Category: Information Technology
Policy No.: IT-1
Subject: IT Policy
Date Issued: 7/15/2011
Staff Contact: Finance Director
Last Updated: 1/2/2019
To facilitate the effective and efficient conduct of City business, including encouraging and facilitating the free exchange of business-related communication, ideas and information; to ensure that the City complies with all legally-mandated requirements in order to provide appropriate and reliable information to the public and other agencies to serve the public interest; and, to outline appropriate and inappropriate uses of technology. This policy applies to all users of the City’s computer and electronic systems, including employees, elected officials, consultants, volunteers who serve in an administrative capacity, have been appointed to a city position, or exercise supervisory or delegated city authority, and members of commissions serving on behalf of Council (hereinafter collectively referred to as “users”) except where a paragraph specifically identifies employees as the intended subjects or the paragraph is asterisked.* Regardless of the record holder, the City shall keep all records it is required to retain under local, state, and federal law.
*These paragraphs refer exclusively to employees.
The City Manager has the authority to modify this policy as he/she deems necessary for the effective and efficient conduct of City business.
By using the City’s computer and other electronic systems (including but not limited to smart phone, email, internet and hosted applications), users acknowledge and agree that they have no expectation of privacy or confidentiality in their use of the systems or in any data that they create, store, or transmit on or over the systems, including any data created, stored or transmitted during the user’s incidental personal use of the computer system as permitted under this policy. All usage of, and data stored on, the City’s systems is subject to inspection by the City. Users of the City’s systems should assume that email and text messages and other documents created on the systems are public records and may be subject to public disclosure pursuant to the Washington Public Records Act, Chapter 42.56 RCW (the “PRA”).
Failure to follow this policy may result in a revocation or restriction of use of the City’s electronic systems and equipment and/or other disciplinary action, up to and including termination of employment, if applicable.
All City electronic communications and network equipment and services, including the messages transmitted or stored by the City, are the property of the City.
A. 
Stewardship of City resources is a responsibility that all users share.
B. 
The City is responsible for keeping its equipment in good working order, and for establishing protocols and procedures for the use and maintenance of such equipment.
C. 
All users of City-provided or City-utilized electronic devices and equipment are responsible for using technology in an effective, ethical, safe, and lawful manner. All usage should be consistent with the City’s Vision and Values and used for City business, except as provided for in this policy.
D. 
Responsibility and accountability for the appropriate use of City resources ultimately rests with the individual user, or with the City official or City employee who authorizes such use.
E. 
When using City devices and equipment, the same rules apply whether on City property or off-site.
F. 
It is the responsibility of individual users to protect personal, sensitive or confidential information and to take care not to leave information exposed to view while unattended (whether paper or electronic device).
A. 
There is no expectation of privacy in the use of City technology tools. Internet usage on the City’s devices and/or systems (including details regarding accessed content and use practices) is accessible information that may be monitored by the City and may also be subject to disclosure under the PRA.
B. 
Both the individual user and the City are identified as the “sender” or “recipient” when the City’s systems are used for email communications and/or Internet activities. There is no “confidentiality” with respect to the use of the City’s systems and users should conduct themselves as “representatives” of the City in this regard.
C. 
The City of Kenmore will take those steps it deems necessary to protect the confidentiality, integrity, security and availability of all of its critical information. Critical information is defined as information which if released could damage the City financially; put employees at risk; put facilities at risk; or could cause legal liability. Examples of critical data include: employee health information, social security numbers, credit card holder information, banking information, police crime investigation information, etc.
D. 
Password Protection: Usernames and passwords are one of the most basic and critical lines of defense against unauthorized activity on the City’s network and computer equipment. A strong password helps mitigate risk against unauthorized activity and attacks, such as dictionary password and brute force password hacks. As a government agency, the City is also required to abide by applicable policies related to regional, state, and federal networks.
E. 
Users will be required to change their passwords every 120 days, and new passwords must meet complexity requirements of 7 or more characters from at least 3 of the following 4 categories: upper case letter, lower case letter, numeric, and symbol (#,*,&, etc.). (Dinopass.com is a good resource for strong, easy-to-remember passwords.)
F. 
Users are responsible for keeping passwords confidential and not sharing them with other users.
G. 
Users may not log in as another user or use another user’s password.
H. 
Users are prohibited from using “loopholes” or knowledge of a special password to damage computer systems, obtain extra resources, or to gain access to systems for which proper authorization has not been granted.
I. 
In order to prevent unauthorized access, City devices and computer equipment must be password protected and logged off from (computers) and/or locked (personal devices) when left unattended. Damage to or theft of City devices should be promptly reported to your supervisor and/or the Finance & Administration Department.
