Purpose
The purpose of this Standard is to ensure the implementation of consistent policies and practices in the management of information and communication technology (ICT) facilities and devices including internet and electronic mail (email). This standard should be read in conjunction with the Cabinet endorsed Use of the Internet and Electronic Mail Policy and Principles Statement (PDF, 70 kB). This Standard extends the application of the Cabinet Statement to all Government-owned ICT facilities and devices.
For the purposes of this Standard:
- ICT facilities and devices cover computers (including palm and handheld devices); telephones (including mobiles); removable media; radios or other high frequency communication devices; television sets; digital or analogue recorders (including DVD and video); cameras; photocopiers; facsimile machines; printers (and other imaging equipment); electronic networks, internet; email; web mail; and fee-based web services; and
- Employees are defined as those engaged on a tenured, temporary, or seconded basis as defined by the Public Service Act 2008 and/or relevant agency legislation. Where contractors are engaged to provide services for, or on behalf of, the agency, contract conditions must clearly reflect the Government’s policy on this issue. Agencies must ensure that other persons, such as students, volunteers, work experience, or other external bodies authorised by the agency to use Government-owned ICT facilities and devices, are aware of and acknowledge the Government policy on the restrictions and consequences of misuse of these facilities and devices.
Policy
ICT facilities and devices, including the internet and email, are important sources of information and means of communication that can assist Government to provide more effective services to the community. The use of and/or access to these must be able to withstand public scrutiny and/or disclosure.
Government-owned ICT facilities and devices, including internet and email facilities and devices, are provided for officially approved purposes. Limited personal use of internet and email facilities and devices should be available on a basis approved by the agency's chief executive officer.
Employees are accountable to their employing agency for the use of these technologies. Employees found to be intentionally accessing, downloading, storing or distributing pornography using Government-owned ICT facilities and devices will, subject to industrial and procedural fairness, be dismissed.
Employees may also be disciplined or dismissed for the misuse of the internet or electronic mail in respect of material which is offensive or unlawful, although not pornographic. A pattern of behaviour (for example, repeated use) is a factor for consideration in determining disciplinary measures (including dismissal).
To ensure consistent and effective management of ICT facilities and devices, agencies must:
- develop and implement clear policies and guidelines relating to the use of government-owned ICT facilities and devices;
- clearly inform employees what their responsibilities are under the policies and guidelines and the consequences if those policies and guidelines are broken; and
- clearly inform employees of procedures that will be used to monitor compliance with the policies and guidelines.
Scope
This standard applies to all Government agencies.
Issue and review
This QGEA information standard is published within the QGEA and is administered by the Queensland Government Chief Information Office (QGCIO). It was developed by the Department of Justice and Attorney-General, the Crime and Misconduct Commission, Crown Law, Public Service Commission and the QGCIO and approved by the Director-General, Department of Public Works on 18 June 2009.
This QGEA information standard will be reviewed on an annual basis. The next review date is June 2010.
Implementation
The authority for the implementation of the mandatory principles of the Information Standard is primarily derived from the Financial and Management Standard 2009. Based on this the implementation schedule for the Standard is:
- a risk assessment must be completed on all the mandatory principles within a period of 6 months from endorsement;
- all mandatory principles that the department or agency has designated “high risk” should be implemented within 12 months of endorsement; and
- where an agency proposes to declare a mandatory principle as “low risk” and defer its implementation, it should consider the possible legal liability of the Queensland Government to third parties such as clients or suppliers who suffer loss or damage as a result of the department or agency not implementing that mandatory principle.
The implementation dates for this standard are:
High-level risk assessment: 31 December 2009
High risk principles implementation: 30 June 2010
Reporting requirements
This Standard has reporting requirements and the submission date is as follows:
| Report | Submission date* |
|---|---|
| Report on employees who have been disciplined or dismissed as a result of accessing pornography and/or offensive material, including advice on what disciplinary action was taken | 30/07/09 (annually) |

*Due dates will be updated when necessary
Implementation advice and toolboxes have been provided to assist agencies in implementing the mandatory principles of the standard.
IS38 implementation toolbox
Mandatory principles
Principle 1 – Agency responsibilities
Government-owned ICT facilities and devices, including internet and email, are provided for officially approved purposes. When managing and monitoring the use of ICT facilities and devices, agencies must:
- ensure employees are aware of and understand agency policies, practices and their responsibilities;
- ensure disciplinary procedures and penalties imposed on employees for breaches of use are clear, unambiguous, proportionate to the offence and are applied in a manner which is timely, fair and decisive;
- ensure that the penalty for intentionally accessing, downloading, storing or distributing pornography is communicated to all employees in clear and unambiguous language;
- minimise security risks including disruption to agency operations and unauthorised use (intentional or unintentional) by employees;
- address issues relating to record keeping, archiving, freedom of information, privacy and audit requirements;
- ensure any breaches discovered are thoroughly investigated and all issues identified and addressed;
- develop and implement procedures for reporting potential breaches of agency policy or the law to the relevant authority; and
- submit, as per the reporting schedule, to the Public Service Commission, a report on employees who have been disciplined or dismissed as a result of accessing pornography and/or offensive material, including advice on what disciplinary action was taken.
Principle 2 – Agency policy
Agencies must develop, implement and communicate clear and unambiguous policies and guidelines addressing the use and monitoring of ICT facilities and devices within the agency. At a minimum, agencies must ensure that these policies and guidelines:
- are consistent with the requirements of the Cabinet endorsed Use of the Internet and Electronic Mail Policy and Principles Statement (PDF, 70 kB), the Employment Separation Procedures Directive 2/09, the agency’s approved code of conduct and all other relevant legislative or statutory obligations under which the agency operates;
- are reviewed on an ongoing basis, are readily accessible and regularly communicated to all employees;
- define which employees within the agency are authorised to use ICT facilities and devices, and the conditions and constraints relating to their use in terms of agency security, privacy, copyright, confidentiality and delegation policies;
- define what is considered authorised and unauthorised use and provide clear definitions, comprehensive examples and permitted levels of such use;
- define the range of disciplinary procedures and penalties which may be applied as a consequence of unauthorised use of internet and email including that the penalty in the case of an employee being found to have intentionally accessed, downloaded, stored or distributed pornography using Government-owned ICT facilities and devices is, subject to industrial and procedural fairness, termination of employment;
- define what ICT facilities and devices will be monitored and the conditions under which this monitoring will take place;
- expressly state the kinds of personal information the agency will record in the course of intercepting incoming emails and the purposes for which the information will be used; and
- define who has access to intercepted emails, monitoring reports and the delegation chain of authority and actions for dealing with reports or information collected or generated from this activity.
Principle 3 – Agency responsibilities to employees
Agencies must provide appropriate training to ensure that all employees are made aware of their responsibilities and obligations when using ICT facilities and devices. At a minimum, agencies must ensure that employees are:
- aware of, understand, acknowledge, and have access to the relevant agency policies on use of ICT facilities and devices including internet and email, and their responsibilities as outlined in the Cabinet endorsed Use of the Internet and Electronic Mail Policy and Principles Statement (PDF, 70 kB), including procedures that apply when an employee is separating from the public service;
- aware of, and acknowledge what is authorised and unauthorised use of ICT facilities and devices;
- informed that systems and processes will be used to monitor, audit and report on employee use and/or access;
- aware that penalties may be imposed following disciplinary actions arising from a breach of these policies; and
- aware that, when receiving unsolicited inappropriate material from the internet or through email, they delete such material from agency systems immediately. Action to delete this material would not constitute unauthorised use.