ICT Resource Usage Policy - goldcoast.qld.gov.au · according to the ICT Resource Usage Policy, other relevant policies, and associated policy instruments. • Engaging Officer –

Information and Communication Technology (ICT) Resource Usage Policy

Printed copies are uncontrolled. It is the responsibility of each user to ensure that any copies of policy documents are the current issue

Page 1 of 4

DETAILS Council Admin

Effective from: 30 October 2018 Contact officer: ICT Governance and Policy Officer, Business Innovation and

Technology Services Next review date: October 2020 File reference: IM634/171/06 iSpot #

This policy 22850062 Value Proposition 43575227

OBJECTIVES AND MEASURES Objectives To ensure that Council of the City of Gold Coast (Council) ICT

resources are used: • Appropriately and efficiently; • To assist Council to effectively deliver quality, value for money

services; • To not create or increase risk to Council, Council employees,

Councillors, contractors and third parties; • In accordance with other policies, legislation, standards, and

business best practice; and • Managed with sound consistent governance across Council.

Performance measures • Telephony, remote access and mobile device usage and cost patterns are monitored and reviewed to produce measurable management of costs.

• Satisfactory compliance with software audits with regard to software licensing and device compliance.

• Incidence of attacks upon Council systems and malicious software introduced through inappropriate or unauthorised usage is minimised through user awareness of responsibilities and obligations.

Risk assessment Medium

POLICY STATEMENT Council ICT Resources are to be used in an ethical and efficient manner within a sound governance framework, thereby enabling Council’s assets to be appropriately managed within acceptable risk tolerances. A key underpinning goal of this approach is to ensure users of ICT resources behave in ways that support the business activities of Council. This policy aligns with Queensland Governments Information Standard - IS 38 – Use of ICT Facilities and Devices. The provision of Council owned ICT resources including Internet, email facilities, telephony and devices are to be used for officially approved purposes. Limited personal use of ICT resources is available only in accordance with the uses outlined in this policy. Council employees, consultants, contracted external service providers and Councillors are all required to use Council ICT resources in accordance with this policy and the applicable Code of Conduct. All access to ICT resources is granted on the basis of business need and may be revoked at Management discretion.

All ICT resource users must be aware of: • Types of ICT resources (as defined in Appendix I); • Authorised, unauthorised, and unlawful/criminal use of Council resources (as defined in Appendix C);

and • Business rules regarding use of each resource (as defined in Appendices D – H).



Page 2 of 4

Serious breaches of this policy will be referred to Integrity and Ethical Standards Unit & Security for consideration and action taken in accordance with Council’s Disciplinary Policy and Procedures. Reference is also made to the Portable and Attractive Items Policy for employee obligations regarding management of applicable items, as described in this related policy.

SCOPE This policy applies to all Council employees, consultants, Councillors, contracted external staff, patrons and/or service providers. Note while the policy is now Administrative any amendments to the policy as it applies to the Councillors will need to be considered by Council. See Council Decision GA16.0125.007

EXEMPTIONS Access to Council owned or provided public computers by Council patrons is beyond the scope of this policy and is covered in the document Library Services Operational Guidelines: Use of Public Access Computers. Usage of Council public access kiosks is beyond the scope of this policy.

DEFINITIONS See Appendix I - Definitions

RELATED POLICIES AND DELEGATIONS This policy is aligned with the Queensland Government’s approach to use of ICT resources provided through Information Standard 38 – Use of ICT Facilities and Devices. Other related polices and legislation is listed below.

LEGISLATION Commonwealth Legislation

• Australian Copyright Act 1968 - proscribes the copying of software or data files (including text, sound and images) in the absence of a licensing arrangement;

• Crimes Act 1914 - describes procedures related to dealing with a crime; • Cybercrime Act 2001 - deals with a range of computer related offences; • Privacy Act 1988 - introduces principles related to protection of personal information; and • SPAM Act 2003 – which proscribes the sending of SPAM messages.

Queensland Government Legislation • Crime and Corruption Act 2001 - establishes a commission to reduce the incidence of corruption in the

public sector. Council must preserve and make information available for this Commission so that it can be effective in its investigations;

• Copyright Act 1968 - is an Act relating to copyright law; • Criminal Code Act 1995 - proscribes computer hacking and general misuse; • Electronic Transactions (Queensland) Act 2001 - refers to the integrity of information and requirements

to keep information associated with the need for businesses and the community to use electronic communications when dealing with government bodies;

• Evidence Act 1977 - defines what must be preserved as evidence related to government activities; • Information Privacy Act 2009 - ensures the security and protection of personal information and restricts

the collection, use and disclosure of information about an individual; • Right to Information Act 2009 - makes particular types of information concerning government

documents available to members of the community in order to ensure such information is timely and accurate;

• Local Government Act 2009 - requires local government employees not to willfully destroy or damage Council records;



Page 3 of 4

• Public Records Act 2002 - states the responsibilities of government in the management of corporate

records - particularly with regards to security; and • Public Sector Ethics Act 1994 - states the responsibilities public officials have in ensuring that public

resources are not wasted, abused or improperly used.

SUPPORTING DOCUMENTS Council Policies and Reference Documents

• Code of Conduct for Employees – states Council’s standard for ethical behaviour for employees; • Disciplinary Policy - provides a fair and reasonable process for the investigation and management

of unacceptable performance and suspected breaches of Council’s Code of Conduct for Employees Policy.

