1. The University provides an Information Infrastructure and Services environment (IIS) to enable all members of the University Community to carry out their teaching, learning, research and administration functions securely and effectively.  Access to the IIS is made available from University provided computing and communications equipment and, for some services, is made available from privately owned, personal computing and communications equipment. 
2. The University maintains the integrity, security, confidentiality and availability of its information, and protects the IIS through ensuring appropriate access procedures and practices are undertaken by each member of the University Community. 
3. Each member of the University Community is expected to use the IIS responsibly, efficiently, ethically and legally. 
4. Each member of the University Community is expected to assure him or herself that systems and procedures are in place to maintain the integrity, security, confidentiality and availability of the University's information that they access. 
5. Each member of the University Community is expected to access the IIS and use the University's information within the limits of the authority under which he or she has been allocated access and for the purposes for which he or she has been granted access. 

Context

The University Community generates and sources research, teaching, learning and administrative information, data, records and transactions, both digital and in-print, which forms the University's "information".   The University's Information Infrastructure and Services (IIS) includes the computing and networking infrastructure, technologies and services involved in acquiring, creating, accessing, using, exchanging, transmitting and managing the University's information.  As well as enabling access to the University's information, the IIS facilitates communications, collaboration and interchange between members of the University Community and provides communications gateways to external contacts. 

To enable all members of the University Community to pursue their best work and within the ANU values of collegiality, academic freedom in the pursuit of knowledge, and the engagement with the scholarly world and wider community, access to and use of the University's information and IIS requires each member to meet the obligations set out in this Policy. 

This Policy addresses legal requirements to be met, both the internal University Rules and Statutes and, externally, the Laws relating to copyright, privacy, confidentiality, discrimination, archiving and specific areas such as anti-spam legislation.  Additionally, there are a number of other University Policies which have complementary obligations. 

This Policy is made under, and in accordance with, the University's Information Infrastructure and Services Rules, as amended from time to time.
 

User Responsibilities:

Each member of the University Community is permitted to use University's information and IIS subject to the following user obligations, which may be subject to qualification or modification either by authorisation by the University or a Responsible Officer, or as required by law:

1. using the IIS within the directions, limits and obligations of University Policies, Rules and Statutes.
2. using the IIS within relevant Federal, State and Territory law. Use of IIS may raise compliance issues around the following areas, including but not limited to, copyright, spam, privacy, discrimination, archiving, telecommunications, broadcasting, criminal law, freedom of information, and human rights and equal opportunity. A list of relevant external legislation is in the Appendix.
3. using software within the conditions of use specified in the software licence or within any licence agreement between the University and a software vendor. In particular, users shall not intentionally use illegal or pirated software; shall not copy software, except as permitted by the agreement, the licence or by law; shall not infringe copyright; and shall not distribute, share, broadcast, unicast or multicast content (such as music and other audio materials and video materials) or software.
4. not intentionally using another person's credentials, or impersonating or falsely representing oneself as another user.
5. not intentionally breaching , through the use of the IIS, the confidential information of others or the University. Note: information may still be considered confidential, whether or not protected by the computer operating system.
6. not intentionally breaching the privacy of others.
7. not intentionally spamming others for commercial purposes (eg, forwarding unsolicited mass e-mails or text messages, or harvesting e-mail addresses or other contact details). Note: "commercial purpose" is a legal term in the Spam Act, 2003 and users should contact the ANU Legal Office for guidance on this issue as required.
8. not using the IIS to harass, threaten, defame, vilify or discriminate on unlawful grounds.
9. not using the IIS to create, transmit, access, solicit publish or store electronic material that is obscene according to law. Where the use of the IIS involves use of potentially obscene material as a part of a program of education or research, users should consult the ANU Legal Office for guidance. It may be necessary for users to submit material which has literary, artistic or educational merit to the Office of Film and Literature Classification under the National Classification Code.
10. not intentionally damaging or destroying equipment used to access the IIS or any part of the IIS.
11. not intentionally attempting to breach IIS security to access information or other parts of the IIS which are outside the bounds of the assigned credentials.
12. not intentionally infecting or embedding the University's information and the software and systems within the IIS with malicious software (malware - including but not limited to viruses, trojans, worms, spyware, adware, botnets).
13. not intentionally connecting compromised or unapproved computer or communications equipment to the IIS.
14. not using the IIS for academic dishonesty, including but not limited to, plagiarism.
15. not using the IIS for personal business use or profit unless authorised to do so by the University's 52 day rule or other University consultancy policy.
16. not using the IIS in a manner which is inconsistent with the provisions of the ANU Code of Conduct.
17. not using the IIS for advertising, sponsoring or acknowledging non-ANU activities, without University authorisation to so do.

