Code of Conduct for the Use of IT Facilities

For the purposes of these regulations, the following terms shall have the following meanings:

1. Employer: the Municipality of West Maas en Waal
2. Employee: the employee referred to in Article 1.1 of the Municipalities Collective Bargaining Agreement
3. Sanctions: punitive measures or other measures designed to enforce a certain behavior 

The internet is an open infrastructure accessible to everyone. The reliability of information on the internet cannot always be guaranteed.
Internet access from the workplace is intended to support the performance of your duties. There are “firewall filters” in place to prevent access to unsafe websites and unsafe downloads. These security systems are continuously updated centrally. In addition, we expect you to be vigilant and to use the internet safely.

2.1 Use of the Internet

• Websites marked as “unsafe” or containing inappropriate content are automatically blocked. If you believe a website has been blocked in error, you can report it to the I&A Service Desk. The Service Desk can then create an exception to the security settings.
• Be aware that "site administrators" often automatically register who or which organization visits the respective site. Prevent the integrity or good name of the municipality of West Maas en Waal from being compromised by your use of the internet or email. 
• General internet usage is monitored centrally. Individual internet usage may be monitored if we suspect that you are using the internet in violation of this code of conduct. For example, in the case of intensive use for non-business purposes. And when visiting sites that contain threatening, intimidating, racist, or offensive information (to the extent that these are not already blocked). Depending on the nature of the violation, sanctions may be imposed.

The municipality of West Maas en Waal has 1 general email address: info@westmaasenwaal.nl
All emails addressed to the general email address are treated as incoming mail.
In addition, you have access to an internet browser and a personal email address. You can email directly from your workstation. It is important that you register eligible messages in our case management system, Decos JOIN.

3.1 Legal Status

From a legal standpoint, a request sent to the municipality via email does not have to be processed. Decisions by administrative bodies must be recorded in writing and communicated to the addressee and interested parties.
However, a decision is preferably made on requests submitted digitally. 
An exception applies to requests made under the Government Information Act. Only written requests made under the Government Information Act will be processed. An applicant has no legal recourse if a digital application is not processed.

3.2 Processing

Every workday, an employee from the Customer Contact Center or Information Services checks whether any emails have been received at the general email address: info@westmaasenwaal.nl. 
Received email messages are treated the same as letters and faxes with regard to acknowledgment of receipt and registration. The employee in question reads the email sent to the general
email address and then decides whether the email:

• is recorded and processed,
• is forwarded directly to the employee concerned or
• will be deleted.

You may occasionally receive an email that, due to a legal requirement, must be signed. In such cases, as the employee handling the matter, you are responsible for requesting that the sender submit the document in writing as soon as possible.

As with physical mail, we distinguish between formal and informal emails. Please log formal emails in our case management system, Decos JOIN.

Official mail:

• Messages whose content has legal, administrative, financial, or other implications for the sender and/or the recipient municipal department;
• Messages whose content serves or may come to serve as evidence or documentation, or that may otherwise remain important to the organization for an extended period of time;
• Messages whose content is relevant to the proper interpretation of other data;
• Messages for which proof of existence or date of receipt must be recorded.

Informal post:

• Messages in which neither the sender nor the recipient can derive any rights or obligations from the content;
• Messages with a very short-lived significance: once the content has been read, they lose their relevance.

If you have any questions about the status of a message, please contact the information administrator.

3.3 Archiving

Email messages are archival records within the meaning of the "Archives Act of 1995." This law applies to you with regard to archiving and public access.

You should store relevant emails (emails that are “archivable”) digitally in the case management system, Decos JOIN. Once the case is closed, the Information Services department will archive the case, including the email messages. You no longer need to keep the email yourself. The Records Act governs the retention period for the case and, by extension, for the relevant email.

3.4 Using email 

If you have a personal email address, you should check your email every workday. When you are away, you should set up an automatic reply.

Decisions made by governing bodies must be recorded in writing and communicated to the addressee and interested parties. Therefore, they cannot be sent solely by email.  
Notifications that you would also be permitted to provide by phone may, of course, be sent by email. For outgoing emails, we use a standard email signature. The standard email signature includes a reference to the disclaimer regarding email correspondence.

3.5 Responsibility

Managers are responsible for both the content of the documents and the related processes. This applies to both physical and digital mail. Since a manager cannot monitor everything, you are personally responsible for adhering to the agreements.