• Fraud and Corruption Control Policy - assists Council to minimise the risk and consequences of unethical practice or fraud in or on Council or its programs;

• Expenses Reimbursement and Provision of Facilities for Councillors and Mayor 2009; • Good Working Relationship Policy – establishes Council’s standards to limit discrimination

(sexual, disability, racist) and harassment; • ICT Security Policy – states Council’s position with respect to securing access to Council systems

including reference to private or confidential information; • Information Management and Information Privacy Policy – defines Council’s requirements for

recordkeeping and managing personal information; • Right to Information and Information Provision Policy – defines Council’s position on the release and

provision of information and the requirements under the Right to Information Act 2009. • Library Services Operational Guidelines: Use of Public Access Computers. • Portable and Attractive Items Policy – establishes policy, standards and guidelines for the ethical use

and protection of portable and attractive items; • Corporate Security Policy – formalises key protective security measures; and • Working From Home Policy – provides flexible working arrangements to assist employees to balance

the demands of work with their family and/or personal responsibilities. • Excluded Call Types – provides detail on the current list of call types excluded from Council’s current

mobile access fees.

Mandatory Queensland Government Information Standards Records Governance Policy – sets out foundational principles of recordkeeping for Queensland Government agencies and public authorities to meet minimum recordkeeping requirements.

Other related Queensland Government Information Standards • IS18 Information Security - outlines Queensland Government’s mandatory information security

principles (which are not yet mandatory for local government); • IS26 Internet – deals with the provision of information via web-based systems and the need to keep

adequate records of this business activity; • IS34 Metadata – deals with the use and management of information metadata; • IS38 Use of ICT Facilities and Devices – deals with the usage of provided ICT equipment; and • IS46 Use of Copyrighted Materials – deals with use of information currently under copyright.

Related Documents Appendix A – Responsibilities; Appendix B – ICT Resource Usage Policy Guidelines; Appendix C – Conditions of Use; Appendix D – Electronic Mail, Intranet and Internet Usage; Appendix E – Standard Operating Environment for End-User Devices; Appendix F – Telephone, Facsimile and Mobile Telephone Usage;



Page 4 of 4

Appendix G – Software and Data Set Usage; Appendix H – Usage of Remote Access; Appendix I – Definitions Appendix J – ICT Resource Usage Framework.

RESPONSIBILITIES Sponsor Director Organisational Services Owner Chief Information Officer

VERSION CONTROL Document Date Approved

Amendment

22850062 v8 30.10.18 COO iSpot #72055916 22850062 v7 19.08.16 COO iSpot #57427379 22850062 v6 18.06.14 CEO iSpot #44117435 22850062 v5 05.11.13 GA12.0201.003/G12.0206.016 Council 22850062 v4 13.02.12 GA12.0201.003 Council 22850062 v3 31.08.11 GA12.0201.003/G12.0206.016 Council iSpot #27104024 22850062 v2 02.07.09 CEO Minor amendment regarding

Councillor mobile phone costs 22850062 v1 22.04.09 GF08.0430.005/G08.0502.018 CEO iSpot #2535471

Information and Communication Technology (ICT) Resource Usage Policy Appendix A – Responsibilities


Page 1 of 1

Appendix A – Responsibilities

• Chief Executive Officer (CEO) – ensures a strategy is in place to reduce the risk of employees breaching security through unauthorised or unintentional unauthorised use of ICT resources and establishes a culture of awareness of the efficient and effective use of ICT resources. The CEO is ultimately accountable for the usage of ICT resources in GCCC.

• Chief Information Officer – is accountable for ensuring the coordination, implementation and alignment of this policy with Commonwealth, Queensland and Local Government legislation, Queensland Government Information Standards, and other Council Policies. Communicates and ensures awareness of this policy among ICT resource users. Provide recommendations to areas covered in this policy and supporting documentation. Responsible for policy review and maintenance and the application of this policy as part of the Council’s IM Strategy. Ensures employees understand their responsibilities in the use of ICT resources through the communication of policies and procedures. Also ensures issues are addressed relating to record keeping, archiving, Right to Information and audit requirements for monitoring the use of ICT resources. Chief Information Officer is responsible for the deployment, monitoring, operation and management of ICT resources within Council (excluding Directorate specific ICT resources).

• Chief Procurement Officer – procures (in conjunction with business representatives and with reference to standards) ICT resources within Council. Identifies and defines Excluded Call Types for mobile telephony. Provides reports on usage of mobile voice and mobile data so that Directors can monitor and review access and use.

• Director Organisational Services – is responsible for all areas affected by this policy for which delegation powers are in place.

• Directors – provide leadership, and within their Directorate, ensure a culture of awareness of efficient and effective use of ICT resources is promoted through corporate and on the job training. Responsible for monitoring of Limited Authorised Personal use. Responsible for authorising access to excluded call types via mobile telephones and handheld devices, ensuring that usage of excluded call types is monitored and that a continued business need for access to these services exist.

• End Users – are to ensure that Council’s ICT resources are used in an efficient and effective manner according to the ICT Resource Usage Policy, other relevant policies, and associated policy instruments.

• Engaging Officer – is the responsible person who engages a third party and is required to ensure the third party and its agents are aware of, and abide by, the provisions of this policy when working with Council’s equipment or systems.

• Executive Coordinator, Integrity and Ethical Standards, Corporate Assurance – develops and provides advice on fraud and security issues relating to the ICT Resource Usage Policy and related policies, monitors and reports on compliance and performance as required, and coordinates awareness of corporate policy and ICT incident management.

• Corporate Assurance – will act in accordance with the Internal Audit Policy and the Audit Committee Policy and will be engaged by the policy owner and areas of Council to ensure compliance to principles and standards referred to in the ICT Resource Usage Policy on a cyclical/risk basis. Corporate Assurance is not responsible for monitoring usage of ICT resources.

