Guidelines for Staff on Use of IT Facilities including Email and the Internet

Responsible Officer	Chief Information Officer
Last Updated	November 2016
Date of Review	November 2018
Audience/Application	Staff
Related Documents	Acceptable Use of Information Technology (C-22) Information Security Policy Privacy Policy (M1) Sexual Harassment (C-12.5) Equal Opportunity (C-2) Public Statements and Representation by Members of University Staff and Students (C-5)

1.    Terms of Use

These guidelines are issued by the Chief Information Officer under the authority of Council and provide clarification on the practical application of the University's Policy on Acceptable Use of IT Facilities.  These Guidelines apply to Staff and Postgraduate research degree students.

Staff use of University IT facilities including email and the internet is conditional upon compliance with all University policies, procedures and guidelines, including the Sexual Harassment (C-12.5) and Equal Opportunity (C-2) as well as with State and Commonwealth law.

2.    Staff Conduct

2.1    Staff must:

Identity & Representation

• provide evidence (e.g. a current staff ID card) of their eligibility to use the University's IT facilities, on request from relevant University managers and supervisors.

Security of Facilities

• keep their username and password safe and not make their password available to others or use any account set up for another user or make any attempt to find out the password of a facility or an account for which they do not have authorised access.
• ensure that the confidentiality and privacy of data is maintained.
• ensure the security of their workstation by logging off or observing other security measures when it is left unattended.
• be responsible for the safe keeping of the data they access as part of being granted access to use corporate information systems.
• report immediately to the Chief Information Officer any breach of security pertaining to data from any information technology facility. Unauthorised release or use of data inadvertently obtained may lead to legal action.

Personal Use of University IT Facilities

• ensure that IT facilities are utilised for the University's teaching and learning, research, administrative and business activities that they are provided for.
• ensure that personal use unrelated to work is limited, reasonable and appropriate and must not:
  • contravene University policy or State and Commonwealth laws,
  • interfere with official use of IT facilities, or
  • interfere with a staff member's obligations to the University.
• recognise that the amount of personal use is at the discretion of a staff member's supervisor or manager and that advice should be sought from them before using the internet for personal purposes.

Advice

• seek advice from their supervisor or the IT Help Desk if they have doubt concerning their authorisation to use any IT facility or about whether a particular use is acceptable.

Email Bulletins & Notices

• only send general notice bulletins to public groups, news groups, or specific work groups for the purposes of University business associated with work.
• comply with the Public Statements and Representation by Members of University Staff and Students (C-5) as well as with the provisions of the Spam Act outlined in this document.

2.2    Staff must not:

Personal Profit

• use University provided IT facilities for the purpose of personal profit making or for commercial activities other than those of the University

Software

• make use of, or copy, software contrary to the provisions of any licensing agreement entered into by the University.  The onus is on staff to consult with ISTS to clarify the permitted terms of use if they wish to use any software for purposes other than those for which the University has a licence.
• install software on any University IT facility unless the installation is designated as part of their authorised work.
• install University licensed software on any non-University owned facility unless the license specifically permits it.

Identity & Representation

• represent themselves, in messages or otherwise, as someone else, fictional or real, without providing their real identity or username.
• give the impression that the writer is representing, giving opinions or making statements on behalf of the University or any part of it unless appropriately authorised to do so via communications using University IT facilities.

Security of Facilities

• divulge any confidential information that they may have access to in the normal course of their employment.
• seek access to data that is not required as part of their duties as a staff member of the University.
• behave in a manner which, in the opinion of relevant University managers and supervisors, unduly inconveniences other people or which causes or is likely to cause damage to University IT facilities.
• store University data on personally owned devices or any other device not owned by the University where such device can be used by another person, unless such devices are locked down to the staff member via password, pin or biometric access and the device locks itself after no more than 5 minutes of inactivity

Personal Use

• some types of unacceptable use, for example transmission of material of an obscene natures, are specifically prohibited by the Acceptable Use of Information Technology (C-22) and by State and Commonwealth law.  The policy contains an appendix listing relevant legislation and University policy and procedures.

