NIH POLICY MANUAL

2806 - Limited Authorized Personal Use of NIH Information Technology (IT) Resources
Issuing Office: CIT/ODCIO 402-4463
Release Date: 02/08/02


  1. Explanation of Material Transmitted: This policy provides for expanded personal use of NIH-owned information technology (IT) resources by NIH staff as authorized in DHHS policy HHS-IRM-2000-0003, "Personal Use of Information Technology Resources."  The August 14, 1996, NIH policy on appropriate use of NIH email and Internet previously located at http://irm.cit.nih.gov/policy/e-mail&i.html is also superseded by this issuance.

This policy is intended to allow the maximum flexibility possible for using NIH IT resources without compromising the integrity of NIH and/or its IT resources.  NIH Institutes and Centers (IC) may use this policy to develop their own internal policies and may apply additional or more stringent controls on the use of IC IT resources by their respective IC staff, as appropriate. IC-developed policies and procedures should not be implemented until the labor unions, if applicable, have been provided notice of the proposed  changes and given the opportunity to fully exercise their representational rights. 

  2. Filing Instructions:

    Remove: None
    Insert: NIH Manual Chapter 2806 dated 02/08/02

PLEASE NOTE: To sign up for email notification of future changes, please go to the NIH Manual Chapters LISTSERV Web page.


A. Purpose: The purpose of this issuance is to establish the policy for limited authorized personal use of NIH-owned information technology (IT) resources by NIH staff. This policy applies to the use of NIH IT resources regardless of location (e.g., office, home, on travel, field locations, telecommuting sites, etc.).

This policy shall be in effect for all NIH staff (defined in section E.) and is intended to allow the maximum flexibility possible for using NIH IT resources without compromising the integrity of NIH and/or its IT resources. NIH Institutes and Centers (IC) may use this policy to develop their own internal policies and may apply additional or more stringent controls on the use of IC IT resources by their respective IC staff, as appropriate. IC-developed policies and procedures should not be implemented until the labor unions, if applicable, have been provided notice of the proposed changes and given the opportunity to fully exercise their representational rights. 

This policy replaces the August 14, 1996, NIH policy on use of NIH email and Internet previously located on the CIT Management Policy webpage. However, this policy does not impact the utilization of the Internet to acquire information for official NIH or IC business, nor does it supersede existing policies or agreements concerning the use of voice communications devices. Further, this policy does not supersede any other applicable law or higher-level agency directive, policy guidance, or existing labor management agreement in effect as of the effective date of this policy.

B. Background: The mission of NIH requires its staff to have access to certain NIH-provided IT resources to support official programmatic and administrative duties. NIH IT resources are intended for official use; however, NIH staff are authorized to use NIH-owned IT resources, such as workstations, printers, electronic mail, and other IT resources listed in section E.3. for limited personal use as authorized in this policy.

C. Policy:  

1. General

For the purposes of this chapter, the term ‘staff’ is inclusive of all persons working for NIH in a non-contract position (See listing of “NIH staff” types in section E.5.). Contractors may be permitted the same limited use of government IT resources with written approval of the responsible contract project officer (COR/COTR). Authorization and scope of use, and disciplinary action for misuse, shall be specifically addressed in the contracting document(s).

In summary, NIH staff are permitted limited personal use of authorized IT resources if the use (1) is incidental and involves minimal additional expense to the government, (2) does not interfere with staff productivity, the NIH mission or operations, (3) is not used to misrepresent oneself or NIH, (4) does not have the potential to cause public embarrassment to NIH, (5) does not compromise the integrity of any NIH system or system security safeguards, and (6) does not violate federal laws or policies or any provisions of this policy or other NIH policies. (See section C.3. for specific examples of prohibited uses.)

Limited or incidental personal use of NIH IT resources by staff during non-work time is considered to be "authorized use" of government property as that term is used in the Standards of Ethical Conduct for Employees of the Executive Branch. Limited personal use is a privilege and staff are expected to use professional judgment, follow rules and regulations and to be responsible for their own personal and professional conduct while using these IT resources. 

