Email and Internet Procedures

This is the current version of this document. You can provide feedback on this policy to the document author - refer to the Status and Details on the document's navigation bar.

Section 1 - Purpose and Context

(1) These procedures provide information to assist students and staff to understand their rights and responsibilities while using Email and Internet services. These procedures should be read in conjunction with the Email and Internet Policy.

Section 2 - Definitions

(2) Refer to the Email and Internet Policy for a full list. Definitions that apply only for the purposes of these Procedures include:

  1. Commercial Email: A commercial email sent by the University is an email designed to advertise or promote the University's services (or other similar opportunities).
  2. Digital Signature: electronic code used to:
    1. authenticate the identity of the sender of the email or document; and
    2. confirm the email or document has not been altered since it was originally signed
  3. Mailing List: list of email addresses hosted on servers using specialised mail list software to process incoming and outgoing messages (this policy does not address personal lists created in your local email software)

Section 3 - Policy Reference

(3) Refer to the Email and Internet Policy.

Section 4 - Procedures

Part A - Conditions of Use

(4) When using University email and internet, Authorised Users must:

  1. respect confidentiality, privacy and legal/professional privilege, and ensure that the content and distribution of email will not undermine responsibilities in regard to these requirements [Ref. ISO 27002 section 13.2.3d];
  2. ensure that their usage is legal and complies with all relevant University policies and procedures, in particular those governing record management (see the Email and Internet Guide document for more details);
  3. not broadcast unsolicited personal views on non-University related matters (see the Media Policy and the Code of Conduct for more detail).

(5) University email and internet resources must not be used:

  1. for any private commercial activity or external private work, except where the University has specifically granted exemption from this restriction in accordance with the External Work Policy. In these circumstances, use of Western Sydney University IT Resources should be kept to a minimum.
  2. in a manner that constitutes unlawful discrimination, including vilification, or in a manner that intimidates, offends or humiliates any person contrary to the University's policies on harassment, vilification, discrimination and bullying. This includes language, imagery, and all other forms of communication.

(6) Staff must use their University email address and provide their University identity when sending official University correspondence via email and must determine and abide by any additional record-keeping obligations that apply. [Ref. Spam Act 2003, section 6; State Records Act 1998, section 3]

(7) Official correspondence to students must be sent to students' University email addresses, although copies may also be sent to students' personal addresses [Ref. Spam Act 2003, section 6].

(8) Automatic Redirection of University emails to an external/personal email address or to another email client is not permitted.

Personal Use of University Email and Internet

(9) The University permits incidental personal use of University email and internet on the proviso that such use is legal, consistent with all relevant University policies and does not interfere with or conflict with University business. Authorised Users should note that:

  1. University email resources are the property of the University. Even personal emails remain subject to the provisions of the Email and Internet Policy and as such may be accessed in accordance with the procedures authorised by the Workplace Surveillance Policy;
  2. University email and internet usage is logged at all times for reasons of security and to ensure system validity, integrity and confidentiality, and may be restricted without warning if a University Information System is breached, or if the CIDO (or nominee) believes there is the potential for a breach; and
  3. Incidental and occasional use of university email for personal use is acceptable. However, use of the email system as a personal email solution is not authorised.

(10) When staff and students leave the University, their User accounts — including documents, email and internet access — are archived and retired. Before leaving the University, students and staff are responsible for tidying their own documents and mailboxes and making a copy of any personal information that they will require (see the Acceptable Use of IT Resources Policy for more detail). Additionally, staff should ensure that information that will be needed for business continuity purposes is provided to their supervisor (or designee) prior to their departure. Refer to KnowledgeBase Article KB0012730 within ServiceNow for more details.

(11) While the University allows reasonable personal use of its email system, Authorised Users are strongly advised to use other email providers if they have concerns about personal information or private content being accessible in the University's systems. Organising email folders so that personal email is not interspersed with University related email could also help to protect privacy.

Official Email — Related to Work or Study

(12) Emails dealing with University business are University records. As such, staff are obliged to ensure these emails are placed on formal University files (such as TRIM), preventing the need for access to the Authorised User's email account. Staff who will be absent from the University must ensure that information held in their email accounts that is relevant and necessary to conducting the University's business is accessible to those having a need for it. Refer to the Records and Archive Management Policy for further information.

(13) Emails sent by staff members of the University, especially when acting in their official capacity, should include a signature line in keeping with the University's branding resources (requires staff login). Staff are advised that disclaimers or other common signature line messages are able to be added as described in the branding resources.

Verification of Student Emails

(14) Occasionally, the University's ITDS staff receive requests from staff seeking verification that an email has been sent or received by a nominated University student email address. Such requests should be made through the IT Service Desk, and include the information necessary to enable the transaction to be traced.

(15) In these cases the CIDO (or nominee) will normally advise whether the email described was sent or received by a nominated University student email address at the date and time indicated.

