Use of ICT Facilities and Devices (IS38)
Purpose
The purpose of this Standard is to ensure the implementation of consistent
policies and practices in the management of information and communication
technology (ICT) facilities and devices including internet and electronic mail
(email). This standard should be read in conjunction with the Cabinet endorsed
Use of the Internet and Electronic Mail Policy and Principles Statement
(PDF, 158kb). This Standard extends the application of the Cabinet Statement to
all Government-owned ICT facilities and devices.
Use of ICT Facilities and Devices (IS38) is located under Mechanisms and
Standards within the EA Representation section of the Government
Enterprise Architecture (GEA) Framework. For the purposes of this
Standard:
- ICT facilities and devices cover computers (including palm and handheld devices); telephones (including mobiles); removable media; radios or other high frequency communication devices; television sets; digital or analogue recorders (including DVD and video); cameras; photocopiers; facsimile machines; printers (and other imaging equipment); electronic networks; internet; email; web mail; and fee-based web services; and
- Employees are defined as those engaged on a tenured, temporary, or seconded basis as defined by the Public Service Act 1996 and/or relevant agency legislation. Where contractors are engaged to provide services for, or on behalf of, the agency, contract conditions must clearly reflect the Government’s policy on this issue. Agencies must ensure that other persons, such as students, volunteers, work experience placements, or other external bodies authorised by the agency to use Government-owned ICT facilities and devices, are aware of and acknowledge the Government policy on the restrictions and consequences of misuse of these facilities and devices.
Policy statement
ICT facilities and devices, including the internet and email are important
sources of information and means of communication that can assist Government to
provide more effective services to the community. The use and/or
access to these must be able to withstand public scrutiny and/or disclosure.
The provision of Government-owned ICT facilities and devices, including internet and email facilities and devices, is for officially approved purposes. Limited personal use of internet and email facilities and devices should be available on a basis approved by the agency's chief executive officer.
Employees are accountable to their employing agency for the use of these
technologies. Employees found to be intentionally accessing, downloading, storing or
distributing pornography using Government-owned ICT facilities and devices will
be dismissed.
Employees may also be disciplined or dismissed for the misuse of the internet or
electronic mail in respect of material which is offensive or unlawful, although not
pornographic. A pattern of behaviour (for example, repeated use) is a factor for
consideration in determining disciplinary measures (including dismissal).
To ensure consistent and effective management of ICT facilities and devices, agencies must:
- develop and implement clear policies and guidelines relating to the use of government-owned ICT facilities and devices;
- clearly inform employees what their responsibilities are under the policies and guidelines and the consequences if those policies and guidelines are broken; and
- clearly inform employees of procedures that will be used to monitor compliance with the policies and guidelines.
Issue and review
This Standard was issued by the
Director-General of the Department of Public Works in August 2005. Review
of this Standard will occur on an annual basis.
Current Version: V2.03 (Updated October 2007)
Implementation
The authority for the implementation of the mandatory principles of the Information Standard is primarily derived from the Financial Management Standard 1997. Based on this, the implementation schedule for the Standard is:
- a risk assessment must be completed on all the mandatory principles within a period of 6 months from endorsement;
- all mandatory principles that the department or agency has designated “high risk” should be implemented within 12 months of endorsement; and
- where an agency proposes to declare a mandatory principle as “low risk” and defer its implementation, it should consider the possible legal liability of the Queensland Government to third parties such as clients or suppliers who suffer loss or damage as a result of the department or agency not implementing that mandatory principle.
Reporting requirements
This Standard has reporting requirements and the submission date is as follows:
Principle 1 | Due Date*
Report on employees who have been disciplined or dismissed as a result of accessing pornography and/or offensive material, including advice on what disciplinary action was taken | 30/07/08 (annually)
*Due dates will be updated when necessary
Implementation advice and toolboxes
Implementation advice and toolboxes have been provided to assist agencies in
implementing the mandatory principles of the standard.