NIH managers are responsible for ensuring that they and their staff are aware of this policy with respect to the unauthorized use of IT resources, and for taking appropriate and immediate action, as described in section C.5. of this chapter, when unauthorized or inappropriate use of IT resources is suspected or known.

2. Federally Prohibited Uses

Use of NIH IT resources is subject to federal laws and regulations including, but not limited to:

  • Anti-Lobbying Statutes, e.g., Lobbying Congress on behalf of causes, individuals, or organizations; promoting or conducting political activities; 
  • Copyright Act, e.g., violating copyrights or software licensing agreements by installing, downloading, or copying (in whole or in part) copyrighted materials in any format;
  • Privacy and Freedom of Information Acts, e.g., accessing or using information inappropriately which is protected by the Privacy Act, or other federally mandated confidentiality provisions including the release of trade secrets, confidential business information, and other government information that is not available to the public;
  • Standards of Ethical Conduct for Employees of the Executive Branch, e.g., making use of NIH IT resources for commercial purposes or in support of for-profit activities, e.g., running a private business. See the detailed listing of “Principles of Ethical Conduct” available on the NIH Office of Government Ethics web site; and,
  • Other illegal activities or activities otherwise prohibited by federal regulations, including creating, downloading, intentionally viewing, storing, copying or transmitting materials that exhibit or imply involvement with gambling, illegal weapons or drugs, child pornography, terrorism, and related activities. 

3. Other Prohibited Uses

NIH staff shall not use NIH IT resources and systems in any manner that is prohibited by policy, causes unnecessary costs, congestion, disruption, or damage to government IT services, systems or equipment, or in a manner that demeans other staff, groups, individuals, and organizations, including:

  • Using large amounts of bandwidth (data transmission exchange) for activities that are not related to NIH business or professional development, or that are not needed to accommodate staff with disabilities in accordance with legislative mandates. Such prohibited activities that use large amounts of bandwidth include: sending chain letters, e-mailing or downloading large files, e.g., music, graphics, games, videos, etc., using continuous on-line connections for data or video streaming, interactive/on-line games, music, or other similar activities;
  • Intentionally or unintentionally permitting the use of NIH IT resources by unauthorized persons, e.g., friends, family or others;
  • Overriding or avoiding NIH security and system integrity procedures and devices or using NIH systems as a staging ground to compromise the security of NIH and non-NIH systems;
  • Intentionally accessing, viewing, disseminating, or storing offensive or disparaging information or graphical depictions, including hate, sexually explicit, violent, or racist materials;
  • Installing and using hardware and/or software that is not in accordance with NIH or IC internal guidance. ICs should develop approval policies/processes that allow staff who need to add software and hardware as a part of their jobs to do so. Blanket authority can be granted, where/when appropriate, so that approval would not be required for each action.
  • Conducting or participating in fund drives or monetary charitable events. The Combined Federal Campaign is the only authorized solicitation of federal employees for money.
  • Creating, receiving, transmitting, or storing any information that is considered ‘classified’ which could potentially compromise national security and/or cause public alarm (e.g., unconfirmed health epidemic);
  • Establishing personal and/or non-work-related web sites or bulletin board systems;
  • Using NIH logos or titles to misrepresent personal materials or intentionally misrepresenting, either implicitly or explicitly, personal views or comments in electronic forums or e-mail as official NIH or IC policy or position.

Also, see “NIH Information Technology General Rules of Behavior” for more detailed information on the appropriate use of NIH IT resources plus useful guidance on effectively safeguarding NIH IT resources on- and off-site.

4. Privacy Expectations

Staff cannot expect a right to privacy while using government-provided IT resources or equipment at any time, including during authorized personal use time. 

NIH system administrators, agency officials, and supervisors and other authorized individuals, may access information, files, materials and messages which reside in hardware or software used by staff if there is reasonable suspicion that an individual is using NIH IT resources in an unauthorized or illegal manner. 

Further, in the legitimate performance of their duties, e.g., technical, administrative, or legal reasons, authorized persons may access files, etc., for business purposes.

5. Disciplinary Action for Misuse

Individuals who abuse these resources, knowingly interfere with the operation of federal IT systems, or otherwise fail to comply with the provisions of this policy are subject to loss of associated privileges, may be held financially liable for any costs associated with the improper use, and/or may be subjected to disciplinary action, and/or criminal penalties.

