Policy Area:	User	Effective Date:	September 23, 2004
Contact:	Information Technology Division- policy@doit.ri.gov Public Records Administrator - records@sec.state.ri.us Personnel - HRinfo@hr.ri.gov	Revision Date:	n/a

Summary
This policy outlines the rules and responsibilities for users of the State's computers, software and computer systems.

Goals
This policy is designed to:

1. reinforce that existing standards and policies regarding professional conduct also apply to computer usage.
2. ensure that state employees use information technology resources in an efficient and effective manner.
3. protect state data and computer systems from intentional misuse.
4. ensure that state data and records are professionally managed.

Applicability
This policy applies to all state employees, interns, contractors and all other users of state computers and computer systems except for the state colleges and universities. Computer systems include any software or equipment used to store or transmit state data and the actual data.

Policy Statements

1. Ethics and Professional Conduct
   
   
Users shall:

The State of Rhode Island owns the information technology resources that it provides to state employees and other users who have a responsibility to use these resources ethically and for professional purposes.


• use computers to assist them in performing their assigned jobs,
• comply with all general personnel policies governing employee behavior while using computers and computer systems,
• only use approved and properly licensed software,
• ensure that equipment, systems and data (particularly laptop computers) are stored securely,
• ensure that the computers purchased for their use are appropriately labeled and registered as state property,
• notify Information Technology staff when equipment is no longer needed so that it may be reassigned or disposed of according to asset disposal procedures.

Users shall not use state computers or systems in any way that is:



• illegal,
• disruptive, threatening, harassing, demeaning, obscene, profane or otherwise offensive.

Users shall not:



• download or install their personal copies of software on machines provided by the State, including shareware or freeware, without permission of Information Technology staff,
• introduce data into the system that does not serve a legitimate business purpose,
• use computers or state data provided to an employee to perform his/her job following termination of employment.

Personal use of computers is permissible provided it does not:



• interfere with work responsibilities,
• promote political, religious, profit-making businesses,
• increase state costs.
2. Efficiency and Cost Effectiveness

The State owns and operates computers, telecommunication systems, networks, software and data to support the State's program missions. These tools and the work products they contain are finite. It is the shared responsibility of state employees and contractors to ensure that these resources are utilized in an efficient and cost effective manner.

Users shall:



• utilize computers and computer systems to further work goals,
• use hardware and software, protocols and procedures that have been adopted as standards by the Division of Information Technology,
• avoid practices which are wasteful of storage or processing capacity.
3. Security and Privacy

The State maintains confidential employee, customer and business records. Privacy must be fully protected when records with potentially identifiable information are accessed for state purposes. Software and access rights intended to protect confidentiality must not be modified in any way by unauthorized staff. Computer usage may be monitored to ensure there is no unauthorized access to confidential information.

Users shall:



• use passwords, which are regularly changed, to properly protect data and system integrity,
• only access or change systems and data as authorized,
• only acquire, use, alter, or dispose of data with proper authorization.

Users shall not:



• violate the confidentiality of data or systems,
• use software or hardware that jeopardizes the security or integrity of the network or state data,
• use another individual's user id.
4. Information Access and Retention

Records and data that are stored on computer systems are no different than paper records with respect to statutory requirements for retention and disposition.

Users shall:



• store electronic files in a manner that allows records to be easily located when they are needed,
• share data with other State entities when it promotes legitimate program purposes (subject to the restrictions imposed by data confidentiality),
• make efforts to provide access to public information,
• ensure that records are backed up appropriately
• archive files according to records retention schedules approved for their division or department and the General Records Schedule. In the absence of a division or department schedule, consult with the Public Records Administrator before disposing of records.

Users shall not:



• retain messages or files that do not have a business purpose (as defined by the appropriate record retention schedule),
• store information in a manner that creates a burden to a computer or the network.

Responsibilities
Users - responsible for reading, understanding and adhering to this policy.

Managers - are responsible for the effective utilization of technology by subordinates and compliance with policy standards. Reports of misconduct will be brought to the attention of the appropriate agency and Human Resources authority(ies) for corrective action. Minor transgressions will be handled at the lowest possible level. Incidents that involve ethical, security or privacy issues or are disruptive to a large user-group must be reports to human resources and IT staffs.

