RES 2024-41 Approving an Information Technology Policy

CITY OF OTSEGO
COUNTY OF WRIGHT
STATE OF MINNESOTA

RESOLUTION NO: 2024-41

APPROVING AN INFORMATION TECHNOLOGY POLICY

WHEREAS, the City has developed an Information Technology Policy to protect the City; and

WHEREAS, the City has followed guidelines and recommendations of the League of Minnesota Cities when drafting the policy; and

WHEREAS, the City Council has met to discuss and review the Information Technology Policy; and

WHEREAS, the City Council has determined that the Information Technology Policy shall be in force and effect upon the date of adoption of this resolution.

NOW, THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF OTSEGO, MINNESOTA:

1. That the Information Technology Policy as attached hereto is hereby adopted effective immediately.

ADOPTED by the Otsego City Council this 10th day of June, 2024.

MOTION BY: Moores
SECONDED BY: Dahl
IN FAVOR: Stockamp, Dahl, Dunlap, Goede, and Moores
OPPOSED: none

CITY OF OTSEGO
Jessica L. Stockamp

ATTEST: Audra J. Efzel, City Clerk

CITY OF OTSEGO, MINNESOTA

Information Technology Policy
May 30, 2024

Contents

General Information
Personal Use of Equipment
Cell Devices
Employee Responsibilities
Technology Acquisition, Development & Deployment
Situations requiring advance review and approval during planning
Situations requiring review and approval of vendor selections, consultant engagements, development plans and/or contract documents
Software
Hardware\Equipment
Electronic Mail & Messages
Records
Data Requests & Litigation
Employee Responsibilities
Retention Schedule
Social Media Use
Data Ownership
Artificial Intelligence
Use Cases
Data Security and Privacy
Ethical Considerations
Employee signature

General Information

This policy serves to protect the security and integrity of the City's electronic communication and information systems by educating employees about appropriate and safe use of available technology resources.

This policy applies to all individuals who access, use, or manage technology resources owned or operated by the City. This includes employees, elected officials, contractors, vendors, and any other authorized users. Failure to adhere to this policy may result in disciplinary action, up to and including termination of employment, or contract termination.

Computers and related equipment used by City employees are property of the City. The City reserves the right to inspect, without notice, all data, emails, files, settings, or any other aspect of a City-owned computer or related system, including personal information created or maintained by an employee. The City may conduct inspections on an as-needed basis as determined by the Information Technology Manager.

Personal Use of Equipment

The City recognizes that some personal use of City-owned computers and related equipment has and will continue to occur. City devices are not intended to replace personal devices. Some controls are necessary, however, to protect the City's equipment and computer network and to prevent abuse of this privilege.

Reasonable, incidental personal use of City computers and software (e.g., word processing, spreadsheets, email, Internet, etc.) is allowed but should never preempt or interfere with work. All use of City computers and software, including personal use, must adhere to provisions in this policy, including the following:

• Employees shall not connect personal peripheral tools or equipment (such as printers, digital cameras, disks, USB drives, or flash cards) to City-owned systems, without prior approval from the Information Technology Manager. If permission to connect these tools/peripherals is granted, the employee must follow provided directions for protecting the City's computer network.
• Personal files should not be stored on City computer equipment. This also applies to personal media files, including but not limited to mp3 files, wav files, movie files, iTunes files, or any other file created by copying a music CD, DVD, or files from the Internet. Information Technology staff will delete these types of files if found on the network, computers, or other City-owned equipment. Exceptions would be recordings for which the City has created, owns, purchased, or has a license.
• City equipment or technology shall not be used for personal business interests, for-profit ventures, political activities, or other uses deemed by the Information Technology Manager to be inconsistent with City activities. If there is any question about whether a use is appropriate, it should be forwarded to the Information Technology Manager for a determination.
• Only City staff may use City equipment.
Use of City equipment by family members, friends, or others is strictly prohibited.
• Employees are responsible for the proper use and care of City-owned computer equipment. City computer equipment must be secured while off City premises; do not leave computer equipment in an unlocked vehicle or unattended at any offsite facility. Computer equipment should not be exposed to extreme temperature or humidity. If a computer is exposed to extreme heat, cold, or humidity, it should be allowed to achieve normal room temperature and humidity before being turned on.