Information and Communication Technology (ICT) Resource Usage Policy Appendix B – ICT Resource Usage Policy Guidelines


Page 1 of 2

Appendix B – ICT Resource Usage Policy Guidelines This Appendix supports the Information and Communication Technology ICT Resource Usage Policy and defines how Council will approach compliance with Queensland’s Whole-of-Government Information Standard 38 (IS38) – Use of ICT Facilities and Devices. The purpose of IS38 is to ensure the implementation of consistent policies and practices in the management of information and communication technology (ICT) resources including Internet and electronic mail (email). The Council approach to its ICT resource usage is based on meeting the principles in IS38: Principle 1 – Council1 responsibilities; Principle 2 – Council policy; and Principle 3 – Council responsibilities to employees. The development and endorsement of the ICT Resource Usage Policy and associated Implementation Framework will ensure that Council complies with the IS38 standard for the Use of ICT Facilities and Devices. Principle 1 – Council Responsibilities

The provision of Council ICT facilities and devices including Internet and email are for officially approved purposes. When managing and monitoring the use of ICT facilities and devices, Council must:

• Ensure users are aware of and understand Council policies, practices and their responsibilities;

• Ensure disciplinary procedures and penalties imposed on users for breaches of use are clear, unambiguous, proportionate to the offence and are applied in a manner which is in accordance with the principles of natural justice;

• Ensure that employees are aware that intentionally accessing, downloading, storing or distributing pornography or other material which could be reasonably expected to cause offence, or breaches the principles contained in the Code of Conduct or Good Working Relationships Policy is a matter for which disciplinary action may be taken;

• Minimise security risks including disruption to Council operations and unauthorised use (intentional or unintentional) by employees;

• Address issues relating to record keeping, archiving, right to information, privacy and audit requirements;

• Ensure any breaches discovered are thoroughly investigated and all issues identified and addressed;

• Develop and implement procedures for reporting potential breaches of Council policy or the law to the relevant authority; and

• Ensure that sufficient resources are made available for the above to be carried out effectively.

1 For the purposes of applying the principle to Council, the term ‘Agency’ has been replaced by the term ‘Council’

Information and Communication Technology (ICT) Resource Usage Policy Appendix B – ICT Resource Usage Policy Guidelines


Page 2 of 2

Principle 2 – Council Policy

Council must develop, implement and communicate clear and unambiguous policies and guidelines addressing the use and monitoring of ICT facilities and devices within the Council. At a minimum, Council must ensure that these policies and guidelines:

• Are consistent with the Local Government Act 2009, Council’s approved Code of Conduct for Employees and all other relevant legislative or statutory obligations under which Council operates;

• Are reviewed on an ongoing basis, are readily accessible and regularly communicated to all users;

• Define which users within the Council are authorised to use ICT facilities and devices, and the conditions and constraints relating to their use in terms of Council security, privacy, copyright, confidentiality and delegation polices;

• Define what is considered authorised and unauthorised use and provide clear definitions, comprehensive examples and permitted levels of such use;

• Clearly state that unauthorised use of Internet and email including having intentionally accessed, downloaded, stored or distributed pornography using Council owned ICT facilities and devices will be treated seriously and may result in disciplinary action.

• Define what ICT facilities and devices will be monitored and the conditions under which this monitoring will take place;

• Expressly state the kinds of personal information Council will record in the course of intercepting incoming emails and Internet usage, and the purposes for which the information will be used; and

• Define who has access to intercepted emails and Internet usage, monitoring reports and the delegation chain of authority and actions for dealing with reports or information collected or generated from this activity.

Principle 3 – Council Responsibilities to Employees

Council must provide appropriate training to ensure that all users are made aware of their responsibilities and obligations when using ICT resources. At a minimum, Council must make reasonable efforts to ensure that employees are:

• Aware of, understand, acknowledge, and have access to the relevant Council policies on use of ICT facilities and devices including Internet and email;

• Aware of, and acknowledge what is authorised and unauthorised use of ICT facilities and devices;

• Informed that systems and processes will be used to monitor, audit and report on employee use and/or access;

• Aware that penalties may be imposed following disciplinary actions arising from a breach of these policies; and

• Aware that, when receiving unsolicited inappropriate material from the Internet or through email, they immediately delete such material from Council systems. As required, the incident can be brought to the attention of management prior to deletion. Action to delete this material would not constitute unauthorised use.

Information and Communication Technology (ICT) Resource Usage Policy Appendix C – Conditions of Use


Page 1 of 5

The Council's ICT resources are: • Provided to Councillors, staff and contractors to conduct official business and professional

development more effectively and efficiently; • To be utilised only for defined use outlined in this policy; • To be authorised by the relevant Director/Manager and used in accordance with Council

policies and procedures, applicable laws and regulations; • Provided to employees and Councillors and able to survive public scrutiny and/or disclosure; • Not to be used to bypass established and/or official channels of communication as defined by

Council reporting relationships; • Monitored and logged by Business Innovation and Technology Services branch in line with

Council's policies and procedures, except for mobile data and voice which is monitored and logged by the Office of the Chief Procurement Officer in conjunction with Directors.

• Subject to the Council's recordkeeping, archiving, right to information, information privacy and auditing requirements; and

• Able to be restricted or revoked at any time.

Authorised Official Use Official use of Council owned or provided ICT resources means usage undertaken for a business need to assist in carrying out the work of Council.

Official use includes in general: • Conduct of work related business; • Access to work related information; • Communication with colleagues on work related matters; and • Communication outside the work environment on work related matters.

Official use is permitted under the following conditions and limitations: • Usage takes place while you are either employed, contracted or are an elected official in the

service of Council; • Established and/or official channels of communication as defined by Council reporting

relationships are observed at all times; and • Usage that could interfere with day-to-day operations must receive the appropriate authorisation

from the relevant Director or Manager.

See below - for examples of official use.

Authorised Professional Use Professional use of Council owned or provided ICT resources means permitted activities that support professional development with authority from the relevant Director or Manager.

Professional use includes in general: • Professional development relating to approved study or research; • Approved forum, conference or seminar participation; • To engage with a professional or industrial organisation for membership, registration,

training/education, performance, conduct or safety; • Council approved or supported personal study.



