education.vic.gov.au

Policy last updated

15 June 2020

Scope

  • Schools
  • School councils
  • All Department staff

Date:
January 2020

Overview

Department Information Communications Technology (ICT) resources are provided to improve and enhance learning and teaching and for the conduct of the business and functions of the Department. Using information technology, accessing information and communicating electronically can be cost-effective, timely and efficient.

All users of Department ICT resources are expected to exercise responsibility, use the resources ethically, respect the rights and privacy of others and operate within the laws of the State and Commonwealth, including anti-discrimination and sexual harassment laws, and the rules and policies of the Department, including occupational health and safety obligations to employees and students.

Department ICT resources should not be used for inappropriate or improper activities. This includes pornography, fraud, defamation, breach of copyright, unlawful discrimination or vilification, harassment, including sexual harassment, stalking, bullying, privacy violations and illegal activity, including illegal peer-to-peer file sharing. The audience of an electronic message may be unexpected and widespread and users should be mindful of this when using ICT resources.

The Department’s Acceptable Use of ICT Resources Policy (this policy) applies to all users of Department ICT resources.

This policy is not intended to apply to students. Schools have their own acceptable use policies for students.

Relevant legislation

Contact information


Policy and Guidelines

Acceptable Use Policy for ICT Resources

This Policy (last updated 11 July 2018) contains the following chapters:

  • Introduction
  • Scope
  • Definitions
  • Non-compliance
  • Breaches of this Policy
  • Use of Department ICT resources:
    • Business purposes
    • Personal use
    • Defamation
    • Copyright infringement
    • Illegal use and material
    • Offensive or inappropriate material
    • Malware
    • Social engineering
    • Attribution
    • Mass distribution and spam
  • Confidentiality and privacy
  • Department property
  • Email disclaimer
  • Access and monitoring
  • Records management
  • Complaints
    • Speak Up Service
  • Further assistance

Introduction

This guide outlines the policy regarding the acceptable use of the information and communications technology (ICT) resources of the Department of Education and Training (the Department).

The Department is responsible for ensuring the use of Department ICT resources is legal, ethical and consistent with the aims, values and objectives of the Department and its responsibilities to employees, students and other ICT users.

All users of Department ICT resources are expected to exercise responsibility, use the resources ethically, respect the rights and privacy of others and operate within the laws of the State and Commonwealth, including anti-discrimination and sexual harassment laws, and the rules and policies of the Department, including occupational health and safety obligations to employees and students.

Department ICT resources should not be used for inappropriate or improper activities. This includes pornography, fraud, defamation, breach of copyright, unlawful discrimination or vilification, harassment, including sexual harassment, stalking, bullying, privacy violations and illegal activity, including illegal peer-to-peer file sharing. The audience of an electronic message may be unexpected and widespread and users should be mindful of this when using Department ICT resources.

Department ICT resources are provided to improve and enhance learning and teaching and for the conduct of the business and functions of the Department. Using information technology, accessing information and communicating electronically can be cost-effective, timely and efficient. Users are expected to use and manage these resources in an appropriate manner and in accordance with this policy. As part of ensuring users are aware of this policy, the following will occur:

  • users will be provided access to this policy
  • users will be reminded of the need for compliance with the policy
  • users will be provided notification of updates or developments to the policy

Scope

This policy applies to all users of Department ICT resources, as defined below, located at corporate offices and schools, and in private homes or at any other location. This policy applies to all use of Department ICT resources, including, but not limited to:

  • copying, saving or distributing files
  • data
  • downloading or accessing files from the internet or other electronic sources
  • electronic bulletins or notice boards
  • electronic discussion or news groups
  • email
  • file sharing
  • file storage
  • file transfer
  • information
  • instant messaging
  • online discussion groups and ‘chat’ facilities
  • printing material
  • publishing and browsing on the internet
  • social networking
  • streaming media
  • subscriptions to list servers, mailing lists or other like services
  • video conferencing
  • viewing material electronically
  • weblogs (‘blogs’)

Definitions

Authorised person
Authorised person, for the purpose of this policy, includes:

  • the Secretary, a Deputy Secretary, an Assistant Deputy Secretary, a Regional Director, a regional Executive Director, a School Principal, the Executive Director People Division, the Chief Information Officer (CIO) or equivalent roles (or delegate)
  • the manager of the Employee Conduct Branch or the equivalent branch, or an officer of the Employee Conduct Branch authorised by the manager
  • any other person authorised by the Secretary to the Department of Education and Training

Department email systems
Department email systems is eduMail and any other school or Department email system used for the purpose of school related or other Department electronic communications. Department email systems are part of Department ICT resources.

