This is the current version of this document.
Section 1 - Audience
(1) This policy applies to all users of the University's Information and Communications Technology resources (ICT resources), connected systems, data and information assets, including users of network connections in University-provided student accommodation facilities.
Section 2 - Purpose
(2) The University provides a wide range of ICT services to help ensure the delivery of world-class learning and research outcomes.
(3) The University has a responsibility to ensure the appropriate use of its ICT resources and to protect itself from any operational, financial, reputational, legal and compliance risks that could arise from their inappropriate use.
(4) This policy informs users of the University's ICT resources of their rights and responsibilities, and the University requires users to comply with this policy as a condition of use.
(5) In support of these objectives, this policy defines conditions of use to help ensure the confidentiality, integrity, and availability of University systems and information.
Section 3 - General Principles
(6) The University's ICT resources exist and are maintained to support the achievement of the University's objectives. Access to, and use of, the University's ICT resources comes at a cost to the University and is not provided to users unconditionally. The University reserves the right to:
- continuously monitor (subject to section 7 below) the use of its ICT resources;
- deal appropriately with anyone who uses ICT resources in ways contrary to this policy or contrary to law; and
- undertake or perform any actions as required by any and all applicable laws, legislation and regulations.
(7) Materials and data produced, stored and destroyed using the University's ICT resources must be managed subject to the relevant University policies, including but not limited to the Records Governance Policy, Privacy Policy, Intellectual Property Policy and Research Data and Primary Materials Management Procedure.
(8) The University accepts no responsibility for loss or damage, consequentially or otherwise, or loss of data arising from the use or the maintenance of its ICT resources.
(9) All users must comply with this policy with respect to the University's ICT resources. A failure to comply with this policy may result in, without limitation:
- for students, disciplinary action taken under the Student Conduct Rule for student misconduct;
- for employees, disciplinary action taken under the relevant enterprise agreement, University policy and/or employment contract;
- for service providers, termination of the contract with the University;
- for all users (including those categories above), restriction or cancellation of access to the University's ICT resources; and
- for all users, where a failure to comply could also amount to criminal conduct, referral to the relevant external authority.
Section 4 - Conditions of Use
Permissible Use
(10) Users may access and use the University's ICT resources for legitimate work, study and research purposes.
(11) Users under 18 must have parental/guardian permission to access the internet using their University of Newcastle user account.
(12) Minimal personal use of ICT resources by authorised Users is permitted. Access and use of the University's ICT resources may be restricted or cancelled by the University at any time if a user's personal use interferes with the operation of the University's ICT resources, burdens the University with incremental costs, or interferes with the user's obligations to the University.
(13) Personal use must not include activities that are in breach of State, Federal or International law or legislation; University Rules or Policies; or, that may introduce unacceptable risk to the University.
(14) Minimal personal use does not extend to:
- intentionally downloading, transmitting or storing unauthorised copyright material;
- the use of peer-to-peer file sharing software or other software, as defined in “What applications are forbidden on the University network?” (as amended from time to time), that does not align with a business, research or teaching requirement of the University;
- the use of unapproved Virtual Private Networking (VPN) services or network anonymisers while connected to, or connecting to, the University ICT network; or
- the use of cryptocurrency mining software and hardware.
(15) Users should be aware that personal use of the University's ICT resources may result in the University holding personal information about the user and/or others which may then be accessed and used by the University to ensure compliance with this, and other policies.
Requirements
(16) Users must take reasonable steps to ensure the security of University information when it is stored or processed, and to prevent the loss or leakage of account credentials.
(17) Users must, when using the University's ICT resources, do so in a responsible, ethical and equitable manner, in accordance with the University's Student Code of Conduct or Staff Code of Conduct (whichever is relevant) and all applicable policies, laws, legislation and regulations.
(18) All users must take care to only access the University's ICT resources, including email, from secure or trusted computers or other devices; and to lock computers or log out of sessions before leaving any device unattended.
Restrictions on Use
(19) Users must not use the University's ICT resources in a manner that is harassing, discriminatory, defamatory, vilifying, abusive, rude, insulting, threatening, obscene or otherwise inappropriate.
(20) Users must not use the University's ICT resources in such a way as to cause embarrassment or loss of reputation to the University.
(21) Users must not use the University's ICT resources to impersonate or falsify information about other persons. This includes but is not limited to altering, removing, or forging email headers, addresses, or messages; or otherwise impersonating or attempting to pass oneself off as another person.
