Policy for Monitoring Employee Use of HHS IT Resources

Department of Health and Human Services
Office of the Secretary

FROM: E.J. Holland, Jr.
Assistant Secretary for Administration
THROUGH: Frank Baitman
HHS Chief Information Officer and Deputy Assistant Secretary for Information Technology
TO: Operating Division and Staff Division Heads
SUBJECT: Policy for Monitoring Employee Use of HHS IT Resources
DATE: June 26, 2013

The purpose of this memorandum is to call to action each Operating Division (OpDiv) Head and Staff Division (StaffDiv) Head, working with their respective OpDiv Chief Information Officer (CIO),[1] to establish policies and procedures that will strengthen the ability to effectively document, analyze, authorize, and manage requests for HHS employee[2] computer monitoring.[3] The Department's Policy for Information Systems Security and Privacy (IS2P), dated July 7, 2011, requires the use of a warning banner on all Department information technology (IT) systems. The warning banner must state that, by accessing an HHS IT system[4] (e.g., logging onto a Department computer or network), the employee consents to having no reasonable expectation of privacy regarding any communication or data transiting or stored on that system, and the employee understands that, at any time, the Department may monitor the use of Department IT resources for lawful government purposes. While the warning banner gives OpDivs the authority to monitor employee use of IT resources, it is each OpDiv's responsibility to carry out monitoring in a fashion that protects employee interests and ensures the need for monitoring has been thoroughly vetted and documented. This memorandum does not authorize intrusions into systems not administered by the Department or its components. This memorandum becomes effective upon the issuance of OpDiv policies or procedures or 90 days after issuance of this memorandum, whichever is earlier.[5]

Each OpDiv Head, working with the respective OpDiv CIO and in consultation with the Office of the General Counsel (OGC) and the HHS CIO, is to develop and deliver written policies and procedures that include the elements described in this memorandum within 90 days of issuance. This memorandum recognizes that computer monitoring also may be requested by outside law enforcement authorities (e.g., Federal Bureau of Investigation and Department of Homeland Security)[6] or the HHS Office of the Inspector General (OIG). All requests from outside law enforcement agencies shall be coordinated through the OIG, except for requests relating to national security or non-criminal insider threat matters, which shall be coordinated with the Office of Security and Strategic Information (OSSI) and/or the appropriate OpDiv Intelligence/Counterintelligence Office. Such external computer monitoring requests are subject to different standards partly because they are covered by the internal controls of the requesting agency or judicial process.

Express Written Authorization of Monitoring: No agency official, including Institute and Center (IC) CIOs, may initiate computer monitoring without advance written authorization by the OpDiv Head or the OpDiv CIO. This authority to authorize monitoring may not be delegated below the OpDiv CIO. Prior to submission of a monitoring request, OpDiv CIOs, or OSSI, should consult with the OGC, as described below. The requesting organization shall document the basis for approving any request for computer monitoring.

Basis for Monitoring: Computer monitoring may be authorized only for the following reasons: (1) monitoring has been requested by OSSI, the OIG, or an outside law enforcement authority; (2) there are reasonable grounds to conclude that the individual to be monitored may be responsible for an unauthorized disclosure of legally protected information (e.g., confidential commercial information or Privacy Act-protected information); or (3) there are reasonable grounds to believe that the individual to be monitored may have violated an applicable law, regulation, or written HHS or OpDiv policy.

Note that routine IT equipment examinations are permissible when malware searches are involved. Any unintended discoveries of problematic content and resulting follow-up actions are not subject to this memorandum, although follow-up actions that involve computer monitoring are subject to this memorandum.

Monitoring Requests from OIG and Outside Law Enforcement:

Requests from OIG--In circumstances in which OIG requests computer monitoring for purposes of an OIG investigation, or where OIG requires assistance in the conduct of computer monitoring, OIG will provide such information or notification as is consistent with its responsibilities, duties, and obligations under the Inspector General Act of 1978.

Requests from Outside Law Enforcement--In concert with the OGC, the OpDiv will develop a Memorandum of Understanding (MOU) or similar written agreement with outside law enforcement agencies as a precondition for approving monitoring requests from these organizations. The MOU shall include the following: (1) the title and organizational component of the person(s) authorized to make monitoring requests on behalf of the law enforcement agency; (2) documentation of the source of the official request, demonstrating approval by an official of the governmental entity that has the authority to request the initiation of such monitoring (e.g., a subpoena [administrative or grand jury], warrant, national security letter [NSL], or other acceptable documented request [e.g., a written law enforcement administrative request that meets applicable requirements of the Privacy Act and/or the HIPAA Privacy Rule's requirements for certain disclosures to law enforcement agencies]); (3) any restrictions applicable to the handling and disclosure of confidential information that may be produced by the monitoring; and (4) other items consistent with this memorandum, including handling sensitive communications, as described below.

Documentation: The written authorization for computer monitoring must describe the reason for the monitoring. If the monitoring is initiated at the request of outside law enforcement authorities, the authorization must document that the request was approved, consistent with the applicable MOU with that organization, by an official of the governmental entity that has the authority to request the initiation of such monitoring.

