Guidelines for staff* on use of IT facilities, including email and the internet

*For the purposes of this policy, the term 'staff' includes postgraduate research degree students

These Guidelines are issued by the Director of Information Strategy and Technology Services (ISTS) under authority of Council.

These guidelines provide clarification for staff on the practical application of the University's Policy on Acceptable Use of IT Facilities and they should be read in conjunction with it.

IT facilities includes all computing and communication equipment, software, services, data and dedicated building space used in connection with information technology, which is owned by, leased by or used under licence or agreement by the University.

1. Responsibilities of staff
2. Unacceptable or prohibited use of IT facilities
3. Privacy
4. Monitoring use of IT facilities
5. Email bulletins and distribution lists
6. Other information

1. Responsibilities of staff

The following sections set out requirements that are particularly significant and provide relevant information about some of the legislation that governs the use of IT facilities. All staff who use University IT facilities must comply with the policy, legislation and principles that are referred to here as well as to other directives from the Director of Information Strategy and Technology Services that may be issued.

1.1 Acceptable Use of IT facilities

Information technology facilities may be used only as set out in the Policy on Acceptable Use of IT Facilities.

Staff members must not use IT facilities for the purpose of personal profit making or for commercial activities other than those of the University. Staff use of University IT facilities including email and the internet is conditional upon compliance with all University policies procedures and guidelines, including the Sexual Harassment Policy & Grievance Procedures (C - 12.2) and Equal Opportunity Policy C - 2.2) as well as with State and Commonwealth law.

A list of relevant documents and Government legislation with which staff must comply is set out in Appendix A of the Policy on Acceptable Use of IT Facilities.

1.2 Copyright Law

Copyright law restricts the copying of software and other material subject to copyright (documents, music, broadcasts, videos etc) except with the express permission of the copyright owner. A more detailed discussion of copyright.

1.2.1 Software

Staff may not make use of, or copy, software contrary to the provisions of any agreement entered into by the University. The onus is on staff to consult with ISTS to clarify the permitted terms of use if they wish to use any software for purposes other than those for which the University has a licence.

1.2.2 Multiple users

Copies of software used in a multi-access or network environment to allow simultaneous access by more than one user can only be provided if specifically permitted in the contract or software licence, or if a copy of the software has been purchased for every simultaneous user.

More information about copyright.

1.2.3 Email and Copyright

The copyright of an email message is owned by the sender, or the sender's employer. Copyright owners have a variety of rights, including the right to reproduce their work and the right of communication to the public. Forwarding something to an email discussion list would be construed as "to the public". Consider the expectations of the originator; did that person set any conditions on the further communication of their email, or expect that it would not be forwarded to anyone else, or would not be forwarded to a particular recipient?

1.2.4 Spam Act 2003

All email messages sent from a University email account must comply with the Spam Act 2003. This Act sets up a scheme for regulating commercial e-mail and other types of commercial electronic messages. The Spam Act refers to spam as "unsolicited commercial electronic messaging". "Electronic messaging" includes emails, instant messaging, SMS and other mobile phone messaging. A single message may be spam. The message does not need to be sent in bulk, or received in bulk.

There are a large number of commercial electronic messages that can be sent legitimately. They are only considered to be spam if they are sent without the prior consent of the recipient - as unsolicited messages. The rules for sending commercial electronic messages are:

• Unsolicited commercial electronic messages must not be sent.
• Commercial electronic messages must include information about the individual or organisation who authorised the sending of the message.
• Commercial electronic messages must contain a functional unsubscribe facility.
• Address-harvesting software must not be supplied, acquired or used.
• An electronic address list produced using address-harvesting software must not be supplied, acquired or used.

1.3 Honesty in representation and identity

1.3.1 User Identification

On request of relevant University managers and supervisors, a member of staff must provide evidence of their eligibility to use the University's IT facilities.

1.3.2 User Misrepresentation

Staff must not under any circumstance, in messages or otherwise, represent themselves as someone else, fictional or real, without providing their real identity or username.

1.3.3 Public statements on behalf of the University

Communications using University IT facilities should not give the impression that the writer is representing, giving opinions or making statements on behalf of the University or any part of it unless appropriately authorised to do so. See the policy on Public Statements by Members of University Staff (C 5.0).

1.4 Security

The following practices should be observed to maintain the security of the University's IT facilities.

