Staff Computer Use

Effective date: September 30, 2011

Revised September 2018

Relevant Legislation:

Not applicable to this policy.

Intent:

LOFT Community Services is committed to a process of continuously improving its computer technology to enable its staff to provide excellent service to our clients. LOFT encourages the use of these new technologies and their associated services because they make communication more efficient. This policy is intended to create uniform standards regarding the appropriate use of computers and information in the workplace and ensure the maximum protection of the confidentiality of clients and all other LOFT data.

All staff should understand that the computer resources provided by LOFT Community Services are intended to assist staff in the performance of their jobs. These resources are the property of LOFT and all records or data (including electronic communications) that result from the use of the computers are also the property and responsibility of LOFT. LOFT reserves the right, in its discretion, to review any staff member’s electronic files, messages and usage to ensure that the electronic media are being used in compliance with this policy and the law. It is expected that the computers will be used appropriately and that computer resources will be used for business purposes only. However, this expectation is similar to that for telephone usage, in that limited personal use of the computer is permissible, on the understanding that personal use does not interfere with the operation of network resources or the user’s job performance, and that users never engage in unacceptable computer use.

Definitions:

Not applicable to this policy.

Policy:

GENERAL CARE OF COMPUTER RESOURCES

Every staff member is responsible for helping to reduce the possibility of damage or theft of computer work stations and the information they contain. This equipment is expensive and is usually an unfunded portion of program costs. Accidental damage or theft may be covered by LOFT’s insurance, as long as neither is due to negligence. Staff may be responsible for covering the costs of damage due to negligence. Staff members are responsible for returning any LOFT-provided devices at the end of their employment with LOFT. In the event that one or more of these devices are not returned at this time, or are returned in a condition deemed unacceptable by LOFT, the staff member will be responsible for covering the cost of repair or replacement as warranted.

Staff are responsible for adhering to the general care and maintenance practices as specified by LOFT. This will include:

  • Protecting the computers against extremes of temperature
  • Isolating the computers from possible electrical or magnetic interference
  • Keeping all food and drinks away from the computer and its keyboard
  • Shutting down the computer at the end of the day
  • Turning off the computer during an electrical storm

Staff travelling with a laptop computer should keep it within reach at all times and NOT leave it behind in cars, hotel rooms, or coffee shops. If it cannot be carried at all times, the laptop should be left in a well-hidden area of the car or in a secure location at a hotel, i.e. a safe. All confidential material on the machine must also be removed and placed on a disk which should be kept secured.

 

COMPUTER SOFTWARE

Software Licenses

All software in use by LOFT is purchased from authorized vendors. This is because LOFT is required to have legal licenses for all software installed on its computers. Only IT staff are authorized to install any software on LOFT computers. To ensure that LOFT does not violate the terms of the licenses and that software is only used within the terms of the license, staff must not:

  • Install any additional software.
  • Install pirated or personal software.
  • Copy authorized software onto other computers without proper approval.

 

DATA AND SECURITY

User Accounts and System Access

All users must be assigned an individual LOFT email address and user account for computer access. It is the responsibility of the Program Director to request the creation of these accounts for each user. Users should always access LOFT computers with their own user credentials and lock their devices when unattended. When using web-based or remote access systems, users must always log out of the system before disconnecting. Users are responsible for any actions performed on their own user account.

Any computer systems and services provided by LOFT may only be accessed in the capacity required by the user’s role at the organization. Users must only connect to these systems and services using LOFT-approved devices.

Passwords

Users are responsible for safeguarding their system password and any other passwords required for their computer use. These passwords must not be transmitted, printed, stored online or given to others (including IT staff). If users suspect that their passwords have been compromised, they should take immediate steps to change them. In the event that a password must be reset, a password reset request must be submitted to the LOFT IT Helpdesk either directly by the user or through their Program Director.

In addition to the above, passwords must:

  • Never include all or part of the user’s username.
  • Never include easily obtainable personal information about the user (e.g., names of family members, pets, birthdays, anniversaries, hobbies).
  • Never include three identical consecutive characters.
  • Never be changed in an easily recognized pattern.
  • Be different from passwords used to access personal non-LOFT accounts.
  • Be committed to memory or stored securely. If the latter, the username must not be written with the password.
  • Never be embedded in an automated sign-on process.
  • Use passphrases (e.g. “ILik3K!ttens”).

