Information and Communication Technology Resources

DGD13-042
Standard Operating Procedure
Information and Communication Technology Resources:
Acceptable Use
Purpose
ACT Health aims to ensure Information and Communication Technology (ICT) resources are
accessed and utilised in an appropriate and effective manner to support both clinical and
administrative functions.
This Standard Operating Procedure (SOP) should be read in conjunction with the Whole of
Government (WhoG) Acceptable use of Information and Communications Technology (ICT)
Resources Policy, managed by Shared Services ICT.
Scope
This SOP applies to all ACT Health employees, visiting health professionals, contractors,
students, volunteers and others who use and access ACT Health ICT Resources. In this
document ICT Resources refers to the resources utilised throughout ACT Health to
communicate, create, distribute, store, and manage information.
Examples of ICT Resources include:
• Health owned devices i.e. computers, laptops, iPads, Toughbooks, mobile devices etc.
• Files, folders, software and applications
• All related drives i.e. C, G, H, P, Q, S, W
• ACT Government Email and Internet usage
• Removable storage devices i.e. USB sticks, hard disk drives, portable devices and
memory cards.
While mobile communication devices are considered an ICT resource, and as such are
covered broadly in this document, specific information for mobile device utilisation within
ACT Health is not in scope for this SOP and can be found in the ACT Health Mobile
Communication Devices: Management and Use Policy and related SOPs.
Procedure
Managers will:
1. Ensure Staff and Users are aware of their responsibilities under the WhoG Acceptable
use of Information and Communications Technology (ICT) Resources Policy.
Doc Number: DGD13-042. Issued: Aug 2013. Review Date: Aug 2016. Area Responsible: E-Health & Clinical Records Branch.
2. Ensure Staff and Users are aware of the procedures in this SOP.
3. Ensure Staff and Users know where to go for information and assistance in locating ICT
Services such as obtaining a user account, resetting passwords, accessing mailboxes and
obtaining access to shared network drives and folders such as the G: and Q: drives.
Information and online forms can be accessed on the ACT Health Intranet:
healthHUB IT and Data page > IT Portal. For further information Staff and Users should
contact their manager or the Shared Services ICT Service Desk.
4. For standard requests for access to ICT Resources, provide approval via the Identity and
Access Management (IAM) Portal accessed from the IAM Service link on the main page
of the ACT Health Intranet: healthHUB
5. Approve in writing, appropriate requests for use of ICT Resources, which are normally
prohibited under section 7 of the Whole-of-Government Acceptable use of Information
and Communications Technology (ICT) Resources Policy. An example is a requirement to
access Facebook from a workstation to update or conduct research as part of the
position’s duties.
Approvals and requests of this nature need to be forwarded to the Executive Director,
People Strategy and Services Branch in accordance with responsibilities as the Senior
Executive Responsible for Business Integrity Risk (SERBIR).
6. Notify the appropriate Executive Director of any suspected or alleged breaches involving
non-compliance with the WhoG Acceptable use of Information and Communications
Technology (ICT) Resources Policy and this standard operating procedure. Staff
responsible for such incidents should be managed in accordance with ACT Health
disciplinary procedures.
7. Be aware of their responsibilities concerning the appropriate behaviour of staff under
section 9 of the Public Sector Management Act 1994-34 and the ACT Government ACT
Health Code of Conduct.
8. Escalate significant incidents, inappropriate access of confidential patient information
and serious breaches relating to this SOP to the SERBIR. Possible outcomes for the Staff
member/User may include:
• Risk Incident Investigation
• Interview and / or Counselling
• Formal disciplinary action
• Internal Audit Review
• Termination of Employment/contract or cancellation of service provider
arrangements.
Staff and Users:
1. Will be aware that at any time ACT Health or Shared Services ICT can confiscate and
retain devices, regardless of ownership, which have been connected to the ACT
Government Network or used in the workplace, including but not limited to: USB sticks,
hard disc drives, portable devices and memory cards.
2. Will not create, send or access information that could damage the ACT Government’s
reputation, be misleading or deceptive, result in victimisation or harassment, lead to
criminal penalty or civil liability, or be reasonably found to be offensive, obscene,
threatening, abusive or defamatory.
3. Will not save software or large personal files to any network drive. These drives are
regularly monitored, particularly when disk space is at a premium. In particular, graphics,
music and video files, and ‘.exe’ files will be targeted.
4. Will be aware that the same general restrictions apply to personal C: drives as for H:
drives. In particular, they must not store on their C: drive prohibited or inappropriate
material, software or material that is subject to copyright. Note that the Directorate
may prohibit storage of any data – personal or corporate – on the H: drive.
5. Will be aware of their responsibilities in regard to inappropriate access or use of
prohibited material which is further detailed under Section 7 Prohibited Use of the
WhoG Acceptable Use of ICT Resources Policy as follows:
6. Will seek permission through their manager if they need to access legitimate sites for
their work but find them filtered, for example research that is associated with breast
cancer. The manager will notify the Senior Executive Responsible for Business Integrity
Risk (SERBIR) in writing of the decision to permit access to these sites.
7. Where installation of any application, software or ICT hardware is required, staff and
users will contact their manager in the first instance and then lodge a request with the
Shared Services ICT Helpdesk.
