HomeMy WebLinkAboutResolutions - 2022.03.10 - 35341BOARD OF COMMISSIONERS
March 10, 2022
MISCELLANEOUS RESOLUTION #22-062
Sponsored By: Gwen Markham
IN RE: Information Technology - Policy Electronic Communications and Use of Technology Policy
Chairperson and Members of the Board:
WHEREAS Oakland County has been a leader in using technology to improve its operations and the services it
provides to our citizens and governments throughout the State of Michigan; and
WHEREAS the use of information technology has transformed significantly since Oakland County's Computer
Hardware/Software Usage and License Policy was adopted in 1997 in Miscellaneous Resolution 497156; and
WHEREAS the Remote Access and Agreement Policy was adopted in 2006 in Miscellaneous Resolution
#06021, and updated in 2014 and 2018 to address advancements in technology usage and accessibility; and
WHEREAS the Human Resources, Corporation Counsel, Risk Management, and Information Technology
departments have collaborated to update the policy to include statements about County data retention
compliance, and the usage of personal devices and accounts to perform County business.
NOW THEREFORE BE IT RESOLVED that the Oakland County Board of Commissioners adopts the
attached Electronic Communications and Use of Technology Policy.
BE IT FURTHER RESOLVED that the Human Resources Department will work with the Information
Technology Department to educate employees on the requirements of the Policy.
BE IT FURTHER RESOLVED that the Human Resources Department will distribute copies of the Oakland
County Electronic Communications and Use of Technology Policy to all County employees, and the
Information Technology and Purchasing and Compliance Divisions will require contractors with access to the
Electronic Communication System to comply with this Policy.
BE IT FURTHER RESOLVED that this Policy supersedes and replaces Miscellaneous Resolutions #97156,
#06021, #14250, and #18263.
Chairperson, the following Commissioners are sponsoring the foregoing Resolution: Gwen Markham.
6ZJU Date: March 10, 2022
David Woodward, Commissioner
Lisa Brown, County Clerk / Register of Deeds Date: March 21, 2022
COMMITTEE TRACKING
2022-03-02 Finance - recommend to Board
2022-03-10 Full Board
VOTE TRACKING
Motioned by Commissioner Penny Luebs seconded by Commissioner Charles Cavell to adopt the attached
Policy: Electronic Communications and Use of Technology Policy,
Yes: David Woodward, Michael Spisz, Karen Joliat, Kristen Nelson, Eileen Kowall, Christine Long, Philip
Weipert, Gwen Markham, Angela Powell, Thomas Kuhn, Chuck Moss, Marcia Gershenson, William Miller
III, Yolanda Smith Charles, Charles Cavell, Penny Luebs, Janet Jackson, Gary McGillivray, Robert
Hoffman, Adam Kochenderfer (20)
No: None (0)
Abstain: None (0)
Absent: (0)
The Motion Passed.
ATTACHMENTS
02.04.2022 FINAL Proposed Electronic Communications and Use of Technology Policy
COVER MEMO - ELECTRONIC COMMUNICATIONS AND USE OF TECHNOLOGY POLICY
STATE OF MICHIGAN)
COUNTY OF OAKLAND)
I, Lisa Brown, Clerk of the County of Oakland, do hereby certify that the foregoing resolution is a true and
accurate copy of a resolution adopted by the Oakland County Board of Commissioners on March 10, 2022, with
the original record thereof now remaining in my office.
In Testimony Whereof, I have hereunto set my hand and affixed the seal of the Circuit Court at Pontiac,
Michigan on Thursday, March 10, 2022.
�f� -IepLArlt--
Lisa Brown, Oakland County Clerk / Register of Deeds
ELECTRONIC COMMUNICATIONS AND USE OF TECHNOLOGY POLICY
I. Authority. This Electronic Communications and Use of Technology Policy (herein
referred to as this "Policy") is adopted and approved by the Oakland County Board of
Commissioners.
