Acceptable Use Policy

Transcription

1 Acceptable Use Policy Document Owner : SCC Chief Information Officer Version : 3.2 Date : May 2011 We will on request produce this policy/procedure, or particular parts of it, in other languages and formats, in order that everyone can use and comment upon its content. Copyright 2011 Customer Service Direct - a partnership between BT, Suffolk County Council and Mid Suffolk District Council. Registered in England No Registered Office: 81 Newgate Street, London, EC1A 7AJ

2 Table of Contents 1 INTRODUCTION PURPOSE OBJECTIVES SCOPE LINKED/OTHER USEFUL POLICIES/PROCEDURES RESPONSIBILITIES SUFFOLK COUNTY COUNCIL CSD POLICY & COMPLIANCE TEAM MANAGERS USERS ETIQUETTE LEGAL LIABILITY & COMPUTER MISUSE INFORMATION SECURITY, VIRUSES, SPAM & MONITORING PERSONAL USE OF RECORDS MANAGEMENT AUTOMATIC FORWARDING OUT-OF-OFFICE MESSAGES ACCESSING MAILBOXES OF USERS MANAGING PERSONNEL CHANGES MANAGING COUNCILLOR CHANGES TEAM MAILBOXES PUBLIC FOLDERS GOVERNMENT CONNECT SECURE EXTRANET (GCSX) MAILBOXES SIGNATURES FOR & DISCLAIMERS SUFFOLK COUNTY COUNCIL EMPLOYEES SUFFOLK COUNTY COUNCILLORS EMPLOYEES WORKING FOR CUSTOMER SERVICE DIRECT (CSD) EMPLOYEES OF SUFFOLK COUNTY COUNCIL WORKING FOR OR ON BEHALF OF OTHER ORGANISATIONS (E.G. JOINT EMERGENCY PLANNING UNIT) FURTHER ADVICE GOVERNANCE DOCUMENT CONTROL Printed on: 12/05/2011 Page 2 of 28

3 1 INTRODUCTION 1.1 Purpose The purpose of this policy it to describe the etiquette and standards that users are expected to observe when using facilities provided by Suffolk County Council (SCC) and ensure that users are aware of the consequences of inappropriate use. 1.2 Objectives The primary objectives of this policy are: To set the expectations for etiquette and establish management standards; To help comply with the legal requirements for management and protect SCC, Councillors, employees and our partner organisations against litigation; To support the delivery of more efficient and effective front-facing services by providing timely access to full and accurate records; To minimise information storage and administration costs by ensuring the timely and secure disposal of expired s; To support the SCC Acceptable Use of ICT Policy. 1.3 Scope This policy applies to the use of ICT facilities to send, receive and manage messages (and attachments) and is applicable to SCC Councillors, the employees of SCC, any partners, voluntary groups, third parties and agents who SCC employees have authorised to access ICT facilities and staff seconded to, or working for, Customer Service Direct (CSD), including contractors and vendors with access to ICT systems. For the purposes of this Policy all these individuals are referred to as user or users. 1.4 Linked/Other useful policies/procedures This policy should be read in conjunction with the: SCC Acceptable Use of ICT Policy; SCC Password Management Policy; SCC ICT Remote Working Policy; SCC Software Policy; SCC Removable Media Policy; SCC Information Security Incident Management Policy; SCC Information Security Policy; SCC Protective Marking Policy. Printed on: 12/05/2011 Page 3 of 28

4 2 RESPONSIBILITIES 2.1 Suffolk County Council Training - SCC will train users in the appropriate use and management of . Training for Councillors will be provided as part of the Councillors Learning and Development Programme. 2.2 CSD Policy & Compliance Team Implementation and Monitoring of Policy - The CSD Policy & Compliance Team has been tasked to implement this policy and monitor its effectiveness. 2.3 Managers Induction, Training and Support - Managers are responsible for ensuring that adequate induction and training is undertaken by staff and that support is provided to them so as to implement this policy. The Monitoring Officer is responsible for ensuring that adequate induction and training is undertaken by Councillors and that support is provided to them so as to implement this policy User Access - Managers are responsible for ensuring the users they have approved and authorised to access Council Networks, ICT facilities and equipment are aware of and comply with this policy. 2.4 Users For Councillors, approvals and authorisations will be provided by the Head of Scrutiny and Monitoring Training - All users should attend the relevant training course. Outlook training is also available via the corporate training programme. Training for Councillors will be provided as part of the Councillors Learning and Development Programme Breach of this Policy - Users found to be in breach of this policy may be disciplined in accordance with the SCC Conduct and Capability Policy and the SCC Harassment & Bullying Policy. In certain circumstances, breach of this policy may be considered gross misconduct resulting in dismissal. Printed on: 12/05/2011 Page 4 of 28

