Policy University Management Digital Technologies Acceptable Use Policy

Digital Technologies Acceptable Use Policy


Print Friendly and PDFPrint Friendly

Intent

This policy directs Authorised Users in the acceptable use of James Cook University's (JCU) the University) Digital Technologies and Digital Technology Assets, emphasising the collective responsibility of all Authorised Users to uphold the University’s secure Digital Environment.

Scope

This policy applies to all Authorised Users of the University’s Digital Technologies including:

(a) JCU Australian Tropical Campuses;

(b) JCU controlled entities;

(c) JCU Singapore;

(d) JCU Brisbane

regardless of location, whether during or after business hours or whether on JCU-owned or privately owned devices.

Definitions

Acceptable Use - Refers to the appropriate and permitted use of the University's digital technologies and digital technology assets, as outlined in the guiding principles of the Digital Technologies Acceptable Use Policy.

Authentication Credentials - Refers to the unique identifiers such as user identification and password, or username and passcode, used to verify a user's identity and authorise access to the University's Digital Technologies, Digital Technology Assets, Digital Resources, and Data and Information Assets. These credentials play a critical role in maintaining the security of these assets by ensuring that only authorised individuals or entities have access.

Authorised Users - These are individuals or entities that have been granted permission (authentication credentials) by the University to access and use its Digital Technology Assets, Digital Resources, Data and Information Assets, and Digital Communications Systems within the University's Digital Environments. This includes members of the University Community (students, staff, affiliates) as well as HDR candidates, adjuncts, visitors, volunteers, and Third-Party Service Providers (contractors, suppliers, consultants, partners, vendors). Authorised Users are expected to comply with the University's policies and guidelines while accessing and using these assets and systems. They play a crucial role in maintaining the security of these assets by using them responsibly and reporting any security issues they encounter.

Breach(es) - Any action that breaches the University's Digital Technologies Acceptable Use Policy, whether intentional or unintentional. This includes but is not limited to Unauthorised access to or use of Digital Technologies, Digital Technology Assets, or Data and Information Assets, misuse of resources, inappropriate behaviour, and other actions or omissions that breach Information Security policies and their supporting documentation.

Business Owner - This is a both a governance and operational responsibilities associated with digital technology assets. The Business Owner is the primary stakeholder and is typically a senior business employee, such as a department head or manager. They have ultimate responsibility for a specific business function and the digital technology asset. The Business Owner provides a bridge between the business strategy and technology, ensuring alignment between the two. They are responsible for understanding the importance of the Information Security Management System (ISMS) and communicating its relevance and benefits to their specific business function. As part of their role, they ensure that the digital technology assets under their purview are managed and used in accordance with the ISMS, contributing to the overall information security of the University.

Data Protection - This pertains to the measures and safeguards implemented to prevent unauthorised access to, or manipulation of, the University's Data and Information Assets and Digital Technology Assets. It involves maintaining data integrity by preventing corruption and loss, and ensuring that, in the event of a data breach or loss, the data can be restored. Data protection strategies often include encryption, backup and recovery procedures, data masking, and other security techniques. The goal of data protection is to deliver a comprehensive approach to securing sensitive data and digital technology assets from a variety of threats, including data breaches, data corruption, and data loss, within the University's Digital Environment.

Digital Communications System -These are the digital platforms and technologies that enable the exchange, transmission, and reception of information between individuals or groups. This includes, but is not limited to, email systems, messaging platforms, voice and video systems and collaborative workspaces. While these systems do handle information as part of their function, they are primarily designed to facilitate communication and collaboration in a digital environment.

Digital Environment -This term refers to the specific settings or contexts where digital technologies are deployed for the University. This includes devices, software, services, network architecture, as well as physical and virtual environments where digital technology assets are used and managed. It represents the overall landscape of digital technology use for the University.

Digital Infrastructure -This term refers to the foundational infrastructure of digital and network systems that support the entire digital technology environment. This includes hardware (like servers and networks), software, and services that are critical for the functioning and operation of all other digital technology assets. This infrastructure forms the backbone of the University’s digital operations, enabling the use and management of digital technologies.