(22) Users must not use the University's ICT resources to access, store or transmit pornographic material of any sort other than with specific written approval from an authorised University Officer for research related purposes. Where an approval is granted, users must exercise caution, including the use of a secure storage location (not a shared college drive) to avoid undue circulation or access to files.
(23) Users must not use the University's ICT resources in a manner that constitutes an infringement of copyright or infringes a person's moral rights (as defined under the Copyright Act 1968 (Cth)).
(24) Users must not download and/or store copyright material on University ICT resources (including websites and file shares), transfer copyright material to others or copy copyright material to any removable media using the University's ICT resources, unless the copyright material is appropriately licensed or the copyright owner has provided the appropriate consent. Refer to the University's Copyright Compliance Policy for further information.
(25) Users must not use the University's ICT resources to collect, use or disclose personal information or health information in ways that breach the University's Privacy Management Plan.
(26) Users must not use the University's ICT resources for unauthorised profit making or commercial activities. Employees are referred to the University's Outside Work Policy.
(27) Users must not use the University's ICT resources to distribute unsolicited advertising material from organisations having no connection with the University or involvement in its activities.
(28) Users must not use the University's ICT resources in a manner which is likely to corrupt, damage or destroy data, software or hardware, either belonging to the University or to anyone else, whether inside or outside the University network. Users may only delete and alter data as required by authorised University activities with regard for data retention requirements outlined in the University's Records Governance Policy.
(29) Users must not use the University's ICT resources to gain, or attempt to gain, unauthorised access to any computer service. The use of another person's login, password or any other authentication device is not permitted.
(30) Users must not exploit any vulnerabilities in systems or use any technology designed to locate such vulnerabilities or circumvent security systems, apart from authorised staff in the course of their duties to assess system security.
(31) Users must not attempt to create or install any form of malicious software (for example worms, viruses, sniffers, malware, ransomware) which may affect computing or network equipment, software or data as part of the University's ICT resources, or which seek or gain access to data or user accounts, or eavesdrop on or intercept network transmissions; apart from authorised staff and researchers in the course of University-approved duties.
(32) Users must not extend the University network by introducing an unauthorised hub, switch, router, wireless access point, or any other service or device that permits more than one device to connect to the University's network.
(33) Users must not facilitate or permit the use of University ICT resources by persons not authorised by the University.
(34) Users must not make their individually assigned University password available to any other person. If a password has been disclosed to another individual, or is known or suspected to be compromised, then the password must be changed immediately.
(35) Users must not change operating system configurations, upgrade existing operating systems, or install new operating systems on University owned and managed devices. In exceptional cases, reinstallation of other operating systems may be permitted subject to prior approval by the Chief Digital & Information Officer (CDIO) (or their nominee) through an IT Service Desk request.
(36) Users must not alter, or add to in any way, computer equipment supplied by the University without prior authorisation via the IT Service Desk unless it is the connection of external equipment via externally accessible input and output ports such as USB (Universal Serial Bus), VGA (Video Graphics Array), HDMI (High-Definition Multimedia Interface), Thunderbolt, and DVI (Digital Visual Interface).
(37) To ensure compliance with state, federal and international data protection legislation, users must not, without appropriate authorisation, store or process University data in “cloud” services other than those provided by the University.
Section 5 - Personal Device Usage (including Bring Your Own Device (BYOD))
(38) Personal Device Usage includes any electronic device owned, leased or operated by an employee, contractor, affiliate or student of the University which is capable of storing data and connecting to a network, including but not limited to mobile phones, tablets, laptops, personal computers and notebooks.
(39) Users must ensure that usage of personal devices both on the University network and when handling University data meets all the applicable requirements of this policy and the Information Security BYOD Policy.
(40) When using personal devices to connect to the University network, users shall ensure that such devices have up-to-date security patches and anti-virus software installed. Refer to the Information Security Patch Management Manual and Information Security BYOD Policy for further details.
Section 6 - Authorised Access
(41) Access to the University's ICT resources must be based on the concept of least privilege (i.e. access is to be limited on a need-to-know basis).
(42) All access to the University's ICT resources must be authorised by the appropriate System Owner.
(43) No user of the University's ICT resources may ever knowingly exceed their authorised access level. If additional access is required for a user to perform their duties then this access must be granted by the System Owner (or their nominee).
(44) The University reserves the right, at its discretion, to grant, limit or withdraw access to some or all of its ICT resources either temporarily or permanently.