5 Councillors found to be in breach of this policy may be deemed to be a breach of the Members Code of Conduct leading to action by the Standards Committee Breach of Information Security - Users must report all suspected breaches of information security to the CSD Policy & Compliance Team via the CSD IT Helpdesk using the Information Security Incident report form on COLIN User Accounts Users will be allocated one business account only except where they work for more than one organisation (see 2.4.5). In addition there may be business cases where, due to data security issues, an additional account is required. Assistant Directors and/or Strategic Information Agents must formally approve each business case. For Councillors, approvals and authorisations will be provided by the Head of Scrutiny and Monitoring. The CSD Policy & Compliance Team must be made aware of any such approvals via ICT Self Service. The CSD Policy & Compliance Team will provide final approval where appropriate Users Working For More Than One Organisation Where a user works for more than one organisation (e.g. SCC and CSD) they may be provided with a separate mail account for each organisation. The CSD Policy & Compliance Team will provide final approval where appropriate Users Moving from One Organisation to Another Where a user moves from one organisation to another (e.g. SCC to CSD) they will be provided with a new mail account for the new organisation. (see 2.13 Managing Personnel Changes) Users Moving from One Directorate or Department to Another If a user moves from one directorate or department to another within the same organisation then they may be provided with a new mail account dependent on the information security risk of keeping the original mail account. The CSD Policy & Compliance Team will provide final approval where appropriate. (see 2.13 Managing Personnel Changes) 2.5 Etiquette Alternatives to - Do not use as the only method of communication. A face-to-face meeting or telephone conversation may be more suitable for sensitive or complex issues Numbers of s - People feel overwhelmed by the number of s they receive. Keep the use of to a minimum Plain English - Maintain a concise, professional standard of communication using plain English. Printed on: 12/05/2011 Page 5 of 28

6 2.5.4 Standard Font, Size and Colour - If using formats other than plain text, users must select as standard the font Arial, size 12, colour black, using capitals and lowercase as normal. (Note: the standard size can be increased from 12 where visual clarity is required). The CSD IT Helpdesk can assist users in changing their settings Spell Check - applications should be set up to automatically spell check before sending . The CSD IT Helpdesk can assist users in changing their settings Single Topic and Facts - Restrict to a single topic, and only record facts and evidence-based opinions. This facilitates better corporate record-keeping Personal and Business Content - Do not mix personal and business content within the same Distribution - Only distribute s to colleagues who need to receive the message. Where feasible, make it clear what you are expecting recipients to do, and to what timescale e.g. For Information or For Action by dd/mm/yyyy. Users do not always need to Cc colleagues or Reply to all Blind Copies (bcc) - In the interests of transparency and accountability, Blind copies (bcc) must not be used. The only exception is when sending mail to a large distribution list and it is appropriate to hide the individual addresses to protect privacy Title - Give s a meaningful title in the Subject field and include the appropriate Protective Marking Level (see SCC Protective Marking Policy). Re-title an before forwarding if appropriate s to All Staff - Do not attempt to send an message to all members of the organisation the Internal Communications team will do this if appropriate Response - Reply to s as soon as possible if the sender requires a response. Do not assume that a sent message has been read Read Receipts - Only request read receipts where it is absolutely necessary. Do not set request read receipts as a default. 1 Check with the Internal Communications team to see if is the best method of getting your message across. Consider the following points: What is the intended result of the communication exercise? What needs to be communicated? Have you used plain English? Who does it need to be communicated to? When does it need to be communicated? Who needs to communicate it? Have you included details of the sender, their role & contact information in the footer? Have you included the phrase Please do not hit Reply to respond to this , contact the individual named above? Printed on: 12/05/2011 Page 6 of 28

7 Large s - Do not send large s (e.g. mails with large attachments) because they fill up their recipients mailbox (see Records Management) Outlook Calendars - Users must keep their outlook calendar up to date and ensure that it is accessible on a read-only basis to other users in their organisation, amending the access permissions as appropriate. The CSD IT Helpdesk can assist users in changing their settings, and in hiding from general view any private appointments. In order to appropriately separate the diary activities of Councillors and staff, the default will be that the outlook calendars of Councillors and staff will not be open to each group. 2.6 Legal Liability & Computer Misuse Formal Business Wording - Give s the same level of attention as drafting a formal letter. s could commit SCC to an agreement with suppliers and other third parties or provide evidence of harassment, defamation, libel and discrimination if worded incorrectly Personal or Non-Work Accounts - Users must not use a personal or nonwork account to send or receive business s Users must not: use a false identity in s nor use for the creation or transmission of anonymous messages; create s, or alter a message and then forward it, with the intention of deceiving the recipient; create, transmit, or forward any illegal, offensive, obscene or indecent images, data, or other material, or any data capable of being resolved into obscene or indecent images; create, transmit, or forward material that is designed or likely to cause annoyance, inconvenience or needless anxiety; create, transmit, or forward material that is designed to or would conflict with the business, or undermine the business in any way; create, transmit, or forward s containing customers personal information, or information that is commercially sensitive, to a personal or non-work account or to a work account where the user does not require it for a legitimate business use Sensitive Personal Data - Do not include sensitive personal data within s. For more information on Data Protection please contact the Information Management Services Helpdesk, or see Managing Information on COLIN. Sensitive personal data is defined as: Racial or ethnic origin; Political Opinions; Printed on: 12/05/2011 Page 7 of 28