Page 2 of 5

Professional use is permitted under the following conditions and limitations: • Usage has been authorised by the relevant Director or Manager; • Established and/or official channels of communication as defined by Council reporting relationships

are observed at all times; • Use does not threaten or interfere with day-to-day operations of the Council in accordance with

ethical standards explained in Council's Code of Conduct for employees or Councillors; • Unnecessary or excessive burden is not placed on Council resources, e.g., large-scale emailing or

mass storage or transmission of electronic files; and • Access does not require modifications to existing infrastructure.

See below - for examples of professional use.

Authorised Limited Personal Use Limited use of Council owned or provided ICT resources means those activities conducted for purposes other than official business or professional development.

Users who have been issued with a mobile device such as an iPad have been allocated with that specific device and as such it is the responsibility of that user. The user must be mindful that although some limited personal use is authorised, such devices can be reallocated for operational purposes to another user.

Limited use is permitted under the following conditions and limitations: • Incurs minimal additional expense to Council; • Does not interfere with the operation of Council; • Is only permitted where it has a minimal impact upon email, Intranet and Internet resources,

i.e. bandwidth, disk space; • Does not violate any Council policy or related State/Federal legislation; • Use may only occur during an employee's own time; • Privilege of use will be monitored and may be restricted or revoked at any time. Directors are

responsible for monitoring usage; • Use does not place unnecessary or excessive burden on Council resources, e.g. large scale

emailing or mass storage or transmission of electronic files; • Limited personal use of other ICT resources i.e. phone, mobile phone, facsimile and SOE, is

generally expected to take place during the authorised user's non-work time;

• Reasonable personal calls are generally permitted on mobile phones. Some specific call types (‘excluded call types’) which incur an additional charge are not considered to be Limited Personal Use and are not to be made (a full list of excluded call types is available from the Service Desk and is made available to every user). For users with a valid business requirement to access excluded call types, Director’s authorisation is required to be forwarded to the Office of the Chief Procurement Officer. For all exemptions, the user’s Director is responsible for monitoring usage and ensuring suitability of use and continued business need. Directorates will also be responsible for funding all costs incurred from these exemptions. (For Mayor and Councillor mobile phone entitlements, refer to Expenses Reimbursement and Provision of Facilities for Mayor and Councillors Policy 2009);

• Usage of facilities which are provided by third parties at an expense to Council (including Internet, email, mobile telephones and online applications) are subject to reporting to and monitoring by directors, managers, Integrity and Ethical Standards Unit, Legal Services, Office of the CEO (including Corporate Assurance) and the Business Innovation and Technology Services branch to ensure fair and equitable usage and that additional contract costs are not incurred by Council. End users may have their access moderated, restricted or revoked if they are deemed to be excessively utilising services for personal use;



Page 3 of 5

• Will withstand public scrutiny and not bring an employee of the Council, a Councillor or Council into disrepute;

• Use does not include maintaining or supporting a private business enterprise and/or use for personal gain or profit;

• Any information created, transmitted or stored for personal purposes will not be the responsibility of the Council;

• Information resulting from personal usage will be subject to scrutiny and/or audit at any time;

• Any unsolicited inappropriate material from the Internet or through an email is to be deleted immediately from Council systems in line with Appendix B, Principle 3, and point 5.

See below - for examples of limited personal use.

Unauthorised or Inappropriate Use Unauthorised or inappropriate use of Council owned or provided ICT resources:

• Usage which infringes copyright; • Involves creating, downloading, storing, viewing or distributing obscene, indecent, offensive or

sexually explicit material or material unbecoming to propriety; • Contains untrue information that is likely to damage the reputation of a person in their

profession or trade or by which other persons are likely to be induced to shun or avoid or ridicule or despise the person;

• Downloading non-business related digital music (e.g. MP3), video (e.g. MPEG) files, applications or images using Council provided bandwidth;

• Contains material or images that may offend the recipient or others who may view it; • Bullies or harasses another person or is of a violent nature; • Expresses a view or commits Council to a course of action that is outside your delegated

power; • Discriminates against a person on the basis of the person’s age, race, gender, religion,

marital status, sexual preferences or other unlawfully discriminatory attributes; • Contains Internet addresses or links to material or sites that contain any of the unacceptable

content cited above; • Any use that bypasses established and/or official channels of communication as defined by

Council reporting relationships including the settlement of personal disputes; • Includes campaigning for personal gain; • Failing to undertake Council security procedures such as virus checking when downloading files

and/or software and sharing and/or distributing network or application access passwords; • Any use that would interfere with the day-to-day operations of the Council and places an

unnecessary or excessive burden on Council resources, e.g. large-scale emailing or mass storage or transmission of electronic files;

• Council’s call transfer service must not be used to transfer private calls in such a way that Council ends up paying for the cost of the private call;

• On-call employees should not use Council mobile telephones to make personal calls while on-call as this may impact Council business related inbound calls from getting through and therefore Council’s business Service Level provision to its customers;

• Usage of and access to Excluded Call Types as defined by the Office of the Chief Procurement Officer.

• When allocated to sections rather than to individuals, mobile phones are NOT to be used for personal calls; and

• Any unauthorised use that is not lawful, criminal or unethical, including usage outside permitted conditions and limitations for official, professional or limited personal purposes.



Page 4 of 5

Council employees, Councillors and Contractors alleged to have inappropriately used Council ICT resources to create, download, store, view or distribute obscene, indecent, offensive or sexually explicit material or material unbecoming to propriety, e.g., pornography, will be referred to Council's Integrity and Ethical Standards Unit, Executive Coordinator for investigation. This may result in the taking of disciplinary action. Any attempt to subvert existing security controls, both internal and external to Council will be noted and included in any action taken.