3.6 Email Address Format

A personal email address from the municipality of West Maas en Waal is composed as follows:

• the first initial of your first name followed by your last name, e.g., vachternaam@westmaasenwaal.nl or,
• first name, followed by the last name, e.g., voornaamachternaam@westmaasenwaal.nl. 

The second option is chosen if there are multiple employees within the municipality who share the same first initial and last name.

You also have a right to privacy in the workplace. Personal communication is permitted, unless it has a concrete negative impact on your work. What does this mean, for example, for email and internet use during work hours?
An employer may Requirements for the use of email and the internet at work and/or prohibit certain types of use. An employer may then monitor this. However, when monitoring email and internet use, the employer must comply with the rules of the Personal Data Protection Act (Wbp). Monitoring may be necessary—for example, to protect trade secrets, ensure system security, or detect fraud. The monitoring does not go beyond what is necessary for the specific purpose. The importance of the monitoring must outweigh your interests regarding privacy protection. And the infringement on your privacy must not be disproportionate to the purpose of the monitoring. Furthermore, there are no other—less intrusive—ways to achieve this purpose. 
This Code of Conduct informs you about the email and internet policy, so that you know what is and is not permitted, that monitoring may take place, and what penalties apply for violating the rules. The Works Council has approved this Code of Conduct.

4.1 General Principles

This code of conduct lays down the agreements on how the municipality of West Maas en Waal handles the registration, collection, and monitoring of data traceable to one person regarding email and internet usage. The aim is to find a good balance between responsible use of the internet and email. The interests of the organization and employees are central. At the same time, employee privacy at the workplace remains maximally protected.

1. Data relating to internet and email use that can be traced back to an individual will not be recorded, collected, monitored, combined, or processed in any way other than as described in this code of conduct.
2. Personal data will only be used for the purpose for which it was collected.
3. The collection of personally identifiable information is kept to a minimum. Employee privacy in the workplace is protected to the fullest extent possible.

4.2 Email Use

1. You are permitted to use the email system for non-business-related messages, such as sending and receiving personal emails. However, this must not interfere with the smooth progress and volume of daily work. The decision on this rests with your immediate supervisor.
2. The ability to receive and send personal email messages is subject to the following Requirements:
   1. Sent email contains a reference to the disclaimer of the municipality of West Maas en Waal, which is published on the municipal website. 
   2. Certain uses of email are not permitted, including: gambling, sending chain letters, viewing or distributing pornographic material, making discriminatory or sexually harassing statements, or downloading or sending illegal software. 
   3. The interests of the municipality of West Maas en Waal may not be violated in any way.
   4. If an email raises questions regarding the topics mentioned above, please contact your supervisor.
3. The content of personal or business email messages is not read, unless there is a compelling reason to do so, as indicated in section 4. Furthermore, no individual data regarding the number of emails, email addresses, or other related information is recorded and/or monitored.
4. Inspections may be conducted on an ad hoc basis if there is a compelling reason to do so. For example, if there are indications that the rules set forth in paragraphs 1 and 2 of this article have been violated. The works council must be notified of such an inspection afterward, but as soon as possible.

Section 4.3 Internet Use

1. The internet system may be used occasionally for non-business purposes, provided that the rules set forth in section 2 are followed. This must not interfere with the smooth progress and quality of daily work. The decision on this matter rests with the immediate supervisor. 
2. It is not permitted to intentionally visit or distribute websites that are pornographic or discriminatory in nature, or that have a criminal background or intent (such as squatting, hacking, and the like).
3. Unless there is a compelling reason, as indicated in section 4, no data regarding internet visits that can be traced back to individual persons is recorded and/or monitored. However, it is possible that an anonymous summary may be generated of the websites visited by employees and the frequency of those visits.
4. Checks on internet usage may be conducted if the anonymous report mentioned in section 3 gives cause to do so. Your internet usage may be monitored without prior notice if there is a compelling reason to do so. The works council will be notified of such a check afterward, but as soon as possible.

4.4 Penalties

If it is determined that you have violated the rules, your supervisor will address the matter with you. In the event of a serious violation or a repeat offense, the Mayor and Aldermen (and, in certain cases, the City Council) may impose disciplinary measures. These may include, for example, temporarily or permanently revoking your access to certain IT resources.

