Technology Use Policy
| Version: | 1.0 |
|---|---|
| Approved: | June 26th, 2024 |
Purpose:
The Mycological Society of Toronto owns, maintains and manages Information Technology (IT) resources to support the educational, instructional, and administrative activities of the MST.
This policy sets out the acceptable and responsible use of MST IT Resources, in order to protect the MST and its Members, and to ensure the appropriate use of IT Resources and Information Assets in compliance with privacy law and in accordance with MST policies.
This policy applies to all MST Staff’s use of IT Resources. The use of personally-owned equipment that involves the use of IT Resources is also covered by this Policy. This Policy does not affect the rights of MST Staff to their intellectual property stored or transmitted using IT Resources.
Definitions:
| Term | Definition |
|---|---|
| Member | A member is an individual who is either the account holder of an individual membership or an individual included in a family membership. |
| Board | The Board of Directors of the MST. |
| Director | A member of the Board of Directors of the MST. |
| Volunteer | A member of the MST acting on behalf of the MST. Includes members and Directors. |
| Staff | An individual working on behalf of the MST on a volunteer or paid basis. |
| IT Resources | Information technology resources provided by the MST, whether on premises or hosted remotely. IT Resources include but are not limited to: networks, servers, databases, business systems, websites, computers and computer systems, laptops, storage devices, and online collaborative tools including email and social media sites. |
| Electronically-Stored Information | MST members’ personal electronic information that is created and communicated in digital form and which is accessible through IT Resources. |
| Personal Information | According to the Personal Information Protection and Electronic Documents Act in Canada, and for the purposes of this policy, "Personal Information" means information about an identifiable individual (e.g. name, address, email address and telephone number). |
| Shared Account | An account that can be accessed by multiple MST Staff to accomplish a single shared function, such as supporting the functionality of a process, system, device or application. |
References:
- Mission and Values of the MST
- Anti-Harassment Policy
- Code of Conduct Policy
- Membership Policy
- Bylaws: 2.1 - 2.7 (Membership)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Canada's Anti-Spam Legislation (CASL)
Policy:
- Authorized Use
  - MST Staff will:
    - Use IT Resources for which the MST has given express authorization only for intended purpose(s);
    - Take all reasonable steps to avoid compromising the confidentiality, integrity, and availability of IT Resources;
    - Abide by applicable laws and regulations;
    - Abide by applicable MST policies, and;
    - Respect the rights and privacy of other MST Members and those outside of the MST community.
  - MST Staff who fail to comply with this Policy will be subject to one or more of the consequences listed in Section 9.
  - The MST reserves the right to limit or restrict access to IT Resources by MST Staff based on:
    - institutional priorities;
    - financial considerations;
    - one or more violations of this Policy or other MST policies;
    - contractual agreements; or
    - provincial or federal laws.
- Limitations on Personal Use by MST Staff
  - MST Staff are permitted to use IT Resources for occasional and limited personal use, consistent with this Policy.
  - The viewing or distribution of harassing, defamatory, discriminatory, pornographic or hateful material and messages by MST Staff using IT Resources is prohibited.
  - MST Staff should not store or transmit personal information using the MST’s network, equipment, or accounts.
- Use of MST Email
  - MST-provided email accounts must not be considered secure or private.
  - MST Staff will not use their personal, educational or employer email accounts for MST correspondence.
  - MST Staff will not use MST-provided email accounts for personal communication or when subscribing to personal mailing lists.
  - Automatic forwarding of MST email to domains not controlled by the MST is prohibited.
  - Sending email from MST-provided email accounts via mail servers in domains not controlled by the MST is prohibited.
  - Email transmission of Members’ Personal Information to an external email account is prohibited.
  - Email is primarily a transactional communication tool and should not be used as a system of record or for long-term storage of files. When appropriate or necessary, emails and/or email attachments should be transitioned to appropriate MST electronic storage systems.
  - MST Staff will not delete email necessary for business continuity, either during or upon termination of their term of volunteering and/or employment, including but not limited to:
    - legal correspondence;
    - proprietary or confidential information, and;
    - compliance-related correspondence.
- Security and Ownership Rights
  - MST Staff are required to protect confidential information regarding members and affairs of the MST, including but not limited to:
    - identity of or details about members, except as governed by the Privacy Policy;
    - financial information and records;
    - contracts, and;
    - technical information such as databases, login credentials, passwords and software license keys.
  - Login credentials and passwords shall not be shared with any person without the explicit approval of the Board of Directors.
  - It is the duty of the Technical Director to change passwords as necessary, and to disseminate login credentials and passwords in a secure manner to authorized persons.
  - The Technical Director, the President and the Vice-President shall have access to current login credentials and passwords for all MST Shared Accounts and related tools and services at all times.
  - Login credentials and passwords for Shared Accounts (i.e. accounts to which multiple MST Staff require access) may only be changed by the Technical Director, the President, or the Vice-President.
  - If login credentials and/or passwords for a Shared Account are changed, the new login credentials and/or passwords must be immediately stored in the MST’s password escrow in accordance with current procedure.
  - Staff have the right to reset or request a reset of passwords for accounts to which they are the only individual requiring access, including their:
    - email account;
    - document repository account;
    - wiki account;
    - password escrow account, and;
    - Slack account.
  - MST Staff who have deleted files from one IT Resource, such as a computer hard drive, are responsible for managing copies that may continue to exist in or on other IT Resources, such as shared drives. MST Staff are responsible for ensuring file management and disposition of Information Assets in accordance with MST policies and procedures.
