The URL can be used to link to this page

Item 3.5 Approving an Information Techonology Policy Request for City Council Action DEPARTMENT INFORMATION ORIGINATING DEPARTMENT REQUESTOR: MEETING DATE: Information Technology Information Technology Manager Boyd June 10, 2024 PRESENTER(s) REVIEWED BY: ITEM #: Consent City Administrator/Finance Director Flaherty Assistant City Administrator/Human Resources Hille 3.5 – Information Technology Policy STRATEGIC VISION MEETS: THE CITY OF OTSEGO: X Is a strong organization that is committed to leading the community through innovative communication. Has proactively expanded infrastructure to responsibly provide core services. Is committed to delivery of quality emergency service responsive to community needs and expectations in a cost-effective manner. Is a social community with diverse housing, service options, and employment opportunities. Is a distinctive, connected community known for its beauty and natural surroundings. AGENDA ITEM DETAILS RECOMMENDATION: City staff is recommending that the City Council adopt a resolution approving the Information Technology Policy. ARE YOU SEEKING APPROVAL OF A CONTRACT? IS A PUBLIC HEARING REQUIRED? No No BACKGROUND/JUSTIFICATION: The City of Otsego does not currently have an Information Technology Policy in place. Due to cybersecurity concerns as well as the recommendation from the League of Minnesota Cities that Cities have a policy for Information Technology. It would be in the City’s best interest to have an Information Technology Policy in place to help protect the City. The Administrative Subcommittee was presented with this information at their June 5, 2024, meeting and provided direction for City Council consideration of approval. SUPPORTING DOCUMENTS ATTACHED: • Information Technology Policy • Resolution 2024-41 POSSIBLE MOTION PLEASE WORD MOTION AS YOU WOULD LIKE IT TO APPEAR IN THE MINUTES: Motion to adopt Resolution 2024–41 approving an Information Technology Policy. BUDGET INFORMATION FUNDING: BUDGETED: N/A N/A 1 Information Technology Policy May 30, 2024 Contents General Information ................................................................................................................. 2 Personal Use of Equipment ....................................................................................................... 2 Cell Devices ............................................................................................................................. 3 Employee Responsibilities .................................................................................................... 3 Technology Acquisition, Development & Deployment ................................................................ 4 Situations requiring advance review and approval during planning. ......................................... 4 Situations requiring review and approval of vendor selections, consultant engagements, development plans and/or contract documents. .................................................................... 4 Software .................................................................................................................................. 5 Hardware\Equipment ............................................................................................................... 5 Electronic Mail & Messages ....................................................................................................... 6 Records ................................................................................................................................ 6 Data Requests & Litigation .................................................................................................... 7 Employee Responsibilities .................................................................................................... 7 Retention Schedule .............................................................................................................. 7 Social Media Use ...................................................................................................................... 8 Data Ownership .................................................................................................................... 8 Artiflcial Intelligence ................................................................................................................. 9 Use Cases ............................................................................................................................ 9 Data Security and Privacy ...................................................................................................... 9 Ethical Considerations ........................................................................................................ 10 Employee signature ................................................................................................................ 10 2 General Information This policy serves to protect the security and integrity of the City’s electronic communication and information systems by educating employees about appropriate and safe use of available technology resources. This policy applies to all individuals who access, use, or manage technology resources owned or operated by the City. This includes employees, elected officials, contractors, vendors, and any other authorized users. Failure to adhere to this policy may result in disciplinary action, up to and including termination of employment, or contract termination. Computers and related equipment used by City employees are property of the City. The City reserves the right to inspect, without notice, all data, emails, flles, settings, or any other aspect of a City-owned computer or related system, including personal information created or maintained by an employee. The City may conduct inspections on an as-needed basis as determined by the Information Technology Manager. Personal Use of Equipment The City recognizes that some personal use of City-owned computers and related equipment has and will continue to occur. City devices are not intended to replace personal devices. Some controls are necessary, however, to protect the City’s equipment and computer network and to prevent abuse of this privilege. Reasonable, incidental personal use of City computers and software (e.g., word processing, spreadsheets, email, Internet, etc.) is allowed but should never preempt or interfere with work. All use of City computers and software, including personal use, must adhere to provisions in this policy, including the following: • Employees shall not connect personal peripheral tools or equipment (such as printers, digital cameras, disks, USB drives, or fiash cards) to City-owned systems, without prior approval from the Information Technology Manager. If permission to connect these tools/peripherals is granted, the