HHS IRM Policy for Personal Use Of Information Technology Resources

February 17, 2006

HHS-OCIO-2006-0001

Table of Contents

• 1. Nature of Changes
• 2. Purpose
• 3. Background
• 4. Scope
• 5. Policy
• 6. Roles and Responsibilities
  • 6.1. The OPDIV CIOS
  • 6.2. Management Officials
  • 6.3. HHS Employees and Users of HHS IT Resources
• 7. Applicable Laws/Guidance
• 8. Information and Assistance
• 9. Effective Date/Implementation
• 10. Approved
• Glossary

1. Nature of Changes

This is a revision to the November 23, 2004 issuance of the HHSIRM Policy for Personal Use of Information Technology Resources, in response to HHS moving to a new contractual support model for operations whereby ownership of said equipment is no longer a given. However, HHS must enforce Standards of Ethics for all who perform work on behalf of and at the direction of HHS (employees, contractors, interns and others). Modifications to this policy can be found in the following sections:

1. Section 2, Purpose, has been modified to cite the nature of the change and that this version supercedes the November 23, 2004 version of same Policy.
2. Section 4, Scope, has been modified to cite this version supercedes the November 23, 2004 version of same Policy.
3. Section 5, Policy, has been modified to remove the Peer-to-Peer examples in 5.4.18.
4. Section 6.3, has been updated to add clarity.
5. Section 8, has been updated for title correction.
6. Section 10, Approval, updated signature line and (effective date) date.
7. Glossary: added IT Resources definition; Employee definition.
8. General changes have been made to update the organization titles from the Deputy Assistant Secretary Information Resources Management to the Deputy Assistant Secretary for Information Technology; from the Office of the Deputy Chief Information Officer to the Office of the Chief Information Officer.

2. Purpose

The purpose of this Department of Health and Human Services (HHS) document is to convey the established policy for limited acceptable personal use of HHS information technology (IT) resources by staff, contractor, intern and other HHS personnel in light of HHS moving to a new contractual support model for operations whereby ownership of said equipment is no longer a given. This policy has established new privileges and additional responsibilities for employees in HHS. It recognizes these employees as responsible individuals who are the key to making government more responsive to its citizens. It allows employees to use HHS IT resources for non-government purposes when such use involves minimal additional expense to the government, is performed on the employee’s non-work time, does not interfere with the mission or operations of HHS and does not violate the Standards of Ethical Conduct for Employees of the Executive Branch.

This policy supercedes HHSIRM Policy for Personal Use of Information Technology Resources, HHS-IRM-2004-0001 dated November 23, 2004. This policy does not supersede any other applicable law or higher level agency directive, policy guidance, or existing labor management agreement in affect as of the effective date of this policy.

3. Background

The Executive Branch of the Federal Government serves the American people through hundreds of thousands of employees located in offices across the nation. Increasingly, the Government is called upon to deliver more and better services to a growing population that continues to expect ever-increasing improvements in service delivery. Much of this productivity increase has come about through the use of modern information technology such as computers, facsimile machines, and the Internet. This technology has raised new opportunities for its use by employees to live their lives more efficiently in balance with the overriding imperative that American taxpayers receive the maximum benefit for their tax dollars.

Taxpayers have the right to depend on their Government to manage their tax dollars wisely and effectively. Public confidence in the productiveness of government is increased when members of the public are confident that their government is well managed and assets are used appropriately. The relationship between the Executive Branch and the employees who administer the functions of the Government is one based on trust. Consequently, employees are expected to follow rules and regulations and to be responsible for their own personal and professional conduct. The Standards of Conduct states “Employees shall put forth honest effort in the performance of their duties” [Section 2635.101 (b)(5)].

HHS employees shall be provided with a professional supportive work environment. They shall be given the tools needed to effectively carry out their assigned responsibilities. Allowing limited personal use of these tools helps enhance the quality of the workplace and helps the Government to retain highly qualified and skilled workers.

This policy is based on a model policy adopted by the Chief Information Officers Council for the Executive Branch and has been updated to implement OMB’s memo M-04-26, Personal Use Policies and “File Sharing” Technology, dated September 8, 2004.

