• Section 1 - Audience
• Section 2 - Purpose
• Section 3 - General Principles
• Section 4 - Conditions of Use
• Permissible Use
• Requirements
• Restrictions on Use
• Section 5 - Personal Device Usage (including Bring Your Own Device (BYOD))
• Section 6 - Authorised Access
• Access to Email, Calendar and Related Services - Staff
• Proxy Access
• Termination – Post-Appointment
• Extended Access
• Section 7 - Monitoring
• Section 8 - Investigations
• Section 9 - Confidentiality and Privacy
• Section 10 - Reporting
• Section 11 - Security Instructions
• Section 12 - Enforcement
• Section 13 - Exceptions
• Section 14 - Roles and Responsibilities
• Council
• Chief Information Officer (CIO)
• IT Security
• All Users

Section 1 - Audience

(1) This Policy applies to all users of the University's  ICT resources, connected systems, data and information assets.

Section 2 - Purpose

(2) This Policy informs users of the University's ICT resources of their rights and responsibilities and the University requires users to comply with this Policy as a condition of their use.

Section 3 - General Principles

(3) The University's ICT resources exist and are maintained to support the work of the organisation. Access to the University's ICT resources through the University network is a cost to the University and is not provided to users unconditionally. The University reserves the right to:

1. continuously monitor (subject to section 7 below) the use of its ICT resources in compliance with this Policy;
2. deal appropriately with users who use its ICT resources in ways contrary to this policy or contrary to law; and
3. undertake or perform any actions as required by any and all applicable laws, legislation and regulations.

(4) Materials and data produced, stored and destroyed using the University's ICT resources are to be managed subject to the relevant University policies, including the Records and Information Management Policy, Privacy and Information Access Policy, Intellectual Property Policy and Research Data and Materials Management Guideline.

(5) The University accepts no responsibility for loss or damage, consequential loss or damage, or loss of data arising from the use of its ICT resources or the maintenance of its ICT resources.

(6) All users must comply with this policy with respect to the University's ICT resources. A failure to comply with this policy may result in, without limitation:

1. for students, disciplinary action taken under the Student Conduct Rule for student misconduct;
2. for employees, disciplinary action taken under the relevant enterprise agreement, University policy and/or employment contract;
3. for service providers, termination of the contract with the University; and
4. for all users (including those categories above), restriction or cancellation of access to the University's ICT resources; and
5. for all users, where a failure to comply could also amount to criminal conduct, referral to the relevant external authority.

Section 4 - Conditions of Use

Permissible Use

(7) Users may access and use the University's ICT resourcesfor legitimate work, study and research purposes.

(8) Users are permitted to use the University's ICT resources for minor and incidental personal use. Access and use of the University's ICT resources is a privilege which can be restricted or cancelled by the University at any time if a user's personal use interferes with the operation of the University's ICT resources, burdens the University with incremental costs, or interferes with the user's obligations to the University.

(9) Incidental personal use does not extend to:

1. intentionally downloading, transmitting or storing unauthorised copyright material; and
2. the use of peer to peer Bit Torrent software or other software as defined here in “Forbidden Applications on the UON Network” (as amended from time to time) that does not align with a business, research or teaching requirements of the University.

(10) Users should be aware that personal use of the University's ICT resources may result in the University holding personal information about the user and/or others which may then be accessed and used by the University to ensure compliance with this, and other policies.

Requirements

(11) Users must take reasonable steps to ensure the security, confidentiality, integrity and availability of all University related information and data stored or received, including measures to prevent loss of information and loss or leakage of account credentials.

(12) Users must, when using the University's ICT resources, do so in a responsible, ethical and equitable manner, in accordance with the University's Code of Conduct and all applicable laws, legislation and regulations.

(13) All users must take care to access University's ICT resources, including email, only from secure or trusted computers, and to lock computers or log out of sessions before leaving any computer unattended.

Restrictions on Use

(14) Users must not use the University's ICT resources in a manner that is harassing, discriminatory, defamatory, vilifying, abusive, rude, insulting, threatening, obscene or otherwise inappropriate.

(15) Users must not use the University's ICT resources in such a way to cause embarrassment or loss of reputation to the University.

(16) Users must not use the University's ICT resources to impersonate, or falsify information about, other persons. This includes altering, removing, or forging email headers, addresses, or messages, or otherwise impersonating or attempting to pass oneself off as another person.