• Staff must not attempt to interfere with or bypass the operation or security of IT facilities including restrictions or quotas relating to usage.
• Staff must keep their user name and password safe and not make their password available to others or use any account set up for another user or make any attempt to find out the password of a facility or an account for which they do not have authorised access.
• Staff must ensure that the confidentiality and privacy of data is maintained.
• Staff who have been granted access to computer systems are responsible for the safe keeping of data within their own area of work.
• Staff must not divulge any confidential information that they may have access to in the normal course of their employment.
• Staff must not seek access to data that is not required as part of their duties as a staff member of the University.
• Staff who inadvertently obtain data to which they are not entitled or who become aware of a breach of security pertaining to data from any information technology facility must immediately report this to the Director of ISTS or local IT personnel. Unauthorised release or use of data inadvertently obtained may lead to legal action.
• Staff must ensure the security of their workstation by logging off or observing other security measures when it is left unattended.

1.5 Non - Interference

1.5.1 Inconvenience and damage

Staff must not behave in a manner which, in the opinion of relevant University managers and supervisors, unduly inconveniences other people or which causes or is likely to cause damage to University IT facilities.

1.5.2 Installation of software

Staff must not install software on any University IT facility unless the installation is designated as part of their authorised work.

2. Unacceptable or prohibited use of IT facilities

2.1 Purpose

IT facilities are provided for use in the University's teaching and learning, research, administrative and business activities. They are not provided for private personal use, although it is recognised that, as with the telephone, there will be limited use for personal purposes (see below section 2.5).

Some types of unacceptable use, for example transmission of material of an obscene nature, are specifically prohibited by the Policy on Acceptable Use of IT Facilities and by State and Commonwealth law. The policy contains an appendix listing relevant legislation and University policy and procedures.

2.2 Examples of unacceptable use

Unacceptable use of IT facilities is set out in section 5.3 of the Policy on Unacceptable Use. Further examples of unacceptable use include:

• circumventing system security provisions or usage quotas
• visiting inappropriate internet sites concerned with pornography and down loading materials that are pornographic or storing or transmitting any such material
• playing computer games or other leisure activities such as joining in chat rooms or surfing the internet in pursuit of personal interests that are not related to work.
• sending or soliciting obscene, profane or offensive material (this includes accessing erotic materials via news groups).
• sending email messages or jokes that contain discriminating or sexually harassing material, or messages that create an intimidating or hostile work environment for others.
• using University IT facilities in the conduct of personal businesses or for commercial purposes that are not directly related to University business.
• using University email facilities to send chain letters.
• unauthorised forwarding of confidential University messages to persons outside the University.
• using another person's mailbox without authorisation.
• using another's identify or concealing or misrepresenting one's name or affiliations or address.
• sending unsolicited personal opinions on social, political, religious or other non-University related matters, where sending such opinions is not a legitimate part of education or research.
• soliciting to buy or sell goods or services, except on mail groups that have been established specifically for that purpose
• using, copying or transmitting copyrighted information in a way that infringes the owner's copyright.

2.3 Inadvertent unacceptable use

In relation to use of the web, it may not always be possible to tell if a web page is relevant until it has been read and web search engines and links can sometimes lead to irrelevant and inappropriate websites. In these cases usage logs may be used to demonstrate that access to inappropriate sites was inadvertent.

2.4 Seeking advice on use

Where staff have doubt concerning their authorisation to use any IT facility or about whether a particular use is acceptable, they should seek the advice of their supervisor, a member of Information Strategy & Technology Services (ISTS) or their Division/School IT officer.

2.5 Use for personal purposes

There may be some use of University IT facilities for personal purposes that are unrelated to work (eg. internet banking). Such use must be limited, reasonable and appropriate and it must not:

• contravene University policy or State or Commonwealth laws
• interfere with official use of IT facilities or
• interfere with a staff member's obligations to the University.

The amount of personal use is at the discretion of a staff member's supervisor or manager and therefore, seek advice from them about using the internet for personal purposes. For information about how use of the internet is monitored, see section 3 on Privacy and Monitoring (below).

