
Digital devices, services and information – staff use procedures

Direction and guidance on using authorised digital devices, services and information.

Audience

All staff, including contractors, and any parties that access or use the department’s digital devices, services and information.

Version: V02.0.0
Date: 10/05/2024
Description of changes: Updated under the 2023 Policy and procedure review program, including conversion into the new template and improving document readability. Added requirements for taking or accessing department devices, services and information from overseas.
Approved by: Chief Operating Officer

About the policy

These procedures are designed to be read in conjunction with the Digital devices, services and information – staff use policy.


Terms and definitions

Staff

Includes persons directly employed by the department, as well as contractors, volunteers and tertiary practicum students provided access to the department’s digital devices, services or information.

Digital devices

Electronic devices that can receive, store, process and share digital information and connect to applications, websites and other digital services. They include desktop computers, laptops, tablets, smartwatches, smartphones and other devices whether department or personally owned.

Digital services or services

Any software, website or application that can gather, process or communicate information.

Systems

Any application or information and communications technology (ICT) configuration item that stores, transmits, creates or uses information. For example, end user devices such as mobiles, laptops and portable hard drives.

Information

Any communication or representation of knowledge such as facts, data, or opinions in any medium or form.

Personal or bring your own device (BYOD)

Any personal digital devices used for work purposes, including accessing department services and information.

‘Five eyes’ countries

Australia, New Zealand, Canada, the United States of America and the United Kingdom.

Overseas or international

Any destination outside Australia. This excludes Lord Howe Island and Norfolk Island, which for the purposes of this policy are to be treated as domestic travel.

Official travel

Where a public sector organisation or service responsible to a minister uses public monies to pay for the travel of a public official or any other person.

Overseas excursion

A school excursion taking place in a country outside Australia and which includes overnight accommodation the school organises.

Personally identifiable information

Any piece of information or data that can be used to identify an individual, including:

  • non-sensitive personal information
  • sensitive personal information
  • health information.

Should

Valid reasons to deviate from the item may exist in particular circumstances, but the full implications need to be considered before choosing a different course.

No policy exception required if condition is not met.

Should not

Valid reasons to implement the item may exist in particular circumstances, but the full implications need to be considered before choosing this different course.

No policy exception required if condition is not met.

Must

The item is mandatory.

Any deviation must be requested from the Chief Information Security Officer.

Must not

Not using the item is mandatory.

Any deviation must be requested from the Chief Information Security Officer.

Deputy Secretaries (or equivalent):

  • comply with and champion this policy
  • assess requests from staff to take department devices overseas or access department digital services and information from overseas.

Chief Information Security Officer (CISO):

  • ensure the department develops, implements and maintains effective policies and procedures for accessing and using department digital devices, services and information based on the department’s cyber security risk tolerance
  • assess and consult on requests from staff to take department devices overseas or access department digital services and information from overseas.

Directors and Executive Directors:

  • assess requests from staff within their directorates to take or access department devices, services and information from overseas
  • assess and take relevant disciplinary action for escalated non-compliance incidents.

Principals and managers:

  • use digital devices, services and information in safe, responsible and respectful ways
  • maintain a positive workplace culture that includes and promotes safe, responsible and respectful use of all digital devices, services and information
  • inform staff of the Digital devices, services and information – staff use policy and these procedures
  • coordinate with the Information Technology directorate to procure and maintain department devices in accordance with this policy and associated guidelines
  • model appropriate use of digital devices and services
  • report and respond to any breaches and incidents of inappropriate use of digital devices, services and information as required by school procedures, department policy and any statutory and regulatory requirements.

Staff (including contractors):

  • use and access digital devices, services and information responsibly, economically, efficiently and in compliance with legal requirements
  • ensure that the security of the department’s digital devices, services and information is maintained and not compromised
  • take reasonable steps to ensure unauthorised persons cannot access departmental information in any form
  • ensure they have deputy secretary (or equivalent) approval to access department digital devices, services and information from overseas
  • report inappropriate use of digital devices, services and information to their line manager and the Professional and Ethical Standards directorate in accordance with workplace procedure, department policy and the department’s Code of conduct policy
  • ensure licences are held or purchased for any software installed on a device other than software in the device’s base build as provided and installed by the department.

What needs to be done

The department provides standardised digital devices, operating systems and software to schools, department workplaces and staff.

1. Setup and security

1.1 Secure all department digital devices, services and information

1.1.1 Securing digital devices

All staff must:

  • ensure that department digital devices are protected from compromise, loss and damage
  • ensure security measures are appropriate to the setting. For example, school locations will require different security considerations to education support locations.
  • lock any digital devices when leaving them unattended
  • save any open files and close any applications when leaving a digital device unattended
  • not give unauthorised persons access to areas where department devices or infrastructure is stored
  • not share their login information or provide access to department devices and services through their login to any other person, including students
  • conclude concurrent logins as soon as practicable
  • store digital devices in a lockable container or other secured area, both at home and at department locations
  • cover laptop webcams and unplug desktop webcams when not in use
  • not leave department digital devices in any unsecured location, including common areas and motor vehicles
  • only access department digital devices using a department-provided login or identity
  • not take any action to alter or diminish the security of any department digital device.

