1. Purpose
The purpose of the IT Acceptable Use Policy (Policy) is to safeguard, manage and control AICD information, computer systems, and networks in an effective, safe, ethical and lawful manner. It is the responsibility of every workplace participant to know these requirements and to comply with them.
Workplace participants are defined in section 6 and for the purpose of this Policy will be referred to as “Users”.
2. Policy
2.1. Access Control
a) Users are only permitted to access information, applications and systems to which they have been granted access rights. Access rights are granted on the basis of business needs and job roles.
b) Personal mobile phones, tablets, portable computers, laptops or any other devices must not be connected to AICD computer systems and networks unless approved by Digital.
c) Damaging, altering, or disrupting the operations of AICD computer systems and networks is not permitted.
d) Users must not carry out any activity with the intention of capturing or obtaining passwords, encryption keys, or anything that could facilitate unauthorised access by themselves or anyone else.
e) AICD may revoke the access or privileges of any User at any time. Any user activity that interferes with the normal operations of information systems resources or user productivity that may be construed as misuse, excessive use or as being harmful or offensive to others is not permitted.
f) Users are not permitted to transfer or share AICD data or information that is not publicly available with external parties, particularly AICD confidential and sensitive data and information (including AICD intellectual property) (collectively referred to as “AICD Information”). The following are some examples of such scenarios; the list is not exhaustive:
- Emailing or sharing AICD Information with a third party;
- Copying AICD Information to a personal external data storage device or mobile computing device;
- Uploading AICD Information to an external website, personal email service or file server;
- Taking or sending paper-based printouts of AICD Information outside of the AICD’s premises, unless required for the purposes of a User’s role.
If there is a legitimate business need to transfer or share AICD Information with external parties, the user or department must seek approval from their relevant manager, the Chief Digital & Information Officer, and the Privacy Officer.
2.2. Anti-Virus
a) Users must not intentionally or recklessly write, generate, compile, copy, collect, propagate, execute, or attempt to introduce any computer code designed to self-replicate, damage, or otherwise affect the performance of, or access to, any AICD computer system or network.
b) Users must not attempt to remove viruses and other malicious code and must instead notify the IT Service Desk and IT Security teams.
c) If users suspect their computer has been infected, they must notify the IT Service Desk and IT Security teams immediately.
d) Users must not try to download and install software or any executable code from any system, including the Internet; instead, users must notify the IT Service Desk to request this service.
e) Users must be extremely cautious and take best security practices into account while browsing the Internet, opening email attachments and clicking on links in emails, particularly when the website or email source is unknown or looks suspicious. Keeping the AICD secure and compliant is the responsibility of all Users.
2.3. AICD Communication and Mobile Devices
a) Mobile devices (as defined in section 6 of this Policy) and communication systems supplied by the AICD are provided to facilitate business activities. Reasonable and appropriate personal use is expected.
b) Heads of Departments may monitor users’ usage. Unreasonable personal use may be required to be reimbursed by a user.
c) A mobile device supplied by the AICD may not be used in connection with any other commercial business activities. The mobile number may not be published in any publication or business card that is not related to the AICD's business.
d) Mobile devices and communication systems are to be used in an effective, safe, ethical and lawful manner.
e) Mobile devices supplied by the AICD must not be altered or added to in any way including:
- addition or removal of components;
- altering configuration or security settings; and
- jailbreaking the device (removing restrictions imposed by the factory).
f) All mobile devices are centrally managed, and any necessary changes or maintenance will be carried out by Digital.
g) The AICD reserves the right to conduct maintenance of mobile devices that it owns or manages. The device must be returned to the AICD upon request for maintenance and when a user ceases to be employed by the AICD.
h) With the exception of purchases made from an approved online application store (e.g. Apple's App Store or Google's Google Play), games, freeware, shareware, movie clips or music may not be downloaded onto any AICD mobile device unless its use is legal (e.g. does not breach copyright laws).
i) When traveling overseas, users must turn global roaming functionality off (both data and call) unless the user has the approval to keep it active. Any charges associated with unauthorised global roaming may need to be reimbursed by the user.
j) Users are permitted to add an AICD email account onto their personal mobile device subject to approval and relevant terms of acceptance by the user. The AICD reserves the right to remotely wipe data from the device if it is lost or stolen, or the user no longer works for the AICD.
k) The AICD uses a Mobile Device Management (MDM) tool to monitor and manage AICD mobile devices. MDM can be used to remotely wipe data from devices in the event the device is lost or stolen, identify the device’s location, and see a list of all applications stored on the device.
l) Users must immediately inform the IT Service Desk and their business unit’s Privacy Champion, the Legal team or the Privacy Officer if their device is lost or stolen. This will allow Digital to wipe data remotely and suspend the phone number.
m) A user’s personal phone number can be ported to an AICD account, subject to the reporting manager’s approval. The AICD is not obliged to pay any charges owed on any existing personal mobile phone plan.
n) Mobile devices, SIM cards and their accessories remain the property of the AICD.
o) Users must take reasonable care of assigned mobile devices and their accessories. Repetitive damage or loss may result in the user being responsible for replacing the device at their own cost.
p) Users must return mobile devices and all accessories provided by Digital before departing the AICD.
q) Users must seek approval if they wish to take a mobile device or port a mobile number on their departure from the AICD.
r) Users are responsible for keeping assigned mobile devices up to date with the latest security patches released by their vendors.
