Acceptable use of information technology resources policy

1.0 Objectives

1.1 This policy is designed to:

  • Ensure clear and consistent understanding of an employee’s or contractor’s responsibilities when working with Academy information technology resources.
  • Outline the restrictions on using personal devices for business purposes.

2.0 Responsibilities and usage requirements

2.1 Responsibilities with Academy information technology resources

Academy Staff who use Academy information technology resources are responsible for:

  • usage of the unique computer accounts which the Academy has authorised for the user's benefit;
  • selecting and keeping a secure password for each of these accounts, including not sharing passwords and logging off after using a computer;
  • using the ICT resources in an ethical and lawful way, in accordance with relevant legal requirements;
  • The Academy’s ICT resources must not be used for unlawful, offensive or otherwise improper activities. For example, they must not be used:
    • for material that is pornographic, hateful, racist, sexist, abusive, obscene, discriminatory, offensive or threatening
    • to stalk, bully, harass, defame or breach copyright.
    • creating or exchanging messages that are offensive, harassing, obscene or threatening
    • visiting web sites containing objectionable (including pornographic) or criminal material
    • creating, storing or exchanging information in violation of copyright laws
    • using internet-enabled activities such as gambling, gaming or conducting illegal activities
    • creating or exchanging advertisements, solicitations, chain letters and other unsolicited or bulk email
    • playing electronic or online games in work time.
  • ensuring that, except for limited personal use, IT Resources are only used for authorised purposes;
  • notifying the Chief Information Officer if they become aware that information technology resources are being used by any person to infringe the intellectual property rights of another person or the Academy, or that the effect of any use of any facilities is to infringe such rights.
  • observing the Terms of Service or Acceptable Use policies of third-party products or services that have been engaged by the Academy.

2.2 Responsibilities with Academy issued devices

Academy Staff who use Academy issued devices are to adhere to the below requirements:

  1. Whilst in possession of the device, employees will at all times comply with the Academy’s Code of Conduct Policy and all other related policies. It is the employee’s responsibility to ensure that they are familiar with these policies located on the Academy’s staff portal.
  2. Employees will take all reasonable steps to safeguard devices and the information stored on them. This includes but is not limited to:
    • Not modifying the computer’s operating system, installing unauthorised software, obtaining extra resources without authorisation, or allowing modifications or repairs to be undertaken by anyone other than Academy IT staff.
    • Making the device available to Academy IT staff as requested for periodic audits or upgrades to the hardware and software provided, as well as for other tasks.
    • Keeping the device in a secure location when outside the office and when not in use, to prevent accidental damage. For example, an unattended locked car is not considered secure.
    • Not allowing any other person to use the device unsupervised, and not passing on to any other unauthorised person any software, licences or resources installed on or associated with it.
    • If at any point you suspect that you may have opened a malicious resource, software, or email, you must notify Academy ICT support immediately.

2.3 Misuse of Information Technology resources

Misuse of Academy’s IT Resources is a breach of the Acceptable Use of IT Resources Policy.

Any member of the Academy who becomes aware of possible misuse of Information Technology Resources must report it to either:

  • their supervisor or manager;
  • the Human Resources Manager; or
  • the Chief Information Officer.

In the event that misuse is determined by management, formal disciplinary action for staff will occur in accordance with the Academy’s policies and procedures.

2.4 Liability

To the extent allowed by law, the Academy is not liable for loss, damage or consequential loss or damage arising directly or indirectly from:

  • use or misuse of any Information Technology Resources;
  • loss of data or interference with data stored on any Information Technology Resources;
  • interference with or damage to equipment used in conjunction with any Information Technology Resources;
  • loss of data, access to IT Resources or interference with files arising from its efforts to maintain the IT Resources.

2.5 Monitoring and Surveillance of IT Resources

The Chief Information Officer or their delegate may at any time monitor, inspect, access or examine any Academy IT Resources for any purpose permitted by the Acceptable Use of IT Resources Policy, any other Academy policy, rule or regulations and for the purposes of:

  • facilitating the efficient operation and management of the Academy IT Resources;
  • protecting the integrity of IT Resources;
  • investigating alleged misuse;
  • auditing the assets of the Academy; or
  • logging and information security.

3.0 Loss, theft, or damage processes

  1. If a device is damaged, lost or stolen, the employee must report this to the Chief Information Officer as soon as possible, within a maximum of 48 hours from the time of damage or loss. A police report must be obtained if the device is stolen and provided to the Chief Information Officer.
  2. If through no fault of the employee, an Academy device is lost, stolen or damaged, it will be repaired or replaced at the Academy’s expense.
  3. However, if the employee contributed to the loss/theft/damage, then the employee may be asked, at the discretion of the Chief Information Officer, or the Chief Operating Officer, to contribute towards repair or replacement costs.

4.0 Personal devices

  1. To reduce the Academy network’s susceptibility to viruses, malware, and security breaches, the Academy does not allow personal devices to remote into the Academy’s server via a VPN or other remote desktop services. As such, it is the Academy’s responsibility to provide a device for staff that need remote access.
  2. The Academy does not recommend working on personal devices beyond the exceptions listed below and as such will not cover any loss, theft, or damage during work-related activities on these devices.

Exceptions:

  1. Personal mobile phones can be used for work purposes subject to discussion with the relevant manager; however, these devices are not covered under the Academy’s insurance policy. As such, it is the employee’s responsibility to ensure the device is insured under an appropriate policy. The Academy can contribute to the costs of insurance subject to your manager’s approval.
  2. Mac-based devices can be used to connect to the Academy’s remote environment with approval from the CIO and will be considered on a case-by-case basis.

5.0 Definitions

‘Authorised purposes’ means purposes associated with work at the Academy, provision of services to or by the Academy, which are approved or authorised by the relevant officer or employee of the Academy in accordance with Academy policies and procedures or pursuant to applicable contractual obligations, limited personal use, or any other authorised purpose.

‘Limited personal use’ means use that –

  • is of a purely personal nature and not for financial gain;
  • does not directly or indirectly impose an unreasonable burden on any IT Resources;
  • does not unreasonably deny any other user access to any resources;
  • does not contravene any law in any jurisdiction in Australia or any Academy regulation, policy or procedure; and
  • does not interfere with the execution of duties.

‘Devices’ means any ICT equipment including phones, tablets, laptops, and other computer hardware.

6.0 Relevant legislation

Copyright Act (Cwth) 1968
https://www.legislation.gov.au/Series/C1968A00063

Privacy Act (Cwth) 1988
https://www.legislation.gov.au/Series/C2004A03712

Cybercrime Act (Cwth) 2001
http://www.austlii.edu.au/au/legis/cth/consol_act/ca2001112

Spam Act (Cwth) 2003
http://www.austlii.edu.au/au/legis/cth/consol_act/sa200366


Policy contact: Chief Information Officer - Chris Warren
Approval Authority: Chief Operating Officer - David Perceval
Date Approved: 19/02/2019
Date of Commencement: 19/02/2019

© 2024 Australian Academy of Science