016-14-05 Ark. Code R. § 11
Current through Register Vol. 49, No. 6, June, 2024
Rule 016.14.05-011 - DHHS Policy 5006 - Email Usage5006.0.0 EMAIL USAGE POLICY5006.0.1PurposeThe purpose of this policy is to define the terms and conditions under which the Department of Health and Human Services (DHHS) Email system may be utilized. The DHHS Chief Information Officer (CIO), Office of Systems and Technology manages access to DHHS Information Systems, including Email.
5006.0.2 This policy applies to any user of DHHS Information Systems who has a DHHS Email Account.5006.0.3 Email is provided as a service to DHHS employees and DHHS affiliates for the purpose of supporting the department's mission. Use of Email is encouraged to facilitate communication and the exchange of DHHS business-related information.5006.1.0 Definitions5006.1.1Access - Upon the presentation of appropriate credentials (User Name and Password), permission to use DHHS information systems, including the Email system. Access permissions are granted according to requirements set forth in DHS Policy 5001.5006.1.2DHHS Information Systems - DHHS Network services (Network access, Email, Internet, etc.) DHHS applications (client-server, web-based, mainframe, etc.), or any third-party software legally acquired and installed on the DHHS devices for which it was intended.5006.1.3User or End User - A person who has been granted access to any DHHS information system. A user may be a DHHS employee or an employee of a DHHS affiliate.5006.1.4DHHS User - A DHHS employee who has been granted access to any DHHS information system.5006.1.5Non-DHHS User - An employee of a DHHS affiliate who has been granted access to any DHHS information system.5006.1.6Public Record - As defined in Ark. Code Ann. § 25-19-101, a Public Record may exist in "any medium" and "all records maintained in public offices or by public employees within the scope of their employment shall be presumed to be public records."5006.2.0 DHHS Email System - Description and Terminology5006.2.1 Email consists of an evolving and growing range of network based messaging, calendaring, contact, and other on-line information management services. An Email system is deployed by an Email provider through an infra structure of network devices consisting primarily of Email Services and Email Clients on end user PCs.5006.2.2 Email Provider - An agent who deploys and manages an Email system.5006.2.3 Email Server - Equipment and software (e.g. Microsoft Exchange) dedicated to providing an Email system for a population of network user.5006.2.4 Email Client - The PC and software (e.g. Microsoft Outlook) utilized by an end user for the purpose of accessing an Email system.5006.2.5 Email Address - The address used by an Email Server to route messages to addressees (e.g. John Doe or John.Doe@mymail.com).5006.2.6 Email Record - Recorded user interaction or transaction history associated with any aspect of the DHHS Email system is an Email Record. Email records are Public Records subject to rules of privacy, disclosure and retention. Examples of Email Records: Email messages, Calendars, Contacts, DHHS Email Addresses.5006.2.7 DHHS Email Account - Approved users re assigned a unique Email Account that enables validation of user identity and authentication of access requests. The DHHS Email Account is a unique identifier that associates a user with Email activity stored on the Email Server. Users are responsible for the security of their Email Account as specified in the User Security Agreement and Confidentiality Statement, Form DHHS-359, and DHHS Policy 5001.5006.2.8 Email Mailbox - User activity is displayed on the Email Client in a virtual Mailbox. The Mailbox is a visual representation of the types of services offered by an Email Client. These typically include Inbox, Sent Items, Deleted Items, Calendar, Contacts, etc. Users are responsible for managing their own Mailbox within limitations provided for overall account space and size of individual messages.5006.2.9 Email Authoring - Authoring includes drafting, sending, replying or forwarding an Email message. See Section 5006.4 for rules pertaining to responsibility for authorship. 5006.2.10 Email Possession - A user is in possession of an Email message when the Email Server delivers it to the user's Email Client. See Section 5006.4 for rules pertaining to responsibility for possession.5006.2.11 Email Client Features - For the purpose of determining responsibility for authorship or possession of any given message, the content and transaction of the following typical Email Client features should be evaluated: Message Authoring; Message Received; Message Reply; Message Forward; Sent Message; Message Read, Opened or Previewed, Message Headers; Message Internet Headers Message Body, Personal Folders (a term used by Microsoft Outlook to identify file space on a local PC where Mailbox items can be stored).5006.3.0 General Provisions5006.3.1 The DHHS Email system and all associated Email Records, DHHS Email Addresses, and DHHS Email Accounts and Mailboxes are the property of the state of Arkansas.5006.3.2Service RestrictionsA. Users are expected to utilize Email responsibly, to comply with laws, policies, and regulations governing the use of Email, and to exercise professional and personal courtesy in the use of Email.B. Access to the DHHS Email system is a privilege that may be wholly or partially restricted without prior notice.C. Users may hold to no expectation of privacy in the use of DHHS Network services, including Email.D. DHHS reserves the right to monitor all aspects of Email usage.5006.3.3Misuse:A. Evidence of misuse may result in termination of access to DHHS Network services without prior notice. Theft or abuse of DHHS Information Systems, including the Email system, is subject to penalties imposed by law and DHHS policies.B. Misuse includes, but is not limited to: 1. Theft, unauthorized disclosure, unauthorized destruction of Email Records2. Unauthorized entry, use, transfer, and tampering with one's own Email account or the accounts and Email Records of others3. Interference with others' work in the use of DHHS Information Systems4. Failure to comply with rules of privacy and disclosure5. Failure to comply with the rules of allowable use, as provided in Section 5006.7.5006.3.4Disclaimers:DHHS cannot protect users from receiving Email they may find offensive. DHHS cannot guarantee protection from Email messages containing Viruses, Worms, malicious attachments or malicious code. DHHS cannot guarantee that any Received Message was in fact sent by the purported sender. DHHS cannot assure that original content in any Forwarded Message, or message Replied To, had not been modified.
