Provision and Acceptable Use of IT Policy (MPF1314)


1. Objectives

The objectives of this policy are to:

(a) outline the principles that apply to the management and use of computing and network facilities across the University;

(b) support efficient University processes and enhance staff and student experience with IT tools;

(c) define the expectations of users of University computing & network facilities and restrictions on use; and

(d) provide authority for the University to investigate and act on allegations of misuse.

2. Scope

2.1. This policy applies to the provision of, and all users of, University information technology services, equipment and connectivity, including:

(a) students;

(b) staff;

(c) honoraries and affiliates;

(d) contractors and consultants; and

(e) visitors.

2.2. This policy applies to all uses of University networks or connectivity services including using a user-owned device (Bring Your Own Device - BYOD) to connect to University systems.

3. Authority

4. Policy

Provision of University information technology

4.1. University computing and network facilities support and enable research, learning and teaching, and engagement, through provision of cost-effective world class infrastructure and customer services.

4.2. Computing and network facilities and related services are responsive to the needs of students and staff.

4.3. Environmental impact is a key consideration in selecting and deploying computing solutions for the University.

4.4. University computing and network facilities complement and inter-operate with other information technology in the lives of students and staff.

Use of University information technology

4.5. All users of University information technology services, equipment and connectivity are required to use these facilities and services in an appropriate and responsible manner.

4.6. Users may be exempt from aspects of this policy where it is required for their role, studies or research. Prior written permission from the head of the relevant division and the Executive Director, Business Services and Chief Technology Officer must be obtained.

4.7. Users who are alleged to have misused University information technology services, equipment and connectivity are subject to investigation and, if misuse is established, will have penalties applied, as detailed in this policy.

Compliance with law and policy

4.8. All users must use and manage University computing and network facilities in accordance with relevant law and other University policies, including the Information Security Policy, Privacy Policy, Records Management Policy, Student Conduct Policy and Appropriate Workplace Behaviour Policy.

4.9. To the extent allowed by law, the University is not liable for loss, damage, or consequential loss or damage, arising directly or indirectly from:

(a) use or misuse of any facilities;

(b) loss of data or interference with data stored on any facilities;

(c) interference with or damage to equipment used in conjunction with any facilities; or

(d) any acts taken or decisions made not in accordance with this or any other policy.

4.10. All actions and usage of the University IT facilities may be logged, monitored, recorded and analysed by authorised staff to facilitate the investigation of an activity that may be contrary to University policy, or to substantiate an allegation of misuse. Information collected as part of any preliminary enquiries or investigation will be managed in accordance with relevant law and other University policies, including the Information Security Policy, Privacy Policy, Records Management Policy, and Appropriate Workplace Behaviour Policy.

4.11. The Executive Director, Business Services and Chief Technology Officer monitors compliance with this policy and supporting processes.

4.12. An authorised deviation from this policy may be granted if, following risk assessment, the impact of non-compliance is outweighed by the benefit of non-compliance. Users must ensure they do not deviate from this policy, unless the deviation has been approved by the Executive Director, Business Services and Chief Technology Officer.

4.13. The Chief Technology Officer ensures that:

(a) a register of policy deviations is maintained;

(b) remediation is tracked, and effectiveness reviewed;

(c) assessment is performed to check if nonconformities similar to the registered deviation may exist or may potentially occur; and

(d) changes are recommended based on identified nonconformities.

4.14. For all deviations from this policy, asset owners should ensure that:

(a) a risk assessment is performed to understand the impact of nonconformity;

(b) a remediation plan is documented, and is time bound;

(c) the deviation, and the actions to be taken to control and correct it, are formally approved by all relevant asset owners, service owners and the Chief Technology Officer; and

(d) advice is provided to the Director of Cybersecurity to maintain the deviations register.

4.15. Any record created as a result of this policy must be managed in accordance with the Privacy Policy and Records Management Policy

5. Procedural principles

University provision of services

5.1. Business Services, in collaboration with stakeholder representatives including representatives of each division, develops and maintains appropriate IT Processes and Guidelines.

