View Current

Information and Communications Technology Acceptable Use procedure

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Preamble

(1) This Procedure is effective from 28 November 2023.

Top of Page

Section 2 - Purpose

(2) This Procedure documents the requirements and conditions for using the University's information and communications technology (ICT) facilities, services and materials.

Top of Page

Section 3 - Scope

(3) This Procedure applies to students, staff and associates and where not already covered, to ICT facilities, services and materials owned, managed or leased by the University or as applicable by commercial or legal arrangement, including Bring your own device (BYOD).

Top of Page

Section 4 - Policy

(4) This Procedure is pursuant to the Information and Communications Technology Acceptable Use Policy.

Top of Page

Section 5 - Procedure

General use and ownership

(5) Users of University ICT facilities, services and materials, have a responsibility to promptly report the theft, loss or unauthorised disclosure of Deakin proprietary information to the Digital Services Service Desk.

(6) ICT Users may access, use or share Deakin proprietary information only to the extent it is authorised and required to carry out activities that relate to the duties of their role.

(7) Access to University ICT facilities, services and materials must be authenticated and comply with credentials and Multi-Factor Authentication (MFA) guidelines set by Digital Services. Passwords, MFA passcodes and access to ICT facilities, services and material must be unique and not be shared. The Enterprise Password Manager is to be used for storing and sharing passwords and access to ICT facilities, services and materials.

(8) ICT users must lock devices (computers, tablets, mobile phones) when not in use.

(9) University web publishing and various media channels including social media have additional requirements which are set out in the Web Publishing Policy and the Media Policy.

Email

(10) The privacy and integrity of information transmitted by email cannot and is not guaranteed by Deakin. These communications should not be regarded as being confidential.

(11) The Deakin Internal Communications team must review and approve the distribution of all broadcast email communications.

(12) Deakin staff must not use personal email services (e.g. Google Mail, Yahoo Mail) for the storage of Deakin data or to undertake any Deakin business transactions without prior approval from Digital Services.

(13) Deakin staff and associates must not automatically forward email, voicemail or other communications accounts to another Deakin ICT user or an email address or service external to Deakin University. 

(14) ICT Users must use extreme caution when opening e-mails received from unknown senders, which may contain malware, viruses or other malicious content. Users should report suspect emails to Digital Services.

(15) Staff must not use their Deakin email address for private use or provide this email as a contact for personal purposes.

Internet

(16) ICT Users who use the University’s ICT facilities and services to access the internet represent Deakin and must act in accordance with the Code for Upholding Freedom of Speech and Academic Freedom

(17) Authorised Digital Services staff members may deny or restrict ICT Users' access to internet sites that are reasonably considered to contain unlawful or malicious content in accordance with the Code for Upholding Freedom of Speech and Academic Freedom.

File shares and data storage

(18) Deakin internal network file storage facilities and Digital Services approved externally hosted (Cloud) storage services are provided for the storage of University related material only.

(19) Use of file storage facilities (e.g. removable media) or unapproved services (Cloud Storage) to store Deakin data and/or information is not allowed unless authorised by Digital Services.

(20) External storage devices (e.g. USB, removable hard drives) used to store Deakin data must be encrypted. Removable storage should not be used as a primary storage facility. 

(21) Deakin staff, associates and research students must not transfer data to external parties unless approved by Digital Services or the data owner. Approval will only be granted where data is transferred using secure mechanisms. Research data must be transferred, stored and shared in accordance with the University’s Research Data Management Procedure.

Monitoring and access

(22) Authorised Digital Services staff will monitor ICT facilities, services and materials, including but not limited to:

  1. protecting the integrity and security of the University’s ICT facilities
  2. checking network traffic and detecting intrusions
  3. auditing the ICT assets of the University
  4. aggregating activity and usage patterns
  5. investigating and repairing system malfunctions
  6. policy and procedure compliance.