3.    Relevant Legislation

3.1    Copyright

Copyright law restricts the copying of software and other material subject to copyright (documents, emails, music, broadcasts, videos etc.) except with the express permission of the copyright owner. (The copyright of an email is owned by the sender, or the sender's employer.)

Refer to the Copyright at UniSA webpage.

Email & Copyright

The copyright of an email message is owned by the sender, or the sender's employer.  Copyright owners have a variety of rights, including the right to reproduce their work and the right of communication to the public.  Forwarding something to an email discussion list would be construed as 'to the public'.

Consider the expectations of the originator:

• did that person set any conditions on the further communication of their email?
• expect that it would not be forwarded to anyone else? or
• would not be forwarded to a particular recipient?

3.2    Privacy

A member of staff may expect some privacy in relation to their use of the computer and email and internet resources the University makes available to them at work.  Despite the use of individual passwords, privacy is limited in the following ways:

• use of computers, email and the internet as well as data on internet sites visited, downloads made and emails sent/received, can be accessed by IT administrators.
• it is possible to retrieve deleted records from back ups and archives.

Privacy Legislation

Besides technological limitations on privacy, there are other factors that can impinge on privacy.  The Office of the Privacy Commissioner provides information on the privacy legislation and how it applies to use of IT by employees.  It shows that there are exemptions to the Privacy Principles and an employer's logging of staff activities (email and internet) is not contrary to the legislation as long as it is done lawfully and fairly.

To ensure fairness, the University has provided these Guidelines to inform staff about its practice of monitoring and accessing records relating tho the use of University IT facilities, including computers, email and the internet.

For information on how the University protects the privacy of information it holds in relation to its students, see the Privacy Policy (M1)

The University also informs members of the public about how the University monitors their use of the University web site.

Refer to the Privacy webpage.

3.3    Freedom of Information

Under the Freedom of Information (FOI) Act of South Australia, a document is defined as "anything in which information is stored or from which information may be reproduced".  Email messages created in the course of fulfilling duties relating to employment are official records covered by the State Records Act (1997) and the Freedom of Information Act (1991) and are subject to the same requirements as hard copy records. 

The content of these emails remains the property of the University and may be subject to release in accordance with the FOI Act.

For further information or advice, contact the Records and Copyright Officer or refer to the Freedom of Information webpage.

3.4    Spam Act 2003

All email messages sent from a University email account must comply with the Spam Act 2003.  This Act dictates the regulation of commercial e-mail and other types of commercial electronic messages.

The Spam Act makes allowance for the University, which is classified as an "educational institution", to send messages to current or previously enrolled students about its goods or services.  Therefore an unsubscribe facility is not required in these cases.

Other electronic messaging, including emails, instant messaging, SMS and other mobile phone messaging may be identified as spam if it does not fall into this category.

4.    Alleged Misuse

Where an alleged misuse has been reported, the Chief Information Officer (or nominee) may:

• act immediately to prevent any continuation of the alleged misuse pending an investigation.
• promptly notify other authorities, including the Central Unit Director, Executive Dean, or Research Institute Director.
• advise the staff member of the Acceptable Use of IT Facilities policy and direct the staff member to discontinue the alleged misuse immediately.

If an investigation of alleged misuse requires a staff members use of IT facilities to be examined or monitored they will not necessarily be notified.

Allegations that constitute misconduct or breaches of the law will be referred to the appropriate authority for investigation.  The University will give that authority all reasonable assistance requested, including disclosing:

• relevant financial and personal data which may be held by the University; and
• data which may be limited by contractual obligation including copyrighted software and software that is patented or which contains trade secrets.

When misuse is observed:

• If the incident is happening report the incident directly to University Security
• If the incident has happened report the incident to the IT Help Desk (x25000)

4.1    Monitoring

Routine monitoring of the use of IT facilities is conducted to monitor the costs and acceptable use of University resources will take place.