J. 
Users should only use technology equipment and software purchased and/ or licensed through the City unless written permission is obtained from Department Director and the Finance & Administration Department.
K. 
If using file sharing or similar cloud services (i.e., Dropbox, OneDrive or other file transfer protocol “FTP” site), download all received files and save them to the City network so that they are discoverable in case of public records requests.
L. 
Consider before uploading or sending documents whether they should be in Word format or PDF to preserve integrity of information.
M. 
There is an expectation that all users of the City’s technology will exercise their best judgement and discretion, in a manner consistent with City standards and this policy.
N. 
USB ports on City equipment should not be used to charge personal devices. Anything plugged into City computers could give the City access to your information, as well as transfer viruses or harmful files to the City network. There are wall chargers for both iPhone and android/other devices available to borrow from the Finance and Administration Department.
A. 
The City’s computer systems are provided to assist users in the performance of job responsibilities, to share information, and to communicate with each other and with outside individuals and organizations on City business.
B. 
There is an expectation that users will be professional and utilize common sense when accessing and using the Internet, and that users will recognize that representatives of government agencies are held to a high ethical standard.
C. 
Internet use and communication outside of City business should be conducted, as a first choice and whenever possible, on a personal device rather than City computers.
D. 
*The City’s computer systems, including email and Internet, may be utilized by employees during breaks for occasional, incidental, limited personal use that, in the judgment of a supervisor or department director, does not interfere with individual or department productivity or otherwise compromise the City’s interests and operations or violate other City policies or general work-place standards and expectations.
E. 
*Examples of acceptable use by employees include:
1. 
Accessing the Internet to learn about City-provided benefits;
2. 
Using the Internet to investigate issues surrounding a commute;
3. 
Using a City computer to take online job-related training courses pre-approved by supervisor or City Manager (in lieu of attending similar class off site).
4. 
Reading news online during breaks.
F. 
Users will consider bandwidth demands and potential impact on City network performance when determining appropriateness of occasional, incidental personal use (for instance, streaming internet radio).
Usage for any activity that could adversely affect the City’s image or reputation is expressly prohibited.
The following are examples, but not an exhaustive list, of unacceptable uses of the City’s systems:
A. 
*Employees’ personal use of computer or internet outside of designated breaks, or which is otherwise excessive or interferes with productivity or City business. As noted above, first choice for personal use should be to use a personal device and only during breaks.
B. 
Conducting any outside business endeavors or activities, regardless of whether such endeavors or activities are “profit” or “nonprofit” in nature.
C. 
Any campaign or political activities, whether related to candidates, parties or ballot measures. Users must understand that absolutely no City resources may be used to support or defeat any political campaign, or political activities, as this is a violation of state ethics laws.
D. 
Commercial activities, such as advertising or selling, whether for personal or business purposes, other than City-sponsored charitable or community-based promotions.
E. 
Any use for private benefit or gain, including use of City contracts with vendors for the purchase of personal goods or services (such as office supplies).
F. 
Any illegal activity, including any use of the Internet, software, or any other property or resource that infringes upon patents or violates copyright or other laws.
G. 
Violation of software license agreements.
H. 
Obscene, vulgar, profane, pornographic or otherwise offensive language, portrayals or displays, whether by transmission via email or by accessing nude, sexually explicit or offensive or inappropriate materials on Internet sites.
I. 
Transmitting or otherwise communicating harassing, retaliatory, threatening or demeaning language, or any other expression of bias or malice toward individuals or groups.
J. 
Usurping name, position or authority of another individual or misrepresenting one’s own position or authority or sending anonymous messages.
K. 
Use of aliases while using the Internet.
L. 
Disclosure of passwords to anyone.
M. 
Unauthorized access to systems or programs.
N. 
Intentional disruption of the network.
O. 
Downloading of software, data, and graphics without authorization.
P. 
Downloading or installing non-business-related software applications or programs without authorization, such as games or screen savers that have the potential to undermine the security of City information and systems.
Q. 
Accessing or disclosing Protected Health Information (PHI per HIPAA) without authorization.
R. 
Deletion of electronic files unless specifically authorized in the Office of the Secretary of State Washington State Archives Local Government Common Records Retention Schedule (CORE) and authorized by the City.
S. 
Fraudulent offers of services or products under City of Kenmore name.
T. 
Gambling, Fantasy Sports, E-Bay or other bidding sites.
U. 
Any use that would be a violation of any law, City policy or workplace standards.
A. 
