Guidelines for Developing Internet and Email Use Policy
- Questions to Ask In Developing An Agency Internet Use Policy
- E-mail Issue
- Security Issues
- Update and Dissemination of Internet Policy
- Checklist of Issues
- Agency Need for Internet
- Responsible Use of the Internet
- Electronic Mail
- Copyright Guidelines
- Public Domain Material
- Regulation, Enforcement, and Penalties
- Employee Consent
- Other State Resources
The Internet is an efficient and timely communication tool that can be used by state employees to accomplish government functions and to conduct the state’s business within an organization, with other governmental agencies, and with the public. The use of this resource should be limited to legitimate state business and governed by rules of conduct similar to those applicable to the use of other information technology resources.
As required by Act 1287 (2001), each Arkansas state agency, board, commission, and institute of higher learning that provides access to the Internet is responsible for establishing and implementing a policy regarding the appropriate use of the Internet.
Act 1287 states “ A statement of the agency’s policy regarding the use of the Internet shall include:
(A) The penalties for violations of the agency’s Internet policy;
(B) The number of employees and computers which have access to the Internet and the percentage of those employees and computers to the total number of employees and computers;
(C) The needs of the agency and how it relates to the use of the Internet; and
(D) The responsibilities of the agency’s employees as it relates to the efficient and responsible use of the Internet.
Additional reasons for establishing an Internet Use Policy are:
- To avoid liability if an employee uses the agency’s Internet access or intranet facilities for unlawful purposes
- To reduce inappropriate Internet use by providing guidance to employees
- To inform employees and secure employee consent if e-mail and Internet use are monitored by an agency
The purpose of these guidelines is to define the acceptable and unacceptable uses of the Internet by state employees in the performance of their duties and to help agencies plan for Internet usage when it is the most cost effective and technologically efficient vehicle for the dissemination and exchange of information.
Questions to Ask In Developing An Agency Internet Use Policy
The following questions are suggested to assist in the development of an agency’s Internet policy. Agencies should develop their policies in coordination with their overall IT strategies and address the following issues in doing so.
- Who needs access to the Internet and why?
- Should there be certain criteria for determining who really needs Internet access, or should Internet access be automatically available to anyone on a department LAN?
- What type of Internet access will be allowed? Filtered? Unfiltered?
- What restrictions should there be, if any?
- How should the use of the Internet be monitored, or should it be monitored at all?
- Who will determine access restrictions?
- Should there be restrictions on the size of downloaded files, and if so, who will establish these restrictions? What about other bandwidth-intensive applications?
- What will be the consequences of misuse or abuse of Internet access? Be specific!
- What procedures should be establishedto prevent abuse of network monitoring practices by network administrators (or their delegates)?
- What federal and state legal issues concerning Internet use should be addressed?
- How will proper distribution of agency information be enforced?
- How will the distribution, whether inadvertent or intentional, of restricted, inappropriate or proprietary information be prevented?
- Should there be a department-wide standard for the technical means to access the Internet, i.e., for software, security measures, modems, or network connections?
- How will IT resources supporting Internet usage be managed including but not limited to those resources used for other IT functions?
- What functional unit will be responsible for technical support of accessing and using the Internet and will that unit also be responsible for supporting the home page and related links?
- What will be the policies for appropriate Internet e-mail usage?
- How strict should the e-mail policy be? Why?
- Should an e-mail etiquette policy be published?
- What will the policy for storing and purging e-mail messages be?
- Who will be responsible for developing, maintaining, and monitoring Internet access security policies?
- What are the security risks? (For example aliases, file downloading, e-mail viruses, etc.)
- How will security compromises best be prevented?
- How will confidentiality be maintained where required?
- What will be the consequences for failing to follow security rules?
Update and Dissemination of Internet Policy
- Should the Internet policy be included in the department’s operations manual? In the employee handbook?
- How often should the policies be reviewed for currency and accuracy given the rate at which technology becomes obsolete?
- How will employees be informed of this policy and amendments to it? By signing a consent form?
Checklist of Issues
The following is a checklist of issues with associated policy statements that may be used to describe your agency’s policy requirements for Internet use. Some of these statements may overlap or be contradictory since they represent a wide range of thought concerning Internet Use. Examine these statements with care, and decide if they further the Internet Use Policy to be established for your organization.
Agency Need for Internet
Agencies provide access to the Internet as a privilege and a tool for employees who agree to use the resource in a considerate and responsible manner. The Internet can be used to:
- Provide an efficient method to exchange information within state agencies, between governmental agencies, and to the public.
- Facilitate the implementation of statewide e-mail systems.
- Provide sources of data to assist state organizations in accomplishing their stated mission and program goals.
- Serve as a conduit to state information systems (for example, AASIS).
Responsible Use of the Internet
It is unacceptable for a user to use, submit, publish, display, or transmit any information which:
- Violates or infringes on the rights of any other person, including the right to privacy;
- Contains defamatory, false, inaccurate, abusive, obscene, pornographic, profane, sexually oriented, threatening, racially offensive, or otherwise biased, discriminatory, or illegal material;
- Violates agency or departmental regulations prohibiting sexual harassment;
Restricts or inhibits other users from using the system or the efficiency of the computer systems;
- Encourages the use of controlled substances or uses the system for the purpose of criminal intent; or
- Uses the system for any illegal purpose.
It is also unacceptable for a user to use the facilities and capabilities of the system to:
- Conduct any non-approved business;
- Solicit the performance of any activity that is prohibited by law;
- Transmit material, information, or software in violation of any local, state or federal law;
- Conduct any political activity;
- Conduct any non-governmental-related fund raising or public relations activities;
- Engage in any activity for personal gain or personal business transactions; or
- Make any unauthorized purchases.