2.4. Computer, Printing, Telephony, Fax Systems, and Equipment Use
a) Users must not use AICD computer, printing, telephony, fax systems, and networks to engage in any activity which causes, or could be construed as causing, any form of harassment, discrimination or victimisation of another person, including on the basis of:
- Race;
- Religious belief or activity;
- Age;
- Disability;
- Industrial association;
- Sexual activity/sexual orientation;
- Marital, parental or carer status;
- Physical features;
- Political beliefs or activity;
- Pregnancy;
- Gender;
- Criminal convictions; or
- Personal association with a person who has any of these personal characteristics.
b) Users must use AICD computer, printing, telephony, fax systems, and networks in an effective, safe, ethical and lawful manner. Misuse of AICD resources will be handled in accordance with HR disciplinary procedures.
c) AICD computer, printing, telephony, fax systems, and networks are to be used for business purposes in the course of normal day to day operations. Users are not permitted to use AICD data for personal reasons in any way.
d) Users who have a legitimate business need to copy information onto a USB storage device must take extra care, including adding password protection and/or data encryption when storing information on these devices due to their portability. Confidential information should not be copied to or stored on a USB storage device.
e) Users must not lend computers, portable devices, tablets, mobile phones, laptops or any other equipment that has been allocated to them by the AICD for business activities to anyone external to the AICD.
f) Any actions or activities, whether intended or accidental, which cause, or could cause, the computer systems, information or networks of the AICD to be compromised in any way are considered serious misconduct and will be handled in accordance with HR disciplinary procedures.
g) Laptops must not be left on desks after hours and are to be securely locked away or taken home at night.
2.5. Incident Reporting
a) Users must report all information security alerts, warnings or suspected vulnerabilities to the IT Service Desk and IT Security teams.
b) Any attempt to interfere with, prevent, obstruct or dissuade users that want to report a suspected information security risk or breach of this Policy is strictly prohibited and will result in disciplinary action.
2.6. Email and Communication Tools
a) The email system and other communication tools are predominantly for business use. Personal use must be reasonable and appropriate and not impact a user’s productivity, system performance or bring the AICD into disrepute.
b) Users must not use personal email accounts for business use. All business-related emails must be sent from the AICD domain.
c) Users must not send emails containing AICD business matters or data to personal email addresses unless specific approval is provided.
d) Sending or receiving email or collaboration tool messages with another user’s account, or reading another user’s email without that user’s permission, is prohibited. If there is a need to read another user’s email (e.g. while they are away or as part of a supporting role), delegated authority functions must be initiated by the owner of the email account or their manager and rescinded when no longer required.
e) The email system or collaboration tools must not be used for any unlawful activity and must not be used to compromise the security or operation of any computer system or network whether it is owned or managed by the AICD or not.
f) Users may not add personal email accounts (e.g. Gmail, Yahoo etc) to the corporate email application installed on their workstation.
g) Emails or messages sent through our collaboration tools may be monitored for compliance with this Policy and for system management purposes. The email system or collaboration tools should not be considered "private" and an authorised AICD user or management may, at any time, view emails, messages or content on the collaboration tools.
h) The email system and other communication tools are the property of the AICD and all messages sent or received by it, or stored within it, are owned by the AICD. The AICD reserves the right to access and disclose all messages sent over these systems if required by law or for valid business purposes.
i) Should users of the email system receive unwanted and unsolicited email (also known as Spam), they must not reply to the sender.
j) If a user has access to an AICD email account on his or her personal device and leaves the AICD without notifying the AICD to remove the email account manually, the AICD has the right to remotely wipe the device to destroy any AICD data. This command will wipe the entire device which includes a user’s personal data. The AICD is not responsible for any damage caused by this action including personal data loss.
2.7. Information Management
a) Information and intellectual property created, modified, saved, transmitted or archived using AICD systems remain the property of the AICD.
b) All work information and data must be stored in an approved system (internal or cloud) or file server (individual or team folder). All work-related documents, wherever possible, should be saved in the corporate Document Management System using the correct libraries, security settings and naming conventions.
c) Users must immediately report an actual or suspected data breach or loss in accordance with the AICD Data Breach Response Plan. The Data Breach Response Plan sets out the procedures and clear lines of authority for staff in the event that the AICD experiences a data breach (or suspects that a data breach has occurred).
d) Users must not delete or dispose of AICD data or information without the approval of the information owner.
e) Deliberately deleting the AICD's records with the intention to cause damage to the AICD is considered a serious breach of staff obligations. Such actions will be handled in accordance with HR disciplinary procedures.
