Acceptable Use of IT Resources Policy

This is the current version of this document.

Section 1 - Purpose 

(1) The University of Wollongong (the University) is committed to the appropriate use of Information Technology (IT) Resources to support its learning, teaching, research, administrative, and service functions and to comply with its legal obligations.

(2) This Policy sets out the expectations for the acceptable, legitimate, secure and optimal use of the University’s IT Resources.

Section 2 - Application and Scope

(3) This Policy applies to all users of University IT resources, including students, staff, suppliers, affiliates and individuals involved in supporting those Resources.

(4) Users must accept and comply with this Policy as a condition of use of the University’s IT Resources.

(5) The use of remote systems accessed via the University’s IT Resources is also covered in this Policy. Remote services may have additional local rules and regulations.

(6) This Policy should be read in conjunction with the following policy documents:

  1. University Code of Conduct;
  2. Privacy Policy;
  3. Records Management Policy;
  4. Data Governance and Management Policy;
  5. Data Classification and Handling Procedure;
  6. Research Data Management Policy;
  7. Information Security Policy;
  8. Gender-based Violence Prevention and Response Policy; and
  9. Student Conduct Rules.

Section 3 - Principles

(7) The University’s IT Resources are provided to users to support and facilitate the effective implementation of University functions.

(8) Users must take responsibility for using the University’s IT Resources in an ethical, respectful, secure and legal manner, having regard for the objectives of the University and the privacy, rights and sensitivities of other users.

(9) Users have a responsibility to be vigilant, knowing how to protect themselves and the University’s IT Resources.

Section 4 - Use of the University’s IT Resources

User Responsibilities

(10) Users must only use accounts designated to them and must not make their account credentials accessible or useable by other users.

(11) Users are responsible for the following whilst using the University’s IT Resources:

  1. all activities that originate from their user account;
  2. all information sent from, intentionally requested from, solicited by, or viewed from their user account; and
  3. information placed on any device, system or storage platform using their user account.

(12) Users are required to:

  1. maintain the security and confidentiality of data collected or generated by the University in accordance with the Data Classification and Handling Procedure;
  2. lock devices when not in use;
  3. only use University IT Resources in the manner intended for the role of the user;
  4. regularly check their devices for signs of tampering. This may include something appearing broken or unusual, or an unknown device plugged in;
  5. report suspected and confirmed IT security scams, events and incidents to IMTS Service Delivery (IMTS) in a timely manner;
  6. complete all mandatory assigned cyber security awareness and training within an acceptable timeframe in consultation with their line manager;
  7. comply with rules, signs, and instructions from IT support staff when using computer laboratories; and
  8. provide identification to IT support staff if requested.

(13) Users will be held responsible for cost of repair if damage is caused to IT Resources through misuse or negligence.

Prohibitions

(14) Users must not use the University’s IT Resources for the following activities:

  1. the creation or transmission (other than for properly supervised and lawful teaching or research) of any material or information that could reasonably be deemed abusive, offensive, defamatory, obscene or indecent;
  2. the creation or transmission of material that could reasonably be deemed likely to harass, sexually harass, bully, intimidate, harm or distress any other person;
  3. the unauthorised transmission of material that is labelled confidential or commercial in confidence;
  4. breach of copyright, or software or digital content licence conditions;
  5. collecting, use or disclosure of personal information not permitted per the Privacy Policy; and/or
  6. deliberate unauthorised access to the University’s IT Resources.

(15) Users must not:

  1. access University IT Resources from public or untrusted networks;
  2. leave IT Resources containing University data unattended, even if they are locked. The IT Resources should be stored in a secure place when not in use;
  3. tamper with the University’s IT Resources or move them without authorisation;
  4. attempt to subvert or undermine any security controls implemented by the University. If a security control is believed to interfere with functions related to a user's role, a request must be made by that user to IMTS Helpdesk explaining the need for that function; or
  5. send, store or backup University data with externally hosted services, including Artificial Intelligence tools, other than those provided and approved by IMTS.

Personal Use

(16) Users may only use the University’s IT Resources for personal use if that use does not:

  1. interfere with the operation of University IT Resources;
  2. interfere with other users’ access to University IT Resources;
  3. store data classified as “Unofficial” on University managed devices;
  4. burden the University with additional costs;
  5. interfere with their employment or other obligations to the University;
  6. include conducting unauthorised commercial activities;
  7. use University IT Resources for unauthorised personal gain;
  8. include providing access to an unauthorised third party; and/or
  9. include conducting personal banking, using social media, shopping, or signing up to private subscriptions that are not related to their role.

