This policy is for staff, contractors, volunteers, fellows, vendors, and members of the Library Council of NSW to know their responsibilities when using State Library ICT resources.
Policy Document No: PD/53
Policy owner/sponsor: Director, Digital Experience, & CIO
Branch contact: Manager, Digital Strategy & Innovation
Prepared by: Strategy & Policy Coordinator, Digital Innovation & Strategy
Approved by: Executive Committee
Date approved: 24/09/2019
Next review: 24/09/2022
The purpose of this policy is for staff, contractors, volunteers, fellows, vendors, and members of the Library Council of NSW (hereafter referred to as users) to know their responsibilities when using State Library ICT resources. It ensures that the use remains legal, ethical and consistent with the aims, values and objectives of the Library. It is designed to protect the Library and users from negative consequences resulting from unauthorised usage.
This policy applies to all staff, contractors, vendors, fellows and volunteers. It applies to the use of the Library’s ICT resources on-site or remotely. A separate policy governs the use of Library ICT by readers and visitors.
State Library ICT resources are for work use, and their usage should be legal, ethical, efficient and economical. Users are accountable for their use of ICT resources and are responsible for the security of sensitive, confidential or personal information when using ICT resources.
This policy must be read in conjunction with the Library’s Code of Ethics & Conduct, Social Media Policy, and the Information Security Policy.
1. Use of State Library’s ICT resources
The Library is committed to enabling users to do their work as effectively as possible by providing ICT resources that are fit for purpose.
Users must not use the Library’s ICT resources in a way that:
- damages the Library’s reputation;
- damages data, equipment, or network services;
- is misleading or deceptive;
- results in victimisation, discrimination or harassment;
- may lead to criminal penalty or civil liability (e.g. unauthorised access or breach of copyright); or
- may be found to be offensive, obscene, threatening, abusive or defamatory.
The Library allows limited personal use of ICT resources and services, provided it is infrequent, brief, involves minimal cost and does not interfere with work performance. Users must take full responsibility for any personal loss or damages that may occur whilst using ICT resources for personal purposes.
Users must not use Library ICT resources for non-Library commercial activities, including any approved secondary employment.
2. Identity Management and Passwords
Access to essential services, including network access, email, calendar, and documents, requires universal and centralised identity management. Single Sign-On is used to improve security and reduce the burden for users to remember or record many passwords. Multi-factor authentication should be required to access essential services.
Passwords should be created according to guidelines attached to this policy. Passwords may not be written down and kept in an accessible location, e.g. sticky note under the monitor. Passwords must not be shared. If shared access to Library accounts is required (e.g. social media and applications), a Library provided password management tool must be used to avoid sharing personal passwords.
Emails providing evidence of decisions are official records under the State Records Act, 1998. These emails must not be deleted until they are added as a record in the Library’s records management system.
- must not use private email accounts to carry out the business of the Library;
- must not use their Library email address to register for or manage personal matters, for example, social media, banking or online dating; and
- should know that external emails sent will automatically append the Library’s standard signature.
Users may delegate access to their email and calendar to another user, and are responsible for monitoring and removing access when it is no longer required.
Only approved users may send emails using the All Staff email list. This list must not be used for personal or social use, other than by the Social Club.
4. Access to another User’s Office 365 Accounts
Users may provide other staff with access to their documents and information using share and delegation functions within their Office 365 accounts. Users are responsible for monitoring and removing access whenever such access is no longer required.
Staff requiring access to another user’s Office 365 account without the account owner’s consent will require State Librarian approval.
ICT Service Desk staff do not have access to contents in users’ Office 365 accounts, such as email, calendar details or OneDrive documents.
5. Installing and Updating Applications on Library Devices
The Library uses a centralised software management system to install and update applications on Library devices. Staff do not have administrative access to install or update applications on Library computers and should submit requests to Service Desk when needed. Some applications can avoid or circumvent these installation restrictions. If users download or install any applications on Library devices, they are responsible for these applications which are unsupported by Service Desk.
Some Library devices, such as mobile phones, may permit users to install and update applications. In these cases, users should only install from trusted app stores and should consider the permissions an app requests to the device and its data before downloading and installing. Users are similarly responsible for these applications, which are unsupported by Service Desk. If in doubt, users should seek assistance from the ICT Service Desk.
The State Library’s computerised systems record information necessary to deliver services. These include device usage, telephone logs and internet traffic. These system logs are not routinely used for surveillance, although they are accessed regularly to maintain systems, ensure information integrity, protect staff accounts from compromise, plan for and implement improvements, troubleshoot reported system issues and other regular ICT management activities. The content of emails and documents is not viewable via these logs.
However, the Library may use this information in extreme cases, such as when directed in a law-enforcement-led investigation, to monitor a user’s ICT usage. Any surveillance undertaken will be in strict compliance with the NSW Workplace Surveillance Act 2005.
7. ICT Acquisition
The acquisition and purchasing of ICT must be mediated by ICT Services to maximise value for money; meet probity, fairness, and legal compliance requirements; capitalise on past investments; ensure that support, maintenance and end-of-life are practicable; comply with privacy, information security and management requirements; comply with NSW ICT procurement directives; enable data and information to be leveraged appropriately; and offer staff a more consistently designed user experience.
Acquisition of ICT is often procured through formal request for quotation procedures but may also be “free” or purchased through a subscription using a credit card.