II. Puruose of Policv. This Policy has the following purposes: (1) communicate to all Users
the requirements for use of the Electronic Communications Systems; (2) communicate
to all Users the requirements for use of Personal Devices to perform County Business;
(3) communicate to Users the prohibition of using Personal Accounts to perform County
Business (4) facilitate County business and serve our citizens; (5) ensure that all County
Technology used by Users (including County Technology that is free of charge) is
properly acquired and licensed; (6) ensure the County's Electronic Communications
System is not exposed to interference, unauthorized intrusion, corruption, or damage;
(7) protect and preserve Oakland County Data, information, records, networks, systems,
accounts, and other property; and (8) ensure compliance with the legal requirements
associated with the use of the Electronic Communications System and associated
Technology.
III. Definitions.
A. "Account" means an online service such as email, social media, commercial
website, or any other service of a company or organization that requires an
electronic login.
B. "County" means the County of Oakland, MI, and for the purposes of this policy
also means any Account, Device, or Technology, that is supplied by the County.
C. "County Business" means any service, function, and/or activity that is expressly
or impliedly mandated or authorized for the County by constitution, statute, local
charter, ordinance, or other law.
D. "County Data" means electronically stored information, documents, records,
messages, etc. that involve or relate to County Business.
E. "County Employees" mean full and part-time employees of the County, elected
and appointed officials.
F. "Device" means a laptop, computer, tablet, smartphone, radio, cellular
telephone, or other similar hardware.
G. "Electronic Communication(s)" means information that is received and sent
over or through the Electronic Communications System, including but not limited
to messages transmitted through the Internet, e-mail messages, voicemail
messages, and data maintained on the County's System and Devices.
H. "Electronic Communications System(s)" or "System(s)" means the County's
computer network, electronic mail system, digital communication system
(including messaging and audio/visual communication), Internet, phone or
February 4, 2022 Electronic Communications and Use of Technology Policy Page 1 of 6
voicemail system, facsimiles, and County Devices.
"Personal" means any Account, Device, or Technology, that is not supplied by the
County.
J. "Technology" means computer hardware, Devices, data backups, software,
cloud/online services, Internet, Internet storage, applications, URLs, Systems,
and other related technical methods used in the delivery or performance of
County Business.
K. "Users" mean County Employees, contractors working on behalf of the County,
and volunteers approved by County to access the Electronic Communications
System and County Technology.
IV. ADDlicability to Emplovees. Part-time Emplovees. Contractors, and Other Users. This
Policy applies to all Users and other individuals who are provided access to the
Electronic Communications System. Contractors and third parties should only be
provided access to the Electronic Communications System as necessary, and only if they
agree to abide by all applicable rules set forth in this Policy.
V. County Ownership of Svstems, Countv Data. Countv Technologv, and Countv Devices.
The Electronic Communications System, all Electronic Communications within the
Electronic Communications System, and County Data are the property of the County.
All County Technology and County Devices, with or without a cost, shall be owned in
the name of the County, unless otherwise required by the contract or license
agreement.
VI. Preservation and Disclosure of Countv Data and Records: County Data may be subject to
disclosure to third parties as required by law, regardless of the location of the data.
County Data located outside County Systems that is under control or possession of a User
must be saved to an appropriate County System as soon as reasonably possible.
VII. Management. The Department of Information Technology is responsible for
maintaining the Electronic Communications System and all County Technology utilized
by Users.The Director of the Department of Information Technology is authorized to
make reasonable rules governing the security and use of County Devices, Systems, and
Technology, including remote access to the Electronic Communications System by
Personal Devices. The County's Chief Information Security Officer and/or his or her
designee is authorized to block access to inappropriate content and to shut down a
User's County Device if a potential security breach is discovered. The User's
department head shall be notified prior to, or as soon as possible after, the shut down
or taking of a County Device for further investigation.
A. Technoloev Audits. The Department of Information Technology shall conduct
annual and random audits of all Technology. Any unauthorized Technology that
is found may be removed and notification will be sent to the User's Department
Head or Supervisor for determination if disciplinary or contractual action is
appropriate.