Cell Devices

The City recognizes the need of certain employees to use cell phones or other cell equipment in order to perform the duties of their position. Therefore, a City-owned cell phone or other cell equipment may be provided to City employees when there is a business necessity to do so.

A City employee who has been provided a City-owned cell phone must return the City-issued cell phone and equipment to the City upon termination of employment. City employees will be required to reimburse any account charges\overages that have not been previously approved by their supervisor. If a City-owned cell phone is lost or stolen, it must be reported to the employee's department head and the Information Technology Manager.

City information such as email, files, or Teams may not be accessed from personal cell phones. Personal cell phones are not allowed on the internal City network. City data is not allowed to be stored on personal cell phones.

Employee Responsibilities

A City employee covered by this policy must:

• Have the phone or equipment available for use during the employee's business hours and on-call times, as established by the department head.
• Comply with all applicable laws regarding the use of cell phones and equipment while operating a motor vehicle.
• When practical, refrain from using cell phones or equipment while operating a motor vehicle.
When cell phones or equipment are used while operating a motor vehicle, use of a hands-free device is required.
• Provide adequate security to prevent unauthorized persons from gaining access to private data stored in the memory of the device.

Technology Acquisition, Development & Deployment

Staff must consult with the Information Technology Manager before developing, purchasing, or contracting for technology products, services, support, or consulting. This set of guidelines and processes defines when consultations are appropriate. All acquisitions and deployments of information technology within the City must conform to these guidelines to maximize functionality and efficiency, while minimizing cybersecurity risks and liability, and be reviewed as indicated.

The following are specific instances where the City requires that the Information Technology Manager examine and approve information technology. This policy is not limited to these cases.

All IT projects require the sign-off of the Information Technology Manager prior to final payment. The Information Technology Manager will ensure all aspects of the project have been completed as agreed upon in the contract(s).

Situations requiring advance review and approval during planning.

• Changes to networks. Information Technology must review and approve, in advance of investigation, purchase, or deployment, any information technology that changes the City's network structure or could compromise the physical or logical security of the network.
• Information Technology acquisitions as part of capital projects. Any network-attached computing technologies that are to be acquired with capital project funds must be reviewed and approved by Information Technology during planning.
• Information Technology acquisitions as part of software projects. Any software license acquisitions must be reviewed and approved by the Information Technology Manager.
Software installation will be done under the supervision of the Information Technology office.
• Information Technology acquisitions or contracts as part of department projects. Any computer-related technologies that are to be acquired or contracted with any other funds must be reviewed and approved by Information Technology during planning. In any contract involving data transfer, the final payment must be large enough to ensure the project is completed without any remnant data left on servers scheduled for retirement.

Situations requiring review and approval of vendor selections, consultant engagements, development plans and/or contract documents.

In certain cases, where such services are being considered for purchase or new systems are being considered for deployment, Information Technology must review and approve vendor selections, consultant engagements, development plans, and contract language to ensure that work rules, vendor or consultant competencies, system interface requirements, and legal protections are appropriate to protect City information and assets.

The Information Technology Manager ensures that any individual or company entering into a contract with the City to deliver IT project services will comply with appropriate policies, related standards, processes and deliverables, or provide written proof of acceptable methods and documentation.

Software

In general, the City will provide the software required for an employee to perform his or her job duties. Requests for new or different software should be made to your supervisor, who will forward the request to the Information Technology Manager. All software purchases must be approved by the Information Technology Manager.

Employees shall not download or install any software on City equipment without the prior approval of the Information Technology Manager.
Exceptions to this include updates to software approved by Information Technology such as Microsoft updates, or other productivity software updates. The Information Technology Manager may, without notice, remove any unauthorized programs or software, equipment, downloads, or other resources.

Hardware\Equipment

In general, the City will provide the hardware required for an employee to perform his or her job duties. Requests for new or different equipment should be made to your supervisor, who will forward the request to the Information Technology Manager. The Information Technology Manager must approve all new IT equipment purchases.

City-owned equipment must be maintained in good working order outside of normal wear and tear. Clear signs of neglect of City-owned equipment will result in a deduction of the cost of equipment from the employee's next paycheck.

