Acceptable Use of Information Technology Resources Policy
1. Purpose
1.1 The Acceptable Use of Information Technology Resources Policy (the policy) outlines the responsibilities for the management and acceptable use of UTS information technology (IT) resources and information assets.
1.2 This policy, along with the Information Security Policy, works to manage and protect UTS’s IT resources, information assets and information security infrastructure.
1.3 These policies form part of the Information Security Policy Framework (ISP framework) published at Beyond the firewall: UTS Cybersecurity (SharePoint).
2. Scope
2.1 This policy applies to all:
- staff, students, participants, affiliates and visitors as well as any other person (hereafter users) provided with access to UTS IT resources, connected systems, data and information assets, and
- UTS IT resources and information assets (hereafter IT resources).
2.2 The policies and practices of controlled entities must be equivalent to the standards and expectations outlined in this policy and the Information Security Policy. Controlled entities that use UTS IT resources must use this policy or develop their own policy that ensures the requirements of this policy are met.
2.3 This policy applies in all cases where UTS IT resources are used (for example, the UTS Housing Service).
3. Principles
3.1 IT resources are considered vital UTS assets, critical to the effectiveness and success of the university’s core business. UTS will apply appropriate security measures and protections to its IT resources in line with the Information Security Policy and the ISP framework (refer Beyond the firewall: UTS Cybersecurity (SharePoint)).
3.2 UTS requires users to act with integrity and respect at all times in line with the Code of Conduct, the Equity, Inclusion and Respect Policy and the Student Rights and Responsibilities Policy.
3.3 This policy does not seek to put restrictions on the types of IT resources used at UTS but, rather, aims to ensure that the use of IT resources is legal, legitimate and consistent with the requirements of this and other UTS policies.
4. Policy statements
Acquisition, management and provision
4.1 The Information and Technology Unit (ITU) under the Chief Information Officer (CIO) is responsible for the acquisition, management and oversight of IT and IT resources at UTS.
4.2 Staff and students (and other users where appropriate) are provided with the following IT resources (which remain the property of UTS):
- UTS email accounts (automatically issued on appointment or enrolment)
- access to collaborative technologies, shared mailboxes, specialised programs and software, and other resources, and
- access to necessary and appropriate information (through storage systems, databases and other IT resources).
4.3 Access to UTS IT resources is provided for the purposes of work, study and research and, where appropriate, incidental personal use, noting that:
- provision, allocation and access will reflect the users’ level, work area and access requirements, and
- IT resources may be unavailable from time to time for either planned or unforeseen circumstances.
4.4 The use of UTS IT resources for personal use (incidental or otherwise) may result in UTS holding personal information about the user (and/or others) and other personal data which may then be:
- accessed and used by UTS as part of its reporting and compliance activities (refer the Privacy Policy and the Records Management Policy), and
- vulnerable in the event of a successful cyber attack against UTS.
4.5 When acquiring, developing, operationalising and maintaining new and existing IT resources, security risks and all other risks must be identified, assessed and mitigated by ITU, to the extent possible, in line with the Information Security Policy, the Privacy Policy, the Records Management Policy, the Risk Management Policy and the Artificial Intelligence Operations Policy. No user may acquire or develop IT resources without ITU input and authorisation.
4.6 In addition, IT procurements must be risk assessed, managed and approved in line with the Procurement Policy, the Supplier Management CIO Information Security Directive (available at Beyond the firewall: UTS Cybersecurity (SharePoint)) and the UTS Delegations.
4.7 ITU will provide training to implement this policy and the ISP framework and to ensure appropriate use of centrally managed IT resources. ITU may also support or provide input into the development of local-level guidance and business processes for specific applications as appropriate.
User obligations
4.8 Users must:
- follow the requirements of the Information Security Policy and the ISP framework and other procedures, directives, guidelines and conditions of use approved by the CIO and published by ITU (refer ISP framework at Beyond the firewall: UTS Cybersecurity (SharePoint))
- undertake all mandatory training
- access, share, disclose and manage information and data with security front of mind in line with the Information Security Policy, the Records Management Policy, the Data Governance Policy, the Privacy Policy and/or the Guidelines to counter foreign interference in the Australian university sector
- notify their supervisor of any IT resources that will be taken overseas as part of university travel (refer the Staff Travel, Expenses and Credit Card Policy and the Student Travel and Expenses Policy)
- behave in line with the university’s policies on Conduct, behaviour and integrity, including when participating in online lectures, classes, meetings and examinations, and
- maintain professional and respectful communication (for example, when using email or other collaboration tools such as Microsoft Teams or Canvas) and behave in a manner conducive to a safe working and learning environment.
