List of active policies
| Name | Type | User consent |
|---|---|---|
| Acceptable Use of ICT Facilities Policy | Site policy | All users |
| EDC e-Learning Privacy Policy | Site policy | All users |
Summary
This policy sets out the authorised use of East Dunbartonshire Council’s ICT Facilities by employees, Elected Members, pupils and members of the public.
Failure to comply with this policy could result in access to ICT facilities being suspended or withdrawn completely.
Employees may also face disciplinary action.
Full policy
Acceptable Use Policy for East Dunbartonshire Council’s ICT Facilities
Overview:
This policy sets out the authorised use of East Dunbartonshire Council’s ICT Facilities by employees, Elected Members, pupils and members of the public.
Failure to comply with this policy could result in access to ICT facilities being suspended or withdrawn completely.
Employees may also face disciplinary action.
1 Acceptable Use Policy for Employees and Elected Members Using East Dunbartonshire Council’s ICT Facilities
Purpose:
This policy sets out the authorised use of:
· All electronic equipment capable of information processing;
· All peripherals such as scanners, printers and photocopiers;
· All software including, but not restricted to, Internet browsers, email and Instant Messaging
· All cabling and sockets;
· All other Council communication facilities such as telephones, mobile telephones and answer-phones and faxes.
Contacts
ICT Support Team Leader 601 8626
ICT Service Desk (General ICT related issues) 601 8888
Freedom of Information 601 8057
Data Protection Officer 601 5651
2 Compliance with Information Security Policies
2.1.1
Failure to comply with the Acceptable Use Policy, Mobile Devices Policy and Information Classification and Protection Policies may result in disciplinary action being taken under the Council’s disciplinary procedures the consequences of which can include dismissal, or the withdrawal of permission to use the Council's ICT equipment for personal purposes. If there is anything in this policy that you do not understand, please discuss it with your line manager.
2.1.2
Please note that the procedures and policies outlined in this policy, and in any related policy, may be reviewed or changed at any time. You will be alerted to important changes, and updates will be published on the Council’s intranet.
2.1.3
You must sign this page to indicate that you understand, and will abide by, the contents of the Council’s Information Security Policies.
2.1.4
I agree to:
· Comply with the terms of the Acceptable Use Policy, Mobile Devices Policy and Information Classification and Protection Policy;
· Take all reasonable steps to safeguard the ICT equipment and information of the Council;
· Ensure that my use of Council ICT facilities is limited, reasonable, responsible and not excessive, as defined in the Acceptable Use Policy;
· Only use Council authorised equipment and / or access the Corporate network for the purposes which I have been authorised;
· Not view or distribute racist, sexist, pornographic material or any material which seeks to encourage religious hatred or could cause offense
· Not to use email, instant messaging, the internet or any other software to insult, bully, harass or defame;
· Not infringe copyright or intellectual property laws, including downloading files which it is illegal / a breach of copyright to use;
· Not remove or subvert security measures or otherwise making unauthorised changes to equipment or software, or allowing others to do so;
· Not knowingly distribute viruses, or any form of malware (any software or code with malicious intent);
· Not to install any software without authorisation from ICT Services;
· Respect people’s privacy and confidentiality and comply with the Data Protection Act 1998;
· Safeguard my passwords and not share them;
· Not to allow unauthorised third-parties (e.g. children or friends) to use EDC equipment;
· Log out or lock my computer if I leave my workstation unattended (to do this press ctrl-alt-del and select ‘lock workstation’); and ensure that regular rest breaks are taken.
3 Introduction
East Dunbartonshire Council’s (The Council’s) information and communications facilities are provided by Information and Communications Technology Services (ICT) and made available to users for the purposes of the Council’s business. A certain amount of limited, reasonable and responsible personal use is permitted.
· Limited – means limited to business use and, where permitted, personal use subject to the discretion of line managers and the constraints set in this policy. Personal use should only take place outwith your working hours – i.e. before and after you begin work or in lunch or other official breaks.
· Reasonable – means that personal usage of Council ICT facilities must not interfere with the performance of work duties and must not impede the operation of East Dunbartonshire Council ICT facilities or Services.
· Responsible – means that users must be cognisant of the contents of this policy and other applicable Council policies, which set out the rights and responsibilities of employees or Elected Members of East Dunbartonshire Council.
· Excessive use - is usage which interferes with the performance of employees’ or Elected Members’ duties to the Council.
East Dunbartonshire Council is committed to the utilisation of advances in Information and Communications Technology. Information and communication plays an essential role in the conduct of the Council’s business. Corporate communications not only reflect on individuals but also on the Council as an organisation. The Council values the capacity that ICT gives employees and Elected
Members to communicate with colleagues, members of the public and work contacts, and the Council invests substantially in information technology and communications systems which enable you to work more efficiently. The Council trusts employees and Elected Members to use ICT responsibly.
Anybody seen misusing the system or any inappropriate material encountered should be reported to the appropriate line manager.
3.1 Scope
This policy applies to all employees and Elected Members of East Dunbartonshire Council who use the Council’s ICT facilities. ‘employees’ refers to all personnel whether they are full-time, part-time or fixed-term employees, trainees, tutors, volunteers, contractors, temporary employees or home-workers.