4. Scope

This policy applies to all Departmental Operating Divisions, including the

Office of the Secretary, and organizations conducting business for and on behalf of the Department through contractual relationships when using HHS IT resources. The policies contained in this HHS document apply to all HHS IT activities including the equipment, procedures and technologies that are employed in managing these activities. The policy includes teleworking, travel and other off-site locations as well as all of the office locations of the Department. This policy does not supersede any other applicable law or higher level agency directive or policy guidance. Agency officials shall apply this policy to contractor personnel, interns, and other non-government employees through incorporation by reference in contracts or memorandums of agreement as conditions for using Government provided IT resources.

This policy supersedes HHSIRM Policy for Personal Use of Information Technology Resources, HHS-IRM-2004-0001 dated November 23, 2004.

5. Policy

The following policies shall be in effect for each Operating Division unless the Operating Division adopts a more restrictive set of personal use policies or existing labor management agreements preclude one or more of the policies listed below.

5.1 Employees are permitted limited personal use of HHS IT resources. This personal use shall not result in loss of employee productivity, interference with official duties or other than “minimal additional expense” to HHS in areas such as:

5.1.1 communications costs for voice, data, or video image transmission;

5.1.2 use of consumables in limited amounts (such as: paper, ink, toner);

5.1.3 general wear and tear on equipment;

5.1.4 data storage on storage devices; and

5.1.5 transmission impacts with moderate e-mail message sizes, such as e-mails with small attachments.

5.2 Employees have no inherent right to employ HHS IT resources for personal use.

5.3 Unauthorized or inappropriate use of HHS IT resources could result in loss of use or limitations on use of equipment, disciplinary or adverse actions, criminal penalties and/or employees or other users being held financially liable for the cost of inappropriate use.

5.4 Employees are expected to conduct themselves professionally in the workplace and to refrain from using government office equipment for activities that are inappropriate. Misuse or inappropriate personal use of HHS IT resources includes:

5.4.1 any personal use that could cause congestion, delay, or disruption of service to any HHS IT resource. For example, greeting cards, video, sound or other large file attachments can degrade the performance of the entire network as does some uses of “push” technology, such as audio and video streaming from the Internet.

5.4.2 the intentional creation, downloading, viewing, storage, copying or transmission of sexually explicit or sexually oriented materials;

5.4.3 the intentional creation, downloading, viewing, storage, copying or transmission of materials related to gambling, illegal weapons, terrorist activities, and any other illegal activities or activities otherwise prohibited;

5.4.4 use for commercial purposes or in support of “for-profit” activities or in support of other outside employment or business activity (such as consulting for pay, sales or administration of business transactions, sale of goods or services);

5.4.5 engaging in any outside fund-raising activity, including non-profit activities, endorsing any product or service, participating in any lobbying activity, or engaging in any prohibited partisan political activity;

5.4.6 posting agency or personal information to external newsgroups, bulletin boards or other public forums without authority, including information which is at odds with Departmental missions or positions. This includes any use that could create the perception that the communication was made in one’s official capacity as a Federal Government employee, unless appropriate Agency approval has been obtained;

5.4.7 establishing personal, commercial and/or non-profit organizational web pages on government owned machines;

5.4.8 use of HHS systems as a staging ground or platform to gain unauthorized access to other systems;

5.4.9 the creation, copying, transmission, or retransmission of chain letters or other unauthorized mass mailings regardless of the subject matter;

5.4.10 use of HHS IT resources for activities that are illegal, inappropriate, or offensive to fellow employees or the public. Such activities include, but are not limited to: hate speech, or material that ridicules others on the basis of race, creed, religion, color, age, sex, disability, national origin, or sexual orientation;

5.4.11 the addition of personal IT resources to existing HHS IT resources without the appropriate management authorization, including the installation of modems on HHS data lines and reconfiguration of systems;

5.4.12 use that could generate more than minimal additional expense to the government;
5.4.13 the intentional unauthorized acquisition, use, reproduction, transmission, or distribution of any controlled information including computer software and data that includes information subject to the Privacy Act, copyrighted, trade marked or material with other intellectual property rights (beyond fair use), proprietary data, or export controlled software or data; and

5.4.14 use or creation of unauthorized list servers or the distribution of unauthorized newsletters;

5.4.15 using another person’s digital authentication;

5.4.16 sending anonymous messages;

5.4.17 avoiding established security procedures;

5.4.18 using Peer-to-Peer (P2P) software without OPDIV CIO (or delegate) approval;

5.5 Operating Divisions may adopt policies that are more restrictive than those contained in this Departmental policy.

5.6 Future labor management agreements shall comply with this policy.

5.7 Any use of HHS IT resources, including e-mail, is made with the understanding that such use may not be secure, is not private, is not anonymous and may be subject to disclosure under the Freedom of Information Act (FOIA). HHS employees do not have a right to, nor shall they have an expectation of, privacy while using HHS IT resources at any time, including accessing the Internet through HHS gateways and using e-mail, which may be subject to release pursuant to the Freedom of Information Act. To the extent that employees wish that their private activities remain private, they shall avoid making personal use of HHS IT resources.