(23) Staff members may request (via the Chief Information and Digital Officer) that another person's personal information and identifying data is monitored or accessed in the following circumstances:

  1. where access is necessary to prevent the business of the University being obstructed or delayed
  2. to investigate a breach or suspected breach of legislation or Deakin University policy.

(24)  Where the Office of General Counsel request that another person's personal information and identifying data is monitored or accessed in accordance with clause 23 the information may be released without the approval of the Chief Information and Digital Officer.  

Absence of staff members

(25) If a staff member has a planned absence from the University they must ensure that data and information required to conduct the business of the University is accessible and that notification facilities, such as telephone and email out-of-office messages are in place. When a staff member has an unplanned absence, if practical, the staff member should put notifications in place from home or by contacting the Digital Services Service Desk.

Unacceptable use

(26) Unacceptable use includes but is not limited to:

  1. Engaging in any activity that is in breach of the University’s policies or procedures, or illegal under local, state, federal or international law.
  2. Accessing data, network, a server or an account for any purpose other than conducting Deakin business is considered a security breach, even if access is part of the user’s normal job/duty.
  3. Circumventing user authentication or security of any host, network or account.
  4. Network scanning is not allowed unless prior approval from Digital Services is obtained.
  5. Executing any form of network spoofing and monitoring which will intercept data not intended for the user’s host, unless this activity is a part of the user’s normal job/duty.
  6. Intentionally introducing any program or device that would degrade Deakin’s ICT Facilities, Service or Materials unless authorised by Digital Services.
  7. Interfering with or denying service to another user.
  8. Sending unsolicited email messages, including sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
  9. Acquisition and/or use of cloud–based and third party ICT services without approval from Digital Services.
  10. Effecting security incident(s) in a manner that negatively impacts Deakin University or its staff, students or associates.
  11. Providing information about, or lists of, Deakin ICT users to parties outside Deakin.

Exemptions

(27) Any exemptions to the Information and Communications Technology Acceptable Use Policy and this Procedure must be approved by the Chief Information and Digital Officer or nominee. When determining an exemption, the Chief Information and Digital Officer or nominee will consider whether the proposed use is necessary to undertake legitimate job responsibilities.

Breaches

(28) ICT users must immediately report any suspected breach of the Information and Communications Technology Acceptable Use PolicyInformation and Communications Technology Security policy and this Procedure to the Digital Services Service Desk.

(29) Where there is an allegation of non-compliance and the Chief Information and Digital Officer considers it necessary to act immediately to prevent the business of the University from being disrupted, the Chief Information and Digital Officer may:

  1. remove or disable access to an ICT Facility or Service or data stored on said facility
  2. restrict or remove an ICT User's access to the University's ICT facilities, services and materials pending further investigation, disciplinary and/or judicial action.

(30) The Chief Information and Digital Officer will inform the ICT User of any action in writing within ten (10) working days of the action being taken.

Top of Page

Section 6 - Definitions

(31) For the purpose of this Procedure:

  1. Data: individual facts or items of content, including symbolic representations that may form the basis of information (e.g. a date, a name, a number).
  2. File Share: centrally provided disk space for organisational units, projects and other groups to facilitate storage, sharing and protection of electronic material associated with work activities.
  3. Information: as defined in the Information and Communications Technology Acceptable Use Policy.
  4. Information and Communication Technology (ICT) Facilities, Services and Materials: as defined in the Information and Communications Technology Acceptable Use Policy.
  5. Information and Communications Technology (ICT) User: as defined in the Information and Communications Technology Acceptable Use Policy.
  6. Multi-Factor Authentication (MFA): method of authentication that requires more than one verification method when accessing Deakin applications.
  7. Spam: Spam is unsolicited (unwanted) digital communication often in the form of emails that typically attempts to sell you something. The spammer has no intention of spreading malware or stealing sensitive information which is what happens in the case of phishing. Further information can be found in the Cybersecurity blog.