4.9 Users must not:
- intentionally steal or damage physical property or equipment
- share, delete, destroy or otherwise manipulate or alter original UTS digital information and records, data or software without appropriate authorisation (refer Records Management Policy for data retention obligations)
- violate licensing agreements or engage in any unauthorised use of software or hardware
- facilitate or permit the use of UTS IT resources by unauthorised individuals
- misuse, attempt to misuse or otherwise compromise the UTS network (approval for connection with non-UTS networks must be sought from the CIO in advance of any such connection occurring)
- exploit any vulnerabilities in systems, use any technology designed to locate such vulnerabilities or circumvent security systems
- attempt to create or install any form of malicious software that may affect computing or network equipment
- change operating system configurations on UTS owned and managed devices without prior approval from the Chief Information Security Officer (CISO) (through an IT Service Desk request)
- seek to gain unauthorised access or engage in hacking or take advantage of any vulnerability that leads to unauthorised access
- create, possess or distribute illegal content (for example, child pornography) or engage in any illegal activities as defined in Australian legislation (for example, the Crimes Act 1900 (NSW) and the Crimes Act 1914 (Cwlth)) or pursuant to local laws
- alter, or make adjustments to, computer equipment supplied by UTS without prior authorisation from the UTS delegate (excluding the connection of external peripherals using standard input and output ports available on the device)
- use any file sharing software that has not been approved by UTS (refer Information Classification Handling Matrix (available at Beyond the firewall: UTS Cybersecurity (SharePoint)))
- use virtual private networking (VPN) services or network anonymisers that have not been approved by ITU while connected to, or connecting to, the UTS network
- extend the UTS network by introducing an unauthorised hub, switch, router, wireless access point, or any other service or device that permits more than one device to connect to UTS’s network
- connect a UTS network to a non-UTS network or the internet unless there is an explicit business need and approval from the CISO, and/or
- use software or hardware that causes availability or performance issues for UTS IT resources.
4.10 UTS IT resources must only be used for UTS work, study and activities (hereafter UTS activity) and incidental personal use. Examples of incidental personal use (refer Definitions) include:
- contacting a family member about schedule changes because of a UTS activity or obligation
- making or changing childcare, caring or educational arrangements
- contacting health care professionals, particularly where it relates to UTS activities or absences from these activities, and
- other personal business that has a direct association with, or impact on, UTS activities (for example, UTS club or professional memberships).
4.11 Users are responsible for the maintenance, security and integrity of their individually assigned UTS credentials, access and accounts and must not:
- make their individually assigned UTS credentials available to any other person, and/or
- use another person's login, password or any other authentication without express permission.
Conditions of use
4.12 UTS is not responsible for any inaccuracies in results or output when using IT resources. This precludes obligations relating to accuracy of personal information under the Privacy Policy.
4.13 To protect the university and its users, UTS reserves the right to install and operate filtering and/or network monitoring equipment, software or procedures to prevent unauthorised or unlawful emails or other content that is contrary to legislation, that is incompatible with the objectives of the university or that presents a potential cybersecurity threat.
4.14 Access to and use of UTS IT resources may be restricted or cancelled at the discretion of the university at any time. This may occur, for example, where a user breaches this or other UTS policies, breaches their contract of employment or other obligations to UTS, or where their personal use interferes with the overall operation of UTS IT resources and/or burdens UTS with incremental costs.
4.15 UTS may:
- retain copies of emails and communication via other tools (for example, Microsoft Teams) as part of backup processes for business and recordkeeping needs and as part of any legislated requirements, and/or
- authorise access to emails or other records held in staff allocated accounts where required for the business needs of the university in line with this policy, the Delegations, the Privacy Policy and the Records Management Policy and in accordance with any other procedures, delegations or guidelines approved by the CIO.
4.16 Access to all IT resources will be terminated when a user’s association with UTS ends (refer ISP framework at Beyond the firewall: UTS Cybersecurity (SharePoint)). Any alternative agreement must be negotiated on a case-by-case basis in line with the Delegations before the user leaves UTS.
Bring your own device (BYOD) use
4.17 Users who have been provided with a UTS device are expected to use this device for work and other UTS activities.
4.18 Personal devices (or bring your own device (BYOD)) may be used to undertake UTS activities, however, the requirements of this policy, the Information Security Policy and the BYOD CIO Information Security Directive (available at Beyond the firewall: UTS Cybersecurity (SharePoint)) and guidance at Support (for students) must be followed at all times.
4.19 ITU will provide limited support and information on software issues encountered while using UTS provided applications on personal devices for UTS business purposes. It is the user’s responsibility to support their own personal devices.
UTS account and email management
4.20 Users must manage their UTS email and UTS account responsibly and follow all directions to manage account security in line with the ISP framework.