employee must follow provided directions for protecting the City’s computer network. • Personal flles should not be stored on City computer equipment. This also applies to personal media flles, including but not limited to mp3 flles, wav flles, movie flles, iTunes flles, or any other flle created by copying a music CD, DVD, or flles from the Internet. Information Technology staff will delete these types of flles if found on the network, computers, or other City-owned equipment. Exceptions would be recordings for which the City has created, owns, purchased, or has a license. • City equipment or technology shall not be used for personal business interests, for-proflt ventures, political activities, or other uses deemed by the Information Technology Manager to 3 be inconsistent with City activities. If there is any question about whether a use is appropriate, it should be forwarded to the Information Technology Manager for a determination. • Only City staff may use City equipment. Use of City equipment by family members, friends, or others is strictly prohibited. • Employees are responsible for the proper use and care of City-owned computer equipment. City computer equipment must be secured while off City premises; do not leave computer equipment in an unlocked vehicle or unattended at any offsite facility. Computer equipment should not be exposed to extreme temperature or humidity. If a computer is exposed to extreme heat, cold, or humidity, it should be allowed to achieve normal room temperature and humidity before being turned on. Cell Devices The City recognizes the need of certain employees to use cell phones or other cell equipment in order to perform the duties of their position. Therefore, a City-owned cell phone or other cell equipment may be provided to City employees when there is a business necessity to do so. A City employee who has been provided a City-owned cell phone must return the City-issued cell phone and equipment to the City upon termination of employment. City employees will be required to reimburse any account charges\overages that have not been previously approved by their supervisor. If a City-owned cell phone is lost or stollen it must be reported to their department head and the Information Technology Manager. City information such as email, flles, or Teams may not be accessed from personal cell phones. Personal cell phones are not allowed on the internal City network. City data is not allowed to be stored on personal cell phones. Employee Responsibilities A City employee covered by this policy must: • Have the phone or equipment available for use during the employee’s business hours and on-call times, as established by the department head. • Comply with all applicable laws regarding the use of cell phones and equipment while operating a motor vehicle. • When practical, refrain from using cell phones or equipment while operating a motor vehicle. When cell phones or equipment are used while operating a motor vehicle, use of a hands - free device is required. 4 • Provide adequate security to prevent unauthorized persons from gaining access to private data stored in the memory of the device. Technology Acquisition, Development & Deployment Staff must consult with the Information Technology Manager before developing, purchasing, or contracting for technology products, services, support, or consulting. This set of guidelines and processes deflnes when consultations are appropriate. All acquisitions and deployments of information technology within the City must conform to these guidelines to maximize functionality and efficiency, while minimizing cybersecurity risks and liability, and be reviewed as indicated. The following are speciflc instances where the City requires that the Information Technology Manger examines and approves of information technology. This policy is not limited to these cases. All IT projects require the sign-off of the Information Technology Manager prior to flnal payment. The Information Technology Manager will ensure all aspects of the project have been completed as agreed upon in the contract(s). Situations requiring advance review and approval during planning. • Changes to networks, Information Technology must review and approve, in advance of investigation, purchase, or deployment, any information technology that changes the City’s network structure or could compromise the physical or logical security of the network. • Information Technology acquisitions as part of capital projects. Any network-attached computing technologies, that are to be acquired with capital project funds, must be reviewed and approved by Information Technology during planning. • Information Technology acquisitions as part of software projects. Any software license acquisitions must be reviewed and approved by the Information Technology Manager. Software installation will be done under the supervision of the Information Technology office. • Information Technology acquisitions or contracts as part of department projects. Any computer- related technologies, that are to be acquired or contracted with any other funds, must be reviewed and approved by Information Technology during planning. In any contract involving data transfer, the flnal payment must be large enough to ensure the project is completed without any remnant data left on servers scheduled for retirement. Situations requiring review and approval of vendor selections, consultant engagements, development plans and/or contract documents. In certain cases, where such services are being considered for purchase or new systems are being considered for deployment, Information Technology must review and approve vendor selections, 5 consultant engagements, development plans, and contract language to ensure that work rules, vendor or consultant competencies, system interface requirements, and legal protections are appropriate to protect City information and assets. The Information Technology Manager ensures that any individual or company entering into a contract with the City to deliver IT project services will comply with appropriate policies, related standards, processes and deliverables, or provides written proof of acceptable methods and documentation. Software In general, the City will provide the software required for an employee to perform his or her job duties. Requests for new or different software should be made to your supervisor, who will forward the request to the Information Technology Manager. All software purchases must be approved by the Information Technology Manager. Employees shall not download or install any software on City equipment without the prior approval of the Information Technology Manager. Exceptions to this include updates to software approved by Information Technology such as Microsoft updates, or other productivity software updates. The Information Technology Manager