(17) Users must not use the University's ICT resources to access, store or transmit pornographic material of any sort other than with specific written approval from an authorised University Officer for research related purposes. Where an approval is granted, users must exercise caution, including the use of a secure drive (not a shared faculty drive) to avoid undue circulation or access to files.

(18) Users must not use the University's ICT resources for the purposes of gambling.

(19) Users must not use the University's ICT resources in a manner that constitutes an infringement of copyright or infringes a person's moral rights (as defined under the Copyright Act 1968 (Cth)). Users must not download and/or store copyright material on University ICT resources (including websites and file shares), transfer copyright material to others or copy copyright material to any removable media using the University's ICT resources, unless the copyright material is appropriately licensed or the copyright owner has provided the appropriate consent.

(20) Users must not use the University's ICT resources to collect, use or disclose personal information in ways that breach the University's Privacy and Information Access Policy.

(21) Users must not use the University's ICT resources for unauthorised profit making or commercial activities. Employees are referred to the University's Outside Work Policy.

(22) Users must not use the University's ICT resources to distribute unsolicited advertising material from organisations having no connection with the University or involvement in its activities.

(23) Users must not use the University's ICT resources in a manner which is likely to corrupt, damage or destroy data, software or hardware, either belonging to the University or to anyone else, whether inside or outside the University network. Users may only delete and alter data as required by authorised University activities with regard for data retention requirements outlined in the University's Records and Information Management Policy.

(24) Users must not use the University's ICT resources to attempt to gain unauthorised access to any computer service. The use of another person's login, password or any other security device is not permitted.

(25) Users must not exploit any vulnerabilities in systems (except authorised staff when checking security of systems as part of their duties) or use any technology designed to locate such vulnerabilities or circumvent security systems.

(26) Users must not attempt to create or install any form of malicious software (for example worms, viruses, sniffers, malware, ransomware) which may affect computing or network equipment, software or data as part of the University's ICT resources, or which seek or gain access to data or user accounts for which the user is not authorised, or eavesdrop or intercept transmissions not intended for the user.

(27) Users must not extend the University network by introducing an unauthorised hub, switch, router, wireless access point, or any other service or device that permits more than one device to connect to the University's network.

(28) Users must not facilitate or permit the use of the University's ICT resources by persons not authorised by the University.

(29) Where access to an ICT resource of the University is protected by a password, a user must not make their individually assigned password available to any other person.

(30) Users must not change operating system configurations, upgrade existing operating systems, or install new operating systems on University owned and managed devices. In exceptional cases, or as required by researchers (e.g. Academics or RHD students), reinstallation of other operating systems can be done. In these cases the changes must be performed by IT Services or appropriate IT support staff.

(31) Users must not alter, or add to in any way to, computer equipment supplied by the University without prior authorisation via the IT Service Desk unless it is the connection of external equipment via externally accessible input and output ports such as USB (Universal Serial Bus), VGA (Video Graphics Array) and DVI (Digital Visual Interface).

Section 5 - Personal Device Usage (including Bring Your Own Device (BYOD))

(32) This includes any electronic device owned, leased or operated by an employee, contractor, affiliate or student of the University which is capable of storing data and connecting to a network, including but not limited to mobile phones, smartphones, tablets, laptops, personal computers and netbooks. Users must ensure that usage of personal devices both on the University network and when handling University data meets all the applicable requirements of this Policy and the BYOD Procedure.

(33) When using personal devices to connect to the University network, Users shall ensure that these devices have up-to-date security patches and anti-virus software is installed. Refer to the Patch Management Procedure and BYOD Procedure for further details.

Section 6 - Authorised Access

(34) Access to the University's ICT resources must be based on the concept of least privilege (i.e. access is to be limited on a need to know basis).

(35) All access to the University's ICT resources must be authorised by the appropriate Head of School or System Owner. Refer Delegation of Authority Policy.

(36) No user of University's ICT resources may ever knowingly exceed their authorised access level. If additional access is required for a user to perform their duties then this access must be granted by the information owner or their delegate.

(37) The University reserves the right at its discretion to grant, limit or withdraw access to some or all of its ICT resources either temporarily or permanently.

Access to Email, Calendar and Related Services - Staff

(38) In the event of a staff member being absent on either unexpected or approved leave, or has left the organisation, that staff member agrees that the University may arrange access to the person's email, calendar or related service by their supervisor, in order to ensure that the business of the University is not disrupted.

