How to Develop an Internet Use Policy

Worried about employee Internet use? Concerned about security, copyright, public records requirements? A practical guide to these and other issues.

by / May 31, 1997
As government jurisdictions and agencies across the country provide access to the Internet for their employees, questions arise about policies for employee use.

Most jurisdictions and agencies already have a policy that covers network use and e-mail. To avoid duplicate or inconsistent provisions, it is best to approach the development of an Internet use policy within the context of existing policies. In addition, regulations may need to be developed to assist employees in implementing the policy. The need for detailed regulations is particularly evident in areas affecting public records and confidentiality.

When Internet access is provided to government employees, it is important to make it clear that access is for a limited government purpose and all activities using the Internet should be work-related -- research, participation in mailing lists or newsgroups and correspondence.

Many employees will need guidance in determining what activities are work-related and the impact of the Internet on their productivity. The Internet can be addicting, particularly mailing lists and newsgroups. Group electronic communication can contribute to cross-jurisdictional sharing of creative ideas. But employees can lose track of the amount of time they devote to such activities and it is easy to rationalize that such activities are in furtherance of their job. This is primarily a training and personnel management issue, but the policy should emphasize restraint in group communication activities.

Most policies also enumerate the kinds of activities that would not fall within the limited governmental purpose. These include commercial, political and lobbying, collective bargaining and illegal activities. Personal use is also prohibited, but most jurisdictions and agencies will allow a small amount of private electronic communication for personal reasons. Fundraising activities, unless they are government approved or sponsored, are also generally prohibited. Employees should be made aware in training that their e-mail address provides an easy way to discover if they are using public resources for inappropriate purposes.

To reduce misuse of public resources, jurisdictions and agencies may want to restrict access to only those employees who can demonstrate a work-related reason to have it. This can be done on either an individual approval basis or through an analysis of job classifications with the option of individual approval.

Many policies contain a laundry list of prohibited, inappropriate speech, such as "offensive and abusive speech, flaming, etc." A more effective and positive approach can be captured in one simple statement: "Employees are expected to communicate in a professional manner that will reflect positively on them and [the jurisdiction or agency]."

With a greater number of employees communicating via e-mail, mailing lists and newsgroups comes the concern that a statement by one employee may be perceived by the recipient as an expression of official policy. One approach to handling this concern is to require the use of a disclaimer when an employee's views may not necessarily represent those of their jurisdiction or agency. A more restrictive approach would be to dictate that all viewpoints expressed must be in accord with official policy. This would substantially limit the benefits derived through cross-jurisdictional information sharing.

Another approach is to provide a cautionary statement in the policy and trust that employees will understand the limits of their communication in various contexts. Regardless of approach, it is clear that employee training should include instruction on how such issues are to be handled.

E-mail is a public record and subject to public record regulations with respect to inspection and disclosure, and scheduled retention and disposition. Unfortunately, from the information services perspective, excess mail storage is a system administration nightmare, leading to the recommendation of provisions such as: "delete your mail on a regular basis." The Internet policy must be in accord with the public records law.

In addition to a policy statement, regulations should be developed that set forth a workable strategy for handling e-mail that is in compliance with the state's public records laws, manageable from a systems operations perspective, and easily implemented from an employee perspective. Since public records have varying time requirements depending on the type of record, employees will need guidance on a process for sorting both outgoing and incoming mail into the appropriate retention files.

The issue of confidentiality of information transmitted electronically will need to be addressed in the development and implementation of an Internet use policy. This issue is of particular concern to agencies that frequently handle private information. The policy and regulations must be in compliance with both state and federal privacy laws.

We are entering an era of growing emphasis on integrated case management for social service clients. Integrating case management requires communication between government agencies and education institutions, and sometimes, with private agencies. As these parties gain Internet access, the most efficient means of sharing information will be electronic. This will raise concerns about the security of the transmission, as well as the handling of information stored in electronic form by the sender and recipient.