ICT facilities refer to equipment and / or systems which include:
· Desktop PCs
· Laptops
· Printers
· Servers
· Instant Messaging
· Intranet
· Internet
· Miscellaneous Software
· USB sticks and other peripherals and devices
· Digital or still cameras
· Photocopiers and scanners
· Telephones, Mobiles, and telephone equipment
· Answer-phones / voicemail
· Faxes
· Tablets, SMART and Mobile devices
All use of the Council’s ICT facilities is governed by the terms of this policy. If the Council’s rules and procedures are not adhered to, then use of ICT facilities may be curtailed or withdrawn and disciplinary action may follow. In accordance with the Council’s Disciplinary Procedures, serious breaches of this policy may be treated as gross misconduct which can result in dismissal.
Teaching and Education Services Support Staff must abide by this policy whilst using equipment outwith the Council to access the National Educational Portal (GLOW)
Although the detailed discussion of this policy is limited to use of computing equipment, email and Internet facilities, telephone communications and fax machines, the general principles underlying all parts of this policy also apply to all ICT Hardware and Software.
Please contact the ICT Support Team Leader with any questions.
3.2 Legal Precedence
For the avoidance of doubt, and in the event of an apparent contradiction occurring between legislation, policy or best practice guidelines, legislation will take priority. This also applies to any future legislation that may be enacted.
3.3 General Principles
3.3.1
Employees and Elected Members must use the Council's ICT facilities sensibly, professionally, lawfully, in a manner consistent with their duties, with respect for their colleagues and the Council, in accordance with this policy and the Council’s other rules and procedures.
3.3.2
The Council permits limited personal use of ICT facilities provided that personal use:
· Takes place outwith working hours i.e. before or after work or during lunch or other breaks;
· Does not interfere with the performance of Council duties;
· Does not take priority over work responsibilities;
· Does not cause unwarranted expense or any liability to be incurred by the Council;
· Does not have a negative impact on the Council in any way; and
· Is lawful and complies with this policy.
3.3.3
Employees and Elected Members must treat the Council’s paperbased and electronic information with the utmost care. Individuals can request information held about themselves under the Data
Protection Act 1998 and business and individuals can request a very wide range of information under the Freedom of Information Scotland Act 2002. In all such cases, this could include information contained in emails and other communications by Council employees.
Communications, even internal communications, should be made with the assumption that they will be disclosed.
3.3.4
Particular care must be taken when using email, instant messaging, the intranet including Social Media sites or internal message boards as a means of communication because all expressions of fact, intention and opinion may be binding on individuals and / or the Council and can be produced in court in the same way as other kinds of written statements.
3.3.5
The advantage of the Internet, social media, email and instant messaging is that they are extremely easy and informal ways of accessing and disseminating information, but this means that it is also easy to send out ill-considered statements. Employees and Elected Members should ensure that messages sent on email systems, by instant messaging or over the Internet including social
media sites display the same professionalism they would apply when writing a letter or a fax. Employees and Elected Members must not use these electronic media to do or say anything which would be subject to disciplinary or legal action in any other context, such as sending any discriminatory (on the grounds of a person's sex, race, age, sexual orientation, religion or belief), defamatory or other unlawful material. Employees should take advice from their line manager or the ICT Support Team Leader if they have any queries regarding this aspect of the policy.
3.3.6
Many aspects of communication are protected by intellectual property rights, which can be infringed by downloading, uploading, posting, copying, possessing, processing and distributing material.
Employees and Elected Members should only use material in a manner consistent with copyright and intellectual property rights.
3.3.7
Employees and Elected Members using the Council’s systems to access the internet do so at their own risk. The Council will not be responsible for losses incurred by Elected Members or employees
while making use of the Internet or email services for personal transactions.
3.3.8
The Council reserves the right to monitor and log all aspects of its computer systems and networks, including Internet sites visited by users, information exchanged with Internet sites and the downloading of files of all types.
3.3.9
The content of email and instant message communications sent and received by users is automatically filtered and content may be accessed to resolve technical problems or where there is reasonable suspicion of a breach of the Policy. The Council reserves the right to access employees email where there is a legitimate business need to do so, for example, to ensure business continuity when employees are absent from work for lengthy periods.
3.3.10
The Council reserves the right to monitor all network activity without notice, to facilitate maintenance, improvements to the service, or where there is reasonable suspicion of a breach of this Policy. Therefore users can have no expectation of privacy while making use of any Council ICT facilities.
3.4 Responsibilities
3.4.1
All Employees and Elected Members
Employees and Elected Members are responsible for the following:
· Complying with the terms of this policy;
· Taking all reasonable steps to safeguard the ICT equipment and information of the Council;
· Only using Council authorised equipment or accessing the Council network for authorised purposes;
· Not viewing or distributing racist, sexist, pornographic or any material which seeks to encourage racial hatred or that may cause offense;
· Not infringing copyright or intellectual property laws, including downloading files which it is illegal / a breach of copyright to use;
· Respecting people’s privacy and confidentiality and complying with the Data Protection Act 1998;
· Safeguarding passwords – i.e. not writing them down or sharing them with colleagues;
· Reporting anyone who they believe to be using systems inappropriately to the relevant manager (who should report the incident to the ICT Support Team Leader);
· Not removing or subverting security measures or otherwise making unauthorised changes to equipment or software or allowing others to do so;
· Not knowingly distributing viruses, or any form of malware (any software or code with malicious intent);
· Not installing any software without authorisation from ICT Services;
· Not allowing unauthorised third-parties (e.g. children or friends) to use EDC equipment;
· Logging out or locking computers if their workstation is left unattended i.e.: when moving away from their PC (press ctrl-alt-del and select ‘lock workstation’);
· Not using email, instant messaging, the internet including Social Media or any other software to insult, bully, harass or defame; and
· Ensuring workstations comply with health and safety requirements and that regular rest breaks are taken.