Part B - Security of Internet Access and the Email System

(16) Current email transportation methods cannot be regarded as secure. Email forgery and phishing can and do occur, and Spam email will occasionally appear legitimate enough not to be detected by automatic filtering. To prevent the misuse of email, Authorised Users should:

  1. verify the authenticity of emails that suggest an unusual course of action;
  2. verify the authenticity of email attachments from email that they were not anticipating before opening them;
  3. be cautious when using emails to communicate sensitive personal, commercial or other information;
  4. use their own passwords, their own email accounts, and not permit others to use them;
  5. not look at other Authorised Users' emails without their consent;
  6. be aware that by sending messages to open groups their email addresses will become public, and could be misused; and
  7. be aware that a forwarded message's contents can be changed from the original.

(17) Just as email is a potential vector for spreading malicious code or conducting crime, the internet can and does get used in this way, and should not ever be considered entirely safe or secure. The steps Authorised Users should take to make sure there is not any misuse of the University's Internet Resources include:

  1. not putting any sensitive or personal information, including your Credentials or parts thereof, into a website that seems suspicious;
  2. not clicking on advertisements;
  3. not downloading files or software that appear suspicious;
  4. not opening downloaded files that appear suspicious (too large or small, the wrong name or file type), and instead reporting the file to the IT Service Desk;
  5. ensuring activities taking place are abiding by the University's Codes of Conduct for staff and students, as well as the Acceptable Use of IT Resources Policy; and
  6. not obtaining software without appropriate review and approval.

Reviewing Performance of University Email and Internet

(18) The University takes steps to safeguard its Authorised Users and its email and internet resources by logging email and internet activity, running virus scans, placing firewall blocks around its Information Systems, and retaining logs and backups of all of the above. Staff authorised by the CIDO may observe these logs for the purposes of analysis and examination; as required by law; for ensuring the confidentiality, integrity, and availability of the University Information Systems; or as directed in the Workplace Surveillance Policy.

(19) In order to efficiently manage the University Email and Internet Services, the University reviews performance and retains logs, backups and archives related to these services. Only staff approved by the CIDO may examine such records, and only for the purposes of this policy, as required by law or for ensuring the confidentiality, integrity and availability of the University Information Systems, or as directed in the Workplace Surveillance Policy.

(20) As part of reviewing and maintaining the system the University may limit:

  1. the size of individual emails sent using University Email Resources,
  2. the total volume of email sent using University Email Resources,
  3. the amount of email retained on University Email Resources, and
  4. the type of content sent or received using University Email and Internet Resources.

(21) The University may block emails that are determined by the University and/or its security software to:

  1. contain attachments of a type that can carry malicious computer code,
  2. possibly be spam,
  3. possibly contain malicious computer code, and/or
  4. contain demeaning or threatening language, or
  5. be contrary to University policy. [Ref. ISO 27002 section 13.2.1].

(22) Users should not use University email resources in a manner that could reasonably be expected to directly or indirectly cause excessive strain on any part of the University Information System, or unwarranted or unsolicited interference with other use of the University Information System. This would include use that consumes a large amount of bandwidth (e.g. through the use of large attachments) or the distribution of screen savers, games, spam or the like. [Ref. ISO 27002 section 7.2].

Part C - Mailing Lists

(23) The University provides directories of email addresses ("University Email List"). These are important to our ongoing work and their integrity and usefulness must be preserved. There are three types of mailing list:

  1. A General Email List may be established for all, or a defined sub-set, of the University population. Membership of the list is mandatory for members of the University population who fall within the defined membership of the list. It does not include lists established by Schools or Units for communications to their own staff.
  2. Unit Email Lists may be established by any unit for communications to its own staff.
  3. Special Interest Email Lists may be requested by any Authorised User for the recurrent dissemination of information relating to the functions of the University to the subscribers. Membership of such lists is voluntary.

(24) All University emails sent via University Email Lists are subject to the following:

  1. the content of emails sent using the University Email Lists must relate to the business of the University or further the vision, mission or goals of the University.
  2. staff must not provide external people or organisations with copies of University Email Lists content or members listings.
  3. the transmission of unsolicited email should only occur where the recipient can be identified as having a high probability of having a particular interest in the subject matter. If a recipient indicates that they do not wish to receive further messages on a topic, or from an individual or group, no further messages should be sent unless the message is sent as part of a General Mailing List.
  4. The List owners are the CIDO (or nominee) for a General List, the Unit Head for a Unit List, or the Owner for a Special Interest List.
  5. The Owner of the List is required to maintain up-to-date list information, including the addresses of all subscribers, any identification that is requested and provided, and conduct periodic reviews of membership and remove any addresses that are no longer current (for example, when staff or students have left the University).

(25) General email lists:

  1. can only be established with the permission of the CIDO.
  2. will be moderated by a person approved by the CIDO.
  3. members can only unsubscribe from the list with the permission of the moderator.
  4. only emails that are approved by the moderator or the CIDO may be sent via a General email list.

(26) Unit email lists:

  1. can only be established with the permission of the Unit Head or their delegate.
  2. will be managed by a person approved by the Unit Head or their delegate.
  3. members can only unsubscribe from the list with the permission of the Unit Head.

