TAC Electronic Communication Policy and Guidelines
Scope
These terms and conditions apply to anyone authorised by TAC to use electronic messaging systems for TAC business purposes. This includes TAC employees, contractors, service providers and any other authorised person. Throughout this document persons to whom the policy applies are covered by the term ‘users’.
Policy Terms and Conditions
TAC relies on electronic messaging systems for many of its core business operations. These systems will increase in importance as TAC continues to move to an e-business mode of operation, and as more TAC stakeholders adopt electronic messaging to deal with TAC.
TAC strives to maintain the highest standards of security and professionalism in its communications with all stakeholders. This document sets out the requirements of these standards for users of modern messaging technology.
This policy is designed to meet TAC's statutory obligations for the confidentiality of information and to protect TAC, its employees, claimants and other stakeholders, from potential risks caused by security breaches or other misuse of the internet and TAC's electronic messaging systems.
This policy is also designed to ensure that all electronic communications carried on for TAC's business purposes are conducted in a professional manner, in a way that would not bring disrepute to TAC should a message become known to a third party.
The purpose of this document is to ensure all users of electronic messaging systems have a clear understanding of the TAC's requirements and their own obligations.
Authorised users of the TAC electronic messaging systems are required to sign the Acknowledgement of TAC Electronic Communications Policy and Guidelines to acknowledge that they have read, understood and will comply with the policy and guidelines.
Further Terms and Conditions
1. Coverage
This policy applies to use of all internet and electronic messaging systems used for TAC business purposes, including TAC's internal systems and any systems owned by other parties and used for such purposes.
All types of electronic messaging systems are covered by this policy, including such technologies as Lotus Notes mail, Internet email, short message service, web forms, traditional fax and web fax, web mail, news groups, chat rooms and any other electronic system for transmission or storage of messages or both.
Throughout this document, the term ‘message’ is used to include all forms of electronic information sent between parties or stored on electronic messaging systems, such as text, images, video and sound clips, forms, programs, data files, web pages and the like.
2. Permissible Uses
TAC electronic messaging systems are to be used for TAC business purposes only. Incidental non-business use of these systems is acceptable, provided such messages are infrequent, based on genuine need in each instance, and otherwise comply with the content requirements set out in this policy. These messages should be phrased in professional language and their content should be such that it would not discredit TAC in the eyes of the recipient or any third party.
Users of TAC systems must take all reasonable steps to discourage people from sending non-business messages to their TAC e-mail address or fax number. It is the responsibility of users to delete, upon opening, any messages sent to them that are unprofessional or that contain offensive content. The user should also advise the sender not to send any further such emails into TAC.
Users must not post their TAC e-mail address or fax number on web news groups or anywhere else that may generate unwanted messages to TAC, nor use their TAC address to subscribe to automatic e-mail or fax notification services or e-mail discussion lists unless required for TAC business purposes.
3. Permissible Message Content
Users must avoid any communication that might be construed as contravening any applicable laws, including laws on discrimination, harassment, racial vilification, defamation, trade practices, telecommunications and the like.
Message content that is offensive, threatening, obscene, disruptive or sexually explicit is strictly prohibited.
The TAC Workplace Equity Policy applies to use of the Internet and electronic messaging systems.
4. Internet Use Policies and Guidelines
Use of the Internet via a TAC account must be for TAC business purposes only. However, incidental personal usage (no more than 10 minutes per day) is acceptable provided that it does not encroach on work requirements or productivity. The downloading of material for non-TAC business purposes is strictly prohibited.
Use of TAC internet accounts to access or process pornographic material, inappropriate text files, copyrighted material such as music or video, or files dangerous to the integrity of the local area network or any illegal use is prohibited.
Commercially sensitive or confidential business material must not be published over the internet or transmitted via email.
Claim and/or client personal and health information can be transmitted via email where there is a legitimate business reason for doing so, as long as it complies with the TAC Privacy Policy and e-mail communication work practices.
The TAC requires that some documents be submitted in original form in order to be accepted or processed. These documents include:
- Accounts
- Receipts
- Medical Certificates
- Claim Forms
5. System Access Control
Users will be provided with personal IDs and passwords to allow them to access electronic messaging systems. Personal IDs and passwords must not be shared without TAC authorisation, and users must protect the secrecy of their personal passwords at all times.
Users must choose only passwords that are difficult for others to guess and must avoid obviously weak passwords such as names, dates, etc. Users must not use simple sequences of passwords, such as a number that increases with each password renewal.
Users must always clearly identify themselves in their messages unless TAC work practices require use of an organisational rather than a personal signature title.
TAC reserves the right to review any material, including all messages, stored on its systems or transmitted over its data networks and to disclose any such material to any other party for any lawful purpose. Apart from the purposes of compliance monitoring and security investigations, electronic messages addressed to (or sent from) individual electronic mail addresses owned by TAC are to be accessed only by the addressees, authorised operators of the mailbox at that address, and authorised delegates. Unauthorised attempts to read, disclose, delete, copy, modify or forge other people's messages are strictly prohibited.
TAC will regularly audit usage for compliance, to ensure that TAC's Internet and email systems are being used in accordance with policy. Breaches will be pursued in accordance with HR policies and procedures and may result in disciplinary action including termination.