Incidents of inappropriate, unauthorized, or risky use will be reported to the immediate staff supervisor, who will report the incident to the IC Executive Officer (EO), as appropriate. The EO will make the initial assessment of the reported action and determine the appropriate course of action. The EO may involve the IC CIO (or equivalent), IC Information Systems Security Officer (ISSO), and the NIH Incident Response Team (IRT), as appropriate, if the matter involves risk to NIH IT resources. Matters involving inappropriate staff conduct on NIH IT resources should be reported to the IC Human Resource Management Officer for guidance on further disciplinary action, depending on the nature or seriousness of the misuse conduct.

Incidents involving the violation of laws or regulations or matters that pose potential public embarrassment to the NIH shall also be reported by the EO to the NIH Chief Information Officer, and the NIH Deputy Director for Management (DDM). 

If management determines that disciplinary action is warranted against an individual, action shall be pursued through the established adverse action/progressive disciplinary process prescribed in NIH human resources policy. Proposing/Deciding Officials should refer to the information provided at the OHR website and consult with their respective HR Office. The following table describes the suggested penalties that may be imposed on staff for cases of misuse of NIH IT resources. 

Suggested Penalties for Misuse of Electronic Resources [1]

Nature of Misconduct:  using or allowing the use of government property or government leased property of any kind (including equipment, supplies, services, information technology resources (including the internet, etc.)) for other than authorized activities

First Action:  reprimand to 14-day suspension

Second Action:  7-day suspension to removal

Third Action:  removal

Nature of Misconduct:  using NIH information technology resources for downloading or storage of child pornography purposes will result in an immediate proposal of removal and referral for prosecution.

First Action:  removal

[1] Excerpted from NIH Table of Suggested Penalties.  For more information on appropriate action/penalties for misuse, contact your respective human resources office.

D. References

1. HHS-IRM-2000-0003, HHS IRM Policy for Personal Use Of Information Technology Resources, January 8, 2001 (based on GSA’s Model ‘Limited Personal Use Policy’ of Use of Government Office Equipment)

2. Principles of Ethical Conduct for Government Officers and Employees 

3. NIH Information Technology General Rules of Behavior 

4. NIH Policy Manual 26101-26-6, Cellular Telephone Services and Equipment 

5. NIH Policy Manual 26101-26-08, Remote Access to the NIH Network 

6. Security Guidelines for NIH Remote Access Users 

7. NIH Policy Manual 26101-25-2-2, Personal Property Management Guide: Authorities and Responsibilities in Personal Property 

8. Section 504 of the Americans with Disabilities Act of 1990 

9. NIH Policy Manual 2204, Reasonable Accommodations 

10. Section 508 of the Rehabilitation Act, as amended by the Workforce Investment Act of 1998 

11. 5 CFR 2635 Section 101: Basic Obligation of Public Service; Section 704, Use of Government Property; Section 705, Use of Official Time

12. 17 USC, Copyrights, Sections 106-110, Exclusive Rights and Limitations

13. 18 USC 1913, Lobbying With Appropriated Moneys

14. 45 CFR 5, Freedom of Information Regulations

15. 45 CFR 5b, Privacy Act Regulations 

16. 41 CFR 101-35.201, Telecommunications Management Policy, Authorized Use of Long Distance Telephone Services

17. OMB Circular A-130, Appendix III, Security Of Federal Automated Information Resources

E. Definitions:

1. Authorized use: Use of government/NIH-provided IT resources as permitted in this policy, IC-internal policies or as specifically authorized by management.

 2. Bandwidth: The capacity of a networked connection to send data along the networked wires. 

 3. IT resources:

a. may include: personal workstations and related peripherals and software, personal digital assistants (PDAs), telephones, facsimile machines, photocopiers, connectivity for access to Internet services and electronic mail and needed supplies for IT equipment. Cellular phone use policy is described in NIH Manual 26101-26-6, Cellular Telephone Services and Equipment.  Also see NIH Manual 26101-26-8, Remote Access to the NIH Network, for special requirements for acquiring and managing remote access to the NIHnet.

b. may not include unless specifically authorized: medical, laboratory, and other valuable equipment, e.g., videoconferencing equipment, supercomputers, and desktop publishing equipment. 