(39) A request to arrange access by an absent staff member's email, calendar or related service must be made to the CIO by the Head of School or Division, and in accordance with the University's Delegation of Authority Policy.

Proxy Access

(40) Proxy use of another user's account is permissible where both parties agree and where there is a legitimate business need for such access. Proxy access must be configured within the system, and not through the sharing of credentials and must be in accordance with any third party arrangements that the University has entered into.

Termination – Post-Appointment

(41) The University will disable any unique identification (the user account) which the University previously provided to a user (such as a staff member, student, Affiliate, etc) when that user ceases to be in the particular role (for example, when a staff member ceases to be a member of staff).

Extended Access

(42) Where it is in the interest of the University, approval may be given for access to its ICT resources after a person ceases to qualify as a user, as defined above. Such access may be provided at the discretion of the appropriate Deputy Vice-Chancellor, COO or equivalent in accordance with the University's Delegation of Authority Policy.

Section 7 - Monitoring

(43) Subject to any law or written agreement to the contrary, the University reserves the right to view, modify, copy, move, delete or otherwise handle as it sees fit the data and information assets stored on and accessed through the University's ICT resources, irrespective of any ownership or other rights claimed over the data or information assets.

(44) Consistent with generally-accepted business practice but without limiting the remainder of this section, the University may audit and monitor the use of the University's ICT resources. The University may also look at and copy any information, data or files (including non-University material) created, sent or received by users using, or while connected to, the University's ICT resources. Users are responsible for all activities originating from their account, including all information sent from, requested, solicited or viewed from their account as well as publicly accessible information placed on a computer using their account.

(45) The University's electronic communication systems generate detailed logs of all transactions and use. Users should be aware that the University has the ability to access these records and that system administrators have the ability to access the content of electronic communications and files sent and stored using the University's ICT resources.

(46) The University reserves the right to remove or restrict access to any material within the University domain.

(47) The University will conduct computer surveillance continuously on an ongoing basis with respect to its employees who are using the University's ICT resources and connected systems to ensure that its users are complying with their obligations under this Policy, the University's other applicable policies, guidelines and procedures and all applicable legislation.

(48) Computer surveillance means surveillance by means of software or other equipment that monitors or records the information input or output, or other use, of a computer (including, but not limited to, the sending and receipt of emails and the accessing of internet websites).

(49) This computer surveillance will be carried out by the University by:

1. recording the detailed logs of all transactions and use by its users of the University's ICT resources;
2. accessing University email accounts, archives, backups or emails; even where the user has deleted an email, the University may still retain archived and/or backup copies of the email;
3. accessing files stored on network drives, computers or in cloud services to which the University has administrative access; even where the user has deleted a file, the University may still retain archived and/or backup copies of the file;
4. accessing University owned work computers, including computer security and event logs;
5. recording network traffic activity including internet usage (including sites and pages visited, files downloaded, video and audio files accessed and data input) and accessing these records;
6. accessing system and event logs and login activity relating to the University's ICT resources; and
7. monitoring on a continual basis, through manual analysis and automated correlation activities using the University's Security Information and Event Management (SIEM) solution.

(50) For the purposes of the Workplace Surveillance Act 2005 (Cth), this Policy constitutes written notice of the University's computer surveillance of its employees.

(51) The University's users acknowledge that as a result of this computer surveillance, the University may prevent, or cause to be prevented, delivery of an email sent to or by, or access to an internet website by, the user.

(52) As soon as reasonably practicable, the University will notify an employee where an email has not been delivered except where:

1. the email was a commercial electronic message within the meaning of the Spam Act 2003 (Cth);
2. the content or any attachment to an email would or might result in an unauthorised interference with, damage to or operation of, a Computer or computer network of the University or any program run by or Data stored on such a computer or computer network;
3. the email or any attachment would be regarded by a reasonable person as being (in all circumstances) harassing, menacing or offensive; or
4. the University is not aware (or could not reasonably be expected to be aware) of the identity of the employee that sent the email or that the email was sent by an employee.

(53) The University will not prevent the delivery of an email or access to a website merely because:

1. the email was sent by or on behalf of an industrial organisation of the employees or an officer of such an organisation; or
2. the website or email contains information relating to industrial matters (as defined in the Industrial Relations Act 1996 (NSW)

(54) Each User acknowledges that the University may be required to produce the records it has obtained (as a result of the monitoring it has undertaken in relation to its ICT resources) as a result of a request made under the Government Information (Public Access) Act 2009.

