ICT-PR-004: Using the Department's Corporate ICT Network

• Adoption of Children Act 1964 Part 5 s45 - Restrictions on publication of identity of parties http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/A/AdoptChildA64.pdf
• Child Protection Act 1999 Pt 6 Ch 6 s189 - Prohibition of publication of info leading to identity of children http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/C/ChildProtectA99.pdf
• Criminal Code Act 1899 http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/C/CriminCode.pdf
• Defamation Act 2005 Part 2 General Principles - Div 1 s4(1) - Defamation and the general law http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/D/DefamA05.pdf
• Education (General Provisions) Act 2006 Ch.2 - Pt 1, s12 and Pt 6, s47; Ch.19 - s425 and s426 http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/E/EducGenPrA06.pdf
• Electronic Transactions (Queensland) Act 2001 Ch 2 s8 - Validity of electronic transactions http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/E/ElectronTrQA01.pdf
• Evidence Act 1977 (new window) s95 Admissibility of statements produced by computers http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/E/EvidceA77.pdf
• Financial Management Standard 1997 s56(2)(a) - Elements of systems for financial information management http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/F/FinAdminAudSt97.pdf
• Juvenile Justice Act 1992 (new window) Part 9 s301 - Prohibition of publication of identifying information about a child http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/J/JuvenJusA92.pdf
• Public Service Act 2008 Chapter 6, Sections 187 - 192 http://www.legislation.qld.gov.au/Acts_SLs/Acts_SL_P.htm
• Spam Act 2003 (new window) Sch 1 Clauses 3 (Govt bodies, political parties, etc.) and 4 (Educational institutions) http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/DED153276FD7C6F9CA2570260013908A/$file/SpamAct03WD02.pdf

• Code of Conduct http://education.qld.gov.au/corporate/codeofconduct/index.html
• Department of Education, Training and the Arts - Information and Knowledge Strategic Plan http://education.qld.gov.au/strategic/planning/iksp.html
• Information Standard 18 (IS18) - Information Security http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
• Information Standard 25 (IS25) - Intellectual Property http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
• Information Standard 26 (IS26) - Internet http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
• Information Standard 38 (IS38) - Use of ICT Facilities and Devices http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
• Information Standard 42 (IS42) - Information Privacy http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
• School Security Handbook (new window) http://iwww.qed.qld.gov.au/facilities/security/schools/school_security_hbook.pdf

• IFM-PR-003: Classification and Handling of Information Assets /strategic/eppr/information/ifmpr003/
• IFM-PR-006: Information Security - Maintaining the Security of Department Information and Systems /strategic/eppr/information/ifmpr006/
• IFM-PR-010: Managing Electronic Identities and Identity Management /strategic/eppr/information/ifmpr010/
• LGS-PR-001: Consent to Use Copyright Material, Image, Recording or Name /strategic/eppr/legal/lgspr001/
• SMS-PR-012: Student Protection /strategic/eppr/students/smspr012/
• SMS-PR-027: Enrolment in State Primary, Secondary and Special Schools /strategic/eppr/students/smspr027/

Statement of intent

This policy and its associated guidelines and documents, set the framework for the requirements for safe and secure access and usage of the departmental ICT network by students, school and departmental staff. In addition, the policy provides guidance for the publishing of information via the intranet, extranet or internet and the connection of private devices to the departmental network.

All school and departmental staff must adhere to this policy when operating the departmental ICT network. It is a requirement under Information Standard 38: Use of ICT Facilities and Devices that all ICT facilities and device users are aware of the Government and school's network access and usage policies prior to accessing and using departmental ICT facilities and devices.

Additionally, all school and departmental staff are to ensure that access and usage of the departmental network is able to withstand public scrutiny and/or disclosure, as outlined in the State Government's Use of Internet and Electronic Mail Policy and Principles Statement 2007 (new window) .