4.21 When using UTS email and UTS accounts, users must not:
- transfer UTS classified sensitive or confidential information (refer Information Security Classification Standard (available at Records and archives hub: Information security (SharePoint))) to or from personal email accounts (unless explicitly authorised to do so)
- use their personal email address or other personal accounts for official UTS purposes (unless explicitly authorised to do so), and/or
- spread and/or promote fraudulent emails, spam or other undesirable email content.
4.22 Staff emails and other written communications are records of UTS. UTS may access email records without the consent of the user in line with the Delegations and the Privacy Policy.
4.23 UTS may block access to UTS email, accounts or records at its discretion without the consent of the user in line with the Delegations.
4.24 All staff, large group and targeted emails should be used minimally, appropriately and for official university purposes. Guidance on appropriate communications is available from the Marketing and Communications Unit (refer Marketing and communication (Staff Connect)).
Privacy and information management
4.25 To protect IT resources, data, information and to comply with privacy requirements, users must not:
- engage in data breaches, privacy breaches, hacking and/or unauthorised access
- impersonate or falsify information about other people, and/or collect, use or disclose personal information in ways that breach the Privacy Policy
- store UTS classified sensitive or confidential information on a device that has not been approved for such storage (refer Records Management Policy)
- without appropriate authorisation, store or process data in unapproved locations (refer Data Governance Policy for appropriate data management across the data lifecycle)
- breach intellectual property or copyright requirements by downloading, transmitting or storing unauthorised copyright material (refer Intellectual Property Policy)
- access, store or transmit any illegal content (except where approved or requested under legislation (as part of a subpoena or investigation) or when undertaking approved research activities under the Research Policy)
- gain, or attempt to gain, unauthorised access to any non-UTS IT resource or external service, or
- disrupt, corrupt, disclose, damage or destroy data (refer Records Management Policy for normal retention and destruction requirements), software or hardware, either belonging to UTS or to anyone else, whether inside or outside a UTS network.
4.26 Disclosure of any information to an external party (including personal or health information or requests for subpoenas) is only permitted in line with the Records Management Policy, the Privacy Policy and the relevant privacy acts.
4.27 Unless required by law, disclosure of any data or corporate data relating to the UTS information security processes to an external party must be approved by the CISO (refer Records Management Policy for details on the Information Security Classification Standard).
4.28 Data breaches must be managed in line with the Data Breach Policy.
Compliance and monitoring
4.29 All users are responsible for the appropriate use of UTS IT resources in line with this policy and the ISP framework. Non-compliance will be managed as a policy breach (refer Policy breaches).
4.30 As part of UTS’s compliance and monitoring activities, the CIO and CISO are responsible for assessing reports of user activity that may be in breach of this policy and may appoint an investigator to undertake further assessments as part of this process.
4.31 UTS reserves the right to undertake periodic audits to ensure compliance with this policy.
Policy exemptions
4.32 In exceptional circumstances, exemptions to this policy may be submitted by the dean, director or equivalent to the CIO for consideration.
4.33 Exemption requests must outline:
- the nature of the exemption and the specific control that requires adjustment
- the rationale for the exemption and extenuating circumstance
- risks that may arise without the approved exemption
- risks that may arise should an exemption be approved and the relevant controls that will be applied to manage or mitigate these risks
- the privacy impacts where sensitive or confidential information is involved (refer Privacy Policy) and how these will be managed (to be developed with the Privacy Officer and endorsed by the Chief Data Officer), and
- the steps that will be taken to ensure ongoing compliance with this policy and the relevant CIO directives/procedures.
4.34 The CIO may seek advice from the Office of General Counsel, the CISO or other subject matter experts in considering an exemption application.
4.35 Exemptions approved by the CIO will be:
- granted for a specific time period up to one year duration only
- maintained by ITU on a register for reporting to the Audit and Risk Committee as required
- reported to the Cybersecurity Steering Committee where relevant (refer Information Security Policy) as part of the continuous review and improvement process, and
- reviewed annually by the CISO office to ensure compliance and relevancy.
Policy breaches
4.36 Breaches of this policy should be reported to the CIO for management and escalation as appropriate. Reports can be made via a supervisor, the Student Complaints Policy or the Staff Complaints Policy.
4.37 Users who are found to be in breach of this policy will be managed in line with one or more of the following as appropriate:
- Code of Conduct
- Student Rights and Responsibilities Policy
- Concerning Behaviour Intervention Policy
- Child Protection Policy
- Data Breach Policy
- Whistleblowing and Public Interest Disclosures Policy
- Enterprise agreements
- individual contract of employment and the relevant Enterprise agreement
- section 16, Student Rules
- state or federal legislation.