IS38 implementation toolbox
Mandatory principles
Principle 1 – Agency responsibilities
The provision of Government-owned ICT facilities and devices, including internet and email, is for officially approved purposes. When managing and monitoring the use of ICT facilities and devices, agencies must:
- ensure employees are aware of and understand agency policies, practices and their responsibilities;
- ensure disciplinary procedures and penalties imposed on employees for breaches of use are clear, unambiguous, proportionate to the offence and are applied in a manner which is timely, fair and decisive;
- ensure that the penalty for intentionally accessing, downloading, storing or distributing pornography is communicated to all employees in clear and unambiguous language;
- minimise security risks including disruption to agency operations and unauthorised use (intentional or unintentional) by employees;
- address issues relating to record keeping, archiving, freedom of information, privacy and audit requirements;
- ensure any breaches discovered are thoroughly investigated and all issues identified and addressed;
- develop and implement procedures for reporting potential breaches of agency policy or the law to the relevant authority; and
- submit, as per the reporting schedule, to the Office of the Public Service Commissioner, a report on employees who have been disciplined or dismissed as a result of accessing pornography and/or offensive material, including advice on what disciplinary action was taken.
Email monitoring issues
Agencies should ensure that any monitoring of employees' internet use and interception of employees' email, including email originating from sources external to Government, is undertaken in compliance with any relevant Commonwealth legislation such as the Telecommunications (Interception and Access) Act 1979 (Cth), (the TIA Act), Criminal Code Act 1995 (Cth), Cybercrime Act 2001 (Cth) and the relevant Queensland Government Information Standard (IS42 or IS42A).
Amendments made to the TIA Act in September 2007 do not affect the majority of agencies and the amendments made in June 2006 (detailed below) still apply. However, the September 2007 amendments do affect “eligible authorities” which in Queensland are the Queensland Police Service (QPS) and the Crime and Misconduct Commission (CMC). As a result, the QPS and the CMC are now provided with particular powers in relation to monitoring their own computer systems and should consult with their own legal departments to determine changes to agency policies and procedures.
Future amendments to the TIA Act are expected. To ensure that agency processes continue to remain in accordance with this legislation, the Act will continue to be monitored and advice provided to agencies as soon as it becomes available.
Amendments made to the TIA Act in June 2006 permit access to employees' stored emails only after they have become 'accessible' to the intended recipient. This does not require that an addressee has read the email, but means that the email must have been delivered to or received by the telecommunications service provided to the addressee, or is under the control of the addressee. In broad terms, this means that agencies may copy and view emails once they are available to an employee on the mail server or on the employee's computer, even if the employee has not yet opened the email. As before, however, agencies must pay close attention to the provisions of the Act and obtain advice where necessary in formulating and updating their monitoring practices.
Agencies are encouraged to read and refer to further information on the monitoring of email located in the Email Monitoring Reference Sheet located in the ICT Facilities and Devices (IS38) Toolbox.
However, the ongoing amendments to the prohibition on interception under the Telecommunications (Interception and Access) Act 1979 (Cth) only serve to highlight the existence of a range of restrictions which may limit the activities of network owners and administrators in accessing emails and using certain categories of information contained in them. The activities of the owners and administrators of networks and computers in accessing stored emails are subject to a range of restrictions such as:
- the principles regulating the exercise of administrative power;
- privacy standards and legislation;
- common law privileges; and
- agency specific legislation.
To ensure the confidentiality and privacy of information, agencies must ensure that they expressly state the kinds of personal information they record in the course of intercepting incoming emails (from external sources) and the purposes for which the information will be used.