Privacy is privacy, whether the private information is contained in a letter or an e-mail message. What raises concern is the ease with which private information can be transmitted when it is in electronic form, leading to inadvertent, inappropriate disclosure.

System security issues fall into two categories. The first category is illegal actions. This includes attempts to break into or exceed authorized limits on a computer system and the intentional distribution of viruses or worms. The Internet use policy may reference specific criminal laws on these issues.

The second category are those actions that employees should take to assist in keeping the network secure. These include following the account authorization process, logon procedures, password protection requirements and the actions required if an employee detects a breach of security.

System integrity issues relate to damaging or overloading the computer system through inappropriate actions. Standard provisions include the requirement that employees follow established virus protection procedures when downloading material, and provisions that address the requirements for sending broadcast messages to large distribution lists. System integrity provisions may limit when large files can be downloaded and require employees to unsubscribe from mailing lists if they will be out of the office for an extensive period of time.

Employees should be reminded of the need to be respectful of copyright laws in their use of material found on the Internet. In many cases, it is unclear whether an action would be considered an infringing use of a copyrighted work. Employees should be instructed to make a practice of contacting the owner of the copyright and request written permission for their proposed use.

Employee electronic records are public records and employee work products, therefore, there is no expectation of privacy. This legal reality flies in the face of the perception of employees when they are using the Internet, which is that their activities are generally private. Additionally, since administrators do not generally have the time to spend poking through employee files, employee files will only be inspected if there is a suspicion of a problem.

From an effective employee man-agement perspective, the standards under which employee files are accessed or their activities are monitored should be respectful and fair. Employees should be advised that they do not have an expectation of privacy and that their files may be accessed or activities monitored under the following circumstances:

Routine system maintenance.
General inspection or monitoring, with or without notice, if there is reasonable suspicion of widespread inappropriate use.
Specific review of individual files or monitoring of individual activity, with or without notice, if there is an individualized reasonable suspicion of inappropriate use.
In the event of a public records request.
Standards should also express who has the right to authorize such access or monitoring. The fact that the department administrator has the right to access employee files does not mean that every employee should be able to access every other employee's files.

The natural evolutionary step after providing Internet access is the establishment of an Internet Web site for the jurisdiction or agency, and an intranet site for distribution of information internally. A Web policy will be separate from the Internet use policy. It should cover issues such as the chain of authority and responsibility in posting material on the site, specifications on what kinds of material should be posted and specific style requirements.

It is important to recognize that an Internet use policy is only the first requirement. In addition to learning basic Internet skills, employees need ongoing training on using the Internet appropriately and productively. During implementation, managers should pay close attention to the Internet use habits that are being established. Agencies should not be surprised to find that patterns of behavior will begin to change as employees gain Internet access. Many of the principles of restructured government can be facilitated through greater electronic communication and information access. The Internet use policy, along with training activities, can facilitate such restructuring.

Nancy Willard is an information technology consultant and author of "The Cyberethics Reader," published by McGraw-Hill. She provides consulting services in technology planning and Internet use policies.

Willard is currently establishing The Center for Cyberethics Studies, a research institute that will focus on policy, instruction and intervention strategies related to appropriate use of the Internet and information technologies. The initial focus of the center will be on K-12 strategies.
E-mail: . Internet:.


Internet Policy Pet Peeves
In reviewing a substantial number of policies, here is a list of personal policy pet peeves. These pet peeves generally affect the style of the policy, rather than the substance, but all contribute to a lack of clarity.

Extensive discussion on the wonders of the Internet or specific features of the Internet in a policy document.
Lack of organization.
Provisions addressing the same issue dispersed throughout the document.
Provisions that mix very important issues with minor issues in the same sentence.
Failure to distinguish between system integrity and system security issues.
Failure to distinguish between manner of use and purpose of use issues.
Cute statements, such as, "Never put in e-mail something that you would not want to see on the evening news."
Inconsistent provisions generally caused by the merger of provisions from several different policies.