FAQs: Visitor Access to IT Systems, Data, and Restricted Facilities Policy and Procedures
What is the Visitor Access to IT Systems, Data and Restricted Facilities Policy and why is it needed?
The Visitor's Access Policy governs how visitors are granted access to University IT systems, internal, sensitive or restricted data, and restricted facilities. The policy is aligned to the New Zealand Government protective security guidance for managing inward visits and supports the University’s research security processes addressing espionage, interference and export controls. The policy also supports compliance with other legal obligations, including health and safety obligations, by ensuring that risks associated with visitors are carefully assessed and mitigated to the extent reasonably practicable.
Who does this policy apply to?
The policy applies to all visitors, including student visitors and visiting student researchers, or non-university members, who require access to the University’s sensitive data, systems, or restricted facilities. This includes visitors to digital systems or data, even if they do not physically visit University property.
Casual visitors, such as conference or event attendees, are not subject to this policy unless they require access beyond public facilities or publicly available information. The University Data classification standard provides more information on when data can or cannot be shared publicly.
This policy does not apply to honorary and adjunct staff, contractors and subcontractors, consultants, co-locators, tenants, landlords and landlord’s agents. The process these University members go through is managed by their line manager, co-location host or tenancy host.
What is the Sponsored Visitor Registration Form?
The Sponsored Visitor Registration Form will be a new form that populates a visitor database. In addition to recording basic information about the visitor and sponsor, this form will record the purpose of the visit, assist the approval authority with identifying risks associated with a prospective visitor, and help identify policies, procedures, controls, and building-specific processes relevant to the activities to be undertaken by the sponsored visitor. Guidance in this form will also help the approval authority understand when a request should be escalated to the Risk Office or Research Risk & Compliance Office for specialist advice.
What is the difference between low, medium and high-risk visits?
The policy applies the same criteria as the University’s technology risk assessment for international travel requirements when classifying visits as low, medium or high-risk.
Visitors from countries subject to New Zealand or United Nations sanctions are considered high-risk for all types of data that the visitors may have access to.
Visitors from European Union (EU), Organisation for Economic Co-operation and Development (OECD) and Pacific Island countries are considered medium-risk for restricted data and low-risk for internal and sensitive data.
Visitors from all other countries are considered high-risk for restricted data and medium-risk for internal and sensitive data.
What is the significance of a visit being classified as medium risk or high risk?
Approval authorities considering medium-risk and high-risk visits should obtain specialist advice from the University Risk Office, which may in turn refer the matter to the University’s Research Risk and Compliance Manager or New Zealand Government agencies for further specialist advice.
How do I sponsor a visitor to have access to IT Systems, Data, and Restricted Facilities?
As a sponsor, you must:
- Be a University staff member.
- Obtain written approval from a Level 3 manager or above, such as an academic head, DFO or their delegate.
- Ask your visitor to create a University Identity.
- Complete the Sponsored Visitor Approval and Registration Form, and arrange for completion of the IT Service Access for Contractors, Visitors & External Collaborators form on behalf of your visitor.
- If your visitor requires access to restricted facilities, follow the processes set by the space manager for the specific facility, and make sure your visitor completes any necessary induction, training and/or access requirements for the facility.
- Ensure your visitor understands and complies with University policies and completes any required training.
- Oversee your visitor during their stay and de-provision their access once the visit concludes.
When should I decline to sponsor or approve a visitor?
Although we are an open University and embrace collaboration, providing unsupervised access to restricted facilities, IT systems, and internal, sensitive or restricted data should be carefully considered.
If someone you don’t know or don’t have a reason to collaborate with reaches out to ask that you share sensitive data or access to a restricted facility, you should decline their request.
If you are asked to sponsor or approve a visitor who may present any health & safety, security, privacy, reputational or financial risk that falls outside the University’s risk appetite, you should consider declining the request, or reach out to relevant parties or committees to discuss the request.
Te Kāwanatanga o Aotearoa | New Zealand Government offers additional guidance on managing inward visits.