Section 8 - Investigations

(55) Any identified use of equipment or services deemed inconsistent with any terms specified in this Policy may be investigated by the University. Inappropriate use will be subject to consideration under relevant disciplinary or misconduct processes and may involve a range of actions, including not limited to, suspension of access to the University's systems. See Code of Conduct and Student Conduct Rule for more information on disciplinary and misconduct processes.

(56) Written approval of the appropriate DVC, COO or equivalent is required for any investigation activity. The CIO (or delegate) may withdraw access to the University's ICT resources commensurate with managing the risk of the activity while the investigation is in process.

Section 9 - Confidentiality and Privacy

(57) While the University's ICT resources are electronically safeguarded and maintained in accordance with current best practice, no guarantee can be given regarding the protection, confidentiality or privacy of any information.

(58) Email and other records stored in the University's ICT resources may be the subject of a subpoena, search warrant, discovery order or similar legal application.

(59) Disclosure outside the University of any personal information must be in accordance with the Privacy and Personal Information Protection Act 1998 No 133, the Government Information (Public Access) Act 2009, the Health Records and Information Privacy Act 2002, the University's Privacy and Information Access Policy and its Privacy Management Plan.

Section 10 - Reporting

(60) Users must promptly report breaches of this Policy and any information security incidents, breaches or suspected breaches to IT Services through the 17000 IT Service Desk. Users have an obligation under the University's Code of Conduct and the Public Interest Disclosures Policy to report misuse of the University's resources.

Section 11 - Security Instructions

(61) Users must abide by any relevant instructions given by the CIO or nominated officers. Such instructions may be issued by notices displayed in the vicinity of computing facilities, by letter, by electronic communication, in person or otherwise.

Section 12 - Enforcement

(62) All Users of the University's ICT resources should be aware of this policy, their responsibilities and legal obligations. Non-compliance with the provisions of this Policy may result in action under the University's policies, code of conduct or enterprise agreements, and may also result in referral to a statutory authority and/or agency. Sanctions may include warning, counselling, disciplinary or legal action.

(63) The CIO (or delegate) is responsible for monitoring use of the University's ICT resources. If the CIO (or delegate) deems that an identified use of equipment or services is inconsistent with any terms specified in this Policy, such use may be investigated by the University. Written approval of the appropriate DVC, COO or equivalent is required for any investigation activity. The CIO (or delegate) may withdraw access to the University's ICT resources commensurate with managing the risk of the activity while the investigation is in process.

Section 13 - Exceptions

(64) Exceptions to this Policy may be requested by a user in writing or via email to the CIO. Exceptions will be assessed based on the business impact, the security risk that the proposed exemption may pose and any compensating controls that may be implemented in relation to the proposed exemption.

Section 14 - Roles and Responsibilities

Council

(65) The Vice-Chancellor is responsible for overseeing the management and implementation of this Policy.

Chief Information Officer (CIO)

(66) The CIO oversees information security policy development and manages arrangements for information security.

(67) The CIO is responsible for:

1. ensuring that users are aware of this Policy;
2. monitoring use of the University's ICT resources, and disconnecting or restricting a user's access if the user has failed to comply with this Policy or any of the University's other IT policies, guidelines and procedures;
3. maintaining this Policy; and
4. regularly reviewing and updating this Policy to ensure that the Policy continues to be suitable, adequate and effective.

IT Security

(68) The IT Security Team reports to the Associate Director, Service Enhancement who reports to the Chief Information Officer. The IT Security Team is responsible for:

1. performing compliance and audit functions in accordance with this Policy; and
2. investigating and reporting on suspected breaches of this Policy.

All Users

(69) All users of the University's ICT resources are expected to recognise the importance of this policy, and to be familiar with the provisions of this policy and to support the processes that will appropriately manage security and the confidentiality, integrity and availability of the data assets and University information. The requirements set out in this Policy do not in any way authorise a user to disregard any obligations the user is required to comply with at law. Any user who is unsure of the meaning of any of these terms, should seek advice from the IT Service Desk prior to use either:

1. by phone on +61 2 492 17000, or
2. by email at 17000@newcastle.edu.au