Acceptable Use Policy for ICT Resources

Use of Department ICT resources

Business purposes

Department ICT resources are provided to users for business purposes. Other than limited personal use, Department ICT resources must be:

• used for business purposes, or where authorised or required by law, or with the express permission of an authorised person
• used like other business resources and users must comply with any codes of conduct, ministerial orders or legislative requirements that apply to the user, for example, the Code of Conduct for the Victorian Public Sector, the Education and Training Reform Act 2006 (Vic) and the Public Administration Act 2004 (Vic)

Users are allowed reasonable access to electronic communications using Department ICT resources to facilitate communication between employees and their representatives, provided that use is not unlawful, offensive or otherwise improper. This may include a union on matters pertaining to the employer or employee relationship.

Large data downloads or transmissions should be minimised to ensure the performance of Department ICT resources for other users is not adversely affected.

Personal use

Users may use Department ICT resources for personal reasons provided the use is not excessive and does not breach this policy. Excessive personal use during working hours covers personal use which satisfies the following criteria:

• it occurs during normal working hours (but excluding an employee’s lunch or other official breaks)
• it adversely affects, or could reasonably be expected to adversely affect, the performance of the employee’s duties, and
• the use is not insignificant

The Department may seek reimbursement or compensation from a user for all or part of any costs where the user has caused the Department to incur costs due to excessive downloading of non-work related material in breach of this policy.

Subject to limited personal use, social networking, on-line conferences, discussion groups or other similar services or tools using Department ICT resources must be relevant and used only for Department purposes or professional development activities. Users must conduct themselves professionally and appropriately when using such tools.

Unless otherwise approved, for ICT security reasons Department email addresses should not be used to subscribe to private subscriptions and other like services (for example, online ticket services, bill payments) and should never be used as 'recovery email' addresses for any other services. Subscribing to mailing lists and other like services using Department ICT resources must be for Department purposes or professional development reasons only and a different password must be used for all such purposes.

Users should be aware that the provisions applying to access and monitoring of Department ICT resources also apply to personal use.

Defamation

Department ICT resources must not be used to send material that defames an individual, organisation, association, company or business.

The consequences of a defamatory comment may be severe and give rise to personal or Department liability. Electronic communications may be easily copied, forwarded, saved, intercepted or archived. The audience of an electronic message may be unexpected and widespread.

Copyright infringement

The copyright material of third parties must not be used without authorisation. This includes software, database files, documentation, cartoons, articles, graphic files, music files, video files, books, text and downloaded information.

The ability to forward, distribute and share electronic messages, attachments and files greatly increases the risk of copyright infringement. Copying material to electronic storage, or printing, distributing or sharing copyright material by electronic means may give rise to personal or Department liability, despite the belief that the use of such material was permitted.

Users of Department ICT resources should be familiar with any relevant intellectual property and copyright guidelines issued by the Department.

For the avoidance of doubt, 'copyright' does not include moral rights under the Copyright Act 1968 (Cth).

Illegal use and material

Department ICT resources must not be used in any manner contrary to law or likely to contravene the law. Any suspected offender may be referred to the police or other relevant authority and their employment may be terminated.

Certain inappropriate, unauthorised and non work-related use of Department ICT resources may constitute a criminal offence under the Crimes Act 1958 (Vic). Examples include computer ‘hacking’, unauthorised release of data, Department material or leaking of information or documents and the distribution of malware. Illegal or unlawful use includes but is not limited to:

• use of certain types of pornography under the Crimes Act 1958 (Vic), such as child pornography
• offences under the Classification (Publications, Films and Computer Games) (Enforcement) Act 1995 (Vic)
• defamatory material
• material that could constitute racial or religious vilification, or unlawfully discriminatory material
• stalking
• blackmail and threats under the Crimes Act 1958 (Vic)
• use that breaches copyright laws, fraudulent activity, computer crimes and other computer offences under the Cybercrime Act 2001 (Cth) or Crimes Act 1958 (Vic)
• breaches under any other relevant legislation

In particular, child abuse materials represents the antithesis of Department responsibilities with regard to the safety and education of children. Any suspected offender will be referred to the police and their employment will be terminated if the allegations are substantiated.

Offensive or inappropriate material

Use of Department ICT resources must be appropriate to a workplace environment and aligned to Department values. This includes, but is not limited to, the content of all electronic communications, whether sent internally or externally.

Department ICT resources must not be used for material that is pornographic, harassing, hateful, racist, sexist, abusive, obscene, discriminatory, offensive or threatening. This includes sexually-oriented messages or images and messages that could constitute sexual harassment.

All users of Department ICT resources should be familiar with Department policies including anti-discrimination, human rights, equal opportunity and bullying and harassment.

Users of Department ICT resources who receive unsolicited, offensive or inappropriate material electronically should delete it immediately and may choose to notify their principal or immediate manager of such instances. Where the sender of this material is known to the user, the user should notify the sender to refrain from sending such material again.

Offensive or inappropriate material must not be forwarded internally or externally, or saved onto Department ICT resources, except where the material is required for the purposes of investigating a breach of Department policies.

Malware

Electronic and web communications are potential delivery systems for computer malware. An anti-virus and threat protection program should scan all data, programs and files downloaded electronically or attached to messages before being launched, opened, accessed or sent.

Malware has the potential to seriously damage Department ICT resources and lead to a breach of privacy legislation. Users should not open any attachments or click on any links embedded in an email unless they have confidence in the identity of the sender.

Social engineering

Social engineering is (in the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

Phishing, vishing and whaling and other forms of social engineering are used to obtain information from users that could result in unauthorised access to Department ICT resources, or to fraudulently obtain money from the Department.

Attribution

There is always a risk that an employee may be in breach of this policy due to false attribution. It is possible that communications may be modified to reflect a false message, sender or recipient. In these instances, an individual may be unaware that he or she is communicating with an impostor or receiving fraudulent information.

If a user has a concern with the contents of a message received or the identity of the publisher of the electronic information, action should be taken to verify their identity by other means. Users should inform their immediate manager or principal if they believe an electronic communication has been intercepted or modified.

Users are accountable for all use of Department ICT resources that have been made available to them for work purposes and for all use of Department ICT resources performed with their user identification. Users must maintain full supervision and physical control of Department ICT resources at all times including mobile phones, tablets and notebook computers.

User identification and passwords must be kept secure and confidential. Users must not allow or facilitate unauthorised access to Department ICT resources through the disclosure or sharing of passwords or other information designed for security purposes.

Active sessions are to be terminated when access is no longer required and computers secured by password when not in use.

Mass distribution and spam

The use of Department ICT resources for sending ‘junk mail’, for-profit messages or chain letters is strictly prohibited.

The use of electronic communications for sending unsolicited commercial electronic messages (‘spam’) is strictly prohibited and may constitute a breach of the Spam Act 2003 (Cth).

Mass electronic communications should only be sent in accordance with normal Department procedures.