Internet Acceptable Use Policy A council-wide information management policy. Version 1.5 June 2014

Transcription

1 Internet Acceptable Use Policy A council-wide information management policy Version 1.5 June 2014

2 Copyright Notification Copyright London Borough of Islington 20134This document is distributed under the Creative Commons Attribution 2.5 license. This means you are free to copy, use and modify all or part of its contents for any purpose as long as you give clear credit for the original creators of the content so used. For more information please see: Contacts If you need any further information about this document or any clarity about the contents of the document, please contact: Sinead Mulready (Data Security Manager). Revision History Date Version Reason for change Author Updated in light of changes to ICT policies and Sinead Mulready infrastructure Following discussion with Jeremy Tuck Sinead Mulready Review and revisions throughout the policy Jeremy Tuck Following revisions by Corporate management Sinead Mulready Board 21 June 1.4 Annual policy review Sinead Mulready 2013 June Annual policy review Sinead Mulready Page 2 of 10

3 TABLE OF CONTENTS 1 PURPOSE OF THIS DOCUMENT PART OF AN UMBRELLA ICT POLICY FRAMEWORK BACKGROUND APPLYING THE POLICY PERSONAL USE OF THE INTERNET IS SUBJECT TO MANAGEMENT APPROVAL EMPLOYEES MUST USE THE INTERNET ACCEPTABLY EMPLOYEES MUST NOT STORE COUNCIL DATA ON THIRD PARTY WEBSITES ACCESS TO ONLINE STORAGE SITES IS CONTROLLED WEB BASED PERSONAL MUST NOT BE USED FOR COUNCIL BUSINESS THE INTERNET MUST NOT BE USED FOR PRIVATE BUSINESS COUNCIL MUST NOT BE USED ON WEBSITES INTERNET USE WILL BE MONITORED REPORTING INCIDENTS POLICY COMPLIANCE GOVERNANCE, APPROVAL AND REVIEW CORPORATE GOVERNANCE GROUP FORMAL APPROVAL, ADOPTION AND REVIEW APPENDIX A: ACCOUNT MONITORING FORM APPENDIX B ACCESS TO ONLINE STORAGE...8 Page 3 of 10

4 1 PURPOSE OF THIS DOCUMENT This document sets out the policy on the use of the Internet on the Council network, how it is permitted and how it is monitored. 2 PART OF AN UMBRELLA ICT POLICY FRAMEWORK This policy should be read in conjunction with the Islington ICT Security Policy Framework, which sets out the overarching approach to Information and Communication Technology (ICT) policies in Islington Council. The framework lists the other policies, which together aim to protect the Council s information technology assets, such as computer hardware and software, telecommunications equipment and data held within the council s IT systems. 3 BACKGROUND The Internet provides the council with access to valuable sources of information as well as inexpensive connectivity to a wide range of third parties. It is seen as an important part of the council s communication infrastructure. Use of the Internet by employees of the council is permitted and encouraged where such use supports the goals and objectives of service delivery. However, the council has a policy for the use of the Internet whereby employees must ensure that they comply with current legislation, use the Internet in an acceptable way, and do not create unnecessary business risk to the council by their misuse of the Internet. This policy should be read in conjunction with the council s Social Media Policy, which sets out how council staff should use social media. 4 APPLYING THE POLICY 4.1 Personal Use of the Internet is subject to management approval Members of staff must obtain approval from their line manager to use the council network to browse the Internet for personal use. If a member of staff is asked to reduce the amount of personal time spent on the Internet, for any reason, they must comply. 4.2 Employees must use the Internet acceptably The following is deemed unacceptable use or behaviour by employees: a) visiting Internet sites that contain obscene, hateful, pornographic or otherwise illegal material b) using the computer to perpetrate any form of fraud, or software, film or music piracy c) using the Internet to send offensive or harassing material to other users d) downloading commercial software or any copyrighted materials belonging to third parties, unless this download is covered or permitted under a commercial agreement or other such licence e) gaining access to unauthorised areas ( hacking ) f) creating or supporting any Internet messages or postings that are intended to harass, annoy or alarm any person or organisation g) publishing defamatory and/or knowingly false material about the council, members of staff, or customers on social networking sites, blogs (online journals), or any online publishing format h) revealing confidential information about the council in a personal online posting, upload or transmission - including financial information and information relating to our customers, business plans, policies, staff and/or internal discussions i) undertaking deliberate activities that waste staff effort or networked resources j) introducing any form of malicious software into the corporate network. Page 4 of 10