 4. Minimal additional expense: Use is limited to those situations where the government is already providing equipment or services and the staff's use of such equipment or services will not result in loss of employee productivity, interfere with official duties or other than "minimal additional expense." Examples include: limited communications costs for voice (telephones), data, or video image transmission, use of paper, ink, toner or other consumables in limited amounts, general wear and tear on equipment, data storage on storage devices; and transmission impacts with moderate e-mail message sizes, such as e-mails with small attachments.

 5. NIH staff: For the purposes of this chapter, includes: personnel employed by the Federal Government under a career or career-conditional appointment, guest researchers, adjunct investigators (volunteers), individuals on temporary appointments (including student appointments), Fogarty International Center scholars, Special Experts, Visiting Fellows, Intramural Research Training Award fellows, IC fellowship award recipients, research fellows, research fellows (VP) and clinical fellows, clinical fellows (VP), volunteers and special volunteers, and Commissioned Corps personnel. 

6. Personal or non-work time - times when the staff are not otherwise expected to be conducting official business. Staff may, for example, use government office equipment during their own off-duty hours such as before or after a workday, lunch periods, authorized breaks, or weekends or holidays.

7. Personal use - authorized activity that is conducted for purposes other than accomplishing official or government business.

8. Sexually explicit material – obscene or pornographic in nature; depiction of human nudity and other provocative material that could be viewed as offensive to other staff or could be perceived as sexual harassment. Note: Any activity involving child pornography is a criminal offense and will be referred to the Office of Inspector General, as appropriate.

9. Religious Expression - May be restricted under the following conditions:

a. when/where it interferes with employee's work performance or creates a hostile work environment or could be viewed as harassing by other employees;

b. when work time is used to pursue religious or ideological agendas;

c. when/where it creates the impression that government is endorsing or sponsoring a particular religion or religious ideology.

10. IC system manager – Individual within the IC who is the primary contact with oversight responsibility for an automated information system (AIS) facility or operation and any related issues. This usually includes an organizationally defined set of personnel, hardware, software, communications, and physical facilities--a primary function of which is the operation of an AIS and an application system(s). As applicable, a system manager is responsible for the management of a major IC application system, workstations, and distributed computing applications, including local and wide-area networks. System managers are also involved with security considerations in applications systems development, implementation, and operation and maintenance activities.

F. Responsibilities:

1. Supervisors shall:

  • ensure that employees have a copy of this NIH policy and, if available, their IC personal use policy, and advise employees to be familiar with the information.
  • ensure that staff using IT resources off-site have been issued, and keep current, necessary government property passes and are aware of all relevant property regulations for the property.
  • include information regarding the appropriate use of NIH IT resources in relevant orientation materials. 
  • restrict a staff member’s right to use government equipment for personal use if his/her use conflicts with any federal policies, is excessive, or interferes with official government business.
  • report to the IC EO incidents of misuse that are of a serious nature or are unlawful.

2. NIH staff shall:

  • be familiar with the provisions of this policy and, if applicable, their respective IC personal use policy. 
  • use IT resources for authorized purposes as set forth in this policy and other related NIH policies, including any IC-developed internal policies. 
  • refrain from using the equipment in any way that compromises federal or agency policy on privacy, Standards of Conduct, copyright laws, etc.
  • protect all government IT resources made available to them from unauthorized use or access by other persons, and from damage or theft (see NIH Information Technology General Rules of Behavior).
  • request approval from IC system manager to make changes to equipment configurations, including the loading of software or downloading free software from outside sources and connecting other peripherals, e.g., scanners, digital cameras, etc., to government equipment.
  • obtain necessary approvals and property passes for equipment that is to be used off-site.
  • consult with their supervisor on any questions relating to appropriate use practices of their respective office. 

