University Computing and Communications Facilities Conditions of Use Policy

Document Number000817
Date Approved23 April 2007
Date Last Amended12 April 2013
    

1.      Introduction

The University of Newcastle (The University) provides students, staff and the community with access to computing and communications services in support of its teaching, learning, research and administrative activities.

The University has a responsibility to ensure the appropriate use of its computing and communications facilities and to protect itself from any legal liabilities arising from their inappropriate use.

This document sets out the terms governing the use of these facilities.

2.      Scope

This Policy applies to:

  • all University staff, conjoints, students, volunteers, and members of advisory and governing bodies, in all campuses and locations of the University and at all times while engaged in University business or otherwise representing the University;
  • all University computing and communication facilities

The University requires that each user comply with these terms as a condition of access to University systems. Use of any University  systems, services or facilities indicates that the user understands and accepts these terms. Any user who is unsure of the meaning of any of these terms, should seek advice from the IT Service Desk prior to use - phone extension 17000 or email 17000@newcastle.edu.au 

3.      Relevant Definitions

Account means an established relationship between a user and the University’s computing and communication facilities.

Access details means the University allocated identification credentials which allows a user access to University IT systems, services and facilities.

CIO means the Chief Information Officer, who is also the Director of IT Services.

Computing and Communications Facilities means all computing and communication services operated by the University – whether owned, leased, used under license or by agreement – including, but not limited to:

  • telephones (including mobile devices) and telephone equipment, voice mail, SMS
  • mobile data devices
  • desktop and laptop computers
  • tablet computers
  • workstation computers
  • any connection to the University's network, or use of any part of the University's network to access other networks
  • all hardware, including printers, scanners, facsimile machines
  • any communication or computing devices in laboratories or other facilities
  • any off-campus computers and associated peripherals and equipment provided for the purpose of University work or associated activities
  • usage of remote systems accessed via University IT facilities.

Delegate (noun) means the staff member, officer, committee or body of the University to whom or to which a delegation of authority has been made under this policy.

Delegate (verb) means to authorise or entrust an officer or committee of the University with decision-making power or authority to decide to take action in a specified area.

Information Owners will be senior business or faculty unit managers who have been given the authority to collect, create, retain and maintain information and information systems within their assigned area of control.

Records means any document or information compiled, created, sent, received, recorded or stored in written form or on film, or by electronic process, or in any other manner or by any other means in the course of carrying out the business of the University.

User means any person using any of the University's computing and communications facilities, including, but not limited to:

  • staff
  • students
  • clinical and adjunct title holders
  • associates, honorary and visiting staff
  • alumni
  • consultants
  • contractors
  • third parties
  • other users who are authorised by the University to access its systems and/or network
  • anyone connecting non- University owned equipment (e.g. laptop computers) to the University network. 

4.      Policy Principles

Usage

4.1        User Responsibilities

  • A user is required to accept full responsibility for their use of computing and communications facilities.
  • Use must be in accordance with University policies and all relevant Commonwealth and State legislation. Users must also ensure they comply with requirements in the University’s Code of Conduct. Please see sections 5 and 6 for a full list of Essential Supporting and Related Documents.
  • A user is responsible for all activities originating from their account(s), including all information sent from, intentionally requested, solicited or viewed from their account(s) as well as publicly accessible information placed on a computer using their account(s).
  • A user is not permitted to provide another person with their access details for any facility protected by user identification or password.
  • Users may only use computing and communications facilities for authorised purposes namely for University business, academic or student related activities except as otherwise defined in this policy.
  •  Users have a responsibility to be ethical and efficient in their use of computing and communications facilities.
  • Computing and communications facilities cannot be used for private or commercial gain or for gain to a third party without the written permission of the Vice-Chancellor (or nominee) and must be within the limitations of licences and Agreements.
  • A user is required to take due care when using computing and communications facilities and take reasonable steps to cause no damage.
  • A user is required to refrain from using computing and communications facilities if they have reason to believe it is dangerous to themselves or others.
  • A user is required to report any damage to computing and communications facilities services to the IT Service Desk - phone extension 17000 or email 17000@newcastle.edu.au 

4.2        Incidental Personal Use

Incidental personal use (e.g. occasional emails and web browsing during work breaks) is permissible within reasonable limits and as long as the cumulative impact on the University of Newcastle is inconsequential.  This provision is at the sole discretion of the CIO, and may be rescinded at any time.