Security management
To address a wide range of security issues, particularly in relation to internet and email, agencies should refer to Security (IS18) when implementing and documenting security systems and processes for the monitoring and access of ICT facilities and devices. Agencies should consider the following:
- information classification and control; operational and access control security management, for example prohibiting connection of unauthorised portable ICT storage devices, virus protection, firewall policies, remote access policies; use of mobile technology;
- minimising unsolicited and inappropriate emails (in accordance with the Spam Act 2003 (Cth)); and
- incident reporting and escalation, including incident response management.
Minimising unsolicited email
In 2003 the Federal Government passed the
Spam Act 2003 (Cth), which provides standards for commercial electronic
messages including those sent by Government. The
Spam Act 2003 (Cth) says that unsolicited commercial electronic
messages must not be sent. A message should only be sent to an addressee when
that person has consented to receive it. The Act does provide some exemptions
for government bodies, however these are limited.
Agencies should refer to the Department of Communications, Information
Technology and the Arts "Spam Act 2003: An overview for government" to ensure
that the provisions of the Act are addressed in agency policies.
Audit and evidentiary records
Disciplinary actions
Disciplinary actions and processes
implemented by the agency should be determined under the
Public Service Act 1996 or other relevant agency legislative
obligations.
When determining internal disciplinary processes agencies should refer to
agency ethics manuals or Codes of Conduct for specific instructions. The course
and extent of disciplinary action to be undertaken for the breach of agency
policy should be determined by the CEO (or delegate) on a case-by-case basis
and should reflect the severity of the breach. A pattern of behaviour
(for example, repeated use) is a factor for consideration in determining
disciplinary measures (including dismissal).
Agencies should indicate in their policies that employees have a right of
appeal in relation to an agency undertaking disciplinary action. Agencies
should also ensure that all cases of misuse are managed with industrial and
procedural fairness.
Possible penalties arising from disciplinary action, in addition to those set out in section 88(3) of the Public Service Act 1996, may include:
- revocation of authorised access to ICT facilities and devices; and/or
- revoking of use for a period of time.
Agencies should ensure that incident reporting policies and processes include
an escalation process for unlawful or criminal misuse of agency ICT facilities
and devices. These processes should generally reflect the same processes as
outlined in security incident reporting. The decision to involve law
enforcement agencies or the Crime and Misconduct Commission should be determined
by the CEO (or delegate). Agency policies should clearly identify the process
to be undertaken to deal with unlawful or criminal use of ICT facilities and
devices and that the appropriate authorities may need to be involved.
Reporting requirements
Cabinet decided on 10 April 2007 that agencies will report significant breaches of the
Policy and Principles Statement to the Office of the Public Service Commissioner and an
annual report will be prepared to the Premier.
Agencies are required to report on employees who have been disciplined or dismissed as a
result of accessing pornography and/or offensive material, including advice on what
disciplinary action was taken.
Reporting is to commence from 1 September 2007, with agency reports to be provided to the
Office of the Public Service Commissioner within 30 days of the end of each financial year.
A copy of the form that agencies can use as the basis for report is located in the ICT
Facilities and Devices (IS38) Toolbox. Agencies can submit this form via donna.andrews@qld.gov.au.
Related information standards
Principle 2 – Agency policy
Agencies must develop, implement and communicate clear and unambiguous policies and guidelines addressing the use and monitoring of ICT facilities and devices within the agency. At a minimum, agencies must ensure that these policies and guidelines:
- are consistent with the requirements of the Cabinet endorsed Use of the Internet and Electronic Mail Policy and Principles Statement (PDF, 158kb), the agency’s approved code of conduct and all other relevant legislative or statutory obligations under which the agency operates;
- are reviewed on an ongoing basis, are readily accessible and regularly communicated to all employees;
- define which employees within the agency are authorised to use ICT facilities and devices, and the conditions and constraints relating to their use in terms of agency security, privacy, copyright, confidentiality and delegation policies;
- define what is considered authorised and unauthorised use and provide clear definitions, comprehensive examples and permitted levels of such use;
- define the range of disciplinary procedures and penalties which may be applied as a consequence of unauthorised use of internet and email, including that the penalty in the case of an employee being found to have intentionally accessed, downloaded, stored or distributed pornography using Government-owned ICT facilities and devices is, subject to industrial and procedural fairness, termination of employment;
- define what ICT facilities and devices will be monitored and the conditions under which this monitoring will take place;
- expressly state the kinds of personal information the agency will record in the course of intercepting incoming emails and the purposes for which the information will be used; and
- define who has access to intercepted emails, monitoring reports and the delegation chain of authority and actions for dealing with reports or information collected or generated from this activity.
