HHS IRM Policy for Personal Use Of Information Technology Resources
January 8, 2001
HHS-IRM-2000-0003
TABLE OF CONTENTS
- Purpose
- Background
- Scope
- Policy
1. Purpose
The purpose of this Department of Health and Human Services (HHS) document
is to establish policy for limited acceptable personal use of HHS owned
information technology (IT) resources by staff and contract personnel. This
policy establishes new privileges and additional responsibilities for employees
in HHS. It recognizes these employees as responsible individuals who are
the key to making government more responsive to its citizens. It allows
employees to use HHS IT resources for non-government purposes when such
use involves minimal additional expense to the government, is performed
on the employee’s non-work time, does not interfere with the mission or
operations of HHS and does not violate the Standards of Ethical Conduct
for Employees of the Executive Branch.
This policy does not supercede or replace policies, procedures and responsibilities
which encourage the utilization of the Internet to acquire information that
will enable employees to achieve the Department’s mission, nor does it supersede
existing agreements concerning the use of voice communications devices.
This policy does not supersede any other applicable law or higher level
agency directive, policy guidance, or existing labor management agreement
in affect as of the effective date of this policy.
2. Background
The Executive Branch of the Federal Government serves the American people
through hundreds of thousands of employees located in offices across the
nation. Increasingly, the Government is called upon to deliver more and
better services to a growing population that continues to expect ever-increasing
improvements in service delivery. Much of this productivity increase has
come about through the use of modern information technology such as computers,
facsimile machines, and the Internet. This technology has raised new opportunities
for its use by employees to live their lives more efficiently in balance
with the overriding imperative that American taxpayers receive the maximum
benefit for their tax dollars.
Taxpayers have the right to depend on their Government to manage their
tax dollars wisely and effectively. Public confidence in the productiveness
of government is increased when members of the public are confident that
their government is well managed and assets are used appropriately. The
relationship between the Executive Branch and the employees who administer
the functions of the Government is one based on trust. Consequently, employees
are expected to follow rules and regulations and to be responsible for their
own personal and professional conduct. The Standards of Conduct states "Employees
shall put forth honest effort in the performance of their duties" [Section
2635.101 (b)(5)].
HHS employees shall be provided with a professional supportive work environment.
They shall be given the tools needed to effectively carry out their assigned
responsibilities. Allowing limited personal use of these tools helps enhance
the quality of the workplace and helps the Government to retain highly qualified
and skilled workers.
This policy is based on a model policy adopted by the Chief Information
Officers Council for the Executive Branch.
3. Scope
This policy applies to all Departmental Operating Divisions, including
the Office of the Secretary, and organizations conducting business for and
on behalf of the Department through contractual relationships when using
HHS IT resources. The policies contained in this HHS document apply to all
HHS IT activities including the equipment, procedures and technologies that
are employed in managing these activities. The policy includes teleworking,
travel and other off-site locations as well as all of the office locations
of the Department. This policy does not supersede any other applicable law
or higher level agency directive or policy guidance. Agency officials shall
apply this policy to contractor personnel, interns, and other non-government
employees through incorporation by reference in contracts or memorandums
of agreement as conditions for using Government provided IT resources.
This policy supersedes the memorandum on "Limited Personal Use Policy
of Government Equipment," dated August 5, 1999.
4. Policy
The following policies shall be in effect for each Operating Division unless
the Operating Division adopts a more restrictive set of personal use policies
or existing labor management agreements preclude one or more if the policies
listed below.
4.1 Employees are permitted limited personal use of HHS IT resources.
This personal use shall not result in loss of employee productivity, interference
with official duties or other than "minimal additional expense"
to HHS in areas such as:
- communications costs for voice, data, or video image transmission;
- use of consumables in limited amounts (e.g., paper, ink, toner);
- general wear and tear on equipment;
- data storage on storage devices; and
- transmission impacts with moderate e-mail message sizes, such as e-mails
with small attachments.
4.2 Employees have no inherent right to employ HHS IT resources for personal
use.
4.2 Unauthorized or inappropriate use of HHS IT resources could result
in loss of use or limitations on use of equipment, disciplinary or adverse
actions, criminal penalties and/or employees or other users being held financially
liable for the cost of inappropriate use.
4.4 Employees are expected to conduct themselves professionally in the
workplace and to refrain from using government office equipment for activities
that are inappropriate. Misuse or inappropriate personal use of HHS IT resources
includes:
- any personal use that could cause congestion, delay, or disruption of
service to any HHS IT resource. For example, greeting cards, video, sound
or other large file attachments can degrade the performance of the entire
network as does some uses of "push" technology, such as audio
and video streaming from the Internet.
