R895-7. Acceptable Use of Information Technology Resources  


R895-7-1. Purpose

Information technology resources are provided to state employees to assist in the efficient day to day operations of state agencies. Employees shall use information technology resources in compliance with this rule.


R895-7-2. Application

All agencies of the executive branch of state government including its administrative sub-units, except the State Board of Education and the Board of Regents and institutions of higher education, shall comply with this rule.


R895-7-3. Authority

This rule is issued by the Chief Information Officer under the authority of Section 63F-1-206 of the Utah Technology Governance Act, Utah Code, and in accordance with Section 63G-3-201 of the Utah Rulemaking Act, Utah Code.


R895-7-4. Employee and Management Conduct

  (1) Providing IT resources to an employee does not imply an expectation of privacy. Agency management may:

  (a) View, authorize access to, and disclose the contents of electronic files or communications, as required for legal, audit, or legitimate state operational or management purposes;

  (b) Monitor the network or email system including the content of electronic messages, including stored files, documents, or communications as are displayed in real-time by employees, when required for state business and within the officially authorized scope of the person's employment.

  (2) An employee may engage in incidental and occasional personal use of IT resources provided that such use does not:

  (a) Disrupt or distract the conduct of state business due to volume, timing, or frequency;

  (b) Involve solicitation;

  (c) Involve for-profit personal business activity;

  (d) Involve actions that are intended to harm or otherwise disadvantage the state; or

  (e) Involve illegal activities and/or activities prohibited by this rule.

  (3) An employee shall:

  (a) Comply with the Government Records Access and Management Act, as found in Section 63G-2-101 et seq., Utah Code, when transmitting information with state provided IT resources.

  (b) Report to agency management any computer security breaches, or the receipt of unauthorized or unintended information.

  (4) While using state provided IT resources, an employee may not:

  (a) Access private, protected or controlled records regardless of the electronic form without data owner authorization;

  (b) Divulge or make known his/her own password(s) to another person;

  (c) Distribute offensive, disparaging or harassing statements including those that might incite violence or that are based on race, national origin, sex, sexual orientation, age, disability or political or religious beliefs;

  (d) Distribute information that describes or promotes the illegal use of weapons or devices including those associated with terrorist activities;

  (e) View, transmit, retrieve, save, print or solicit sexually-oriented messages or images;

  (f) Use state-provided IT resources to violate any local, state, or federal law;

  (g) Use state-provided IT resources for commercial purposes, product advertisements or "for-profit" personal activity;

  (h) Use state-provided IT resources for religious or political functions, including lobbying as defined according to Section 36-11-102, Utah Code, and rule R623-1;

  (i) Represent oneself as someone else including either a fictional or real person;

  (j) Knowingly or recklessly spread computer viruses, including acting in a way that effectively opens file types known to spread computer viruses, particularly from unknown sources or from sources with which the file would not reasonably be expected to be connected;

  (k) Create and distribute or redistribute "junk" electronic communications, such as chain letters, advertisements, or unauthorized solicitations;

  (l) Knowingly compromise the confidentiality, integrity or availability of the State's information resources.

  (5) Once agency management determines that an employee has violated this rule, they may impose disciplinary actions in accordance with the provisions of DHRM rule R477-11-1.