Internet Policies for Municipalities
(from Maine Townsman, January 1998)
by JeriAnn Holt, Municipal Information Network Manager

As more and more municipal officers plan to connect to the Internet and make e-mail capability available, fears of misuse of this privilege arise. Municipalities need to be proactive and develop policies for use of the Internet and e-mail and incorporate these policies and technology issues into employee training. Before hooking up, there should be two or three policies in effect to protect the municipality and to make clear the rights and responsibilities of employees using the system.

The Center for Technology in Government conducted a two-year study of government use of the Internet. As part of this study they looked at Internet policies around the nation. They concluded that there were various styles of policies; however, three main areas were included in most government Internet policies:

In addition, newer Internet policies also contained web site design criteria.

The necessary policies can be written separately or can be combined into one Internet policy. For the purposes of discussion here, they will be divided into the three separate policy issues: Internet Acceptable Use Policy; E-mail Policy; and Policy for Retention of E-mail. This article will deal with the Internet Policy. E-mail and Retention will be discussed in the next issue because of space constraints.

Internet Acceptable Use Policies should contain the following:

I. A purpose statement that explains why the Internet policy is being written.

Some sample language:

"Electronic mail, Internet and telecommunication access are resources made available to city employees to communicate with each other, other governmental entities, companies and individuals for the benefit of the city." City of Portland

"To ensure that use of the Internet among employees of the City of Seattle is consistent with City policies, all applicable laws, and the individual user's job responsibilities.

To establish basic guidelines for appropriate use." City of Seattle

"The agency connection to the global Internet exists to facilitate the official work of ________________. The Internet facilities and services will contribute broadly to the missions of _________________.

The Internet connection and services are provided for employees and persons legitimately affiliated with _____________ for the efficient exchange of information and the completion of assigned responsibilities consistent with the ___________ statutory purposes.

The use of the Internet facilities by any employee or other person authorized must be consistent with this Acceptable Use Policy and security policies." State of New York

II. The next section should be the policy statements that would include acceptable and unacceptable activities. These statements should:

    • Indicate appropriate use and/or prohibit anything but work related activities;
    • Prohibit downloading and/or distributing copyrighted materials or software;
    • Prohibit unlawful activities or solicitations; and

Some sample language:

"The system is city property and intended for city business. The system is not to be used for employee personal gain or to support or to advocate for non-city related business or purposes." City of Portland

"All use of the Internet must be in compliance with all applicable laws and policies (federal, state and local, in addition to City policies); for example sexual harassment. Internet access via City resources, therefore, must not be used for illegal purposes." City of Seattle

"Principles of Acceptable Use - users are required:

To respect the privacy of other users; for example, users shall not intentionally seek information on, obtain copies of, or modify files or data, belonging to other users, unless explicit permission to do so has been obtained.

To respect the legal protection provided to programs and data by copyright and license.

To protect data from unauthorized use or disclosure as required by state and federal laws and agency regulations.

To respect the integrity of computing systems: for example, users shall not use or develop programs that harass other users or infiltrate a computer or computing system and/or damage or alter the software components of a computer or computing system.

To safeguard their accounts and passwords. Any user changes of password must follow published guidelines for good passwords. Accounts and passwords are normally assigned to single users and are not to be shared with any other person without authorization. Users are expected to report any observations of attempted security violations." State of New York's Sample Agency Policy

Unacceptable activities are those "that do not conform to the purpose, goals, and mission of the department and to each user's authorized job duties and responsibilities. The following list, although not all-inclusive, provides some examples of unacceptable uses:

Private or personal, for-profit activities (e.g., consulting for pay, sale of goods such as Avon and Amway products, etc.);

Use for private or personal business and/or gain;

Use for any illegal purpose, including communications that violate any laws or regulations;

Transmitting threatening, obscene, or harassing messages;

Intentionally seeking information about, obtaining copies of, or modify files, other data, or passwords belonging to other users, unless explicitly authorized to do so by those users;

Interfering with or disrupting network users, services, or equipment. Such disruptions could include, but are not limited to, (1) distribution of unsolicited advertising or messages, (2) propagation of computer worms or viruses, and (3) using the network to gain unauthorized entry to another machine on the network; and

Seeking/exchanging information, software, etc. that is not directly related to one's duties and responsibilities. " State of Virginia's Sample Acceptable Use Policy

Reserve the right to monitor transactions. Software is available to track which sites have been visited and the amount of time spend at each site.