See below - for examples of unauthorised or inappropriate use.

Unlawful and Criminal Use Unlawful and/or criminal use of Council owned or provided ICT resources is use which violates State or Federal law and/or the Criminal Code Act 1899.

Unlawful and/or criminal use of Council owned or provided ICT resources by users will be subject to either criminal, official misconduct or other disciplinary proceedings against them.

See below - for examples of unlawful and criminal use. Examples of Use Examples of use include, but are not limited to, the use of Council ICT resources for:

Authorised Official Use • Phoning other Government agencies for the purpose of acquiring or sharing information; • Printing documents relating to a Council training course; • Using the Internet to perform Council related case/project research; • Using email to communicate new Council directives or policies; • Informing employees of new Council initiatives and/or staff movements; and • Utilising facsimile services for Council procurement purposes.

Authorised Professional Use • Using the Internet/email to book and confirm a professional membership seminar/conference; • Enabling staff to access information from their professional bodies website; • Using a facsimile to apply for professional body membership; • Printing and distributing information relating to professional training/conference/seminar

events; and • Enabling third parties to call professional bodies for advice when working for Council.

Authorised Limited Personal Use (some activities are subject to Director/Manager approval)

• Completing a job application; • Using the Internet to access white/yellow pages online; • Using the Internet for personal online banking. This excludes any activities relating to a

private business enterprise and/or online share trading; • Conducting searches over the Internet on appropriate and ethical topics that will not cause

embarrassment or harm to the Council; • Reading personal Internet based email is open to scrutiny and must not be inappropriate,

unlawful, or criminal, and must not relate to a private business enterprise; • Printing a copy of an Internet web page or email; • Using a facsimile to change personal banking details; • Local calls made from Council telephones for domestic purposes; and • Storing small job applications and resumes on a personal network drive.



Page 5 of 5

Unauthorised or Inappropriate Use May Include: • Viewing, creating, downloading, storing or distributing materials in the workplace which are

inappropriate, indecent, obscene or sexually explicit, e.g., pornography; • Taking inappropriate pictures with cameras or mobile phone cameras; • Using Council phones to call private mobile phone numbers where it is not an emergency

situation; • Any use that incurs additional data charges to Council including but not limited to ‘tethering’ of non-

Blackberry data devices and using Council-supplied mobile data as a replacement for a private Internet connection;

• Forwarding inappropriate jokes, image/sound/movie files, e.g., .WAV and .MPG files; • Conducting private business enterprises for personal gain or profit; • Downloading, storing or distributing material such as chain letters or information pertaining to

pyramid schemes; • Creating and/or maintaining personal websites; • Knowingly downloading files from the Internet or storage media containing malicious code,

viruses, Trojan horses, worms or Spyware that may cause harm to Council; • Making telephone or mobile telephone calls to subscription numbers (e.g., 1900 numbers) or

overseas/IDD numbers where specific exemption has not been authorised; • Failing to keep Council passwords secure; • Expressing a view to the media outside of an authorised delegation; • Disrupting other ICT resources through such means as mass mailing, storage or transmission

of large files or any other unnecessary activity that may place a burden on Council resources; and

• Sending unauthorised Global emails.

Criminal and/or Unlawful Use May Include: • Publicly selling inappropriate/indecent/obscene/sexually explicit material such as

pornography; • Exposing any inappropriate/indecent/obscene/sexually explicit material to an area where it

may be publicly viewed; • Breaching copyright laws such as illegally copying movies, music, software programs or

storing any files which you do not have explicit rights to copy, modify or store on the Council’s network or using a Council supplied device or connection such as but not limited to MP3 music files;

• Attempting to intercept, alter or steal data in order to harm Council or for personal gain; • Leaking confidential Council information to the media; • Creating or assisting in creating a computer virus; • Creating or assisting in causing a denial of service attack; • Sending unsolicited commercial emails (spamming); • Downloading and/or storing inappropriate defamatory material; • Committing other offences whilst using Council ICT resources such as illegal gambling,

defamation, fraud and copyright infringements; and • Using a hand held mobile phone whilst driving.

FURTHER INFORMATION For further information on policy matters contact the Coordinator Security, Governance, Compliance and Policy, Business Innovation and Technology Solutions Branch. For further information on operational matters contact Service Desk.

Information and Communication Technology (ICT) Resource Usage Policy Appendix D – Electronic Mail, Intranet and Internet Usage


Page 1 of 1

Council’s corporate Intranet, Internet and Email systems are available only for authorised users. Email sent or held on the Council Network is owned by Council forms part of the corporate memory, and must be managed and dealt with in accordance with recordkeeping and privacy principles in the Information Management and Information Privacy Policy. There are risks and costs associated with email, Intranet and Internet usage, which Council seeks to minimise. There are also established corporate standards related to the way this aspect of the ‘face of Council’ is portrayed to the general community.

• Authorised officers, for reasons of performance and compliance with legal obligations, will monitor general and personal usage of Council’s Intranet, Internet and corporate email to ensure systems are appropriately used and that the system has the capacity to meet Council's business needs. Additionally, during the course of problem resolution, authorised officers may need to view the content of email in order to identify causes related to performance issues.

• Council management or its delegated officers will also regularly monitor and audit email stored or sent on Council's email, Intranet and Internet and email systems in order to ensure that authorised users are using the service in compliance with Council policy.

• Email coded or marked as ‘confidential’ or ‘private’ by a Council source shall be treated the same as any other confidential document. However, users should be aware that system monitoring and incident management may result in some messages having to be viewed from time to time by other authorised Council staff.

User Responsibilities All users must:

• Comply with this policy, other relevant policies and supporting policy instruments with particular reference to the Code of Conduct.

• Conduct correspondence in line with all delegations and authorities. These apply equally to email through usage of telephones, mobile devices, desktop and laptop/notebook computers.