Section 4.5 Employee Rights

As an employee, you have the following rights regarding the monitoring of email and internet use. 

1. Right of access: You have the right to access the data we have recorded about your email and internet usage. You must submit a written request for access to your supervisor, and it will be granted within 4 weeks.
2. Right to a copy: You have the right to receive a copy of the data we have on file about you. You must submit a written request for a copy to your immediate supervisor, and it will be granted within 4 weeks. 
3. Right to Rectification: You have the right to have factually incorrect information in the recorded data corrected or supplemented. Decisions on requests for correction or supplementation will be made within 4 weeks. If a request for correction or supplementation is granted, the correction will be made immediately.
4. Right to Erasure: You have the right to have data recorded about you that is no longer relevant, or that violates this Code of Conduct or a legal requirement, erased and destroyed. A decision on a request for erasure and destruction will be made within 4 weeks. If the request is granted, the erasure and destruction will take place immediately.

To ensure system availability and data security, the I&A cluster centrally performs the following activities:

• 
  Antivirus Software To ensure optimal protection against viruses, antivirus software has been installed. This software is updated regularly.
• Installing patches
  System and application software vendors regularly release patches to fix bugs in their products. As far as Windows updates are concerned, installation is managed centrally.
• Firewall
  A firewall ensures that the system is protected against external attacks. 
• Backup
  I&A performs a daily backup of all files retrieved and/or stored on the network.

You are personally responsible for the safe use of the systems and for ensuring the security and confidentiality of data outside the municipality’s network. You must limit the exchange of data and software to what is necessary for your work.
The following rules apply:

• Emails with attachments
  Even if you have antivirus software, you should exercise caution when opening email attachments. Make sure the email is from a sender you know, that you were expecting an email with an attachment from that sender, and that the subject line matches the name of the attachment.
• Messages with a fake sender address
  It is possible to send emails using someone else’s name and email address. You should always be cautious about sharing confidential information via email. Never share passwords via email.
• 
  Fake Login Pages Many online services require you to enter a username and password. It is possible that a website has been cloned. You may be redirected to this site with the intention of stealing your password. If you encounter such a situation, immediately change your password and report the incident to the Chief Information Security Officer (CISO), who is part of the Information Services team.
• Downloading files from
  Always exercise caution when downloading files from the internet, and first verify that they are executable programs compatible with the municipality’s systems.
• Hardware and Software
  Installing, adding, modifying, moving, or removing hardware and software (devices and programs) is permitted only in consultation with the I&A cluster. Maintenance and repair of equipment is the responsibility of I&A. In case of malfunctions or if you have questions about how something works, contact the I&A service desk. Troubleshooting and making changes to applications is the responsibility of the application administrator for the relevant software. Report application malfunctions or requests for changes to the application administrator. If no application administrator has been designated, contact I&A.
• Workstation
  You must use and manage your workstation with care and ensure that confidential or sensitive information is not left unattended. You must lock your computer when you leave your workstation. 
• Responsible use of passwords
  You are responsible for keeping your passwords personal. Passwords are not to be shared, not even with colleagues! If third parties request the password, this is considered a security incident. You report this to the municipality's Chief Information Security Officer (CISO).
  Every 60 days, the password for logging into the network of the municipality of West Maas en Waal must be changed. This is centrally configured, and you will receive a notification. The criteria that the password must meet are also centrally configured.
  If you detect misuse of the password, change it and report it immediately to the CISO.

The following rules apply to the responsible use of passwords for the network and various applications:

• You use different passwords for different systems, purposes, and applications.  
• You shouldn't write down your passwords. 
• Do not share passwords via email, chat, or other digital communication channels. If this is absolutely necessary, ensure that the password is sent separately (via a different channel) from the username.
• You use a strong password. The security questions associated with the password are not easy to guess. 
• You do not use the "remember password" feature found in some web browsers.
• You are not using the "Stay logged in" feature.
• Do not use passwords in automated login procedures (such as those stored under a function key or in a macro).

This code of conduct also applies to the use of loaned equipment.
If you are provided with a laptop, iPad, and/or mobile phone by the municipality of West Maas en Waal, you will sign a loan agreement for it. The municipality is and remains the owner of the equipment and software. The (conduct) rules regarding use and liability are laid down in the loan agreement.