The following use obligations apply to all members of the University Community, except as otherwise authorised by the University as part of their support and management of the IIS:

1. not allowing or providing access to the IIS to persons outside the University Community.
2. not intentionally modifying or removing University information from the IIS.
3. not intentionally using the IIS to impede access and use for other University Community members.
4. not intentionally installing software on other persons' computers or communications equipment or the IIS.
5. not intercepting, monitoring or redirecting other users' information exchanges or transmissions.
6. not connecting any network devices to the IIS (whether wireless access points or fixed networking hub, switch or router).

Where a member of the University Community identifies a breach of this policy on unacceptable use, they should immediately notify his or her local Responsible Officer.
 

Disciplinary Procedures and Penalties for Unacceptable Use:

Disciplinary procedures, penalties and appeals procedures for unacceptable use are detailed in the University's Information Infrastructure and Services Rules, as amended from time to time.
 

University and Heads of Budget Unit Responsibilities:

The University and, where separately managed, Heads of Budget Units are responsible for:

1. designing, operating and managing the IIS to meet the needs of the University and the University Community.
2. ensuring the security, integrity, accessibility, authority and fitness for purpose of the University's information and IIS.
3. ensuring software used by the University Community is licensed.
4. backing up University data in University provided data storage repositories and taking appropriate actions to protect, preserve and maintain accessibility, the University's information and IIS.
5. optimising storage and deleting unwanted data, subject to any requirements under the Records and Archives Management Policy.
6. investigating non-permitted use of the University's information and IIS in accordance with the University's Monitoring & Privacy of Electronic Information Policy.
7. initiating procedures for disciplinary action detailed in the University's Information Infrastructure and Services Rules, as amended from time to time.
8. applying the security management, systems management and network management protection strategies identified in the University's Information Infrastructure Security and Network Access Policies, including the monitoring of traffic and the application of access blocks for suspected unacceptable use.
   

Vestment of Responsibility:

The University responsibilities identified in this Policy are vested with the Division of Information.  Responsibilities identified in this Policy that are authoritatively provided by Heads of Budget Units are the responsibility of each Head of Budget Unit.

Definitions:

Accounts: are services created on computing facilities, from desktop to centralised facilities, allowing an authorised user to access that facility via a login process, and possibly modify information on that facility. 

Attributes: are items of information about a user, describing features such as:

• personal information (for example, birthday, gender, postal address);
• role-based information (for example, staff, student, tutor, Convenor, College, courses, group membership);
• University information (for example, campus address, email-alias (first.last@anu.edu.au) telephone number, videoconferencing identifier);
• Accreditation information (for example, degrees conferred, course results).

Attributes have authoritative sources within the University, with associated responsibilities and delegations.

Authentication: is the process of testing for the identity of a user, usually through possession of knowledge, such as a password, or possession of an item, such as a smartcard, one-time-key generator or similar.

Authorised user:  is a person defined under Rule 6 of the Information Infrastructure and Services Rules, and includes University staff, students, visitors with a currently active user account. 

Computer and communications equipment: is equipment, whether University owned or personally owned which is used to access the IIS (both via fixed communications or via wireless communications) and includes, but is not limited to desktop computers, laptops, PDA's, mobile phones, telephones, facsimile machines and networked computer peripherals such as printers, scanners, photocopiers.  

Credentials: are a set of information elements that are linked to a known user's identity. These elements may include passwords, one-time-keys, biometrics, etc, attributes associated with the identity, and their relation to specific system accounts and service interface points.

Identity: refers to a particular user, indicating a particular person who is associated with that user's identifiers, attributes and accounts. 

IIS:  (Information Infrastructure and Services) includes the University's computing, data storage and networking infrastructures, technologies and services involved in acquiring, creating, accessing, using, exchanging, transmitting and managing the University's information. 

Responsible Officer:  is a person or persons in whom the University has vested the authority to make certain decisions and/or undertake certain activities relevant to this Policy.

University Community:  includes staff, students and visitors of the University and are, according to their credentials, authorised users to all or part of the University's information and IIS.

Visitors: are authorised users who are within the University Community, but who are not ANU staff or students, who have been approved by a Head of Budget Unit to have access to specific information infrastructure and services. This term replaces the term Affiliate.

Appendix of Relevant Legislation:

Copyright Act 1968 (Cth)

Discrimination Act 1991 (ACT)

Freedom of Information Act 1982 (Cth)

Privacy Act 1988 (Cth)

Spam Act 2003 (Cth)

Telecommunications Act 1997 (Cth)

Telecommunications (Interception and Access) Act, 1979 (Cth)

Note: users should contact the ANU Legal Office for further guidance on the nature and extent obligations in relation to lawful use of IIS.