Chapter 6 - Limited Personal Use of Information Technology Resources
Part 8 - Information Resources Management
Title | Section |
---|---|
Introduction | 8-6.1 |
Purpose | 8-6.1A |
Background | 8-6.1B |
Acronyms | 8-6.1C |
Policy | 8-6.1D |
Scope | 8-6.1E |
Roles and Responsibilities | 8-6.1F |
Applicable Laws/Guidance | 8-6.1G |
Definitions | 8-6.1H |
Prohibited Use of IHS IT Resources | 8-6.1I |
Specific Provisions on Use of IT Resources | 8-6.1J |
Misuse or Inappropriate Personal Uses | 8-6.1K |
Proper Representation | 8-6.1L |
Access Management | 8-6.1M |
Privacy Expectations | 8-6.1N |
Individual Privacy Rights | 8-6.1O |
Implied Consent | 8-6.1P |
Monitoring Tools | 8-6.1Q |
Penalties | 8-6.1R |
Labor Relations | 8-6.1S |
- PURPOSE. The purpose of this chapter is to establish the Indian Health Service (IHS) policy for limited acceptable personal use of Agency-owned Information Technology (IT) resources by IHS staff and contract personnel. Indian Health Service employees may use IHS IT resources for non-Government purposes when such use involves minimal additional expense to the Government, is performed on the employee's non-work time, does not interfere with the mission or operations of the IHS, and does not violate the Standards of Ethical Conduct for Employees of the Executive Branch. This chapter supplements the "Department of Health and Human Services (HHS) Information Resources Management (IRM) Policy for Personal Use of Information Technology Resources" approved on January 8, 2001, as amended.
- BACKGROUND. The IHS serves the American Indian and Alaska Native (AI/AN) people through hundreds of employees located in offices across the nation. The IHS is called upon to deliver more and better services to a growing population that continues to expect increasing improvements in service delivery. Much of the increase in productivity has resulted from the use of modem IT such as computers, facsimile machines, and the Internet. This technology engenders new opportunities for employees and enables them to perform their jobs more efficiently.
Taxpayers expect to receive the maximum benefit for their tax dollars, and they depend on the IHS to manage this money wisely and effectively. The reputation of the IHS in enhanced when members of the public are confident that their Government is well-managed and assets are used appropriately. The relationship between the Executive Branch and the employees who administer the functions of the IHS is one based on trust. Consequently, employees are expected to follow rules and regulations and to be responsible for their own personal and professional conduct. The Standards of Conduct for Employees of the Executive Branch, (Section 2635.101 (b)(5)) states, "Employees shall put forth honest effort in the performance of their duties."
The IHS believes employees should be provided with a professional and supportive work environment that includes the appropriate tools needed to effectively carry out their assigned responsibilities. Allowing limited personal use of these tools helps enhance the quality of the workplace and helps IHS to retain highly qualified and skilled workers.
- ACRONYMS.
(1) AI/AN American Indian/Alaska Native
(2) CIO Chief Information Officers
(3) FOIA Freedom of Information Act
(4) HHS Department of Health and Human Services
(5) IHS Indian Health Service
(6) IT Information Technology
(7) IRM Information Resources Management
(8) WWW World Wide Web
- POLICY. It is the policy of the IHS to permit, at the discretion of management, all IHS employees the limited use of IHS IT resources for personal needs provided such use does not interfere with official business and involves minimal additional expense to the Government. The limited personal use of IHS IT resources must occur during the employee's non-work time, without exception. The privilege to use IHS IT resources for non-Government purposes may be revoked or limited at any time by appropriate IHS or HHS officials. This chapter does not limit IHS personnel in the use of IHS-owned IT resources for official activities.
- SCOPE. This chapter applies to all IHS organizational components including but not limited to Headquarters, Area Offices, and service units conducting business for and on behalf of the IHS through contractual relationships when using IHS IT resources. The policies contained in this chapter apply to all IHS IT activities including the equipment, procedures, and technologies that are employed in managing these activities. The policy includes teleworking, travel, other off-site locations, and all IHS office locations. Agency officials shall apply this policy to contractor personnel, interns, externs, and other non-Government employees by incorporating such reference in contracts or memorandums of agreement as conditions for using Government-provided IT resources.