Acquisition of ICT Resources (see definition), including the following, must be requested or mediated through the ICT Service Desk:
- ICT infrastructure, e.g. telecoms, data centre, storage, networking, compute
- Hardware, e.g. PCs, laptops, mobile phones, printers, tablets
- Software, e.g. applications, online or downloadable apps, software-as-a-service
- Systems, e.g. computer-based training, survey systems, resource management and workflow systems, ERP or corporate shared services, analytics
- Digital or IT professional services or contingent workers, e.g. designers, developers, user experience, audit, digital agency, architecture, solutions
- Connected devices – devices with the ability to transfer data, e.g. wireless sensors, network-connected displays, smart lighting and speakers, smart building automation, and Internet of Things (IOT)
8. Remote access
Users can remotely access Library systems initially designed only for onsite access, such as the intranet, enterprise resource planning system and file sharing services, through a Library-provided remote access service. This service enables a secure connection remotely from any device.
9. Bring your own device
Users can use their own private device to access their work email, calendar, and documents in the Library’s Office 365 suite; this access requires multi-factor authentication.
10. Relocation of Technology and ICT equipment
The relocation of desktop PCs and landline telephone handsets should only be carried out by the Service Desk.
11. Care of Technology and ICT Equipment
Users are responsible for the physical condition and security of Library equipment assigned to them. Portable devices should not be left unattended. Users should shut down their computers at the end of their workday for security and maintenance purposes.
Staff must report loss or damage to ICT equipment to the Service Desk immediately.
12. Clean Desk / Clear Screen
Users should remember that Library accounts and devices may provide access to sensitive, confidential or personal information and should therefore adopt a clear desk and clear screen practice. Computers should be “locked” when unoccupied. Refer to the Information Security Policy.
Use of communication devices must comply with the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002.
Users are responsible for understanding and complying with the privacy principles in both Acts and the State Library’s Privacy Management Plan.
14. Right to information
Information pertaining to the provision or use of ICT resources may be released, subject to consultation, in response to an application request made in accordance with the Government Information (Public Access) Act 2009.
The State Library is required to comply with the State Records Act 1998 including Standards and Disposal Authorities issued under the Act.
Electronic files that constitute a decision, online forms, all electronic business transactions and messages are corporate records.
Legitimate work activities that would likely breach this policy, for example, working with defamatory or obscene materials for collection purposes, require prior approval from their director.
Breaches of Policy
A breach of this policy may amount to misconduct. Action may include counselling, the removal of access to ICT resources, and bearing costs arising from the breach. Serious breaches may constitute misconduct and will be dealt with under section 69 of the Government Sector Employment Act 2013.
Unlawful conduct will be reported to the relevant authorities and legal proceedings may be undertaken against the user.
A breach of this policy by a contractor or consultant may be regarded as grounds for immediate termination of contractual arrangements with the Library.
All Library users, contractors, vendors, fellows and volunteers are responsible for complying with this policy.
Managers and People Leaders are responsible for:
- ensuring users comply with the policy;
- reviewing relevant approval requests;
- reporting all policy breaches to the Manager, ICT Services;
- informing the Privacy Contact Officer of any breach of privacy.
Directors are responsible for:
- reviewing, approving and recording exceptions to this policy;
- ensuring users comply with the policy;
- reviewing relevant approval requests.
The Manager, ICT Services, is responsible for:
- effectively communicating the policy to all users;
- reviewing relevant approval requests;
- implementing procedures and managing resources to support this policy;
- taking action on reported breaches including escalation to the Director, Digital Experience & CIO.
The Director, Digital Experience & CIO is responsible for:
- reviewing the policy to support the corporate strategy and meet business needs;
- reviewing the policy to comply with NSW Government ICT policies and strategies, and industry best practices;
- assessing and acting on breaches of the policy, including tabling serious breaches to the Executive Committee.
The Executive Committee is responsible for:
- endorsing the policy;
- reviewing serious breaches of the policy and determining the plan of action or recourse.
Relevant Legislation and Policy
The most relevant legislation follows:
- Copyright Act 1968 (Cth)
- Electronic Transactions Act 2000
- Evidence Act 1995
- Government Information (Public Access) Act 2009 (NSW)
- Government Sector Employment Act 2013 (NSW)
- Government Sector Employment Rules 2014 (NSW)
- Health Records and Information Privacy Act 2002 (NSW)
- Privacy and Personal Information Protection Act 1998 (NSW)
- Public Sector Employment and Management Act 2002
- State Records Act 1998 (NSW)
- Workplace Surveillance Act 2005 (NSW).
Related State Library policies are:
- Code of Ethics & Conduct
- Information Security Policy
- Social Media Policy
- Privacy Management Plan
- Records Management Policy.
Definitions, abbreviations and acronyms
1. ICT (Information and Communications Technology) is an umbrella term for any technology that provides functions for computing, information, and communications.
2. The term ‘State Library ICT resources’ includes but is not limited to the following categories:
- software and applications (including desktop and cloud services)
- corporate and business systems (email, library systems, security systems, ERP)
- computers and desktop devices (user workstations or in common areas)
- mobility devices such as laptops, tablets, mobile phones and mobile Wi-Fi / broadband
- multifunction devices, printers, scanners, videoconferencing units and telephones
- internet and network access, both wired and wireless
- connected resources and equipment (e.g. network drive, intranet, digital storage, databases, APIs and internet-connected appliances)
- computing devices with special functions such as digitisation and 3D printing.
3. Personal use means all non-work-related use of State Library ICT resources and includes internet usage and private emails.
4. Cloud services are ICT services provided via the Internet as opposed to being provided from the organisation’s own on-premise servers. They include the Microsoft O365 suite, and a wide range of software and services: e.g. analytics, file sharing and storage, scheduling tools, project management software, videoconferencing and social networking. Common categories of cloud service are Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).