1.1.2 Securing digital services and information

All staff must:

  • only access department digital services and information using a department-provided login or identity
  • take reasonable steps to ensure unauthorised persons cannot access departmental information in any form
  • not share their login information, or provide access to department services and information through their login to any other person, including students
  • not take any action to alter or diminish the security of any department services or information
  • practise good cyber hygiene (refer to 1.1.3 below, 'How to secure digital services and information').

1.1.3 How to secure digital services and information

Securing the department’s digital services and information is critical. Staff must practise good cyber hygiene and follow the guidelines outlined in these procedures.

Table 1 Securing digital services and information (each type of service or information is followed by the actions and information that apply to it)

Email

The department provides an email account for the period of employment. Staff may be held accountable for all activity on the department’s network, applications or data systems that has been accessed using this user ID and password.

A department email account:

  • may be accessed from any department-provided digital device or personal device subject to the provisions of this policy
  • remains the department’s property throughout your employment and will be terminated at the end of tenure. Any information lost on termination cannot be recovered.

Cyber hygiene

Staff must:

  • never use work email accounts and passwords for accounts on non-work-related sites
  • report suspicious emails, SMS and phone calls to EDConnect (1300 32 32 32 Option 5) or abuse@det.nsw.edu.au
  • never use public Wi-Fi for work-related activities
  • never plug in devices from unknown sources, including USBs or external hard drives given as gifts or found lying around. Only use plug-in devices from known, trusted sources
  • update devices and back up files in accordance with this policy.

Passwords, passkeys and other authentication methods

Passwords, passkeys and other forms of authentication allow a user to prove they own a particular account or user ID.

Staff must:

  • comply with the rules established by the administrator of the relevant network, application or system, or the Password Standard (refer to Policies, strategies and standards)
  • use password or PIN protection on all digital devices, including personal digital devices with access to the department’s information assets
  • never use common password/passphrase words, sayings and patterns (for example, ‘Password1234’ or ‘LetMeIn’)
  • use multifactor authentication where available
  • never log in to a device or service to allow another person access, including students
  • never share their passwords with anybody, including executive assistants, managers, staff, colleagues, IT service desk or desktop support staff, students and family members
  • use passphrases and/or the department’s recommended password manager where supported
  • never write down password information where other people could access it
  • never reuse passwords across different accounts
  • ensure passwords and password reset mechanisms (such as secret questions) are not obvious or predictable
  • where they discover others may know their password, or their accounts have been used inappropriately, immediately update their password and advise their manager
  • contact their supervisor or manager if approached by someone, in person or electronically, asking them to disclose password or account details.

The Password Standard (refer to Policies, strategies and standards) provides more information on the department’s password requirements.

Network security

Staff must have the approval of the Executive Director, Digital Operations before connecting any external data services to the department’s network. This includes connecting an external data service to any site owned or leased by the department.

The department will disconnect from its wide area network any department-owned site found to be connected to an unauthorised external data service, until the unauthorised service has been disconnected. External connections can include:

  • internet connections (such as NBN), regardless of the technology
  • site-to-site data connections (such as an optical fibre service between 2 campuses)
  • 4G or 5G data services for anything other than a mobile phone handset.

The department regularly carries out network data backups, operating system security updates, virus protection software updates and scans on all network computers.

To ensure these important processes operate effectively, staff must:

  • restart updated software (such as web browsers or Microsoft Office) as soon as it is practical to do so
  • not tamper with, unnecessarily delay or disable data backups, security updates or virus protection updates and scans.

Sensitive and confidential information

If there is a need to store, access or share department data on a personal device, staff must:

  • only store information in the department’s approved cloud storage platform, OneDrive. Private, sensitive or confidential information is expressly prohibited from being stored on any personal device
  • protect the device with a PIN or password, ensure devices automatically lock and, where technology permits, protect the data by encryption
  • protect the device using appropriate physical measures based on the sensitivity of the information it contains (see the NSW Government Information Classification, Labelling and Handling Guidelines for more information).

1.1.4 Monitoring digital devices, services and information

The department monitors its digital systems to ensure the confidentiality, integrity and availability of business and education services in line with the Workplace Surveillance Act 2005 (NSW). The department reserves the right to inspect any digital device issued to staff while investigating breaches, incidents and allegations of misconduct. This data may be passed on to police or other investigative bodies. The department may also monitor personal devices used for work.

1.2 Secure personal devices used for work

Staff can choose to use personal digital devices for work under Bring Your Own Device (BYOD) programs. The department does not manage or support these devices.

