UWA Logo
  Prospective Students | Current Students | Staff | Alumni | Visitors | About    
           
IT Services (ITS)
Home
Students
Staff
IT Support Staff
IT Service Desk
Contact ITS
Status & Notices
Forms
Policies
University Information Technology Regulations University Information Technology Regulations IT Regulations
University Information Technology and Communications Policies University Information Technology and Communications Policies ITC Policies
Appropriate UseAppropriate Use Appropriate Use Appropriate Use
Management, Support and TrainingManagement, Support and Training Management, Support and Training Management, Support and...
Security and ComplianceSecurity and Compliance Security and Compliance Security and Compliance
Privacy of Electronic MaterialPrivacy of Electronic MaterialPrivacy of Electronic Material Privacy of Electronic Material Privacy of Electronic M...
Online Credit Card TransactionsOnline Credit Card TransactionsOnline Credit Card Transactions Online Credit Card Transactions Online Credit Card Tran...
SPAM PolicySPAM PolicySPAM Policy SPAM Policy SPAM Policy
Take-Down ProceduresTake-Down ProceduresTake-Down Procedures Take-Down Procedures Take-Down Procedures
Guidance on Web Page Compliance with ESOS Act 2000Guidance on Web Page Compliance with ESOS Act 2000Guidance on Web Page Compliance with ESOS Act 2000 Guidance on Web Page Compliance with ESOS Act 2000 Guide on Web Compliance...
Policy on Security Contact ResponsibilitiesPolicy on Security Contact ResponsibilitiesPolicy on Security Contact Responsibilities Policy on Security Contact Responsibilities Security Contact Respon...
Software, Applications and InfrastructureSoftware, Applications and Infrastructure Software, Applications and Infrastructure Software, Applications ...
Other Relevant Policies, Information and GuidelinesOther Relevant Policies, Information and Guidelines Other Relevant Policies, Information and Guidelines Other Relevant Policies...
ITS Local Information Technology and Communications Policies ITS Local Information Technology and Communications Policies ITS Local ITC Policies
Audio Visual Unit Audio Visual Unit Audio Visual Unit
IT Governance (Intranet) IT Governance (Intranet) IT Governance (Intranet)
Strategy
Site Map

Privacy of Electronic Material

Approved by IT Policy Committee on 27-Feb-02, endorsed by Academic Council on 15-May-02.

Summary

1. The University will respect the privacy of individuals’ electronic material (eg email, disk files), using University computers and networks, and expects others to do likewise.
2. However, no-one has the right to absolute privacy of material on University IT systems.
3. Be sure you know just how much you can rely on the privacy of material on the IT systems you use (it can vary quite a bit).
4. Users should recognise that there may be occasions when even the most private of their material may become disclosed.
5. Staff with special privileges on IT systems should take special care to preserve the confidentiality of material they may see in the course of their duties.
6. Deliberate disclosure of anyone’s material should only take place in properly approved circumstances.

Details

1. The University respects and is committed to protecting the personal privacy of all members of the University (staff, students and visitors).  It intends to operate on the basis that any necessary disclosures of personal information will normally be made only with the informed consent of the individual.

2. The University requires all its members to adopt the same approach to the personal privacy of other members of the University.  In particular, all users of IT facilities, including staff involved in running IT facilities, must respect the privacy of any information they might encounter.

3. Notwithstanding the above, no-one within the University has an absolute right to prevent disclosure of electronic material where it is created by, held on or transmitted via University facilities.  As a responsible employer and corporate body, the University must retain the right to exercise control over its own affairs and those facilities, which may include at times the disclosure of any and all material relating to its operation or involving its property.  However, this right will only be exercised in keeping with this policy and the Guidelines set out in Appendix A.

4. The above general principles apply to general-purpose University IT infrastructure.  All departments and units providing local IT facilities must comply with them, unless they make it absolutely clear to users of those facilities that some other regime applies (which may provide more or less individual privacy on those facilities).  For example, if the default access to files created by users of a departmental Unix system is “world read” access, then this must be clearly communicated to all its users, especially new ones.

5. The University encourages users to be aware of the degree of privacy and security that can be attached to electronic material, especially when transmitted (eg via email), and of the measures that can be taken to minimise risk of disclosure or alteration.  Users of an IT facility should normally assume that all their data held on or processed by that facility are insecure and potentially accessible by others.  Indeed, electronic systems should not normally be used for holding highly sensitive or confidential information, unless appropriate actions (such as the use of encryption) are taken to secure the contents against disclosure, alteration and forgery.  Similarly, appropriate backup facilities should be used to safeguard the security of that information.  Guidelines for securing email transmissions are set out in Appendix C of the University’s Electronic Mail Policy.

6. In general, all electronic material of any consequence, and especially confidential material, should be properly filed and safeguarded;  if no suitably secure electronic filing system is available, then consideration should be given to printing out important documents and filing them in the normal fashion.  Archiving such documents is also important, and use of an approved electronic archiving system such as TRIM is recommended, including complying with the University Archivist’s requirements regarding classification and identification, etc.

7. Those responsible for an IT facility (eg systems administrators) must take seriously the need to protect users from violations of the privacy of their information held on or processed or transmitted by that facility.  They should ensure that there are appropriate regimes and systems in place to provide a suitable level of privacy and security, ensure that users are made aware of such systems, provide advice and/or assistance to users in making use of them, and monitor the overall security of the systems under their control to ensure breaches are avoided (as far as possible) and promptly addressed should they occur.