3.4.2
Employees supervising third-party use of the Internet
Employees facilitating public or school children’s use of ICT facilities are responsible for the following:
· Ensuring that they have read and comply with the Council’s child protection policies;
· Ensuring that all users, or their parents, carers and /or guardians understand, and have signed to indicate that they understand, the Acceptable Use Policy;
· Ensuring that they are aware of the procedures for reporting misuse and ensuring that they notify the ICT Support Team Leader
· Ensuring that best endeavours are made to offer protection from material which may be deemed unsuitable to users of the Council’s ICT Services
3.4.3
Line Managers’ responsibilities
Line managers are responsible for ensuring that their employees abide by the above, and in addition:
· For ensuring that all users who report to them have signed to indicate that they understand and will abide by, the Acceptable Use Policy;
· For managing and reporting any inappropriate use in accordance with the Breach of Acceptable Use Procedure.
Breach of Acceptable Use Procedure;
· For assessing and addressing training requirements promptly so individuals can use systems effectively; and
· For ensuring that workstation assessments are carried out by the Council’s Health and Safety function.
3.4.4
Authorised Equipment
Only equipment authorised by ICT should be attached to the Council’s Network. ICT Service Desk will be able to confirm whether equipment is authorised. Personal and unencrypted USB devices should not be attached to Council ICT facilities without prior authorisation.
4 Use of Council Mobile Telephones
4.1 General
4.1.1
Employees who require a mobile device to perform work duties should request authorisation from their line manager.
4.1.2
Devices supplied by the Council must only be used by the designated user. Employees must be aware of their responsibilities under this Policy, the Council’s mobile phone policy and cognisant of the Council’s Health and Safety policies for using mobile phones.
4.1.3
Users must not use a Council-supplied device for anything that is illegal, for making offensive or threatening calls or whilst driving. All mobile devices should be set up with a Personal Identification Code by the user, to prevent unauthorised use. For instructions on how to do this consult the manual or Admin. Support Team.
4.1.4
The Admin Co-ordinator receives quarterly invoices for each user for all line rental and usage charges. At the same time, each individual user will have a Personal Mobile Phone Statement sent out, usually to their Line Manager, or departmental admin. / clerical contact.
4.1.5
Employees should refer to the Council’s Mobile Phone Policy if they require further information.
4.2 Lost or stolen mobile devices
4.2.1
The loss or theft of any Council-owned information asset must be reported to relevant line manager and the ICT Service Desk as soon as possible. No longer than 1 full working day.
4.2.2
If the loss or theft took place out with normal working hours or from an Employee home, car or location external to the Authority then the incident must be reported to the police as soon as possible and no longer than 1 full day and the relevant incident or crime reference numbers passed to the ICT Service Desk within 1 full working day.
4.3 Personal calls
4.3.1
Personal calls can be differentiated from business calls by appending an asterisk ‘*’ onto the end of the dialled number. Calls with an appended asterisk will appear on the bill with an asterisk at the end of the number, and so can be more easily identified for recharging purposes. Personal contact numbers can also be stored in the phone or SIM memory with an asterisk at the end.
4.3.2
It is the responsibility of employees and Elected Members to check their statements carefully for personal calls, which should then be refunded to the relevant department.
4.4 Personal text messages
4.4.1
Staff should identify personal text messages on their telephone bills in order that the costs can be paid to the Council.
4.5 Misuse
4.5.1
Employees must not send or receive text messages for downloading, or otherwise accessing ring tones, games, commercial competitions etc. Many of these services operate on an ongoing subscription basis and may incur significant charges.
4.5.2
There is an automatic bar on all Council mobile devices preventing the dialling of international and premium rate numbers. ‘Roaming’ to other mobile phone providers networks, for example whilst overseas is also automatically barred.
4.5.3
Employees who are aware of being able to access ‘barred’ numbers should immediately notify the ICT Service Desk, unless they have been authorised to access such numbers.
4.5.4
Employees needing to access any premium rate numbers in relation to their work, they should contact the ICT Service Desk.
4.5.5
If employees need to dial an international number or to ‘roam’ networks, an email request should be sent to the ICT Service Desk detailing the country for which access is required, and for how long the bar is to be lifted.
5 Use of Electronic Mail & Instant Messaging
5.1 General
5.1.1
Copying an email to internal or external parties, may breach the Data Protection Act if it reveals all recipients' email addresses to each recipient (e.g. in the case of mailing lists). It can also breach duties of confidentiality (e.g. in the case of emails sent to members of a benefit scheme).