Department ICT resources
Department ICT resources includes but is not limited to all networks, systems, software and hardware including local area networks, wide area networks, wireless networks, intranets, Department email systems, computer systems, software, servers, desktop computers, printers, scanners, personal computers (desktops, notebooks and tablets), mobile phones, portable storage devices including digital cameras and USB memory sticks, handheld devices and other ICT storage devices.

Electronic communications
Electronic communications includes email, instant messaging, virtual conferencing, social media and any other material sent electronically.

Malware
Malware is malicious software programs designed to cause damage and other unwanted actions on a computer system. Common examples include computer viruses, worms, spyware and trojans.

Peer-to-peer file sharing
This is the sharing of files between systems on a peer-to-peer (P2P) network. Files can be shared between computer systems on the network without the requirement of a central server. An example of illegal P2P file sharing is the sharing of copyrighted files without the authorisation of the copyright owner, such as copyrighted film, book and music files.

Personal use
Personal use is all non-work related use of Department ICT resources including internet usage, social networking and private emails.

Phishing
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

Ransomware
Ransomware is a type of malicious software that threatens to publish the victim's data or block access to it unless a ransom is paid.

Spam
Spam is unsolicited commercial electronic messages sent over the internet.

User(s)
User(s) is any person using Department ICT resources.

Vishing
Vishing is a form of phishing that uses the phone system or voice over internet protocol (VoIP) technologies. The user may receive an email, a phone message, or even a text encouraging them to call a phone number due to some discrepancy. If they call, an automated recording prompts them to provide detailed information to verify their account such as credit card number, expiration date or birthdate.

Whaling
Whaling is a type of phishing that targets high-profile users such as corporate executives, politicians and celebrities. Whaling emails and websites are highly customised and personalised, often incorporating the target's name, job title or other relevant information gleaned from a variety of sources.


Non-compliance

Non-compliance with this policy will be regarded as a serious matter and appropriate action will be taken, which may include termination of employment.

Depending on the nature of the inappropriate use of Department ICT resources, non-compliance with this policy may constitute:

  • a breach of employment obligations
  • a criminal offence
  • a threat to the security of Department ICT resources and information
  • an infringement of the privacy of staff and other persons
  • exposure to legal liability
  • serious misconduct
  • sexual harassment
  • unlawful discrimination

Where there is a reasonable belief that illegal activity may have occurred, this may be reported to the police.


Breaches of this Policy

Breaches of this policy may fall into one of the following categories, described in detail below, all of which bring, or have the potential to bring, the employee or the Department into disrepute.

  • Category 1: illegal — criminal use of material
  • Category 2: extreme — non-criminal use of material
  • Category 3: critical — offensive material
  • Category 4: serious

Category 1: illegal — criminal use of material

This category includes but is not limited to:

  • child abuse material offences relating to child pornography covered by the Crimes Act 1958 (Vic). ‘Child abuse material’ is defined in section 51A of the Crimes Act 1958 (Vic)
  • objectionable material — offences relating to the exhibition, sale and other illegal acts relating to ‘objectionable films’ and ‘objectionable publications’ covered by the Classification (Publications, Films and Computer Games) (Enforcement) Act 1995 (Vic). Such material has or would attract a classification of X18+ (restricted) or RC (refused classification) under the Guidelines for Classification of Films 2012, Guidelines for the Classification of Computer Games 2012 or National Classification Code scheduled to the Classification (Publications, Films and Computer Games) Act 1995 (Cth)
  • reckless or deliberate copyright infringement
  • any other material or activity that involves or is in furtherance of a breach of criminal law

Category 2: extreme — non-criminal use of material

This category includes non-criminal use of material that has or may attract a classification of RC or X18+ under the Guidelines for Classification of Films 2012, Guidelines for the Classification of Computer Games 2012 or National Classification Code scheduled to the Classification (Publications, Films and Computer Games) Act 1995 (Cth). This includes any material that:

