Recommendations. That the Cabinet approve the withdrawal of the existing policy and its replacement with the revised document.

Transcription

1 Report to: Cabinet Date: 14 th October Report: of Head of Corporate Personnel Services Report Title: USE of INTERNET POLICY Summary of Report. The use of the Internet is growing rapidly. Over the next few years it will be used by increasingly larger numbers of employees for the management and delivery of services and for communicating with the public. This Policy recognises the requirement to gain the maximum benefits from new technology whilst maintaining security, legality, avoiding abuse and protecting the good name of the Authority. The purpose of the Policy is to highlight the procedures to be adopted when using the Internet. It applies to all employees and elected members carrying out work on behalf of the Council and/or using Council owned equipment and facilities. Consultation on the revised Policy has taken place with the trade unions, Corporate Directors and Heads of Service. Specialist input was also received from the Legal, I.T and Audit Departments. It was also considered and received the support of CMT on 14 TH September Recommendations. That the Cabinet approve the withdrawal of the existing policy and its replacement with the revised document. Background Papers. Environmental Statement. Community Safety Implications Personnel Implications. Financial Implications. Human Rights Act. 1) I.T. Strategy Document 2) Disciplinary Policy. 3) Data Protection Act ) Data Protection Code on Monitoring at Work (Part 3) 5) The Regulation of Investigatory Powers Act 2000 (R.I.P.A.). 6) Personnel Today One Stop Guide: Employee Monitoring. 7) Internet Policy. This Report does not contravene the Council s Agenda 21 policies. None. As described in the Policy. None. This report and the attached Policy have been audited for potential breaches of Articles in the European Convention on Human Rights. Any breach or breaches are included in the report itself or in the Policy. conwy/pmd/internet/cab Page 1 07/10/2004

2 abcde INTERNET POLICY Corporate Personnel Services 3rd Draft July 2004

3 USE OF INTERNET POLICY INDEX 1. Policy Statement 2. The purpose of the Policy 3. Applicability 4. Connection and access to the Internet 5. Publication on the Internet 6. Use of the Internet 7. Misuse of the Internet 8. Monitoring 9. Virus Protection and Downloading 10. Security 11. The Human Rights Act 12. Good Practice Guide 13. Review 2

4 1. POLICY STATEMENT 1.1 The use of the Internet is growing rapidly. Over the next few years it will be used by increasingly large numbers of employees for the management and delivery of services and for communicating with the public and third parties. As such, the Authority is keeping pace with these developments so that employees and the Authority can fully exploit these facilities. 1.2 This policy applies to the use of the Internet only. 2. THE PURPOSE OF THE POLICY 2.1 This policy recognises the requirement to gain the maximum benefits from new technology whilst maintaining security, legality, avoiding abuse and protecting the good name of the Authority. 2.2 The purpose of this policy is to highlight the procedures to be adopted when using the Internet. 3. APPLICABILITY 3.1 This policy applies to all employees (for the purpose of this policy employees includes agency workers) and elected members carrying out work on behalf of the Council and/or using Council owned equipment and facilities. Whether working from the office, home or any other remote site from which the Council conducts its business and operation. 4. PUBLICATION ON THE INTERNET 4.1 The Council s Web-sites Policy includes the following statements; Conwy County Borough Council is committed to the core strategic role of the websites as channels of communication both externally and internally. In order to achieve this, the websites should be fully owned by the whole Council at all levels and across all services. The Authority seeks to establish and maintain the websites as a reliable repository for information, to be exploited both as a communications channel and a means of delivering services 5. CONNECTION AND ACCESS TO THE INTERNET 5.1 The ability to connect to the Internet must be authorised by the appropriate Director, Head of Service, or nominated person, who will provide details of employees within their department who can use the facility. He /she must also sign the enrolment form for submission to the IT section. 3

