Communications and acceptable use of equipment policy

Statement of policy and purpose of policy

  1. Stamford International University (the “Employer”) provides staff with access to a range of communications and information technology equipment and systems (Resources) both as a shared resource in the workplace and also through individual allocation of items for use inside or outside the workplace. It is our aim and responsibility to:
    1. provide you with all the Resources necessary for the proper performance of your duties, in a reasonable and economical manner;
    2. ensure the security of Resources against unauthorised access or abuse whilst ensuring their accessibility to authorised and legitimate users.
  2. The purpose of this document is to explain to staff the standards we require them to observe in using our Resources and the consequences of not adhering to these as well as to explain our policy in respect of monitoring use of our Resources.
  3. This is a statement of policy only and does not form part of your contract of employment. We may amend this policy at any time, in our absolute discretion.

Who and what does this policy cover?

  1. This policy and the rules contained in it apply to:
    1. All staff of the Employer, irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants, and contractors, casual or agency staff, trainees, homeworkers and fixed-term staff and any volunteers (hereinafter referred to as “Staff”); and
    2. All use of our Resources including but not limited to use (and misuse) of computer servers and other hardware or equipment, desktop or portable computers, laptops and mobile telephones, smart phones, tablets networks and systems, software, applications, subscriptions to databases and electronic resources, fax machines, scanners, printers, memory or storage devices, USB devices, copiers, CCTV, and electronic keys, passes and cards,  email, the internet and any data sent from, received by, or stored on our computer or communications equipment or systems.
  2. The University executive body of the Employer has overall responsibility for this policy and has appointed the IT Director as the person with day-to-day responsibility for the Employer’s Resources.
  3. All Staff have personal responsibility to use our Resources in a professional, ethical, and lawful way and ensure compliance with this policy. You are expected to protect our Resources from unauthorised use or access at all times. Managers have special responsibility for leading by example and monitoring and enforcing compliance.
  4. Any breach of this policy will be taken seriously and may result in disciplinary action. All disciplinary actions taken or to be taken on the breach shall be without prejudice to any other rights and remedies of Stamford International University under this policy or the law.

Personal use of Resources

  1. Our Resources are provided to support Staff in the proper performance of their duties.  We allow Staff to make occasional and incidental personal use of Resources, so long as all use complies with this policy and does not interfere with the proper performance of work duties or business use of the Resources. Personal use of Resources must not consume more than a trivial amount of Resources or commit us to any marginal cost. It must take place substantially out of normal working hours or during lunch hours. You should be aware that use of the Resources is monitored by the Employer and so you should have no expectation of privacy as regards any personal or business use of the Resources. 
  2. Personal use of our Resources is a discretionary privilege that we offer and which we may withdraw at any time, either in general or for particular members of Staff. Staff who do not comply with our guidelines for personal use of Resources or who otherwise abuse the privilege may have their right to personal use or to access to certain telephone numbers or internet sites withdrawn and/or disciplinary action may be taken.

Guidelines for PC and Laptop Use

  1. Each Staff has responsibility for the appropriate use and day-to-day care of their office computer workstation and any computer equipment provided for use on or off our premises.
  2. You may not connect personal equipment or peripherals, for example, flash memory cards and sticks, mp3 players or digital cameras, to our Resources unless this has been authorized in advance by the IT Director.
  3. You will log on your computer using an individual username and password. You must not log on to any computer using someone else’s name and password or otherwise use our Resources in a way that would lead us to believe that your activities are somebody else’s, unless this has been approved in advance by the IT Director even if you have the consent of the individual concerned.
  4. Do not leave your computer accessible to others when you are not at your computer. Lock your screen or logout whenever you are away from your computer for more than a few minutes.

Using Resources outside work

  1. If you are given authorization to use any Resources away from our premises, including at home, (Remote Resources) then you must take appropriate care of the any equipment provided to use, ensure it is well-maintained and used in accordance with our rules, including this policy and with specific instructions given to you by the IT Director. We may inspect Remote Resources without prior notice and, if asked, you must immediately return any equipment to us for inspection or maintenance.
  2. Remote Resources provided to you are your responsibility. You must take reasonable steps to ensure the security of any equipment provided to you for use outside the workplace. If you are transporting equipment by car, it should be locked and left out of sight when the vehicle is unattended (e.g. in the boot of a car).
  3. We provide equipment and other Resources for use outside the workplace in our absolute discretion and may withdraw this entitlement at any time. You must immediately return any Resources to us if we ask you to and, in any case, when your employment ends.