Access to Email, Calendar and Related Services - Staff
(45) In the event of a staff member being absent on either unexpected or approved leave, or having left the organisation, that staff member agrees that the University may arrange for their supervisor to obtain access to their email, calendar, or any other ICT resource, in order to ensure that University operations are not disrupted.
(46) A request to arrange access to an absent staff member's email, calendar or other ICT resource must be approved in line with the University's delegations of authority (see: Delegations Register). Approved requests should be sent to the CDIO (or their nominee) by the Head of School or Divisional Head.
Proxy Access
(47) Proxy use of another user's account is permissible where both parties agree and where there is a legitimate business need for such access. Proxy access must be configured within the system and not through the sharing of credentials, and must be in accordance with any third party arrangements that the University has entered into.
Removal of Access
(48) The University will disable any user account which it has provided to a user (such as a staff member, student, affiliate, etc) when that user ceases to be an authorised user, e.g. when a staff member ceases to be a member of staff, or a student withdraws from study at the University.
(49) The University may remove access to systems and functions when a user’s role changes within the University, e.g. when a member of staff changes their job role, or a student graduates to become a University Alumni.
Extended Access
(50) Where it is in the interest of the University, approval may be given for access to its ICT resources after a person ceases to qualify as a user, as defined above. Such access must be approved in accordance with the University's delegations of authority (see Delegations Register).
Section 7 - Monitoring
(51) Subject to any law or written agreement to the contrary, the University reserves the right to view, modify, copy, move, delete or otherwise handle as it sees fit the data and information assets stored on and accessed through the University's ICT resources, irrespective of any ownership or other rights claimed over the data or information assets.
(52) Consistent with generally-accepted business practice but without limiting the remainder of this section, the University may audit and monitor the use of the University's ICT resources. The University may also look at and copy any information, data or files (including non-University material) created, sent or received by users using, or while connected to, the University's ICT resources. Users are responsible for all activities originating from their account, including all information sent, requested, solicited or viewed from their account as well as publicly accessible information placed on a computer using their account.
(53) The University's electronic communication systems generate detailed logs of all transactions and use. Users should be aware that the University has the ability to access these records and that system administrators have the ability to access the content of electronic communications and files sent and stored using the University's ICT resources.
(54) The University reserves the right to remove or restrict access to any material within the University domain.
(55) The University will conduct computer surveillance continuously on an ongoing basis with respect to its staff who are using the University's ICT resources and connected systems to ensure that its users are complying with their obligations under this policy, the University's other applicable policies, standards, guidelines and procedures and all applicable legislation.
(56) Computer surveillance means surveillance by means of software or other equipment that monitors or records the information input or output, or other use, of a computer (including, but not limited to, the sending and receipt of emails and the accessing of internet websites).
(57) This computer surveillance will be carried out by the University by:
- recording the detailed logs of all transactions and use by its users of the University's ICT resources;
- accessing University email accounts, archives, backups or emails; even where the user has deleted an email, the University may still retain archived and/or backup copies of the email;
- accessing files stored on network drives, computers or in cloud services to which the University has administrative access; even where the user has deleted a file, the University may still retain archived and/or backup copies of the file;
- accessing University owned work computers, including computer security and event logs;
- recording network traffic activity including internet usage (including sites and pages visited, files downloaded, video and audio files accessed and data input) and accessing these records;
- accessing system and event logs and login activity relating to the University's ICT resources; and
- monitoring on a continual basis, through manual analysis and automated correlation activities using the University's Security Information and Event Management (SIEM) solution.
(58) For the purposes of the Workplace Surveillance Act 2005 (Cth), this policy constitutes written notice of the University's computer surveillance of its employees.
(59) The University's users acknowledge that as a result of this computer surveillance, the University may prevent, or cause to be prevented, delivery of an email sent to or by, or access to an internet website by, the user.
(60) As soon as reasonably practicable, the University will notify an employee where an email has not been delivered except where:
- the email was a commercial electronic message within the meaning of the Spam Act 2003 (Cth);
- the content or any attachment to an email would or might result in an unauthorised interference with, damage to or operation of, a computer or computer network of the University or any program run by or data stored on such a computer or computer network;
- the email or any attachment would be regarded by a reasonable person as being (in all circumstances) harassing, menacing or offensive; or
- the University is not aware (or could not reasonably be expected to be aware) of the identity of the employee that sent the email or that the email was sent by an employee.