5.2. Business Services supports IT environments which are consistent with agreed standards.

5.3. Support for non-standard environments may be subject to additional charges.

5.4. The University does not necessarily provide user support or funding for software licensing for a proposed non-standard use of facilities.

5.5. Divisions should not make purchases or commitments which have the effect of hindering or preventing transition to common IT products and services.

Provider powers and responsibilities

5.6. Providers are expected to offer their services in a professional manner with appropriate efficiency, reliability and security, considering the needs of their own users and wider user communities within and beyond the University. Staff of providers must be properly qualified and appropriately trained.

5.7. Providers must impose appropriate security controls on access to facilities under their control.

5.8. Providers must take reasonable steps to ensure that their officers, employees and agents use facilities only for authorised purposes and do not use facilities in a way that constitutes misuse.

5.9. Providers and their officers, employees and agents must not access information stored on or passing through facilities unless that information is required for the proper performance of their duties.

5.10. Providers must maintain and retain for at least six months a record of users who have used facilities under their control and may use those records for purposes such as monitoring and managing the performance of facilities, cost recovery and load management.

5.11. The Executive Director, Business Services and Chief Technology Officer may request that providers furnish records for the purposes of investigating alleged misuse of facilities, and providers must comply with any such requests.

5.12. Providers may, without prior notice, suspend or withdraw any service or the access of any user to facilities, for:

(a) maintenance and upgrading of facilities;

(b) preventing misuse of facilities;

(c) preserving files or data; or

(d) other purposes that the provider considers necessary to maintain or improve the operation, integrity or security of any facilities.

5.13. Providers may impose and collect proper charges for the use of facilities under their control or the provision of related services.

5.14. Providers must obtain approval from the Executive Director, Business Services and Chief Technology Officer for any computer or network naming or numbering system, or management practice, which has an impact beyond the facilities under the control of the provider.

Privileges and responsibilities of users

5.15. No user may engage in any act or practice, or omit to do any act or practice, which constitutes a misuse of any of the facilities.

5.16. Any user who becomes aware that facilities are being used by any person to infringe the intellectual property rights of another person, or that the effect of any use of any facilities is to infringe such rights, must notify the University copyright officer immediately.

5.17. Any user who becomes aware that facilities are being used by any person to infringe the privacy rights of another person, or that the effect of any use of any facilities is to infringe such rights, must notify the University's Privacy and Data Protection Officer (PDPO) immediately.

5.18. All users must report any lost or stolen University owned or managed computing devices immediately to their Line Manager or the IT Service Centre.

5.19. Users are to logout or lock systems connected to the university network when not in use, including when unattended.

5.20. Users must exchange information only through University-supported channels and in line with the Information Security Policy and Privacy Policy.

Misuse

5.21. Use for any purpose other than an authorised purpose is considered to be misuse, for example:

(a) use that causes or contributes to a breach of any provision of a law, statute, regulation, subordinate instrument, code of practice or conduct applying to the University or to which users are subject;

(b) use that contravenes a University statute, regulation, rule or terms and conditions, policy or process;

(c) creating, transmitting, storing, downloading or possessing illegal material;

(d) the deliberate or reckless creation, transmission, storage, downloading, or display of any objectionable, defamatory, offensive or menacing images, data or other material which may incur legal liability to the University, or any data capable of being resolved into such images or material. An exception can be made in the case of the appropriate use of facilities for properly supervised University work or study purposes, for which a prior written approval must be obtained in accordance with exception clause 4.6;

(e) use which constitutes an infringement of any intellectual property rights of another entity;

(f) communications which would be actionable under the law of defamation;

(g) communications which misrepresent a personal view as the view of the University, including unauthorised use of the University crest; and

(h) deliberate or reckless undertaking of activities resulting in:

i. the imposition of an unreasonable burden or abuse of a University facility, for example:

• using applications or programs that abuse system resources, such as cryptocurrency miners and similar applications,

• using excessive capacity on shared infrastructure,

• unauthorised file-sharing; 

ii. corruption of or disruption to data on a University facility, or to the data of another person;

iii. disruption to other users; and/or

iv. use, distribution or introduction of hacking tools or malicious software (eg viruses, worms, trojan horses etc.) on university IT environments. Such tools will be considered malicious even if they are used within an approved course of study, unless they are used within isolated testing networks.

