HHS Policy for Personal Use of Information Technology Resources
The purpose of this Department of Health and Human Services (HHS or the Department) Office of the Chief Information Officer (OCIO) document is to state the policy for limited acceptable personal use of Department IT resources by federal staff, contractors, temporary employees, and other HHS personnel authorized to use HHS resources, hereafter referred to collectively as “HHS personnel.” The Department must enforce standards of ethics in regard to the use of IT resources for all who perform functions on behalf of and at the direction of HHS. This policy allows HHS personnel to use HHS IT resources for non-government purposes when such use:
- Is minimally disruptive to personnel productivity;
- Does not interfere with the mission or operations of HHS; and
- Does not violate the HHS Policy for Information Systems Security and Privacy (IS2P) or the Rules of Behavior for Use of HHS Information Resources.
This policy is a revision to and supersedes the HHS Policy for Personal Use of Information Technology Resources, version HHS-OCIO-2006-0001, dated February 17, 2006. This policy does not supersede any other applicable law or higher level agency directive, policy, guidance, or existing labor management agreement in effect as of the effective date of this policy.
Operating Divisions (OpDivs) may adopt policies that are more restrictive, but not less, than those contained in this departmental policy. Future labor management agreements must comply with this policy. In the event that one or more of these policies are found to be contrary to existing law or labor management agreements, the existing law or labor management agreements take precedence.
The executive branch of the federal government serves the American people through hundreds of thousands of employees located in offices across the nation. Increasingly, the government is called upon to deliver more and better services to a growing population that continues to expect ever-increasing improvements in service delivery. Much of this productivity increase has come about through the use of information technology, along with the extensive use of third-party websites and applications (TPWAs).
Taxpayers have the right to depend on their government to manage their tax dollars wisely and effectively. Public confidence in the productivity of government is increased when members of the public are confident that their government is well managed and assets are used appropriately. The relationship between the executive branch and the employees who administer the functions of the government is one based on trust. Consequently, employees are expected to follow rules and regulations and to be responsible for their own personal and professional conduct. The Employee Standards of Conduct published by the U.S. Office of Government Ethics states, “Employees shall put forth honest effort in the performance of their duties” [Section 2635.101 (b)(5)].
HHS personnel must be provided with a professional and supportive business environment. They must be given the tools needed to carry out their assigned responsibilities effectively. Allowing limited personal use of these tools helps enhance the quality of the workplace and helps the government to retain highly qualified and skilled workers.
This policy is based on a model policy adopted by the Chief Information Officers Council and has been updated to implement the Office of Management and Budget (OMB) Memorandum (M) 04-26, Personal Use Policies and “File Sharing” Technology and M-11-27, Implementing the Telework Enhancement Act of 2010: Security Guidelines.
This policy applies to all departmental OpDivs, Staff Divisions (StaffDivs), and organizations conducting business for and on behalf of the Department through contractual relationships when using HHS IT resources. This policy applies to all HHS IT activities including the equipment (to include copiers, three-in-one scanners, and telephones), procedures, and technologies that are employed in managing these activities. The policy includes use of HHS IT resources regardless of location (e.g., teleworking, travel, and other off-site locations as well as all of the office locations of the Department). Department officials must apply this policy to contractor personnel, temporary employees, interns, and other non-government employees through incorporation by reference in contracts or memoranda of agreement as conditions for using government-provided IT resources. Lastly, personally-owned devices are not considered HHS resources and are therefore not considered within the scope of this document.
4.1 Requirements for all HHS Personnel
All HHS personnel must adhere to the following requirements at a minimum:
4.1.1 HHS permits personnel limited personal use of HHS IT resources (including government-furnished equipment (GFE) such as mobile devices), which involves no more than minimal additional expense to the government as long as the personal use:
- Is minimally disruptive to personnel productivity;
- Does not interfere with the mission or operations of HHS; and
4.1.2 HHS does not recognize any enumerated right of personnel to operate HHS IT resources for personal use (including any right to use GFE, such as mobile devices, for personal use inside or outside of the traditional business environment).
- HHS personnel must ensure that all GFE is used only for authorized purposes, except for the limited personal use stated in 4.1.1; and
- Individuals other than the employee (e.g., family members, friends, etc.) are not authorized to use GFE.
4.1.3 Any use of HHS IT resources, including HHS e-mail and HHS TPWA technologies, is made with the understanding that such use may not be secure, is not private, is not anonymous, and may be subject to disclosure under the Freedom of Information Act (FOIA). HHS personnel do not have a right to, nor do they have an expectation of, privacy while using HHS IT resources at any time, including while accessing the Internet through HHS gateways and using e-mail, which may be subject to release pursuant to the FOIA. To the extent that HHS personnel wish that their private activities remain private, they must avoid making personal use of HHS IT resources.
4.1.4 HHS may impose sanctions on personnel who use HHS IT resources for unauthorized or inappropriate purposes.
- Sanctions may be an administrative action; and
- Disciplinary or adverse actions may also include criminal actions to include penalties and/or holding personnel or other users financially liable for the cost of inappropriate use if the violation warrants.