(61) The University will not prevent the delivery of an email or access to a website merely because:
- the email was sent by or on behalf of an industrial organisation of the employees or an officer of such an organisation; or
- the website or email contains information relating to industrial matters (as defined in the Industrial Relations Act 1996 (NSW)).
(62) Each user acknowledges that the University may be required to produce the records it has obtained (as a result of the monitoring it has undertaken in relation to its ICT resources) as a result of a request made under the Government Information (Public Access) Act 2009.
Section 8 - Investigations
(63) Any identified use of equipment or services deemed inconsistent with any terms specified in this policy may be investigated by the University.
(64) Inappropriate use will be subject to consideration under relevant disciplinary or misconduct processes and may involve a range of actions, including but not limited to, suspension of access to the University's systems. See Staff Code of Conduct, Student Code of Conduct and Student Conduct Rule for more information on disciplinary and misconduct processes.
(65) Written approval by an authorised delegate is required for any investigation activity (refer Delegations Register).
(66) The University may withdraw access to the University's ICT resources commensurate with managing the risk of the activity while the investigation is in process.
Section 9 - Confidentiality and Privacy
(67) While the University's ICT resources are electronically safeguarded and maintained in accordance with current best practice, no guarantee can be given regarding the confidentiality, integrity and availability of any information.
(68) Email and other records stored in the University's ICT resources may be the subject of a subpoena, search warrant, discovery order or similar legal application.
(69) Disclosure outside the University of any personal information must be in accordance with any relevant legislation, not limited to the Privacy and Personal Information Protection Act 1998 No 133, the Government Information (Public Access) Act 2009, the Health Records and Information Privacy Act 2002 No 71, the University's Privacy Policy and its Privacy Management Plan.
Section 10 - Reporting
(70) Users must promptly report breaches of this policy and any information security incidents, breaches or suspected breaches to Digital Technology Solutions through the University IT Service Desk.
(71) Users have an obligation under the University's Student Code of Conduct or Staff Code of Conduct, the Public Interest Disclosures Policy, and the Fraud and Corruption Framework to report misuse of the University's resources.
Section 11 - Security Instructions
(72) Users must abide by any relevant instructions given by the CDIO or nominated officers. Such instructions may be issued by notices displayed in the vicinity of computing facilities, by letter, by electronic communication, in person or otherwise.
Section 12 - Enforcement
(73) All Users of the University's ICT resources should be aware of this policy, their responsibilities and obligations.
(74) Non-compliance with the provisions of this policy may result in action under the University's policies, Staff Code of Conduct, Student Code of Conduct or enterprise agreements, and may also result in referral to a statutory authority and/or agency.
(75) The CDIO (or nominee) is responsible for monitoring use of the University's ICT resources.
(76) If the CDIO (or nominee) deems that an identified use of equipment or services is inconsistent with any terms specified in this policy, such use may be investigated by the University.
Section 13 - Exceptions
(77) Exceptions to this policy may be requested by a user in writing to the CDIO. Exceptions will be assessed based on the business impact, the security risk that the proposed exemption may pose, and any compensating controls that may be implemented in relation to the proposed exemption.
Section 14 - Roles and Responsibilities
Chief Digital & Information Officer (CDIO)
(78) The CDIO is responsible for Information Technology Conditions of Use Policy development and manages arrangements for information security.
(79) The CDIO is responsible for:
- ensuring that users are aware of this policy;
- monitoring use of the University's ICT resources, and disconnecting or restricting a user's access if the user has failed to comply with this policy or any of the University's other IT policies, manuals, procedures and guidelines;
- maintaining this policy; and
- regularly reviewing and updating this policy to ensure that the policy continues to be suitable, adequate and effective.
Information Security Team
(80) The Information Security Team reports to the Associate Director, Cyber Security and IT GRC who reports to the Chief Digital & Information Officer. The Information Security Team is responsible for:
- performing compliance and audit functions in accordance with this policy; and
- investigating and reporting on suspected breaches of this policy.
All Users
(81) All users of the University's ICT resources are expected to recognise the importance of this policy, and to be familiar with the provisions of this policy and to support the processes that will appropriately manage security and the confidentiality, integrity and availability of the data assets and University information.
(82) The requirements set out in this policy do not in any way authorise a user to disregard any obligations the user is required to comply with by law.
(83) Any user who is unsure of the meaning of any of these terms should seek advice from the IT Service Desk prior to use, either:
- by phone on +61 2 492 17000; or
- online at IT Service Desk.