Accordingly, it may be appropriate to use the 'BCC' (blind carbon copy) field instead of the usual ‘To’ or 'CC' (carbon copy) fields when addressing an email. If in doubt, employees or Elected Members should seek advice from their line manager or the Data Protection Officer.
5.1.2
Users are recommended to delete unwanted email to conserve system resources. However the email retention policy will archive on a continuous basis all email messages over 90 days old, these messages are then backed-up and are held indefinitely.
5.1.3
All incoming emails are scanned by a third party on behalf of the Council, using virus-checking software. The software will also block password protected and encrypted documents, unsolicited marketing email (spam) and emails which have potentially inappropriate attachments. If there is a
suspected virus in an email which has been sent to the Council, the sender will automatically be notified and a notice will be received that the email is not going to be delivered because it may contain a virus.
5.1.4
Employees and Elected Members must not set mailbox rules to automatically forward email to an external (i.e. non-Council) mailbox. If you have a business need for remote access to email, request this from your Head of Service via an IT11.
5.2 Attachments
5.2.1
Employees and Elected Members should not send overly large file attachments with their email as they slow down the Council’s systems for all users. There are restrictions on the size and type of files employees and Elected Members can transmit between 09:00 and 17:00. The policy regarding acceptable file sizes and file types for both outgoing and incoming mail attachments is listed accordingly.
· Attachments greater than 20 megabytes will only be transmitted by special arrangement. Contact the ICT Service Desk for advice.
· Messages with more than 5 attachments may be held for transmission outwith normal working hours.
· Incoming and Outgoing File Attachment Type Restrictions:
· Allowed:
o Document Files e.g. (.pdf,.doc,.lwp,.txt)Not Generally Allowed:
o Vulnerable file types e.g. (.csv)
o Images e.g. (.bmp)
o Movies e.g. (.mov, .mpg, .avi, .asf)
o Compressed files e.g. (.zip, .bin, .sit, .sea)
o Executable files e.g. (.exe, .com, .bat)
o Sound Files e.g. (.mp3, .wav)
Users requiring special arrangements must contact the ICT Service Desk.
5.3 Business use
5.3.1
Email is not a secure means of communication therefore employees
and Elected Members should confirm with the members of the public
or contractors that the use of email as a means of communication is
acceptable.
5.3.2
In light of the security risks inherent in some web-based email accounts, employees and Elected Members should not email business documents to citizens’ or contractors’ personal web-based
accounts without their express permission to do so.
5.3.3
Under no circumstances should employees and Elected Members send information that would be classified under the Council’s Information Classification and Protection Policy as ‘RESTRICTED’ or
‘CONFIDENTIAL’ to an external or non-GSi email address. (Contact the ICT Support Team Leader for further details.)
5.3.4
Employees and Elected Members needing to work on documents / data outside of their our normal place of work must ensure that they have taken steps to protect information from theft / loss in proportion to the impact that unauthorized disclosure could have on the Council or citizens. Encrypted USB memory sticks, which are available from ICT, must be used if employees or Elected Members need to take sensitive data about staff or members of the public outwith the office.
At all times employees and Elected Members must comply with the Home Working and Information Classification and Protection Policies.
5.3.5
If an email message or attachment contains information which is time-critical, employees and Elected Members should bear in mind that email is not an instant form of communication and may take minutes or hours to arrive. If an email is time-critical, employees and Elected Members should consider telephoning to confirm that it has been received and read.
5.4 Personal use
5.4.1
The Council’s email and instant message facilities are provided for the purposes of the Council’s business; however, the Council accepts that employees and Elected Members may occasionally want to use them for their own personal purposes. This is permitted on condition that all the rules set out in this policy are complied with. Employees and Elected Members must be aware that, if they choose to make use of the Council’s ICT facilities for personal correspondence, they can have no reasonable expectation of privacy because the Council may need to monitor communications for the reasons given in item 10.1.
5.4.2
Personal use of email and instant messaging, in common with the
use of the Council’s other ICT facilities:
· Must take place outwith working hours i.e. before or after work,
during lunch or other breaks.
· Must not interfere with the performance of Council duties;
· Must not take priority over work responsibilities;
· Must not cause unwarranted expense or any liability to be
incurred by the Council;
· Should not have a negative impact on the Council in any way;
and
· Must be lawful and comply with this policy.
5.4.3
Users must not sign up to receive mailings from companies or organisations unrelated to the Council’s business.
5.4.4
Users must not make personal purchases and use their Council email address.
5.4.5
Under no circumstances may the Council’s facilities be used in connection with the operation or management of any business other than that of the Council.
5.4.6
While emails and instant messages in Lotus Notes can be deleted from the ‘live’ system, emails and chat transcripts will have been copied (perhaps many times) onto the backup tapes and in that form
may be retained.
5.4.7
By making personal use of the Council’s facilities for sending and receiving email and instant messages employees and Elected Members signify their agreement to abide by the conditions imposed for their use, and signify their consent to the Council monitoring their personal email and chat transcripts in accordance with item 10 of this policy.
6 Use of Internet and Intranet
6.1.1
The terms and conditions of third-party websites should be complied with.