Use of University Managed Devices

(17) University managed devices must not be loaned, leased or used by unauthorised users.

(18) Users must notify IMTS immediately if their University managed device has been lost, stolen or tampered with.

(19) University managed devices that are lost or stolen will be remotely wiped as soon as possible.

(20) University managed devices that are tampered with or compromised will be reset to the standard image and software reinstalled by IMTS.

(21) Users must return all University managed devices if they are no longer employed by the University, the device is no longer needed or if directed by the relevant Senior Executive, Executive Dean or Director/Chief Officer.

Use of University Managed Devices for Overseas Travel

(22) Users must use a clean travel device for overseas travel, unless approval has been granted in accordance with the Travelling Overseas with Devices Procedure.

(23) Users should refer to the Travelling Overseas with Devices Procedure for exceptions and before travelling overseas with University managed devices.

Use of Personally Owned Devices (BYODs)

(24) Users may use a BYOD to access University IT Resources. Users must comply with this Policy and the following terms:

  1. connect to the University Wi-Fi network or remotely access services via internet;
  2. only use University supplied VPN services to access University IT resources. Non-University supplied VPN services or anonymisation technologies include, but are not limited to, MobileVPN, ExpressVPN and TOR.

(25) Users must maintain good security hygiene of their personally owned device, which includes:

  1. ensuring all software and personally owned devices have the latest updates applied;
  2. using security software and configuring security features such as firewall and anti-virus/anti-malware;
  3. password protecting their BYOD;
  4. only using operating systems and software from trustworthy sources;
  5. not connecting a BYOD to a wired network port without authorisation;
  6. regularly checking their BYOD for signs of tampering;
  7. not using a BYOD where it is known to have a security compromise; and
  8. not storing University data on a BYOD.

(26) If a BYOD with University data has been lost, stolen or tampered with, the user must notify IMTS immediately. 

(27) Users should refer to Section 2 of the Travelling Overseas with Devices Procedure for guidance on travelling overseas with BYODs.

Accessing University IT Resources Remotely

(28) Users must exercise caution when accessing the University’s IT resources remotely, both from University managed devices and their BYODs.

(29) Public Wi-Fi connectivity use must be minimised. This includes even “reputable” Wi-Fi networks such as brand-name hotels, cafes or airports. Wi-Fi networks that require a specific password may not be secure. When connecting to a public Wi-Fi network, users should activate their Virtual Private Network (VPN) to enhance the security of their connection to University IT Resources.

(30) Users should refrain from working in public spaces for extended periods to minimise the risk of unauthorised observation or data exposure, commonly referred to as 'shoulder surfing', which is defined in the definitions section.

Security Requirements

(31) All devices, software and systems must be kept up to date and secure by the user. This includes:

  1. ensuring security features, programs and tools protect those devices, such as firewalls, anti-malware programs, and authentication, where available;
  2. managing vulnerabilities, updates and patches of those devices; and
  3. appropriate logging and monitoring, for managing security events, incidents, and anomalous activity.

(32) University IT Resources require authentication to access, and most require multi factor authentication (MFA). Access is further controlled based on roles, which are linked with the username of a user account. 

(33) Users should take the following actions to help protect against cyber attacks:

  1. keep all browsers and all plugins up to date with security fixes;
  2. avoid unnecessary browser plugins;
  3. before authenticating to online applications, downloading content or providing University data (including personal information), ensure the connection is secure and the site is secure (look out for a secure padlock symbol or the letters “https” at the start of a website URL); and
  4. do not install software immediately if prompted. Software must only be installed on University Managed devices if the user is authorised to do so, by IMTS Support. For non-University-managed devices, users should make every effort to verify a software’s trustworthiness before installing it.

(34) Any person who suspects or identifies a cyber security threat should report it immediately to IMTS.

(35) Access to a user account may be temporarily suspended if the account is suspected to be compromised and is posing an unacceptable risk. If the user had University data on their device during that suspension, or was in the middle of a vital task, the user must notify IMTS Support as soon as possible. 

(36) The University may conduct threat simulations designed to enable the University to assess vulnerabilities and raise awareness regarding common attacks and how to deal with them.

Copyrighted Software and Content

(37) Users are responsible for making use of software and electronic materials in accordance with the Copyright Act 1968 (Commonwealth), software licensing agreements, and any applicable University policies, including the Copyright Policy.

(38) Unauthorised copying or communication of copyright protected material (including music and videos) violates the law and is contrary to the University’s standards of conduct and business practices. The University may enforce controls to prevent the copying or use of unauthorised music, videos and software.