2.6 What to do when misuse is observed

If the incident is happening Report the incident directly to University Security

If the incident has happened Report it to the IT Help Desk (x25000)

2.7 What happens following a report of alleged misuse

Where an alleged misuse has been reported to the IT Help Desk or brought to the attention of the Director: Information Strategy & Technology Services or staff members responsible for managing any part of the University's information technology facilities, the Director (or nominee) may:

1. act immediately to prevent any continuation of the alleged misuse pending an investigation
2. promptly notify other authorities, including the relevant cost centre manager or supervisor
3. advise the person of the Acceptable Use of IT Facilities policy and direct the person to discontinue immediately the alleged misuse

If an investigation of alleged misuse requires a staff member's use of IT facilities to be examined or monitored they will not necessarily be notified. If the investigation of alleged misuse requires access to the contents of a staff member's computer or e-mail, approval of the Vice Chancellor is required beforehand.

Allegations that constitute misconduct or breaches of the law will be referred to the appropriate authority for investigation. The University will give that authority all reasonable assistance requested including disclosing:

• relevant financial and personal data, and
• data which may be limited by contractual obligation including copyrighted software and software that is patented or which contains trade secrets

2.8 Penalties for misuse of IT facilities

Staff members who do not abide by University policy when using IT facilities, may have their access to IT facilities suspended or be subject to disciplinary action, or civil or criminal legal action. See the Policy on Acceptable Use of IT Facilities.

3. Privacy

3.1 Privacy limitations

A member of staff may expect some privacy in relation to their use of the computer and email and internet resources the University makes available to them at work. Despite the use of individual passwords, privacy is limited in the following ways:

• use of computers, email and the internet can be accessed by IT administrators
• IT systems automatically log the internet sites visited, the downloads made and the time spent at each site as well as information about emails sent and received. This automatically logged information can be accessed by IT administrators.
• while contents of emails and web sites are not routinely recorded, contents may be stored on staff computers or on servers
• it is possible to retrieve deleted records from back ups and archives.

3.2 Privacy legislation

Besides technological limitations on privacy, there are other factors that can impinge on privacy. The Office of the Privacy Commissioner provides information on the privacy legislation and how it applies to use of IT by employees. It shows that there are exemptions to the Privacy Principles and an employer's logging of staff activities (email and internet) is not contrary to the legislation as long as it is done lawfully and fairly.

To ensure fairness, the University has provided these Guidelines to inform staff about its practice of monitoring and accessing records relating to use of University IT facilities, including computers, email and the internet.

For information about how the University protects the privacy of information it holds in relation to its students, see the Policy on Confidentiality of Student Information (A 46.1).

The University also informs members of the public about how the University monitors their use of the University web site. See the Privacy statement.

3.3 Freedom of Information

Another limitation on privacy arises from the University's obligation to comply with Freedom of Information legislation.

Under the Freedom of Information (FOI) Act of South Australia, a document is defined as "anything in which information is stored or from which information may be reproduced". Email messages created in the course of fulfilling duties relating to employment are official records covered by the State Records Act (1997) and the Freedom of Information Act (1991), and are subject to the same requirements as hardcopy records. The content of email messages arising from this use remains the property of the University and may be subject to release in accordance with the FOI Act. For further information or advice, contact the Records and Copyright Officer.

4. Monitoring of use of IT facilities

4.1 Routine monitoring

The University provides IT facilities for use by staff in relation to the University's teaching and learning, research, administrative and business activities. Routine monitoring of the use of IT facilities is conducted to monitor the costs and acceptable use of University resources. The type of information automatically collected includes:

The University routinely monitors the level of usage to control costs. Cost centres contribute towards these costs and cost centre managers receive summary information that allows them to monitor usage by staff in their cost centre. The costs associated with individual use of IT resources, specifically an individual's use of the internet, are recorded. Information about an individual's level of use of the internet.

Under the GST legislation, use of University resources for other than University business requires apportionment to determine what part of the GST paid for the goods or service can be claimed back by the University. This is another reason why use of University internet or email or other IT facilities for personal purposes must only be incidental and why compliance with law (in this case A New Tax System legislation) may require the University to monitor and inspect records of use.

4.2 Other monitoring

In normal circumstances, staff supporting IT services will not monitor the contents of electronic mail messages or other communications or files they access as a result of their work (eg auditing operations). However, whenever the Vice-Chancellor decides it is appropriate, the University will inspect, copy, store and disclose the contents of email to prevent or correct improper use, satisfy a legal obligation, or to ensure proper operation of IT facilities.

5. Email bulletins and distribution lists

5.1 General notices

General notice bulletins to public groups, news groups, or specific work groups can only be sent for the purposes of University business associated with work and staff must comply with the Public Statements by University Staff Policy (C 5.0) as well as with the provisions of the Spam Act outlined above.