- the intentional creation, downloading, viewing, storage, copying or
transmission of sexually explicit or sexually oriented materials;
- the intentional creation, downloading, viewing, storage, copying or
transmission of materials related to gambling, illegal weapons, terrorist
activities, and any other illegal activities or activities otherwise prohibited;
- use for commercial purposes or in support of "for-profit"
activities or in support of other outside employment or business activity
(e.g. consulting for pay, sales or administration of business transactions,
sale of goods or services);
- engaging in any outside fund-raising activity, including non-profit
activities, endorsing any product or service, participating in any lobbying
activity, or engaging in any prohibited partisan political activity;
- posting agency or personal information to external newsgroups, bulletin
boards or other public forums without authority, including information
which is at odds with Departmental missions or positions. This includes
any use that could create the perception that the communication was made
in one’s official capacity as a Federal Government employee, unless appropriate
Agency approval has been obtained;
- establishing personal, commercial and/or non-profit organizational web
pages on government owned machines;
- use of HHS systems as a staging ground or platform to gain unauthorized
access to other systems;
- the creation, copying, transmission, or retransmission of chain letters
or other unauthorized mass mailings regardless of the subject matter;
- use of HHS IT resources for activities that are illegal, inappropriate,
or offensive to fellow employees or the public. Such activities include,
but are not limited to: hate speech, or material that ridicules others
on the basis of race, creed, religion, color, age, sex, disability, national
origin, or sexual orientation;
- the addition of personal IT resources to existing HHS IT resources without
the appropriate management authorization, including the installation of
modems on HHS data lines and reconfiguration of systems;
- use that could generate more than minimal additional expense to the
government;
- the intentional unauthorized acquisition, use, reproduction, transmission,
or distribution of any controlled information including computer software
and data that includes information subject to the Privacy Act, copyrighted,
trade marked or material with other intellectual property rights (beyond
fair use), proprietary data, or export controlled software or data; and
- use or creation of unauthorized list servers or the distribution of
unauthorized newsletters;
- using another person’s digital authentication;
- sending anonymous messages; and
- avoiding established security procedures.
4.6 Operating Divisions may adopt policies that are more restrictive than
those contained in this Departmental policy.
4.7 Future labor management agreements shall comply with this policy.
4.8 Any use of HHS IT resources, including e-mail, is made with the understanding
that such use may not be secure, is not private, is not anonymous an may
be subject to disclosure under the Freedom of Information Act (FOIA). HHS
employees do not have a right to, nor shall they have an expectation of,
privacy while using HHS IT resources at any time, including accessing the
Internet through HHS gateways and using e-mail, which may be subject to
release pursuant to the Freedom of Information Act. To the extent that employees
wish that their private activities remain private, they shall avoid making
personal use of HHS IT resources.
4.9 Electronic data communications may be disclosed within the Department
to employees who have a need to know in the performance of their duties
(e.g., with manager approval technical staff may employ monitoring tools
in order to maximize the utilization of their resources, which may include
the detection of inappropriate use).
4.10 The privacy rights of an individual may not be violated.
5. Roles and Responsibilities
5.1 The OPDIV CIOS
Operating Division CIOs are responsible for:
5.1.1. the dissemination of this policy to all employees within their respective
organizations;
5.2.2. developing and maintaining the OPDIV personal use policy if, and
only if, the OPDIV develops more restrictive policy.
5.2 Management Officials
5.2.1. Management officials, in their supervisory role, are responsible
for:
5.2.1.1. informing users of their rights and responsibilities, including
the dissemination of the information in this policy to individual users;
5.2 1.2. addressing inappropriate use by employees who report to them;
5.2.1.3. receiving reports of inappropriate use from IT resource management
officials and sharing these reports, as appropriate, within their own management
structure; and
5.2.1.4. notifying, when appropriate, law enforcement officials.
5.2.2. Managers of HHS IT resources may use system monitoring software
in order to improve the performance of the resource. When a resource manager
identifies an inappropriate use, he/she shall notify the Operating Division
CIO through the normal chain of command and, as appropriate, terminate the
access of the individual(s) to the IT resource after informing the Operating
Division CIO of the action to be taken.
5.3 HHS Employees and Users of HHS IT Resources
Users, including employees, and contractors when using HHS IT equipment,
are responsible for:
5.3.1. seeking guidance from their supervisors when in doubt about the
implementation of this policy;
5.3.2. ensuring that they are not giving the false impression that they
are acting in an official capacity when they are using HHS IT resources
for non-government purposes. If there is expectation that such a personal
use could be interpreted to represent an agency, then an adequate disclaimer
shall be used. For example:
"The contents of this message are mine personally and can not be
construed to be endorsed (inferred or implied) by the Government nor by
my agency."
5.3.3. following policies and procedures in their use of IT Resources (e.g.,
Internet and e-mail) and refraining from any practices which might jeopardize
HHS computer systems and data files, including but not limited to virus
attacks, when downloading files from the Internet;
5.3.4 learning about Internet etiquette, customs and courtesies, including
those procedures and guidelines to be followed when using remote computer
services and transferring files from other computers (e.g., IETF RFC 1780);
5.3.5. familiarizing themselves with any special requirements for accessing,
protecting and utilizing data, including Privacy Act requirements, copyright
requirements, and procurement sensitive data; and
5.3.6 adhering to all conditions set forth in section 4.5.