8 Religious Beliefs (or other beliefs of a similar nature); Membership of a trade union; Physical or mental health condition; Sexual life; Criminal convictions / alleged offences In addition to the sensitive personal data listed above, as specified by the Data Protection Act, staff should be mindful of all of the characteristics protected under the Equality Act 2010 (age, disability, gender, gender reassignment, marriage and civil partnerships, pregnancy and maternity, race, religion or belief and sexual orientation). Staff should only make reference to these characteristics in s where it is necessary and relevant to do so, and should mark such s PROTECT Payment Card Data - You must not include or request Credit or Debit card numbers within s. If you receive an containing a Credit or Debit card number you must delete it immediately. Credit or Debit card numbers include the long card/account number (PAN), the Card Security Code (CSC number printed on reverse of card) and the PIN number. If you process Credit or Debit card payments in the course of your work, you must do this in accordance with the Payment Card Industry Data Security Standard (PCI DSS) and any job-specific guidance on handling payment card data. Your line manager can provide you with job-specific guidance on handling payment card data. 2.7 Information Security, Viruses, Spam & Monitoring Temporarily Away From Desk - Users must log out from or lock their PC when temporarily away from their desk to prevent unauthorised use of accounts. This applies wherever the user is located at the time of use (e.g. home or office) PROTECT, RESTRICTED or CONFIDENTIAL Information - Do not send PROTECT, RESTRICTED or CONFIDENTIAL information by unencrypted , particularly to an external recipient if accidental disclosure could lead to significant harm or embarrassment. Where possible do not use data that makes it easy to identify individuals e.g. Use initials instead of names. Please refer to COLIN for details of how to send encrypted . For further advice on when encrypted should be used please contact Information Management Services. Please refer to the Acceptable Use of ICT Policy for Third Party Access to Data Encrypting - The transmission of sensitive, RESTRICTED, or CONFIDENTIAL information should be limited to exceptional circumstances. In these exceptional circumstances the encryption service must be used. The encryption service should not be used for the routine exchange of information. Please refer to COLIN for details of how to send encrypted . For further advice on when encrypted should be used please contact the Information Compliance Helpdesk. Printed on: 12/05/2011 Page 8 of 28

9 2.7.4 Protective Marking Categorisation of Messages When creating an , the information contained within it must be assessed and classified by the owner according to the content. All s should be protectively marked in accordance with the SCC Protective Marking Policy. The marking classification will determine how the , and the information contained within it, should be protected and who should be allowed to access it. How it is handled, published, moved and stored will also be dependant on this scheme. The owner should add the classification of the in CAPITALS to the start of the subject line of the e.g. PROTECT: Normal Title of , or RESTRICTED: Normal Title of . may be used but this is not an absolute requirement (see also SCC Protective Marking Policy) Suspicious Activity - Do not open any from an unrecognised source or s that have dubious or missing subject lines. Do not open unsolicited attachments unless sure of the source. Disable the preview pane within Outlook to minimise the risk of opening an infected . Report any suspicious activity to the CSD Policy & Compliance Team via the CSD IT Helpdesk immediately Unwanted s - Report all problems with unwanted s, including any received that are defined in paragraphs and 2.6.4, to the CSD Policy & Compliance Team via the CSD IT Helpdesk immediately. Do not forward these to any other person unless requested by the CSD IT Helpdesk or the CSD Policy & Compliance Team. Never send or forward chain messages or virus warnings. The vast majority are bogus and they waste user s time and network bandwidth Personal Messages - Do not forward s containing anyone s personal messages without their permission Copyright - Do not forward material via in breach of copyright Inspection of Records - Users must comply with a request from a manager to inspect records and/or to printout items relevant to a particular individual, case or subject. This will only be requested when required under the Data Protection Act, under a Freedom of Information request, as allowed for in the Sections Monitoring and Accessing Mailboxes of Users of this policy or for other legitimate business reasons. Deletion of relevant s following such a request may be a criminal offence. For Councillors, requests will be made by the Head of Scrutiny and Monitoring will be checked if: There is reasonable cause to believe the user has violated or is violating this policy, any guidelines or procedures established to implement this policy; An account appears to be engaged in unusual or unusually excessive activity; Printed on: 12/05/2011 Page 9 of 28

