Appendix 19 – Protocol for use of ICT by Members/Use of Resources

 

1.             Introduction

 

1.1     This protocol sets out to support Members to carry out their role effectively with the Information Communication Technology (ICT) provided whilst protecting the Council and its Members from the risks associated with its use.  The protocol helps Members to stay compliant with the law and good security practice and is intended to assist and enable them in carrying out their activities.

 

1.2       This protocol must be used in conjunction with agreed policies and procedures around ICT security and use of systems such as internal email.  Any breach of the requirements of the protocol or the agreed policies and procedures may amount to a breach of the Members’ Code of Conduct and the removal of access to the Council’s assets, systems and resources.

 

2.              ICT Equipment

 

2.1            Members are provided with equipment to support their needs.  Support is available from ICT to help Members understand what each item can and cannot support and to match the device to the Member’s individual requirements, such requirements may include a laptop, tablet or mobile phone.  Printers will not be supplied.

2.2            All items are procured through the standard ICT procurement process and will be covered by standard warranty and insurance policies.  All equipment issued belongs to and will remain the property of City of York Council.  The equipment provided must be used for all democratic work, including use at Council meetings, reading/annotating agendas, reports, minutes and accessing City of York Council emails and for constituent work related to the Council and Council business.  It is not to be used for purely political purposes or private business purposes.  Where members are also appointed to other bodies, arrangements may be made to share equipment.

2.3            All reasonable steps must be taken to ensure that equipment is kept secure and protected from theft/damage.  Particular care must be taken to ensure that equipment is not left on view in cars or in public transport, etc.  In the event of theft, loss or damage to any part of the equipment, members must inform the ICT Service Desk, by telephone (01904 552222) or email (ictservicedesk@york.gov.uk) immediately.  In the event of theft of the equipment, the theft must be reported to the Police without delay in order to obtain an Incident Number and then provide this information to the ICT Service Desk and Insurance @ insurance.claims@york.gov.uk.

2.4            The member will only grant access to any equipment to an authorised employee or agent of the Council for the purpose of service, repair or audit and will make the equipment available at reasonable notice and in working hours.  Use by family/friends or any other third party is not permitted, family members can provide assistance to members in the use of the equipment as long as the Member remains in overall control and does not divulge their user name or password.

2.5            If a member ceases to be a Member of the Council, the equipment must be returned to the Council within 10 working days and in such an event access to Council systems will be disabled within 10 working days.

 

Lending any equipment to a third party is strictly forbidden.

 

 

 

3.              Software

 

3.1            Members ICT equipment is configured to comply with the Council’s ICT Security Policy and to meet the requirements of the Public Services Network.  Any unauthorised changes may contravene these policies therefore configurations must not be changed and Members must not attempt to add additional hardware or software to any equipment. 

3.2            If any additional applications are required, these can be requested by contacting the ICT Service Desk.  Each request will be evaluated on its merits.  Members should never delete any of the Council supplied software or any applications.

3.3            In the event of any maintenance or updates becoming necessary, the ICT Service desk may be able to do this upon request remotely, but where this is not possible the equipment must be returned to West Offices at an agreed time for such works to be carried out.

3.4            If there is a suspicion of a virus infecting any equipment or any notifications of untoward activity, this must be reported immediately to the ICT Service Desk.  Do not ignore warnings as this could lead to more widespread infections and serious disruption to Council ICT systems. 

3.5            All software provided by the Council with any equipment remains the property of the Council, or the licensing organisation and may not be shared or copied to another computer/device.

 

4.              Access to Systems

 

4.1            Access to the Council’s systems is via a username and password and individual applications may need their own username and password.  Members are required to adhere to the Council’s password policy.  Regular audits of all passwords are undertaken as part of the security audits of the Council.  Care must be taken to keep passwords secure and passwords must not be disclosed to anyone and must be changed when required by ICT should security concerns be identified. 