Electronic mail is provided to support open communication and the exchange of information between staff and other appropriate entities who have access to a network. This communication allows for the collaboration of ideas and the sharing of information. E-mail is a necessary component of teamwork at the agency.
E-mail is considered network activity, thus, it is subject to all policies regarding acceptable/unacceptable uses of the Internet and the user should not consider e-mail to be either private or secure.
Sample statements regarding agency monitoring and privacy of e-mail:
- The agency reserves the right to monitor or log all network activity with or without notice, including e-mail and all web site communications, and therefore, users should have no reasonable expectation of privacy in the use of these resources.
- The agency will not monitor e-mail transmissions on a regular basis, though the construction, repair, operations and maintenance of electronic messaging systems may occasionally result in monitoring random transmitted or stored messages.
- Messages may be monitored during the course of investigations of illegal activity.
- Managers may require access to data (including e-mail) under their employee’s control when necessary to conduct agency business.
- The agency will permit third party access to private e-mail only where written consent has been obtained from both the sender and recipient except to investigate illegal activity, misuse of the system, to resolve a technical problem, or similar circumstances. Any electronic record (including e-mail) that serves to document the organization, functions, policies, decisions, procedures, operations or other activities is considered public record and subject to FOI (FOI exempts any electronic record that would compromise an agency’s security).
- Electronic messages are often stored for backup purposes. Agency employees should assume that all electronic messages are stored for a period of ____ days on ______ (type of media).
- Agency employees shall not read the e-mail of other employees without a legitimate business purpose consistent with the agency’s policies and business practices. Doing so will result in disciplinary action.
Sample statements identifying unacceptable uses of e-mail:
- Any activity covered by inappropriate use statements included herein;
- Sending / forwarding chain letters, virus hoaxes, etc.;
- Sending/forwarding or opening executable files (.exe) or other attachments; unrelated to specific work activities, as these frequently contain viruses;
- Use of abusive or profane language in messages;
- Use that reflects poorly on the agency or state of Arkansas;
- Violating the agency’s e-mail etiquette policy (if one has been published).
Sample statements addressing e-mail as a public record:
- The agency will attempt to provide an electronic messaging environment that provides data confidentiality and integrity. However, the agency cannot be responsible for web-based e-mail systems such as Yahoo, Juno, etc. State employees should always be aware of the risks associated with the use of both types of systems.
- Users should take note that the agency business generated on e-mail is a public record, subject to public inspection, and is not confidential, unless specifically cited by statute. When an e-mail message is a public record, it shall be retained in accordance with State statutes. E-mail messages of only transitory value need not be saved. In fact, the failure to routinely delete these messages clogs information systems, strains storage resources, and creates agency liability risks.
Users may download copyrighted material, but its use must be strictly within the agreement as posted by the author or current copyright law. The federal Copyright Act at 17 U.S.C. 101 et. seq. (1988), protects and prohibits misuse of all original works of authorship in any tangible medium of expression. This includes a prohibition on plagiarism.
Sample statements addressing copyright issues:
- Each user is responsible for observing all local, state, and federal laws, especially in regard to copyright laws. The agency will not be responsible for the cost of any legal action taken against any user that violates such laws regardless of the situation or the intent or purpose of the user.
- All staff that use software owned by the agency must abide by the limitations included in the copyright and license agreements entered into with software providers. It is unlawful to copy most software products.
Public Domain Material
Any user may download public domain programs for job-related use, or may redistribute a public domain program non-commercially. However, doing so assumes all of the risks regarding the determination of whether or not a program is in the public domain.
Regulation, Enforcement, and Penalties
Agency Directors (or their delegated representatives) are responsible for enforcing compliance with provisions of this policy and investigating suspected non-compliance. Penalties for non-compliance include, but are not limited to:
- Suspension of Internet service to users with or without notice.
- Internal disciplinary measures, including discharge for instances of non-compliance that result in damage or otherwise compromise the agency or its employees, agents, or customers.
- Initiation of criminal or civil action, if appropriate.
All state employees having access to the Internet must consent to the policies developed by their employing agencies. Proof of this should be accomplished through a signed Consent Form or some other established procedure. The method to obtain and maintain these forms (or other formal method of ensuring the employee understands and accepts the policy) should be included in the agency’s policy. The purpose is to clarify both the agency’s and the employee’s expectations concerning access and use of Internet service provided through the agency, reducing the liability of both. Each time this policy is modified in any way, employees should be notified, and if necessary, repeat the consent process.
Sample Consent Form
I _______________ have read this Internet Use Policy and agree to comply with all its terms and conditions. Furthermore, I _____________ understand that the agency will not monitor e-mail transmissions or Internet access on a regular basis, though the construction, repair, operations and maintenance of systems may occasionally result in monitoring random user activity.
This state agency makes no warranties of any kind, whether expressed or implied, for the service that is the subject of this policy. In addition, state agencies will not be responsible for any damages whatsoever which employees may suffer arising from or related to their use of any state agency electronic information resources, whether such damages be incidental, consequential or otherwise, or whether such damages include loss of data resulting from delays, non-deliveries, mistaken deliveries, or service interruptions whether caused by either a state agency’s negligence, errors, or omissions. Users must recognize that the use of state agency electronic information resources is a privilege and that the policies implementing usage are requirements that mandate adherence.
Other State Resources
It may be useful to review policies found at the following links. The presence of these links on this site does not indicate OIT’s endorsement of the policy content. In addition, the legislation establishing requirements for an Internet Use policy for agencies in Arkansas may differ markedly from that of other states.
- State of California
- Commonwealth of Kentucky
- State of Pennsylvania
- State of South Carolina
- State of Washington
- State of West Virginia
Last edited: 04/23/03