- ROLES AND RESPONSIBILITIES.
- Chief Information Officer. The IHS Chief Information Officer (CIO) is responsible for:
- disseminating this policy to all employees within the IHS, and
- developing and maintaining the IHS personal-use policy.
- Management Officials. The IHS management officials, in their supervisory roles, are responsible for the following:
- Informing users of their rights and responsibilities, including the dissemination of the information in this chapter, to individual users.
- Addressing inappropriate use by employees who report to them.
- Receiving reports of inappropriate use from IT resource management officials and sharing these reports, as appropriate, within their own management structure.
- Notifying law enforcement officials when misuse involves committing a crime.
Managers of IHS IT resources may use system monitoring software to improve the performance of the resource (See Section 8-6.1P Monitoring Tools). When a management official identifies an inappropriate use, he/she shall notify the IHS CIO through the normal chain of command and, as appropriate, terminate the individual's access to the IT resource after informing the IHS CIO of the action to be taken.
Management officials may further restrict their organization's personal use of IHS IT resources within their areas of responsibility.
- Users of IHS IT Resources. Users, including IHS employees and contractors, are responsible for the following:
- Seeking guidance from their supervisors when in doubt about the implementation of this policy.
- Following policies and procedures in their use of IHS IT resources and refraining from any practices that might jeopardize IHS computer systems and data files including but not limited to virus attacks when downloading files from the Internet.
- Learning about Internet etiquette, customs and courtesies, including those procedures and guidelines to be followed when using remote computer services and transferring files from other computers (e.g., Internet Engineering Task Force, Request for Comments - Number 1780).
- Familiarizing themselves with any special requirements for accessing, protecting, using data, including Privacy Act and copyright requirements, and procurement-sensitive data.
- Adhering to all conditions set forth in this chapter.
- Completing IT security training on agency personal use policies. Policies include a waiver or exception process.
- Chief Information Officer. The IHS Chief Information Officer (CIO) is responsible for:
- APPLICABLE LAWS/GUIDANCE. Generally, IHS employees may use IHS IT resources for authorized purposes only. As set forth below, limited personal use of IHS IT resources by employees during non-work time is considered to be an "authorized use" of Government property. The "HHS IRM Policy for Personal Use of Information Technology Resources" approved on January 8, 2001, as amended, authorizes HHS operating divisions to adopt policies on personal use of IT resources. Title 5 United States Code (U.S.C.), Section 301, provides that the head of an executive department or military department may prescribe regulations for the use of its property. Also, Executive Order 13011, "Federal Information Technology," Section 3(a)(1), delineates the responsibilities of the Federal Chief Information Officer Council by providing recommendations to agency heads relating to the management and use of IT resources. Other authorities include:
- Computer Security Act of 1987, Public Law (P.L.) 100-235, 101 Stat. 724
- The Privacy Act
- The Hatch Act (Standards of Conduct)
- The Freedom of Information Act (FOIA)
- Office of Management and Budget (OMB) Circular A-130, "Management of Federal Information Resources"
- "Standards of Ethical Conduct for Employees of the Executive Branch" promulgated by the Office of Government Ethics
- Internet Engineering Task Force, Request for Comments - Number 1780, J. Postel, "Internet Official Protocol Standards," March 28, 1995
- DEFINITIONS.
- Browser. A browser is a software tool used to locate and view data in standardized formats on other computers.
- Employee Non-work Time. Non-work time is when the employee is not expected to be conducting official business. Employees may use IHS IT resources for personal use during their own off-duty hours, such as before or after a workday (subject to local office hours), lunch periods, authorized breaks, or weekends or holidays (if their duty station is normally available at such times).
- Indian Health Service IT Resources. The IHS IT resources include, but are not limited to: personal computers and related peripheral equipment and software, network and Web servers, library resources, telephones, facsimile machines, photocopiers, Internet connectivity and access to Internet services, all forms of e-mail and, for the purposes of this policy, office supplies. It does not include data stored in or transported by such resources.
- Information Technology. Information technology is any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, management, manipulation, movement, control, display, switching, interchange, transmission, or reception of data.
- Internet. The Internet is a worldwide electronic system of computer networks, which provides communications and resource-sharing services to Government employees, businesses, researchers, scholars, librarians, and students, as well as the general public.