5 5.2 A standard level of access will be granted. If a differing level is required the Director or Head of Service must liaise with the IT and Audit sections. 5.3 Each employee or member granted access to the Internet must be issued with a copy of this policy and provide acknowledgement that it has been received by signing the enrolment form. 5.4 The Internet connection will normally be via the Authority s corporate network, with its firewall facility to ensure that maximum control and protection are achieved. Access to the internet via independent ISPs is prohibited unless approved by the Departmental Head of Service and the IT Department, for example, a presentation or meeting in the course of work outside Council premises at which an ISP will be used with permission. 5.5 All users will be provided with their own user identification with a system of password control used to access the system. 5.6 When given access to the Internet the individual is responsible for the security of their own workstation and Internet facility. Personal passwords should be kept confidential and not be shared. Users should not use any remember password type features. 6. USE OF THE INTERNET 6.1 Use of the Internet is for business purposes, however personal use is permitted but must be outside of core working hours as follows : Between the hours of am Between the hours of pm Between the hours of pm No personal use of the Internet should therefore take place during core working hours. Accessing the Internet for non-work related purposes must be done in the employee s own time. For example, if an individual arrives at work at am and accesses the Internet for non-work related purposes for thirty minutes, the time recorded as commencing work should be am. The only exception is for designated public access points in libraries and certain offices. 6.2 Allowing personal use represents a change in the policy previously adopted by the Authority. This will be on a trial basis for six months from the launch date of this policy. 6.3 Departmental Managers are to supervise the use of the Internet, regularly reviewing the need for users to have access and / or which other officers require access. Access should be revoked when people leave the Authority via the completion of a system access withdrawal form. 4

6 7. MISUSE OF THE INTERNET 7.1 Misuse of the Internet and any associated Information Technology includes - Creating, sending, encouraging the receipt of, printing or downloading material which can be construed to be derogatory, defamatory, obscene or pornographic, offensive, or anything that may be construed as harassment or disparagement based on race, colour, national origin, sex, sexual orientation, age, disability, or religious or political beliefs. Unauthorised access of the Authority s IT facilities. Expressing personal views which could be misinterpreted as those of the Authority. Committing the Authority to purchasing or acquiring goods of services without proper authorisation. Disclosing confidential information via Internet mechanisms such as and news groups. Sending or participating in chain letters, pyramid schemes or illegal schemes, or to solicit others for commercial purposes, causes, outside organisations, chain messages, or other non job-related purposes. Encrypting files or taking any steps that block access to files, other than the use of Authority passwords or approved programmes; without the permission of the IT Department. Installing software on a computer in an attempt to erase records of Internet activity. Downloading software applications without prior approval of the IT department. 7.2 This is not an exhaustive list but is an indication of the types of conduct that could result in the Internet facility being withdrawn and the implementation of the Disciplinary procedure where necessary. If illegal material is involved, or the law is broken, this could also lead to criminal or civil action. 7.3 The Disciplinary Policy makes explicit reference as follows : Misconduct Section 2.5 ( C ) Improper use of working hours, Council equipment or facilities Gross Misconduct Section 3.23 ( 1 ) Accessing inappropriate material from the Internet for personal use (includes transmission of material to others and encouraging/failing to discourage the transmission of material to the employee from others) 7.4 It is possible to access offensive or inappropriate material on the Internet accidentally. Anyone doing so should inform his/her Line Manager immediately. 5

