are obliged to take urgent corrective measures and report this fact to the system administrator. superior. The principle of access authorization is one of the most effective tools of IS protection, its violation ie any communication of passwords is a serious violation of work duties or study regulations.
- The system operator provides internal information to users to the extent necessary for the fulfillment of employees ‘work tasks and students’ study tasks. In dispute cases, the supervisory authority decides on the provision and use of information. In serious cases the management of the VŠE.
- Information provided to the government under applicable regulations must be authorized by the person responsible for the area.
4. Utilization of VŠE IS
- Users of IS VŠE are:
- VŠE employees who use information in connection with the performance of their work activities,
- VŠE students using information related to their studies,
- the public and persons who are informed by the school about its activities or provide them with other information services.
- Users’ access to information of VŠE IS, its scope, content and method are given by access rights, which are derived from:
- the needs of users depending on the type of user and the nature of the activity performed,
- the need to protect the VŠE IS from damage or abuse,
- from the technical and organizational possibilities of VŠE.
- The User is obliged to handle internal information of VŠE IS only in accordance with the purpose for which he / she has been authorized – access rights, i.e. he / she cannot distribute this information arbitrarily, use it for other purposes, e.g. private purposes, commercial activities etc. without written consent of VŠE.
- The user may not use the functionality of the IS, even though the rights settings make it available to the user if its use interferes with the area of responsibility of another person. The functionality of the IS can be used only to the extent corresponding to the responsibility of the user and only in the framework of work tasks. In cases that go beyond the area of responsibility of the user, it is necessary to proceed in cooperation with users responsible for the area or in other ways.
- If the user believes that he has for some reason in the IS, or in some of its parts, access rights to objects that he should not have, and that does not belong to him in the performance of his work or study duties, he must immediately inform the IS administrator, respectively about its part.
- The user or system operator is not authorized to collect data within the VŠE IS that are not necessary for the performance of the tasks of the VŠE and its departments.
- Similarly to system operators, IS users are obliged to protect the assigned access rights, take immediate measures in case of IS threats (password disclosure, system error, failure) and report the problem to the system administratoror to the supervisor. Failure to comply with these principles is a violation of work and study discipline.
5. Publication of information of the VŠE IS
- It is the interest of the VŠE to provide or make available to the public comprehensive and up-to-date information about its activities. The only limiting factor besides the technical possibilities and capacities is only the duty to observe the laws and protect the legitimate interests of VŠE or other cooperating subjects.
- Disclosure of information is governed by the VŠE SR 10/2007 Provision of information pursuant to Act No. 106/1999 Coll., On Free Access to Information.
6. Protection of personal data
- The basic standard governing the protection of personal data is Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC
- The principles and rules for processing personal data within the University of Economics are defined by SR Directive 05/2018 Protection and Processing of Personal Data
7. Professional services for operators and users of VŠE IS
- Operators and users of VŠE IS are provided with professional services if necessary. These services are provided by:
- The Computer Science Center of the VŠE (or the Information Technology Center for the Faculty of Management in Jindřichův Hradec), which manages and develops a computer network, provides system and technical support, performs or facilitates software development and maintenance where appropriate, it shall, as appropriate, temporarily participate in the operation of newly introduced subsystems and subsystems for which the conditions of operation of the competent service are not fully established,
- authorized staff of other workplaces,
- Foreign legal entities under contracts where the services cannot be secured within the school (maintenance or rental of software, specialized software and technical services).
- Workers providing professional services have access rights derived from the nature of the services provided. These employees are obliged to maintain confidentiality about the information they will come into contact with as part of the performance of the services.
- In cases where professional services will be provided to operators and users of VŠE IS by a third party who will have access to information of VŠE IS, it is necessary to ensure their protection under the relevant contract. The operator and the user to whom they provide the service are obliged to ensure compliance with this measure.
8. Specific provisions for individual IS
A. Integrated Study Information System (InSIS)
A.1 Basic authority and responsibility for the operation and development of InSIS
- InSIS is operated by the Computer Center. It cooperates with faculties, pedagogical department and other specialized departments at the school.
- The Director of the Informatics Center shall appoint an InSIS administrator from among his staff.
- The Vice-Rector for Study and Educational Activities is responsible for changes and developments in the field of study and education.
- The Director of the Computer Center is responsible for system security and data protection.
- The Director of the Computer Center is responsible for the control and audit activities.
A.2 InSIS Steering Committee
- The members of the Steering Committee shall be the Director of the Computer Center (Chairperson), Vice-Rector for Study and Pedagogical Activities, the Head of the Education Department and the Head of the Security and Data Protection Department. The fifth member is appointed by the Rector on the proposal of the RC. The Steering Committee invites other representatives of the school, faculty and the operator as appropriate to its meetings.
- The Steering Committee shall normally meet once a month.
- The Steering Committee resolves disputes according to §3, paragraph 10 of this Regulation, or submits them to the management of the University of Economics for resolution.
- The Steering Committee shall approve guidelines for the proper functioning of InSIS and for data security and data protection. This does not restrict the operator’s right to take measures pursuant to §8 of the Rector’s Order 1/2007.
- The Steering Committee shall discuss and approve changes to InSIS, their prioritization and control of funding. Approval can be solved per rollam.