- Minimal Additional Expense. An employee's personal use of IHS IT resources is limited to those situations where the Government is already providing equipment or services and the employee's use of such equipment or services shall not result in any additional expense to the Government or the use will result in only normal wear and tear or the use of small amounts of electricity, ink, toner, or paper. Examples of minimal additional expenses include making a few photocopies, using a computer printer to print out a limited number of pages of material, making occasional brief personal phone calls (within IHS policy and 41 Code of Federal Regulations (CFR) 101-35.201, which states that an employee may make a personal long-distance call charged to his/her personal calling card), infrequently sending personal e-mail messages, and using the Internet in a limited way for personal reasons.
- Personal Use. Personal use means any activity that is conducted for purposes other than accomplishing official or Government business. This includes use by employees on behalf of professional organizations or associations.
- Privilege. The IHS is extending the opportunity to its employees to use IHS IT resources for personal use in an effort to create a more supportive work environment. This chapter does not create the right to use IHS IT resources for non-Government purposes and does not extend the privilege to modifying such equipment, including loading personal software or making configuration changes.
- Shared IHS IT Resource. A shared IHS IT resource is one managed by one IHS organization but used by many (e.g., the IHS homepage).
- World Wide Web. The World Wide Web (WWW) is a collection of Web pages (documents), which are developed in accordance with the Hyper Text Markup Language Web format standard and may be accessed via Internet connections using a WWW browser.
- PROHIBITED USE OF IHS IT RESOURCES. Employees are specifically prohibited from using IHS IT resources to maintain or support a personal private business. Employees may not use a Government computer and Internet connection to run a consultant business, travel service, or investment service. The ban on using IHS IT resources to support a personal private business also includes employees using IHS IT resources to assist relatives, friends, or other persons in such activities. However, employees may, for example, make limited use of IHS IT resources to check their Thrift Savings Plan or other personal investments, or to seek employment or communicate with a volunteer charity organization.
- SPECIFIC PROVISIONS ON USE OF IT RESOURCES. Employees are authorized limited personal use of IHS IT resources. This personal use must not result in loss of employee productivity or interference with official duties. Moreover, such use should incur only minimal additional expense to the Government in areas such as the following:
- Communications infrastructure costs, e.g., telephone charges (personal long distance calls are to be charged to the employee's personal calling card), telecommunications traffic, etc.
- Use of consumables in limited amounts, e.g., paper, ink, toner, etc.
- General wear and tear on equipment.
- Data storage on storage devices.
- Transmission impacts with moderate e-mail message sizes, such as e-mails with small attachments.
- MISUSE OR INAPPROPRIATE PERSONAL USES. Employees are expected to conduct themselves professionally in the workplace and refrain from using IHS IT resources for activities that are inappropriate. Misuse or inappropriate personal use of IHS IT resources include the following:
- Congestion, Delay, or Disruption of Service. Any personal use that could cause congestion, delay, or disruption of service to any Government system or equipment. For example, greeting cards, video, sound, or other large file attachments can degrade the performance of the entire network. "Push" technology on the Internet and other continuous data streams would also degrade the performance of the entire network and be an inappropriate use.
- Sexually Explicit or Sexually Oriented Materials. The intentional creation, downloading, viewing, storage, copying, or transmission of sexually explicit or sexually oriented materials for personal use.
- Illegal Gambling/Weapons/Activities, Terrorist Activities, or Activities Otherwise Prohibited. The intentional creation, downloading, viewing, storage, copying, or transmission of materials related to gambling, illegal weapons, terrorist activities, and any other illegal activities or activities otherwise prohibited, etc.
- Commercial Purposes,"For-profit" Activities, or Business Activity. Use for commercial purposes, in support of "for-profit" activities, or in support of other outside employment or business activity (e.g., consulting for pay, sales or administration of business transactions, sale of goods or services).
- Outside Fund-raising Activity, Endorsing, Lobbying, or Prohibited Partisan Political Activity. Engaging in any outside fund-raising activity including non-profit activities, endorsing any product or service, participating in any lobbying activity, or engaging in any prohibited partisan political activity.
