Code of Conduct for the Use of ICT Facilities

In this regulation, the following terms shall have the following meanings:

1. Employer: the Municipality of West Maas en Waal
2. Employee: the employee referred to in Article 1.1 of the Municipalities Collective Labor Agreement
3. Sanctions: punitive measures or other measures to enforce certain behavior 

The internet is an open infrastructure that is accessible to everyone. The reliability of information on the internet cannot always be guaranteed.
Internet access from the workplace is intended to support the performance of work tasks. Firewall filters are in place to prevent access to unsafe websites and unsafe downloads. These security systems are updated centrally on a regular basis. In addition, we expect you to be alert and to use the internet safely.

2.1 Use of the Internet

• Websites marked as "unsafe" or sites with inappropriate content are automatically blocked. If you believe a website has been blocked unjustly, you can report this to the I&A service desk. The service desk can then make an exception to the security settings.
• Be aware that "site administrators" often automatically register who or which organization visits the site in question. Avoid damaging the integrity or good name of the municipality of West Maas en Waal through your use of the internet or email. 
• General internet usage is monitored centrally. Individual internet usage may be monitored if we suspect that you are using the internet in violation of this code of conduct. For example, in the case of intensive use for purposes other than business. And when visiting sites that contain threatening, intimidating, racist, or offensive information (insofar as these are not already blocked). Depending on the nature of the violation, sanctions may be imposed.

The municipality of West Maas en Waal has one general email address: info@westmaasenwaal.nl
All emails sent to the general email address are treated as incoming mail. 
You also have access to an internet browser and a personal email address. You can send emails directly from your workstation. It is important that you register the relevant messages in our case management system, Decos JOIN.

3.1 Legal status

From a legal perspective, an application sent to the municipality by email does not have to be processed. Decisions made by administrative bodies must be recorded in writing and communicated to the addressee and interested parties.
However, decisions are preferably made on applications submitted digitally. 
An exception applies to requests made under the Government Information (Public Access) Act. Only written requests made under the Government Information (Public Access) Act will be processed. An applicant has no legal recourse if a digital application is not processed.

3.2 Handling

Every working day, an employee of the Customer Contact Center or Information Provision checks whether any emails have been received at the general email address: info@westmaasenwaal.nl. 
Received email messages are treated in the same way as letters and faxes in terms of confirmation of receipt and registration. The employee in question reads the email sent to the general
email address and then decides whether the email:

• will be registered and processed,
• is forwarded directly to the employee concerned or
• will be deleted.

You may receive an email that must be signed in accordance with certain legal requirements. In that situation, as the employee handling the matter, you are responsible for requesting the sender to submit the document in writing as soon as possible.

For email, as with physical mail, we distinguish between formal and informal mail. Formal emails are registered in our case management system, Decos JOIN.

Formal mail:

• Messages whose content has legal, administrative, financial, or other consequences for the sender and/or recipient municipal department;
• Messages whose content has or may have an evidentiary or accountability function or may otherwise remain important to the organization for a longer period of time;
• Messages whose content is important for the correct interpretation of other data;
• Messages for which proof of existence or date of receipt must be recorded.

Informal post:

• Messages from which the sender or recipient cannot derive any rights or obligations;
• Messages with a very short-lived meaning: once the content has been read, it loses its importance.

If you are unsure about the status of a message, you can consult with the information manager.

3.3 Archiving

Email messages are archival documents within the meaning of the "Archives Act 1995." This law applies to you when it comes to archiving and public access.

Relevant emails (emails that are 'worthy of archiving') are stored digitally in the case management system, Decos JOIN. Once the case has been closed, it is archived by Information Services, including the email messages. You no longer need to store the email yourself. The Public Records Act determines the retention period for the case and therefore automatically also for the relevant email.

3.4 Use of email 

As the holder of a personal email address, you check your email every working day. When you are absent, you set up an automated reply.

Decisions made by administrative bodies must be recorded in writing and communicated to the addressee and interested parties. These cannot therefore be sent by email alone.  
Communications that you would also be allowed to give by telephone can, of course, be sent by email. We use a standard email signature for outgoing emails. The standard email signature contains a reference to the disclaimer regarding email traffic.