3. IC System Managers shall:

  • remind NIH users of their responsibilities for appropriate personal use with system log-on messages on a regular frequency.
  • approve or disapprove staff requests to install or download software or connect other equipment to government equipment that is outside the standard system configuration. IC System Managers need to assess the potential impact on the system before approval and/or to assist the individual in identifying an alternative means to accomplish the intended goal or to adjust the system to accommodate his/her needs prior to actions being taken that may interfere with the work of many individuals.
  • ensure the security of the computer systems which staff use as well as those computer systems which he/she operates or administers.
  • take the necessary action(s) for assuring that user access is rescinded when it is no longer needed, e.g., when a user's employment with the IC ends or when otherwise advised by management.
  • report suspected misuse of IT resources to IC EO (and the IC CIO (or equivalent) as needed, who can advise on the technical aspects of the situation) and take appropriate action to respond to incidents as advised by IC senior management.
  • provide guidance or clarification to IC managers and staff, as requested, on technical issues or questions related to the use of NIH IT resources.

4. IC Executive Officers shall:

  • make an initial assessment of any reported incidents of inappropriate, unauthorized, or risky use and determine the appropriate course of action as described in section C. 5. above.

G. Records Retention and Disposal: All records (e-mail and non-e-mail) pertaining to this chapter must be retained and disposed of under the authority of NIH Manual 1743, "Keeping and Destroying Records," Appendix 1, "NIH Records Control Schedule," Section 1100-M-1 - General Administrative Files at IC and Lower Levels.

NIH e-mail messages. NIH e-mail messages, including attachments that are created on NIH computer systems or transmitted over NIH networks, that are evidence of the activities of the agency or have informational value are considered Federal records. These records must be maintained in accordance with current NIH Records Management guidelines. Contact your IC Records Officer for additional information. 

All e-mail messages are considered Government property, and, if requested for a legitimate Government purpose, must be provided to the requester. NIH staff conducting official reviews or investigations, and the Office of Inspector General may request access to or copies of the e-mail messages. E-mail messages must also be provided to Congressional oversight committees if requested and are subject to Freedom of Information Act requests. Since most e-mail systems have back-up files that are retained for significant periods of time, e-mail messages and attachments are likely to be retrievable from a back-up file after they have been deleted from an individual's computer. The back-up files are subject to the same requests as the original messages. 

H. Management Controls:  The purpose of this manual issuance is to establish policy for appropriate personal use of NIH IT resources by staff. 

1. Offices Responsible for Reviewing Management Controls Relative to this Chapter*

  • The CIT Office of the Deputy Chief Information Officer (ODCIO) will be responsible for communicating to IC senior management the policy on appropriate use of IT resources and for the review (and correction and reporting, as needed) of issues that are raised to the NIH level in accordance with section C. 5. of this chapter. 
  • The NIH ICs will be responsible for ensuring that management controls are implemented in accordance with this policy and for the review of (and correction, as needed) issues that do not warrant NIH-level review or action. 

2. Frequency of Review: Ongoing.

3. Method of Review: 
IC supervisors are responsible for reviewing and maintaining information they receive related to inappropriate use of IT resources by staff, and for taking appropriate action that includes reporting incidents, when appropriate, to the IC EO.

Incidents involving serious risk to NIH IT resources through improper staff use will be reported by the IC to the NIH Incident Response Team (IRT). Reports of findings and recommendations resulting from IRT reviews will be issued to the IC EO. The EO will consult with the IC CIO (or equivalent) and IC ISSO, as necessary, to determine appropriate action. 

The IRT, through the NIH ISSO, will prepare and submit reports of activities that are allegedly illegal, or have the potential to cause embarrassment to the NIH, to the NIH CIO and the NIH DDM for review and approval of any actions required. 

Recurring issues that indicate a possible policy or material weakness in the management of staff personal use of IT resources will be brought to the attention of the NIH Chief Information Officer (CIO) and, if necessary, the NIH Information Technology Management Committee (ITMC) for discussion and corrective action at the NIH level. Corrective actions may include: (1) a request for IC system managers to conduct a review of computer activity to identify the magnitude of a frequently identified problem and/or (2) revisions to this policy.

4. Review Reports are sent to: DDM 

*Also see Management Control Review information contained in NIH Manual Chapters covering the use of specific NIH IT Resources, e.g., Cellular Telephone Services And Equipment, Remote Access to the NIH Network, etc.

Last Updated: 02/12/02 NIH