5.8 Electronic data communications may be disclosed within the Department to employees who have a need to know in the performance of their duties (such as, with manager approval technical staff may employ monitoring tools in order to maximize the utilization of their resources, which may include the detection of inappropriate use).

5.9 The privacy rights of an individual may not be violated.

6. Roles and Responsibilities

6.1. The OPDIV CIOS

Operating Division CIOs are responsible for:

6.1.1. the dissemination of this policy to all employees within their respective organizations;
6.1.2. training all employees on personal use policies and to include inappropriate use;
6.1.3. implementing security controls to prevent and detect improper file sharing; and,
6.1.4. establishing waiver procedures and signature file for any and all approved Peer-to-Peer software purchases and implementations.

6.2. Management Officials

6.2.1. Management officials, in their supervisory role, are responsible for:

6.2.1.1. informing users of their rights and responsibilities, including the dissemination of the information in this policy to individual users;
6.2.1.2. addressing inappropriate use by employees who report to them;
6.2.1.3. receiving reports of inappropriate use from IT resource management officials and sharing these reports, as appropriate, within their own management structure; and
6.2.1.4. notifying, when appropriate, law enforcement officials.

6.2.2. Managers of HHS IT resources may use system monitoring software in order to improve the performance of the resource. When a resource manager identifies an inappropriate use, he/she shall notify the Operating Division CIO through the normal chain of command and, as appropriate, terminate the access of the individual(s) to the IT resource after informing the Operating Division CIO of the action to be taken.

6.3. HHS Employees and Users of HHS IT Resources

Users, including employees, contractors, interns and others, when using IT equipment that HHS uses in official capacity, are responsible for:

6.3.1. seeking guidance from their supervisors when in doubt about the implementation of this policy;
6.3.2. ensuring that they are not giving the false impression that they are acting in an official capacity when they are using HHS IT resources for non-government purposes. If there is expectation that such a personal use could be interpreted to represent an agency, then an adequate disclaimer shall be used. For example: "The contents of this message are mine personally and can not be construed to be endorsed (inferred or implied) by the Government nor by my agency.”

6.3.3. following policies and procedures in their use of IT Resources (for example: Internet and e-mail) and refraining from any practices which might jeopardize HHS computer systems and data files, including but not limited to virus attacks, when downloading files from the Internet;

6.3.4. learning about Internet etiquette, customs and courtesies, including those procedures and guidelines to be followed when using remote computer services and transferring files from other computers (such as, IETF RFC 1780);

6.3.5. familiarizing themselves with any special requirements for accessing, protecting and utilizing data, including Privacy Act requirements, copyright requirements, and procurement sensitive data;

6.3.6. adhering to all conditions set forth in section 5, Policy; and,

6.3.7. completing IT security training on agency personal use policies. Policies include a waiver or exception process.

7. Applicable Laws/Guidance

Generally, HHS employees may use HHS IT resources for authorized purposes only. As set forth below, limited personal use of the government office equipment by employees during non-work time is considered to be an “authorized use” of Government property. Authority for this policy is 5 U.S.C. sec 301, which provides that the head of an executive department or military department may prescribe regulations for the use of its property; and Executive Order 13011, Federal Information Technology, section 3(a)(1), which delineates the responsibilities of the Chief Information Officer (CIO) Council by providing recommendations to agency heads relating to the management and use of information technology resources. Other authorities include:

• Computer Security Act of 1987, PL 100-235, 101 Stat. 1724
• The Privacy Act
• The Hatch Act (Standards of Conduct)
• The Freedom of Information Act
• OMB Circular A-130, "Management of Federal Information Resources"
• Standards of Ethical Conduct for Employees of the Executive Branch" promulgated by the Office of Government Ethics
• IETF RFC 1780 J. Postel, "Internet Official Protocol Standards," March 28, 1995
• Federal Information Security Management Act of 2002 (FISMA)
• OMB Memorandum M-04-26, “Personal Use Policies and ‘File Sharing’ Technology”, dated September 8, 2004

8. Information and Assistance

Direct questions, comments, suggestions or requests for further information to the Deputy Assistant Secretary for Information Technology, (202) 690-6162.