  • depicts, expresses or otherwise deals with matters of sex, drug misuse or addiction, crime, cruelty, violence or revolting or abhorrent phenomena in such a way that they offend against the standards of morality, decency and propriety generally accepted by reasonable adults to the extent that the material should not be classified
  • describes or depicts in a way that is likely to cause offence to a reasonable adult or a person who is, or appears to be, a child under 18 (whether or not the person is engaged in sexual activity)
  • promotes, incites or instructs in matters of crime or violence
  • includes sexually explicit material that contains real depictions of actual sexual intercourse and other sexual activity between consenting adults

Category 3: critical — offensive material

This category includes other types of restricted or offensive material, covering any material that:

  • has or may attract a classification of R18+ under the Guidelines for Classification of Films 2012, Guidelines for the Classification of Computer Games 2012 or National Classification Code scheduled to the Classification (Publications, Films and Computer Games) Act 1995 (Cth). Material may contain sex scenes and drug use that are high in impact
  • includes sexualised nudity
  • involves racial or religious vilification
  • is unlawfully discriminatory
  • is defamatory
  • involves sexual harassment or bullying

Category 4: serious

This category includes any use which is offensive or otherwise improper.

The categories do not cover all possible breaches of this policy. Matters not covered by the above categories will be dealt with on an individual basis and on the relevant facts.


Use of Department ICT resources

Business purposes

Department ICT resources are provided to users for business purposes. Other than limited personal use, Department ICT resources must be:

  • used for business purposes, or where authorised or required by law, or with the express permission of an authorised person
  • used like other business resources and users must comply with any codes of conduct, ministerial orders or legislative requirements that apply to the user, for example, the Code of Conduct for the Victorian Public Sector, the Education and Training Reform Act 2006 (Vic) and the Public Administration Act 2004 (Vic)

Users are allowed reasonable access to electronic communications using Department ICT resources to facilitate communication between employees and their representatives, provided that use is not unlawful, offensive or otherwise improper. This may include a union on matters pertaining to the employer or employee relationship.

Large data downloads or transmissions should be minimised to ensure the performance of Department ICT resources for other users is not adversely affected.

Personal use

Users may use Department ICT resources for personal reasons provided the use is not excessive and does not breach this policy. Excessive personal use during working hours covers personal use which satisfies the following criteria:

  • it occurs during normal working hours (but excluding an employee’s lunch or other official breaks)
  • it adversely affects, or could reasonably be expected to adversely affect, the performance of the employee’s duties, and
  • the use is not insignificant

The Department may seek reimbursement or compensation from a user for all or part of any costs where the user has caused the Department to incur costs due to excessive downloading of non-work related material in breach of this policy.

Subject to limited personal use, social networking, on-line conferences, discussion groups or other similar services or tools using Department ICT resources must be relevant and used only for Department purposes or professional development activities. Users must conduct themselves professionally and appropriately when using such tools.

Unless otherwise approved, for ICT security reasons Department email addresses should not be used to subscribe to private subscriptions and other like services (for example, online ticket services, bill payments) and should never be used as 'recovery email' addresses for any other services. Subscribing to mailing lists and other like services using Department ICT resources must be for Department purposes or professional development reasons only and a different password must be used for all such purposes.

Users should be aware that the provisions applying to access and monitoring of Department ICT resources also apply to personal use.

Defamation

Department ICT resources must not be used to send material that defames an individual, organisation, association, company or business.

The consequences of a defamatory comment may be severe and give rise to personal or Department liability. Electronic communications may be easily copied, forwarded, saved, intercepted or archived. The audience of an electronic message may be unexpected and widespread.

Copyright infringement

The copyright material of third parties must not be used without authorisation. This includes software, database files, documentation, cartoons, articles, graphic files, music files, video files, books, text and downloaded information.

The ability to forward, distribute and share electronic messages, attachments and files greatly increases the risk of copyright infringement. Copying material to electronic storage, or printing, distributing or sharing copyright material by electronic means may give rise to personal or Department liability, despite the belief that the use of such material was permitted.

Users of Department ICT resources should be familiar with any relevant intellectual property and copyright guidelines issued by the Department.

For the avoidance of doubt, 'copyright' does not include moral rights under the Copyright Act 1968 (Cth).

Illegal use and material

Department ICT resources must not be used in any manner contrary to law or likely to contravene the law. Any suspected offender may be referred to the police or other relevant authority and their employment may be terminated.

