1. Summary
This Acceptable Use Policy (AUP) sets out the purpose of the University Card, the University Card System and the University Card API and identifies how and by whom these may be used. Collectively these constitute the University Card Service. This policy also outlines who may use the University Card and University Card System and how the University Card Service is governed and audited.
2. The Policy
University Cards in both digital and physical formats and the University Card API may only be used by the Cardholder to whom it is issued and for the following purposes:
- To confirm an entitlement to access certain University facilities and services.
- To confirm that a Cardholder has a current standing at the University of Cambridge.
- To provide Cardholders with a valid form of identification for use within the University.
University Cards are issued and may be renewed or revoked at the University’s sole discretion. Physical cards remain the property of the University at all times. Access to the Card API is granted solely for the purpose of managing access to services and facilities in accordance with the University Card eligibility policy.
The University Card System is used to issue, manage and revoke University Cards.
3. Eligibility
University Cards are issued on an individual basis to all current staff and students of the University and those affiliated organisations that are entitled to use the University Card Service in line with the Card Eligibility Policy. University Cards may also be issued to contractors and visitors for the duration that they are working at the University in a host institution. University Cards are issued and may be renewed or revoked at the University’s discretion.
4. Access
There are four levels of access:
Individual: All cardholders can log into the system and view their own card. At present no data is viewable when logged in with this access.
- Card Representative: Card representatives can view cards, create and manage card requests, upload photos and revoke cards.
- Data readers: Data readers can log in to the card system but only have view access to records.
- Administrator: Designated staff at UIS, including card office staff and the development team which maintain the card system, have additional access to enable them to print cards, approve photos and investigate any issues relating to the operation of the Card system.
API gateway credentials are required to access and use the Card API. Access is granted to teams rather than individuals and is determined on a case-by-case basis.
5. Responsibilities
All University Cardholders are responsible for:
- Safeguarding their University Cards. These are issued for personal use in relation to their role at the University only.
- Ensuring that their University card is not shared with, or lent to, anyone. If Cardholders are hosting a day visitor who needs to use a card to access facilities or services, they should arrange for a temporary access card to be issued for the visitor’s use from their local card representative and/or reception.
- Reporting the loss or theft of their University Card to their Institutional Card Representative as soon as possible after they become aware of the loss or theft.
- University Cards remain the property of the University and must be surrendered to the Institutional Card Representative when the cardholder leaves the University.
It is the responsibility of all University Card Representatives to:
- Provide information to the Card Office about students, staff and other individuals who are eligible for a card within their institution in accordance with the UCAM Card Eligibility Policy.
- Distribute UCAM Cards to Cardholders, first ensuring their identity has been confirmed, e.g. where their photographic likeness has been confirmed.
- Request replacements when a card is lost, stolen, damaged or expired.
- Where possible ensure that damaged cards are produced as evidence before new ones are ordered. Damaged cards should be disposed of securely.
- Inform the Card Office in the event a cardholder in their institution leaves before their expected end date
- Where possible, collect cards from staff and students on leaving the University and dispose of them securely.
- Ensure that communication with the Card Office relating to requests for cards is only done by the registered Card Representatives, or in their absence a designated deputy whose details should be communicated to the Card Office in advance.
- Where relevant, help their Building Manager (the person who controls any local access system) to obtain relevant information about cardholders from the Card Management System, in order to set up access and service rights for cardholders.
- Act as the point of contact between the Card Office and cardholders within their institution throughout the year. For instance, if a replacement card is needed, the cardholder should report this to the Card Representative who will request and distribute the new card.
- Respond to requests from the Card Office for information required to renew cards reaching their expiration date
- Pass on any messages from the Card Office (for example if it finds Student or Personnel records to be out of date) to the relevant person within their institution, so that the institution updates its own records and informs Student Records or Personnel Records (CHRIS) of the need for an update.
- Respond to questions from the Card Office about better working practice, policy or procedures.
- Notify the Card Office should they no longer hold the role of Card Representative and provide details of the new Representative if known (even during long leave or maternity leave). The Card Office email is universitycard@admin.cam.ac.uk.
When notified of the handover of the Card Representatives role, access to the Card Management System will be given to the new Card Representative and removed from the old one. In addition to Card Representatives, Building Managers can request access to the Card Management System and associated tools in order to view and export card details.
Card details contain personal data of some sensitivity and by accessing these systems Card Representatives and Building Managers agree that:
- they will only view, or export data as is required for the purposes of managing access to buildings and other card-based services within their institution, and
- they will inform the Card Office as soon as they cease to hold the Card Representative or Building Manager role
All access and use must comply with data protection legislation and University data protection policies.
All Card Office Staff are responsible for:
- Processing all requests for the University Card from Institutional Card Representatives.
- Checking the information provided regarding prospective Cardholders against information held on University systems e.g. CamSIS and CHRIS.
- Ensuring that photographs submitted for use on University Cards meet the Card Photo Policy
- Dispatching University Cards. Please note that Cards are sent through the UMS and may only be delivered to addresses served by that service.
- Secure destruction of cancelled or invalid University Cards in the Card Office’s possession.
Anyone issued with a temporary access card is responsible for returning that access card at the end of their visit.
Institutional Computer Officers are responsible for:
- Supporting their local Card Representatives in the use of the University Card System
- Supporting their institution in adopting and using the Card and Photo APIs
- Supporting their institution in managing and updating access management systems and other local card based services
- Liaising with UIS staff to resolve any technical issues experienced
6. Data Use
The information held for the University Card will only be used by the University of Cambridge and Colleges to:
- Manage access to University and Card services and facilities
- Confirm an association with the University of Cambridge or a College.
- Provide or confirm identification (for example, in the case of visitors such as short-term Academic Visitors).
- Confirm an entitlement to use University facilities.
- Identify Cardholders (if appropriate) in CamCORS, the online supervision reporting system.
Cardholder information will not be used for any other purpose unless the Cardholder is notified first. It will not be passed to any organisation outside the University or Colleges.
Card data is retained for 2 years once a Card holder has left the University, please refer to the Card Data Retention Policy for further details.
7. Governance and Auditing
The University Card Committee is responsible for approving all policies that relate to the University Card.
8. Policy Review
This policy was approved by the University Card Committee on [date]. It will be reviewed annually by the Card Office Manager to ensure that it accurately reflects current practice and reviewed biannually by the University Card Committee to confirm that the Policy is appropriate.
Last reviewed by Card Office Manager 6 April 2023.
Last reviewed by University Card Committee on 6 April 2023.
9. Changes to this policy
Minor changes such as updates to administrative processes for the issue of cards will be approved by the Service Manager.
Major changes such as changes to the scope of who may check details held by the Card System or on the Card will be approved by the University Card Committee.
Published: 23 May 2023