Digital Operations - Refers to the activities that involve the use and management of digital technologies at the University. This includes but is not limited to everything from deploying new software, managing databases, maintaining network infrastructure, to ensuring the security of digital assets. It encompasses the operational aspects of managing and utilising digital technologies to support the University's functions and objectives.

Digital Resources - Refers to the resources that are consumed or utilised when using digital technologies. This includes network bandwidth, internet access, storage space on servers or in the cloud, processing power of computers and servers, access to software applications and services, and more. These resources are what enable the operation and use of digital technologies for the University.

Digital Technologies -Is a broad term that encompasses both IT (Information Technology) and ICT (Information and Communication Technology). It refers to electronic tools, systems, devices, and resources that generate, store, or process data. This includes a wide range of devices and systems such as computers, software, networks, and the Internet.

Digital Technology Assets - Is a broad term that encompasses all the different types of digital assets whether physical or virtual and are used to support digital operations. This includes but is not limited to computers, servers, data centres, software, and network services. These assets are specifically related to technology and are used to enable the operation and use of digital technologies for the University.

Note:

  • Digital Technology Assets exclude Data and Information Assets.
  • The definition of Digital Technology Assets definition aligns with the term ‘information processing systems’ as described in ISO27002.

Multi-Factor Authentication (MFA) - This is a security measure that requires Authorised Users to provide two or more types of evidence (or factors) to authenticate their identity when accessing the University's Digital Technology Assets, Data and Information Assets, and Digital Communications Systems. Factors can include something the user knows (like a password), something the user has (like a physical token or a smartphone), or something the user is (like a fingerprint or other biometric data).

Personal Information - Has the same meaning as the Information Privacy Policy.

Physical Security - refers to the safeguards implemented to protect the university's hardware and facilities, such as servers, computers, data centres, and labs. These measures range from perimeter security to maintenance protocols, aiming to prevent unauthorised access, theft, and damage to these critical assets.

Public Interest Disclosure - Has the same meaning as the Public Interest Disclosure Procedure.

Security Incident - Any event violating JCU’s security policies or posing a risk to its digital technology assets (physical or digital), ranging from Unauthorised Access or use of systems or data to theft of devices containing sensitive information, malware infections, or denial of service attacks.

Sensitive Information - Has the same meaning as the Information Privacy Policy.

Third-Party Service Providers - These are individuals or organisations that are authorised under a written agreement to provide specific digital technologies-related services or functions to or on behalf of the University. This includes contractors, suppliers, consultants, partners, vendor who are engaged to conduct work, research, or studies. They are expected to comply with the University's policies and guidelines while delivering their services. They hold operational roles within the ISMS, their responsibilities include delivering services in accordance with agreed contracts, adhering to the organisation's digital technology policies and procedures, and reporting any incidents or potential risks. They are expected to comply with the University's ISMS and may have their own internal governance roles responsible for ensuring this compliance.

Unacceptable Use - Refers to the prohibited use of the University's digital technologies and digital technology assets, as outlined in the guiding principles of the Digital Technologies Acceptable Use Policy (Section 2).

Unauthorised Access - refers to actions or usage that has not been officially permitted or sanctioned by the University. This includes, but is not limited to, accessing or using Digital Technologies, Digital Technology Assets, or Data and Information Assets without explicit permission, or in a manner that exceeds granted permissions. Unauthorised Access actions are in breach of Information Security policies and may result in disciplinary action.

Violation - Any action or behaviour by an authorised user that breaches the stipulations laid out in the Digital Technologies Acceptable Use Policy.

Policy

1. Acceptable Use of Digital Technologies

1.1 Access and Communication: Authorised Users may access and communicate information and utilise Digital Technology Assets for legitimate academic, research, business and administrative purposes that align with the University's mission and objectives.

1.2 Collaboration and Sharing: Authorised Users may engage in collaboration and sharing through University-supported tools and platforms, provided the content adheres to the University's policies, procedures and guidelines.