6.1.2
The Council trusts employees and Elected Members to use the Internet and Intranet sensibly. Employees and Elected Members should be aware that when visiting an Internet site, information
identifying a PC as belonging to the Council may be logged and thereby affect the Council’s reputation.
6.1.3
The Council recognises the need for individuals to carry out some personal tasks during working hours, e.g. Internet banking or on-line shopping, and this is permitted subject to the same rules as are set out for personal email use in item 6.4 of this policy.
6.1.4
The following types of files should not be downloaded without authorisation from ICT:
· ‘Vulnerable’ file types e.g. (.csv)
· Movies e.g. (.mov, .mpg, .avi, .asf)
· Compressed files e.g. (.zip, .bin, .sit, .sea)
· Executable files e.g. (.exe, .com, .bat)
· Sound Files e.g. (.mp3, .wav)
6.1.5
Access to certain websites is blocked. If there is a particular business need to access a blocked site, please follow the procedure for accessing blocked sites which can be found on the intranet.
7 System Security
7.1.1
Security of the Council’s ICT systems is of paramount importance. The Council owe a duty to members of the public and contractors to ensure the Council process their details confidentially. It is essential that the Council are able to demonstrate the integrity of information and systems as information might need to be relied upon in court. Employees and Elected Members must take responsibility for the security implications of their use of the Council’s ICT facilities.
7.1.2
The Council’s ICT facilities must not be used in any way which may cause damage, overloading or which may affect its performance or that of the internal or external network.
7.1.3
All material which is RESTRICTED, CONFIDENTIAL or subject to the Data Protection Act must be kept secure - as directed in the Information Classification and Protection Policy. Such types of information
must only be used for the purposes intended and not disclosed it to any unauthorised third party.
7.1.4
System passwords must be kept safe and not disclosed to anyone. Those who have a legitimate reason to access other users' inboxes must be given permission under the Access to Mailboxes Procedure.
7.1.5
Any Elected Member or employee, who receives a call from a member of ICT staff asking for a password, should verify their name on the intranet directory and call them back. Details can also be confirmed with ICT Service Desk.
7.1.6
If a password has to be given to ICT staff, ensure that the password is changed once the ICT employees no longer need it. Guidance on how to change your password is available on the ICT section of the Hub (EDC Intranet).
7.1.7
Documents should be marked and treated in accordance with the Council’s Protective Marking Scheme which is set out in the Information Classification and Protection Policy.
7.1.8
Elected Members and employees must ensure that material from outside the Council which is loaded onto corporate PCs via a disk or CD Rom is from a secure and safe source. If there are any doubts about such material ICT Service Desk should be contacted for assistance. No software should
be loaded on to a corporate PC unless it has been authorised by ICT Services.
7.1.9
Programs, applications or software must not be downloaded or installed - regardless of their source - without authorisation from ICT Services. This includes programs, toolbars, instant messaging software, screensavers, photos, video clips and music files. ICT Service Desk are able to offer advice if required.
7.1.10
No device or equipment should be attached to the Council’s systems without the prior approval of ICT Services. This includes, cameras, external USB devices or flash drives, MP3 players (or similar devices), or telephones. It also includes use of the USB port, infra-red or any other port.
7.1.11
The Council monitors all emails passing through its system for viruses. However, caution should be exercised when opening emails from unknown external sources or when, for any reason, an email appears suspicious. ICT Service Desk should be informed immediately if a suspicious communication or suspected virus is received.
8 Working Remotely
8.1.1
This chapter and the procedures it sets out, apply to employees and Elected Members use of the Council’s ICT facilities, to the use of the Council’s laptops, and also to the use of personal computer equipment or third party computer equipment where work is being undertaken away from Council premises. The Council’s Home Working Policy contains more details on how to work at home safely
and securely.
8.1.2
When working remotely employees and Elected Members must:
· Position themselves so that work cannot be overlooked by another person;
· Switch off laptop computers when not in use or ensure that a password protected screensaver is in place.
· Take reasonable precautions to safeguard the security of the Council’s laptop computers or any computer equipment which is used to undertake the Council’s business;
· Keep passwords secret;
· Inform ICT Service Desk as soon as possible if a Council laptop / mobile device in their possession or any computer equipment on which Council’s work has been undertaken has been lost or stolen;
· Ensure that any work which is done remotely is saved on the Council’s system or is transferred to a Council system as soon as reasonably practicable and deleted on any personal device;
and
· Password-protect access to any mobile or similar hand-held devices containing any personal data of which the Council is a data controller or any information relating the Council’s business.
8.1.3
An awareness of what information is stored on mobile devices or mobile storage should be maintained so that in the event of a theft or loss, the impact of any compromise of council data can be estimated.
9 Private Blogs and Websites
9.1.1
This part of the policy and procedures in it apply to personal blogs, websites, virtual reality games and all other personal web content (e.g. personal podcasts) even if created, updated, modified or contributed to outside of working hours or when using personal or third-party ICT systems.
9.1.2
Employees and Elected Members may wish to contribute to online forums, blogs and message boards, ‘podcast’, ‘webcast’ or similar. For the avoidance of doubt such activities are expressly prohibited during work time or using Council ICT facilities - except where such activities are in pursuance of duties to the Council.