  - Information Assets created or received outside of IT Resources, such as on a personal smartphone or computer, must be stored on MST-controlled IT Resources as soon as possible to ensure continuity during a Staff member’s absence.
- Privacy
  - IT Resources are exclusively the property of the MST. The MST respects MST Members’ reasonable privacy expectations but MST Members will not have an expectation of complete privacy when using the MST’s IT Resources.
  - MST Members’ privacy rights may be superseded by the MST’s right to protect:
    - the integrity of its IT Resources;
    - the rights of other MST Members; or
    - the MST’s property.
  - The MST reserves the right to monitor and log usage of its IT Resources.
  - The MST also reserves the right to examine and preserve material stored on or transmitted through its IT Resources at its sole discretion. Examples of situations where the MST may exercise this right include but are not limited to situations where the MST suspects:
    - this Policy has been violated;
    - any other MST policy has been violated;
    - any federal or provincial law has been violated; or
    - examination is necessary to protect the integrity of its resources.
  - The MST will not normally access an MST Member’s Electronically-Stored Information without consent except for certain limited and specific circumstances, including but not limited to:
    - investigations regarding security, illegal activity, or activity that may contravene the MST's policies and procedures;
    - compassionate circumstances, as permitted by law;
    - where necessary to carry out urgent operational requirements during a volunteer's absence when alternative arrangements have not been made; and
    - compliance with law or legal obligations.
  - Authorized MST Staff or service providers under contract with the MST, who operate and support IT Resources, may access Electronically-Stored Information without notice to MST Members in order:
    - to address emergency problems;
    - to perform routine system maintenance; or
    - for any other purpose required to maintain the integrity, security and availability of the IT Resources.
  - In the process of monitoring IT Resources, the MST will:
    - use all reasonable efforts to limit access to MST Members’ Electronically-Stored Information; and
    - not disclose or otherwise use any MST Members’ Electronically-Stored Information that has been accessed, except in accordance with the applicable MST policies, procedures and guidelines, and as permitted or required by law.
  - If the MST is required to disclose an MST Member’s Electronically-Stored Information in accordance with the law, such disclosure will be reviewed and approved by the Board of Directors prior to the release of the Electronically-Stored Information.
- Specific Violations
  - Unauthorized Use. Violations of Section 1.1.a include, but are not limited to:
    - using IT Resources without specific authorization where specific authorization is required;
    - using another person’s electronic identity, password or log-in credentials for IT Resources;
    - accessing files, data or processes without authorization;
    - using IT Resources to hide a person’s actual identity;
    - using IT Resources to interfere with other systems or persons;
    - using IT Resources to harass or stalk another person or entity;
    - sending threats, “hoax” messages, chain letters, or phishing;
    - intercepting, monitoring, or retrieving any network communication without authorization; or
    - circumventing or attempting to circumvent security mechanisms.
  - Breach of Confidentiality, Integrity and Availability of IT Resources. Violations of Section 1.1.b include, but are not limited to:
    - obtaining or using someone else’s password or other authentication credentials for IT Resources;
    - disclosing a personal password or other authentication credentials for IT Resources;
    - permitting other MST Staff to access or use their account(s) provided by the MST;
    - propagating computer viruses, worms, Trojan Horses, malware or any other malicious code;
    - preventing others from accessing an authorized service;
    - spreading material that supports bulk mail, junk mail, or spamming;
    - degrading or attempting to degrade performance or deny service; or
    - corrupting, altering, destroying, or misusing data or information.
  - Unlawful Use. Violations of Section 1.1.c include, but are not limited to, using or attempting to use IT Resources to:
    - pirate software;
    - access material that is illegal, or that advocates or facilitates illegal acts;
    - download, install, use, stream, or distribute unlawfully or illegally obtained media (e.g., software, music, movies);
    - override, remove or pause any security software installed on IT Resources by the MST or at its direction;
    - access technology that is considered a controlled good under federal law on an unencrypted connection;
    - commit criminal harassment, hate crimes, or libel and defamation;
    - commit theft or fraud; or
    - violate child pornography criminal laws.
  - Breach of MST policies. Violations of Section 1.1.d include, but are not limited to, using or attempting to use IT Resources to:
    - engage in discrimination and harassment, including making threats, stalking, or distributing malicious material; or
    - direct others to breach any provision of this policy.
  - Breach of Privacy. Violations of Section 1.1.e include, but are not limited to:
    - accessing, attempting to access, or copying another person’s Electronically-Stored Information without authorization; or
    - divulging sensitive personal data to which certain MST Staff have access concerning Members and/or Staff without a valid and lawful administrative reason.
- Reporting
  - MST Staff are responsible for guarding against misuse or abuse of IT Resources.
  - MST Staff will promptly report any known or suspected misuse of IT Resources or violation of this Policy to the Technical Director.
- Investigation
  - Reports of conduct by MST Staff in contravention of this Policy will be addressed by the following means:
    - Harassment, violence or discrimination will be investigated under the Anti-Harassment Policy.
    - Other violations can be addressed under the Code of Conduct Policy.
  - Reports of conduct by MST Staff in contravention of this Policy not addressed by another policy will be addressed by the Board of Directors.
- Consequences
  - Members who violate this Policy or any other MST policy may be subject to disciplinary action up to and including, but not limited to:
    - suspension of access to some or all IT Resources;
    - termination of membership in accordance with the Membership Policy and Bylaws; and
    - legal action.
- Relevant Legislation
  - Canada’s Anti-Spam Legislation (CASL)
  - Personal Information Protection and Electronic Documents Act (PIPEDA)