1.3 Personal Development: Authorised Users may access Digital Resources for personal development, such as skill-building, professional networking, or educational resources, within reasonable limits and without interfering with University’s Digital Operations.

1.4 Research and Innovation: Authorised Users may use Digital Resources to conduct research, develop new projects, or engage in innovative activities, provided such activities comply with applicable laws, ethical guidelines, and University policies.

1.5 Social Media and Online Communities: Authorised Users may participate in social media and online communities for professional and academic purposes (limited personal use is permitted in accordance with 1.9), ensuring they uphold the University's reputation and respect others' privacy, confidentiality, and intellectual property rights. Refer to the Social Media Policy.

1.6 Software and Applications: Authorised Users may use and install software and applications on University devices, provided they have appropriate licenses, comply with terms and conditions, and have obtained necessary approvals from relevant University authorities.

1.7 Data Storage and Backup: Authorised Users must store, backup, and retrieve University-related data using JCU-approved storage solutions where provided, to ensure the security and privacy of sensitive information. If an alternative solution is required (i.e. complex research data), users must comply with JCU’s research data storage requirements and ensure that these storage options adhere to applicable Data Protection standards and regulations. For data related to LearnJCU, please refer to the LearnJCU Data Management Procedure.

1.8 Remote Access: Authorised Users may access University Digital Resources remotely, including but not limited to University-owned computers, personal devices, and mobile devices, provided security protocols are adhered to. Remote access must be established through secure connections, such as Virtual Private Network (VPN), and must utilise multi-factor authentication and secure passwords to protect the University's Digital Resources and Data and Information Assets, and must have secure and up-to-date software to mitigate security risks and vulnerabilities.

1.9 Limited Personal Use: Authorised Users may engage in Limited Personal Use of Digital Technologies provided it does not interfere with their job duties, consume excessive Digital Resources, or violate any University policy, legal requirements, or ethical guidelines. Limited Personal Use of University Digital Communication Systems and Digital Resources is a privilege.

1.10 Compliance with Legal Jurisdictions: All use of University Digital Technologies and Digital Resources must comply with laws and regulations applicable in the location from where the resources are being accessed, as well as with all relevant University policies.

2. Unacceptable Use of Digital Technologies

2.1 Unauthorised Access and Misuse: Authorised Users must not access, alter, or share data of Digital Technology Assets without proper authorisation, or use University Digital Technologies for Unauthorised purposes, such as hacking, phishing, or circumventing security measures as outlined on the Web Safety webpage. This includes not accessing, storing, or distributing inappropriate, offensive, or menacing material.

2.2 Harassment and Discrimination: Authorised Users must not engage in any form of harassment, discrimination, or offensive behaviour within the Digital Environment, or through the use of the University Digital Technology Assets and Digital Resources. This includes sending inappropriate messages, images, or materials, or creating hostile online environments. Refer to the Bullying, Discrimination, Harassment and Sexual Misconduct Policy.

2.3 Copyright Infringement and Intellectual Property Violations: Authorised Users must not violate copyright laws, licenses, or other intellectual property rights by downloading, distributing, or using Unauthorised materials, such as software, documents, images, or music through Digital Technologies. Refer to the Intellectual Property Policy.

2.4 Disruptive Activities: Authorised Users must not engage in activities that disrupt the normal functioning of Digital Technologies, such as spreading malware, spamming, intentionally causing system failures, or introducing or distributing security threats like viruses or harmful malware.

2.5 Unethical or Illegal Activities: Authorised Users must not use Digital Technologies to engage in unethical or illegal activities, such as fraud, identity theft, or accessing prohibited content.

2.6 Misrepresentation and Impersonation: Authorised Users must not misrepresent their identity or impersonate others using Digital Technologies, or use University Digital Resources to create fake accounts, profiles, or websites.

2.7 Excessive Personal Use: Authorised Users must not engage in personal use of Digital Technologies that consumes significant Digital Resources, interferes with job duties or academic performance, or violates University policies or legal requirements.