(39) Staff and students can copy and/or communicate copyright protected material for teaching or study purposes where they have the permission of the copyright owner. Limited permission may be granted, for example, via website statements, licence agreements, or under the statutory licence provisions of the Copyright Act 1968 (Commonwealth).

Surveillance and Monitoring

(40) The University is committed to meeting its statutory obligations under the Workplace Surveillance Act 2005 and Government Information (Public Access) Act 2009 (NSW). This Policy represents formal notification to users about activities of the University that fall within the definition of computer surveillance.

(41) The University will conduct ongoing and intermittent computer surveillance of all users and devices/BYODs which access University IT Resources for the purpose of:

  1. protecting its assets, property and finance from suspected unlawful activities or activities which are in breach of University Rules, Policy, Procedures or Guidelines;
  2. conducting its business and operational requirements;
  3. protecting its reputation;
  4. compliance with legislative requirements; and
  5. meeting the expectations of stakeholders and the general public.

(42) Computer surveillance will be carried out by all means available to the University including but not limited to:

  1. accessing University email accounts or emails;
  2. accessing files;
  3. accessing work devices, including activity logs;
  4. recording internet usage and accessing these records;
  5. accessing telephone usage logs; and
  6. accessing BYODs that have been used to conduct University business.

(43) Users acknowledge that computer surveillance may include logging and monitoring of a user’s access and use of wireless and telecommunications systems that form part of the University’s IT Resources, including using University managed devices or BYODs. This may include information which enables identification of the user’s or device’s location when accessing the University’s systems, for example, when a user accesses a wireless access point in a specific location on the University’s premises.

(44) The University has a legitimate right to capture and inspect any data stored or transmitted on the University’s IT Resources and BYODs including data of a private or personal nature (regardless of data ownership), when investigating system problems or potential security violations, and to maintain system security and integrity, maintain business continuity, and prevent, detect or minimise unacceptable behaviour on that facility, or in emergency situations including serious or imminent threats to personal safety, life or health. Such data will only be released to authorised University stakeholders, such as IT support staff, in response to:

  1. permission from the user;
  2. a request from a Senior Executive, Executive Dean or Director/Chief Officer to investigate a potential breach of policy;
  3. circumstances where it is deemed appropriate by the University for the purpose of business continuity, a request from a Senior Executive, Executive Dean or Director/Chief Officer; 
  4. circumstances considered by the University to be sufficiently exceptional to warrant the release of the data;
  5. circumstances where it is deemed appropriate by the University in order to uphold the statutory rights of individuals in matters such as privacy, copyright, workplace health and safety, equal employment opportunity, harassment and discrimination;
  6. circumstances where it is deemed appropriate by the University to help prevent or lessen a serious and imminent threat to personal safety, life or health;
  7. a proper request from an appropriate law-enforcement officer investigating an apparently illegal act, including a court order (note, these may only be handled by authorised University stakeholders);
  8. where authorised or permitted under a relevant law or statute; or
  9. a third party that has been contractually engaged by the University to provide IT related services.

(45) Users acknowledge that computer surveillance may result in the prevention of:

  1. delivery of an email sent to or by a user;
  2. access to an internet website and other online content; or
  3. access to software applications.

(46) The University will notify the user as soon as practicable that an email has not been delivered except where:

  1. the email was a commercial electronic message within the meaning of the Spam Act 2003 (Commonwealth);
  2. the content of the email or any attachment to the email would or might have resulted in an unauthorised interference with, damage to or operation of a computer or computer network operated by the University or of any program run by or data stored on such a computer or computer network;
  3. the email or any attachment to the email would be regarded by a reasonable person as being, in all circumstances menacing, harassing or offensive; or
  4. the University was not aware (and could not reasonably be expected to be aware) of the identity of the employee who sent the email or that the email was sent by an employee.

(47) The University will not prevent delivery of an email or access to online content if:

  1. the email was sent by or on behalf of an industrial organisation or employees or an officer of such an organisation; or
  2. the online content or email contains information relating to industrial matters.

(48) Access to information will only be granted following a request from the Senior Executive, Executive Dean or Director/Chief Officer, made in writing, and approved by the Chief Information Digital Officer (CIDO) with the counter signature of the relevant Senior Executive or Executive Dean in accordance with the Delegations of Authority Policy.

(49) Access to any information will always be via network or systems administrators, or via persons nominated by the CIDO or delegated authority in accordance with the Delegations of Authority Policy. The University’s policy and statutory legislation relating to privacy will be upheld in all cases.

Section 5 - Data Governance and Management

(50) Each University data element, as defined in and limited by the scope of the Data Governance and Management Policy and Research Data Management Policy, must have a custodian accountable for data management, including but not limited to, data access, definition and quality.