4.2            Systems and equipment must only be used for Council business.  ICT equipment left unattended must be locked or logged off.  Members are responsible for all activity undertaken when logged onto the equipment and must not allow any unauthorised person access to the Council’s systems.

4.3            Members are permitted to connect their equipment to their home or third party Wi-Fi, subject to any provisions of the Council’s ICT policies.

 

5.              Storage

 

5.1            Various places are available to store electronic data and specific guidelines will be provided as part of Member training/Member induction.  All council meeting papers will be accessible by Modern.gov.  Members are discouraged from printing off meeting papers.  Members are encouraged to be as paperless as possible and should only print essential material.

5.2            Any data stored locally on equipment is not backed up and will be lost in the event of loss or damage to the equipment.  All data that you need to retain should be moved where possible to central storage.  Council data should not be transferred to removable media, should it be necessary only City of York Council items that are provided by the Council and are encrypted are to be used and this must not then be transferred to personal or third party equipment without the necessary permissions from the Corporate Governance Team.

 

 

6.              Internet Access

 

6.1            Do not access any area that could be construed as unfit, obscene or would otherwise be considered inappropriate for a Member of the Council.  All internet sites visited by any user (Member or Officer) when connected via Council equipment will be recorded, monitored and if necessary will be available for audit purposes.  If you accidentally visit any area that could be construed as unfit, obscene or inappropriate you must leave it immediately and inform the Monitoring Officer.

6.2            Care must be taken when downloading files via the internet.  Computer viruses may be contained in files and/or emails and can severely damage the operation of the equipment and the Council’s systems.  If in doubt, do not click on links or download files.

6.3            The equipment provided to Members should not be used to access personal social media sites such as Facebook or Twitter.  It is however permissible for Members to use the equipment provided for social media for legitimate Council reasons such as communicating with residents or maintaining corporate sites.  It is recommended that Members have separate social media accounts for Council business.  Members are required to adhere to the provisions of any Council ICT policies around social media. Passwords for social media accounts must never be the same as the passwords used for logging onto the device or any CYC system.

 

 

 

7.              Email

 

7.1            Members will be allocated a Council email address for use on Council business.  This email must not be used for personal or political purposes.  If you receive any unsolicited emails (e.g. junk or chain mail) do not forward to any other recipients and delete them or move them into the junk folder.

7.2            You must not use anonymous emailing services to conceal your identity when sending emails, falsify emails to make them appear to originate from someone else, or provide false information to any internet service which requests a name, email address or other details.

7.3            Members must not automatically forward emails from a Council email account onto a webmail account hosted on the internet by a third party, for example Google, Yahoo, Hotmail, etc. and should not manually do so as a matter of course as this can lead to Council data being placed on an insecure domain.

7.4            All Council ICT policies are available on the Council’s Intranet.  These policies must be adhered to at all times.

 

8.              Cameras

 

8.1     Any camera on ICT equipment must not be used to take inappropriate, illicit or sexually explicit photographs or videos, nor be used to embarrass anyone in any way.  Members must use their judgement on appropriate use of cameras.  Good practice is to ensure that any person to be photographed has given their consent.

 

9.              Monitoring

 

9.1       The Council has the capability to monitor all use of the internet and intranet and retains logs of all use.  The reason that monitoring takes place is to ensure compliance with legislation and the standards and rules set by the Council.  We record and monitor:

 

·        Details of websites visited or attempted to be visited;

·        Pages accessed;

·        Files downloaded;

·        Graphic images examined;

·        Any file attachments (e.g. pictures or Word documents).

 

9.2      The Council has the capability to monitor, log and retain email correspondence.  Any email and internet traffic being sent or received through the Council system will be scanned for potential viruses.

