IT Acceptable Use – Operational Policy

1. Purpose

1.1 This policy outlines the University’s approach to ensuring acceptable use of information technology (IT) resources and the University’s expectations of all users when accessing and using IT resources to ensure that information security risks are identified, prioritised and managed in a coordinated manner.

1.2 This policy must be read in accordance with the linked Information Security – Operational Policy, Staff Code of Conduct – Governing Policy and Student Conduct – Governing Policy.

2. Scope and application

2.1 This policy applies to all University staff, students, approved third parties, alumni, contractors, sub-contractors, and any other individuals when accessing or using University IT resources.

2.2 This policy applies to all University IT resources (e.g. computers, laptops, mobile phones, tablet devices, emails, networks, hardware, software) at all times, regardless of whether such use occurs during business hours or on University premises.

3. Definitions

3.1 Refer to the University’s Glossary of Terms for definitions as they specifically relate to procedure documents.

Technology-facilitated abuse includes behaviours such as using digital platforms, email, or other electronic means to harass, intimidate, monitor, threaten, or control another person.

1. Policy statement

4.1 The University provides IT resources to support its academic programs, research endeavours, community engagement and administrative services. These are provided for legitimate University activities, and usage should be consistent with this purpose.

4.2 The University makes every effort to ensure the availability and integrity of its IT resources, it cannot guarantee that these are always available or free of any defects, including malicious software. Users must therefore exercise due diligence and use sound judgement when accessing these resources.

1. Principles

5.1 Principle 1: Respect intellectual property and copyright.

5.1.1 The University expects that IT resources are used in manner that respects its intellectual property and copyright requirements, in accordance with the Intellectual Property – Academic Policy and Copyright – Academic Policy.

5.1.2 To achieve this, University IT resources must not be used to copy, download, store or transmit any material that infringes copyright. These materials include but are not limited to:

(a) information;

(b) images;

(c) musical recordings;

(d) films;

(e) videos;

(f) software; and

(g) other intellectual property.

5.1.3 All acquisition and use of software must be in line with its licenced terms and conditions and in accordance with the internal Standard Operating Procedure (restricted).

5.1.4 University IT resources must not be used for unauthorised commercial activities or unauthorised personal gain and must not cause loss of service, or risk loss of reputation to the University.

5.2 Principle 2: Use IT resources efficiently and professionally.

5.2.1 The University acknowledges that computing resources are finite and shared by many, to ensure that IT resources can be used efficiently and professionally in their use of network facilities, services and applications. This includes: 

1. maintaining professionalism in digital communications;
2. only using authorised applications and software;
3. being appropriately trained in applications used; and
4. reporting any suspicious activity to the IT Service Desk immediately.

5.2.2 The University implements IT security controls to maintain the security and integrity of its IT resources in accordance with the Information Security - Operational Policy. Users must not circumvent or interfere with these controls.

5.2.3 Clients must not use University IT resources or software to create, store, distribute, or access material that constitutes unlawful discrimination, bullying, harassment (including sexual harassment), victimisation, vilification, violence (including threats of violence), gender-based violence, or technology-facilitated abuse.

5.2.4 Breaches will be referred for investigation under relevant misconduct procedures, and interim measures (such as restriction of IT access) may be applied to protect individuals and the University community.

5.3 Principle 3: Use IT resources in a legal and ethical manner.

5.3.1 The use of University IT resources is subject to the full range of state and federal legislation, as well as with the University policies and procedures. Users must ensure that their use of these resources is always legal and ethical. University IT resources must not be used for or in relation to corrupt conduct, unauthorised personal financial or commercial gain, or for the unauthorised financial or commercial gain of a third party.

5.3.2 Electronic messages must not contain material that constitutes or may reasonably be perceived as unlawful discrimination, bullying, harassment (including sexual harassment), victimisation, vilification, violence (including threats of violence), and gender-based violence, including technology-facilitated abuse. Users must abide by the Staff Code of Conduct – Governing Policy and Student Conduct – Governing Policy.

5.3.3 Users who have authorised access to systems and data containing personal information or confidential information of the University must maintain the confidentiality of this information in accordance with the Privacy and Right to Information – Operational Policy and relevant contractual obligations.