• Not send electronic correspondence using the identity of another person, unless authorised to act on the senders behalf.

• Not Send ‘Chain Mail’ or forward it under any circumstances using Council’s corporate email system, and repetitive or disruptive incidences should be reported to management for further action.

• Not send SPAM email forward it under any circumstances using Council’s corporate email system. Instances of SPAM should be reported to management for further action.

• Only send ‘Global’ email o With the prior approval of a Director. Approval may be given for particular employees to

send certain types of global email due to the nature of their duties. o Being mindful of data duplication and pointing to web site links where appropriate as

opposed to unnecessarily attaching large files. o Under the Global size limit specified by IT Operations, with any email exceeding this limit

needing authorisation in advance by the Director Organisational Services.

• Email mailboxes have a size restriction placed on them to maintain effective and efficient mail transfer and storage of business related email. Users will manage their individual mailboxes to maintain the size limitation as specified by authorised officers.

FURTHER INFORMATION For further information on policy matters contact the Coordinator, Security, Governance, Compliance and Policy, Business Innovation and Technology Solutions Branch. For further information on operational matters contact Service Desk.

Information and Communication Technology (ICT) Resource Usage Policy Appendix E – Standard Operating Environment for End-User Devices


Page 1 of 1

The GCCC Standard Operating Environment (SOE) for end-user devices is a group of configurable hardware, software and services designed to provide Councillors, employees, contractors with a secure, functional and cost effective platform to perform their duties.

The SOE is in place to optimise support for users to carry out their required functions for business purposes balanced against an excessive support burden. User Responsibilities

• All users must comply with this policy, other relevant policies and supporting policy instruments.

• Council owned2 end-user and peripheral devices may only be connected to the corporate network via access methods authorised by the Business Innovation and Technology Services Branch.

• Legacy and other non-SOE equipment which is Council owned but not a current SOE component may only be used with the prior approval of Business Innovation and Technology Services Branch. Conditions may be attached to such use including an approved expiry date and reduced support levels.

• Any relocation of computer equipment must be advised in advance of the move and an assigned move date set with Business Innovation and Technology Services who are tasked with the responsibility of asset management, life-cycling, device disconnection and reconnection. The physical moves and any ergonomic enhancements are the responsibility of the end-user’s business unit or Branch.

• Use of the SOE by third parties (e.g. community groups, outsourced GCCC service delivery organisations, alliances, etc.) may only occur with the prior approval of the. Chief Information Officer (Excludes public PCs at libraries and public access kiosks).

• Council supports sustainable business practices. Unless there is a valid operational reason for the equipment remaining on, Council PCs, laptops/notebooks and other computing devices must be powered off at close of business to minimise power usage and to ensure daily update.

• Council laptops/notebooks should be stored in a lockable draw or at minimum removed from public view at the end of the business day, if they remain overnight at a Council location.

• Council laptops/notebooks used outside Council premises are to be kept secure. FURTHER INFORMATION For further information on policy matters contact the Coordinator Security, Governance, Compliance and Policy, Business Innovation and Technology Solutions Branch. For further information on operational matters contact Service Desk.

2 Council owned assets can include leased, hired, loaned equipment

Information and Communication Technology (ICT) Resource Usage Policy Appendix F – Telephone, Facsimile and Mobile Telephone Usage


Page 1 of 1

Authorised users of the Council telephone, facsimile and mobile phones may additionally include employees and others engaged in activities on Council’s behalf, as well as external business entities and their employees. For the purposes of this policy, smart phones i.e. Blackberrys are considered as end-user devices. However the provisions of this appendix also apply to smart phones. Council owned equipment means owned, leased, hired, or loaned equipment. This appendix acknowledges that there are risks and costs associated with telephone, facsimile and mobile phone usage, which Council seeks to minimise, such as loss of reputation and financial risk. They also establish corporate standards related to the way this aspect of the ‘face of Council’ is portrayed to the general community. Councillors’ mobile phone entitlements are described in the Expenses Reimbursement and Provision of Facilities for Councillors and Mayor Policy. Employees required to be available for after-hours call-outs, will be issued with a mobile phone on either a permanent or temporary basis. Initial installation of Pay Phones on Council premises (subject to business case approval), or the removal or relocation of Pay Phones requires the approval of the Chief Information Officer. All associated costs are payable by the requesting Branch which will conduct an annual review of usage and cost to Council and report findings to the Chief Information Officer.

Telephone Features Requiring Approval:

• International Direct Dialling (IDD) and ‘Voice Mail’, ‘Call Diversion to an external number’ and Mobile Extension must be approved by the requestor’s Director.

Mobile Features Requiring Approval:

• IDD, mobile data services, Multimedia Message Service (MMS) and / or Global Roaming must be approved by the requesting officer’s Director.

User Responsibilities • All users must comply with this policy, other relevant policies and supporting policy

instruments.

• Mobile telephone SIM cards must not be removed or transferred to other phones.

• Any relocation of Telephone or Facsimile equipment must be advised in advance of the move and an assigned move date set with Business Innovation and Technology Services who are tasked with the responsibility of asset management, life-cycling, device disconnection and reconnection.

• Mobile phone devices are not be to be left unattended in motor vehicles unless mounted to the vehicle.

• Users may be held personally responsible for the cost of any loss or damage of phones and accessories when such loss or damage exceeds normal wear and tear and can be attributed to negligence. All loss or damage is first to be reported to the Service Desk and then in line with requirements of the Portable and Attractive Items Policy as applicable.