Specifically prohibited activities

5.22. Users must not:

(a) circumvent user authentication or access control measures, security or restrictions on the use of any facilities or account, including the use of tools that compromises security;

(b) engage in gambling on‐line, other than participation in approved football‐tipping and like competitions, where the primary purpose is social rather than financial;

(c) engage in unauthorised reserving of, or exclusion of others from using any facilities;

(d) use any facilities for the purposes of any private business whether for profit or not, or for any business purpose other than University business, without prior approval from the division head; 

(e) make any use of the IT facilities that contravenes the University’s IT and Wireless terms of use, as approved and amended from time to time by the Executive Director, Business Services and Chief Technology Officer; or

(f) access information stored on or passing through facilities unless that information is required for the proper performance of their duties.

Removal of material

5.23. A provider may at any time, without prior notice, remove or disable access to any material stored on or accessible via any facilities where it considers this may constitute, or be in furtherance of, the misuse or possible misuse of any facilities.

5.24. Without limiting, a provider may at any time, without prior notice, remove or disable access to any material stored on or accessible via any facilities which it considers infringes or may infringe the privacy rights of any entity.

5.25. Where a person is aggrieved by a decision to remove or disable access to material under this section:

(a) they may make a written submission to the Executive Director, Business Services and Chief Technology Officer in response to the decision;

(b) the Executive Director, Business Services and Chief Technology Officer, or delegate must consider any such submission, investigate the matter, and decide as soon as practicable whether to uphold, revoke or alter the decision, and then advise the aggrieved person of the outcome; and

(c) in making a decision, the Executive Director, Business Services and Chief Technology Officer, or delegate, must have regard to the purpose of this policy and the interests of the University.

5.26. Any action taken under clauses 5.24–5.26 must take into account any relevant requirements of the Privacy Policy or Records Management Policy.

Investigation

5.27. In this section, ‘investigator’ means an authorised representative of a provider or the Executive Director, Business Services and Chief Technology Officer, or delegate.

5.28. If an investigator considers that an allegation of misuse which is brought to their attention would, if substantiated, constitute a significant and unacceptable abuse of any facilities, then they must do one of the following:

(a) investigate the allegation under this section; or

(b) if the investigator is a person other than the Executive Director, Business Services and Chief Technology Officer, refer the allegation to the Executive Director, Business Services and Chief Technology Officer for investigation under this section; or

(c) if the user is a student, refer the allegation to be dealt with as an allegation of general misconduct under the Student Conduct Policy; or

(d) if the user is a member of staff, recommend that the allegation be dealt with under the Appropriate Workplace Behaviour Policy or other relevant procedures or policies; or

(e) recommend that the allegation be dealt with under the provisions of any applicable contract.

5.29. An investigator may, at their discretion, investigate or refer any other allegation of misuse which is brought to their attention. 

Outcomes of investigation - reporting

5.30. If, as a result of an investigation under section 5.29, an investigator is satisfied on the balance of probabilities that misuse of any facilities has taken place, they must:

(a) prepare a written report setting out particulars of the misuse and of the investigation undertaken, and any action taken by the investigator;

(b) if the investigator is a person other than the Executive Director, Business Services and Chief Technology Officer, provide a copy of that report to the Executive Director, Business Services and Chief Technology Officer;

(c) if the investigation concerned alleged misuse of a facility, and the investigator does not have the role with responsibility for that facility, provide a copy of the report to that relevant role;

(d) if the allegation of misuse was made against a member of staff or an honorary, provide a copy of that report to the Vice-President (Administration & Finance) and Chief Operating Officer and the Executive Director, Human Resources and OH&S; and

(e) if the allegation of misuse was made against a student, provide a copy of that report to the Academic Registrar.