1.2.1 Securing personal devices

Staff must:

  • protect the device with a PIN (personal identification number) or password that complies with the department’s Password Standard (refer to Policies, strategies and standards) and ensure the device locks automatically
  • protect the device using appropriate physical security measures (such as storing in a lockable container, ensuring the device is in a secure area not accessible by the public and not leaving devices in your car)
  • only store the department’s information in the approved cloud storage platform, OneDrive
  • allow the deployment of a digital certificate to enable network traffic decryption and inspection by the department
  • comply with the responsibilities and security controls for use of BYOD specified below
  • comply with all provisions of this policy and the department’s Cyber security policy and procedures
  • report the loss or theft of a personal device used to access or store department data to their manager and EDConnect (1300 32 32 32 option 5) as soon as practicable once the incident becomes known
  • comply with ITD directives, within 24 hours if no other deadline is specified, to update system software or take actions (such as changing device settings) to ensure device security.

Support for personal devices

EDConnect provides support for department-issued digital devices and services only. Staff using personal devices should refer to the manufacturer or retailer for technical support.

1.2.2 Remote wiping of personal devices

To protect the confidentiality, integrity and availability of its information, the department may remotely wipe department accounts from any personal device connected to or configured to use its services. Wiping these accounts will erase data such as department email and documents but may also erase any personal data associated with software licensed to the department (such as Microsoft Office 365). The department is not obliged to inform staff of its intention to wipe accounts from the device or provide any support in recovering lost personal data or functionality. Devices will not be remotely wiped without due diligence.

1.2.3 BYOD security requirements

The department requires staff to implement the following controls for any personal device that accesses the department’s digital services or information.

Staff must:

  • enrol no more than 5 concurrent mobile devices with the department at any one time
  • ensure that personal devices are kept in good working order
  • only use approved applications to interact with the department’s data
  • not charge individual application, or digital device purchases to credit cards or facilities the department owns or manages
  • ensure that applications provisioned and used for work purposes are properly licensed
  • back up critical personal information on your preferred backup solution (do not use the department’s cloud storage solutions for personal information) in case of data wipes or corruption
  • not use non-department email accounts or cloud services to share the department’s information to and from a personal device
  • not modify device functionality unless ITD recommends or requires it. Staff cannot use devices that are ‘jailbroken’ or have been subjected to any other method of altering or disabling built-in protections. This constitutes a material breach of this policy
  • apply the most current approved software or firmware updates to personal digital devices, including backing up and restoring data as part of the upgrade and updating process. All software and firmware should be set to automatically update
  • enable antivirus and malware protection where it is available
  • take appropriate precautions to prevent others from obtaining access to their device(s)
  • take responsibility for all transactions made with their credentials
  • not provide access credentials for devices connected to department’s internal systems to any other individual
  • not download any application that the department has blacklisted (such as TikTok) on any personal device that contains or accesses the department’s information, even if those applications are not used for business purposes.

If the department needs to access a personal device, contact will be made via official channels and in accordance with relevant department policies and procedures. The department will only request access to personal devices or credentials for investigatory purposes.

NEVER provide access to department or personal devices and credentials unless you are certain that the person is an approved staff member. If you are unsure, contact EDConnect on 1300 32 32 32 (Option 5).

1.2.4 Mandated software and certificates

The department may deploy any monitoring or decryption software deemed necessary to maintain the security of its digital services and information. Staff consent to this deployment and monitoring when they opt in to access the department’s network, digital services or information from a personal device.

Staff must:

  • allow the deployment of a digital certificate to enable network traffic decryption
  • install any mandated mobile device management tool or other software on the department’s advice.

The department conducts all monitoring and decryption practices in accordance with relevant legal and regulatory requirements.

1.2.5 Monitoring of personal devices

Staff who choose to use personal devices under a bring your own device (BYOD) program trade a limited amount of control over the device’s data in exchange for access to the department’s network and information assets. All monitoring is in accordance with the Workplace Surveillance Act 2005 (NSW).

The department may monitor staff members through mobile device management (MDM) software, or any other software deemed necessary.

The department, and any associated entity providing MDM software, will not collect the following information from personal devices unless permitted by law:

  • keystroke activity
  • photos
  • texts composed or received in the built-in messaging application.

1.3 Procure digital devices and services

When approving the purchase or procurement of digital devices or services, staff must ensure the device or service:

  • best meets the business unit’s specific needs
  • is cost effective
  • represents an ethical and efficient use of department resources
  • satisfies the department’s ICT contract requirements (see the Cyber security policy).

Table 2 Procurement guidelines for staff (for each type, guidance for school staff is given first, then guidance for education support staff)

Hardware (school staff)

The department has a range of hardware suppliers with mandated contracts to purchase hardware from. Hardware can be purchased via the EDBuy Online Catalogue.

For a list of supported devices refer to Standard devices for schools.

Hardware not listed in EDBuy is not supported by the department and may not be suitable for the department’s digital environment. To discuss the suitability of devices, contact your local IT team.

For further requirements on managing information and communications technology (ICT) contracts, refer to Procurement.

Hardware (education support staff)

Staff must only purchase digital devices provided through:

  • the ComFleet program (refer to Technology’s Non-school staff)
  • ITD’s telephony team, for digital devices requiring cellular connections, including mobile phones and smartphones (refer to Telephony).