 

10.           Complying with legislation

 

10.1     The following is a summary of areas to be aware of:

 

a.   Data Protection - You are responsible for complying with the Data Protection Act 2018, which covers information held in electronic and paper-based form about individuals.  It is a criminal offence to collect and process personal data on your ICT equipment unless the use is registered with the Data Protection Registrar.  The Director of Governance has copies of all of the Council’s Data Protection registrations and can give Members advice if necessary.

 

b.   Computer Misuse – The Computer Misuse Act 1990 covers unauthorised or malicious use of any computer system.  It is the law used to prosecute hackers and people who write and distribute computer viruses deliberately.  It is a criminal offence to access or attempt to access any computer system you are not authorised to access.  The law protects against employees and members of the public who deliberately cause damage to systems and data.  The Act also makes it illegal for a person to deliberately delete data or sabotage systems to the detriment of the Council.

 

c.   Harassment – The Protection from Harassment Act 1997 covers harassment either by using email to send a harassing message to someone or by downloading and distributing material from the Internet which constitutes harassment because it creates an intimidatory working environment.

 

Harassment and discrimination are unlawful under the Protection from Harassment Act 1997, the Sex Discrimination Act 1975, the Disability Discrimination Act 1995 and the Race Relations (Amendment) Act 2000.  As with any form of harassment under the anti-discrimination legislation, the intention of the parties is irrelevant.  The problem with email is that, written communication can be misinterpreted and offence may be caused where none was intended.

 

d.   Obscene Material – Publishing legally “obscene” material is a criminal offence under the Obscene Publications Acts 1959 and 1964.  This includes electronic storing and/or transmitting obscene materials that would tend to deprave and corrupt or paedophiliac material.

 

e.   Defamation or False Statements – The liability for defamation or false statements applies to electronic communication just as it does to more traditional forms of communication.  Anyone who emails a libellous or false email message or posts such a message on the Internet will be responsible for it and liable for any damage it causes to the reputation of the victim.  In addition to the liability of the individual who made the libellous or false statement, the Council may also be held liable.   This could be either under the normal principles of:

 

·        Indirect Liability – because the Council is considered responsible – known as “vicarious liability”; or;

·        Direct Liability – as a publisher because of providing the link to the Internet and email system.

An untrue statement that damages the reputation of a person or company by causing people to think worse of them will generally be defamatory.  Similarly, a false statement intended to cause damage to a person or their economic interests can bring a claim for damages.

 

Do not put anything on an email or an attachment, which you would not put in a normal letter on Council headed paper.  Treat email as you would a postcard going through the open post.

 

f.     Copyright – Although any material placed on the Internet or in public discussion areas is generally available, the originator still has moral and, possibly, legal rights over it.  You should not copy it without acknowledging the original source and, where appropriate, gaining their permission.  This applies even if you modify the content to some extent.  Please note that any official material placed on a website is subject to copyright laws.

 

Copyright laws are different for each piece of software.  In general, the copyright to every piece of software run on a system is owned by whichever company or person who wrote it.  The Council has a legal duty to make sure sufficient licences of the correct type are present to cover the use of all software.  Members must be aware of these issues and make sure that the Council has correct licences for any software used.

 

g.   Contracts – Electronic communication, such as email, is generally regarded as an informal means of communication but it is, nevertheless, capable of creating or varying a contract in just the same way as a written letter.  You should be careful not to create or vary a contract accidentally.

 

h.   Disclaimer – despite putting confidential disclaimers and, where appropriate, personal disclaimers, on external communications, there is still nevertheless a legal connection to the Council.  Always remember that any statement you make may still be construed as representing the Council.

 

11.           Points of Contact

 

11.1         The ICT Service Desk is the first point of contact for all ICT enquiries, queries and support problems.  Calls can be logged via the ICT Self Service Portal icon that you will see on your CYC desktop or by telephoning 01904 552222.

11.2         Further assistance on the issues covered in this protocol may be obtained from the Council’s Monitoring Officer or the Council’s Head of ICT, or by consulting the ICT Policies page on the Council’s Intranet website.