Information and Communication Technology (ICT) Resource Usage Policy Appendix G – Software and Data Set Usage


Page 1 of 2

Copying of any software program or data sets that are subject to a licence agreement is prohibited, except for the purposes of backup or installation by Council authorised officers. No user of licensed software or data sets may move beyond the provisions of the licensing arrangement when using these software or data sets. No software program or data set that could be subject to a licence agreement and which exists on a device that is not owned or leased by Council may be copied to any programmable device that is owned or leased by Council, except where this is done by persons who have been authorised to carry out these tasks. Software or data sets that relate to the configuration of any programmable device that is owned or leased by Council may only be modified or in any way changed by Council officers who have been authorised to perform these tasks. Exceptions include:

• Where the changes are authorised changes to the personalisation of the programmable device; or

• Software application within the functionality of the application and accessible to the user. Where software and data set configurations represent part of Council’s Corporate Memory, those authorised to install and maintain these files must ensure that a system is in place to preserve this Corporate Information. The software and data set provisions of this policy are concerned with managing copyright and corruption and security risks to Council’s software and data, where this software and data is operated on any Council owned or leased programmable device. User Responsibilities


• No Council employee, Councillor or contractor shall knowingly breach a software licensing agreement for any software or data that is owned or leased by Council. It is the responsibility of the user concerned to ensure that no breach of licensing or copyright arrangement occurs.

• Only authorised officers can install software that is to run on any of Council’s leased or owned programmable devices. For Council owned or leased programmable devices that run the Standard Operating Environment for desktop or mobile communications devices, software and data files will be installed from a central location by an authorised person from Business Innovation and Technology Services..

o Staff may be granted special authorisation as Power Users of specific applications to install executable files for their specific applications. Under no circumstances are Power Users permitted to download software from external sites unless authorised by the Chief Information Officer.

o Only the Chief Information Officer.

• may authorise the installation and modification of software on a programmable device that does not run the Standard Operating Environment.

• Council owned or licensed software or licensed data must only be stored on a programmable device or electronic storage device that is authorised by Council. This does not apply to a Microsoft® Work at home (WAH) license purchased through Business Innovation and Technology Services Branch and Microsoft®.

o Staff purchasing a Microsoft® Work at home (WAH) license must abide by the Microsoft® Work at home (WAH) license agreement and any Council guidelines and procedures pertaining to the Microsoft® Work at home (WAH) license. The installation of WAH software is not supported by IT Operations.

Information and Communication Technology (ICT) Resource Usage Policy Appendix G – Software and Data Set Usage


Page 2 of 2

• Software and data can be made available on a licensed basis, for example, operating system software or on a non-licensed basis, for example, Internet cookies.

• All data leased, licensed or owned by Council must be backed up through a means which complies with Enterprise Architecture standards.

• Some data files on a programmable device represent personalised customisations, such as Desktop Icons, Internet Favourites or other preferences and usability settings that are available to various applications. There are also transient files that applications create at different stages. Users may create, change or delete icons with a black arrow in the bottom left hand corner (but not a red arrow in this location) as well as favourites, usability settings and transient files.

• Only an authorised person may make changes to the Operating Software or Application Software configuration. No downloads of screensavers or other programs from the Internet are permitted. No unauthorised deletions, additions or customisations may be made to the software on programmable devices that are owned or leased by Council.

o The Director of Organisational Services and the Chief Information Officer will ensure that an authorised person is available to make any necessary changes to the configuration of any of Council’s programmable devices that run the Standard Operating Environment. This service can be accessed by logging a call with the Service Desk.


Information and Communication Technology (ICT) Resource Usage Policy Appendix H – Usage of Remote Access


Page 1 of 1

Remote Access Service (RAS) is the ability to access the Council network from another location (i.e. home or non-networked site). It is used by a number of Council staff (across all directorates) to access their network files, applications and email. This policy supports the delivery of business needs covered in the Mobile Computing Strategy, Working from Home Policy and Expenses Reimbursement and Provision of Facilities for Mayor and Councillors Policy. The remote access provisions of this policy set the parameters within which access to Council’s data network via remote connection can be achieved. The purpose is to keep operational costs to a minimum and reduce risk to council.

• Remote access will be made available: o On a business needs basis; o Using Council’s corporately provided remote access solutions.

User Responsibilities


• All remote users are required to notify their manager and the Chief Information Officer, immediately they no longer require access privileges.

• Under no circumstances will an unauthorised user be permitted to use an authorised user’s end-user device and authentication key.

• Council laptops/notebooks should be switched off when not in use, to prevent unauthorised access to the Council network and to support sustainable business practices.

• When outside Council premises laptops/notebooks must be out of public view while a vehicle is unattended.

• Users may be held personally responsible for the cost of any loss or damage of laptop/notebooks and accessories when such loss or damage exceeds normal wear and tear and can be attributed to negligence. All loss or damage is first to be reported to the Service Desk and then in line with requirements of the Portable and Attractive Items Policy as applicable.


Information and Communication Technology (ICT) Resource Usage Policy Appendix I – Definitions


Page 1 of 3

Term Meaning

Authorised Officers Staff within Business Innovation and Technology Services and Corporate Assurance performing duties authorised by management.

Call Diversion An automatic diversion of a call from the called extension to another number.

Business Use

Council’s corporate Internet, and email systems and associated services are established and maintained solely for Council related business purposes.

Call Pickup The ability to dial a number to pick up a call on another extension.

Chain Email An email directing recipients to send out multiple copies of it so its circulation increases exponentially. Such messages typically promise rewards for compliance, e.g. blessings, good luck, money or merchandise. Some types of chain letters - specifically, those asking people to send money to other participants - are illegal and not in accordance with Council policy.

Corporate Information Corporate information refers to all records and their associated contextual information that serves to completely depict all details of a particular business activity and its relationship to other business activities.

Corporate Memory A full and accurate record of all the business activities and transactions undertaken by Council in the exercise of its statutory, administrative or other public responsibilities or related purposes.

Council Council of the City of Gold Coast

Councillors Councillors refer to all elected officials in Council including Councillors, Mayor and Deputy Mayor.

