Governance

Policies and procedures

Policy No.
UP07/45
Function
Information Management
Authoring Organisational Unit
Information Technology - Central Unit
Date Approved
Revised 20/02/2014
Next Review Date
20/02/2016
Approving Body
Vice-Chancellor

The University of Western Australia

University Policy on: Privacy of Electronic Material

Purpose of the policy and summary of issues it addresses:

This policy outlines the principles and procedures regarding the privacy of electronic material on University computers and networks. It informs users of privacy, confidentiality and security issues and describes scenarios where electronic material may be disclosed, either by accident or intention.

Definitions:

Authorised person for an IT facility is a person designated with authority in accordance with the Computer and Software Use Regulations.

Disclosure is that which is exposed, seen or revealed.

Electronic Material is material such as email and files located on, or sent to and from, computers and networks.

Members of the University include staff, students and visitors.

TRIM is Total Records and Information Management, the University's records management system for electronic documentation.

Policy statement:

The University respects the privacy of staff, students and visitors in their use of University IT systems. However, no user can be guaranteed absolute privacy. The University retains the right to exercise control over its IT operations and, as such, personal information may be viewed by an authorised person for an IT facility, staff with special privileges; or may be viewed by other users accidentally (e.g. a wrongly addressed email). In all cases, confidentiality is expected and disclosure of material should only take place in approved circumstances.

The following principles and procedures define the underlying rules regarding the privacy and disclosure of electronic material.

1. Privacy is respected.

1.1 The University respects the privacy of all its members. This extends to the respectful and confidential practice regarding private electronic material.

1.2 The University expects all its members to respect the privacy of other members of the University.

2. Privacy cannot be guaranteed where electronic material is created, held, or transmitted on University facilities and users should recognise there may be occasions when even the most private of their material may become disclosed.

2.1 Users should be aware of privacy and security issues surrounding electronic material, particularly when transmitted by email or other forms of online communication, and are urged to minimise the risk of disclosure.

2.2 Users should normally assume that all data held on an IT facility is insecure and potentially accessible by others.

2.3 It is recommended that highly sensitive or confidential electronic material is stored elsewhere unless appropriate action is taken to secure the content against disclosure, alteration and forgery. If no suitable electronic filing system is available, then consideration should be given to printing and filing confidential documents instead.

2.4 Confidential electronic documents are required to be archived using an approved electronic archiving system such as TRIM and need to comply with the University Archivist's requirements regarding classification, identification, etc.

2.5 Appropriate backup facilities should be used to safeguard the security of information. Guidelines for securing email transmissions are set out in Appendix C of the University's Electronic Mail Policy.

2.6 IT system operators and administrators are required to protect users from privacy violation and to ensure appropriate systems are put in place to provide a suitable level of privacy and security.

2.7 The University retains the right to exercise control of its IT operations.

3. University staff, students and visitors are obliged to respect the privacy of any information they may encounter during the course of their work.

3.1 Authorised IT staff from University departments and units may encounter users' electronic material when performing authorised IT procedures.

All authorised staff with privileged access to an IT facility must accept responsibility for the privacy and confidentiality of information that may be disclosed to them in the legitimate course of their work.

3.2 Where a member of staff is absent or unreachable and inaccessibility to their electronic files impedes the business of the University, a colleague may access the staff member's electronic material with authorisation from the Head of Department or equivalent.

3.3 Where there is reason to believe that certain electronic material may infringe the University's Regulations or other applicable laws or policies, a user's files may be examined, with appropriate permission.

3.4 All departments and units providing local IT facilities must comply with the general principles outlined in this policy. If some other system applies where more or less privacy is provided (ie default 'world read' access created in department Unix systems) then users must be informed.

3.5 Any University member who has viewed private electronic material is required to treat the content as strictly confidential.

4. Deliberate disclosure of personal material may only take place in approved circumstances.

4.1 There are a number of intentional and accidental disclosure types that are provided in Appendix A. Guidelines for dealing with disclosure are also set out in the appendix.