In normal circumstances, University and third party staff supporting IT services will not monitor the contents of electronic mail messages or other communications or files they access as a result of their work (e.g. auditing operations).  However, the University and third party staff supporting IT services will inspect, copy, store and disclose the contents of email when appropriate to prevent or correct improper use, satisfy a legal obligation, or to ensure proper operation of IT facilities.

Appendix A: Additional Information

To help staff use IT resources responsibly, the following information is provided:

Mailbox Management

• To maintain the performance and reliability of the University's email environment, size limits will be placed on the storage capacity for the on-line mailboxes for each user.
• All staff can reduce their Exchange server demands by monitoring their storage usage, deleting unwanted mail or archiving email to other storage media (e.g. desktop drives, CD-R, DVD-R).   Archiving will still permit easy access to material for retrieval. ISTS recommends that staff liaise with their IT support staff to ensure that local conventions for archive storage are followed and appropriate backup procedures are undertaken.
• Allocated quotas will be reviewed to ensure that 'normal' functions of staff can be performed within the quotas allocated.

When a Staff Member Leaves

• When a staff member's email account is to be deleted (because they are leaving the University), the person requesting the deletion must complete the appropriate form and have it authorised by the relevant Central Unit Director, Executive Dean, or Research Institute Director. Email accounts for staff who have recently left, are shown in the address book with "Left" after their name.
• It is the responsibility of the departing staff member to tidy up their email account prior to their departure. Messages which relate to University business should be retained or archived appropriately. Messages which remain in the email account will be viewed by other staff once the departing staff member has left.
• Deleted email accounts actually remain active for a period of three months. During this time all email addressed to the mailbox is redirected to the member of staff who requested the deletion. This person then has the responsibility for managing that mail.
• New messages which arrive for a deleted email account in the three month period will not be automatically redirected to an email account external to the University. Personal mail messages for the former staff member will be on forwarded (if a forwarding e-mail address is known) on request of the departing staff member. University related e-mail messages will not be disclosed nor forwarded to the former staff member.
• After three months, the entire mailbox for the former staff member will be archived and then deleted from the address book.
• Archived messages may be recovered for up to 12 months by submitting a formal request to the IT Help Desk stating the reasons for recovery and the date/period of the mail messages to be recovered.

Use of Shared Mailboxes

• Shared mailboxes are provided as part of the email service. New shared mailboxes must
  be formally requested through the IT Help Desk.
• Shared mailboxes are not to be used for archiving personal email data.
• Requests for shared mailboxes to facilitate shared calendars must also be formally requested through the IT Help Desk.
• Owners of shared mailboxes/calendars are responsible for adding and removing other staff members access.

Use of Email Signatures

• Staff should include a signature file on all email. The signature should include the name of the sender, organisation, title, e-mail address, phone number, fax number and the university or cost centre URL and the University's CRICOS provider number (00121B).
• An appropriate picture, graphic or link to promote your business unit, team or department or an upcoming University event may be included in the signature block however drawings, pictures, maps, graphics or an inspirational or other type of quotation are unnecessary in a business communication.

Restoration of email

• The restoration of a deleted email(s) will be provided only in special circumstances.
• A formal request can be submitted to the IT Help Desk, only after the staff member has checked recover Deleted Items options.

Inadvertent Use

• In relation to use of the web, it may not always be possible to tell if a web page is relevant until it has been read and web search engines and links can sometimes lead to irrelevant and inappropriate websites. In these cases usage logs may be used to demonstrate that access to inappropriate sites was inadvertent.

All staff and student notices

To reduce the amount of unwanted and unsolicited email received by staff, approval of the intended message must be obtained from a manager who has approval to send to these lists. The following approvals are required:

• Staff must not circumvent this approval process by intentionally combining many smaller distribution lists to achieve a recipient list similar to All Staff, All Academic Staff or All General Staff.
• Owners of distribution lists are responsible for their accuracy.