Virus Protection

All of LOFT’s computers are protected with anti-virus software and may have other security hardware or software installed for further protection. The purpose of this is to minimize the risk of data loss or reduced system performance as a result of malicious software infection. Staff must do everything possible to ensure that the security features are operating as planned, which includes:

  • Ensuring that the installed anti-virus software is never disabled
  • Not knowingly importing viruses into the computer network
  • Not downloading materials from external networks or the internet without subjecting the files to anti-virus checking

Staff may wish to seek assistance or approval before opening an electronic message from an unrecognized sender, as viruses are often introduced to a network this way. Care should be taken to avoid opening such emails.

Intentional Misuse

Users must not, at any time:

  • Attempt to disable, override, or willfully bypass any information security control.
  • Attempt to exploit any suspected security weakness.
  • Knowingly perform an act that interferes with normal operations in any way.

Security Incidents

Suspected or confirmed information security incidents must be immediately reported to the appropriate point of contact (e.g. helpdesk, Privacy Officer, manager, or supervisor). Users must provide their full cooperation to LOFT in any information security incident investigation.

Communication

All staff email communication relating to any part of the staff’s work at LOFT must be sent from a LOFT-provided email address. All emails containing sensitive information must be encrypted and must only be sent when necessary for the purpose of providing or assisting health care.

Data

All information created or collected on the computers regarding LOFT and its clients should be treated as confidential and is to be protected at all times. To ensure the confidentiality of this information, the computers are to be used only by persons employed by LOFT (i.e. no client or family use) and only for conducting LOFT business or for purposes authorized by LOFT. Staff should not allow others, especially members of the public, to read their screens when working on this information. All sensitive data must be stored securely and restricted from any users who do not directly require access to that data. Any materials that are printed from the computer must be retrieved from public printers as soon as they are available.

Staff should realize that most information sent out over the internet is unprotected. While the sharing of public information regarding LOFT is allowed, any Agency and client data or information that is intended to be confidential will not be transmitted over the internet unless protected by encryption software. This includes any material that is considered sensitive, proprietary or privileged. LOFT will install encryption software for Programs that are required to transmit confidential information over the internet.

Computers that are connected to LOFT’s network shares will be regularly backed up by the network servers. For any computers that do not have connectivity to LOFT’s network shares, it will be the responsibility of each staff member to ensure that backup copies are made of all of their data files. This means that there must be at least two copies of each data file, and that those copies must be kept on different storage media, e.g. fixed or removable disks or tape. At minimum, these files should be backed up on a weekly basis.

Cryptography

Any connections established with external services must be encrypted using cryptographic algorithms approved by the providers of these services. All cryptographic keys must have the fewest number of key custodians necessary.

 

UNACCEPTABLE COMPUTER USE

This is not meant to be an exhaustive list of the inappropriate use of computers in the workplace, as other rules, procedures and guidelines may be instituted as the need arises, or as required locally by an individual program. The following outlines those practices, in addition to the ones provided earlier, that are improper and unacceptable.

They are:

• Sending or soliciting communications containing material that is fraudulent, discriminatory, harassing, threatening, pornographic, profane, obscene, vulgar, intimidating or unlawful.

• Participating in inappropriate internet discussion groups such as pornographic, hate-based or terrorist discussion groups.

• Downloading copyrighted content from web sites on the internet except for research or non-commercial use. All copyrights must be respected and staff may not copy, retrieve, modify or forward copyrighted materials except as permitted.

• Using LOFT computers to intentionally broadcast messages, produce and/or propagate non-business documents or messages such as chain letters, or knowingly transmit destructive programs.

• Sending unauthorized mass mailings.

• Using the computer to interfere with or impair the computer of another staff member, or engaging in any activity which may cause congestion or disruption to the networks.

• Attempting to gain unauthorized access to other systems, passwords or to breach computer/network security measures.

• Attempting to send anonymous communications or to falsify information regarding the origin of the message by any means, including the use of another user’s identification.

• Sending communications purporting to represent the interests of LOFT, its management or Board of Directors.

• Sending or soliciting transmissions of commercial or personal advertisements, solicitations, promotions or political material for unauthorized or personal use.

• Storing large amounts of personal information on the computer.

• Conducting personal business or money-making activities.

Staff who are found to be abusing their computer privileges will be subject to corrective action. This includes possible loss of computer privileges and discipline, up to and including dismissal.

Procedures:

See program manual.