- The Steering Committee may delegate the approval of minor amendments to one of its members.
- The Steering Committee shall discuss the Quarterly Report on the management and revision of the allocated rights and take appropriate measures to update them.
- The Steering Committee shall discuss the monthly report of the InSIS Coordination Team and approve the measures proposed by the Coordination Team.
- The Steering Committee may instruct the operator to conduct analyzes of the operation and usage of InSIS.
A.3 Partial administrators
- Faculties shall designate the sub-administrator with competence limited to the relevant faculty. These sub-administrators are called faculty system integrators (SIF).
- The head of the pedagogical department shall appoint a sub-administrator for the study agenda area.
- University-wide expert departments may appoint their sub-administrators after approval by the Steering Committee.
A.4 InSIS Coordination Team
- The members of the Coordination Team shall be the Head of the Security and Data Protection Department (Chairperson), the Head of the Education Department, the System Integrators of the Faculties (SIF), the Sub-Administrators from other departments and the InSIS Administrator from the Computer Center.
- The coordination team usually meets once a month.
- The co-ordination team shall ensure the coordination of activities within the ongoing or planned changes to the InSIS and shall also exchange information between the operator and the sub-administrators and between the sub-administrators.
- The Coordination Team evaluates the requests that have been made through the Helpdesk or directly to the members of the Coordination Team.
- The Coordination Team shall submit a regular written report to the Steering Committee.
A.5 Rights in InSIS
- The operator shall be responsible for the administration and revision of rights. Rights are assigned using rights groups for each function and role.
- The operator prepares groups of rights according to the functions and roles at the faculty / department for faculties and other departments with the sub-administrator. The Dean of the Faculty is responsible for assigning and removing a group of rights to a specific person. Head of Unit after prior discussion and approval by the relevant Vice-Rector or Quaestor. A specific assignment of a person to a rights group is performed by the sub-manager.
A.6 Error reporting
- Users from faculties and departments with a sub-administrator shall report errors through their sub-administrator. Students report errors through the appropriate sub-administrator or through the Helpdesk of the Information Center. Other users report errors to the Helpdesk of the Computer Center.
- The Sub-Administrator shall, as far as possible, review and correct the reported error. If he does not have sufficient rights or knowledge to do so, he will document the error properly and forward it to the central integrator or operator, depending on the nature of the reported error.
- Errors requiring supplier intervention are handled by the operator.
A.7 InSIS changes and enhancements
- Proposals for changes InSIS are kept by the Informatics Center. The IT Center verifies the technical feasibility, determines the financial demands and, in case of approval of the proposal, ensures communication with the supplier during its solution.
- The amendment proposal shall include an opinion from the school-wide professional unit or units whose activities are concerned by the change. Changes are usually proposed directly by these departments.
- The proposed amendment shall include the method of financing.
- If a grant, development project or subsidy envisages changes in InSIS, the applicant must obtain the appropriate approval of the InSIS Steering Committee on the proposed change before submitting the application.
A.8 InSIS Users
- The user may not arbitrarily modify, insert or delete data stored in InSIS.
- The user may not use any program, program code or other technical means to automatically execute any InSIS functionality or to compile URL links to run InSIS functionalities. Exceptions are assessed and approved by the InSIS Steering Committee.
- In the event that a user believes that he or she has access for any reason in InSIS to objects which he / she should not have and which do not belong to him / her in carrying out his / her work, activities or study duties, he/she must immediately inform the IS administrator of this fact..
- The user may use (grant rights or accept) delegation of application rights only if the situation does not allow for other solutions, such as personal contact, referral to a higher-level administrator. It is not permitted to delegate rights to systematically or intentionally extend the scope of another user’s rights.
- Acceptance of identity may only be used in the framework of work tasks when personal contact with the user is not possible. It is not allowed in this way to obtain information to which the user does not have access according to their rights settings.
- Taking over the identity of a user with rights settings that exceed the rights of the assignee is only possible with his or her written consent.
- The user may not misuse the takeover of identity to obtain the confidential data of another user, in particular the contents of the mailbox or file node.
B. Office 365
- Office 365 is operated by the Informatics Center, administrators are authorized employees of the Informatics Center. Microsoft’s own servers for Office 365 are operated by Microsoft, and most of the data is stored by Microsoft.
- If a user believes that he or she has, for some reason, access to objects in Office 365 that he / she should not have, and that he / she is not entitled to in the performance of his / her work or work. of study duties, he / she must immediately inform the IS administrator of this fact.
- The administrator has the ability to access the user’s personal site collection without his or her consent in case of suspicion of unauthorized use of Office 365, to solve a problem related to ensuring the smooth running of Office 365, and to resolve incidents reported to him.
- Users may not use or install programs, scripts or other means in the Office 365 environment in such a way as to have a negative impact on this IS, the VŠE computer network, or in violation of law or morality.
The user bears all responsibility for damages caused by his / her actions in connection with the use of Office 365 caused to other users.
This regulation follows PR 01/2007 Operation and use of computer technology and computer network of the Prague University of Economics and Business.
PR 08/2011 Rules for Operation and Use of University Information System of Prague University of Economics and Business
Annexes to this Regulation: This Regulation has no annexes.
Responsible person: Ing. Milan Nidl, MBA Last updated: 1. 11. 2018