9.1.3
Employees and Elected Members must ensure that any content posted to the Internet, be it written, vocal or visual, which identifies them as a member of the Council and/or discusses their work or anything related to the Council or its business, contractors, members of the public or colleagues, must be appropriate, consistent with their contract of employment and with the Council’s policies and procedures.
9.1.4
If a blog posting expressing any idea or opinion clearly identifies that an employee works for the Council then a disclaimer should be added such as "these are my own personal views and not those of the Council”.
9.1.5
The following matters will be treated as gross misconduct (this list is not exhaustive):
· Revealing confidential information about the Council.
This might include revealing information relating to the Council’s contractors, business plans, policies, employee, financial information or internal discussions. Managers should be contacted in the first instance to advise on what might be confidential; and
· Using a personal blog or any website to harass, criticise or embarrass the Council, its clients or employees.
The reputation of the Council and the privacy and feelings of others should be respected at all times.
9.1.6
Complaints about colleagues or workplace matters should be dealt with by raising a grievance using the Council’s Grievance Procedure or by following the Council’s ‘Whistle-Blowing’ policy. Both documents can be found on the Intranet. Employees may also wish to consult their Trade Union;
9.1.7
The Council provides a ‘Whistle-Blowing’ hotline 0300 123 4512, which can be used to raise issues of concern.
9.1.8
Employees or Elected Members who have concerns that something on their blog or website could give rise to a conflict of interest, and in particular raise concerns over issues of impartiality or confidentiality, should discuss this with their line manager.
9.1.9
Employees must talk to their line manager and the Council’s Public Affairs Team if the media or press make contact about information on their blog or website relating to the Council.
9.1.10
Personal blogs or websites which do not identify the blogger as a member of the Council and do not mention the Council and are purely concerned with personal matters will normally fall outside the scope of this policy.
10 Monitoring of Communications by the Council
10.1 General Principles
10.1.1
The Council will, so far as possible and appropriate, respect the privacy of employees and Elected Members and their autonomy while working.
10.1.2
The Council may monitor i.e. keep records of email sender, receiver, subject line; attachments to email, instant messaging statistics, telephone numbers called and the duration of calls; domain names of websites visited, the duration of visits, files downloaded from the
Internet. The Council may also intercept i.e. record and listen to calls, scan or read emails and chat transcripts.
10.1.3
The Council does not routinely intercept telephone calls or routinely manually intercept emails. However, emails are automatically scanned for inappropriate content and they will then be subject to manual review.
10.1.4
The Council may carry out the monitoring and interception of business communications for reasons which include:
· Providing evidence of business transactions;
· Ensuring that the Council’s business procedures, policies and contracts with are adhered to;
· Complying with any legal obligations;
· Monitoring standards of service, performance, and for training;
· Preventing or detecting unauthorised use of the Council’s communications systems or criminal activities; and
· Maintaining the effective operation of the Council’s communication systems.
10.1.5
ICT employees who operate and support electronic communications facilities need, from time to time, to monitor transmissions or observe transactional information to ensure proper functioning of Council facilities and services. On these and other occasions, such personnel might inadvertently become aware of the contents of electronic communications. Except as provided for under the terms of this policy and the Lawful Business Practice Regulations, employees are not permitted to intentionally examine the contents of communication or disclose or otherwise use what they have seen, heard or read. However, if violations of Council policies or law are discovered, employees should report these to their line manager.
10.1.6
It is not possible for the Council to distinguish between personal and business communications so staff must be aware that monitoring and any interception may cover both personal and business communications for the purposes specified at item 10.1.1.
10.1.7
Employees and Elected Members need to be aware that such monitoring might reveal sensitive personal data about them. For example, if they regularly visited websites which contained information about health or sexuality, or which detailed the activities of a particular political party or religious group, then those visits might indicate their health, sexual orientation, political opinions or religious beliefs. By carrying out such activities using the Council’s ICT facilities employees consent to the Council’s holding and processing of any sensitive personal data about them which may be revealed by monitoring. Data on sites visited is kept for up to 3 years and is collected for the purposes of ensuring that the Council’s policies are complied with.
10.1.8
Sometimes it is necessary for the Council to access employees’ business communications during their absence, such as when they are unexpectedly taken ill, or while they are on holiday. Unless mailbox settings are such that the individuals who need to access mail can already do this, access will be granted only with the permission of a Head of Service.
10.2 Personal Communications
10.2.1
Employees must abide by the terms of use set out in Chapter 5 of this policy.
10.2.2
Employees and Elected Members are responsible to any third-party who sends them, or receives from them, a personal email, for the consequences of any breach of that third-parties’ privacy which may be caused by that employee’s or Elected Member’s failure to follow this policy.
11 Data Protection
11.1.1
Employees and Elected Members will inevitably be involved in processing personal data for the Council. The Data Protection Act 1998 sets out the rules governing the privacy of individuals’ data.
The following terms defined by the Act:
· "Data" refers to information which is computerised or in hard copy form;
· "Personal data" is data which can identify a living individual, such as a name, a job title, a photograph;
· "Processing" is anything done with data – just having data amounts to processing; and
· "Data controller" is the person who controls the purposes and manner of processing of personal data – this will be the Council, in the case of personal data processed for business purposes.