February 4, 2022 Electronic Communications and Use of Technology Policy Page 2 of 6
Vill. Use of Technologv. Technology shall not be used, loaded on, or transferred to County
Devices, other than originally installed or downloaded on, unless approved by the
Department of Information Technology. The Department of Information Technology
shall request a review from Corporation Counsel on installations that may impact license
terms. Copies of software shall be made only for backup purposes within the limits of
the specific software license. Backup copies of software may not be loaded on other
equipment unless authorized by the Department of Information Technology, which will
consult with the Purchasing Division and Corporation Counsel, if necessary.
A. Approval of Technoloev by the Department of Information Technoloev. All
Technology used by the County and Users must be approved by the Department
of Information Technology before it is acquired, implemented, or downloaded,
even if the Technology is available through the Internet and does not require a
payment to obtain. Technology that has not been approved by the Department of
Information Technology shall not be used or downloaded, because it may contain
malware and vulnerabilities compromising the security of the County's data and
Electronic Communications System. The use of free or shareware applications
such as ones that are used to schedule dates or answer a survey, may not be used
unless first approved as described in this Policy. Information Technology shall
maintain, on the Intranet, a current list of downloadable applications that may be
used without first seeking approval from the Purchasing Division. Requests for
Approval of Technology must be made to the Department of Information
Technology Service Center as a change order request.
B. Approval of Technoloev by Purchasing Division and Corporation Counsel. All
Technology is provided with legal terms governing its use, even Technology that
is obtained without a fee. Any terms for use of Technology must be
signed/accepted by the Purchasing Division before the Technology is used. The
Purchasing Division will determine if the terms should be sent to Corporation
Counsel for legal review. Users are not authorized to sign, accept terms, or click
"ok" to any terms or agreements governing use of Technology, unless the
application is listed as acceptable by the Department of Information Technology
or you are authorized to do so by the Purchasing Division. If a Department
would like to use Technology that has not been approved, as required by this
Policy, then it must submit a request to the Purchasing Division and to its
Information Technology Liaison. You are not required to submit a request for
Technology that is included in an I.T. Master Plan or is submitted through the
I.T. Master Planning/Leadership Group process.
C. CountvTechnologv Relocation. The Department of Information Technology is
solely responsible for the relocation of all County Technology, software,
peripherals, and any Devices that connect to the Electronic Communications
System, such as computers, printers,servers, hubs, wireless devices and
wireless access points switches, routers, etc. Requests for County Technology
relocations must be made to the Department of Information Technology
Service Center as a change order request. The Department of Information
February 4, 2022 Electronic Communications and Use of Technology Policy Page 3 of 6
Technology will make every attempt to respond timely to County Technology
relocations given adequate noticefrom the requesting Department.
D. Security. Users are responsible for securing their password(s) and shall not
share their password(s) with anyone, nor shall they allow unauthorized access
to the Electronic Communications System. If a User discloses their password or
suspects that it has been compromised, they are responsible for immediately
changing their password and contacting the Service Center at Information
Technology. A User who maintains a login to access an application or service on
behalf of the County, must provide their supervisor with the login and
password information to the application or service, unless passwords are
managed by the Department of Information Technology through an identity
management technology. It is recommended that the User establish a different
password to the external site than the password used for the Electronic
Communications System.
IX. Usage of Personal Accounts. Users shall not conduct County Business on or using
Personal Accounts. Users shall conduct all County Business using County Systems
and/or County Accounts.
X. Usage of Personal Devices. To the extent possible, all County Business shall be
conducted on or with County Devices. In the event County Business is not conducted on
County Devices, all of the following applies:
A. User Responsibilities. User must exercise reasonable and diligent care and
assume certain responsibilities when using their Personal Devices, including all
of the following:
1. Users must have and use a personal identification number (PIN),
password, biometric, or equivalent access authentication method to
access their Personal Device or Account.
2. Users must have a timeout period which automatically locks the
Personal Device after a predefined short period of inactivity, with the
only way to unlock the device to be entering the PIN, password, etc.