8. All staff with privileged access to an IT facility (eg systems administrators) must accept responsibility for the privacy and confidentiality of information that may be disclosed to them in the legitimate course of their work.

9. All owners of electronic material held on or processed or transmitted by a University IT facility should understand that there are some circumstances in which that electronic material may be disclosed to others;  sometimes this may be accidental, at other times it may be incidental to investigating some technical problem, and at other times may be deliberate and conscious.  All actions resulting in such disclosure must comply with the Guidelines set out in Appendix A.

Appendix A:  Guidelines for Disclosure of Electronic Material:

There will be occasions when electronic material (email, computer files, etc) may be seen by someone other than the owner or a person to whom the owner passes a copy.  In what follows, an “authorised person” for an IT facility is a person so designated in accordance with the Computer and Software Use Regulations.  There are several different possible scenarios in which electronic material may be disclosed, as follows:

Disclosure types:
(i) Email and/or its attachments gets accidentally routed to the wrong person (eg when replying to a list rather than an individual, or mistyping an email address, or a system malfunction occurs);
(ii) Files are seen accidentally by the authorised person of an IT facility in the course of monitoring network traffic or computer system behaviour (it would normally not be the contents of the files that are being examined, but the location, storage, volume, integrity, etc);
(iii) Files are seen or examined by the authorised person of an IT facility in the course of investigating a systems malfunction or suspected malfunction (sometimes it is only fragments of files that may be seen, and the owner’s identity may not be known – indeed, part of the investigation may involve a search for the owner);
(iv) A member of the University is absent and unreachable, and the business of the University is being impeded because relevant computer files are under the control of this member and normally inaccessible to colleagues;
(v) The files of a specific individual are examined in the course of investigating some breach or suspected breach of Regulations by that individual;
(vi) Other situations in which files are disclosed.

The following guidelines govern the actions of anyone who sees other people’s computer files under such conditions.

1. For all types of disclosure:

Except as provided for below, all members of the University, including authorised persons who possess special privileges in connection with certain computer or network systems under their control, must treat the contents of all files of other people as strictly confidential (except where the context clearly indicates that public viewing is expected);  this applies equally to any accidental disclosure of the contents.

2. For type (i) disclosure:

Anyone accidentally coming across or seeing apparently confidential electronic material should endeavour to notify the owner (if known) and should always treat its contents in strict confidence.

3. For types (ii) and (iii) disclosure:

(a) Normally, only properly authorised persons for a particular IT facility may undertake this activity.  Such persons have delegated authority to undertake this activity upon appointment;  sometimes this is made explicit in their duty statements, but in other situations it is implicit as part of their duties.
(b) All such persons must agree to abide by the confidentiality requirement in 1. above.
(c) Where someone other than the persons identified in (a) above has reason to carry out such work, then the explicit authority of that person’s Head of Department or equivalent must be obtained, except there the work is carried out in emergency conditions, when the Head must be notified as soon as possible thereafter.
(d) Duly authorised persons for particular IT facilities should normally confine their investigations to those facilities, except where explicitly invited by another Head to undertake such activity within that Head’s department or unit.
(e) For type (ii) and (iii) disclosure, it will not normally be necessary for relevant authorised persons to notify the owner of the material, if indeed they can be identified at all.  Authorised persons are expected to use their discretion and only need notify the owner where the circumstances seem to warrant it.

4. For type (iv) disclosure:

(a) In this situation, the Head of Department or equivalent of the missing person must explicitly authorise the examination of computer files by authorised persons.
(b) Detailed records of files examined or copied must be kept, and the missing University member notified as soon as possible on their return.
(c) Every reasonable effort must be made to contact the missing University member before this action is taken, and such efforts should be continued until they have been located or they return.

5. For type (v) disclosure:

(a) In the situation where there is reason to believe that certain electronic material may infringe the University’s Regulations or other applicable laws or policies, or in the pursuit of some other suspected infringement, then only the Registrar (in the case of students) or the Deputy Vice-Chancellor (in the case of staff and others) may authorise the computer files of an identified individual to be examined or copied, with or without the knowledge of the individual in question.
(b) The person undertaking the examination of those computer files must keep full records of all files examined and copied, and the names of anyone else who sees them or to whom they have been passed.
(c) In this situation, the normal procedures applicable to such suspected misconduct investigations will be observed.
(d) No investigation of this kind may be prolonged unduly.
(e) In circumstances where some external authority has required the disclosure (eg the Police, acting with proper authorisation), then the above procedures will be modified to comply with the normal procedures applicable to such actions.
(f) If a suspected case of infringement that requires urgent action is brought to the attention of authorised persons, they may undertake a preliminary examination of the user’s files in order to determine if there is sufficient evidence to warrant a full investigation as provided for in (a) to (e) above.  The procedures for obtaining authorisation for this preliminary investigation must follow those set out in (a) above, but if a timely response cannot be obtained from the relevant authority, then the authorised person’s Head of Department or equivalent or that person’s delegate may give authorisation.
(g) Note that none of the above shall be taken to abrogate the qualified privilege that applies to the correspondence and files of employee Unions.

6. For type (vi) disclosure:

In all other cases where disclosure may happen or be required, then action should be taken which is in keeping with the principles set out in the above five cases.


 
Top of Page