Certain inappropriate, unauthorised and non-work related use of Department ICT resources may constitute a criminal offence under the Crimes Act 1958 (Vic). Examples include computer ‘hacking’, unauthorised release of data, Department material or leaking of information or documents and the distribution of malware. Illegal or unlawful use includes but is not limited to:

  • use of certain types of pornography under the Crimes Act 1958 (Vic), such as child pornography
  • offences under the Classification (Publications, Films and Computer Games) (Enforcement) Act 1995 (Vic)
  • defamatory material
  • material that could constitute racial or religious vilification, or unlawfully discriminatory material
  • stalking
  • blackmail and threats under the Crimes Act 1958 (Vic)
  • use that breaches copyright laws, fraudulent activity, computer crimes and other computer offences under the Cybercrime Act 2001 (Cth) or Crimes Act 1958 (Vic)
  • breaches under any other relevant legislation

In particular, child abuse material represents the antithesis of Department responsibilities with regard to the safety and education of children. Any suspected offender will be referred to the police and their employment will be terminated if the allegations are substantiated.

Offensive or inappropriate material

Use of Department ICT resources must be appropriate to a workplace environment and aligned to Department values. This includes, but is not limited to, the content of all electronic communications, whether sent internally or externally.

Department ICT resources must not be used for material that is pornographic, harassing, hateful, racist, sexist, abusive, obscene, discriminatory, offensive or threatening. This includes sexually-oriented messages or images and messages that could constitute sexual harassment.

All users of Department ICT resources should be familiar with Department policies including anti-discrimination, human rights, equal opportunity and bullying and harassment.

Users of Department ICT resources who receive unsolicited, offensive or inappropriate material electronically should delete it immediately and may choose to notify their principal or immediate manager of such instances. Where the sender of this material is known to the user, the user should notify the sender to refrain from sending such material again.

Offensive or inappropriate material must not be forwarded internally or externally, or saved onto Department ICT resources, except where the material is required for the purposes of investigating a breach of Department policies.

Malware

Electronic and web communications are potential delivery systems for computer malware. An anti-virus and threat protection program should scan all data, programs and files downloaded electronically or attached to messages before being launched, opened, accessed or sent.

Malware has the potential to seriously damage Department ICT resources and lead to a breach of privacy legislation. Users should not open any attachments or click on any links embedded in an email unless they have confidence in the identity of the sender.

Social engineering

Social engineering is (in the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

Phishing, vishing and whaling and other forms of social engineering are used to obtain information from users that could result in unauthorised access to Department ICT resources, or to fraudulently obtain money from the Department.

Attribution

There is always a risk that an employee may be in breach of this policy due to false attribution. It is possible that communications may be modified to reflect a false message, sender or recipient. In these instances, an individual may be unaware that he or she is communicating with an impostor or receiving fraudulent information.

If a user has a concern with the contents of a message received or the identity of the publisher of the electronic information, action should be taken to verify their identity by other means. Users should inform their immediate manager or principal if they believe an electronic communication has been intercepted or modified.

Users are accountable for all use of Department ICT resources that have been made available to them for work purposes and for all use of Department ICT resources performed with their user identification. Users must maintain full supervision and physical control of Department ICT resources at all times including mobile phones, tablets and notebook computers.

User identification and passwords must be kept secure and confidential. Users must not allow or facilitate unauthorised access to Department ICT resources through the disclosure or sharing of passwords or other information designed for security purposes.

Active sessions are to be terminated when access is no longer required and computers secured by password when not in use.

Mass distribution and spam

The use of Department ICT resources for sending ‘junk mail’, for-profit messages or chain letters is strictly prohibited.

The use of electronic communications for sending unsolicited commercial electronic messages (‘spam’) is strictly prohibited and may constitute a breach of the Spam Act 2003 (Cth).

Mass electronic communications should only be sent in accordance with normal Department procedures.


Confidentiality and privacy

Electronic communication is not a secure means of communication. While every attempt is made to ensure the security of Department ICT resources, this security is not guaranteed, particularly when communicated to an external party. The sender should consider the confidentiality of the material they intend to send when choosing the appropriate means of communication.

To ensure their confidentiality is maintained, employees are advised to use personal, rather than Department email accounts when disclosing improper conduct, either as part of an audit or as contemplated by the Public Interest Disclosures Act 2012 (Vic).