Agency policies and guidelines
Agencies should develop clear policies and
practices for internal agency email use, internet email use, internet use and
the use of other various ICT facilities and devices. These should be based on
the risks associated with the particular device and/or facility and the
circumstances of use e.g. use of mobile phones (especially those capable of
taking photos), wireless devices, laptop computers, PDAs, portable storage
devices, private computers connected to agency networks etc.
An example template and associated reference sheet on developing a "Use of ICT
Facilities and Devices Policy" is located in the
ICT Facilities and Devices (IS38) Toolbox.
To ensure clarity of these policies and practices agencies should also consider
inclusion of what resources can be used for private purposes and the
limitations on the use of these devices in other agency policies and
documentation such as terms of employment and/or information and systems access
forms.
Communication
Communicating policies and guidelines to
employees is critical to the successful implementation and operation of this
Standard and the management of ICT facilities and devices across Government.
Agencies need to determine when, how often and by what means this communication
will occur.
The processes for regularly communicating all relevant policies and guidelines
may take the form of notifying staff via email, newsletter distributed to all
employees, briefing sessions, network log-on notices or on-line or face-to-face
training.
Authorised and unauthorised use
When defining what is authorised and
unauthorised use, agencies need to carefully consider the core business of
their agency and the roles and responsibilities of their employees. It is
recommended that agencies use the headings "authorised use" and "unauthorised
use" in their policies and guidelines in order to decrease associated legal
risks. Agencies need to ensure that use of agency ICT facilities and devices is
closely linked to business but strikes a balance between official and limited
personal use.
Agencies should ensure that practices are in place to ensure that employees are
competent in the use of ICT facilities and devices. Access to these should be
consistent with agency security requirements and practices.
For further information refer to the "Examples of Authorised and Unauthorised
Use" Reference Sheet located in the ICT
Facilities and Devices (IS38) Toolbox.
Limited personal use
In line with the Cabinet endorsed Use of the Internet and Electronic Mail Policy and Principles Statement (PDF, 158kb), agency CEOs should determine the level and nature of personal use.
Limited personal use is generally expected to take place during the employee's
non-work time, incurs minimal additional expense to the Government, is
infrequent and brief, does not interfere with the operation of the Government
and does not violate any State/agency policy or related State/Federal
legislation and regulation.
When defining what constitutes limited personal use of ICT facilities and
devices, agencies should ensure that employees and regulatory bodies would
perceive any restrictions to be sufficiently justifiable. Agencies should
ensure that where limited personal use is permitted (for example internet
banking) that employees are aware that the Government accepts no liability for
any loss or damages suffered by the employee as a result of this personal use.
To ensure clarity of the agency policy on personal use, the agency should also
clearly define the parameters of use and agency protocols for internal email
and external email (for example the classification of information which can be
circulated through internal email will vary considerably from the information
that can be circulated through internet mail). Agencies should ensure that
employees are aware of the agency security policies in relation to information
classification schemes.
For further information refer to the "Examples of Authorised and Unauthorised
Use" Reference Sheet located in the ICT
Facilities and Devices (IS38) Toolbox.