All staff must note that Microsoft Teams is available to all staff for internal communications. Mobile phones should not be provisioned to staff who do not have additional communication requirements outside of this (for example, staff required to be on call, or to communicate with external vendors).

For further requirements on managing ICT contracts, see Procurement.

Software (school staff)

The department has reviewed and rigorously assessed a range of products and programs for use in education settings.

Standardised software is available to all school users to support teaching and learning. For more information on available software, see Software.

Non-standardised software can also be purchased and sourced from:

All software on the above marketplaces has been reviewed and assessed for use by the department.

Software that is not sourced from one of the above locations requires additional assessment in accordance with the Cyber security policy and procedures. For a list of assessed applications, see AssessedIT.

Staff seeking to procure new IT or digital goods and services must also ensure that the department’s ICT contract requirements are implemented. Staff should contact cyber support or the ITD Tenders teams for assistance.

For further requirements on managing ICT contracts, see Procurement.

Software (education support staff)

Standardised software is available for download through the Company Portal, available on all department devices. Some software may require licences or additional access permissions to appear.

Software licences for non-standardised software may be purchased at the business unit’s discretion. All new contracts must incorporate the ICT contract requirements.

For further requirements on managing ICT contracts, contact Procurement.

2. Acceptable use

The department provides staff with digital devices and services to enable them to perform their duties. This section outlines acceptable and unacceptable uses of digital devices and services.

Staff must:

  • use department digital devices, services and information responsibly and comply with relevant NSW legislation
  • use department digital devices, services and information economically and efficiently
  • appropriately secure any digital device, service or information used for work purposes (includes personal devices)
  • use department digital devices primarily for work purposes.

The department monitors the use of its digital devices, services and information for breaches of this policy and relevant legislation.

2.1 Use department resources economically and efficiently

Use of department-provided digital devices and services must always be economical, efficient and responsible.

Staff must:

  • limit the duration of any time-charged communication, including internet sessions and any other data-intensive services
  • not use department digital devices or services for income-generating activities
  • cancel or hand over any unused licences charged to your business unit.

The department reserves the right to adjust staff mobile data plans to ensure the most economic use of the department’s resources.

Approval to use personal mobile devices for department business purposes, and subsequent reimbursement of costs, should be limited to occasional or extraordinary circumstances. Any reimbursement must be reasonable, justified and not exceed the total cost of the mobile bill.

2.2 Comply with copyright and privacy requirements

The department’s information is subject to privacy and copyright legislation.

Staff must:

  • not copy or transmit any material in electronic or physical form that is protected by copyright, except as the law authorises or permits. Refer to Legal Services for more information about copyright
  • not disclose, access or use any department controlled personally identifiable information in a manner inconsistent with state and federal privacy legislation and regulatory frameworks. Refer to Information and Privacy Commission NSW for more information
  • label and handle official, sensitive and other confidential information in accordance with the NSW Government Information Classification, Labelling and Handling Guidelines
  • ensure that personal information is not stored, transmitted or used in department services to enable the separation of business monitored information from personal information. If staff do use department devices or services for this purpose, the department cannot be held responsible for the collection of this data.

2.3 Exercise good judgment when using department devices for personal use

The department acknowledges that staff may occasionally need to use its digital devices and online services for personal reasons.

Staff must:

  • only do so in a manner that is infrequent, brief, involves minimal cost and does not interfere with the performance of work, impact on the department’s service delivery, or create an exposure for the department to viruses, legal liability or reputational damage
  • accept that the devices are department property and therefore usage will be monitored
  • not engage in any unlawful, unacceptable, inappropriate or uneconomical activities.

Staff suspected of abusing their use of department-owned digital devices and online services may be subject to investigation and could face disciplinary action.

2.4 Examples of unacceptable use

Any use of the department’s digital devices or services that could be considered controversial or offensive, or that could potentially damage the department’s reputation or financial position, is unacceptable. The intentional unacceptable use of department digital devices or services may result in disciplinary action. These standards apply whenever departmental equipment (including BYOD) or communication lines are used.

Staff must report prohibited conduct, and the receipt or distribution of inappropriate or unacceptable material, immediately.

Table 3 Unacceptable and inappropriate use of digital devices, services and information (each use type is followed by its description and the actions for staff)

Unacceptable uses of digital devices, services and information

Staff must not use the department’s digital devices or services to create, access, store or transmit information that is:

  • subversive, illegal or unlawful
  • sexually related, pornographic or offensive (excluding curriculum material related to the delivery of sexuality or sexual health education)
  • violent or hate-related
  • discriminatory towards a particular group or individual or otherwise victimises or vilifies that group or individual
  • malicious or defamatory
  • inconsistent with child protection policy, privacy laws or copyright
  • unrelated to official purposes or is an uneconomic use of department resources.

If they receive such material or observe others engaging in prohibited conduct, staff must report it to:

  • their manager or principal
  • the Professional and Ethical Standards (PES) directorate (on 02 7814 3722 or email PES@det.nsw.edu.au).