Authorised ‘incidental personal use’ of University computing and communications facilities precludes any activity which may:-

  • cause disruption to computing and communications services;
  • burden the University with significant costs; and/or
  • impede one’s work or other obligations to the University.

‘Incidental personal use’ does not extend to:

  • intentionally downloading, transmitting or storing:
    • unauthorised software
    • computer games
    • music files
    • video files
    • photographic files. 
  • accessing of streaming radio or television stations broadcasting via the Internet.

Downloading, transmitting or storage of such files increases the load on the network and could degrade the service to other staff and students with genuine need to use the resources.

The CIO reserves the right to prevent access to or delete any files contained on University systems that are deemed to be for personal use and excessive in nature.

4.3        University Property

Unless third parties have clearly noted copyright or some other rights on the information and messages handled by University computing and communications facilities, all information and messages generated on or handled by University computing and communications facilities are considered to be the property of the University of Newcastle.

4.4        Authorised Access

Access to University computing and communications facilities must be based on the concept of least privilege (need to know basis).

All access to University computing and communications facilities must be authorised by the appropriate faculty or division manager who has the role of Information Owner.

No user of University computing and communications facilities may ever knowingly exceed their authorised access level.  If additional access is required for a user to perform their duties then this access must be granted by the information owner or their delegate. This additional access includes administration rights on a machine.

The University reserves the right at its discretion to grant, limit or withdraw access to some or all of its computing and communications facilities either temporarily or permanently.

Access to email accounts – Staff

In the event of a staff member being absent on either unexpected or approved leave, the University may arrange access to the person’s email by their supervisor, in order to ensure that the business of the University is not disrupted.

A request to arrange access to an absent staff member’s email must be made to the CIO by the Head of School or Division.

Termination - Post-Appointment

The University will terminate access to computing and communications facilities when a user ceases to qualify as a user or is no longer associated with the University.

Extended Access

Where it is in the interests of the University, approval may be given for access to computing and communications facilities after a person ceases to qualify as a user, as defined above.  Such access may be provided at the discretion of the appropriate Deputy Vice-Chancellor.

4.5        Password Security

Users must actively defend access to University computing and communications facilities from unauthorised use by others.  Where access is protected by a username and password, users must choose passwords based on the rules set under the NUaccess computer account management system http://www.newcastle.edu.au/service/computer-accounts/nuaccess/

Passwords must not be disclosed to any other user including IT support staff.

Users must not use any account which has been set up for another user except as outlined in Clause 4.4, nor may they attempt to find out the user credentials of another user.

4.6        Proxy Use

Proxy use of another users account is permissible where both parties agree and there is a legitimate business need for such access. 

4.7        Inappropriate, Offensive and Illegal Material

It is not acceptable to intentionally create, send or access information that could

  • damage the University's reputation;
  • be misleading or deceptive;
  • result in victimisation or harassment;
  • lead to criminal penalty or civil liability; or
  • be reasonably found to be offensive, obscene, threatening, abusive or defamatory.

The CIO reserves the right to audit and remove any such material from its computing and communications facilities without notice.

Where a genuine reason exists (i.e. to support teaching, learning or research activities) for accessing sites that would be normally regarded as inappropriate, the written authorisation of the Head of School or Division is required.

Pornography

The intentional accessing, storage, display or distribution of pornography is strictly prohibited, and will be considered serious misconduct by the University. All users should be aware that possession and distribution of pornographic images of children is a criminal offence and, if discovered on University computing and communications facilities, will be referred to the Police.

Academics or students whose legitimate area of research may involve collection and analysis of materials which are, or may be construed as, pornographic (e.g. cultural studies, gender studies, etc) should seek clearance in writing from their Head of School and should exercise caution, including the use of a secure drive (not a shared faculty drive) to avoid undue circulation or accessing of files.

Diversity and Inclusiveness

It is inappropriate to transmit, communicate or access any material which constitutes any form of bullying, harassment (including sexual harassment), discrimination, victimisation or vilification by any member of the University community in their interactions with other members of the University community or whilst involved in University related activities.  This includes any unlawful discrimination of an individual or a group of people on the basis of race, colour, nationality or ethnicity, religion, sex, pregnancy (actual, presumed and/or breastfeeding) or parental responsibilities, marital status, age, disability, homosexuality, transgender status or sexual preference, carer’s responsibilities, trade union activity or association, political opinion or irrelevant criminal record or some other characteristic specified under anti-discrimination or human rights legislation.

See Promoting a Respectful and Collaborative University: Diversity and Inclusiveness Policy 000941 http://www.newcastle.edu.au/policy/000941.html.