Outcomes of investigation - penalties

5.31. If, as a result of an investigation under section 5.30, an investigator is satisfied on the balance of probabilities that there has been misuse of any facilities by any staff user, they may, at their discretion, do one or more of the following:

(a) decide to take no further action on the alleged misuse;

(b) counsel the user on appropriate use of the facilities;

(c) if the user is a student, recommend that the allegation be dealt with as an allegation of general misconduct under the Student Conduct Policy;

(d) if the user is a member of staff, recommend that the allegation be dealt with under the Appropriate Workplace Behaviour Policy or other relevant procedures or policies;

(e) if the user is an external user, recommend that the allegation be dealt with under applicable provisions of any contract or otherwise as determined by the Vice-President (Administration & Finance) and Chief Operating Officer, or Executive Director, Business Service and Chief Technology Officer;

(f) decide to suspend or withdraw any service, or the access of any user to any facilities, except where the user is a student and access to facilities is necessary for the student to continue their studies, in which case the decision can only be made with the approval of the Academic Registrar or delegate, or pursuant to the penalty provisions in the Academic Board Regulation following investigation of the allegation;

(g) require the user to indemnify or compensate the University or a provider for the reasonable loss and damage occasioned by reason of the misuse; or

(h) if the misuse constitutes a potential breach of privacy, refer to and manage this in accordance with the University’s Responding to a Privacy Incident process.

User responses and appeals

5.32. Where a decision has been made regarding an allegation of misuse:

(a) the investigator must notify the affected user, in writing, as soon as practicable, of the decision, with reasonable particulars, and of the right of appeal; and

(b) the investigator must provide the Executive Director, Business Services and Chief Technology Officer with a copy of the notice as soon as practicable or, if the investigator is the Executive Director, Business Services and Chief Technology Officer, they must provide the notice to the role in charge of the local facility, if relevant.

5.33. If the affected user is a staff member:

(a) the affected user may, within seven days of receiving the notice, make a written submission in response to the decision to the Executive Director, Business Services and Chief Technology Officer, or, in the case of the Executive Director, Business Services and Chief Technology Officer being the investigator, make this submission to the Vice-President (Administration & Finance) and Chief Operating Officer;

(b) the Executive Director, Business Services and Chief Technology Officer or the Vice-President (Administration & Finance) and Chief Operating Officer, as appropriate, shall consider the decision and any submission made in response and decide, within seven days of receipt, whether to uphold, revoke or alter the decision, and advise the affected user of the outcome as soon as practicable; and

(c) a decision by the Executive Director, Business Services and Chief Technology Officer or Vice-President (Administration & Finance) and Chief Operating Officer, or delegate is final. Where an allegation of misuse has been made against a member of staff or an honorary, the Executive Director, Human Resources & OH&S, or delegate, will be consulted before making a decision if practicable to do so.

5.34. If the affected user is a student, the student should be referred to the Student Appeals to the Academic Board Policy and associated process, and advised of their right to present an appeal under that policy.

6. Roles and responsibilities

Role/Decision/Action

Responsibility

Conditions and limitations

Use all IT facilities appropriately, lawfully and in compliance with this and other relevant policies and rules of the University

Users

 

Provide reliable, secure access to the IT services or facilities in their control 

Ensure they and their staff do not access data or information passing through the system except as required by policy, rule or law 

Perform all required maintenance on systems, including imposing restrictions on use to facilitate maintenance 

Investigate, or cause to have investigated, allegations of system misuse 

Impose penalties or refer to other disciplinary processes if misuse is substantiated 

Report on all investigations to the Executive Director, Business Services and Chief Technology Offier

Providers

Obtain approval from the Director, Cybersecurity and Director, Applications & Technology Management for any computer or network naming or numbering system, or management practice, which has an impact beyond the facilities under the control of the provider

Consider provider requests for non-standard numbering or naming systems and give or deny permission 

Establish, publish and maintain IT standards which prescribe standard services 

Establish and publish conditions of information technology system use 

Investigate, or cause to have investigated, allegations of system misuse 

Impose penalties or refer to other disciplinary/breach processes if misuse is substantiated 