10 It is necessary to do so to protect the integrity, security, or functionality of ICT resources or to protect SCC or its partners from liability; Establishing the existence of facts relevant to the business; Ascertaining or demonstrating standards which ought to be achieved by those using the facilities; Preventing or detecting crime; Investigating or detecting unauthorised use of facilities; Ensuring effective operation of facilities; Determining if communications are relevant to the business (for example, in the last resort where an employee is off sick or on holiday and business continuity is threatened); It is otherwise permitted or required by law Monitoring - Any necessary monitoring will be carried out in accordance with the Information Commissioner s Office (ICO) Code of Best Practice on Monitoring Employees Violation of this Policy - Where an individual has reasonable cause to believe that another user has violated, or is violating this policy, or any guidelines, or procedures established to implement this policy then they shall in the first instance inform a Senior Manager who may refer the matter to the HR Professional Services Team (via the HR Helpdesk) for investigation under the SCC Conduct and Capability Policy see If the HR Professional Services Team advise the Senior Manager that use needs to be checked in accordance with then the Senior Manager should refer this to the CSD Policy & Compliance Team directly or via the CSD IT Helpdesk. In these circumstances the checks may necessitate the immediate suspension of the user s access to relevant Council Networks, ICT facilities and equipment, ICT systems and applications in order that any potential evidence is not compromised. Where an individual has reasonable cause to believe that a Councillor has violated, or is violating this policy, or any guidelines, or procedures established to implement this policy then they shall in the first instance inform a Senior Manager who should refer the matter on to the Head of Scrutiny and Monitoring for investigation. If the Head of Scrutiny and Monitoring advises that use needs to be checked in accordance with then they should refer this to the CSD Policy & Compliance Team. In these circumstances the checks may necessitate the immediate suspension of the Councillor s access to relevant Council Networks, ICT facilities and equipment, ICT systems and applications in order that any potential evidence is not compromised User Access Suspension - If the HR Professional Services Team advise the Senior Manager that the user s access to Council Networks, ICT facilities and equipment, ICT systems and applications needs to be suspended in order that use can be checked in accordance with then the Senior Manager should refer this to the CSD Policy & Compliance Team directly or via the CSD IT Helpdesk. Printed on: 12/05/2011 Page 10 of 28

11 Councillor User Access Suspension If the Head of Scrutiny and Monitoring advises that the Councillor s access to Council Networks, ICT facilities and equipment, ICT systems and applications needs to be suspended in order that use can be checked in accordance with then they should refer this to the CSD Policy & Compliance Team Automatic Monitoring - SCC will apply automatic message monitoring, filtering and rejection systems as appropriate and deny transmission or receipt of messages with content that represents a threat to the ICT network or is unacceptable in the terms of this and other corporate policies. An ICT administrator may examine messages placed in quarantine, and forward or delete them as appropriate. 2.8 Personal Use of Personal Use - Limited personal use by Councillor s, or in an employee s own time at work is permitted, but this must comply with the Acceptable Use of ICT Policy Multimedia Attachments - Do not use corporate systems to send or receive multimedia attachments that are not related to work e.g. containing images, video or sound clips Users must not use the corporate systems to send: personal adverts; personal sponsorship requests; personal appeals; or details of events that are not corporately supported Title Mail as Personal - Clearly title personal and folders as personal to reduce the risk of administrators inadvertently viewing private, non-work . Delete personal mail from SCC systems as soon as possible Personal and Business Content - Do not mix personal and business content within the same Registering with any Organisation or Web-Site - Do not use your work account as the registration mail address when registering with any organisation or web-site for personal use Management of Personal s - Personal s should be managed as if they are non-records (see 2.9.7). Printed on: 12/05/2011 Page 11 of 28

12 2.9 Records Management Size of Mailbox - Users are responsible for keeping control of the size of their mailbox by managing their s and all folders (including their inbox, sent and deleted items). Users must operate within a mailbox limit of 100 megabytes (MB). 2 There may be business cases where, for operational reasons, this limit needs to be exceeded. Assistant Directors and/or Strategic Information Agents must formally approve each business case and keep to a minimum any operational exceptions. For Councillors, approvals and authorisations will be provided by the Head of Scrutiny and Monitoring. The CSD Policy & Compliance Team must be made aware of any such approvals using the Request for a Mailbox Size Increase. The CSD Policy & Compliance Team will provide final approval where appropriate Records - records must be saved in accordance with the SCC Freedom of Information & Records Management Policy, either as a hardcopy printout or as electronic.msg file on a shared file-server alongside related business documents and spreadsheets. records should be saved for business needs only, not for defensive filing purposes. For more information on records, nonrecords and managing them see the Essential Guidance to Managing Electronic Records on COLIN, or contact the Information Compliance Helpdesk for further details Outlook Personal Folders (PST Files) - records must not be stored within Outlook personal folders (or PST files), as these are generally inaccessible to other people. Do not use the Outlook Auto-archiving function to manage records. Users who currently use personal folders (or PST files) for records must migrate the s contained within to a shared file system and delete all folders. In exceptional circumstances additional storage or archiving functionality can be purchased where there is a clear business need. If however, following determination that there is not a clear business need and that the personal folders are not migrated following a request to do so, then ICT will remove any folders that are not deleted. Assistant Directors and/or Strategic Information Agents must formally approve each business case for additional storage or archiving functionality and keep to a minimum any operational exceptions. The CSD Policy & Compliance Team must be made aware of any such approvals via ICT Self Service. The CSD Policy & Compliance Team will provide final approval where appropriate. 2 You can find out how big your mailbox is by right-hand clicking Outlook Today Mailbox Your name and selecting Properties for Mailbox Your Name. Select Folder Size and note the Total Size (Fld+SubFld). The number is in kilobytes. Divide by a 1000 to gain an approximation of the number of megabytes e.g K = 75 MB. Printed on: 12/05/2011 Page 12 of 28