2.8 Unauthorised Commercial Use: Authorised Users must not use Digital Technologies for personal financial gain or non-University commercial activities, such as promoting businesses, soliciting customers, or engaging in Unauthorised sales or advertisements.

2.9 Compromising Privacy and Confidentiality: Authorised Users must not disclose, share, or misuse Personal Information and Sensitive Information, or attempt to access or intercept such information without proper authorisation when using Digital Technologies.

2.10 Offensive Material Restrictions: Authorised Users are prohibited from accessing, transmitting, storing, or displaying offensive materials, including pornography, except when required for legitimate academic or research purposes that have received University approval.

2.11 Unauthorised Surveillance: Unauthorised surveillance or interception of electronic communications by any party other than the University's authorised personnel for legitimate purposes such as security and compliance, is strictly prohibited.

2.12 Misuse of University Credentials: Authorised Users must only use University-provided credentials (i.e., email addresses and passwords) for appropriate University-related activities. They should not be used for personal activities such as online shopping, social media, or any other non-university related activities.

3. Software Licences

3.1 All software provided by the University is licensed primarily to the University, however approval may be granted to Authorised Users for use at home or other locations on non-University owned computers during the course of work or study with the University.

3.2 Authorised Users must adhere to the terms and conditions of these licenses. Any Unauthorised use or failure to comply with contractual obligations and terms of use stated in the software license agreements may lead to the revocation of access. Unauthorised duplication or distribution of licensed software is prohibited.

3.3 Upon termination of employment or completion of study, or upon notification by the University of its termination of the software license agreement, Authorised Users must discontinue use and un-install the software from non-University owned computer(s).

4. Access and Authentication

4.1 Access to the University's Digital Resources is granted based on the role and responsibilities of each Authorised User.

4.2 Authorised Users must strictly prohibit the sharing of their Authentication Credentials with others or attempting to gain Unauthorised Access to Digital Resources. It is essential to emphasise the importance of individual accountability and the strict prohibition against sharing Authentication Credentials to maintain the integrity and security of University Digital Resources.

4.3 Authorised Users must maintain secure passwords, regularly update them and avoid using easily guessable passwords.

4.4 All Authorised Users must use Multi-Factor Authentication (MFA) where supported.

4.5 Authorised Users are granted access to University Digital Resources for legitimate University purposes. Such access should be used responsibly and must not be used to infringe upon others' rights or to violate any laws or University policies. The University reserves the right to restrict or revoke access if this policy is breached.

4.6 Authorised Users must ensure the password used for accessing University Digital Resources is distinct from their personal accounts, including non-university email accounts, online shopping accounts, and social media platforms, to preserve the integrity and security of University resources.

5. Monitoring and Privacy

5.1 The University reserves the right to monitor, access, log, and analyse the activities of Authorised Users on University Digital Resources. This includes conducting periodic reviews and audits to ensure compliance with this policy and to safeguard the University's Digital Technologies.

5.2 The University reserves the right to block, filter, or restrict any use of the University’s Digital Resources that breaches this policy, exceeds acceptable use limits, or poses a security risk to the University’s Digital Infrastructure.

5.3 Subject to the provisions of the University’s Information Privacy Policy and relevant legislation, the University may disclose the contents of electronic communications without permission from the Authorised User in situations deemed necessary, such as investigations of Policy Violations or to ensure the security of the University's Digital Resources.

5.4 The University will not use the Personal Information of Authorised Users for purposes beyond those necessary for the operation of Digital Resources, unless explicitly authorised by the user or as required by law.

5.5 The University may take immediate remedial action to address threats to the University’s Digital Resources that are essential for the operation and use of Digital Technologies. This could include suspending an Authorised User’s access, confiscating University-owned electronic devices, and/or disconnecting or disabling equipment, with or without prior notice.

6. Consequences of breach

6.1 The University views Breaches of this policy very seriously and will evaluate instances on a case by case basis, taking into account the nature and gravity of the offence, its impacts and any prior violations by the Authorised User. Breaches may result in disciplinary action in accordance with the misconduct/serious misconduct processes outlined in the Staff Code of Conduct, Student Code of Conduct, Student General Misconduct Procedure, Bullying, Discrimination, Harassment, and Sexual Misconduct Policy, Copyright Policy, Information Privacy Policy, or any other relevant University policies and procedures. Staff refer to the JCU Enterprise Agreement.