Users may be individually liable if they aid or abet others who bully, discriminate against, harass, victimise or vilify colleagues, students or any member of the public.

4.8        Copyright/Licence Conditions

Users must not copy, download, store or transmit material which infringes:

  • copyright (for example but not limited to: music files, movies or videos);
  • software licence conditions; and/or
  • hardware licence conditions

and must only install, distribute or use software for which they have a current licence.

The CIO reserves the right to prevent access to or to delete any information contained on its systems that is suspected to have breached copyright or licence conditions. .

Copyright Guidelines for staff and students of the University of Newcastle are available at  Copyright Law Guideline 000073 http://www.newcastle.edu.au/policy/000073.html.

4.9        Statutory Compliance

Users of computing and communications facilities are required to comply with statutory requirements. Users who have access to personal and health information must abide by the tenets specified in the University’s Privacy Management Plan in relation to the collection, storage, access, use and disclosure of personal and health information. For further information: See Privacy Management Plan 000258 http://www.newcastle.edu.au/policy/000258.html.

While the University seeks to ensure privacy it cannot guarantee the confidentiality of any records stored on any computing and communications facility or transmitted through its network. Messages conveyed via information networks are capable of being intercepted, traced or recorded by others. Although such practices may be illegal, users should not have an expectation of privacy and must take care with confidential documents.

All information, data or files created by users on computing and communications facilities are subject to scrutiny. Users of computing and communications facilities should be aware that records stored on  these facilities are legally considered to be documents of the University under the Government Information (Public Access) Act 2009 and can be subpoenaed or "discovered" during legal processes.

These documents must comply with the University’s record management policies and are subject to statutory record keeping requirements.

4.10       Security

4.10.1     Configuration Security

On University supplied computer hardware, users must not change operating system configurations, upgrade existing operating systems, or install new operating systems. If such changes are required, they must be performed by IT Services or appropriate IT support staff.

Computer equipment supplied by the University must not be altered or added to in any way without prior authorisation via the IT Service Desk.

Components of the University’s information security infrastructure must not be disabled, bypassed, turned off, or disconnected without prior approval from the Information Owner.

4.10.2     Hacking and Cracking Activities

Users must not use computing and communications facilities to engage in attempts to subvert security measures in any way. This includes but is not limited to:

  • gaining unauthorised access;
  • altering, or disrupting the operations of any computing and communications facility; and
  • capturing or otherwise obtaining user credentials, encryption keys, or any other access control mechanism that could permit unauthorised access.

Unless it forms part of their authorised duties, users must not test, or attempt to compromise any security controls.

4.10.3     Security Instructions

Users must abide by any relevant instructions given by the CIO or nominated officers. Such instructions may be issued by notice displayed in the vicinity of computing facilities, by letter, by electronic communication, in person or otherwise.

4.10.4     Security Breaches

Users must report breaches or suspected breaches of any terms specified in these conditions of use to their supervisor, lecturer or an appropriate senior officer of the University. Users have an obligation under the University's Code of Conduct Policy 000059 http://www.newcastle.edu.au/policy/000059.html and the Ethical and Accountable Conduct - Public Interest Disclosures Policy 000969 http://www.newcastle.edu.au/policy/000969.html to report misuse of University resources.

4.10.5     Monitoring

Consistent with generally-accepted business practice, IT Services collects statistical data regarding the operations of its computing and communications facilities. Using such information, technical support personnel monitor user activity to ensure the ongoing availability, reliability, and security of these facilities. This monitoring is used to detect unauthorised usage and potentially malicious network activity.

Where unauthorised activity is detected, or a complaint has been made, users may be called upon to explain their use of computing and communications facilities. . Access to these facilities may be withdrawn pending investigation of the complaint (see Clause 4.11 Investigations and 4.12 Complaints).

The University may inspect, monitor or disclose information including electronic mail or other electronic files without the consent of the user, to the extent permitted by law. IT personnel must not review the content of an individual user’s communications out of personal curiosity or at the request of any individual who has not gone through proper approval channels. Advance written approval by the CIO (or delegate) that has been authorised by the appropriate DVC   is required for any such investigation or monitoring activity.  