Appendix A: Disclosure of electronic material

There will be occasions when electronic material including email, computer files and other may be seen by someone other than the owner or intended recipient. There are several scenarios in which electronic material may be disclosed. These scenarios follow:

Disclosure types

i. Email is sent accidentally to the wrong person. (This can happen when replying to a list rather than to an individual, by mistyping an email address, or when a system malfunction occurs.)

ii. Files are seen accidentally by the authorised person of an IT facility in the course of monitoring network traffic or computer system behaviour. (In this scenario it would not normally be the contents of the email that is being examined, but the file location, storage, volume, integrity etc.)

iii. Files are seen or examined by the authorised person of an IT facility in the course of investigating a systems malfunction or suspected malfunction. (In this scenario it could be that only fragments of files are seen and the owner's identity may not be known. Part of this investigation may involve a search for the owner.)

iv. A member of the University is absent and unreachable and University business is impeded. A colleague may require access to the absent member's files.

v. The files of a specific individual are examined in the course of investigating some breach or suspected breach of Regulations by that individual.

vi. Other situations in which files are disclosed.

The following governs the actions of anyone who views another's computer files under such conditions.

1. For all types of disclosure

All members of the University, including authorised persons who possess special privileges in connection with certain computer or network systems under their control, must treat the email and file contents of others as strictly confidential. This applies equally to any accidental disclosure of content.

Exceptions apply where the content clearly indicates that public viewing is expected, or in special circumstances as outlined below.

2. For type (i) disclosure

Anyone who receives an email in error should notify the owner (if known) and should treat content as strictly confidential.

3. For types (ii) and (iii) disclosure

a. In usual circumstances, only authorised persons for a particular IT facility may undertake this activity. Such persons have delegated authority to undertake this activity upon appointment: either outlined in their duty statement or as an implicit part of duties.

b. Authorised persons must agree to abide by the confidentially agreement requirement outlined in point 1 above.

c. Where someone other than an authorised person as outlined in (a) above has reason to carry out such work, the Head of Department or equivalent must provide explicit authority. If the work is carried out in emergency conditions, the Head must be notified as soon as possible thereafter.

d. Duly authorised persons for particular IT facilities should confine investigations to those facilities except where explicitly invited by another Head to undertake activity in that Head's department or unit.

e. For type (ii) and (iii) disclosure it would not normally be necessary for relevant authorised persons to notify the owner of the material, if indeed the owner can be identified at all. Authorised persons are expected to use their discretion and only need notify the owner where the circumstances seem to warrant it.

4. For type (iv) disclosure

a. In the situation of an absent member, the Head of Department or equivalent of the absent person must give explicit permission for the examination of computer files by another staff member or authorised person.

b. Detailed records of files examined or copied must be kept, and the absent University member must be notified as soon as possible on their return.

c. Every reasonable effort must be made to contact the absent University member before this action is taken and such efforts should be continued until the member has been located or has returned.

5. For type (v) disclosure

a. In the situation where there is reason to believe that certain email or other electronic material may infringe University Regulation or other applicable laws or policies, or in the pursuit of some other suspected infringement, then only the Registrar (in the case of students) or the Deputy Vice-Chancellor (in the case of staff and others) may authorise the email or computer files of an individual to be examined, with or without the knowledge of the individual in question.

b. The authorised person examining computer files must keep full records of all files examined and copied, in addition to names of others who have viewed or who have been sent the files.

c. In this situation, the normal procedures applicable to such suspected misconduct investigations will be observed.

d. No investigation of this kind may be prolonged unduly.

e. In circumstances where some external authority has required the disclosure (eg. the police, acting with proper authorisation), then the above procedures will be modified to comply with the normal procedures applicable to such actions.

f. If a suspected case of infringement that requires urgent action is brought to the attention of authorised persons, they may undertake a preliminary examination of the user's files in order to determine if there is sufficient evidence to warrant a full investigation as provided for in (a) to (e) above. The procedures for obtaining authorisation for this preliminary investigation should follow those set out in (a) above, but if a timely response cannot be obtained from the relevant authority, then the authorised person's Head of Department or equivalent, or that person's delegate, may give authorisation.

g. Note that section 5 still pertains to the qualified privilege that applies to the correspondence and files of employee Unions.

6. For type (vi) disclosure

In all other cases where accidental or intentional disclosure may occur, then action should be taken which is in keeping with the principles set out in the above five cases.

Related forms: (Link)

TRIM File No:

F3606

Contact position:

Information Services Policy Officer

Related Policies or legislation:

Computer and Software Use Regulations