Email guidelines

  1. Email is an efficient and cost-effective means of communication, and we encourage its appropriate use for business related purposes. However, inappropriate, or negligent use of email carries significant risks.
  2. Your communications by email, like all other modes of communication, must not breach our disciplinary or workplace rules or any other policy and procedure, or laws, and must not cause us to be in breach of obligations we owe to others. See the Misuse of Resources section of this policy, below, for further information.
  3. Confidentiality is a particular concern when using email. You must be careful in addressing messages to make sure that communications are not inadvertently sent to unintended recipients. In addition, although we take steps to protect data security, you should be aware that the confidentiality of data (including email messages) sent via the internet cannot be assured. You should only send price sensitive or commercially sensitive information belonging to or relating to us with the prior authority of the IT Director unless the emails and any attachments are password protected or encrypted in line with our guidelines.
  4. Delivery of email cannot be guaranteed. If your email is urgent or important, check that it has arrived safely with the intended recipient.
  5. In general, you should not:
    1. distribute chain mail, junk mail, jokes or gossip, trivial or unnecessary messages; or.
    2. agree to terms, enter into contractual commitments, or make representations by email unless you are authorised to do so.
  6. If you are sent an email in error, you should delete it and notify the sender. You should not disclose or use any confidential information it contains.
  7. Bear in mind that viruses may lurk in attachments or links sent by email. While we take measures to protect against viruses, do not open emails or attachments or click on links unless they are from a source that you know and trust. If you see any virus alert or notification on your computer, contact the IT Director immediately.
  8. In using email, you should observe the standards for communication that we expect for other forms of writing, including as to style, content and choice of language.
  9. Always consider whether there is a more suitable method of communication, for example, where there is a need to preserve confidentiality or in the case of sensitive issues which should be communicated face to face.
  10. Do not use your work email address to register or sign up for online services or otherwise to communicate with any provider of goods or services, since this is likely to increase the amount of spam email that we receive as a business.
  11. You must comply with any guidelines that we issue concerning filing, archiving and deletion of emails.
  12. If you are out of the office on a working day you must create an automated “out of office” message to alert correspondents to your absence and the arrangements for dealing with any urgent queries.

Guidelines for Internet Use

  1. When using the internet, remember that each website that you visit has the ability to detect information about you, including our identity as an organization and, potentially, your identity and who you are, and whom you represent. The information that you input on a website may be accessed by third parties, anywhere in the world. Accordingly, judgement and discretion should be used in determining the websites that you choose to access and your activities on that site.
  2. You must read and comply with the terms and conditions of any website that you access using our Resources.
  3. You must not:
    1. disable, alter settings on or interfere in any way with any measures implemented by us to ensure the security of Resources and/or avoid computer viruses in connection with internet use, including our firewall arrangements;
    2. visit any gambling, gaming, adult, or other inappropriate website, including any website that is offensive, insulting, discriminatory or obscene or is likely to damage your reputation or our reputation;
    3. use illegal file sharing websites;
    4. download any program, data, game, or other material from the internet except with the prior approval of the IT Director, because of the prevalence of viruses on the internet.

Guidelines for Software Use

  1. Most of the software and applications we use are licensed from third parties and our use is subject to terms and conditions. You must always comply with the terms of any software license we hold. You must not copy, download, or install any software or application except with the prior approval of the IT Director.
  2. If any computer, phone, smart device, tablet or other hardware we have provided to you prompts you to update or renew any software or application licensed to us, then you must do so promptly, unless we have told you not to.
  3. Only software or applications provided or authorized by the IT Director may be installed on our Resources including but not limited to on your desk computer or laptop and any Remote Resources. You may not install other computer games, internet files, software, applications, or other programmes on our Resources.

Monitoring of use of our Resources

  1. We may monitor and intercept your use of our Resources, including your internet use and communications sent to you or received by you, by phone, email (including associated files or attachments), fax or any other means, involving our Resources for a number of relevant business reasons, including but not limited to:
    1. ensuring compliance with the terms of this policy;
    2. training and monitoring standards of service;
    3. ensuring compliance with regulatory practices or procedures imposed or recommended by any regulatory body relevant to our business;
    4. ascertaining whether internal or external communications are relevant to our business;
    5. preventing, investigating, or detecting unauthorised use of our IT systems or criminal activities;
    6. maintaining the effective operation of our Resources – in particular, all emails received by the Employer are automatically scanned for viruses;
    7. establishing the existence of facts.
  2. Where it becomes apparent in the course of monitoring emails or other communications that a particular message is obviously private, we will take reasonable steps to respect your privacy in respect of that message. However, it may not be possible to determine whether that communication is personal or business-related until it is already open and read. You should therefore not have any expectation of privacy as to your use of our Resources, including communications sent to you or received by you, by phone, email (including associated files or attachments), fax or any other. If you wish to maintain the privacy of your communications, you should not use our Resources for personal use.
  3. Certain authorised employees involved in administering our Resources may necessarily have access to the contents of email messages in the course of their duties. Any knowledge thus obtained should not be communicated to others, unless necessary for legitimate business reasons.
  4. We may also take any action in administering email or other communications that is reasonably necessary to preserve the integrity or functionality of our Resources including as part of a firewall or spam or virus protection arrangements. This could include the deletion or non-transmission of any emails or communications (including any personal communications).
  5. You should note that a CCTV system monitors 24 hours a day and this data is recorded. Further details on CCTV usage and recording can be sought in our CCTV Policy.