(51) The types and duties of custodians responsible for the governance and management of University data are set out in the Data Governance and Management Policy and Research Data Management Policy.

Data Access and Classification

(52) Users are responsible for appropriately handling University data and must comply with relevant University Policies including but not limited to:

  1. Privacy Policy;
  2. IP Intellectual Property Policy;
  3. Records Management Policy;
  4. Research Data Management Policy;
  5. Travelling Overseas with Devices Procedure;
  6. Data Governance and Management Policy; and
  7. Data Classification and Handling Procedure.

(53) Responsibilities for providing access to data are outlined in the following University policies:

  1. Information Security Policy;
  2. Data Governance and Management Policy; and
  3. Delegations of Authority Policy.

(54) University data must be assigned a level of classification as defined in the Data Classification and Handling Procedure to ensure appropriate handling and protection. Data is classified based on potential impact to the University or individuals in the event of a data breach.

Data Storage

(55) University data must be stored securely in accordance with:

  1. Data Governance and Management Policy;
  2. Data Classification and Handling Procedure;
  3. Research Data Management Policy; and
  4. Records Management Policy.

(56) ‘Unofficial’ data must not be stored on University IT Resources (IT Systems), as it may be accessed, inspected and removed.

(57) Only data storage solutions provided by IMTS are suitable for storing University data.

(58) University data must not be stored on external portable storage, BYODs, personal cloud storage or personal email accounts.

(59) Devices which are no longer required, and which contain University data, must be disposed of securely by IMTS in accordance with the Information Security Management System (ISMS) policies and local protocols, including the Secure Deletion and Disposal Local Protocol. Users must consult IMTS first and not attempt to dispose of the device themselves.

Section 6 - Privacy

(60) The University is committed to complying with privacy requirements and confidentiality in the provision and operation of all IT resources. Users must comply with the Privacy Policy whilst using IT Resources. For further information refer to the Privacy webpage.

(61) Users’ real names and usernames will be listed in directories accessible to other users for the purpose of enabling collaboration.

(62) In the case of an emergency or crisis, personal data, such as email addresses or phone numbers may be accessed by authorised IMTS staff to notify a user of the incident.

Section 7 - Use of Artificial Intelligence (AI)

(63) The use of AI must align with the ethical values of the University, prioritising openness, excellence, empowerment, diversity, and recognition when providing services to students, partnering with government agencies, educational providers, and external vendors.

(64) As with any other tool or solution, the use of any specific AI capability must only be done if it is seen as the best solution for a required issue, and the assessment should be aligned with the NSW AI Assessment Framework. Where non-AI capabilities or tools may provide a more secure or efficient service, they should be considered in favour of AI.

(65) In line with the NSW Government’s Mandatory Ethical Principles for the Use of AI, AI must only be used in line with the concepts of fairness, privacy, security, transparency, and accountability.

(66) All users of AI capabilities are accountable and responsible for reviewing and ensuring the accuracy of AI outputs, reviewing them to be free from bias or incorrect outputs.

(67) The University protects the privacy of users, staff and third parties. Users must take all reasonable steps to anonymise data that is entered into AI capabilities.

(68) Data inputs into AI capabilities must not be racist, sexist, inflammatory, obscene, offensive, or otherwise go against University values and acceptable use.

(69) All data input into an AI capability must not breach the University’s policies, legal, regulatory or contractual requirements.

(70) The classification of data must be considered before it is handled by an AI capability.

(71) AI capabilities that handle the University’s data must do so in accordance with the University’s data governance policies and processes, including the:

  1. Data Governance and Management Policy;
  2. Data Classification and Handling Procedure; and
  3. Research Data Management Policy.

Section 8 - Compliance and Administration

(72) The University treats misuse of its IT Resources seriously. Violations of the conditions of use of University IT Resources may result in temporary or indefinite withdrawal of access, disciplinary action under the University Code of Conduct and other relevant discipline procedures and/or demand for reimbursement to the University.

(73) Allegations of IT misconduct by students will be dealt with under the Student Conduct Rules. Detailed investigation procedures and the penalties that may be applied to students engaging in IT misconduct can be found in the Student Conduct Rules and the Procedure for Managing Alleged General Misconduct by a Student.

(74) In the case of misuse of the University’s IT resources by a staff member of a controlled entity or affiliate, a user’s access will be withdrawn following a written request from the relevant Director/CEO of the controlled entity or affiliate and approval from the Chief Information Digital Officer per the Delegations of Authority Policy. Access may also be withdrawn by IMTS in response to a suspected policy violation.

