Access and Accounts Procedures

[See Policy Framework and Policy Development and Review Guidelines for further information about policy development.]

Overview

These Procedures are made under the IT Acceptable Use and Security Policy to further the aims of that Policy by:

a) Governing the provision and maintenance of accounts giving access to University IT facilities;

b) Ensuring that the University provides its staff, titleholders, students and visitors with secure and timely access to the online services and resources necessary for undertaking their work and study; and

c) Providing mechanisms for the modification of access or disabling of accounts when relationships with the University change or end.

For the purpose of these procedures, the term visitors includes all people who are not staff, but who perform some service for the University. Examples of visitors include visiting academics, contractors and volunteers.

Procedures

1. Creation of staff, titleholder and visitor accounts

Responsibility: Head of School or Branch Head

a) Staff and titleholder accounts are created once their appointment is processed through the Human Resources system.

b) Casual staff accounts are created when their first payment is processed through the Human Resources system.

c) For casual staff to be granted access from the commencement of their employment, or for contract or continuing staff who require their account to be created in advance of the commencement of their employment, a Visitor Access to IT Services form must be completed and authorised by the Head of School or Branch Head where the staff member will be working.

d) For visitors to be granted access to IT facilities, the Visitor Access to IT Services form must be completed and authorised by the Head of School or Branch Head where the visitor will be working. The application must specify an end date.

2. Activation of Accounts

Responsibility: All staff, titleholder and visitor account holders

Staff, titleholders and visitors must attend Card Services with photographic identification to set their password. Visitors must sign a declaration when they set their password agreeing to abide by this Policy and its associated procedures.

3. Access to IT facilities

a) If a staff member, visitor or titleholder requires a level of access different to that usually given to people in their relevant area, their Head of School or Branch Head must give written approval of the level of access required and submit that approval to Information Technology Services (ITS).

b) Any IT account holder who is given designate access to another IT account holder's email, online calendar or other online service, must comply with this Policy and its associated Procedures while acting as the designate.

4. Creation of student accounts

a) Student accounts are created at the time the student is entered into the University system for the purpose of offering the student a place at the University.

b) When students accept an offer to study at the University, their student number and password are sent to them with their enrolment instructions.

c) If students do not accept an offer to study at the University, or fail to enrol, their details are routinely deleted from the system by Student Services and their IT accounts will be deleted when that occurs.

5. Generic accounts

a) Generic accounts are manually created by ITS from time to time to meet the University's operational needs. Authorisation for generic accounts must be given by the Head of School or Branch Head and submitted to ITS using the Generic Accounts Form.

b) Generic accounts must have one person nominated as responsible for that account.

c) Generic accounts are manually deleted by ITS when the account expires, or at the request of the person responsible for the account.

6. Password requirements

Responsibility: All account holders

a) Passwords must be between 7 and 50 characters, and must contain at least one number (0-9), at least one non-alphanumeric character ! ( ~ ` @ # $ % ^ & * ( ) _ + - = { [ } ] | \ : ; " ' < > , . ? /), and must not be identical to the last 20 passwords used.

b) Passwords must be changed at least once per year. Accounts with passwords that are more than one year old may be disabled. Account holders whose accounts are to be disabled for this reason will be notified in advance and given the opportunity to change their password before the disable date.

7. Resetting passwords

Responsibility: General Manager, Student Services

Account holders who forget their password, or who have their account disabled due to their password being more than one year old, can have their password reset by the Student Centre. The General Manager, Student Services, is responsible for the process of resetting passwords for both student and non-student accounts.

8. Modification of visitor access when their relationship with the University changes

Responsibility: Branch Head or Head of School

a) The relevant Branch Head or Head of School must notify ITS when visitors who are IT account holders ceases their relationship with the University prior to the original contract end date.

b) If visitors' relationship with the University changes but does not end, the relevant Branch Head or Head of School must ensure that ITS is advised of this change.

c) The access of such visitors to online services and IT facilities will be modified to reflect any changes in their relationship with the University.

9. Modification of staff access when their relationship with the University changes

Responsibility: Branch Head or Head of School; Director, Human Resources

a) The relevant Branch Head or Head of School must notify Human Resources of any change in the relationship of their staff with the University that might affect their entitlement to IT facilities.

b) If staff members' relationship with the University changes but does not end, the Director, Human Resources must ensure that the appropriate changes are made in the Human Resources system to reflect the modified duties and/or work area within the University.

c) The access of such staff member to online services and IT facilities will be modified to reflect any changes in their relationship with the University.