The PES Reporting Guide provides guidance on when to use the PES Report Form.

Inappropriate uses of digital devices, services and information

Staff must not:

  • disclose confidential information without authorisation
  • use government data and services in ways that put the department’s cyber security at risk, including any action contrary to the provisions of this policy.

Staff must report any actual or suspected breach or risk to the department’s cyber security. Staff must:

1. Report to:

2. Consider reporting to other relevant teams, for example:

In the case of inappropriate emails (for example, phishing or smishing emails), delete the email without replying or attempting to remove your email address from any mailing list.

For more information on reporting unacceptable material, refer to Cyber safety.

3. Leaving the department

Staff may be provided with a digital device for work-related purposes during their employment with the department. These devices remain the property of the department and must be returned in situations where:

  • staff separate from the department
  • staff are terminated
  • staff take extended leave, including secondments longer than 3 months.

In these circumstances, staff must:

  • remove any personal information from the device
  • not copy or document department information in any way
  • cancel or transfer any software subscriptions paid for by the business unit
  • return any department-owned laptops to their principal (for school staff) or to EDConnect (for education support staff)
  • notify the ITD telephony team (via EDConnect) of any mobile phone/data services that will no longer be required. Department-owned mobile phones are to be retained by the business unit.

The department will disable access to departmental digital devices, services and information on separation or termination of employment, subject to department policy:

  • casual staff – 15 months from last casual pay period
  • temporary staff – 12 weeks from disengagement
  • permanent staff – 12 weeks after separation.

4. Taking or accessing department digital devices, services and information from overseas

4.1 Apply for or approve overseas travel

Taking and accessing department digital devices, services and information from overseas presents a significant cyber security risk to the department. In line with NSW Government requirements, there are various processes that must be followed before department staff can access digital services and information overseas. This section details the actions for staff, managers, principals, the Cyber Security team, the Chief Information Security Officer (CISO) and deputy secretaries (or equivalent executives).

4.1.1 Applying to access department devices, services or information from overseas

Staff planning to travel overseas must:

  • apply for approval if they would like to take or access department digital devices, services or information while overseas. Staff must apply for access at least 28 days before departure to allow time for approval
  • only apply for a maximum duration of 180 days access at a time. If a longer time is required, they must submit a new application.

Access will only be granted where necessary to satisfy business requirements and will generally not be granted for personal leave.

Staff can only access department digital devices, services or information from overseas with the appropriate approval. Any unapproved access may result in their account being locked and in disciplinary action. Staff must not submit false or misleading information as part of their application.

The provisions under this section do not:

  • apply to third-party service providers and vendors engaged under a Third-Party Agreement contract
  • contain provisions related to seeking or endorsing official travel, excursions or teacher exchange applications
  • cover work health and safety, insurance, physical security or any other matters related to working for the department while overseas.

4.1.2 Official travel, approved excursions and teacher exchange programs

Staff travelling on official business, approved excursions or approved department teacher exchange programs (refer to Scholarships and programs) must first have their travel approved under the appropriate policy or program:

Where travel has been approved under one of the above policies, approval to take or use department devices, services and information from overseas will only be required from the CISO. Staff will be required to provide evidence that travel has been approved under one of the above policies as part of their request.

4.1.3 Transitional arrangements

The provisions of this policy will be enforced from its implementation. Any staff member currently working from overseas, or who has an arrangement to do so in the future, must have their access to department devices, services and information reviewed by the Cyber Security team.

All managers, principals and other staff responsible for managing and approving travel or flexible working arrangements must notify the Cyber Security team (CyberSupport@det.nsw.edu.au) of any staff within their business unit who have working from overseas arrangements in place.

Staff who have arrangements to travel overseas and who plan to access department devices, services and information must complete an international access request per this policy and email CyberSupport@det.nsw.edu.au to ensure the request is managed efficiently.

The Cyber Security team will also work with Human Resources teams to review and document all current approved requests during the transitional period.

4.1.4 Considerations for endorsing and approving officers

Endorsing and approving officers must consider:

  • the purpose of the travel
  • the duration of the travel (requests have a maximum duration of 180 days)
  • the locations of travel and transit
  • the business need and associated risk of the travel
  • whether the request form is complete, accurate and true.

In assessing applications, endorsing and approving officers should pay particular attention to:

  • whether the work could be completed before travel, or handed over to a colleague
  • the minimum application, software, information or device requirements to complete the work
  • whether travel constraints, such as time zone differences, will have an effect on the achievement of work goals
  • the risk to the department’s information security that the requested access poses (see below)
  • any other constraints to work practices deemed relevant.

Requests must not be approved to take or access department digital devices, services or information to or from any overseas location determined to be high risk (non-Five Eyes; refer to section 4.3 ‘Low- and high-risk countries’) unless no other reasonable business solution exists.

Additional information from an applicant may be requested before endorsing or approving a request.

4.1.5 Application and approval guidelines

The following guidelines apply to staff, managers, principals, the Cyber Security team, the CISO and Deputy Secretary.