Data Protection

  1. Monitoring of our Resources use will be conducted in accordance with an impact assessment that we have carried out to ensure that monitoring is necessary and proportionate. Monitoring our Resources is in our legitimate interests and ensures this policy is being complied with. For the purposes of the law on data protection, the Employer is a data controller of the personal information in connection with your employment. This means that we determine the purposes for which, and the manner in which, your personal information is processed. The person responsible for data protection compliance is our Data Protection Officer.
  2. Monitoring will normally be carried out by our IT Security team.
  3. Information obtained through monitoring may be shared internally, including with members of the HR team, your line manager, managers in the business area in which you work and IT staff, if access to the information is necessary for performance of their roles. Information is only shared internally if we have reasonable grounds to believe that there has been a breach of this policy. We will not share information gathered from monitoring with third parties, unless we have a duty to report matters to a regulatory authority or law enforcement agency. Personal information gathered through monitoring will not be transferred outside of the Kingdom of Thailand.
  4. You have a number of rights in relation to your personal information, including the right to make a subject access request and the right to have your information rectified or erased in some circumstances. You can find out more about these rights and how to access them in our Data Protection and Data Security Policy, which you can find here: [Link to data protection and data security policy][PS1] . If you believe that we have not complied with your data protection rights, you can complain to the Personal Data Protection Committee (PDPC).

Password policy

  1. Appropriate passwords are vital to maintaining the security of our Resources.
  2. In general, to access certain Resources such as computers, mobile phones or other devices or certain information sources or accounts, it will be necessary to enter a password or personal identification code. Passwords should be kept private and are the direct responsibility of the person to whom the account or device is allocated. Where access to any device or equipment that we provide to you can be secured by a password or code, you must use that facility.

Password standards

  1. Passwords used on our Resources should adhere to the following standards, where permitted by the device or account in question:
    1. they must contain at least 8 characters in total and at least one of each of the following:
      1. uppercase character
      2. lowercase character
      3. symbol
      4. numeric character
    2. they should not be a dictionary word in any language, slang, dialect, jargon, etc.
    3. they should not be based on readily available information about you like your date of birth, spouse’s or child’s name, telephone numbers or address.
    4. they should not be the same as or contain your name or username.
    5. you must not use the same password on our Resources as you do for your personal accounts or devices.
    6. they must differ materially from previous passwords.

Password security

  1. You are personally responsible for maintaining the security of your passwords used on our Resources. You must not disclose your password to anyone else, inside or outside the Employer, except as directed by the IT Director. You may not keep a written record of your passwords anywhere on our premises or any device unless it has been encrypted.
  2. You must not attempt to access any restricted area of our Resources or to guess or determine the password of any other user.
  3. You must change your main computer log in password when prompted to do so either automatically or by the IT Director or, if sooner, every 90 days.
  4. If you become aware or suspect that your password has become known to another person then you must immediately change it and notify the IT Director of the situation.
  5. On termination of your employment, however arising, or if requested to do so by the IT Director, you must provide details of all passwords used on our Resources to the IT Director.

Misuse of Resources

  1. The same principles apply to your use of Resources for communication including through email, telephone and the internet as apply to any means of communication, and you must not use these for any purpose or in any way which could be subject to disciplinary or legal action in any other context. In particular, you must not use our Resources in any way that:
    1. breaches obligations of confidentiality which you owe to us or to any third party or which causes us to breach duties of confidence which we owe to any third party.
    2. breaches the rights of any other Staff member to privacy, data protection and confidentiality or which amounts to bullying or harassment;
    3. is offensive, insulting, immoral, discriminatory, obscene, pornographic or sexually explicit;
    4. poses a threat to our confidential information and intellectual property;
    5. infringes the intellectual property rights of any other person or entity;
    6. defames or disparages us or our associated companies or to any party with whom we have a business relationship, such as suppliers or customers;
    7. breaches or causes us to breach any law or the rules or guidelines of any regulatory authority relevant to our business;
    8. breaches data protection rules;
    9. breaches our rules, policies, or procedures for the use of our IT Systems or other equipment or resources;
    10. is dishonest, improper, unethical, or deceptive (e.g., pretending to be someone or attempting to access another employee’s computer, computer account, email, files, or other data);
    11. is likely to damage your reputation or our reputation;
    12. wastes Resources or use them excessively or to the exclusion of others;
    13. interferes with the work of others or our computer, technology, or communications systems.
  2. Further, you must not:
    1. delete, destroy, or attempt to modify our Resources or any information contained on them except in line with this policy or instructions given to you by the IT Director;
    2. use our resources to conduct any business other than our business.
  3. You should also note that the following activities are criminal offences:
    1. unauthorised access to computer material (hacking); and
    2. unauthorised modification of computer material.

Other relevant policies

  1. Staff are referred to the Staff Handbook for other policies and procedures which may be relevant to the issues covered in this policy.