7 Accidental access will obviously not invoke the disciplinary procedure; but failure to report it may do so. 7.5 In order to improve reporting procedures, an e mail address itsecurityincidents@conwy.gov.uk has been set-up for staff to record details of a suspected or actual IT security incident and send it directly to internal audit and IT management for information/investigation. 8. MONITORING 8.1 Use of the Internet will be monitored by the Authority in any way it sees fit including real time or other regular monitoring of activity to include web-pages accessed or attempted to access, words searched for, files downloaded, graphic images viewed. No individual should expect privacy when using the Internet. In addition the Authority may restrict access to certain sites that it deems are not necessary for business purposes, by means of filtering software. 8.2 If users are regularly getting challenged when seeking to access a web-site for business related purposes then they should contact the IT Department to address the issue. 9. VIRUS PROTECTION AND DOWNLOADING 9.1 Software must not be downloaded from the Internet unless a prior agreement has been reached with the IT department. This could introduce a computer virus on to the Authority s network or be incompatible with the current PC set up and impact on other IT applications. Downloading software could also be introducing incompliance with software licensing rules. 9.2 The unauthorised downloading of software will lead to the implementation of the Disciplinary procedure where necessary. Explicit reference is made in the policy as follows : Misconduct, Section 2.6 Introducing software into the computer system which is not required for the purpose of the Authority s business. Gross Misconduct, Section 3.23 (3) Section 3.23 (4) Using unauthorised, pirated software Wilfully and knowingly introducing a virus into the system, or failure to conduct a virus check on software originating outside the Authority before introducing to the Authority s system. 6

8 9.3 Computer viruses can be transferred by files and attachments, thus threatening the security of the Council s networks. Consequently, files must not be downloaded or accepted from sources or sites which are not well-established and known to the Authority i.e a trusted source. 9.4 All software purchased must be made via the IT department. Anyone wishing to acquire software must be aware of the differences between : copyright software, which requires payment for a licence to use it; freeware, which is licensed and requires no payment; shareware, which is copyrighted but often free for a trial period; and public domain software, which is free. 9.5 The downloading and disseminating of copyright material that is available on the Internet is an infringement of copyright law. Likewise, the posting of copyright material from any Internet source to the Authority s network is an infringement of copyright law. Permission to copy the material must be obtained from the owner, publisher, or any other person entitled by the owner to give such permission. This applies to publications in digital and electronic form in the same way as it does to books and other forms of publication. 9.6 The downloading of files and documents is permissible, for example,.pdf or MS Office format files, provided the content of such files and documents is appropriate. 10. SECURITY 10.1 When given access to the Internet the individual is responsible for the security of their own workstation and Internet facility. Personal passwords should not be shared, but should be kept confidential and changed regularly. When leaving the workstation unattended or on leaving the office, individuals should ensure that they log off the system to prevent unauthorised use in their absence. There are mechanisms in place to temporarily secure the PC for this purpose Employees and members will be accountable for all activities undertaken under their password. Unauthorised use of a password will be dealt with within the framework of the Authority s Disciplinary Procedure Anyone receiving offensive or suspicious material which may be a threat to the security of the Council s network and / or data must report the matter to their Line Manager immediately. The purpose is not to apportion blame but for the Line Manager, with the assistance of the IT department, to investigate and take appropriate action so as to reduce risk. 11 THE HUMAN RIGHTS ACT This policy does not contravene the Human Rights Act. 7

9 12. GOOD PRACTICE GUIDE 12.1 The following bullet points indicate several areas of good practice which should be adopted across the Authority as a general guide : Use the Internet for non-work related purposes in own time. Use only GOOGLE search engine on the Internet to prevent unnecessary advertising being accessed ( Never connect to the Internet directly by using independent Internet service providers such as Freeserve, Demon, AOL etc. Do not unnecessarily give details of your account on the Internet.. Do not express personal views on the Internet that could be misinterpreted as those of the Authority. When a personal opinion is being voiced a disclaimer should be used. Do check that the information you access is accurate and current. Report any offensive or suspicious material that may be a threat to the Council s security to your Line Manager immediately Individuals who feel that they may benefit from further training on using the Internet should first contact their Line Manager and then the Corporate Training and Development Officer in Corporate Personnel Services at Bodlondeb. 13. REVIEW 13.1 This policy will be reviewed jointly with the Trade Unions three years after its implementation, or earlier if monitoring indicates that amendments are required and / or there are changes in legislation which impact upon its contents. 8