Human Resources Division - responsible for the overall communication and enforcement of this policy, and subsequent revisions, to state employees. Also responsible for ensuring that the policy is consistent with other personnel policies adopted by the State and for recommending revisions to the policy as changes in working conditions may warrant.

Division of Information Technology (DoIT) - responsible for the components of this policy that pertain to the efficient use of information technology and resources. The information technology staff is also responsible for assisting the human resources staff with the effective communication and enforcement of the policy.

State Archivist & Public Records Administrator - responsible for the portions of this policy that pertain to records retention.

Office of Accounts and Controls - responsible for the maintenance of the inventory of capital assets including computer equipment.

Compliance
The state reserves the right to examine information systems for system performance monitoring and to investigate potential abuse of the State's information technology resources. Users will be held accountable for any breaches of policy, security or confidentiality. Violations may result in disciplinary actions. Abuse or misconduct can be reported (by employees, supervisors, IT staff, the public or others) to the appropriate agency authority for remedial action. Violations will be handled through the applicable union contracts, personnel rules, and state and federal statutes. Depending on the nature and severity of the abuse, violations will be subject to appropriate disciplinary action, up to and including termination. Criminal or civil action may be initiated in appropriate instances.

Exemptions
There are two exemptions to this policy.
1) The Colleges and Universities are bound by the policies adopted by the Board of Higher Education. (URI Policies)

2) The Department of Corrections does not allow for any personal use of computers. (DOC policy contact)

Agencies may choose to add to this policy, in order to enforce more restrictive requirements, provided that the additions to this policy are filed with, and approved by, the Chief Information Officer.

Appeals
Appeals to the findings and enforcement actions recommended by the Human Resources Division will follow the same procedures as other appeals to decisions made by Human Resources.

Authority

1. Ethics and Professional Conduct
• §34-14-1 Code of Ethics -- Declaration of Policy. "It is the policy of the State of Rhode Island that public officials and employees must adhere to the highest standards of ethical conduct, respect the public trust and rights of all persons, be open, accountable and responsive, avoid the appearance of impropriety, and not use their position for private gain or advantage…."
• -- State Personnel Rules 6.02 Conduct of State Employees. "It is the duty of every employee to so conduct himself/herself inside and outside his/her office as to be worthy of the esteem a public employee must enjoy….."
• Fixed asset citation***§37-2-54 (a) The chief purchasing officer, except as otherwise provided by law, shall purchase, or delegate and control the purchase of, the combined requirements of all spending agencies of the state including, but not limited to, interests in real property, contractual services, rentals of all types, supplies, materials, equipment, and services…
2. Efficiency and Cost Effectiveness
• The Information Resources Management Board § 29-8 et. seq.
• § 29-8-10. . .(a) Providing . . .policy direction. . .for the executive branch of state government and public universities. . .(c) defining, maintaining, and publishing a timely information resources management architecture. . . and implementing processes and procedures to ensure compliance.
3. Security and Privacy
• § 29-8-10. (n) Recommending procedures and legislation to ensure the privacy of individuals, with particular emphasis on the potential for invasion of individual privacy.
4. Information Access and Retention
• § 38-1-10. Disposal of records. No public official may mutilate, destroy, sell, loan, or otherwise dispose of any public record without the consent of the public records administration program of the secretary of state.
• §38-2 Access to Public Records Act, especially §38-2-2 (4)(i) "Public record" or "public records" shall mean all documents, papers, letter, maps, books, tapes, photographs, films, sound recordings, magnetic or other tapes, electronic data processing records, computer stored data (including electronic mail messages, except specifically for any electronic mail messages of or to elected officials with or relating to those they represent and correspondence of or to elected officials in their official capacities) or other material regardless of physical form or characteristics made or received pursuant to law or ordinance or in connection with the transaction of official business by any agency.

Related Documents
Statewide Information Technology Policies

• Email
• Internet

Asset Protection

• Fixed Asset Control Tracking System Manual

Definitions
General Records Schedule --a retention and disposition schedule that includes records created or received by all (or most) state agencies, municipalities, and other government entities. The schedule, listing records common to most agencies, facilitates the proper management and timely disposition of these records.