13 2.9.4 Service Area Saving Conventions - Conventions should be established within each service area to determine who saves what and when to reduce duplication e.g. the author of an internal mail and the primary recipient of an external mail has the responsibility to file it Records Retention - records must be kept for an appropriate period according to their content. Information Agents or the Information Compliance Helpdesk can help in applying the Corporate Records Retention Guidelines Non-Records business non-records must not be stored within Outlook personal folders (or PST files) and should remain in your mailbox. Users who currently use personal folders (or PST files) for business non-records must migrate the s contained back to their mailbox and delete all personal folders. If however, the personal folders are not migrated following a request to do so, then ICT will remove any folders that are not deleted. It may be necessary to keep three months worth of business non-records in your mailbox in order to provide context for current tasks however these must be deleted promptly and within 3 months of receipt or sending Personal s - Personal s must not be stored within Outlook personal folders (or PST files) and should remain in your mailbox. Users who currently use personal folders (or PST files) for personal s must migrate the s contained back to their mailbox and delete all personal folders. If however, the personal folders are not migrated following a request to do so, then ICT will remove any folders that are not deleted. All personal s must be deleted promptly and within 1 month of receipt or sending Attachments - Try not to send attachments with internal s. Where there are no technical barriers, save the file to a shared file-server and send a short cut by , use the Electronic Document Management System (if available) or ask a web editor to place the file on the intranet and send a link Large Attachments - Do not send attachments on the corporate network larger than 10MB Automatic Forwarding Forwarding to an External Address - Do not set up an automatic forwarding rule to an external address. It is recommended that use is made of the Outlook Web Access service for those users who need to access s away from the office Forwarding to a CSD user - If you are a SCC user do not set up an automatic forwarding rule to a CSD user, or vice versa. Printed on: 12/05/2011 Page 13 of 28

14 Forwarding if Leaving Employment - Where a user is leaving the employment of SCC then they may set up an automatic forwarding rule to another team member, their line manager or a team mailbox prior to leaving however their mail account will be closed when they leave. (see Managing Personnel Changes) Forwarding if Absent - Where a user is absent and unable to set up an automatic forwarding rule (e.g. due to sickness) a request that one is set up to another team member, or a team mailbox can be made by contacting the CSD IT Helpdesk. Such requests should be from the line manager of the user who is absent. If the line manager is the user who is absent then the request needs to be from the next higher level manager. If in addition access is required to the user s account this can be requested by their line manager (see Accessing Mailboxes of Users). For Councillors, approvals and authorisations will be provided by the Head of Scrutiny and Monitoring. The CSD Policy & Compliance Team will provide final approval where appropriate GCSx Forwarding - If you are a GCSx user do not set up an automatic forwarding rule to a non GCSx user Out-of-Office Messages Use of Out-of-Office Messages - Users should set out-of-office messages prior to all periods of leave or absence and remove them immediately upon their return. An out-of-office message should not be set when a user is working from home and has access to as they are available to receive and respond to s in the usual way. Out-of-office messages should not be used for any other purpose Out-of-Office Message Content - Alternative contact details for urgent enquiries must be provided e.g. I am out of the office between 1 st and 3 rd July. Please contact John Smith on XXXXX XXXXXXX (john.smith@suffolk.gov.uk) for urgent matters relating to recycling or Jane Jones on XXXXX XXXXXX (jane.jones@suffolk.gov.uk) for enquiries regarding waste disposal Managers Out-of-Office Messages - Managers should detail a named alternative contact in their out-of-office message and not simply refer people to generic mail accounts, or helpdesks Personal Details - Personal details about holiday, leave or sickness must not be revealed within out-of-office messages Alternative Contacts - If you are a SCC user do not set an out-of-office message detailing a CSD user as an alternative contact, or vice versa. Printed on: 12/05/2011 Page 14 of 28