5006.4.0Responsibility for Authorship or Possession5006.4.1Responsibility: A user may be held accountable for authorship or for possession of an Email message. Responsibility applies to two types of messages - those authored by the user and those received by the user.5006.4.2Responsibility for Messages Authored: A user assumes authorship responsibility for (1) the content of any Email message authored by the user, and (2) for user authored revisions in messages replied to or forwarded. A user assumes no authorship responsibility for messages sent by a third party, in the user's name, and without the user's knowledge.5006.4.3 Responsibility for Messages Received:A. When the Email server delivers an Email message to the user's Mailbox, the user is considered to be in possession of the received message, but is held accountable only for those portions of the received message that may have been authored or revised by the user.B. An Email user assumes responsibility for possession of messages delivered to the user's Mailbox under the following circumstances:1. When the user effectively exercises control of authorship of a received message. Control of authorship includes but is not limited to forwarding or replying to a received message (whether or not the original message is modified);2. When the user exercises control over the storage of a received message, Received messages deleted from a user's Mailbox, and not stored, are not considered to be the user's responsibility if such messages were not authored by the user;3. Exercising control of the storage of a message includes, but is not limited to: Saving the message anywhere on the Email Server; saving the message to any medium off the Email Server (examples: CD, Hard Drive, storage device, server share, etc.), moving the message to Personal Folders.5006.5.0 Security and Confidentiality 5006.5.1 Email Records are subject to the same rules, with respect to employee responsibilities for safeguarding privacy and preventing unauthorized disclosure, as DHHS records created in any other communication medium.5006.5.2 Email Records are subject to DHHS Policies and statutes pertaining to HIPAA. Users are subject to penalties for violation of HIPAA rules and for violations of related Arkansas laws and DHHS policies.5006.5.3 Confidentiality of Email cannot be assured. Email security should always be assumed to be reactive rather than preventive of potential malicious intrusions. Extreme caution should be exercised in using Email for confidential or sensitive matters.
5006.5.4 Email's ease of distribution and its unrestricted copying and forwarding features make its use highly susceptible to breaches of confidentiality. Email intended for one person may be widely forwarded to others, may be posted to bulletin boards or subscription services, may be attached for other messages, may be saved in other users' mailboxes, and Email may persist in system backups and archives.5006.5.5 Email Records are subject to disclosure in response to Freedom of Information Act requests, subpoenas for legal and administrative hearings, and client requests for access to pertinent case records. Before releasing information in such cases, related DHHS policies should be consulted and guidance obtained from the Office of Chief Counsel.5006.6.0 Archiving and RetentionArkansas law pertaining to records retention does not distinguish between media with regard to the definition of Public Record. Email Records are subject to the provisions of Arkansas records and retention statutes and subject to retention requirements specified in regulations governing conduct of programs administered by DHHS.
5006.7.0 Allowable Use of the DHHS Email System5006.7.1Allowable Use: Email is provided as a service to DHHS employees and DHHS affiliates for the purpose of supporting the department's mission. Use of Email is encouraged to facilitate communication and exchange of DHHS business related information.5006.7.2Restrictions: The DHHS Email system may not be used for: A. Any activity in violation of local, state, or federal laws or regulationsB. Sending or disseminating proprietary data or other confidential or sensitive information in violation of state or federal law, proprietary agreements, or DHHS policyC. Commercial or fund-raising purposes not under the auspices of DHHSD. Operating or promoting a business or soliciting for personal gainE. Promoting any political campaignF. Transmitting offensive or harassing materials disparaging others on the basis of race, national origin, sex, sexual orientation, age, disability, religious or political beliefsG. Engaging in any activity in violation of DHHS Policy 1085, Minimum Conduct StandardsH. Sending Email messages under the following conditions: Anonymous authoring, employing a false identity, misrepresenting oneself as a state agency, as the Legislature, as a legislator, falsely representing oneself as a state employee or as an agent of the stateI. Interfering or causing excessive load on DHHS Information Systems or the disrupting of others' use of the Email system. Such uses include, but are not limited to: sending or forwarding of chain letters, Spam, hoaxes, mass mailings not related to DHHS business, introducing worms, viruses or messages containing malicious codeJ. Personal use inconsistent with provisions of this section.5006.7.3Personal Use: Email may be occasionally used for personal purposes provided that such use does not: A. Interfere with DHHS Information Systems or the DHHS Email SystemB. Burden DHHS with added administrative or incremental Email System costC. Interfere with the user's employment responsibilities and duties5006.8.0 Disciplinary Action for Violation of Policy:DHHS employees are subject to disciplinary action for violations of this policy s provided in DHHS Policy 1084, Employee Discipline.
5006.9.0 Originating Section Department Contact:Chief Information Officer Office of Systems and Technology 1st Floor, Donaghey Plaza North P.O. Box 1437, SlotNlOl Little Rock, AR 72203-1437 Telephone: 501-682-0032
016.14.05 Ark. Code R. § 011