2.8. Internet Use
a) The Internet is primarily available for business use. Personal use must be reasonable and appropriate, not impact user productivity or system performance or bring the AICD into disrepute. A web content control system monitors and controls website visits.
b) The AICD monitors and logs websites visited, files downloaded, and social networking accounts managed by the AICD.
c) Internet connections must not be used for any illegal or unethical activity or personal business activity and must not be used to compromise the security of AICD computer systems and networks.
d) Users must not subscribe to cloud computing services for business use without prior approval.
e) Internet security settings are configured in accordance with the AICD's security requirements and must not be changed by users.
f) The Internet shall not be accessed using another user’s login credentials.
g) Personal use of social media sites is permitted if use is reasonable, appropriate and does not impact a user’s productivity or system performance.
h) When using the AICD internet connection, users must not use social media to cause annoyance or anxiety, to harass, to defame or to transmit unsolicited commercial or advertising material.
i) Users are not permitted to create or maintain a blog, wiki or social media or networking site on behalf of the AICD without approval.
2.9. Legal Compliance
a) All intellectual property (including patents, copyrights, trademarks, inventions, designs or other intellectual property) created and/or developed by AICD's users in the course of their employment with the AICD is the exclusive property of the AICD.
b) AICD owns the contents of all data and information stored on its computer devices, systems and networks. The AICD has the right to access this information without prior notice to users.
c) The AICD and users are subject to Privacy and Spam legislation and users should be aware of their obligations in respect of managing and using information held in the AICD computer systems and networks, providing information to third parties, and sending commercial electronic messages.
d) This Policy must be read in conjunction with the AICD’s Privacy Policy, and users acknowledge that they must not unlawfully disclose personal information about AICD members and other users to external parties at any time.
2.10. Login Password Requirement
a) Users must create their password in line with the following requirements:
• Minimum 8 characters in length, containing at least 3 of the 4 requirements below:
- At least one uppercase letter;
- At least one lowercase letter;
- At least one number;
- At least one special character.
b) Users must change their login password when prompted by the system (every 270 days). Users will receive a notification to update their password 14 days in advance.
c) Users cannot create a new password that is identical to any of the previous twenty-four passwords.
d) User IDs and passwords must not be disclosed or shared with anyone.
e) Users must not write down their password and leave it in a place where unauthorised persons might discover it.
f) A forced password change will be initiated if there has been a compromise (or a suspected compromise) of computer systems or networks. If the user suspects that their password has been discovered, they must immediately change their password.
g) The maximum failed login attempts prior to an account being automatically locked is 3.
h) Locked accounts will remain locked for 120 minutes or can be unlocked by the Service Desk.
i) Users are responsible for all activity performed with their personal user IDs and passwords. Users must not allow others to perform any activity with their user IDs.
j) It is the responsibility of all staff to lock their computers and mobile devices when away from their desks or when leaving the devices unattended. A screensaver will be automatically enabled for all devices with no activity after 15 minutes.
2.11. Personnel Management
a) All breaches of the AICD’s policies and procedures will be handled in accordance with HR disciplinary procedures.
2.12. Remote Access
Staff working from home or in another remote working environment must take responsibility for protecting AICD Information from non-authorised parties. When using personal devices to access AICD cloud applications, such as email (MS Outlook) and collaboration tools (MS Teams, MS OneDrive), staff must take reasonable care and responsibility in handling AICD Information.
a) Remote users must not permit unauthorised persons, including members of their family, to access the AICD's computing or information resources from computers under their control.
b) All remote access must use two-factor identification in addition to user ID and password.
2.13. Working from home
a) Work-related information is to be adequately secured at all times.
b) Family and visitors must not have access to any work-related information and files.
c) Any work-related information removed from the office remains the property of the AICD.
d) Users are required to take all reasonable precautions to secure AICD equipment and information (both paper and electronic) located within their home.
e) A user’s obligation to maintain confidentiality in relation to AICD information continues while working from home and is the same as if working in the office. However, given the potential physical security risks, a user is required to take extra care to protect data under their control.
2.14. Right to Disable Access
a) The AICD has the right to disable a user’s access immediately and when requested by other authorised personnel.
2.15. Right to Investigate Users’ Access and Data
a) As needed or requested, and without notifying a user in advance, Digital has the right to access user data and/or emails within AICD computer systems and networks to investigate any suspicious activity. As such, users should avoid storing personal files, emails and other data on AICD computer systems and networks. The AICD has no obligation if a user’s personal files have been discovered or disclosed because of an investigation.
2.16. Third-Party Access to the AICD Network
a) Third-party access to AICD computer systems and networks will only be granted once approved by IT Security. Users must seek this approval before allowing third parties to access AICD data/information.
2.17. Breaches of this Policy
a) Failure to comply with this Policy may lead to disciplinary action, including dismissal. The AICD may terminate a user’s access immediately without notice.
3. Scope
This Policy relates to Workplace Participants as defined in Section 6.
4. Objectives
The objectives of this Policy are described in Section 1.
5. Responsibilities
All Workplace Participants are responsible for compliance with this policy.
6. Definitions
| Word/Term | Explanation (with examples if required) |
| --- | --- |
| Workplace Participants or “User” | Contractor (including Faculty), Consultant, Full-time employee, Part-time employee, Casual Facilitator |
| Mobile devices | Includes any portable devices such as mobile phone, tablet, and laptop |