11.1.2
Personal data processed by the Council must be kept confidential and secure, and must take particular care not be disclosed to any other person (whether inside or outside the Council) without authorisation. Personal data must only be used by the Council for the purposes for which it was collected. The Council’s FoISA and Data Protection Officer or line managers can be contacted for advice.
11.1.3
Emails or documents relating to Council business, containing personal information covered by the Data Protection Act, should not be sent outside of the European Economic Area without first
consulting the FoISA and Data Protection Officer.
11.1.4
The 1998 Act gives every individual the right to see all the information which any data controller holds about them, subject to certain exemptions. Employees and Elected Members should bear this in mind when recording personal opinions about someone. Personal remarks and opinions must be made or given responsibly, and must be relevant, appropriate as well as accurate and justifiable.
11.1.5
Section 55 of the 1998 Data Protection Act states that it is a criminal offence knowingly or recklessly to obtain or disclose personal data without the consent of the data controller, unless this is necessary to detect or prevent crime, or is authorised by another statute or rule of law. "Obtaining" would include the gathering of personal data by employees at work without the authorisation of the Council. This offence may be committed, if without the appropriate authority, employees and Elected Members:
· exceed their authority in collecting personal data;
· access personal data held by the Council; or
· pass data on to someone else (whether inside or outside the
Council).
11.1.6
While the Council is data controller of all personal data processed for the purposes of the Council’s business, employees and Elected Members will be data controller of all personal data processed in any personal email which they send or receive. Use for social, recreational or domestic purposes attracts a wide exemption under the 1998 Act, but if, in breach of this policy, the Council’s communications facilities are being used for the purpose of a business which is not the Council’s business, then extensive personal liability under the 1998 Act will be taken on by an employee or
Elected Member.
11.1.7
To help you understand and comply with the Council’s obligations as data controller under the 1998 Act employees and Elected Members may be offered, or may request, training. In the event of any uncertainty over the requirements of the Data Protection Act, the Council’s Data Protection
Officer should be contacted. The Council’s privacy statements and information about the Council’s data protection policies can also be found on the Hub.
12 Inappropriate Use of ICT Facilities
12.1 General
12.1.1
Misuse or abuse of the Council’s ICT facilities in breach of this policy will be dealt with in accordance with the Council’s disciplinary procedure.
12.1.2
The receipt of inappropriate material or instances of misuse of Council ICT facilities should be reported to ICT Service Desk or the relevant line manager.
12.1.3
Access to ICT facilities may be suspended without warning pending investigations of suspected misuse and may be removed altogether if a breach of the ICT policy is found. Where potentially illegal material is found to be viewed or stored on any Council ICT facility, the Police should be informed immediately in coordination with the ICT Support Team Leader.
12.1.4
Employees and Elected Members must not forward on material which they feel is inappropriate or seek to investigate suspected misuse themselves. Such matters should be referred to the ICT Support Team Leader or Human Resources via their line manager.
12.1.5
The following would be considered ‘misuse’ that could result in disciplinary action. This list is indicative, not exhaustive:
· Breaching the Council’s security policies;
· Accessing, downloading, installing or distributing offensive, obscene or indecent material e.g.: pornography, racist or sexist material and violent images;
· Accessing, downloading, installing or distributing material likely to be of use in the commission of a crime;
· Using images, text or material which are copyright-protected, other than in accordance with the terms of their license;
· Using Council ICT facilities to convey messages which contain expletives, threats or defamatory or discriminatory statements;
· Excessive private use of email, instant messaging, Internet, telephones, faxes or any other Council ICT facility;
· Entering into contracts, in breach of the Council’s standing orders, without authority by using the Council’s name in emails or on the Internet;
· Accessing or using unauthorised personal web based email accounts
· Accessing or using instant messaging software or other similar services out with the council approved list
· Accessing or using Internet chat rooms;
· Downloading or forwarding software, games or programs without the authorisation of ICT Services;
· Installing or storing any executable files (e.g. .exe, .scr or.com) without proper authorisation
· Changing the configuration or set up of Council ICT facilities in such a way as to impair their operation, without proper authorisation from ICT Services;
· Removing or interfering with the cabling or power supply of any ICT facilities so as to impair its operation, without proper authorisation;
· Attaching any device e.g.: USB memory sticks, PDA’s, Blackberries etc. to an EDC ICT facility which has not been specifically approved by ICT Services;
· Breaching or attempting to breach the security of any ICT facility;
· Sharing passwords or permitting others to access an ICT facility that has been assigned to their use, without proper authorisation;
· Removing ICT equipment or software from Council premises without proper authorisation;
· Accessing another user’s email or personal files without the knowledge of the user or outwith the terms of the Access to Mailboxes Procedure;
· Accessing or trying to access data which is known to be, or could be reasonably expected, to have been known to be confidential;
· Disclosing or trying to access data which is known to be, or could be reasonably expected, to have been known to be confidential;
· Introducing deliberately any form of viruses or ‘malware’, i.e. software with malicious intent, into any ICT system
· Introducing packet-sniffing, keystroke logging or password detecting software;
· Seeking to gain access to restricted areas of the Council’s network; and
· Encrypting or password protecting important data or files to which other require access.