6. Applicable Laws/Guidance
Generally, HHS employees may use HHS IT resources for authorized purposes
only. As set forth below, limited personal use of the government office
equipment by employees during non-work time is considered to be an "authorized
use" of Government property. Authority for this policy is 5 U.S.C.
sec 301, which provides that the head of an executive department or military
department may prescribe regulations for the use of its property; and Executive
Order 13011, Federal Information Technology, section 3(a)(1), which delineates
the responsibilities of the Chief Information Officer (CIO) Council by providing
recommendations to agency heads relating to the management and use of information
technology resources. Other authorities include:
- Computer Security Act of 1987, PL 100-235, 101 Stat. 1724
- The Privacy Act
- The Hatch Act (Standards of Conduct)
- The Freedom of Information Act
- OMB Circular A-130, "Management of Federal Information Resources"
- Standards of Ethical Conduct for Employees of the Executive Branch"
promulgated by the Office of Government Ethics
- IETF RFC 1780 J. Postel, "Internet Official Protocol Standards," March
28, 1995
7. Information and Assistance
Direct questions, comments, suggestions or requests for further information
to the Deputy Assistant Secretary for Information Resources Management,
(202) 690-6162.
8. Effective Date/Implementation
The effective date of this policy is the date the policy is approved.
These policies and procedures will not be implemented in any recognized
bargaining unit until the union has been provided notice of the proposed
changes and given an opportunity to fully exercise its representational
rights.
The HHS policies contained in this issuance shall be exercised in accordance
with Public Law 93-638, the Indian Self-Determination and Education Assistance
Act, as amended, and the Secretary's policy statement dated August 7, 1997,
as amended, titled "Department Policy on Consultation with American Indian/Alaska
Native Tribes and Indian Organizations." It is
HHS' policy to consult with Indian people to the greatest practicable extent
and to the extent permitted by law before taking actions that effect these
governments and people; to assess the impact of the Department's plans,
projects, programs and activities on tribal and other available
resources; and to remove any procedural impediments to working directly
with tribal governments or Indian people.
9. Approved
____/s/______________________________ 01/08/01
John J. Callahan
Assistant Secretary for Management and Budget
Glossary
- Browser - a software tool used to locate and view data in standardized
formats on other computers.
- Employee non-work time - times when the employee is not otherwise
expected to be addressing official business. Employees may, for example,
use government office equipment during their own off-duty hours such as
before or after a workday (subject to local office hours), lunch periods,
authorized breaks, or weekends or holidays (if their duty station is normally
available at such times).
- HHS Information Technology resources - includes but is not limited
to: personal computers and related peripheral equipment and software,
network and web servers, telephones, facsimile machines, photocopiers,
Internet connectivity and access to internet services, e-mail and, for
the purposes of this policy, office supplies. It does not include data
stored in or transported by such resources.
- Information technology - any equipment or interconnected system
or subsystem of equipment that is used in the automatic acquisition, storage,
manipulation, management, movement, control, display, switching,
interchange, transmission, or reception of data.
- Internet - a worldwide electronic system of computer networks
which provides communications and resource sharing services to government
employees, businesses, researchers, scholars, librarians and students
as well as the general public.
- Minimal additional expense - the employee’s personal use of HHS
IT resources is limited to those situations where the government is already
providing equipment or services and the employee’s use of such equipment
or services shall not result in any additional expense to the government
or the use will result in only normal wear and tear or the use of small
amounts of electricity, ink, toner or paper. Examples of minimal additional
expenses include making a few photocopies, using a computer printer to
printout a few pages of material, making occasional brief personal phone
calls (within agency policy and 41 CFR 101-35.201), infrequently sending
personal e-mail messages, or limited use of the Internet for personal
reasons.
- Personal use - activity that is conducted for purposes other
than accomplishing official or government business. HHS employees are
specifically prohibited from using government office equipment to maintain
or support a personal private business. Examples of this prohibition include
employees using a government computer and Internet connection to run a
travel business or investment service. The ban on using government office
equipment to support a personal private business also includes employees
using HHS IT resources to assist relatives, friends, or other persons
in such activities. Employees may, however, make limited use under this
policy of government office equipment to, for example but not limited
to, check their Thrift Savings Plan or other personal investments,
or to seek employment, or communicate with a volunteer charity organization.
- Privilege - in the context of this policy, that HHS is extending
the opportunity to its employees to use HHS IT resources for personal
use in an effort to create a more supportive work environment. However,
this policy does not create the right to use HHS IT resources for non-government
purposes. Nor does the privilege extend to modifying such equipment, including
loading personal software or making configuration changes.
- Shared HHS IT resource - any HHS IT resource that is managed
by one HHS organization but used by many (e.g., the PSC Network).
- World-wide Web (WWW) - The collection of web pages (documents)
which are developed in accordance with the HTML (hypertext) Web format
standard and may be accessed via Internet connections using a WWW browser.
|