8. Will be wary of using email to send confidential information to other persons, either
inside or outside the ACT Government network. E-mails within the ACT Government
and to Southern NSW Local Area Health Network are encrypted by SSICT and are
therefore secure. If there is a need to transmit confidential information by email
outside of these areas, staff should consult with Shared Services ICT Security or the
Director of Clinical Records Service for advice on the best way to do this.
9. Must report to a manager any incidents, inappropriate access of confidential patient
information or any breaches relating to this SOP. The manager will advise the SERBIR, as
appropriate.
Possible outcomes for the Staff member/User may include:
• Risk Incident Investigation
• Interview and / or Counselling
• Formal disciplinary action
• Internal Audit Review
• Termination of Employment/contract or cancellation of service provider
arrangements
Any staff queries regarding access to ICT resources within ACT Health
should be discussed with their manager in the first instance.
General Information about Network and Local Drives:
1. Corporate information should be stored on Q: drive in an appropriate place with
appropriate access control. Folders with access restrictions can be requested through
the Identity and Access Management (IAM Service).
2. Corporate information stored on removable devices (such as USB sticks, hard disk
drives, portable devices and memory cards etc.) must be secured by passwords and
encryption.
3. All network drives, including personal drives (such as H: drive), are ACT Government
resources provided for official ACT Government business use.
4. Reasonable personal data, such as CVs or job applications, may be temporarily stored on
a computer’s local C: drive, noting that C: drive is neither secure nor backed up. Such
personal files should be stored on personal storage such as a USB thumb drive or a CD
and removed from C: drive as soon as practicable. Corporate (i.e. business-related) files must
not be stored on C: drive.
Evaluation
Outcome Measures
• ACT Health ICT Resources are accessed and utilised in accordance with the WhoG
Acceptable use of Information and Communications Technology (ICT) Resources Policy
and this SOP.
Method
• The Content Keeper reports on the number of documented exceptions granted to the
Whole of Government Acceptable use of Information and Communications Technology
(ICT) Resources Policy on an annual basis.
• Incidents of breaches of this policy are reported annually as part of the WhoG discipline
reporting framework.
Related Legislation, Policies and Standards
Legislation
Applicable legislation includes, but is not limited to:
Public Sector Management Act 1994
Health Records (Privacy and Access) Act 1997
Privacy Act 1988
Workplace Privacy Act 2011
Policies
Applicable policies include, but are not limited to:
ACT Health Mobile Communication Devices: Management and Use Policy
ACT Government Acceptable Use of ICT Resources Policy-136
ACT Public Service Code of Conduct 2012
ACT Public Service Code of Conduct
ACT Government Code of Ethics
ACT Password Policy WhoG 131
ACT Health Clinical Record Management Policy
ACT Health Standard Operating Procedure for the Release or Sharing of Clinical Records or
Personal Health Information
Whole of Government Mobile Devices Policy
ACT Protective Security Policy and Guidelines
ACT Government Encryption Policy
ACT Government ICT Security Policy
Definition of Terms
SERBIR
Senior Executive Responsible for Business Integrity Risk
Users
Any authorised individual that accesses or uses ACT Government ICT equipment, information
systems or applications.
Content Keeper
Designated role held by the Director Employment Service Strategy & Corporate.
References
ACT Public Service Code of Conduct 2012
http://www.cmd.act.gov.au/__data/assets/pdf_file/0017/363230/codeofcond2012.pdf
ACT Health Workplace Induction Pathway
Attachments
Appendix 1: Reference Sheet
Disclaimer: This document has been developed by ACT Health, E-Health and Clinical Records Branch specifically
for its own use. Use of this document and any reliance on the information contained therein by any third party
is at his or her own risk and ACT Health assumes no responsibility whatsoever.
Appendix 1
Reference Sheet
Identity Access Management (IAM)
Request Access to a:
• Computer/network
• Folders on Q: Drive
• Remove computer access
• Citrix access
• Outlook web access
• Create a new generic mailbox
Requests can be made directly with Identity and Access
Management located at The Canberra Hospital or TCH
Intranet homepage
healthHUB/IT Portal/IAM
Ph: 02 6244 7174 or Ext. 47174
Email: IAM.Health@act.gov.au
Shared Services ICT (SSICT)
• Software/Hardware installation
• Moving computers
• Leasing new computers
• Buying & installing new software
• Installing new ACTGOV network ports
Ph: 02 6207 5555 or ext: 75555
Email SSICT Service Desk ICT.ServiceDesk@act.gov.au
Orientation to ICT
Include ICT responsibilities in department/service/ward
orientation programs
SERBIR
Senior Executive Responsible for Business Integrity Risk
(SERBIR)
At present the SERBIR responsible for this position is:
Judi Childs
Executive Director, People Strategy and Service Branch
(02) 6205 1083
Judi.Childs@act.gov.au
Content Keeper
Designated role held by the Director Employment Service
Strategy & Corporate reporting to the Executive Director,
People Strategy and Service Branch.
The present Content Keeper is:
Sean McDonnell
Director Employment Service Strategy and Corporate
(02) 6207 7600
Sean.McDonnell@act.gov.au