1. Obtain principal or manager endorsement – staff

Staff must demonstrate the need for accessing department digital devices, services or information from overseas with their principal or manager.

Principals or managers must:

  • analyse the business need and, where necessary, help coordinate endorsement from their director and executive director
  • consider requests on a case-by-case basis taking into account the factors outlined in ‘Considerations for endorsing and approving officers’.

Manual applications for staff without SAP access

Contractors or other staff members without SAP access will need to submit a manual request form, following the same steps outlined in this section. The various stages must be coordinated manually to ensure the International Access Request (Working from Overseas) (PDF 1382 KB) form is completed satisfactorily (refer to Accessing digital systems while overseas for more information).

2. Obtain written endorsement – staff

Staff need to obtain written endorsement of their requirement to access department digital devices, services or information from overseas from their director and executive director.

Staff should use the Endorsement template (PDF 158 KB) as a guide when seeking written endorsement.

Directors and executive directors must consider requests on a case-by-case basis taking into consideration the factors outlined in section 4.1.4 ‘Considerations for endorsing and approving officers’.

If the delegated line manager is a member of the senior executive, the prior tiers of delegated approvers are not required.

3. Submit SAP request – staff

Staff must submit a request via the International Access (Working from Overseas) (staff only) SAP form with written endorsements from their director or executive director attached. Staff travelling on official business, approved excursions or approved department teacher exchange programs (refer to Scholarships and programs) should instead attach evidence that travel has been approved under the relevant policy.

The SAP workflow item will be forwarded to the relevant principal or manager for review and consideration.

4. Approve the SAP request – principal or manager

Principals or managers should review the contents of the SAP workflow item to ensure accuracy before choosing to approve or reject the request. If approved, the request will be forwarded to the Cyber Security team.

5. Perform a Cyber Security Risk Assessment – Cyber Security team

The Cyber Security team will initiate and document a Cyber Security Risk Assessment for the Chief Information Security Officer (CISO) on receipt of the endorsed request. Once the assessment is finalised, the request will be forwarded to the CISO for endorsement.

The Cyber Security team will maintain a centralised register of all requests, approvals and rejections for staff requests to access department devices, services and information from overseas.

Risk assessment review

The Cyber Security team conducts risk assessments based on internal criteria and procedures. Risk assessments consider the details provided by the requestor against the associated risks of the requested access from overseas locations. At the conclusion of the risk assessment process, the team must provide:

  • the Risk Assessment Review to the CISO for feedback and to the Deputy Secretary (or equivalent) should the CISO choose to endorse
  • a summary to the requestor should the CISO reject the request.

6. Endorse or reject application – CISO

The CISO must review the request and provide feedback on the risk assessment before choosing to endorse or reject an application. If the CISO chooses to endorse an application, they will forward a recommendation to the approving Deputy Secretary.

The CISO must consider:

In the case of staff travelling on official business, approved excursions or approved department teacher exchange programs, the CISO will provide final approval subject to the risk mitigation strategies outlined in step 8 below.

7. Approve or reject application – Deputy Secretary

If approved by the CISO, the relevant Deputy Secretary (or equivalent) must review the request and risk assessment, and approve or reject the application.

The Deputy Secretary (or equivalent) must consider:

Approval to take or access department devices, services and information overseas should only be considered where the Deputy Secretary (or equivalent) can accept that every effort has been made to mitigate the department’s residual risk.

8. Risk mitigation for approved staff – Cyber Security team

If the application is approved, the Cyber Security team will contact the applicant to complete further actions for risk mitigation.

Staff who have had their request approved must:

  • comply with the policies and procedures relevant to their access and travel arrangements
  • collaborate with the Cyber Security team and comply with all risk mitigation strategies the team deems appropriate
  • complete and submit the Cyber Security team’s relevant checklist (refer to Case studies – Access from overseas) at least one week before travel.

If the Cyber Security team is not satisfied that staff have implemented their risk mitigation strategies, the team may submit a recommendation to revoke any approved access or lock an account.

4.2 Additional cyber security risk mitigation

The Cyber Security team will outline any additional risk mitigation strategies that staff may need to complete before departure. Any additional requirements will be implemented on a case-by-case basis.

If assistance is needed to complete these steps, contact CyberSupport@det.nsw.edu.au.

4.3 Low- and high-risk countries

The Five Eyes partnership is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States. Each of the Five Eyes countries conducts interception, collection, acquisition, analysis and decryption activities, sharing all intelligence information obtained with the others by default.

For travel within Five Eyes countries:

  • risk is considered low
  • department devices may be approved to be taken to these countries
  • generally, no restrictions on digital services or information will be enforced.

For transit or travel within non-Five Eyes countries:

  • risk is considered higher and subject to more rigorous risk management
  • standard department devices must not be taken or accessed
  • ‘clean’ devices (see below) may be taken and accessed where approved
  • personal devices may be used to access department digital services and information only where approved. Digital service and information access will be limited to Microsoft Office 365 applications accessed via the web browser.