15 Internal & External Out-of Offices Messages - Out-of-office messages should be set for all internal and external contacts. Certain versions of Outlook require the setting up of 2 types of out-of office message, one internal and the other external. Other versions of Outlook require one type of out-of-office message which is then sent to all internal and external contacts Setting an Out-of-Office Message if Absent - Where a user is absent and unable to set an out-of-office message (e.g. due to sickness) a request that one is set up can be made by contacting ICT Self Service. Such requests should be from the line manager of the user who is absent. If the line manager is the user who is absent then the request needs to be from the next higher level manager. The out-of-office message should warn the sender of the user s absence, including timescales where possible and provide alternative contact details. If in addition access is required to the user s account this can be requested by their line manager (see Accessing Mailboxes of Users). Please note that a request for setting an out-ofoffice message where the user has just forgotten to do so will not in normal circumstances be actioned. For Councillors, approvals and authorisations will be provided by the Head of Scrutiny and Monitoring. The CSD Policy & Compliance Team will provide final approval where appropriate Professional Group Subscriptions - Users should unsubscribe from any professional groups while away or when they leave the employment of SCC to avoid sending out-of-office or undeliverable messages to forum members Accessing Mailboxes of Users Access Permission - Do not attempt to gain access to any other user s mailbox without their permission Access to a User Mailbox where the User is Absent and has Granted Permission - Where the user is absent (e.g. due to sickness), has granted permission to access their mailbox however is unable to set this up themselves, the set up can be requested via ICT Self Service). The request must be from the line manager of the person requiring access detailing the business need to do so. If the line manager is the user who is absent then the request needs to be from the next higher level manager. Managers should be aware that access would be time limited and strictly limited to business . For Councillors, approvals and authorisations will be provided by the Head of Scrutiny and Monitoring. The CSD Policy & Compliance Team will provide final approval where appropriate. Printed on: 12/05/2011 Page 15 of 28

16 Access to a User Mailbox where the User is Absent and Unable to Grant Permission - Where the user is absent and unable to provide permission to access their mailbox do not attempt to gain access without the express permission of the CSD Policy & Compliance Team (available via ICT Self Service). Such requests should be from the line manager of the person requiring access detailing the business need to do so. If the line manager is the user who is absent then the request needs to be from the next higher level manager. Managers should be aware that such permission would only be granted in the last resort in the interests of business continuity, that access would be time limited and strictly limited to business . For Councillors, approvals and authorisations will be provided by the Head of Scrutiny and Monitoring. The CSD Policy & Compliance Team will provide final approval where appropriate Access to a User Mailbox where the User is Absent for a Long Period so as to Manage their Mailbox Prior to Return - Where the user has been absent for a long period (over 1 month) access to their mailbox can be requested in order that unnecessary s can be deleted and the mailbox managed prior to the user s return to work. In these cases express permission needs to be granted by the CSD Policy & Compliance Team (available via ICT Self Service). Such requests should be from the line manager of the person requiring access detailing the business need to do so. If the line manager is the user who is absent then the request needs to be from the next higher level manager. Managers should be aware that access would be time limited and strictly limited to business . For Councillors, approvals and authorisations will be provided by the Head of Scrutiny and Monitoring. The CSD Policy & Compliance Team will provide final approval where appropriate Access to a User Mailbox where the User is Absent so as to Check for any Inappropriate or Sensitive s - Where the user has been absent access to their mailbox can be requested in order to check for any inappropriate or sensitive s that may require deletion prior to the user s return to work. In these cases express permission needs to be approved by the CSD Policy & Compliance Team (available via ICT Self Service). Such requests should be from the line manager of the person requiring access detailing the business need to do so. If the line manager is the user who is absent then the request needs to be from the next higher level manager. Managers should be aware that access would be time limited and strictly limited to business . For Councillors, approvals and authorisations will be provided by the Head of Scrutiny and Monitoring. The CSD Policy & Compliance Team will provide final approval where appropriate. Printed on: 12/05/2011 Page 16 of 28

17 Access to a User Mailbox where the User Changes Roles or is Leaving Employment - Where the user changes roles or leaves the employment of SCC and their account is closed down do not attempt to gain access to the closed account without the express permission of the CSD Policy & Compliance Team (available via ICT Self Service). Such requests should be from the line manager of the person requiring access detailing the business need to do so. If the line manager is the person who is changing roles or leaving then the request needs to be from the next higher level manager. Managers should be aware that such permission would only be granted in the last resort in the interests of business continuity, that access would be time limited and strictly limited to business . For Councillors, approvals and authorisations will be provided by the Head of Scrutiny and Monitoring. The CSD Policy & Compliance Team will provide final approval where appropriate Managing Personnel Changes Management of Records where the User Changes Roles or Moves from one Organisation to Another or is Leaving Employment - Users must ensure that all records are transferred to their manager if they change roles within the organisation, or if they move from one organisation to another and the records are no longer required for the new role, or if they leave the employment of SCC. All personal messages must be removed from their account Deletion of a User who Leaves Employment - If a user leaves SCC, it is the manager s responsibility to ensure that CSD ICT is informed immediately by logging a Delete User Account request via ICT Self Service so that they revoke access rights and shut down the personal account as soon as the user has left. For audit purposes, the contents of the mailbox will be kept for a 3 month period after the user has left before it is deleted Notification to Contacts of a User who is Leaving Employment - If notice is worked out the user should be asked to inform all business and personal contacts when they will be leaving and who should be contacted instead Notification to Contacts of a User Changing Roles or Leaving Employment where the User is Dealing with Issues where Responses are Awaited - Where the user changes roles or leaves the employment of SCC and is dealing with issues where responses are awaited which would be sent to their account, the user or their line manager should ensure that all relevant contacts are made aware that no future responses should be sent to that individual and provide an alternative address Informing ICT that a User is leaving the Employment of SCC quickly or is on Discretionary Leave If a user is leaving the employment of SCC quickly (e.g. due to redundancy), or is on discretionary leave, and the account is required Printed on: 12/05/2011 Page 17 of 28