(27) Special interest email lists are subject to the following:

  1. no person may be included in the list unless they have subscribed to it. This does not prevent the use of a list to send an unsolicited email containing an invitation to join the list to one or more people provided that the email clearly states that the person will receive no further emails unless they elect to join the list.
  2. subscribers have the right to unsubscribe at will.
  3. only subscribers to the list, or a person who has been authorised by the CIDO, can send emails via the list. This does not prevent a person asking a subscriber to the list to send an email on their behalf; however, the subscriber is responsible for ensuring that any such email complies with these Procedures and all other relevant University policies.
  4. the List Owner must provide a list of the subscribers to the CIDO when requested to do so unless this would reveal sensitive personal information (as defined in the Privacy and Personal Information Protection Act, 1998) about a subscriber.
  5. list Owners must remove a subscriber from the list where the subscriber has used the list in a manner contrary to law or the University's policies.
  6. list Owners must create a meaningful list title.

Part D - Commercial Emails

(28) From time to time University staff may engage in the sending of commercial emails that offer goods or services from the University. The definition of what constitutes commercial email for the purposes of this document is contained in the definitions (Section 2), and is otherwise defined within section 6 of the Spam Act, 2003. All Commercial Emails are governed by the Spam Act.

(29) A Commercial Email must contain:

  1. the University's name, logo and contact details, or
  2. the email author's name and contact details; and
  3. a statement to the effect that the recipient may use an electronic address specified in the email to send an unsubscribe message.

(30) Staff sending Commercial Emails must ensure that the unsubscribe facility specified in the email is functional and requests are acted upon.

(31) Commercial Email must not be sent to a person who has submitted an unsubscribe request.

(32) University staff must not use email address harvesting software or an email address list that has been produced using such software. For this reason, care must be taken when using email lists provided by sources outside the University.

Part E - Formats and Encryption

(33) Attachments must be in a format that can be read by a readily available program for which the University holds a license in order to ensure that they can be read in the future. This means that attachments that are documents (not including spreadsheets, databases and the like) should be in ASCII, TXT, RTF, DOC or PDF format.

(34) Official Emails must only be encrypted and sent using software approved by the CIDO.

Part F - Webpage Blacklisting

(35) ITDS maintains a register of 'blacklisted', or blocked, websites that University systems will not allow Authorised Users to navigate to or load. Authorised Users of University Internet Resources should not attempt to circumvent the blacklist without consent from the CIDO and assistance from ITDS staff (see the Cyber Security Policy for more information).

Part G - Digital Signatures

(36) By law, digital signatures can have the same legal status as written signatures. Staff must not use digital signatures on either email or as part of online forms in place of written signatures without authorisation from the CIDO.

Part H - Backup and Archiving

(37) Emails, including emails of a private or personal nature, are regularly backed up and/or archived by the University. It is not feasible to separate private or personal email from this process. Nothing in this procedure document prevents such backups or archiving. Requests for copies of backed up or archived emails will be treated in the same way as requests for copies of the original email.

(38) ITDS is not obliged to provide an Authorised User with copies of personal emails that it has backed up or archived.

Part I - Tagging of Unconfirmed Spam Email

(39) The University makes use of systems to automatically detect spam email. In the event these systems are unable to determine if an email is spam or genuine, they append a [SPAM] tag to the front of the subject line and deliver it to the intended recipient. This may result in Authorised Users receiving spam email from time to time. Report spam emails to the IT Service Desk (itservicedesk@westernsydney.edu.au). Refer to KB0011503 for more details.

Part J - Other Applicable Guidelines for Authorised Users

(40) The Policy on Allowed Access to AARNet provides guidelines on allowable access and conditions of access to Internet services. Any Authorised User of University Internet Resources is expected to follow it.

(41) Eduroam users: Eduroam users access University Internet Resources through a separate wireless Network, set up to cater exclusively to the standards for connectivity outlined in Eduroam's Compliance Statement. Through the Eduroam wireless network, Eduroam users are granted access to University Internet Resources. However, a University email account is not generated for these users. Eduroam users are expected to comply with this procedure document as far as it applies to them, such as reasonable and courteous internet usage, as well as any applicable University Policies, such as the Acceptable Use of IT Resources and Email and Internet Policy.

Section 5 - Guidelines

(42) See the Email and Internet Guide document.

(43) This procedure makes reference to the International Standard for Information Security, AS/NZS ISO/IEC 27002, which can be accessed under "Standards On-line Premium (SAI Global)" via the alphabetical listing in the e-Resources section of the University Library.

Section 6 - Reference Documents

(44) The following University policies are referenced in this procedure:

  1. Acceptable Use of IT Resources Policy
  2. Bullying Policy
  3. Code of Conduct
  4. Cyber Security Policy
  5. Discrimination, Harassment, Vilification and Victimisation Prevention Policy
  6. Email and Internet Policy
  7. External Work Policy
  8. Media Policy
  9. Privacy Policy
  10. Records and Archive Management Policy
  11. Workplace Surveillance Policy

(45) The following legislation, framework, or standards are referenced in this procedure:

  1. Spam Act
  2. State Records Act
  3. Privacy and Personal Information Protection Act 1998
  4. AARNet access
  5. eduroam Compliance