Users must not export and distribute the private key corresponding to their TAC digital signature certificate (this key is normally contained in their Lotus Notes ID file and protected by their Lotus Notes password) to any other person. Such a breach may allow the other party to assume the identity of the user and intercept, read, write, distribute and sign e-mail with the user’s signature.
Users are not permitted to export their TAC digital signature certificate (including their private key) for use on home personal computer systems.
Users must immediately report to TAC management any information which indicates a private key associated with a TAC digital signature certificate has been compromised, i.e. is no longer secret or under the sole control of the person to whom it was issued.
To prevent misuse of their digital signature, employees must always lock their workstation or Lotus Notes ID before leaving their workstation unattended.
TAC will retain an ‘escrow’ copy of each TAC digital signature certificate and private key for the purposes of password recovery and security investigations. This copy will be held in restricted secure storage and all access to it will be controlled, logged and audited in accordance with procedures defined by the Chief Information Officer.
6. Good Practice
To minimise network traffic and maximise information sharing, users should use Team Rooms or similar shared information environments for electronic communications, rather than person-to-person(s) electronic messages whenever possible.
Users should regularly check for new messages at intervals suited to their work role as required to ensure smooth and efficient performance of TAC's business processes, but not less than once per working day. Users who are absent on leave must take reasonable steps for their mail to be viewed and urgent items to be processed in their absence.
For planned leave, users must set up an ‘Out of Office’ message for their mailbox. This message must explain that the user is unavailable and provide an alternative means of contact.
Users must maintain their mailbox and system storage space to efficiently use the system's resources. Large messages and files should regularly be reviewed for deletion to free up space.
Users must ensure that their message is relevant to the people to whom it is addressed. For example, messages regarding missing claim files should only be sent to mailing lists for claims divisions, and if possible, only to the specific division where the file is likely to be found.
Users should employ meaningful subject headings on their messages.
Use of blind copies is discouraged as their indiscriminate use conflicts with TAC's shared values of open and honest communication.
Users must always remain professional and polite in their electronic communication with others.
General messages to all employees can only be posted with the prior approval of the General Manager, Corporate Affairs. Unless they are very brief, such messages should contain a link to an appropriate on-line bulletin board.
8. Protection of Information
Users must take all reasonable steps to protect the confidentiality of all messages containing sensitive information. In this regard:
- Commercially sensitive information is content which, if disclosed, could lead to commercial disadvantage such as financial loss or damage to reputation, to TAC or any other party.
- Privacy sensitive information includes all content related to claimants or providers which potentially identifies a claimant or reveals any details of a claim, a provided service or a legal action. It also includes all personal information associated with TAC employees, contractors or other stakeholders.
Where appropriate, users may elect to transmit sensitive information outside the TAC using encryption and a digital certificate. Messages may be sent without encryption, provided there is a legitimate business requirement. For more information as to what constitutes a legitimate business requirement, refer to the TAC Privacy Policy and e-mail communication work practices. For some documents, the TAC can only accept originals.
Below is a list of these exclusions:
- Accounts
- Receipts
- Medical Certificates
- Claim Forms
- Pay slips and Group Certificates
Users must ensure all mailboxes under their control are kept secure against unauthorised access.
Users are not permitted to send commercially sensitive or confidential material to their home e-mail address (or their company e-mail address if they are a contractor to TAC) without prior authorisation by the Chief Information Officer. Such authorisation will only be given if the destination system meets TAC security standards.
Users must not send editable message files (for example Microsoft Word files) in messages unless there is a genuine business need for the other party to edit the message content.
9. Use of TAC digital signature certificates
Where appropriate, users will be issued with TAC digital signature certificates to enable the signing and encryption of electronic messages exchanged with external parties. Users should review the TAC Policy on Public Key Infrastructure to inform themselves on the proper use of digital signatures.
Users issued with a TAC digital signature certificate must only use their TAC digital signature to sign messages they are personally authorised to sign on behalf of TAC. Users should review the Subscriber Agreement at https://gatekeeper.esign.com.au/repository/gk_abndsc_sa.pdf and ensure they meet the obligations set out in it. Users should review the Relying Party Agreement at https://gatekeeper.esign.com.au/repository/gk_rpa.pdf and use their digital signature appropriately in the knowledge of how other parties may rely on it.
Users may distribute their TAC digital signature certificate to another person for TAC business purposes only, by sending a signed e-mail to that person. TAC digital signature certificates must not be used or distributed for non-business purposes under any circumstances. If this occurs, TAC may immediately revoke the digital certificate involved.
10. Reliance on Digital Signatures
Users will carefully assess the validity of a digital signature before relying on a signed e-mail for any significant business decision. If the potential consequences of an incorrect decision are significant and the identity of the sender cannot be established beyond doubt from the message contents, the user will first confirm the current valid status of the signing certificate by checking the certificate issuer's public revocation list and will also review the terms of the certificate issuer's Relying Party Agreement before relying on the signature.
11. Compliance Monitoring and Enforcement
TAC will regularly monitor and review electronic messages and Internet usage on its systems, regardless of whether messages or usage are business related or non-business in nature. This monitoring and associated investigations will be carried out under procedures defined by the Chief Information Officer to protect the security and performance of TAC systems and to enforce compliance with this policy.
Non-compliance by employees will be treated as a disciplinary matter and may lead to the termination of an employee's employment. Non-compliance by contractors will be treated as a breach of the commercial terms and conditions of their agreement with TAC.