When an employee leaves the City, City-owned equipment must be returned in good working order to the Information Technology Manager prior to the final termination date. Failure to turn in equipment will result in a deduction of equipment value from the employee's final paycheck.

In general, most City hardware such as laptops, servers, and network equipment will be on a five-year replacement cycle. Once City equipment has reached its end-of-life, the Information Technology Manager will recycle or donate the equipment. Before any City-owned equipment is donated or recycled, all data will be destroyed following the U.S. Department of Defense 5220.22-M Standard.

Building Security

The City has door access readers and camera systems placed throughout City offices. All door access and camera systems will be managed by the Information Technology Manager. Access to these systems must be requested from the Information Technology Manager for approval. Any camera recordings that must be pulled from the VMS (Video Management System) must be completed by the Information Technology Manager.
All staff are given a door access fob when starting employment. If a door access fob is lost or misplaced, the Information Technology Manager must be notified ASAP so that the lost fob can be deactivated. Any changes to door access groups or door access schedules need to be approved and completed by the Information Technology Manager.

Electronic Mail & Messages

The City is subject to multiple laws regulating City information and records, including electronic mail (email) and text messages. Email and text messages are means of exchanging messages and documents using telecommunications equipment and computers. A complete email or text message not only includes the contents of the communication, but also the transactional information (dates and times that messages were sent, received, opened, deleted, etc.; as well as aliases and names of members of groups), and any attachments. If an email message is an official record, as defined below, the responsible party must retain said record and the transactional information pursuant to the retention schedule and the user departments' document management filing system or repository.

Records

Minnesota Statutes § 15.17 requires the City, its employees and officials, to make and preserve all records necessary to a full and accurate knowledge of their official activities. An official record is recorded information that is prepared, owned, used, in the possession of, or retained by the City in performance of an official function. The record of the official function may be the email or text message, attachments to the email or text message, or both. The law requires that all official records be listed on an approved retention schedule that identifies how long the records must be kept, and when they may be destroyed.

Just like paper records, senders and recipients of email or text messages must evaluate each message to determine if they need to keep it as documentation of their role in the business process.
Not all messages are an official record. Just like paper records, the retention period for an email or text message is based upon its content and purpose, and it must be retained in accordance with the approved retention schedule.

Official Records: If the email or text message itself has been determined to be an "official record," it may be correspondence. Official correspondence can be destroyed pursuant to the adopted records retention schedule.

Non-Official Records: If the email or text message is not an official record it may be a transitory record, non-record, or personal record.

1. Transitory Records are non-vital records relating to City business or activities which have a temporary value and do not need to be retained once their intended purpose has been fulfilled.
2. Non-records are information in the possession of the City that is not needed to document the performance of an official function. These records are not subject to any record retention schedule and do not need to be retained.
3. Personal records are messages or documents regarding non-government business or activities. These records are not subject to the records retention schedule and do not need to be retained.

Data Requests & Litigation

In accordance with the Minnesota Government Data Practices Act (MGDPA), email or text messages created or received as part of a public employee's official duties are government data and are subject to requests for review and/or copying pursuant to the MGDPA. If a government data request is received for email or text message relating to a particular subject, emails will be identified and produced without regard to whether they are official records or non-official records. If an employee is responding to a government data request, and that data is contained within the City's email system, the employee must identify and produce the relevant email.
Just like paper records, email and text messages may be subject to disclosure during the discovery phase of litigation. Attorneys representing the City are responsible for identifying if the records requested through the discovery process are stored in email. Attorneys are responsible for ensuring technology services staff is notified that a discovery order involving email was received to prevent the destruction of relevant messages.

Employee Responsibilities

As public sector employees subject to the MGDPA and the Official Records Act, City employees are responsible for identifying emails that are official records and keeping the official record in the location and format their department has identified for that type of document. Official records should not be maintained solely as emails in the email system, unless the department has established an email account for that particular purpose. For both emails and text messages, the preferred method for proper retention is conversion to PDF format and storage in Laserfiche.

Retention Schedule

The retention schedule for emails and text messages will be 365 days.

