1. Access to Documents Stored Electronically

With the increasing use of information technologies to store, transmit and share documents there is greater potential for people, other than the author or members of a work group, to have access to such documents than would be the case if they were in printed form. This statement has been prepared as a reminder to anyone who, whether in the course of their duty, or accidentally, has or gains access to documents which for one reason or another are confidential, that they should respect the privacy of the author and not read, copy or disclose their contents.

The only exceptions are where there is a suspected offence or where a staff member is absent on leave and colleagues need access to working documents.

a) A Suspected Offence Involving Information Technology Services

Where it is necessary to investigate a suspected offence involving use of Information Technology services, Information Technology staff may be requested to gain access to documents stored on a server or individual machine. (See Item 2 below for reference to statistical information.) In this circumstance the person who is investigating the suspected offence must first obtain the permission of the Vice-Chancellor (or his/her delegate). When such permission is obtained, the member of staff, student or visitor under investigation must be informed in writing of that decision at the time the decision is implemented.

b) Staff Member or Official Visitor Absent

Where a member of staff (or official visitor) is absent and unable to be contacted, and where a work area needs access to a document stored on a server in an area reserved for that person, or on an individual machine, the supervisor of that staff member must be consulted and agree before documents are accessed. If in the course of accessing a document, a staff member sees other documents which are unrelated to the matter in hand or confidential (eg. references, commercial-in-confidence material etc.) they must not read, copy or disclose this information. As a matter of courtesy the staff member should be advised on their return that documents for which they are responsible have been accessed.

2. Network Monitoring

In order to manage the campus network and associated network services (eg. capacity planning, charging), the University monitors traffic volumes on the University Campus Network and use of specific network services. The following are regularly monitored by the providers of such services:

• Usage of caches, both by files accessed and by network addresses accessing the caches. To maintain the privacy of individual web searching, such monitoring does not usually correlate which addresses accessed which files.
  

• Use of news servers, both by accesses to newsgroups and by network address accessing the servers, again not usually correlating particular newsgroups to particular network addresses.
  

• Electronic mail traffic through central servers, recording source and destination addresses of messages, but not message content.
  

• The University also logs items such as access to laboratories by use of a student card, access to buildings by staff using a University security card, logins to and information flow from servers, failures and security reports on all centrally managed systems.

The statistical information in the logs obtained by these monitoring operations is used by many of the University's Information Technology staff as part of their normal duties, principally for capacity planning, performance measurements and accounting. Information Technology staff are required to keep log data secure, retain it only so long as there is a need and dispose of it in a secure manner.

However where there is an offence, or a suspected offence, involving University IT networked services, the University has the right to inspect individual University-owned machines and servers, and privately owned machines connected to a network point in a University building (see 3. below), along with the contents of all files, messages and logs contained on those machines and servers, and make whatever correlation is required to determine if an offence has been committed. The process for obtaining permission to undertake such inspection is the same as outlined under 1(a) above.

3. Private Machines Connected to the University Network

The University allows students, staff and visitors to connect privately-owned machines to University network services, either directly or via a dialin service. However, to protect the network, and users, from security or other breaches it is necessary that the University be able to apply the same conditions of use as it does for University-owned equipment.

By connecting a private machine to the University's network, eg in a Hall of Residence or College, in a University building or via a dialin service, students, staff and visitors have acknowledged that they will be bound by the University's conditions of use of IT Services and, in particular, the network and network services. By so doing the student, staff or visitor acknowledges that the network traffic generated by that private machine is generated in pursuit of their work or studies at the University. While that traffic is traversing the University's network, it is subject to the same monitoring as traffic originating from University-owned machines and servers.

4. Privacy Act 1988

Where there is occasion for the Vice-Chancellor to approve the examination of information stored electronically, the staff member who undertakes the examination is bound by the provisions of the Privacy Act 1988, except in regard to its disclosure for purposes of substantiating a contravention.

5. Comments and Interpretation

Anyone wishing to comment on the Monitoring and Privacy of Electronic Information, to lodge a complaint, or to report a suspected offence, should contact the Director, IT Services; email Director.ITS@anu.edu.au; Telephone 6125 4519.

Notes:

1. If a student, member of staff or official visitor is alleged to have committed a criminal offence the Vice-Chancellor, or his or her delegate, will if appropriate, refer the matter to the police.

2. The Vice-Chancellor has delegated matters concerning members of the academic staff or official visitors to the Deputy Vice-Chancellor. The Director, IT Services has been delegated to deal with matters concerning general staff and students.

3. Associated Documents

The Information Technology Services Rules and Orders contain details of University policy on use of IT services including penalties and appeal provisions. These documents may be viewed on ANU Online under the Policy section on the IT Services page. The University's policy on confidentiality of personal information is defined in the University's "Statement on the Collection, Use and Control of Personal Information" (approved by Council, paper 834/1994) and "Statement to Students on Confidentiality of Personal Information" (326/1993).