Privileged Attorney-Client Communication –
Electronic mail to or from lawyers working on the City’s behalf should be marked both in the subject header and in the body of the message as “Privileged Attorney-Client Communication.” Communication to or from the city’s lawyers for the purposes of obtaining legal advice or handling threatened or actual lawsuits is usually privileged and exempt from public disclosure. If privileged electronic communications are printed, they should be clearly marked and identifiable as privileged and filed separately from regular communications to prevent inadvertent disclosure for public records requests.
B. 
The City utilizes software for spam detection, but users should be attentive to emails that have unusual or questionable subject lines to mitigate spam, phishing and script-borne viruses that come into the network through email attachments or by clicking on links that lead to hostile web sites. Users should immediately contact the Finance & Administration Director upon encountering any suspicious email or attachments.
C. 
City business should only be conducted on a user’s City-provided email account, not on personal email accounts. Users who do not follow this policy should understand that electronic records involving City business, whether created and/or stored on the user’s personal equipment and/or account, nonetheless constitute “public records,” and the user’s personal equipment and/or account potentially becomes subject to inspection, download and/or disclosure under the PRA.
D. 
When using City email, users are representing the City and should be professional and reflect the policies of the City.
E. 
Management and retention of emails by individual user doesn’t impact public records requests because emails and attachments are automatically archived in a separate database when received or created through the City email system.
1. 
An exception to this is the receipt of files using a file transfer protocol (FTP) site. Files received via this method should be downloaded & retained per CORE retention requirements.
F. 
*Employees’ occasional, incidental personal use of City email that does not interfere with individual or department productivity is allowable, although first choice should be to use a personal device for personal email or messaging during breaks. An example of this would be communicating logistical details with children/spouse during breaks.
A. 
City-owned cell phone devices are to be used primarily for City business. All City business should be transacted through the City’s cloud-based service (currently Office 365), whether using a City-owned or (with authorization) personal device. Users should understand that emails, voice mail and text messages on both City cell phones and personal devices used for or relating to City business or the conduct of government or the performance of any governmental or proprietary function are subject to the PRA and Records Retention laws (and, in the case of City elected officials, the Open Public Meetings Act).
1. 
Email messages transmitted via the City’s cloud-based service (whether using cell phone or City computer) are automatically captured in the City’s archiving email system.
2. 
Voice mail and text messages originating from or sent to the device are subject to disclosure through public records requests, and all non-transitory records should therefore be preserved/retained for the period of time required by retention rules. These records should be forwarded to a City email address, deleted from the phone, and retained in City email for the period of time required by records retention rules.
B. 
*Personal devices may only be used by employees for City business if authorized through the City Manager or the appropriate Department Director, and shall be subject to the terms and conditions in Appendix A, “Personal Device Use Agreement[1].”
A. 
Text messages are subject to the Public Records Act (PRA).
B. 
The use of text messaging for City business is prohibited for most employees and generally discouraged due to the difficulty of consistently capturing messages for potential disclosure under the Public Records Act.
C. 
*Only authorized employees may utilize text messaging for City business, whether on City-issued or personal devices.
D. 
The use of texting by Councilmembers and authorized personnel for City business carries with it responsibility to ensure that the City and the user are protected.
E. 
Each time a text message is utilized for City business or relates to the conduct of government or the performance of any governmental or proprietary function, the user must forward the text message to the City email account set up for this purpose.
F. 
Users who have any question as to whether a text relates to City business or the conduct of government or any governmental function should refer the text to their Department Head or City Clerk for review. When in doubt, users should treat the text as relating to City business or the conduct of government and forward the text pursuant to this policy.
G. 
Failure to forward business-related text messages puts the user at risk for having his/her phone confiscated by the courts in case of a lawsuit or allegation of a PRA violation.
A. 
When the City, in its discretion, determines to issue a cell phone to a City employee or Councilmember, the City shall be responsible for the purchase of the device and the monthly bill amounts.
B. 
All City-issued devices are owned by the City and remain the exclusive property of the City.
C. 
City-owned devices are intended primarily for business use. Limited incidental personal use is acceptable; however, it should not significantly impact work nor result in any additional expense or liability to the City. (Due to the diverse workgroups within the City, Department Directors are responsible for developing and communicating department-specific policy regarding appropriate personal use of City-owned devices by employees.)
D. 
Where no other policy, contract, or agreement exists, this Policy should be followed.
E. 
City-issued devices will be replaced in accordance with a schedule established by Department Directors and/or the IT Committee.
F. 
If negligence results in a City-issued device being lost, destroyed, or rendered unusable for reasons other than typical “wear and tear,” then the user may be responsible for replacement cost.