9. Effective Date/Implementation

The effective date of this policy is the date the policy is approved.

These policies and procedures will not be implemented in any recognized bargaining unit until the union has been provided notice of the proposed changes and given an opportunity to fully exercise its representational rights.

The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy statement dated August 7, 1997, as amended, titled "Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations." It is

HHS' policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that effect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available

resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.

10. Approved

 

 

         /s/                              __February 17,  2006___________

Charles Havekost                              DATE

HHS Chief Information Officer

 

Glossary

• Browser - a software tool used to locate and view data in standardized formats on other computers.
• Employee – any person (includes interns, contractors, visitors, and state, local or foreign government exchange program participants), company or service provider who performs work, tasks, duties for or at the direction of HHS.
• Employee non-work time - times when the employee is not otherwise expected to be addressing official business. Employees may, for example, use government office equipment during their own off-duty hours such as before or after a workday (subject to local office hours), lunch periods, authorized breaks, or weekends or holidays (if their duty station is normally available at such times).
• HHS Information Technology resources - includes but is not limited to: personal computers and related peripheral equipment and software, network and web servers, telephones, facsimile machines, photocopiers, Internet connectivity and access to internet services, e-mail and, for the purposes of this policy, office supplies. It includes data stored in or transported by such resources for HHS purposes.
• Information Technology (IT) - any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data.
• Internet - a worldwide electronic system of computer networks which provides communications and resource sharing services to government employees, businesses, researchers, scholars, librarians and students as well as the general public
• Minimal additional expense - the employee’s personal use of HHS IT resources is limited to those situations where the government is already providing equipment or services and the employee’s use of such equipment or services shall not result in any additional expense to the government or the use will result in only normal wear and tear or the use of small amounts of electricity, ink, toner or paper. Examples of minimal additional expenses include making a few photocopies, using a computer printer to printout a few pages of material, making occasional brief personal phone calls (within agency policy and 41 CFR 101-35.201), infrequently sending personal e-mail messages, or limited use of the Internet for personal reasons.
• Peer-to-Peer (P2P) file sharing – as defined in OMB’s memo M-04-26, Personal Use Policies and “File Sharing” Technology, dated September 8, 2004, as: “…any software or system allowing individual users of the Internet to connect to each other and trade files….While there are many appropriate uses of this technology, the majority of files traded on P2P networks are copyrighted music files and pornography. …P2P is a common avenue for the spread of computer viruses within IT systems”.
• Personal use - activity that is conducted for purposes other than accomplishing official or government business. HHS employees are specifically prohibited from using government office equipment to maintain or support a personal private business. Examples of this prohibition include employees using a government computer and Internet connection to run a travel business or investment service. The ban on using government office equipment to support a personal private business also includes employees using HHS IT resources to assist relatives, friends, or other persons in such activities. Employees may, however, make limited use under this policy of government office equipment to, for example but not limited to, check their Thrift Savings Plan or other personal investments, or to seek employment, or communicate with a volunteer charity organization.
• Privilege - in the context of this policy, that HHS is extending the opportunity to its employees to use HHS IT resources for personal use in an effort to create a more supportive work environment. However, this policy does not create the right to use HHS IT resources for non-government purposes. Nor does the privilege extend to modifying such equipment, including loading personal software or making configuration changes.
• Shared HHS IT resource - any HHS IT resource that is managed by one HHS organization but used by many (such as, the PSC Network).
• Tridoc – A decimal numbering system used to identify specific “units of issue”. Technical Reference Information Document (TRIDOC) numbers reflect the Policy number which includes the part, chapter, section, and subsection numbers; organizing text into "Units of Issue, " or stand alone Sections containing relative "chunks" of information.
• World-wide Web (WWW) - The collection of web pages (documents) which are developed in accordance with the HTML (hypertext) Web format standard and may be accessed via Internet connections using a WWW browser.