5 4.3 Employees must NOT store council data on third party websites The council cannot guarantee the security of third party websites or data storage. Therefore, no council data may be stored or sent to such websites. This includes such storage and file transfer sites as Dropbox or Googledocs. All business-related information produced, collected and/or processed in the course of council work remains the property of the council. This includes such information stored on third-party websites such as webmail service providers and social networking sites, such as Facebook and LinkedIn. Where the council has a legal requirement to share data with another organisation and it is necessary to upload the data onto a third party website, this must be approved by an appropriately senior person within that department. 4.4 Access to online storage sites is controlled The council blocks access to online storage sites by default. However, the council acknowledges that partner organisations do use such sites to distribute necessary documentation and that council staff may periodically require access to such sites as a result. Requests for access to online storage must be logged on ICT Help Me. The online storage form (Appendix B) must be completed and attached to the work request. They must confirm that they will not upload any council data containing personally identifiable data into the site. This must be approved by the Data Security Manager or a member of her team before access to the site is provided. When a member of staff needs to retrieve a one-off document from an online storage site, Digital Services will pick this document up and save it to the council network in an appropriate location. Where access to an online storage site is granted to a member of staff, it will be allowed only for the necessary period of time. 4.5 Web based personal must not be used for council business Web-based personal must never be used to conduct council business. Council data must not be forwarded to personal web-based without the knowledge and explicit written consent of a manager. 4.6 The Internet must not be used for private business No member of staff is permitted to use council Internet access, at any time, for private business activities. 4.7 Council addresses must not be used on websites Council addresses may not be used when registering on web sites for personal use. 4.8 Internet use will be monitored Islington Council accepts that the use of the Internet is a valuable business tool and provides Internet-related resources for business purposes. However, its misuse can have a negative impact upon employee productivity and the reputation of the business. The council will monitor Internet access by staff and will maintain a log of volume of Internet and network traffic, together with all websites visited by council staff. The council also blocks and filters access to Internet sites that are considered inappropriate or offensive. The ability to access a website does not in itself mean you are permitted to visit it. Page 5 of 10

6 If a manager has concerns about the level of personal Internet use by a member of staff, they may request an investigation be carried out, by logging a work request on ICT Help Me. They must complete the Account Monitoring Form which can be found in Appendix A. 5 REPORTING INCIDENTS It is the duty of all users to immediately report any actual or suspected breaches in information security to Digital Services in line with the council s Security Incident Management Policy. Any such incidents must be reported through ICT Help Me and labelled Data Security Incident. 6 POLICY COMPLIANCE If any user is found to have breached this policy, they may be subject to the Council s disciplinary procedure. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s). If you do not understand the implications of this policy or how it may apply to you, seek advice from Digital Services. 7 GOVERNANCE, APPROVAL AND REVIEW 7.1 Corporate Governance Group This policy framework and the commitment to security management is subject to continuous, systematic review and improvement. This council-wide technology policy will be governed by the Corporate Governance Group (CGG), chaired by the Director of Finance, who is also the council s Senior Information Risk Owner. The CGG has a clear terms of reference and reports directly into the Corporate Management Board. 7.2 Formal approval, adoption and review This policy will be formally signed off by the Corporate Management Board. The Data Security Manager will lead an annual review of all ICT Security Policies. Page 6 of 10

7 8 APPENDIX A: ACCOUNT MONITORING FORM Digital Services ACCOUNT MONITORING REQUEST FORM Due to our obligations under the Data Protection Act 1998 it is necessary to complete this form if you wish to access information from the council s network relating to any members of staff. By signing this form you agree that you are requesting this information for the purpose(s) you state below and it will be held for these purpose(s) only. INFORMATION ABOUT THE MEMBER OF STAFF WHO IS THE SUBJECT OF THE SEARCH: Name: Job title: Place of work: Line manager: Please list below the purpose(s) of your request (provide as much details as possible): If there is additional need for confidentiality about this request, please provide additional information by to the Data Security Manager. AUTHORISING REQUESTER: Page 7 of 10

8 Print Name: Signature: Job title: Place of work: Date: Authorising Manager: Signature: Date: You agree to make no further uses of the information you obtain other than for the purposes stated above. You agree to keep secure any information you obtain or securely destroy the information, when it is no longer required. 9 APPENDIX B ACCESS TO ONLINE STORAGE Page 8 of 10

9 The council blocks access to websites that allow online storage of data. It is important to note that personal data about residents, staff, customers and clients may NEVER be stored in or transferred via online storage sites. 1. If you need to access a single document, Digital Services will retrieve this document and store it in a location on the council network of your choice 2. If you need to share council data with a third party, please contact Digital Services to discuss secure ways of doing so 3. If you believe that you need access to an online storage site to regularly retrieve third party data, please complete this form 4. Please log a work request on ICT HelpMe and attach this form to it 5. Your request will need to be approved by the Data Security Manager before it is progressed. Name of site you need access to: Are you retrieving or sharing data? I am retrieving a single document I need to retrieve a number of documents over a period of time I need to share council documents with a third party How long to you need access to the site Please list below the purpose(s) of your request and the data that you will be handling (provide as much detail as possible): Page 9 of 10

10 If given access to this site, I confirm that I will not UPLOAD any council data into the site: Print Name: Signature: Job title: Department: Date: Authorising Manager: Signature: Date: Page 10 of 10