- Posting IHS Information Without Authority. Posting IHS or personal information to external news groups, bulletin boards, or other public forums without authority, including information that is at odds with the IHS mission or positions. This includes any use that could create the perception that the communication was made in one's official capacity as a Federal Government employee, unless appropriate IHS approval has been obtained.
- Web Pages. Any use that establishes personal, commercial, and/or non-profit organizational Web pages on IHS-owned machines.
- Unauthorized Access. Using the Government systems as a staging ground or platform to gain unauthorized access to other systems.
- Chain Letters or Other Unauthorized Mass Mailings. The creation, copying, transmission, or retransmission of chain letters or other unauthorized mass mailings regardless of the subject matter.
- Illegal, Inappropriate, or Offensive Use. Using IHS IT resources for activities that are illegal, inappropriate, or offensive to fellow employees or the public. Such activities include, but are not limited to: hate speech or material that ridicules others on the basis of race, creed, religion, color, age, sex, disability, national origin, or sexual orientation.
- Addition of Personal IT Resources. The addition of personal IT resources to existing IHS IT resources without the appropriate management authorization, including the installation of modems on IHS data lines and the reconfiguration of systems.
- Additional Expense. Any use that could generate more than minimal additional expense to the Government.
- Transmission, or Distribution of any Controlled Information, Copyrighted, Trademarked or Material With Other Intellectual Property Rights, Propriety Data, or Export Controlled Software or Data. The intentional unauthorized acquisition, use, reproduction, transmission, or distribution of any controlled information including computer software and data that includes information subject to the Privacy Act, copyrighted, trademarked or material with other intellectual property rights (beyond fair use), proprietary data, or export controlled software or data.
- Unauthorized List Servers and Newsletters. Use or creation of unauthorized list servers or the distribution of unauthorized newsletters.
- Digital Authentication.. Use of another person's digital authentication.
- Anonymous Messages. Sending anonymous messages.
- Security Avoidance. Avoiding established security procedures.
- Peer-to-Peer Software. Using Peer-to-Peer (P2P) software without the CIO's (or his/her designee's) approval.
- PROPER REPRESENTATION. Each employee is responsible for ensuring he/she does not give the false impression of acting in an official capacity when using IHS IT resources for non-Government purposes. If there is an expectation that such personal use could be interpreted to represent the IHS, an adequate disclaimer must be used. One acceptable disclaimer: "The contents of this message are mine personally and cannot be construed to be endorsed (inferred or implied) by the Federal Government or the IHS."
- ACCESS MANAGEMENT. Employees have no inherent right to use IHS IT resources for personal use. Therefore, the IHS will establish appropriate management controls to ensure that IHS IT resources are used appropriately.
- PRIVACY EXPECTATIONS. Any use of IHS IT resources, including e-mail, is made with the understanding that such use may not be secure, is not private, is not anonymous, and may be subject to disclosure under the FOIA. Employees do not have a right to, nor shall they have an expectation of, privacy while using IHS IT resources at any time, including accessing the Internet through IHS or HHS gateways and using e-mail, which may be subject to release pursuant to the FOIA. To the extent that employees wish their private activities to remain private, they shall avoid making personal use of IHS IT resources.
- INDIVIDUAL PRIVACY RIGHTS. The privacy rights of an individual may not be violated.
- IMPLIED CONSENT. Employees imply their consent to disclosing the contents of any file(s) or information maintained or passed through IHS IT resources. By using IHS IT resources, consent to monitoring and recording is implied with or without cause, including but not limited to accessing the Internet and using e-mail.
- MONITORING TOOLS. The IHS system managers and supervisors may access any electronic communications and employ monitoring tools to detect improper use. Electronic communications may be disclosed within the IHS to employees who have a need to know in the performance of their duties (e.g., with manager approval, technical staff may employ monitoring tools in order to maximize the use of their resources, which may include the detection of inappropriate use).
- PENALTIES. Unauthorized or improper use of IHS IT resources could result in the loss of use or limitations on the use of IHS IT resources, disciplinary or adverse actions, criminal penalties, and/or employees being held financially liable for the cost of improper use.
- LABOR RELATIONS. These policies and procedures will not be implemented in any recognized bargaining unit until the Union is provided notice of the proposed changes and given an opportunity to fully exercise its representational rights.
Future labor management agreements shall comply with this chapter.