may, without notice, remove any unauthorized programs or software, equipment, downloads, or other resources. Hardware\Equipment In general, the City will provide the hardware required for an employee to perform his or her job duties. Requests for new or different equipment should be made to your supervisor, who will forward the request to the Information Technology Manager. The Information Technology Manager must approve all new IT equipment purchases. City-owned equipment must be maintained in good working order outside of normal wear and tear. Clear signs of neglect of city-owned equipment will result in a deduction of the cost of equipment from the employee’s next paycheck. When an employee leaves the City, city-owned equipment must be returned in good working order to the Information Technology Manager prior to flnial termination date. Failure to turn in equipment will result in a deduction of equipment value from the employee’s flnal paycheck. In general, most City hardware such as laptops, servers, and network equipment will be on a flve- year replacement cycle. Once City equipment has reached its end-of-life the Information Technology Manager will recycle or donate the equipment. Before any City owned equipment is donated or recycled, all data will be destroyed following the U.S. Department of Defense 5220.22-M Standard. 6 Building Security The City has door access readers and camera systems placed throughout City offices. All door access and camera systems will be managed by the Information Technology Manager. Access to these systems must be requested to the Information Technology Manager for approval. Any camera recordings that must be pulled from the VMS (Video Management System) must be completed by the Information Technology Manager. All staff are given a door access fob when starting employment. If a door access fob is lost or misplaced the Information Technology Manager must be notifled ASAP for deactivating of the lost fob. Any changes to door access groups or door access schedules need to be approved and completed by the Information Technology Manager. Electronic Mail & Messages The City is subject to multiple laws regulating City information and records, including electronic mail (email) and text messages. Email and text messages are means of exchanging messages and documents using telecommunications equipment and computers. A complete email or text message not only includes the contents of the communication, but also the transactional information (dates and times that messages were sent, received, opened, deleted, etc.; as well as aliases and names of members of groups), and any attachments. If an email message is an official record, as deflned below, the responsible party must retain said record and the transactional information pursuant to the retention schedule and the user departments’ document management flling system or repository. Records Minnesota Statutes § 15.17 requires the City, its employees and officials, to make and preserve all records necessary to a full and accurate knowledge of their official activities. An official record is recorded information that is prepared, owned, used, in the possession of, or retained by the City in performance of an official function. The record of the official function may be the email or text message, attachments to the email or text message, or both. The law requires that all official records be listed on an approved retention schedule that identifles how long the records must be kept, and when they may be destroyed. Just like paper records, senders and recipients of email or text messages must evaluate each message to determine if they need to keep it as documentation of their role in the business process. Not all messages are an official 7 record. Just like paper records, the retention period for an email or text message is based upon its content and purpose, and it must be retained in accordance with the approved retention schedule. Official Records: If the email or text message itself has been determined to be an “official record,” it may be correspondence. Official correspondence can be destroyed pursuant to the adopted records retention schedule. Non-Official Records: If the email or text message is not an official record it may be a transitory record, non-record, or personal record. 1. Transitory Records are non-vital records relating to City business or activities which have a temporary value and do not need to be retained once their intended purpose has been fulfllled. 2. Non-records are information in the possession of the City that is not needed to document the performance of an official function. These records are not subject to any record retention schedule and do not need to be retained. 3. Personal records are messages or documents regarding non-government business or activities. These records are not subject to the records retention schedule and do not need to be retained. Data Requests & Litigation In accordance with the Minnesota Government Data Practices Act (MGDPA), email or text messages created or received as part of a public employee’s official duties are government data and are subject to requests for review and/or copying pursuant to the MGDPA. If a government data request is received for email or text message relating to a particular subject, emails will be identifled and produced without regard to whether they are official records or non -official records. If an employee is responding to a government data request, and that data is contained within the City’s email system, the employee must identify and produce the relevant email. Just like paper records, email and text messages may be subject to disclosure during the discovery phase of litigation. Attorneys representing the City are responsible for identifying if the records requested through the discovery process are stored in email. Attorneys are responsible for ensuring technology services staff is notifled that a discovery order involving email was received to prevent the destruction of relevant messages. Employee Responsibilities As public sector employees subject to MGDPA and Official Records Act, City employees are responsible for identifying emails that are official records and keeping the official record in the location and format their department has identifled for that type of document. Official records should not be maintained solely as emails in the email system, unless the department has established an email account for that particular purpose. For both emails and text messages, the preferred method for proper retention is conversion to a PDF format and stored in Laserflche. Retention Schedule The retention schedule for emails and text messages will be 365 days. 8 Social Media Use The City of Otsego respects employees and agents’ rights to post and maintain personal websites, blogs and social media pages and