Download A mechanism by which a software device or program is copied from a server site to another programmable device.

Dumb Terminal This is a device that cannot load operational software or applications and has a very limited programmatic capability that is used for communications and display services.

Electronic Correspondence Any correspondence facilitated by ICT resources.

Electronic Storage Devices Electronic storage devices include Personal Digital Assistants and handheld devices, USB Drive/Flash Keys, SD Cards, Portable hard drives/CD Burners, Zip Drives, Mobile Phones).

Email The transmission of messages, and attachments in electronic format to an address within an email system. Webmail unless specifically referred to in this policy shall be covered by the term email.



Page 2 of 3

Term Meaning

Email System A software application that provides services related to the transmission and receipt of electronic messages.

End-user Devices End-user devices are defined as Standard desktop computer, Standard notebook (portable) computer, various computer (PC) models, other mobile computing devices, printers, smart phones, Blackberrys, etc.

Excluded Call Types Call types which are not included in Council’s current mobile phone contract access fee and for which additional charges are payable. The Office of the Chief Procurement Officer is responsible for maintaining a list of excluded call types.

External Entity An independent organisation with which Council has a contractual arrangement and which is provided with equipment that is serviced by IT Operations.

Global Email Email communications that are sent out to the entire organisation. Such email must be authorised by a Director.

ICT Resources ICT resources includes but is not limited to: • Computers (including laptops, notebooks, tablet

PCs, Personal Digital Assistants and handheld devices);

• Electronic storage devices; • Telecommunications (including provisioned phone

lines/connections, telephones, mobile phones, pagers, facsimiles, message banks, voice mail, modems, data communication devices and data cabling);

• Radios (or any other frequency devices); • Television sets (including LCD and plasma

screens); • Video and imaging equipment; • Digital or analogue recording devices (including

tape, DVD, video recorders); • Cameras (including mobile phones with cameras); • Printers, copiers and digital scanners; • Internet services (including http, ftp and telnet, peer

to peer, video-streaming); • Email services; • Web based portals; and • Fee based services.

Internet The worldwide loose affiliation of interconnected computer systems, through which users can navigate to obtain services and share information at various levels of detail with globally dispersed organisations and individuals.



Page 3 of 3

Term Meaning

Malicious Software (Malware) Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, most rootkits, spyware, dishonest adware, and other malicious and unwanted software.

Peripheral Device A device that is optional in nature, and is attachable to an end-user device e.g. USB Drives, external hard drives, scanners and cameras.

Programmable Devices Any device whose operation is controlled by a stored program that can be changed or replaced. Information may comprise automated software, data files and temporary work files. Such devices would include desktop computers, mobile communications devices, SCADA devices or even a modern refrigerator.

SPAM An unsolicited message that is sent indiscriminately to multiple mailing destinations.

Standard Operating Environment (SOE)

Standard Operating Environment (SOE) for end-user devices is a group of configurable hardware, software and services designed to provide Councillors, employees, contractors with a secure and functional platform to perform their duties.

Tethering/Tethered Connecting a data-enabled mobile telephone or tablet device to a computer or other device via a cable or wireless connection for the purpose of connecting to the Internet via the phone/tablets’ data connection.

Thin Client This is a device that loads a limited version of operational software that cannot be modified by the terminal operator with no local stored persistent data.

User Any authorised Council staff member, Councillor, contractor or third party.

Virus A software agent that uses any programmable device that is available to reproduce itself and spread itself to other programmable devices.

Voice Mail The ability to store a message for an extension that can be replayed at a later time.

Webmail An Internet application that allows users full access to their corporate email using a Web Browser.

Information and Communication Technology (ICT) Resource Usage Policy Appendix J – Framework


Page 1 of 1

ICT RESOURCE USAGE FRAMEWORK Tracks #22638806 v2

Lege

ndPo

licy

Inst

rum

ents

Cou

ncil

Stra

tegi

es a

nd P

olic

ies

Stra

tegi

c Pr

iorit

ies

Old related policies to be retired and replaced by the ICT Resource Usage

Policy ICT Resource Usage Policy

Policy and Main Policy Instruments

Fraud Prevention &

Security Security Incident & Property Loss

Damage Processes

Telstra Geoproducts/ UBD Mapifo Layer Policy

Form Groups

Principle 3Council

Responsibilities to Employees

Library Services Operational

Guidelines: Use of Public Access

Computers

Remote Network Access Policy

Protective Security Policy

Reference outside of

policy scope

Good Working

RelationshipPolicy

Desktop Support Policy

15 People Management

Moves, adds & changes Forms

FACT SHEET Fraud Prevention &

SecurityWarning - use of

computer andcommunications

equipment

Operational guidelines,

fact sheets & processes

Expenses Reimbursement and

Provision of Facilities for

Councillors and Mayor

Referent Council Policy

Mobile Telephone Policy

Code of Conduct for Employees

Relevant Council PoliciesUse and Support of

Electronic Mail Policy

Principle 2Council Policy Telephones Policy

Principle 1Council

Responsibilities

Use and Application of the Internet Services

Policy

Ethics & Fraud Risk

Management Policy

Old policies to be retired

Information Management

and Information Privacy Policy

Portable and Attractive Items

Policy

Email and Internet Forms

Personal Device Forms

Peripheral Device Forms

Remote Access Forms

Employee Forms Phone FormsDesktop/Laptop

Forms

Electronic Mail, Intranet and

Internet Usage

Standard Operating

Environment for End-User Devices

Usage of Remote Access

Telephone, Facsimile and

Mobile Telephone Usage

Software and Data Set Usage

Moves, Adds & Changes Forms

Conditions of Use

Component of ICT Policy Framework

Working From Home Policy

ICT Security Policy

Disciplinary Policy

Telstra Pay Telephone Policy

Right to Information and

Information Provision Policy