Social Media Use

The City of Otsego respects employees' and agents' rights to post and maintain personal websites, blogs and social media pages and to use and enjoy social media on their own personal devices during non-work hours. The City requires employees and agents to act in a prudent manner with regard to website and internet postings that reference the City of Otsego, its personnel, its operation or its property. Employees, agents, and others affiliated with the City may not use a City brand, logo or other City identifier on their personal sites, nor post information that purports to be the position of the City without prior authorization.

City employees and agents are discouraged from identifying themselves as City employees when responding to or commenting with personal opinions or views.
If an employee chooses to identify themselves as a City employee, and posts a statement on a matter related to City business, a disclaimer similar to the following must be used:

"These are my own opinions and do not represent those of the City of Otsego."

There may be times when personal use of social media (even if it is off-duty or using the employee's own equipment) may spill over into the workplace and become the basis for employee coaching or discipline. Examples of situations where this might occur include:

• Friendships, dating or romance between co-workers;
• Cyber-bullying, stalking or harassment;
• Release of confidential or private data; if there are questions about what constitutes confidential or private data, contact the City Administrator;
• Unlawful activities;
• Misuse of City-owned social media;
• Inappropriate use of the City's name, logo or the employee's position or title;
• Using City-owned equipment or City time for extensive personal social media use.

Each situation will be evaluated on a case-by-case basis because the laws in this area are complex. If you have any questions about what types of activities might result in discipline, please discuss the type of usage with the City Administrator.

Data Ownership

All social media communications or messages composed, sent, or received on City equipment in an official capacity are the property of the City and will be subject to the Minnesota Government Data Practices Act. This law classifies certain information as available to the public upon request. The City also maintains the sole property rights to any image, video or audio captured while a City employee is representing the City in any capacity.

The City retains the right to monitor employees' social media use on City equipment and will exercise its right as necessary. Users should have no expectation of privacy. Social media is not a secure means of communication.

Artificial Intelligence

City staff should adhere to the following guiding principles when using AI models.

• Ethical Use: AI models should be used in a manner that upholds ethical standards, respects human rights, and avoids harm or discrimination against individuals or groups.
• Transparency: The use of AI models should be transparent, with staff disclosing when AI assistance is being utilized in interactions with the public or colleagues.
• Accountability: Local government staff should be accountable for their use of AI models, ensuring compliance with relevant laws, regulations, and this policy.
• Privacy: Protecting the privacy of residents and sensitive data is paramount. Staff should handle data with care, following data protection and privacy laws and guidelines, including the MGDPA.
• Equity: AI models should be used in a way that promotes fairness and avoids biases, ensuring that all residents receive equal and just treatment.
• Continuous Learning: Staff should engage in continuous learning and training to stay updated on AI technology, best practices, and ethical considerations.

Use Cases

City staff may use AI models, including ChatGPT, for various purposes, including but not limited to:

• Information and Assistance: AI models can assist staff in providing residents with information about local services, programs, and events, as well as answering common questions and offering support.
• Data Analysis: AI models can aid in data analysis, helping staff to generate insights, make data-driven decisions, and improve the efficiency of government operations.
• Process Automation: AI models can be employed to automate routine and repetitive tasks, enabling staff to focus on more complex and strategic activities.
• Accessibility: AI models can enhance accessibility for residents with disabilities by providing alternative means of communication and support.

Data Security and Privacy

City staff must:

• Secure Data: Implement robust data security measures to protect any data collected, processed, or accessed through AI models.
• Anonymize Data: Ensure that personally identifiable information (PII) is not stored or used without proper consent and anonymization.
• Compliance: Comply with relevant data protection and privacy laws, including obtaining consent when necessary and adhering to data retention policies.

Ethical Considerations

Staff should be aware of the ethical implications of AI model use and take measures to address them, including:

• Bias Mitigation: Regularly assess and mitigate biases in AI models and their data to prevent discriminatory outcomes.
• Accountability: Establish clear lines of responsibility for AI model outcomes, including mechanisms for handling errors and addressing concerns.

Employee signature

I have received and read the above policy and have had an opportunity to ask any questions. I understand that my failure to follow this policy may result in disciplinary action, including revocation of system privileges or termination.

(Print Employee Name)
(Employee Signature)
(Print Department Name)
(Date)