to use and enjoy social media on their own personal devices during non-work hours. The City requires employees and agents to act in a prudent manner with regard to website and internet postings that reference the City of Otsego, its personnel, its operation or its property. Employees, agents, and others affiliated with the City may not use a City brand, logo or other City identifler on their personal sites, nor post information that purports to be the position of the City without prior authorization. City employees and agents are discouraged from identifying themselves as City employees when responding to or commenting with personal opinions or views. If an employee chooses to identify themselves as a City employee, and posts a statement on a matter related to City business, a disclaimer similar to the following must be used: These are my own opinions and do not represent those of the City of Otsego. There may be times when personal use of social media (even if it is off-duty or using the employee’s own equipment) may spill over into the workplace and become the basis for employee coaching or discipline. Examples of situations where this might occur in clude: • Friendships, dating or romance between co -workers; • Cyber-bullying, stalking or harassment; • Release of confldential or private data; if there are questions about what constitute confldential or private data, contact the City Administrator. • Unlawful activities; • Misuse of City-owned social media; • Inappropriate use of the City’s name, logo or the employee’s position or title; • Using City-owned equipment or City-time for extensive personal social media use. Each situation will be evaluated on a case-by-case basis because the laws in this area are complex. If you have any questions about what types of activities might result in discipline, please discuss the type of usage with the City Administrator. Data Ownership All social media communications or messages composed, sent, or received on City equipment in an official capacity are the property of the City and will be subject to the Minnesota Government Data Practices Act. This law classifles certain information as available to the public upon request. The City also maintains the sole property rights to any image, video or audio captured while a City employee is representing the City in any capacity. The City retains the right to monitor employee’s social media use on City equipment and will exercise its right as necessary. Users should have no expectation of privacy. Social media is not a secure means of communication. 9 Artificial Intelligence City staff should adhere to the following guiding principles when using AI models. • Ethical Use: AI models should be used in a manner that upholds ethical standards, respects human rights, and avoids harm or discrimination against individuals or groups. • Transparency: The use of AI models should be transparent, with staff disclosing when AI assistance is being utilized in interactions with the public or colleagues. • Accountability: Local government staff should be accountable for their use of AI models, ensuring compliance with relevant laws, regulations, and this policy. • Privacy: Protecting the privacy of residents and sensitive data is paramount. Staff should handle data with care, following data protection and privacy laws and guidelines, including the MGDPA. • Equity: AI models should be used in a way that promotes fairness and avoids biases, ensuring that all residents receive equal and just treatment. • Continuous Learning: Staff should engage in continuous learning and training to stay updated on AI technology, best practices, and ethical considerations. Use Cases City staff may use AI models, including ChatGPT, for various purposes, including but not limited to: • Information and Assistance: AI models can assist staff in providing residents with information about local services, programs, and events, as well as answering common questions and offering support. • Data Analysis: AI models can aid in data analysis, helping staff to generate insights, make data-driven decisions, and improve the efficiency of government operations. • Process Automation: AI models can be employed to automate routine and repetitive tasks, enabling staff to focus on more complex and strategic activities. • Accessibility: AI models can enhance accessibility for residents with disabilities by providing alternative means of communication and support. Data Security and Privacy City staff must: • Secure Data: Implement robust data security measures to protect any data collected, processed, or accessed through AI models. • Anonymize Data: Ensure that personally identiflable information (PII) is not stored or used without proper consent and anonymization. • Compliance: Comply with relevant data protection and privacy laws, including obtaining consent when necessary and adhering to data retention policies. 10 Ethical Considerations Staff should be aware of the ethical implications of AI model use and take measures to address them, including: • Bias Mitigation: Regularly assess and mitigate biases in AI models and their data to prevent discriminatory outcomes. • Accountability: Establish clear lines of responsibility for AI model outcomes, including mechanisms for handling errors and addressing concerns. Employee signature I have received and read the above policy and have had an opportunity to ask any questions. I understand that my failure to follow this policy may result in disciplinary action, including revocation of system privileges or termination. ______________________________________________________ (Print Employee Name) _______________________________________________________ (Employee Signature) ______________________________________________________ (Print Department Name) _______________________________________ (Date) 1 CITY OF OTSEGO COUNTY OF WRIGHT STATE OF MINNESOTA RESOLUTION NO: 2024-41 APPROVING AN INFORMATION TECHNOLOGY POLICY WHEREAS, The City has developed an Information Technology Policy to protect the City; and WHEREAS, the City has followed guidelines and recommendations of the League of Minnesota Cities when drafting the policy; and WHEREAS, the City Council has met to discuss and review the Information Technology Policy; and WHEREAS, the City Council has determined that the Information Technology Policy shall be in force and effect upon the date of adoption of this resolution. NOW, THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF OTSEGO, MINNESOTA: 1. That the Information Technology Policy as attached hereto is hereby adopted effective immediately. ADOPTED by the Otsego City Council this 10th day of June, 2024. MOTION BY: SECONDED BY: IN FAVOR: OPPOSED: CITY OF OTSEGO __________________________________ Jessica L. Stockamp, Mayor ATTEST: __________________________________ Audra J. Etzel, City Clerk