5.3.4 Staff receiving inappropriate material, including material that may constitute unlawful discrimination, bullying, harassment (including sexual harassment), victimisation, vilification, violence (including threats of violence), and gender-based violence, or technology-facilitated abuse, should delete such material from University systems immediately and notify their supervisor/manager of their actions. Such an action should not constitute misuse. However, for all clients, copying, forwarding, or distributing inappropriate or unacceptable material by any means constitutes unauthorised use and may be referred under the University’s Student Conduct or Staff Conduct frameworks.

6. Personal use of IT resources 

6.1 University IT resources are provided to users for performing legitimate University activities. These IT resources can be used for limited personal provided that the use: 

1. is lawful and compliant with University policies and external legislation;
2. does not negatively impact upon the user’s performance of University activities;
3. does not hinder the use of the resource by others or interfere with the normal operations of the network; and
4. does not damage the reputation or operations of the University.

7. Monitoring usage of IT resources 

7.1 The University takes reasonable precautions to protect the security and privacy of its users’ IT accounts. This includes activity logging and monitoring of general usage patterns in accordance with the internal Standard Operating Procedure (restricted).

7.2 The University monitors individual usage of University IT resources on a continuing and ongoing basis to ensure data and system security and integrity.

7.2 Staff must not use University-provided email accounts or mailboxes to engage in unlawful discrimination, bullying, harassment (including sexual harassment), victimisation, vilification, violence (including threats of violence), and gender-based violence, or technology-facilitated abuse. Where misuse is identified, matters will be referred to People and Culture or Safer Communities and managed in line with Staff or Student Conduct procedures.

7.3 The University can also monitor and access a user’s individual records and usage where it is believed there is a reasonable basis to do so. Information obtained can include personal information, which is managed in accordance with Privacy and Right to Information – Operational Policy.

7.4 A user’s individual records can only be accessed with approval from People and Culture and the Manager, Cyber Security and in the following circumstances: 

(a) when a staff member is unexpectedly absent from work and access is required for:

(i) legitimate business purposes; or

(ii) health, safety and wellbeing concerns in accordance with Health, Safety and Wellbeing – Governing Policy;

(b) when the University reasonably suspects that an individual is not complying with University policy documents, or legislation;

(c) for use in legal proceedings or as required by law; or

(d) for IT security purposes in accordance with Information Security – Operational Policy.

7.5 When approved, access to a user’s individual records is only provided to a designated officer nominated by People and Culture.

8. Termination of employment

8.1 When a staff member’s employment ends, managers must ensure that all access to University IT resources, is removed or amended in accordance with Information Security Access Controls – Procedures.

8.2 It can be necessary for a manager to access work files or email accounts after a staff member’s departure to preserve continuity of work. In these circumstances, a departing staff member is normally be given the opportunity to remove any personal files or emails from University computers prior to their departure.

9. Monitoring and reporting

9.1 Regular monitoring and reporting on the application of this policy is reported by the Chief Information Officer on a quarterly basis to the Cyber Security Governance Committee.

9.2 The Chief Information Officer monitors and reports on University compliance with this policy in accordance with the Compliance Management Framework - Governing Policy.

10. Authorities and responsibilities

10.1 As the Approval Authority, the Vice-Chancellor and President approves this policy in accordance with the University of the Sunshine Coast Act 1998 (Qld).

10.2 As the Responsible Executive Member the Chief Operating Officer can approve procedures and guidelines to operationalise this policy. All procedures and guidelines must be compatible with the provisions of this policy.

10.3 As the Designated Officer the Chief Information Officer can approve associated documents to support the application of this policy. All associated documents must be compatible with the provisions of the policy.

10.4 This policy operates from the last amended date, all previous iterations of policies related to the acceptable use of IT resources are replaced and have no further operation from this date.

10.5 All records relating to IT resource access and use must be stored and managed in accordance with the Records Management - Procedures.

10.6 This policy must be maintained in accordance with the University Policy Documents – Procedures and reviewed on a standard 5-year policy review cycle.

10.7 Any exception to this policy to enable a more appropriate result must be approved in accordance with the University Policy Documents – Procedures prior to deviation from the policy.

10.8 Refer to Schedule C of the Delegations Manual about the approved delegations detailed within this policy.

10.9 Responsibilities summary

END