Monitoring policies
Agencies must ensure that their processes regarding the monitoring of ICT facilities and devices are clearly stated in the agency policy. The extent of monitoring should be commensurate with the risk involved. When developing monitoring policies and procedures, agencies should ensure they:
- indicate that the use of ICT facilities and devices will be monitored to identify any breaches of the agency policy;
- clearly identify who will be conducting this monitoring;
- indicate what action will be taken if unauthorised activity is detected and that the agency may in these circumstances also check the history of use of ICT facilities and devices by the employee;
- detail monitoring practices, which may include logs indicating internet sites employees have visited or billing charges for telephone services; and
- indicate which groups of employees are authorised to analyse logs that show use of ICT facilities and devices by employees or content of employees' electronic files or email, and to whom such authorised employees may disclose this confidential information about employees and for what purposes.
As legislation takes precedence over the administratively based Information
Standards, agencies will need to ascertain those laws which specifically relate
to their activities in disclosing and using private and personal information.
To ensure the privacy of information sent to the agency by a source outside of government, the agency must ensure that it has clear policies and practices for dealing with information and reports generated from the interception of such emails. The agency needs to ensure that it expressly states:
- the kinds of personal information it records in the course of intercepting incoming emails and the purposes for which the information will be used;
- who has access to intercepted emails and email monitoring reports;
- what the process for recording or dealing with personal information collected from this activity will be; and
- what the delegation chain of authority and actions for dealing with reports or information collected will be.
Agencies should also consider reviewing their agency privacy statement in light
of these amendments. This issue will be addressed further when Privacy (IS42)
is reviewed.
For further information refer to the "Email Monitoring" Reference Sheet located in the ICT Facilities and Devices (IS38) Toolbox.
Unsolicited material
As outlined in the Cabinet endorsed Use of the Internet and Electronic Mail Policy and Principles Statement (PDF, 158kb), agencies should include in their policies that employees receiving
inappropriate material from the internet or through an email should delete such
material from agency systems immediately and notify their supervisor/manager of
their actions.
Such an action should not constitute unauthorised use. However, storage or
dissemination of inappropriate or unacceptable material by whatever means
constitutes unauthorised use. Deleting unsolicited emails not relating to the
business of the agency does not constitute unauthorised disposal under the
Public Records Act 2002.
Incident management
When defining processes for the management of any misuse of ICT facilities and devices, agencies should consider addressing the following issues:
- the process if employees discover unauthorised, unlawful or criminal use of ICT facilities and devices, informing them as to whom they can report such use;
- the process for employees to report unintentional access or unsolicited emails that contain inappropriate material to managers or supervisors;
- the process for dealing with incidents where employees receive inappropriate emails;
- specifying the roles, responsibilities and procedures of staff and management for investigating misuse, for example, who monitors, how often, who decides what is appropriate or not, what needs to be escalated and who escalates it; and
- identifying the authority for commencing any disciplinary process and the delegation chain of authority to be followed.
An example process for the "Receipt of Inappropriate Emails" is located in the ICT Facilities and Devices (IS38) Toolbox. Agencies should also refer to Security (IS18) when implementing and documenting incident management processes to ensure alignment with existing agency security policy.
Authorised investigations
Agencies should ensure that the agency
delegation and authorisation policies and procedures clearly address the
authorisation of employees, who in the course of their duties, are required by
the agency, to access, download or store pornography for investigation
purposes.
The roles and responsibilities for investigating misuse will vary across
agencies; ideally these responsibilities should be delegated to senior staff.
In addressing this issue agencies should consider implementing written
agreements and/or clear role descriptions for employees involved in these
activities to clearly detail the circumstances and processes under which
investigations are to be conducted.
Agencies should also refer to the "Email Monitoring" Reference Sheet located in the ICT Facilities and Devices (IS38) Toolbox when developing processes for monitoring of employee email to ensure compliance with relevant legislative obligations.