The Department will handle any personal information collected through the use of Department ICT resources in accordance with the Privacy and Data Protection Act 2014 (Vic).

The Department will not disclose the content of electronic communications created, sent or received using Department ICT resources to third parties outside of the Department unless that disclosure is required for the purposes of:

  • a Department investigation
  • a police investigation
  • other legal, investigative, audit or compliance reasons

In other circumstances, disclosure should not contravene the Privacy and Data Protection Act 2014 (Vic).


Department property

Electronic communications created, sent or received using Department email systems are the property of the Department and may be accessed by an authorised person or their delegate in the case of an investigation. This includes investigations following a complaint or investigations into misconduct.

Electronic communications may also be subject to discovery in litigation and criminal investigations. All information produced on users’ computers, including emails, may be accessible under the Freedom of Information Act 1982 (Vic) or Freedom of Information Act 1982 (Cth).

Email messages may be retrieved from back-up systems.


Email disclaimer

All emails sent externally from the eduMail service will automatically have a disclaimer attached to them.

The use of the email disclaimer may not necessarily prevent the Department or the sender of the email from being held liable for its contents.

School email systems must also append the same disclaimer to messages sent externally from the school’s email service.


Access and monitoring

Authorised persons may access or monitor Department ICT resources at any time without notice to the user. This includes, but is not limited to, use of Department email systems, and other electronic documents and records and applies to the use of Department ICT resources for personal use. However, authorised persons must have a valid reason for accessing or monitoring the use of Department ICT resources and are required to maintain a log recording relevant details of the access and monitoring activity.

Authorised persons are required to inform the Chief Information Officer (CIO), Information Management and Technology Division (IMTD) before accessing or monitoring Department ICT resources.

Authorised persons may access or monitor the records of Department ICT resources for operational, maintenance, compliance, auditing, legal, security or investigative purposes. Electronic communications that have been sent, received or forwarded using Department ICT resources, may be accessed and logs of websites visited using Department ICT resources may be generated, examined and monitored.

Authorised persons may require assistance of a systems administrator to gain access to records held within Department ICT resources, such as electronic documents, communications or website logs of users. In such cases, the systems administrator will not be in breach of this policy by reason of following the instructions of an authorised person.

If a systems administrator becomes aware of any inappropriate use of Department ICT resources, they must report their concerns to an authorised person.

If there is a reasonable belief that Department ICT resources are being used in breach of this policy, the principal or immediate manager of the person who is suspected of inappropriate use may secure the equipment while the suspected breach is being investigated.

The principal or immediate manager may also request the CIO to suspend a person’s use of Department ICT resources.

Nothing in this policy prevents IMTD or Department agents from monitoring Department ICT resources in the normal course of their duties.


Records management

Electronic communications are public records and subject to the provisions of the Public Records Act 1973 (Vic).

Department record management practices must comply with Department policies and guidelines on records management and management of electronic communications, as amended from time to time. Department records may either:

  • have no retention requirement and be destroyed as soon as they are no longer required for administrative purposes
  • be retained as a temporary record by the Department and then destroyed when the retention period designated by the Public Record Office Victoria (PROV) is complete
  • be retained as a permanent record by the Department then, when no longer required for administrative use, transferred to PROV

Complaints

If an employee has a complaint or report of inappropriate use of Department ICT resources, they should lodge it with the immediate manager or principal of the person who the complaint is about. If the complaint is about the employee’s immediate manager or principal, they should raise it with the manager above.

Complaints arising from the use of Department ICT resources or complaints arising from the application of this policy, may be investigated in accordance with Department guidelines for managing complaints, misconduct and unsatisfactory performance for the teaching service or the public service, as appropriate.

Speak Up Service

Employees, contractors, and consultants are encouraged to report inappropriate conduct. If an employee has any known or suspected concerns about the appropriateness of someone’s ICT use by way of an unlawful act or omission, unethical behaviour, or breach of the policy and is unable to raise it with an appropriate manager, disclosures can be made through a third-party service provider. Disclosures will be treated confidentially.


Further assistance

Further information, advice or assistance on any matters related to acceptable use of Department ICT resources is available by:


Resources

Users of information communications technology (ICT) resources should ensure they are familiar with the following publications:

For information about managing access to internet content on the Department’s corporate network, refer to:


Reviewed 06 March 2020