4.4 Clean devices for travelling

It is recommended that staff travelling on official business to high-risk locations use a special ‘clean’ device for travel. Clean devices have never been connected to a NSW Government IT network and never will be. Clean devices will be arranged by the Cyber Security team for loan as part of risk mitigation.

On return from overseas travel, staff must:

  • return all clean devices to ICT support staff for inspection and wiping
  • report any suspected compromise of the ‘clean’ device or other suspicious behaviour to EDConnect.

See Telephony for more information on purchasing mobile devices or data services.

4.5 Appealing a decision

If the request is rejected, staff must not access department digital devices, services or information from overseas. If the CISO rejected the request, staff may submit a formal appeal by:

  • contacting the relevant executive director and presenting a case for review
  • attaching the Risk Assessment Summary document provided by Cyber Security.

If appeals are rejected, they must not be resubmitted. If appeals are approved, they will be subject to any additional risk mitigation controls deemed necessary.

The Appeal template (refer to Accessing digital systems while overseas) provides further direction.

If the direct escalation for an appeal is a Deputy Secretary (or equivalent), the applicant must raise the appeal with them directly.

4.5.1 Evaluating requests for review

When an appeal is escalated, the reviewer must:

  • review the request rationale in light of the Risk Assessment Summary decision
  • endorse or reject the appeal request.

If a reviewer endorses the appeal, they must:

  • raise the appeal with the relevant Deputy Secretary (or equivalent) via a briefing, email or minuted meeting
  • notify the Cyber Security team (CyberSupport@det.nsw.edu.au) that the appeal has been escalated to the Deputy Secretary (or equivalent) and include the team in all related correspondence.

4.5.2 Endorsement of an appeal

Deputy secretaries (or equivalent) who have had an endorsed appeal request escalated to them must:

  • review the original request and any new evidence or information provided as part of the appeal
  • consult the Cyber Security team for additional information or clarification if required.

If a Deputy Secretary (or equivalent) chooses to overturn the CISO’s original decision, they must notify the Cyber Security team (CyberSupport@det.nsw.edu.au) so the decision can be updated on the central register.

4.6 Variations to itineraries, locations and/or dates

If there are changes or cancellations to the submitted itinerary, staff must:

  • contact their delegated approvers as soon as possible
  • submit a travel itinerary variation request or resubmit a new application (see below).

Variations to travel locations:

  • changes before initial approval – staff must withdraw their request in SAP and resubmit a new request (including re-obtaining written endorsement)
  • changes before departure but after obtaining approval from the Deputy Secretary – contact CyberSupport@det.nsw.edu.au for further information.

Variations to travel dates:

Changes to travel dates, before or after obtaining approval, require staff to:

  • notify their principal or manager of changes
  • notify CyberSupport@det.nsw.edu.au and provide the approval reference number and new dates
  • submit a new travel request if the changes to dates put the travel period over 180 days.

4.7 Approvals for staff already overseas

Staff must not take department devices overseas before obtaining approval from the Deputy Secretary or equivalent. Access to department devices while already overseas therefore cannot be granted.

If staff are contacted directly by their principal or manager to advise or action a business-critical assignment while overseas, access may be granted in exceptional circumstances. In these cases:

  • the onus of submitting a request for access is on the requesting principal or manager
  • access will be restricted to Microsoft Office 365 applications accessed via the web browser only.

Requesting principals or managers should contact the Cyber Security team at CyberSupport@det.nsw.edu.au.

4.8 Overseas travel checklist

4.8.1 Before travelling overseas

Before travelling overseas, staff must take a number of precautionary measures to safeguard department devices, services and information.

Staff intending to work from overseas must:

Before travelling, staff must comply with the following mandatory requirements for device security.

Staff must:

  • remove all department accounts and related information from any unapproved personal devices while overseas
  • remove all department contact details from their department or personal devices, other than those required for travel (such as contact details for their principal or manager)
  • ensure all their devices automatically lock (15-minute locking standard) and a secure authentication mechanism is in place (for example, passcode, fingerprint, or other biometric identification)
  • create different passwords for all department digital services they will access overseas (to avoid the risk of having to change expiring passwords while overseas).

In addition, staff should:

4.8.2 Using department devices, services and information overseas

While working overseas, staff must comply with this policy, as well as the following department policies:

4.9 Reporting emergencies

Staff must report any loss, theft, potential compromise or unusual behaviour of devices during overseas travel to EDConnect (1300 32 32 32). EDConnect can be contacted Monday-Friday from 7:30am-6pm AEST.

4.10 Mandatory and discretionary requirements

There are a number of mandatory requirements for staff while they are working from overseas. These are outlined below, along with discretionary considerations.