10. Disabling and deletion of accounts

10.1 Notification of end of relationship with the University

Responsibility: General Manager, Student Services; Director, Human Resources; Branch Heads or Heads of School

a) Where students' relationship with the University ends (e.g. per completion of program, discontinuance, lapse, withdrawal or expulsion), the General Manager, Student Services must ensure that the appropriate changes are made in the Student Administration system to reflect their end date.

b) If a staff members' relationship with the University ends (e.g. per retirement, resignation, termination or end of contract), the Director, Human Resources must ensure that the appropriate changes are made in the Human Resources system to reflect their end date.

c) The relevant Branch Head or Head of School must notify Human Resources when they become aware that a staff member's or titleholder's relationship with the University will be ending, or has ended, prior to their expected end date.

d) The relevant Branch Head or Head of School must notify ITS when a visitor's relationship with the University ends before the specified end date.

10.2 Automatic disabling and deletion when relationship with University ends

Responsibility: Director Infrastructure (Property and Technology)

Upon modification of the Human Resources or Student Administration system, the Director Infrastructure (Property and Technology) will ensure that the accounts are disabled in accordance with this Procedure.

a) Notification of pending action - Account holders whose accounts are scheduled to be disabled will be sent an email up to 30 days before the disable date Account holders who will continue to have a relationship with the University after this date will be advised in that email of the process they must follow to retain their accounts and access. No notification will be sent for deceased account holders.

b) Disabling of accounts - Accounts will be disabled according to the following timelines:

Relationship	Date at which access disabled
Staff members - continuing	Date of resignation/retirement etc.
Staff members - contract	Date of end of contract
Staff members - casual	On termination of casual contract as indicated in the HR system
Titleholders	At end date
Visitors	At end date
Students - completed	365 days after completion
Students - discontinued	14 days after date of discontinuation
Students - expulsion	On the date expulsion becomes final
Students - withdrawal	14 days after date of withdrawal
Students - lapsed	92 days after date of lapse
Deceased student, staff, title holder or visitor	On the day their deceased status is recorded in the Human Resources or Student Administration system

c) Deletion of accounts - Accounts will be deleted 30 days after the account is disabled. Heads of School and Branch Heads can request a 30 day extension of the deletion date by contacting Human Resources or the Student Centre. When an account is deleted, the associated email address will be available to be reassigned to another person with the same name.

11. Records Management

Responsibility: All non-student IT account holders and their Supervisors

a) Files and email messages created by non-student account holders in the course of their University duties are the property of the University and subject to its control, and they may be official records covered by the State Records Act 1997 and the Freedom of Information Act 1991. Electronic documents are subject to the same requirements as hardcopy records and must be captured in accordance with the University's Record Management Policy.

b) Non-student account holders whose relationship with the University is coming to an end must ensure that all relevant files and email messages are transferred to the University's record management system, or disposed of in accordance with the approved Records Disposal Schedules, before their IT account is disabled. Further advice can be obtained from Corporate Information.

c) Where such non-student account holders are unable to ensure that the procedure in paragraph b) above is complied with before they leave the University (for instance, due to illness or death), the relevant supervisor of that account holder may request that the Director, Infrastructure (Property and Technology) authorise another University account holder to view and deal with the records associated with the account before it is disabled.

12. Special Requirements for people working in ITS

Responsibility: People employed by ITS

a) People working in ITS who are enrolled in University courses or programs will not usually be granted access to IT facilities where that access enables them to change their or others' academic results.

b) People working in ITS must not use the access granted to them to:

i. change the academic results of any current or former student of the University of Adelaide, unless they have written permission from the relevant course co-ordinator or Head of School;

ii. create, modify or delete course material for any course in which they are enrolled, unless they have written permission from the staff member, lecturer, tutor, teacher or instructor who prepared the material, or from the course co-ordinator or relevant Head of School;

iii. view course material for any course, before that material is made available for viewing by students enrolled in the course, unless they have written permission from the staff member, lecturer, tutor, teacher or instructor who prepared the material, or from the course co-ordinator or relevant Head of School;

iv. take any action that would result in them or any other person gaining an academic advantage over other students, or

v. perform any other action that is inappropriate for or unauthorised by their position or duties.

Definitions

[Include most definitions in the separate Glossary of Terms on the Policy and Procedures website. This section is only for definitions with highly specialised meanings that do not apply to any other University policy. Hyperlink the relevant words in the policy to these definitions. Hyperlink words included in the Glossary of Terms to the Glossary.]

Please use the following URL instead of linking to individual documents:
http://www.adelaide.edu.au/policies/2783