Executive Director, Business Services and Chief Technology Officer, or delegate

Where an allegation of misuse has been made against a member of staff or an honorary, the Executive Director, Human Resources and OH&S, or delegate, should be consulted before making a decision if practicable to do so

 

Determine whether the decision of the Executive Director, Business Services and Chief Technology Officer should be upheld, modified or reversed

Vice-Chancellor or delegate

Where an allegation of misuse has been made against a member of staff or an honorary, the Executive Director, Human Resources and OH&S, or delegate, should be consulted before making a decision if practicable to do so

7. Definitions

Asset owner means an individual who holds accountability for an information asset. Asset owner is the owner of specific data elements, wherever the data resides (eg employee HR data). Asset owner may delegate operational responsibility to many asset custodians.

Authorised purpose means purposes associated with work or study in the University, or provision of services to or by the University, which are approved or authorised by the relevant officer or employee of the University in accordance with University policies and procedures or pursuant to applicable contractual obligations, limited personal use, or any other purpose authorised by the relevant authority.

Bring Your Own Device (BYOD) means the practice of allowing the students and employees of an organisation to use their own computers, smartphones, or other devices for work purposes.

Computing and network facilities means computers, computer systems, data network infrastructure, dial‐in network access facilities, email and other communications and information facilities together with associated equipment, software, files and data storage and retrieval facilities, all of which are owned or operated by the University and form part of the central facilities or the local facilities.

External provider means an external entity that provides computing and network facilities to the University.

Facilities means computing and network facilities.

Hacking tools are software utilities used to probe, test or circumvent security controls for the purposes of identifying and exploiting vulnerabilities or features in softwares or systems that might allow an attacker to gain unauthorised access to systems or data.

Materials means any type of content either physical or digital (i.e. image, sound, writing, web content).

Provider means the University division which provides and manages any part of the facilities.

Unreasonable burden is an activity which a reasonable person would agree and has a disproportional impact on another user's ability to use the UoM network or degrades the performance of core services.

User means any member of staff or a student, or any other person, who is authorised to use the central facilities or a local facility, including a provider and any officer, employee or agent of a provider.

POLICY APPROVER

Vice-President (Administration & Finance) and Chief Operating Officer

POLICY STEWARD

Executive Director, Business Services and Chief Technology Officer

REVIEW

This policy is to be reviewed by 17 December 2024.

VERSION HISTORY

Version

Authorised by

Approval Date

Effective Date

Sections modified

1

Vice-Chancellor

 2 June 2016 21 July 2016 

New policy arising from the review of the Regulatory Framework review and the Policy Consolidation Project. This policy and its supporting processes replace Regulation 8.3.R2 Computing and Network Facilities Rules, Managing University IT Systems and Support Policy (MPF1121), Email Backup Procedure (MPF1122), IP Telephony Procedure (MPF1125) and Provision of IT Services Procedure (MPF1124).


2 Executive Director, Infrastructure Services 8 December 2016 8 December 2016 Editorial amendment, incorporating newly published Appropriate Workplace Behaviour Policy (MPF1328). 
3 Vice-Chancellor 7 March 2019 30 April 2019 Changed Policy Approver to Vice-President (Administration & Finance) and Chief Operating Officer (previously Vice-Chancellor).
4 Vice-President (Administration & Finance) and Chief Operating Officer 18 April 2019 30 April 2019 Editorial amendments to correct minor errors or align with the University’s policy style guide.
5 University Secretary 31 July 2019 1 August 2019 Amended Policy Steward title.
6 Vice-President (Administration & Finance) and Chief Operating Officer 17 December 2019 19 December 2019 Amendments made across various sections to improve internal consistency and clarity, as well as ensure the policy statements and procedural principles align with UoM policies including Student Code of Conduct Policy (MPF1324), Records Management Policy (MPF1106), Privacy Policy (MPF1104), Appropriate Workplace Behaviour Policy (MPF1328) and Information Security Policy (MPF1270).
7 Policy Officer 8 November 2021 8 November 2021 Amended Supporting Processes links.