G. 
All electronic use rules apply to City-issued devices.
A. 
All users authorized to utilize their own personal devices for City business must complete a “Personal Device Use Agreement” (See Appendix A[1]) to be submitted to the City Manager for approval.
B. 
Because use of a personal device for City Business may make information on the device subject to the PRA, one express condition shall be the user’s consent to the City’s search of the personal device in the case of a relevant internal/external investigation, the City’s response to PRA request(s), and any other legal obligation of the City.
C. 
If an employee uses a personal device (with authorization), the employee is responsible for the purchase of the device and the monthly bill amounts.
D. 
All devices must have a Personal Identification Number (PIN) and time-out setting to prevent unauthorized access to City information.
E. 
All wireless phone devices that have the capability to connect to City data must be approved by the Finance and Administration Department prior to use. These devices must support remote wiping of data and passwords and encryption to protect against unauthorized access to City data in case of a lost or stolen device.
F. 
The City Manager may authorize the issuance of a stipend for use of personal electronic devices such as smart phones or tablets, depending upon the needs of the City and the employee’s position. If stipend is authorized, in addition to “Personal Mobile Device Agreement,” the employee must also complete a “Personal Mobile Device Stipend Agreement” (See Appendix B[2]).
G. 
Maximum monthly stipend amount shall not exceed the amount the City would pay for a data plan on a City-issued device. The monthly stipend amount may be changed at any time with City Council approval.
H. 
This Stipend program may be terminated by the City at any time.
A. 
Use of your personal mobile device for City business may make information on your device subject to the PRA. This includes all email messages, text messages and other forms of communication. To minimize (but not eliminate completely) the risk of information on your device being subject to the PRA:
1. 
All City email, contacts and calendar items should only be accessed using the Microsoft Outlook app that is available from your phone’s App Store. Do not set up the default email, contact or calendar application on your phone to access City systems as it will be very difficult to differentiate between what is personal and what is work related on your device.
2. 
The Microsoft Outlook app should only be configured to access the City email system and no other non-city personal or business accounts.
3. 
While it is strongly recommended that you do not use your personal device for conducting any City business via text messaging (SMS, MMS or otherwise), should it be necessary (and only with prior authorization and as outlined in Text Messaging section above), the messages should be forwarded to the City’s email system for retention and potential disclosure.
B. 
All email messages and attachments received at City email addresses are automatically archived, with the exception of documents received through FTP sites. These documents should be downloaded, saved on the City network and retained per CORE retention requirements.
C. 
As a public agency, all City business records, even if located on personal equipment or devices, are public records subject to disclosure unless a specific exemption in the PRA exempts the record from disclosure. As a result, emails and text messages, phone and text messaging logs, and all other documents related to City business or the conduct of government or the performance of any governmental or proprietary function located either on City equipment or on personal equipment or personal accounts are subject to public disclosure, if requested. Records that mix City business and personal business are nonetheless still considered public records that may be subject to disclosure. Users should not expect any right to privacy in the public records located on their city equipment or on their personal equipment.
D. 
Personal records, ones that are entirely unrelated to City business or the performance of duties, located on City equipment or on personal equipment are not considered public records and are not subject to disclosure. The City retains the discretion to determine which records do not qualify as “public records” under the PRA.
E. 
No City funds may be used to purchase applications, City-approved or otherwise, on personal mobile computing devices.
F. 
Except with authorization and as outlined in section titled, “Personal Electronic Devices for Authorized Personnel”, personal phones and personal computers should not be used for City business.
G. 
In order to be in compliance with the PRA and Public Records Retention laws, all users bear responsibility for ensuring that:
1. 
All City-business-related phone records associated with personal phones are retained for a minimum of one year from the date the call was made or received;
2. 
Records are locatable and will be readily accessible in the event of a public records request. Toward this end, a user may be requested to provide his or her phone to the City for purposes of identifying and downloading public records; anyone who uses his/her personal phone for City business other than use of City email through the City’s cloud-based service shall comply with any such requests.
3. 
No City business may be conducted on private social media (tweets, blogs, web posts, etc.). City business may be conducted on a City-sponsored social media site, under the guidelines outlined in Social Media Administrative Policy.
4. 
Records and/or messages that are transitory in function/content should be deleted from computers and other devices as soon as is practicable, provided that they are not material to the business of the City. However, if they have not been deleted and a public records request has been received, transitory messages must be retained and included in the response to the public records request. “Transitory” is specifically defined in the Office of the Secretary of State Washington State Archives Local Government Common Records Retention Schedule (CORE) but is generally understood as messages for short-term, temporary informational use[1].