Related information standards
Principle 3 – Agency responsibilities to employees
Agencies must provide appropriate training to ensure that all employees are made aware of their responsibilities and obligations when using ICT facilities and devices. At a minimum, agencies must ensure that employees are:
- aware of, understand, acknowledge, and have access to the relevant agency policies on use of ICT facilities and devices including internet and email, and their responsibilities as outlined in the Cabinet endorsed Use of the Internet and Electronic Mail Policy and Principles Statement (PDF, 158kb);
- aware of, and acknowledge, what is authorised and unauthorised use of ICT facilities and devices;
- informed that systems and processes will be used to monitor, audit and report on employee use and/or access;
- aware that penalties may be imposed following disciplinary actions arising from a breach of these policies; and
- aware that, when receiving unsolicited inappropriate material from the internet or through email, they delete such material from agency systems immediately. Action to delete this material would not constitute unauthorised use.
Employee training and awareness programs
Agencies need to ensure all employees are informed of the agency's policies, guidelines and practices, including the Cabinet endorsed Use of the Internet and Electronic Mail Policy and Principles Statement (PDF, 158kb), on an ongoing basis. This may be through employee induction processes and ongoing training.
Agencies should define the processes they will use to ensure that all employees
are aware of and acknowledge their responsibilities when using ICT facilities
and devices. Issues that need to be considered include, the mechanisms that
will be used to ensure access to policies by all employees including when, how
often and by what means these policies will be communicated.
Agencies should ensure that training, education and communication of authorised usage policies are carried out on a regular basis. Methods for this training and awareness could include:
- Code of Conduct, Acceptable Usage Policy updates and security "refresher" training or briefing sessions;
- notification of staff via email; and
- newsletters distributed to all employees, briefing sessions on employee responsibilities.
Agencies should maintain a register of when employees undertook training for
recordkeeping and evidentiary collection purposes. For example an agency may
require employees to sign a form which states that they have undertaken
training, have read and understood the agency's policy and that their internet
and email use will be monitored.
Employee acknowledgement
To ensure employees have an understanding
of, and acknowledge their obligations and responsibilities when using ICT
facilities and devices, agencies may wish to consider the implementation of
formal employee acknowledgement/agreements through written agreements.
To highlight the agency policy on the use of ICT facilities and devices, agencies should consider including what resources (i.e. mobile phones, laptop computers, etc.) can be used for private purposes and the limitations on the use of these devices in other agency policies and documentation such as terms of employment and/or information and systems access forms.
An example "Employee Agreement on use of Internet and Email" template is
located in the ICT Facilities and Devices
(IS38) Toolbox.
Unintentional access and unsolicited emails
All cases of misuse should be considered on a case-by-case basis and the agency should ensure that procedural fairness is applied in all cases. When investigating instances of unauthorised Internet and email use, and whether such use was intentional or unintentional, agencies may wish to consider the following factors:
- Did the employee delete the material from agency systems?
- Did the employee report the incident to their manager or supervisor?
- Did the employee advise the sender by email not to send further inappropriate emails, or report the receipt of the inappropriate email/s to the departmental IT unit?
- How much time did the employee spend on the site?
- What is the employee's history of accessing inappropriate sites?
Agency policies should also ensure that processes are in place and communicated to employees regarding the process for employees to report unintentional access or unsolicited emails that contain inappropriate material to managers or supervisors.
Other relevant information
In addition to specific agency policies and procedures on the use of ICT facilities and devices, agencies should also ensure that they inform employees where they can freely access all other relevant information including:
- workplace health and safety and appropriate use of ICT facilities and devices. For example this may include information on how to use adjustable workstations or 'in car' mobile phone headsets;
- the penalties which apply to unlawful and criminal use of ICT facilities and devices;
- the consequences of sending large attachments with emails, forwarding of chain letters or mass mailing of unsolicited junk mail (spam), or the downloading of data or programs that may strain system resources;
- the potential for downloading viruses, worms, Trojan horses and spyware through email, files and attachments; and
- obligations on capturing and creating records including emails, instant messages etc. under the Public Records Act 2002.
Last updated 10 March 2008