18 to have the access rights revoked and the personal account shut down due to potential information security/integrity risks, it is the Assistant Director s responsibility to ensure that the CSD Policy & Compliance Team are contacted immediately User Leaving Employment - If the user leaves the employment of SCC then see 2.10 Automatic Forwarding and 2.12 Accessing Mailboxes of Users Managing Councillor Changes Management of Records where a Councillor s Role Changes Within the Council or their Term of Office Ends - Councillors must ensure that all records are transferred to the Head of Scrutiny and Monitoring if the Councillor s term of office ends, or if their role changes within the Council and the records are no longer required for the new role Informing ICT when a Councillor s Term of Office Ends - The Head of Scrutiny and Monitoring is responsible for ensuring that CSD ICT is informed immediately when a Councillor s term of office ends, by logging a Delete User Account request via ICT Self Service so that access rights can be revoked and the personal account shut down as soon as the Councillor has left. For audit purposes, the contents of the mailbox will be kept for a 3 month period after the Councillor has left before it is deleted Team Mailboxes Requests to Set Up a Team Mailbox - Where there is a business need a request to set up a team mailbox can be made via ICT Self Service. The line manager of the team needs to make the request. An owner for the Team Mailbox also needs to be stated. For Councillors, approvals and authorisations will be provided by the Head of Scrutiny and Monitoring. The CSD Policy & Compliance Team will provide final approval where appropriate Size of Mailbox The owner of the Team Mailbox is responsible for keeping control of the size of the mailbox by managing the s and all folders (including the inbox, sent and deleted items). The owner must operate within a mailbox limit of 100 megabytes (MB). 3 There may be business cases where, for operational reasons, this limit needs to be exceeded. Assistant Directors and/or 3 You can find out how big your mailbox is by highlighting the Team Mailbox under All Mail Folders, then right-hand clicking and selecting Properties for Mailbox the Team Mailbox. Select Folder Size and note the Total Size (Fld+SubFld). The number is in kilobytes. Divide by a 1000 to gain an approximation of the number of megabytes e.g K = 75 MB. Printed on: 12/05/2011 Page 18 of 28

19 Strategic Information Agents must formally approve each business case and keep to a minimum any operational exceptions. For Councillors, approvals and authorisations will be provided by the Head of Scrutiny and Monitoring. The CSD Policy & Compliance Team must be made aware of any such approvals using the Request for a Mailbox Size Increase. The CSD Policy & Compliance Team will provide final approval where appropriate Auto Forwarding by Team Members to and from a Team Mailbox - Auto forwarding of mail to and from the team mailbox by the team membership can be set up however this should be managed appropriately and kept to a minimum due to mailbox size and storage restrictions Public Folders Use of Public Folders SCC is phasing out the use of Public Folders and no new Public Folders will be created Public Folder Management - The owner of an existing Public Folder is responsible for keeping control of the Public Folder and ensuring that its use is phased out in order that it can be deleted by 1 st April Government Connect Secure extranet (GCSx) Mailboxes GCSx Mailbox Format All s sent via the Government Connect Secure extranet (GCSx) must be sent using address RESTRICTED Information s sent outside this Council network travel over the public communications network and are liable to interception or loss. There is a risk that copies of the are left within the public communications system. Therefore any s containing RESTRICTED information must not be sent outside of the Council network, unless encrypted, or sent from a GCSx account Addressing s Care should be taken when addressing all s, but particularly where they include PROTECT or RESTRICTED information, to prevent accidental transmission to unintended recipients External Messages via GCSx Connection Where GCSx is available to connect sender and receiver of the message, this must be used for all external use between those parties GCSx Forwarding - If you are a GCSx user you must not set up an automatic forwarding rule to a non GCSx user. Printed on: 12/05/2011 Page 19 of 28