Users should be aware that the University logs and stores information on the use of computing and communications facilities in the following areas:

  • Email server performance; logs, backups and archives of emails or information about those emails sent and received through University mail servers;
  • Logs, backups and archives of all internet access and network usage. While individual usage is not routinely monitored, unusual, inappropriate or high volume activity may be investigated further;
  • Phone logs and information relating to incoming and outgoing calls;
  • Overall network performance including workstations, printers and other devices connected to the network as well as servers and other elements of the University’s computing and communications facilities; and
  • Compilation and retention of logs of network activity.

The IT monitoring described above is currently in place, ongoing and continuous.

4.11       Investigations

Any identified use of equipment or services thought to be inconsistent with any terms specified in these conditions of use will be investigated. Inappropriate use will be subject to consideration under relevant disciplinary or misconduct processes and may involve a range of penalties, including but not limited to termination of employment, suspension from a course of study or a fine and/or criminal prosecution. 

Advance written approval by the CIO (or delegate) that has been authorised by the appropriate DVC is required for any investigation or proactive monitoring activity. The CIO (or delegate) may withdraw access to the University’s computing and communications facilities commensurate with managing the risk of the activity pending investigation.

4.12       Complaints

Upon approval by the relevant DVC, the CIO (or delegate) will investigate the alleged activity, and will forward findings to the University Complaints Office.

The Complaints Office will manage the investigation in accordance with relevant University policies and procedures including the Student Misconduct Rule; workplace misconduct processes; and the University’s Code of Conduct.

The University may elect to confiscate computing equipment accessed by the user alleged to have committed the offence.

Where requested by the Complaints Office the CIO or their delegate will provide electronic records and information to the relevant law enforcement agencies within the limits of the law.

Where misconduct is found to have occurred, a range of actions may be taken or penalties imposed which include but are not limited to termination of employment, suspension from a course of study or a fine and/or criminal prosecution.

Systems access will only be restored following advice from the Complaints Office or the relevant DVC.

4.13       Disclaimer

The University accepts no responsibility for any damage to or loss of information, data, hardware or software arising directly or indirectly from use of the University's computing and communications facilities or for any consequential loss or damage. The University makes no warranty, express or implied regarding the facilities offered, or their fitness for any particular purpose.

The University's liability in the event of any loss or damage shall be limited to the fees and charges paid to the University for the use of the computing and communications facilities which resulted in the loss or damage.

5.      Essential Supporting Documents

Information Security Policy 000813

Information Security Classification Policy 000814

Information Security Roles and Responsibilities Policy 000815

Code of Conduct Policy 000059

Privacy Management Plan 000258

Password Management Guidelines http://www.newcastle.edu.au/service/passwords/password-guidelines.html

Promoting a Respectful and Collaborative University: Diversity and Inclusiveness Policy 000941

Copyright Law Guideline 000073

Ethical and Accountable Conduct – Public Interest Disclosures Policy 000969

6.      Related Documents

AS/NZS 7799.2:2003: Information Security Management - Specification for Information Security Management Systems

Information Security Guideline for NSW Government – Part 1 Information Security Risk Management

Privacy and Personal Information Protection Act 1998 No 133

Health Records and Information Privacy Act 2002

State Records Act 1998  

Australian Copyright Act 1968

Copyright Amendment (Digital Agenda) Act 2000

Protected Disclosures Act 1994

NSW State Records Authority Standard on Counter Disaster Strategies for Records and Recordkeeping systems (No. 6)

NSW State Records Authority Standard on Managing a Records Management Program (No. 8)

NSW State Records Authority Standard on Physical Storage of State Records (No. 3)

 

Approval AuthorityVice-Chancellor
Date Approved23 April 2007
Date Last Amended12 April 2013
Date for Review31 October 2013
Policy SponsorChief Operating Officer
Policy OwnerChief Information Officer
Policy ContactAssociate Director, Service Continuity
Amendment History

Amendment to title of Policy 000941 replacing 'Workplace' with 'University'. Approved Vice-Chancellor 12 April 2013.

Hyperlinks added in Section 5, Secretariat, 3 April 2013.

Reviewed and updated including updated definitions, correction of out of date cross references, and additional clarification in some of the procedural elements included in the document. Approved by the Vice-Chancellor 20 February 2013.

23 August 2011 - Administrative amendments due to implementation of Student Misconduct Rule which replaced Student Discipline Rules effective 25 July 2011.

Replacement of Harassment section with Diversity and Inclusiveness section, to reflect new Diversity and Inclusiveness Policy approved by the Deputy Vice-Chancellor (Academic and Global Relations) 23 June 2011; advised by Equity and Diversity Unit, of new wording for this policy, on 11 August 2011.

Links amended March 2009