(75) In the case of misuse of University IT Resources by a staff member of the University, a user’s access will be withdrawn following a written request from the relevant Senior Executive, Executive Dean or Director/Chief Officer and approval from the CIDO per the Delegations of Authority Policy. Access may also be withdrawn by IMTS in response to a suspected policy violation.

(76) Any user whose access has been withdrawn may request reconsideration of the decision by the CIDO who shall consider the withdrawal in consultation with the relevant controlled entity or affiliate. Following this, the CIDO shall confirm the withdrawal or reinstate access.

(77) Misuse or unauthorised use of the University’s IT resources may constitute an offence under the Crimes Act 1914 (Commonwealth) and/or other relevant State or Commonwealth legislation. Nothing in this Policy may be taken as in any way diminishing or removing a person’s obligations to comply with the law or their liability to prosecution and punishment under law. Users are encouraged to report any misuse and any reports will be treated as confidential.

(78) A breach of this Policy may constitute:

  1. a breach of the:
    1. University Code of Conduct;
    2. Workplace Health and Safety Policy;
    3. Bullying Prevention Policy;
    4. Gender-based Violence Prevention and Response Policy;
    5. Code of Practice - Responsible Conduct of Research.
  2. Misconduct under the:
    1. University Code of Conduct;
    2. University of Wollongong Enterprise Agreements 2023;
    3. Student Conduct Rules.

Section 9 - Roles and Responsibilities

(79) Roles and responsibilities are as detailed throughout this Policy, the Information Security Policy, Data Governance and Management Policy, and Research Data Management Policy.

Section 10 - Definitions

Word/Term Definition (with examples if required)
Affiliate
Includes people holding University of Wollongong Honorary Awards including the awards of Emeritus Professor, Honorary Doctor and University Fellow; people appointed in accordance with the University’s Appointment of Visiting and Honorary Academics Policy; and people engaged by the University as agency staff, contractors, volunteers and work experience students.
Clean Travel Device 
A device that has been wiped of any stored data and set to the default University managed device image. 
Computer Surveillance
Surveillance, including by means of software or other equipment that monitors or records the information input or output, or other use, of a computer (including, but not limited to, local or hard drive, public network, internet and email and other electronic technologies).
Crisis
An emergency or series of incidents that seriously threatens the University’s people, assets, continuity (>72hrs), the environment, its long-term prospects and/or reputation and requires strategic management of consequences.
Device/End User Device/Endpoint Device
A laptop, desktop computer, mobile phone or other device that is used to access the University’s information assets.
Email Account
An email account issued to a user to use whilst employed by or enrolled at the University of Wollongong.
Emergency
An event or series of events that arises from internal or external sources, requires an immediate response, poses risk to life, property, or continuity of operations (>1day) and/or requires strategic management of consequences.
Enterprise Storage
Storage provided through IMTS that is protected from data loss; whether that storage be on premise or cloud based.
Information
Any digital or physical raw, processed, organised, presented or structured data created, stored or used by the University.
Information Asset
Any process or technology used to deliver business objectives or services.
An information asset is, but is not limited to:
  1. a physical device such as a laptop;
  2. a physical server;
  3. virtual server;
  4. a cloud system;
  5. a database;
  6. an application;
  7. a file.
For the purposes of this policy, information assets are the University’s:
  1. Computing facilities;
  2. Collaboration hardware and software;
  3. Artificial intelligence capabilities; and
  4. Communications facilities. (Examples include, but are not limited to, telephones, facsimiles, mobile telephones, computers, tablets, printers, photocopiers, other devices, email, internet access, network infrastructure, web services and cloud services.)
Information Technology (IT) Resources
IT Resources are also known as the University’s information and information assets.
Personally Owned Device/Bring Your Own Device (BYOD)
Any technology device that was purchased by a user and not issued or managed by the University.
Shoulder Surfing 
The act of monitoring the contents of another person’s device screen or device inputs. 
Staff
All people employed by the University including conjoint appointments, whether on continuing, permanent, fixed term, casual or cadet or traineeship basis.
Student
A person enrolled to study or registered for a course at the University. It also includes former students of the University, students on an approved period of leave of absence or students who have been suspended from the University.
Supplier/Third Party/Vendor
Any legal entity that is not the University that the University pays for services to be provided to them.
University Data
Data that is classified as “Official” and above in accordance with the Data Classification and Handling Procedure.
University Managed Device
Any technology device that is issued and managed by the University.
User
A person assigned a user account by the University or a person who is otherwise authorised to use the University’s IT resources.
User Account
An identity assigned to a user, with an associated username, for the purpose of accessing IT resources that require authentication by the user. Also referred to as account throughout this document.