(example, your smartphone screen auto -locks after 60 seconds).
3. Users must ensure their Personal Device is up to date with
manufacturer and network provided patches.
4. Users must not disable, tamper, alter, or otherwise subvert any
security protections of the Personal Device.
5. Users must not share their PIN, password, biometric, or equivalent
access authentication method with any other individual.
6. Users must not use any application, software, service, or other
Technology that fails to preserve County Data. For example, the use of
"disappearing" messaging services, as provided by Signal, Telegram, or
other applications is strictly prohibited for County Business.
February 4, 2022 Electronic Communications and Use of Technology Policy Page 4 of 6
B. County Responsibilities.
1. The County is not responsible for a damaged, lost, corrupted, or stolen
Personal Device.
2. The County is not responsible for any maintenance, support, repair,
usage, or any costs associated with a Personal Device.
3. The County may remove County Data and/or access to County Data or
System from a Personal Device at anytime.
4. The County may require the installation of County software on a User's
Personal Device for a User to access a System and/or Technology on
their Personal Device and to ensure the proper protection of County
Data, County Technology, or Systems.
XI. No Expectation of Privacv. Users of the Electronic Communications System shall have
no expectation of privacy. The confidentiality of any Electronic Communication created,
transmitted, received, deleted, or stored in the Electronic Communications System
should not be assumed. Electronic Communications may be retrievable even if they
have been deleted. The Department of Information Technology may monitor the
Electronic Communications System under the direction of the Human Resources
Department and Corporation Counsel for violations of federal or state law, Oakland
County's Merit System Rules, this Policy, and other County policies.
A. Users who are separated have no right to the contents of their Electronic
Communications and are not allowed access to the Electronic Communications
System.
B. All Electronic Communications are subject to federal and state law and including
but not limited to the Open Meetings Act, MCL 15.261 — 15.275, and the
Freedom of Information Act, MCL 15.231— 246. Electronic Communications are
also subject to the County's Merit System Rules, as applicable.
C. Electronic Communications shall not be used to hide the identity of the sender or
represent the sender as another person. All Electronic Communications may be
subject to monitoring, retrieval, and access by authorized County personnel
under the direction of the Human Resources Department and Corporation
Counsel.
XI I. Prohibited Uses. Electronic Communications and the Electronic Communications System
shall not be used for the following: (1) circulation of non -County sponsored or affiliated
functions, activities, or programs; (2) non -County sanctioned solicitation of funds or
sales; (3) to convey political activities prohibited by the County's Merit System Rules; (4)
to defame individuals; or (5) to convey messages or images that would violate federal or
state law, the County's Merit System Rules, and other County policies including but not
limited to the County policy that strictly prohibits illegal discrimination and harassment.
Users shall not send Electronic Communications using the County's Electronic
Communications System to a large group (large group is defined as 100 persons or
more) without the approval of their department head. All large -group Electronic
February 4, 2022 Electronic Communications and Use of Technology Policy Page 5 of 6
Communications to be sent using the Electronic Communications System must be sent
to the Department of Information Technology for distribution. However, Departments
may authorize a -mails and/or text messages to be sent using the County's approved
vendor system(s) to any number of people as long as the User has been trained and is
authorized to send Electronic Communications on behalf of the department and/or
County.
XIII. Electronic Communications Svstem. The Electronic Communications System provides
the County with significant access and dissemination of information. The use of the
Electronic Communications System is intended for County Business. Electronic
Communications are capable of being forwarded without express permission of the
original author. Therefore, Users must use caution in the transmission and
dissemination of information outside, as well as inside the County, andmust comply
with federal and state law, the Oakland County Merit System Rules, this Policy and other
applicable County or departmental policies.
XIV. Enforcement of Policv. The Department of Information Technology can monitor the
Electronic Communications System under the direction of the Human Resources
Department and Corporation Counsel. Users who observe a violation of this Policy
should bring it to the attention of their immediate supervisor or manager. Supervisors
or managers who receive a complaint or observe a violation of this Policy shall
investigate the matter and determine the appropriate action. Questions related to this
section should be referred to the Labor Relations Unit within the Human Resources
Department.