6.2 Consequences of breaches may include, but are not limited to:

  • Referral of the matter to the police and/or other relevant external authority.
  • Grounds for misconduct or serious misconduct, potentially leading to temporary or permanent revocation of access, or termination of employment for severe offenses.
  • Measures to protect a person who has made a Public Interest Disclosure (in consultation with the University’s Public Interest Disclosure Coordinator) or action taken in respect of suspected Corrupt Conduct (in consultation with the University’s Crime and Corruption Commission Liaison Officer).

6.3 Sanctions may vary based on the severity and implications of the breach. These can range from warnings and counselling to more severe actions such as suspension or termination of employment, suspension or exclusion from the University, confiscation of University-owned electronic devices, or disconnecting or disabling equipment with or without notice.

Related policy instruments

Academic Misconduct Procedure

Adaptive Workplace Policy

Blended Learning Policy

Code of Conduct

Code of Conduct – University Council

Copyright Policy and Procedure

Coursework Academia Integrity Procedure

Cybersecurity Policy

Data Governance Policy

Digital Technologies Acceptable Use Procedure

Environmental Policy

Fraud and Corruption Procedure

ICT Access and Account Management Procedures

Information Privacy Policy

Intellectual Property Policy and Procedure

James Cook University Enterprise Agreement 2022

LearnJCU Data Management Procedure

Managing and Investigating Potential Breaches of the JCU Code for the Responsible Conduct of Research Procedure

Personal Information Data Breach Procedure

Public Interest Disclosure Procedure

Records Management Policy

Remote Working Policy

Risk Management Policy

Security Policy

Social Media Policy

Space Allocation and Management Policy

Student Code of Conduct Policy

Student Digital Experience Policy

Student General Misconduct Procedure

Student Professional Misconduct Procedure

Related documents and legislation

Queensland Australia

Criminal Code Act 1899 (Qld)

James Cook University Act 1997 (Qld)

Information Privacy Act 2009 (Qld)

Public Records Act 2002 (Qld)

Telecommunications Interception Act 2009 (Qld)

Queensland Right to Information Act 2009 (Qld)

Public Interest Disclosure Act 2010 (Qld)

Crime and Corruption Act 2001 (Qld)

Crimes Act 1914 (Cth)

Cybercrime Act 2001 (Cth)

Copyright Act 1968 (Cth)

Spam Act 2003 (Cth)

Telecommunications (Interception and Access) Act 1979 (Cth)

The Computer Misuse and Cyber Security Act (Cap 50A) (Singapore)

Copyright Act (Cap 63) (Singapore)

Spam Control Act (Cap 311A) (Singapore)

Undesirable Publications Act (Cap 338) (Singapore)

Administration

NOTE:  Printed copies of this procedure are uncontrolled, and currency can only be assured at the time of printing.

Approval Details

Policy Domain

Digital Infrastructure

Policy Sponsor

Deputy Vice Chancellor, Services and Resources

Approval Authority

Estate Committee

Date for next review

10/10/2028

Revision History

Version

Approval Date

Approved by

Implementation Date

Details

Author

23-110/10/2023Estate Committee27/10/2023Major review. Previously titled ICT Acceptable Use Policy.Chief Information Security Officer

22-1

13/07/2022

DVC SR

18/07/2022

Added para 2.6 directing authorised users to use multi-factor authentication where required.

Manager, Information and Cyber Security

17-1

23/02/2017

 

27/02/2017

Updated and aligned with ICT Acceptable Use Procedures and Access Account Management Procedures.

ICT

14-1

25/11/2014

 

4/12/2014

Policy established at Futures Committee 25/11/2014 – refer to (3/14) minutes for details

ICT

Keywords

acceptable use, authorised users, University ICT services

Contact person

Chief Information Security Officer