School Network Access and Usage:

An essential tool for schools in the provision of innovative educational programs is the use of intranet, extranet, internet and network services and facilities. School Principals and teachers have the main responsibility for ensuring this policy, its associated guidelines and documents are understood, adhered to and are administered within the school community. However, staff and students using school ICT facilities also have a responsibility for good behaviour and adhering to the school's network access and usage requirements. Responsibility for conveying and ensuring students understand and follow these behaviour standards when using the school's network facilities also rests with their parents and guardians.

The Department of Education and Training encourages schools to explore new and innovative ways to incorporate safe and secure information and communication technologies into the curriculum and the operating school environment. School's network facilities are to be used for educational purposes only, unless otherwise arranged.

Schools reserve the right to restrict staff or student access to network services if access and usage requirements are not met or are breached. However, restricting or removing access to the network should not be undertaken where it will disrupt the provision of an educational program to a student. Alternatively, to ensure the continuation of the delivery of an educational program for a student whose network access has been restricted, the school could provide access to a stand-alone workstation.

Private Device Access:

All users of the departmental network should be aware that the Department reserves the right to restrict access (e.g. on-site, dial-in, etc.) of privately owned ICT devices (e.g. USB, mobile phones, laptop, PDAs, etc.) where that device is or has been used on departmental premises (e.g. school, District Office, Central Office) and/or is connected to the Department's Wide Area Network (WAN), and a security breach has been detected or the device is suspected to have compromised/could compromise the integrity of the network.

Wholly privately (e.g. non-departmental devices) owned ICT devices that do not meet network security and operational requirements should have restricted access (e.g. internet, printing) to maintain the network's integrity. The Department of Education and Training advises schools to ensure students do not connect solely privately owned devices to its corporate ICT network. This type of mass access of uncontrolled private devices would greatly compromise the integrity of the network.

Responsibilities

• Approves this policy and any subsequent reviews, amendments or associated departmental guidelines developed for operations of this policy.

• Develops procedures and guidelines for technology usage and access within schools.
• Provides direction and oversight of the development of policy guidelines for private device access to the network.

Executive Director, Information Management Services:

• Delivers quality ICT delivery and support services that align the Corporate ICT Network with the education and business needs of the Department.
• Develops processes, practices and guidelines for network connectivity, e-mail and office systems, web management and publishing.
• Provides on-going advice to the Assistant Director-General, Strategic Information and Technologies on information security, web access, network requirements, appropriate access and usage of the network, web and office solutions to inform guidelines for departmental and schools network access and usage (e.g. private device connection to the network).

Executive Director, Legal and Administrative Law Branch:

• Advises Minister, Director-General and departmental employees on privacy, intellectual property, security breaches and usage of the Consent to use copyright material, image, recording or name form and Consent Schedule for consent to use copyright material, image, recording or name.

  
  

Regional Executive Directors:

• Monitor adherence to the policy, associated guidelines and documents across the region, through updates from the Regional Technology Managers or through the region's usual reporting processes.
• Report incidents of breaches of network access and usage to the Executive Manager (Information Security), where breaches are of a critical nature and can not be resolved at the local level. Reporting of incidents to the Executive Manager, Information Security can be made via the Information Security Incident Reporting Form (new window) - For Internal use only.
  

• Resolves security matters reported from departmental officers, where security issues are unable to be resolved within work units or at the local level.
• Liaises with departmental officers and the Internal Audit Unit on matters or proceedings that may arise from breaches or complaints in relation to network usage and access.
• Provides advice and guidance on information security risks and recommends mitigation strategies.

Manager, Network Services:

• Delivers the Corporate ICT Network (EdNet) and the Managed Internet Service (MIS), which enable internet, extranet and network access and electronic mail services.
• Provides advice and information on web resourcing and network access and usage.
  
  

Regional Technology Managers:

• Provide guidance to all State schools to develop, implement and maintain school network access and usage statements or guidelines, which adhere to this policy and are adapted to the effective and efficient operations of the school.
• Advise the Regional Executive Director on the progress of implementation, the on-going compliance with and any associated operational issues with the policy and associated guidelines and documents.
• Report incidents of breaches of network access and usage to the Regional Executive Director, where breaches are of critical nature and can not be resolved at the local level. If required, additional reporting of incidents to the Executive Manager, Information Security can be made via the Information Security Incident Reporting Form (new window) - For Internal use only.
  