4.1.5 HHS expects personnel to conduct themselves professionally in the workplace and to refrain from using GFE and TPWA for activities that are not related to any legitimate/officially-sanctioned HHS business purpose, except for the limited personal use stated in 4.1.1. Misuse or inappropriate personal use of HHS IT resources includes, but is not limited to:
- Any personal use that could cause congestion, delay, or disruption of service to any HHS IT resource, for example, sending electronic greeting cards, or viewing streaming audio and video content from the Internet;
- The intentional creation, downloading, viewing, storage, copying, or transmission of sexually explicit or sexually oriented materials;
- The intentional creation, downloading, viewing, storage, copying, or transmission of materials related to gambling, illegal weapons, terrorist activities, and any other illegal activities;
- Use of HHS IT resources for activities that are inappropriate or offensive to fellow personnel or the public. Such activities include, but are not limited to: hate speech or material that ridicules others on the basis of race, creed, religion, color, age, sex, disability, national origin, or sexual orientation;
- Use for commercial purposes or in support of commercial “for-profit” activities or other outside employment or business activity (such as consulting for pay, sales or administration of business transactions, and/or sales of goods or services); HHS personnel are specifically prohibited from using GFE to maintain or support a personal private business. Examples of this prohibition include personnel using a government computer to run a personal business such as an eBay “store.” The ban on using GFE to support a personal private business also includes personnel using HHS IT resources to assist relatives, friends, or other persons in such activities. Personnel may, however, make limited use of GFE under this policy to, for example, check their Thrift Savings Plan or other personal investments, to seek employment, or communicate with a volunteer charity organization;
- Engaging in any outside fund-raising activity, including non-profit activities, endorsing any product or service, participating in any lobbying activity, or engaging in any prohibited partisan political activity;
- Posting agency or personal information to external newsgroups, bulletin boards, or other public forums to include TPWA technologies without authority, including information which is at odds with departmental missions or positions. This includes any use that could create the perception that the communication was made in one’s official capacity as a federal government employee, unless appropriate agency approval has been obtained;
- Establishing personal, commercial, and/or non-profit organizational websites on government owned machines;
- Creation of a website, TPWA, etc. on behalf of HHS without the proper official authorization;
- The creation, copying, transmission, or retransmission of chain letters or other unauthorized mass mailings, regardless of the subject matter;
- The addition of personal IT resources to existing HHS IT resources and reconfiguration of systems; modifying GFE, including loading personal software or making configuration changes without the appropriate management authorization;
- The connection of personally-owned mobile devices (e.g., bring your own device (BYOD)) outside of OpDiv-managed and approved methods;
- The intentional unauthorized creation, downloading, viewing, storage, copying, or transmission of any controlled information including computer software and data that includes information that is subject to the Privacy Act, copyrighted, or trademarked or material with other intellectual property rights (beyond fair use), proprietary data, or export controlled software or data;
- Use or creation of unauthorized automated mailing lists or the distribution of unauthorized newsletters;
- Using another person’s digital authentication, including another person’s personal identity verification (PIV) card;
- Using HHS systems as a staging ground or platform to gain unauthorized access to other systems;
- Sending anonymous messages other than through Department-approved surveys;
- Circumventing established security procedures;
- Using Peer-to-Peer (P2P) software without OpDiv Chief Information Officer (CIO) (or delegate) approval; and
- Any use of TPWA technologies that is not compliant with the HHS Policy for Managing the Use of Third-Party Websites and Applications.
4.1.6 Electronic data communications and online activity may be monitored and disclosed to external law enforcement agencies or within the Department to those who have a need to know in the performance of their duties. For example, after obtaining management approval, technical staff may employ monitoring tools in order to maximize the utilization of their resources, which may result in the detection of inappropriate usage.
4.1.7 The privacy rights of an individual may not be violated. Personnel must therefore not use HHS IT systems or TPWA technologies to obtain or attempt to obtain any information about any individual that they do not have a legitimate business need and authorization to view or access or to distribute or use any information about an individual unless authorized to do so.
4.1.8 HHS users must ensure that they are not giving the false impression that they are acting in an official capacity when they are using HHS IT resources for non-government purposes. If there is expectation that such personal use could be interpreted to represent the Department, then an adequate disclaimer must be used. For example: “The contents of this message are mine personally and cannot be construed to be endorsed (implicitly or explicitly) neither by the United States Government nor by my agency.”
4.1.9 HHS users must follow policies and procedures in their use of IT resources (for example, Internet and e-mail) and refrain from any practices which might jeopardize HHS computer systems and data files;
4.1.10 HHS users must familiarize themselves with both privacy and security procedures and guidelines to be followed when using remote access;
4.1.11 HHS users must familiarize themselves with any special requirements for accessing, protecting, and using data, including requirements imposed by the Privacy Act, copyright, and other intellectual property law;
4.1.12 HHS users must familiarize themselves with laws and policies governing procurement and acquisitions; and
4.1.13 HHS expects personnel to seek guidance from their supervisors and delegated official and/or Contracting Officer’s Representative/Contracting Officer’s Technical Representative (COR/COTR) as applicable when in doubt about the implementation of this policy.
4.2 Requirements for Management Officials
Management officials, in their supervisory role, are responsible for:
4.2.1 Informing users of their rights and responsibilities, including the dissemination of the information in this policy to individual users;
4.2.2 Addressing inappropriate use by personnel who report to them;
4.2.3 Receiving and reviewing reports of inappropriate use from IT resource management officials and sharing these reports, as appropriate, in accordance with HHS standard operating procedures;
4.2.4 Notifying, when appropriate, senior Department officials of inappropriate use and/or abuse of HHS IT resources; and
4.2.5 IT Managers must generate and deliver the reports, noted in 4.2.3 above, when necessary.
Direct questions, comments, suggestions, or requests for further information about this topic to the HHS Cybersecurity Program at HHS.Cybersecurity@hhs.gov or (202) 205-9581.
The effective date of this policy is the date the policy is approved.
These policies and procedures will not be implemented in any recognized bargaining unit until the union has been provided notice of the proposed changes and given an opportunity to fully exercise its representational rights.
“The HHS policies contained in this issuance must be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary’s policy statement dated December 14, 2010, as amended, titled “U. S. Department of Health and Human Services Tribal Consultation Policy.” It is HHS policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department’s plans, projects, programs, and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.”
/s/ Frank Baitman
HHS Chief Information Officer
Date: August 1, 2013