20 Requests to Set Up a GCSx Mailbox - Where there is a business need a request to set up a GCSx mailbox for a user or team can be made via the ICT Service Catalogue. The line manager of the user or team needs to make the request. The Section 151 Officer is responsible for approving the request. The CSD Policy & Compliance Team will provide final approval where appropriate GCSx Mailbox Creation Where a user has been approved to be provided with a GCSx mailbox, in accordance with paragraph , then their normal mail account will be amended to a GCSx one; the user will not be provided with a separate GCSx mailbox. There may be business cases where, for operational reasons, a separate GCSx mailbox is required. Assistant Directors must formally approve each business case however the request to set up the mailbox must also be approved by the Section 151 Officer in accordance with paragraph The CSD Policy & Compliance Team will provide final approval where appropriate GCSx Mailboxes and the SCC Webmail and Blackberry Services Where a user has been approved to be provided with a GCSx mailbox, in accordance with paragraph , then, for reasons of information security, currently they will be barred from using the SCC Webmail (OWA) and Blackberry Services. In addition a user is not authorised to have send as or send on behalf of permissions to a GCSx mailbox unless that user also has a GCSx mailbox. 3 SIGNATURES FOR & DISCLAIMERS 3.1 Suffolk County Council Employees Footer Statement - All s that are sent to external addresses will automatically include the following statement in the footer: s sent to and from this organisation will be monitored in accordance with the law to ensure compliance with policies and to minimize any security risks. The information contained in this or any of its attachments may be privileged or confidential and is intended for the exclusive use of the addressee. Any unauthorised use may be unlawful. If you receive this by mistake, please advise the sender immediately by using the reply facility in your software. The following signature must be used by Suffolk County Council employees: Standard Signature - Users must not include logos, animation, scanned images, home addresses, personal addresses or personal telephone numbers in their standard signature Standard Background - The background of s must be white and with no patterns. Printed on: 12/05/2011 Page 20 of 28

21 3.1.4 Standard Signature Font, Size and Colour If using formats other than plain text, users must select as standard the font Arial, size 12, colour black, using capitals and lowercase as normal. (Note: the standard size can be increased from 12 where visual clarity is required). The CSD IT Helpdesk can assist users in changing their settings Standard Signature - Users must use the following corporate text for their signature. All of the text below should be copied into an signature box so that it appears every time a work is signed. Forename Surname (in bold) Job Title Service Area Directorate Suffolk County Council Postal address (which can be presented horizontally, rather than vertically, to save space) Tel: XXXXXX Mob: 0XXXX XXXXXX (if required) Fax: XXXXXX (if required) forename.surname@ suffolk.gov.uk Postal Address - s sent to internal colleagues do not require the inclusion of the postal address in the signature Disclaimer - SCC users are not required to add a disclaimer to their . However, where users wish to include one to help protect against messages being misused, the following disclaimer can be added: The information contained in this is intended for the named addressee only, and may be confidential and privileged. If you have received it in error, I apologise and ask that you destroy it and notify me that you have done so Copyright - Where the user wishes to note that the contents are protected by copyright they should attach a copyright notice: Copyright (Year) Suffolk County Council or (Year) Suffolk County Council Personal Disclaimer - Users sending genuinely personal messages from their corporate account may use the following disclaimer, although the message will be identified as having come from SCC and great care must be taken to avoid any possibility of being left vulnerable to legal action or loss of reputation: The views contained in this message are those of the individual and do not necessarily represent the views of Suffolk County Council. Printed on: 12/05/2011 Page 21 of 28

22 3.2 Suffolk County Councillors Footer Statement - All s that are sent to external addresses will automatically include the following statement in the footer: s sent to and from this organisation will be monitored in accordance with the law to ensure compliance with policies and to minimize any security risks. The information contained in this or any of its attachments may be privileged or confidential and is intended for the exclusive use of the addressee. Any unauthorised use may be unlawful. If you receive this by mistake, please advise the sender immediately by using the reply facility in your software. The following is the suggested signature format for Councillors to use: Standard Signature - Councillors should not include logos, animation, or scanned images in their standard signature Standard Background - The background of s should be white and with no patterns Standard Signature Font, Size and Colour - If using formats other than plain text, Councillors should select as standard the font Arial, size 12, colour black, using capitals and lowercase as normal. (Note: the standard size can be increased from 12 where visual clarity is required). The CSD IT Helpdesk can assist Councillors in changing their settings Standard Signature - Users can use the following text for their signature. All of the text below can be copied into an signature box so that it appears every time an is signed. Councillor xxxxx (in bold) Name County Councillor for xxxxx Division Post (e.g. portfolio holder for xx, Chairman of xx) (if applicable) Postal Address (SCC or Home Address) Tel: xxxxx xxxxxx Mobile: xxxx xxxxx Fax: xxxx xxxxxx forename.surname@ suffolk.gov.uk Councillors own website (if applicable) Disclaimer - Councillors are not required to add a disclaimer to their . However, where they wish to include one to help protect against messages being misused, the following disclaimer can be added: Printed on: 12/05/2011 Page 22 of 28