12.2 Computer Misuse Act 1990
12.2.1
Hacking, i.e. attempting to gain unauthorised access into Council ICT facilities is a crime and could lead to your prosecution under the Computer Misuse Act 1990, which creates the following offences:
· Unauthorised access to computer material
· Unauthorised modification of computer material; and
· Unauthorised access with intent to commit or facilitate the commission of further offences.
12.2.2
ICT staff must not attempt to recreate or emulate a security incident without authorisation as this can also constitute a breach of this policy or an offence.
Summary
This Notice tells you what personal information East Dunbartonshire Council collects about people who work for and with us and train with us, why we need it, how we use it and what protections are in place to keep it secure.
Full policy
East Dunbartonshire Council
PRIVACY NOTICE – MULTI-AGENCY LEARNING AND DEVELOPMENT
Who will process my information?
The personal information you provide to East Dunbartonshire Council (“us” / “we”) or which we collect about you (“Your Information”) will be processed by us.
You can contact us at:
12 Strathkelvin Place, Kirkintilloch, G66 1TJ
0300 123 4510
customerservices@eastdunbarton.gov.uk
Why will my information be processed?
Your Information will be processed by us so we can provide you with multi-agency learning and development opportunities as required to enable you as a partner agency employee to improve your public protection knowledge and skills. We provide these opportunities through a programme of events and courses coordinated by East Dunbartonshire Adult and Child Protection Committees. The Council remains responsible for controlling Your Information.
Your Information may also be processed to:
· check the information we hold is accurate;
· prevent and/or detect crime; and
· protect public funds.
The Council may also be given personal information about you by another person or organisation, for example your employer when they are arranging your attendance at a multi-agency learning event on your behalf. We will let you know when we receive such information and give you an updated privacy notice if the law says we must.
What sort of information will you process?
We will process identifying information, such as your name, job role, email address, organisation role and address, as well as information on the type of learning or training undertaken or to be undertaken, and any information provided by you for quality monitoring and assurance purposes.
Who might my information be shared with?
Your Information might be shared with
·
Your employer
· The training facilitator
Your Information will always be shared with these people and organisations on a “need to know” basis.
We will also share Your Information where necessary in order to protect children and adults at risk of harm, prevent crime and preserve life.
Your Information may also be shared with such people if we are required by law to provide such information to them.
Why is it necessary for the Council to process my information?
The processing of your information is necessary to allow the Adult Protection Committee set up by the Council to undertake its statutory functions under Section 42 of the Adult Support & Protection (Scotland) Act 2007, and in particular to make arrangements to improve the skills and knowledge of local partner agency managers and staff who have legal and regulatory responsibilities in relation to adult support and protection.
It is also necessary to enable the Council to undertake its public task in relation to the provision of child, adult and other public protection services. The ongoing provision of awareness and training and enables the Council to effectively provide up to date information as well as serving the interests of the Council as the lead agency for statutory Child and Adult Protection activity. Such training allows other statutory and regulatory processes to be delivered effectively.
Do I have to provide my information to you?
Without the correct information about you we will not be able to provide you with the learning and training you or your employer has requested to enable you to improve your public protection knowledge and skills.
How long will you keep my information for?
East Dunbartonshire Council uses the Scottish Council on Archives Records Retention Schedules (SCARRS) to manage the amount of time the Council keeps information. Further information on these can be found here. http://www.scottisharchives.org.uk/scarrs
Your information will kept for a minimum period of time after you access learning or training from us.
· 01.006.032 and 01.006.031 Adult Protection Committee records
We will keep your information for a minimum of five years after you access ASP learning or training from us to enable the Committee to fulfil its functions, after which it will be deleted or destroyed.
· 10.008.001 Education and Skills: Lifelong Learning
We will keep this information for a minimum of five years after you access other learning and training from us to develop your public protection knowledge and skills, after which it will be deleted or destroyed.
What are my rights?
- Right of Access
You have the right to access the personal information we hold about you. This right is called a Subject Access Request, often referred to as a SAR.
You can receive a copy of your personal data held by us, details on why it is being used, who it has been/ will be shared with, how long it will be held for, the source of the information and if we use computer systems profile or take decisions about you. Details on how to submit a Subject Access Request can be found here. https://www.eastdunbarton.gov.uk/council/data-protection/subject-access-request
- Right to rectification
You have the right to request we correct any information held about you that is inaccurate.
- Right to erasure
You have the right to request that we delete the personal information about you. This right is known as the right to be forgotten.
- Right to restrict processing
You have the right to request that we stop using your personal information, while retaining a copy of it.
- Right to object
You have the right to object to our use of your personal data. The Council will have to demonstrate why it is appropriate to continue to use your personal data.
Who do I contact if I have any complaints or concerns about how my information has been handled?
You have the right to complain to the Information Commissioner’s Office should you be unhappy with the way the Council has processed your personal data. Details on how to report a concern can be found here https://ico.org.uk/concerns/
Should you have any questions or concerns about the Council’s handling of Your information, you can contact our Data Protection Officer who will be happy to discuss these with you.
East Dunbartonshire Council Data Protection Officer
Karen Donnelly
12 Strathkelvin Place, Kirkintilloch, G66 1TJ
Email: Karen.Donnelly@eastdunbarton.gov.uk
Tel: 0300 123 4510