Intranet, Extranet, Internet and Network Access and Usage:

• Develop and maintain an up-to-date school network usage and access statement or guideline, in-line with this policy and Government policy on network access and usage. Guidance on information to be included in school's network usage and access statement or guideline can be found in Implementation Advice (new window) 36k ; Information for student and parents (new window) 24k ; Information for staff (new window) 27k ; and the Principal 's Checklist (new window) 20k .
• Ensure the school's network usage and access statement or guideline is understood, acknowledged and signed by school staff, students and parents at least once, either:
  • on enrolment (e.g. add school's usage and access statement/guideline and consent request to the enrolment package (refer to SMS-PR-027: Enrolment in State Primary, Secondary and Special Schools or
  • through an annual collection at the start of each school year.
• Ensure implementation of authorised risk management measures to reduce likelihood of network access to harmful information (e.g. filtering processes, limit timeframe for access), including undertaking monitoring/auditing activities of internet and e-mail usage (e.g. monitor sites access, level of usage of e-mail). Guidance to fulfill this responsibility can be sought from the Manager (Information Security).

Publication of personal information to school websites:

• Approve publishing, using school facilities, of information on the Internet by students and/or staff of the school under the school's name only where this meets legal requirements and standards in relation to intellectual property, copyright, privacy and child safety. (Refer to Web Publishing for Schools - Risk Management). Further guidance around practical application can be found at Conditions for including personal information on publicly accessible school Internet websites (new window) 29k
• Obtain informed consent, where appropriate, as per Information Standard 42 , for personal information to be published on school websites in line with legislation, departmental procedures and guidelines for web publishing at the school level. Refer to EGPA 2006 s426 (new window) for former, current and prospective students and IS42 for all other people.
• Ensure contracts for engagement of contractors employed to develop/manage school websites include requirement to adhere to the policies and legislation governing the network operations of Queensland Government agencies (refer to the departmental Standard Conditions of Contract (new window) - For Internal use only).

Connection of private devices to network:

• Seek advice from Regional Technology Manager in relation to current departmental network requirements for maintaining integrity of the ICT network.
• Establish and maintain school protocols for connection of private devices to the school network, outlining school's approval process and coverage of authorised use of private devices when connected to the school's network. These protocols will be aligned with this policy and any subsequent departmental network access and usage policies and guidelines.
• Investigate and report security incidents, which are critical and can not be addressed at the local level, as per IFM-PR-006: Maintaining the Security of Department Information and Systems. Reporting of incidents to the Manager, Information Security can be made via Information Security Incident Reporting Form (new window) - For Internal use only.
  

• Exercise their duty of care in the provision of student access and usage of the school's ICT facilities.
• Provide guidance for the usage of ICT's within the classroom, including making sure students understand and follow this policy and its associated guidelines and documents.
• Obtain Principal approval prior to connecting private devices to the network, once the device meets departmental set security standards.
• Maintain the security of their user name and password (do not disclose (e.g. write down or allow another staff member, student, etc.) the user name and password) and report any suspected unauthorised access (e.g. hacking, using another person's user ID and password) to the network, to their immediate supervisor.
  

• Be aware of, understand and adhere to this policy and the Queensland Government policy (new window) on usage of departmental networks and make limited personal use of departmental network services.
• Report incidents of security, privacy and safety breaches of network access and usage, which are critical and can not be addressed at the local level, as per IFM-PR-006: Maintaining the Security of Department Information and Systems. Reporting of incidents to the Manager, Information Security can be made via the Information Security Incident Reporting Form (new window) - For Internal use only.