XV. Violations. VIOLATION OF THIS POLICY MAY RESULT IN DISCIPLINARY ACTION,
TERMINATION OF A CONTRACT, REVOCATION OF ACCESS TO THE ELECTRONIC
COMMUNICATIONS SYSTEM, AND/OR OTHER LEGAL REMEDIES PROVIDED BY LAW,
INCLUDING DISMISSAL FROM COUNTY EMPLOYMENT OR COUNTY ASSIGNMENT.
QUESTIONS REGARDING THIS POLICY SHOULD BE FORWARDED TO THE DEPARTMENT
OF INFORMATION TECHNOLOGY SERVICE CENTER.
XVI. Implementation of Policv. The County Executive, through the Director of the
Department of Information Technology, shall implement and administer this Policy. The
Director of Human Resources will work in conjunction with the Director of Information
Technology to ensure that the Policy is administered properly.
February 4, 2022 Electronic Communications and Use of Technology Policy Page 6 of 6
COVER MEMO - ELECTRONIC COMMUNICATIONS AND USE OF TECHNOLOGY POLICY
Backeround. Oakland County's current Electronic Communications and Use of Technology Policy was
approved by the Board of Commissioners in July 2018. This Policy was an update of Oakland County's
existing Policy about the acceptable and appropriate use of County Technology.
Summary. This proposed Policy further refreshes the 2018 policy, contemplating new types of
technology, ways of working, and new situational factors that have changed in the intervening four
years. Updating these types of policies to encompass new and evolving situations is commonplace
among state and local governments. In particular:
• The prior Policy had no direct statements about the need for complying with legal requirements
for retention of County data.
• The prior Policy did not address the usage of personal accounts to perform County business.
• The prior Policy did not address the usage of personal devices to perform County business.
The new Policy addresses these issues, along with making some clarification and simplification of
sections of the old Policy. The new Policy better aligns with modern ways of working (including remote
work) along with ensuring the protection and retention of County data on non -County systems.
Chanee Summary. Below is a list of all material and administrative changes to the prior Policy
Section in New, Proposed Policy
I. Authority.
II. Purpose of Policy
III. Definitions.
Summary of Changes
No material changes, slight clarifications of words
Additions to address:
• Personal accounts
• Personal devices
• Preservation of County data
Addition of several definitions, in particular
• Account
• County Business
• Device (both Personal and County)
• Technology (both Personal and County)
as well as other minor definition clarifications
IV. Applicability to Employees, No changes —this section is identical to Section X in the prior
Part-time Employees, Contractors, policy, moved earlier in the Policy
and Other Users.
V. County Ownership of
Systems, County Data, County
Technology, and County Devices.
VI. Preservation and Disclosure
of County Data and Records
VII. Management.
No changes — this is identical to section IV in the prior policy,
but with the title updated to explicitly mention Systems, Data,
Technology and Devices
New section —explicitly captures the requirement to retain
County data
No changes —this section is identical to Section V in the prior
policy
Vill. Use of Technology. No material changes —only a collapse of sections VI
subsections C, D and E into one section in new policy
X. Usage of Personal Accounts.
New section — explicitly captures the requirements for
personal accounts
X. Usage of Personal Devices.
New section — explicitly captures requirements for usage of
personal devices
XI. No Expectation of Privacy.
No changes —this section is identical to Section VII in the prior
policy
XII. Prohibited Uses.
No changes —this section is identical to Section VIII in the prior
policy
XIII. Electronic Communications
No changes —this section is identical to Section IX in the prior
System.
policy
XIV. Enforcement of Policy.
No changes— this section is identical to Section XI in the prior
policy
XV. Violations.
No changes — this section is identical to Section XII in the prior
policy
XVI. Implementation of Policy.
No changes — this section is identical to Section XIII in the prior
policy