Red X iconGreen tick iconYellow tick icon
Skip to main content
Category Information and Communications Technology
Type Policy
Approved by Vice-Chancellor
Date policy took effect 9 June 2025
Last approved revision 
Sponsor Chief Digital Officer
Responsible Officer Head of IT Assurance and Cyber Security

Purpose

To define what the University considers appropriate usage of Information and Communication Technology ( ICT ) resources provided to members of the University Community to perform their academic or operational activities.

Organisational scope

This policy applies to all University of Otago ICT Resources.

All members of the University Community must comply with this policy and are responsible for their use of ICT Resources.

Definitions

Access Credentials
The University approved method by which all the University Community access ICT Resources including (but not limited to) username, password, bio-metric authentication, or swipe card.
ICT Resources
Any Information and Communication Technology ( ICT ) Resources provided by the University of Otago or provided by an individual or organisation and used for University official activities, including (but not limited to): access credentials, devices, software, information, data, telephones, mobile devices and mobile plans, video facilities, internet access, networks, websites and other computer systems and the means to interact with them.
Sponsor
The person approving the creation of a username for someone who is not in the University HR/Payroll system or is not enrolled as a student of the University.
University Community
Includes all University of Otago staff members (whether permanent, temporary, full or part time, emeritus or honorary), all members of the Council of the University, students (whether full time or part time), contractors, subcontractors, consultants, alumni, associates, business partners or official visitors or guests of members of the University.
User
Any individual member of the University Community using ICT Resources.

Content

  1. Confidentiality and Privacy

    1. The University of Otago holds private and confidential information related to the University Community and its operation. Users of ICT Resources must only access personal information that is required by them to carry out a function of their university academic or operational activity. Any subsequent use of the information must also be clearly based on professional need (refer the University’s Privacy Policy). Private and confidential information (not public information) can only be used for the purpose for which that authority was granted.
    2. Users must respect the confidentiality and the privacy or information and report any matter of concern to their manager or academic supervisor. If it is necessary for personal and/or confidential information to be given to a person in connection with the provision of a service to the University, everything reasonably within the power of the User must be done to prevent unauthorised use or unauthorised disclosure of the information.

  2. Use of ICT Resources

    1. The University provides ICT Resources to members of the University Community who need them for official University use. These Users are responsible for all activity related to their use of ICT Resources.
    2. Users must ensure that:
      1. Access Credentials are not reused, shared, or disclosed, and are always protected.
      2. ICT Resources and all information contained within ICT Resources are always kept safe and secure.
      3. ICT Resources are used efficiently to support the academic and operational activities of the University.
      4. University ICT systems are not compromised and are protected against unauthorised or negligent modification or disclosure through their actions.
      5. The University is not brought into disrepute through their actions.
      6. Regarding emails, users must take care to:
        • Send emails to the correct recipients, particularly where the content of the email relates to personal and/or confidential information, and
        • Send the correct information securely, ensuring that best practices are followed.
    3. ICT Resources must be always kept physically secure and safe. Users are responsible for the security of their device(s) and must ensure they do not leave them insecure, unattended in public places or publicly visible in locations such as homes or vehicles. Users must report the loss or damage of ICT Resources to their manager, academic supervisor or sponsor immediately.
    4. When a User leaves/finishes their engagement with the University, the person’s manager must ensure that:
      1. Remote access to ICT Resources (e.g., email, applications, etc.) is disabled.
      2. All ICT assets and equipment are recovered.

  3. Personal Use

    1. Limited personal use of ICT Resources is permissible if it does not interfere with the User’s official academic or operational activities and is in accordance with the requirements below:
      1. Must not consume unreasonable amounts of resources.
      2. Must not create unapproved costs or costs outside of normal operation.
      3. Must not introduce security risks.
      4. Should not be used to store personal private or confidential personal information unrelated to university purposes. The University is not responsible for any such information that is inadvertently exposed, accessed, or lost.

  4. Unacceptable Use of ICT Resources

    1. Unacceptable use of ICT Resources creates disruption to academic and operational activities and risk for the University, including costs, network interference and criminal and civil liabilities.
    2. Unacceptable use of ICT Resources includes (but is not limited to):
      1. Illegal or unlawful activity of any kind, including altering, copying, sending, playing, viewing, downloading, uploading, sharing, or continuing to use copyrighted or licensed materials on ICT Resources without permission from the rightful owner.
      2. Accessing, viewing, creating, downloading, or transmitting any data and/or anything else that is:
        • Pornography, obscene, indecent, defamatory or discriminatory; and/or
        • Intended to annoy, harass, offend, bully, or intimidate other people.
      3. Knowingly (or negligently) compromising, circumventing, disabling, overriding, or overloading any ICT Resource or any other system intended to protect the privacy, confidentiality, security, or integrity of ICT Resources or the University Community.
      4. Using ICT Resources to carry out personal business for the purpose of commercial gain.
      5. Impersonating the University or a member of the University Community in social, political, commercial or any other commentary without appropriate authority.
      6. Publishing, releasing, discussing, or otherwise disseminating any commercially sensitive, private, or confidential information (by any means) without authority.

  5. Responsibilities Regarding Access to Unacceptable Material

    1. If a User accidentally accesses unacceptable, inappropriate, or illegal material (or what appears to be), a copy may remain on their ICT Resources. Routine monitoring can find this material. To protect themselves from cases of accidental access, Users must follow these steps:
      1. The material must not be shown to others, and the display window should be closed immediately.
      2. The incident should be reported as soon as practicable to their manager, academic supervisor or Sponsor.

  6. Bring Your Own Device ( BYOD )

    1. Any User using a device not owned by the University for academic and/or operational work purposes, or that interacts with a University ICT Resource, must abide by the requirements contained in this Policy for any period their device is accessing university ICT Resources.
    2. All ICT Resources must be removed from devices not owned by the University once employment or engagement ceases with the University, or if the device is no longer going to be used for a university related purpose.
    3. If a device not owned by the University is involved in a cyber security or other incident, Users are required to cooperate with the University during an incident response and investigation.

  7. Monitoring

    1. The University monitors usage and interaction with its network and other ICT Resources for operational and security purposes and may use third party services to facilitate this monitoring.
    2. The University may at any time without prior notice to the person examine the content of ICT Resources as part of an operational process, security process, or any official investigation.

  8. Breach of Policy

    1. Breach of this Policy and/or supporting policies may result in the loss of access to ICT Resources and/or disciplinary action being taken. Any concerns or breaches will be investigated in accordance with the Ethical Behaviour Policy
    2. Any member of the University Community who wishes to raise a concern or report a breach of this Policy should contact IT Assurance and Cyber Security ( ITACS ) at the email provided below.
    3. ITACS works with other University areas (such as Human Resources, Proctor’s Office, Office of the Registrar and Secretary to the Council, etc.) when undertaking or assisting with any investigation.

  9. Exemptions

    1. There may be situations where exceptions to this Policy are necessary due to academic, research, operational, security or business-critical reasons. In such a situation, an exemption must be requested by contacting IT Assurance and Cyber Security ( ITACS ) via the email address provided below.

Related Policies, Procedures, and forms

Contact for further information

If you have any queries regarding the content of this policy or need further clarification, contact:

IT Assurance and Cyber Security Team ( ITACS )
Email cybersecurity@otago.ac.nz

Back to top