Except for monitoring initiated at the request of an outside law enforcement authority or the OIG, the party requesting the monitoring must document the factual basis justifying the request for monitoring and the proposed scope of the request. Requests for such monitoring shall include an explanation of how the monitoring will be conducted; how the information collected during monitoring will be controlled and protected; and a listing of individuals who will be provided access to the resultant monitoring information.

A record of all requests for monitoring shall be maintained by the OpDiv CIO, along with any other summary results or documentation produced during the period of monitoring. The record also shall reflect the scope of the monitoring by documenting search terms and techniques. All information collected from monitoring must be controlled and protected, with distribution limited to the individuals identified in the request for monitoring and other individuals specifically designated by the OpDiv CIO as having a specific need to know such information.

Limiting the Time, Scope, and Invasiveness of Monitoring: The OpDiv Head or OpDiv CIO shall authorize computer monitoring that is appropriately narrow in scope, time-limited, and takes the least invasive approach to accomplish monitoring objectives. The OpDiv Head or OpDiv CIO, in reviewing requests for monitoring, shall also consider whether there are alternative information-gathering methods that the OpDiv can utilize to address the concern in lieu of monitoring. When the monitoring request originates from OIG or outside law enforcement, the OpDiv authorizing the monitoring will grant appropriate deference to a request made in accordance with this memorandum.

Sensitive Communications: No monitoring authorized or conducted may target communications with law enforcement entities, the Office of Special Counsel, members of Congress or their staff, employee union officials, or private attorneys. If such communications are inadvertently collected or inadvertently identified from more general searches, they may not be shared with a non-law enforcement party who requested the monitoring, or anyone else, without express written authorization from the OGC and other appropriate Department official(s).

Legal Review: When a request for computer monitoring is made by a party other than an outside law enforcement authority or the OIG, the OpDiv shall consult with the OGC as to whether the monitoring is consistent with all applicable legal requirements, including the Whistleblower Protection Act, the Privacy Act, and the HIPAA Privacy and Security Rule, and consider whether there should be any additional limits. In addition, except for monitoring initiated at the request of outside law enforcement or the OIG, parties that receive information derived from monitoring shall consult with the OGC as to potential restrictions on the use of such information under applicable law.

Periodic Review of Monitoring: The OpDiv CIO shall review all computer monitoring on a monthly basis and, in consultation with the party who requested the monitoring, assess whether it remains justified or must be discontinued. OpDiv CIOs should consider whether the decision for ongoing monitoring should be reviewed by the OGC. A decision to continue monitoring shall be explained and documented in writing by the OpDiv CIO, who shall report at least monthly to the OpDiv Head regarding the status of any ongoing monitoring.

Special Circumstances: The OpDiv CIO and the OGC may make recommendations to the OpDiv Head for additional procedures, if necessary, to address specific circumstances not addressed in this memorandum. Policies and procedures that deviate from the elements of this memorandum, however, may not be implemented without the written concurrence of the HHS CIO in consultation with the OGC.

/s/ E.J. Holland, Jr.
Date: June 26, 2013

[1] For purposes of this memorandum, the Assistant Secretary for Administration has determined that the HHS Chief Information Officer will function as the CIO for the StaffDivs.

[2] For the purposes of this memorandum, the term "employee" includes all individuals who have been provided and currently have access to HHS IT resources. For example, the term employee is intended to also mean contractors, guest researchers, visiting scientists, and fellows. The term does not include individuals who were, but no longer are, affiliated with the agency, and other affiliates who are provided access to HHS IT resources.

[3] For the purposes of this memorandum, the term "computer monitoring" covers monitoring of HHS IT resources, including real-time or contemporaneous observation, prospective monitoring (e.g., using monitoring software), and retrospective review and analyses (e.g., of e-mail sent or received, or of computer hard-drive contents) targeting an individual employee. This memorandum does not apply to passive monitoring (computer incident response monitoring) of systems relating to national security or the Federal Information Security Management Act of 2002 that perform general system and network monitoring, or examinations of computers for malware. Additionally, "computer monitoring" excludes any review and analysis requested by or approved by the employee(s) being covered. This memorandum also does not apply to retrospective searches for documents in response to valid information requests in the context of litigation, Congressional oversight, Freedom of Information Act (FOIA) requests, and investigations by the Government Accountability Office (GAO) and the Office of Special Counsel. Such retrospective searches may be conducted with the consent of the employee or the authorization of the OpDiv CIO.

[4] According to the warning banner, an HHS IT system includes "(1) the computer being accessed, (2) the computer network, (3) all computers connected to this network, and (4) all devices and storage media attached to this network or to a computer on this network."

[5] The Office of Inspector General (OIG) has developed a detailed policy governing computer monitoring within the OIG. The OIG will follow its own policy for its internal monitoring activities.

[6] For the purposes of this memorandum, the term "law enforcement authority" includes national security and intelligence agencies of the U.S. Government.