3.5 Responsibility

Managers are responsible for both the content of the documents and the processes associated with them. This applies to both physical and digital mail. Because a manager cannot check everything, you are responsible for complying with the agreements yourself.

3.6 Email address notation

A personal email address from the municipality of West Maas en Waal is composed as follows:

• the first initial of your first name followed by your last name, e.g., vachternaam@westmaasenwaal.nl or,
• first name, followed by last name, e.g., voornaamachternaam@westmaasenwaal.nl. 

The second option is chosen if there are several employees with the same initial and surname working within the municipality.

You also have a right to privacy in the workplace. Private contact is permitted, unless it has a negative impact on your work. What does this mean for email and internet use during working hours, for example?
An employer may impose conditions on the use of email and the internet at work and/or prohibit certain types of use. An employer may then exercise control over this. However, when monitoring the use of email and the internet, the employer must comply with the rules of the Personal Data Protection Act (Wbp). Monitoring may be necessary, for example, to protect trade secrets, system security, or to detect fraud. Monitoring shall not go beyond what is necessary for the purpose in question. The importance of monitoring must outweigh your interests in terms of privacy protection. And the infringement of your privacy must not be disproportionate to the purpose of the monitoring. There must also be no other, less intrusive ways of achieving this purpose. 
This code of conduct informs you about the email and internet policy, so that you know what is and is not allowed, that checks may be carried out, and what penalties apply for violating the rules. The works council has approved this code of conduct.

4.1 General principles

This code of conduct sets out the agreements on how the municipality of West Maas en Waal handles the recording, collection, and monitoring of data that can be traced back to an individual in relation to email and internet use. The aim is to strike a good balance between responsible use of the internet and email. The interests of the organization and its employees are paramount. At the same time, the privacy of employees in the workplace remains fully protected.

1. Data relating to internet and email use that can be traced back to an individual will not be recorded, collected, monitored, combined, or processed in any way other than as described in this code of conduct.
2. Personal data will only be used for the purpose for which it was collected.
3. The recording of data that can be traced back to a single person is kept to a minimum. The privacy of employees in the workplace is protected to the maximum extent possible.

4.2 Email usage

1. It is permitted to use the email system for non-business messages, such as receiving and sending personal emails. However, this must not interfere with the smooth progress and quantity of daily work. The assessment of this is the responsibility of the immediate supervisor.
2. The ability to receive and send personal email messages is subject to the following conditions:
   1. The email sent contains a reference to the disclaimer of the municipality of West Maas en Waal, which is published on the municipal website. 
   2. Certain types of email use are not permitted, namely: gambling, sending chain letters, viewing or distributing pornographic material, discriminatory or sexually harassing comments, or downloading or sending illegal software. 
   3. The interests of the municipality of West Maas en Waal must not be infringed upon in any way.
   4. If an email message raises questions regarding the above-mentioned topics, please contact your manager.
3. The content of personal or business email messages is not read, except in cases where there is a compelling reason, as indicated in section 4. No individual data regarding the number of emails, email addresses, or other related data is recorded and/or checked.
4. Inspections may occasionally be carried out if there is a compelling reason to do so. For example, if there are indications that the rules under 1 and 2 of this article have been violated. The works council will be notified of such an inspection afterwards, but as soon as possible.

Article 4.3 Internet use

1. The internet system may occasionally be used for non-business purposes, provided that the rules under 2 are complied with. This should not interfere with the smooth progress and quantity of daily work. The assessment of this is the responsibility of the immediate supervisor. 
2. It is not permitted to deliberately visit or distribute sites that are pornographic or discriminatory in nature or that have a criminal background or intent (cracking, hacking, etc.).
3. Unless there is a compelling reason, as indicated in section 4, no data relating to internet visits that can be traced back to individual persons will be recorded and/or monitored. However, it is possible that an anonymous overview of the sites visited by employees and the frequency of those visits may be generated.
4. Checks on internet use may be carried out if the anonymous overview referred to in point 3 gives cause to do so. Your internet use may be checked without prior notice if there is a compelling reason to do so. The works council will be notified of such checks retrospectively, but as soon as possible.

4.4 Penalties

If it is found that you are violating the rules, your manager will address this with you. In the event of serious violations or repeat offenses, the Mayor and Aldermen (and in certain cases the council) may impose organizational measures. These may include, for example, temporarily or permanently revoking your access to certain IT facilities.