Some sample language:

"Agency Rights Pursuant to the Electronic Communications Privacy Act of 1986 (18 USC 2510 et seq), notice is hereby given that there are NO facilities provided by this system for sending or receiving private or confidential electronic communications. System administrators have access to all mail and user access requests, and will monitor messages as necessary to assure efficient performance and appropriate use. Messages relating to or in support of illegal activities will be reported to the appropriate authorities.

The agency reserves the right to log network use and monitor file server space utilization by users and assumes no responsibility or liability for files deleted due to violation of file server space allotments.

The agency reserves the right to remove a user account from the network." State of New York's Sample Agency Policy

    1. The next section should contain information on responsibility for complying with this policy.

Some sample language:

" Each individual user is responsible for complying with this and all other relevant policies when using the City's resources for accessing the Internet. Use of these same resources in violation of this policy or of applicable department policies is grounds for disciplinary action." City of Seattle

"All users of . . . Internet services are required to acknowledge acceptance of and intention to comply with this policy by signing the attached "Use Agreement . . . . Signed agreements will be forwarded to the Office of Security." State of Virginia's Sample Acceptable Use Policy

The policy should be followed by a statement that summarizes the issues covered in the policy; or as in the sample, covers additional issues of security. (Sample agreement in sidebar.) This should be gone over and signed by each employee before he or she is given access to the Internet.

Always remember that the municipality is ultimately responsible, as the owner of the system, for "allowing" the use or abuse of the technology. With policies, training, and disciplinary procedures in place, the municipality can "control" that liability as they would any other personnel issue. Good, clear policies let both municipality and employee know exactly what their rights and responsibilities are.

Resources available on the Internet or from MMA's Local Government Resource Center:

"Acceptable Use Policy for Bulletin Boards, On-Line Subscriptions, and Internet Services." [Link is no longer valid]

"Administrative Regulation No. 43: Internet and Electronic Mail Policy" City of Portland.

"A Brief Survey of Government Internet Policies: Internet Services Testbed" Center for Technology in Government. http://www.ctg.albany.edu/projects/inettb/polsurv.html#2

"Department of Administrative Services Number: 03-13" and "Department of Administrative Services Number: 03-21." http://www.state.or.us/IRMD/policies/03-13net.htm and http://www.state.or.us/IRMD/policies/03-21aup.htm [Links no longer available]

"Governor's Task Force on Information Resource Management Technology Policy 96-8." http://www.irm.state.ny.us/policy/tp_968.htm

"Memorandum - City of Seattle." http://mrsc.org/infoserv/seattle.htm

"Municipal Policies on Internet Usage and E-Mail Document Retention" by Isabel R. Sofora, Senior Port Counsel, Port of Seattle. http://mrsc.org/infoserv/safora.htm

"Richland, WA Computer & Networks Use Policies." http://mrsc.org/infoserv/richland.htm

"Whatcom County Computer Services Policies and Procedures." http://mrsc.org/infoserv/whatcom.htm

 

Use Agreement for Internet Services

[Sample adapted from the State of Virginia's Policy]

I have been authorized access to Internet services. This access is provided through municipal-owned personal computers and/or networks.

I have read, understand, and agree to abide by the Acceptable Use Policy for Internet Services and the following additional terms and conditions that govern my use of these services.

Employee or Consultant Name (Print):

Employee or Consultant Signature:

Date: