OPM: Social Media Policy

Social Media Policy


Version:  1.0
Date Issued:  November 1, 2010
Date Effective: immediately
Supersedes: n/a
 

Purpose
 
The Chief Information Officer for the State of Connecticut Department of Information Technology (DOIT) has established this policy regarding the use of social media.
 
This policy should be read together with the State of Connecticut Policies on Security for Mobile Computing and Storage Devices, Acceptable Use Policy, the Network Security Policy and Procedures, and the Connecticut State Library’s State Agencies’ Records Retention/Disposition Schedules to ensure a full understanding of all relevant State policies.
 

Scope

This policy applies to use of social media that is not hosted by DOIT.  The policy covers State of Connecticut Executive Branch agencies’ employees, whether permanent or non-permanent, full or part-time, and all consultants or contracted individuals retained by an Executive Branch agency (herein referred to as “users”).
 
This policy does not apply to the Judicial or Legislative Branches of government, or State institutions of higher education. However, these branches and institutions may adopt any or all parts of this policy for their own use.
 

Authority
 
In accordance with Conn. Gen. Stat. §4d-2(c)(1), the Chief Information Officer (CIO) is responsible for developing and implementing policies pertaining to information and telecommunication systems for State Agencies.
 

Policy Statements
 

1.      Agencies are required to receive approval of DOIT’s Security Unit prior to launching a social media website or creating a social media account for State use. The approval request shall come from the Commissioner or agency head, and shall include documentation of the following:

    1. Business purpose of the proposed site or account;
    2. Name and position description of the individual who will manage the site or account;
    3. Description of the material which will be posted to the site or account;
    4. Description of the risks associated with the site or account and the agency’s risk mitigation efforts.

2.      Agencies are responsible for managing their use, retention, and disposal of public records associated with social media sites as specified in the State Library’s State Agencies’ Records Retention/Disposition Schedules.

3.      Agencies are required to limit Internet access to social media websites according to the State’s Acceptable Use Policy. The only acceptable use of social media sites is for official use on behalf of the State.

 

4.      Agencies shall develop procedures and conduct employee awareness and training programs to ensure compliance with this policy.

 

5.      DOIT and the agencies must obtain a formal acknowledgement from users indicating they understand, and agree to abide by, this policy.

 

6.      DOIT and the agencies shall adhere to this policy and the associated Guidelines; a user’s failure to do so may result in disciplinary action up to, and including, dismissal.

 

7.      If an agency’s inappropriate use of social media poses a risk to the State’s information technology infrastructure, DOIT may use its authority to suspend the agency’s use at any time.

 

8.      Users shall connect to, and exchange information with, only those social media websites that have been authorized by agency management in accordance with the requirements within this and other agency and State policies.

 

9.      Users shall not post or release proprietary, confidential or restricted State data including, but not limited to, personally identifiable information that is not in the public domain and, if improperly disclosed, could be used to steal an individual’s identity, violate the individual’s right to privacy, or otherwise harm the individual.

 

10.  Users who connect to social media websites through State systems provided at the State’s expense must use the systems solely to conduct the State’s business. Such system usage must be in conformance with applicable federal and State laws, this policy and an agency’s policies and procedures.

11.  System usage for social media must be in accordance with each user’s job duties and responsibilities as they relate to the user’s position with the State of Connecticut at the time of usage. Activities must reflect the position duties the employee is performing at the time of State system usage.

 

12.  Users must identify themselves clearly and accurately in all electronic communications.  Concealing or misrepresenting the individual’s name or affiliation is a serious violation of this policy.  Any use of other individuals’ identifiers as the user’s own, including, but not limited to, using a computer Logon ID other than the individual User ID authorized, constitutes a violation of this policy. Individuals may not provide their passwords or logon IDs to others.

 

13.  Users must follow DOIT’s applicable guidelines when creating a social media account or website for State use.

 

14.  All content, including, but not limited to, comments and postings on a State agency’s web page, relating to the conduct of the public’s business, are public records, pursuant to CGS §1-200(5). As such, comments and postings must be retained for the minimum retention period as listed on the Connecticut State Library’s State Agencies’ Records Retention/Disposition Schedules.

 

15.  In accordance with General Letter 2009-2, Management and Retention of Email and Other Electronic Messages, a public record may not be destroyed if any litigation, litigation hold notice (LHN), preservation order, claim, audit, Freedom of Information (FOI) request, administrative review, or other action involving the record is initiated before the record has been disposed of, even if its retention period has expired. The public record must be retained until the completion of the action and the resolution of all issues that arise from the action.  Agencies’ users must preserve such public records.

16.  In the event a LHN or order related to social media networking exists or is anticipated, then such LHN or order shall supersede the minimum retention period as listed on the Connecticut State Library’s State Agencies’ Records Retention/Disposition Schedules, until released by the Attorney General.

 

17.  The unauthorized destruction, removal, alteration, or use of public records is prohibited, pursuant to Conn. Gen. Stat. §53-153b and §1-240.  Agencies must request permission from the State Library to destroy public records after the minimum retention period has passed, pursuant to Conn. Gen. Stat. §11-8a and §7-109.

 

Definitions
 
Hosted by DOIT: A system physically located in the state-owned Data Center, and for which DOIT provides infrastructure and/or system support services.
 
Litigation Hold Notice:  A formal document issued by the Attorney General’s Office to alert and require an agency and its employees to suspend the routine destruction procedures for Emails, documents, files, calendar entries, contacts lists, tasks lists, and other relevant data, that may be or are anticipated to be required in an upcoming legal proceeding.  The agency and employees have an ongoing duty to preserve this relevant data until the Attorney General’s Office issues a release.
 
Public Record:  Pursuant to the Freedom of Information Act, Conn. Gen. Stat. §1-200, a “public record” means any recorded data or information relating to the conduct of the public's business prepared, owned, used, received or retained by a public agency or to which a public agency is entitled to receive a copy by law or contract under section 1-218, whether such data or information be handwritten, typed, tape-recorded, printed, photostated, photographed or recorded by any other method.  In addition, pursuant to Conn. Gen. Stat. §4d-33, "public record" also includes records of contractors or subcontractors.
 
Social Media:  A web-based system that enables people to interact with one another online via user-generated content, messaging, and other interactive tools.