5. Roles and responsibilities
5.1 Policy owner: The Chief Information Officer (CIO) is responsible for policy enforcement and compliance, ensuring that its principles and statements are observed. The CIO is also responsible for the approval, publication and maintenance of the Information Security Policy Framework (available at Beyond the firewall: UTS Cybersecurity (SharePoint)), ensuring continued alignment of this policy with the ISP framework and authorising any training associated with this policy.
5.2 Policy contact: The Chief Information Security Officer (CISO) is responsible for the day-to-day implementation of this policy and the ISP framework and acts as a primary point of contact for advice on fulfilling its provisions.
The Chief Data Officer (CDO) is responsible for university data in line with the Data Governance Policy.
The CDO, in conjunction with the CIO, is responsible for the development of procedures and user guidance in relation to the use and management of UTS data.
5.3 Implementation and governance roles:
Users are responsible for the use of UTS IT resources in line with this policy.
The Chief Operating Officer is responsible for approving mandatory training in support of this policy in consultation with the University Leadership Team as appropriate.
6. Definitions
The following definitions apply for this policy and all associated procedures. These are in addition to the definitions outlined in Schedule 1, Student Rules. Definitions in the singular also include the plural meaning of the word.
Acquisition means the purchase, lease or other attainment of IT resources for university purposes in line with this policy and the Procurement Policy.
Affiliate is defined in the Code of Conduct.
Bring your own device (BYOD) use (also personal device use) means the use of any personal (or non-UTS) electronic device capable of storing data and/or connecting to a network (including but not limited to phones, tablets, laptops and desktop computers) for any UTS-related activity that is owned, leased or operated by staff, students or affiliates.
Corporate data is defined in the Data Governance Policy.
Data is defined in the Data Governance Policy.
Hacking means obtaining or attempting to obtain a higher level of access or privilege to IT resources without appropriate authorisation.
Incidental personal use means the unofficial use of UTS IT resources for minor personal activities that help staff, students and affiliates in undertaking their university work and activities. Incidental use must come at no additional cost to UTS, should be otherwise in line with normal UTS policy requirements and must not interfere with any UTS business.
Information asset means a body of information or a collection of data that is organised and managed (so it can be understood, shared, protected and utilised) and has value to UTS. Research data, corporate data and some bodies of work are all information assets.
Information security is defined in the Information Security Policy.
Information Security Policy Framework (also ISP framework) is defined in the Information Security Policy.
IT resource (also UTS IT resource and resource) means all information and operational technology (IT and OT) hardware, software, cloud services, devices, workstations, servers, storage, equipment, networks, packages, accounts and platforms, either owned, leased or used under licence by UTS.
Outside work is defined in the Outside Work Policy.
Participant is defined in the Short Forms of Learning Policy.
Privacy acts is defined in the Privacy Policy.
Visitor is defined in the Campus Policy.
Approval information
Policy contact | Chief Information Security Officer |
---|---|
Approval authority | Vice-Chancellor |
Review date | 2027 |
File number | UR21/821 |
Superseded documents | Acceptable Use of Information Technology Facilities 2001 (UR06/357); UTS Email Policy 2004 (UR98/76); Guidelines for the Responsible Use of Email 2004 (UR16/1189) |
Version history
Version | Approved by | Approval date | Effective date | Sections modified |
---|---|---|---|---|
1.0 | Vice-Chancellor | 26/07/2021 | 12/08/2021 | New policy. |
1.1 | Vice-Chancellor | 28/04/2022 | 28/04/2022 | Changes and updates to reflect new ownership under portfolio realignment under Fit for 2027 project. |
1.2 | Director, Governance Support Unit (Delegation 3.14.1) | 16/03/2023 | 09/06/2023 | Minor update to reflect the new Artificial Intelligence Operations Policy. |
1.3 | Director, Governance Support Unit (Delegation 3.14.1) | 08/09/2023 | 30/09/2023 | Changes resulting from the development of the Whistleblowing and Public Interest Disclosures Policy. |
1.4 | Director, Governance Support Unit (Delegation 3.14.1) | 16/11/2023 | 12/12/2023 | Change to the definition of IT resource to reflect the new Academic Integrity Policy and Generative AI tools definition in the Student Rules. |
2.0 | Vice-Chancellor | 28/06/2024 | 04/07/2024 | Full review and alignment with the Information Security Policy Framework. |
References
Artificial Intelligence Operations Policy
Beyond the firewall: UTS Cybersecurity (SharePoint)
Equity, Inclusion and Respect Policy
Information Security Classification Standard (available at Records and archives hub: Information security (SharePoint))
Information Security Policy Framework (available at Beyond the firewall: UTS Cybersecurity (SharePoint))