5.2 All staff notices and all student notices

To reduce the amount of unwanted and unsolicited email received by staff, approval of the intended message must be obtained from a manager who has approval to send to these lists. The following approvals are required:

All staff:

• Executive Officer to the Vice-Chancellor
• Senior Management Group
• Heads of Schools
• Directors
• Select staff (eg Deputy Director ISTS)

All Academic Staff:

• Executive Officer to the Vice Chancellor
• Senior Management Group
• Heads of Schools
• Directors
• Select staff (eg Deputy Director ISTS)

All General Staff:

• Executive Officer to the Vice Chancellor
• Senior Management Group
• Heads of Schools
• Directors
• Select staff (eg Deputy Director ISTS)

All students:

• Executive Officer to the Vice-Chancellor
• Director, Student and Academic Services

Staff must not circumvent this approval process by intentionally combining many smaller distribution lists to achieve a recipient list similar to All Staff, All Academic Staff or All General Staff.

5.3 Distribution list management

Distribution lists containing email Addresses are provided as part of the email service. Cost centres each designate a distribution list manager who is responsible for maintaining the accuracy of the cost centre's General Staff and Academic Staff distribution lists. Global Distribution Lists may be created with the approval of cost centre managers. The owners of these lists are responsible for their accuracy.

6. Other information

To help staff use IT resources responsibly, the following information is provided.

6.1 Charging for Internet Use

Generally, the University is charged for use of the internet involving external (non UniSA) internet sites. It is not charged for use involving only sites within the University. Each area of the University pays for the internet use of staff. The more internet sites a staff member views and the more material downloaded, the more an organisational area pays.

As a result, heads or managers of areas have online access to information regarding the amount and cost of internet use for each individual or group of computers in their area. If a member of staff has used the internet more than a manager expects given the staff member's role, the manager can request ISTS to provide the details of the internet sites the individual has accessed. If the manager believes the amount of use and /or the content of some sites is inappropriate, the matter may be raised with the individual.

More information on level of use.

6.2 How to reduce the cost of internet use

The most common use of the internet is for accessing world wide web sites. Cost can be minimised by following this advice:

• Do not leave a web browser open on a page that automatically refreshes content, particularly pictures and images.
• Some web pages continually update themselves, usually with advertisements. Search engines, web-cams, the White Pages and Yellow Pages are typical examples. Do not leave a browser on these pages any longer than necessary.
• Note that if a page is minimised, or hidden behind another window on the screen, the material is still being downloaded and the University is paying for it. It is better to close all browser windows.
• Some web sites open additional windows behind the main one. While surfing the web, check for unwanted web browser windows, and close them.
• Use the University provided email account, instead of services like Yahoo! or Hotmail, for University-related email. The inbox on the University email account uses the University's internal network. Consequently, the University is not charged for that use. Reading an inbox on most other commercial email services (including Hotmail and Yahoo!) uses the internet, and the University will be charged for the use.
• Consider the content of the sites visited. Web pages that contain images, movies and sound are larger, and cost more to download, than pages which are more text-oriented.
• Configure the browser so that, by default, it does not display images.
• Logout from the computer when finished working.
• Use secure passwords to prevent others using the computer.

6.3 Procedures relating to email when a staff member leaves

• When a staff member's email account is to be deleted (because they are leaving the University), the person requesting the deletion must complete the appropriate form and have it authorised by the relevant Head of School or Unit. Email accounts for people who have recently left, are shown in the address book with "Left" after their name.
• It is the responsibility of the departing staff member to tidy up their email account prior to their departure. Messages which relate to University business should be retained or archived appropriately. Messages which remain in the email account will be viewed by other staff once the departing staff member has left.
• Deleted email accounts actually remain active for a period of three months. During this time all email addressed to the mailbox is redirected to the member of staff who person who requested the deletion or their delegate. This person then has the responsibility for managing that mail.
• New messages which arrive for a deleted email account in the three month period will not be automatically redirected to an email account external to the University. Personal mail messages for the former staff member will be on forwarded (if a forwarding e-mail address is known) on request of the departing staff member. University related e-mail messages will not be disclosed nor forwarded to the former staff member.
• After three months, the entire mailbox for the former staff member will be archived and then deleted from the address book.
• Archived messages may be recovered for up to 12 months by submitting a formal request to the IT Help Desk stating the reasons for recovery and the date/period of the mail messages to be recovered. This service may incur a fee depending on how much work is required to archive the required messages.