Staff must:

  • only take approved department digital devices during the overseas travel period
  • only access department digital services and information approved for use during the overseas travel period, and only from approved devices
  • only connect department or personal devices to the Internet using a private mobile personal hotspot created by a device that only they have access to (for example, a hotspot on a department or personal mobile phone that requires authentication to connect)
  • put devices in ‘flight mode’ when travelling and only enable Wi-Fi when required for use
  • power off devices during transit, inside airport buildings or when the device is not in use for an extended period
  • lock their devices when not in use for short periods
  • place department devices in carry-on luggage
  • cover or unplug webcams when not in use
  • assume that any digital device that has been taken out of their sight has potentially been compromised once returned to them (for example, after inspection by foreign government officials, or after being lost or stolen and later found or returned)
  • use encrypted Voice over IP (VoIP) applications such as Microsoft Teams for making business calls or attending business meetings.

Staff must not:

  • take or create any hard copies of protected, secret or top secret information without first seeking advice from the Department of Foreign Affairs and Trade. Refer to Protective Security Policy Framework: Classification system for more information
  • access any department information or digital service that contains any personally identifiable information or other sensitive or confidential information
  • use any public network connections including those in hotels or airports
  • use any local support facilities (such as a computer or mobile repair shop)
  • use removable media (USB sticks), especially those provided by other organisations, for data transfers. It is best to transfer any documents via file-sharing utilities such as Microsoft Teams or OneDrive
  • store any department information on personal devices for offline use. Only cloud storage may be used such as Microsoft Teams or OneDrive
  • share department credentials or devices with any other person
  • use department digital devices, services or information for personal use.

Staff should:

  • exercise discretion when disclosing information about work and overseas travel to another person
  • consider powering down devices when sensitive information is to be discussed in person
  • ensure devices (and peripherals such as chargers) are with them at all times or locked in a secure storage facility
  • be alert to suspicious behaviour and aware of their surroundings in public, so that others cannot see their screen or see them entering sensitive information
  • practise caution when giving out their personal email address and phone number
  • consider support limitations from the department due to signal strength, bandwidth and other factors.

Staff members are required to assume certain responsibilities for any device that contains the department’s information or directly connects to the department’s resources.

Staff must:

  • only access department digital services and information while overseas from approved personal devices
  • remove any department services and information from unapproved personal devices before travel
  • change department login credentials before and after overseas travel in line with the department’s Password Standard (refer to Policies, strategies and standards)
  • comply with all other provisions that relate to BYOD within this policy.

Additionally, if travelling to a high-risk location, staff must:

  • only access Office 365 software via a web browser using an ‘incognito’ (private browsing) window. No desktop versions may be used or synced
  • create a separate operating system user profile on the device for work-related purposes only. The profile must be secured via a secure authentication mechanism such as a strong biometric or a hardware security token like a YubiKey
  • use an incognito browser window for all work to ensure that no cookies, login information or tokens are saved in their browser cache
  • not access department digital services that require software to be installed on their device.

4.11 Responsible use of digital devices, services and information

Staff using the department’s digital devices, services and information overseas must do so appropriately and in accordance with local and Australian law.

Staff travelling overseas are subject to the laws and regulations of the country to which they are travelling. The department is not responsible for any illegal activity they undertake during this time.

Before travel, staff should review the Smartraveller website and any other relevant sites for information regarding local laws that may impact use of digital devices, services and information in overseas locations.

Refer to section 2 ‘Use digital devices, services and information responsibly’ for information regarding unlawful use within Australia.

The following are considered inappropriate use of department digital devices and services specific to overseas travel:

  • taking any department digital devices or information overseas without relevant approval
  • accessing any department digital services or information while overseas using either work or personal digital devices without relevant approval
  • connecting approved digital devices to any overseas unsecured networks
  • sharing department digital devices, services and information with unapproved users in any capacity
  • using department digital devices overseas for purposes unrelated to business activities
  • continuing to use department digital devices where a known or potential compromise occurs.

Refer to section 2 ‘Use digital devices, services and information responsibly’ for information regarding inappropriate use in all circumstances.

4.12 International roaming

The department’s standard mobile contracts incur high usage charges when used overseas. Staff taking an approved department mobile device overseas must use the international roaming option infrequently and economically. Staff who will require extended use of international roaming should contact the Mobile Devices team (mobilecomms@det.nsw.edu.au) for advice, additional information or assistance with mobile devices or contracts before travelling overseas.

4.13 Arriving back in Australia

On returning to the country, staff must:

  • return all clean devices to ICT support staff for inspection and wiping
  • confirm that passwords for any digital service used or accessed while overseas have been changed
  • hand over any suspicious gifts or compromised devices to ICT support staff for examination
  • report any suspected compromise of a device or other suspicious behaviour to EDConnect.

Record-keeping requirements

Refer to Functional Retention and Disposal Authority: FA387 (PDF 106 KB) for information on retaining and disposing of records.

Staff members need to preserve relevant business communications and ensure they comply with the department’s Records Management Program when deleting any electronic business communication.

Business communications, including email and other forms of messaging sent electronically, become official records subject to the State Records Act 1998 and the department’s Records Management Program. Electronic records are subject to the same standards of record keeping that apply to paper records.

Supporting tools, resources and related information

Policy contact

The Chief Information Security Officer monitors the implementation of this procedure, regularly reviews its contents to ensure relevance and accuracy, and updates it as needed.