Intranet, Extranet, Internet and Network Access:

• Do not engage in activities that access (including, for example, distribution of messages anonymously, use of other officers' user IDs or a false identity), transmit or stores material that brings the Department into disrepute.
• Maintain security of their user name and password (do not disclose (e.g. write down or allow another staff member, student, etc.) the user name and password) and report any suspected unauthorised access (e.g. hacking, using another person;s user ID and password) to the network, to their immediate supervisor.
• Obtain authorisation in order to access restricted information; are accountable for authorising or allowing access to information they create on behalf of the Department; and ensure that any departmental information accessed unwittingly or by accident remains undamaged, intact, and unaltered in any way.

Intranet, Extranet, Internet and Network Usage:

• Respect departmental and personal information, and safeguard confidentiality.
• Take reasonable precautions to protect and operate the intranet, extranet, internet and network information and systems against unauthorised access, illegal and unauthorised use, disclosure, modification, duplication, disruption, interference and/or destruction.
• Use only approved protocols to transmit departmental information or make it available via the intranet, extranet, internet or network. Including, adding a signature block (e.g. name, position, business unit, contact phone number) and disclaimer to all e-mail messages.
• Ensure that they never create, knowingly access, download, distribute, store or display any form of offensive, defamatory, discriminatory, malicious or pornographic material and report to their supervisor any accidental access to unauthorised internet sites, including, but not limited to:
  • sites that are illegal; sites that are pornographic or contain inappropriate sexual material; sites that advocate hate/violence; sites that offer games or software whose content could be considered pornographic or offensive on the grounds of gender, ethnicity, religious or political beliefs.
• Seek authorisation from senior management and the technology support officer before downloading software, which will ensure compliance with licensing requirements, established policies and necessary checks of all software for viruses.
• Maintain corporate electronic records, including those of continuing value (emails that need to be kept for any specified length of time and those that are required for use by others; affect the work of others or are required to be held for evidential, accountability or legal reasons).
• Use the Department's secure email communications system for authorised/approved distribution of confidential or sensitive material (e.g. this material should not be transmitted over unsecured networks) within/between schools, district/regional offices, and central office or to an authorised entity of the Queensland State Government.

Connection of private devices to network:

• Seek manager/Principal approval to connect private devices to the network for departmental work purposes and follow departmental network usage guidelines (refer to Information for staff using the Departments corporate ICT network (new window) 27k .;

• Consider, and give or refuse consent to usage and access of the school's network facilities, and operate these facilities with an awareness of, and adherence to, the Queensland Government's and School's network usage and access requirements.

Forms

• Information Security Incident Reporting Form (For Internal use only) (new window)

• Implementation Advice (new window) 36k

Other relevant documents

• Information for Students and their Parents on School Network Usage (new window) 24k /strategic/eppr/ict/ictpr004/studinfo.pdf
• Information for Staff on using the Department's Corporate ICT Network (new window) 27k /strategic/eppr/ict/ictpr004/staffinfo.pdf
• Principal's Checklist - Management of School ICT Networks (new window) 20k /strategic/eppr/ict/ictpr004/checklist.pdf
• Conditions for including personal information on publicly accessible school Internet websites (new window) 29k /strategic/eppr/ict/ictpr004/conditions.pdf
• Wording of Email Disclaimers/strategic/eppr/ict/ictpr004/disclaimer.html
• Use of Internet and Electronic Mail Policy and Principles Statement 2007 (new window) http://www.psc.qld.gov.au/library/document/policy/internet-and-electronic-mail.pdf

Contacts

For further advice on using the Department's Corporate ICT Network, contact:

For further advice on information security, contact:

For current departmental network standards, contact:

For ICT support contact the Service Centre:

• CM11-1: Internet - Student Usage - Version: Not Applicable
• WFR-PR-003: Use of Intranet, Internet and Electronic Mail Services and ICT Devices by all Staff - Version: 2.0
• SMS-PR-001: Publishing Student and Staff Information on School Web Sites - Version: 1.0
• ICT-PR-004: Using the Department's Corporate ICT Network - Version: 1.0