Article 4.5 Rights of the employee

As an employee, you have the following rights with regard to the recording of email and internet usage. 

1. Right of access: You have the right to access the data recorded about you relating to email and internet use. A request for access must be made in writing to your manager and will be granted within four weeks.
2. Right to obtain a copy: You have the right to obtain a copy of the data recorded about you. A request for a copy must be submitted in writing to your immediate supervisor and will be granted within four weeks. 
3. Right to correction: You have the right to correct or supplement factually incorrect data in the registered data (or have it corrected or supplemented). Requests for correction or supplementation will be decided within four weeks. If a request for correction or supplementation is granted, the correction will be made immediately.
4. Right to erasure: You have the right to have data about you that is no longer relevant or that violates this code of conduct or a legal requirement erased and destroyed. A decision on a request for erasure and destruction will be made within four weeks. If the request is granted, the erasure and destruction will take place immediately.

To guarantee system availability and data security, Cluster I&A performs the following activities centrally:

• 
  antivirus program An antivirus program is installed for optimal protection against viruses. This program is updated regularly.
• Installation of patches
  Suppliers of system and application software regularly release patches to correct errors in their products. As far as Windows updates are concerned, installation is managed centrally.
• 
  Firewall A firewall ensures that the system is closed off to external abuse. 
• 
  backup I&A makes a daily backup of all files that are retrieved and/or stored on the network.

You are responsible for the safe use of the systems and the security and confidentiality of data outside the municipal network. You must limit the exchange of data and software to what is necessary for your work.
The following rules apply:

• Email with attachments
  Despite having antivirus software, you should still be cautious when opening email attachments. Make sure that the email is from a known sender, that you were expecting an email with an attachment from that sender, and that the subject line matches the name of the attachment.
• Messages with a false sender
  It is possible to send email using someone else's name and email address. You should always be careful when providing confidential information via email. Never send passwords by email.
• Fake login pages
  Various internet services require you to enter a username and password. It is possible that an internet site has been replicated. You will then be directed to this site with the intention of reading your password. If you encounter such a situation, change your password immediately and report the incident to the Chief Information Security Officer (CISO), who is part of the Information Provision team.
• Downloading files
  Always exercise caution when downloading files from the internet and first check whether they are executable programs for the municipality's systems.
• Hardware and software
  Installing, adding, modifying, moving, or removing software and hardware (devices and programs) is only permitted in consultation with the I&A cluster. Maintenance and repair of equipment is the responsibility of I&A. In the event of malfunctions or if you have questions about how something works, please contact the I&A service desk. Troubleshooting malfunctions and making changes to applications is the responsibility of the application manager for the software in question. Please report any malfunctions in applications or requests for changes to the application manager. If no application manager has been designated, please contact I&A.
• 
  workspace You use and manage your workspace carefully and ensure that confidential or sensitive information is not left unattended. You lock your PC when you leave your workspace. 
• Responsible use of passwords
  You are responsible for keeping your passwords private. Passwords should not be shared, not even with colleagues! If third parties request your password, this will be considered a security incident. You must report this to the municipality's Chief Information Security Officer (CISO).
  Every 60 days, the password for logging into the West Maas en Waal municipality network must be changed. This is set centrally and you will receive a notification. The criteria that the password must meet are also set centrally.
  If you notice any misuse of the password, change the password and report this immediately to the CISO.

The following rules apply to the responsible use of passwords for the network and various applications:

• You use different passwords for different systems/purposes/applications.  
• You don't write down passwords. 
• Do not disclose passwords via email, chat, or other digital communication. If this is necessary, do so separately (via another channel) from the username.
• You use a strong password. Password verification questions are not easy to guess. 
• You are not using the "remember password" feature of some web browsers.
• You are not using the stay logged in feature.
• You do not use passwords in automatic login procedures (for example, stored under a function key or in a macro).

This code of conduct also applies to the use of equipment provided on loan.
If you are given a laptop, iPad, and/or mobile phone by the municipality of West Maas en Waal, you will be required to sign a loan agreement. The municipality is and remains the owner of the equipment and software. The loan agreement sets out the rules (of conduct) relating to use and liability.