This policy sets out the SPCB’s position on the use of its IT systems. It also covers your use of social media through channels internal to the Parliament and in your personal life. You are trusted to use social media and the SPCB’s IT systems in a sensible and responsible manner, exercising good judgement. This policy is intended to support you in doing so by setting out what is and is not considered acceptable, both from an organisational and legal perspective.
The SPCB’s IT systems which are covered in this policy include, but are not limited to:
This policy applies to all SPCB staff, staff on secondment and contractors who are authorised to use the SPCB’s IT Systems.
In the rare event that there is an alleged breach of this policy, this will be dealt with in accordance with the SPCB’s Disciplinary Procedures. Sanctions up to, and including, dismissal may be imposed. If you are a member of contractor’s staff and you are found to be in breach of this policy, this will be reported to the contract manager and your services may be terminated under the terms of the contract. If it is suspected that the SPCB’s IT systems are being used for anything illegal, these concerns will be reported to the police or any other relevant authority.
This policy is subject to regular monitoring and review to take account of legislative changes, identified best practice and experience.
The principles under which you are authorised to use the SPCB IT systems are as follows:
Should you have any queries in relation to use of the SPCB’s IT Systems, please contact the IT Helpdesk on 0131 348 6100
You are responsible for any action carried out under your IT account and must take all reasonable steps to ensure that you do not unnecessarily compromise the security of the Scottish Parliament's information and associated assets. Further guidance can be accessed through BIT’s Information Security Guide. To avoid misuse, you should:
Viruses can be introduced through use of email and the internet. You must take all reasonable steps to ensure that you do not knowingly allow a virus to affect the SPCB’s IT systems and that no viruses are transmitted by you to any third parties. The deliberate introduction of a virus onto a third party's IT systems may be a criminal offence whilst accidental introduction may, in certain circumstances, give rise to a claim against the SPCB by that third party. All e-mail transmitted via the SPCB network is automatically scanned for viruses. Since a virus may, nevertheless, slip through, please beware of all unsolicited e-mails and e-mails from unknown sources. You may also receive e-mails warning of viruses, encouraging you to forward the e-mail on to others. These are usually hoax messages designed to overload IT systems. If you have any reason to be suspicious, do not open or run any attached file or forward any message. Please contact the IT Helpdesk immediately on 86100.
Unless strictly necessary for the proper conduct of your duties, the SPCB’s IT Systems must not be used for the creation, transmission, downloading, browsing, viewing, reproduction or accessing of any image, material or other data of any kind which is illegal or otherwise unacceptable to the SPCB. This includes, but is not limited to:
If you have any doubt as to whether a particular activity is/is not permissible, you should ask the IT Helpdesk before acting. You should also note that the prohibitions in this policy still apply even if the material is located on a part of the systems which is personal or password protected.
These restrictions apply to both business (unless otherwise stated) and personal use. The SPCB considers that it is important that all use is restricted in this way to avoid disruption in the workplace and embarrassment, distress or offence to others.
In using email, you should bear in mind that it is not a secure means of transmitting information due to the risks that it may be intercepted, copied and widely distributed and/or inadvertently sent to the wrong person/organisation. It is important that you do not delete, alter or otherwise interfere with the disclaimer which is automatically attached to emails sent from the SPCB systems.
The commercial and legal effects of sending and receiving emails are the same as any other form of written communication. The style, tone and content of emails have a direct effect on the way the SPCB, and indeed the Parliament itself, is perceived by others. Emails can contractually bind the SPCB and any commercial advice, opinion, guarantee, representation or other statement contained in an email may be relied upon by third parties. You must not, therefore, send emails which make representations, contractual commitments or any form of legally binding statement concerning the SPCB unless you have specific authority to do so. It is your responsibility to ensure that appropriate 5 records are retained in accordance with the SPCB records retention schedule, including records of any commercial or legally binding emails which are sent in the course of SPCB business. Such emails should be captured in the document and records management system.
As contents of the email system are archived regularly, you should file all essential emails in the Document and Records Management system in the appropriate area to create a record for ease of retrieval. You should regularly delete messages which do not require to be retained.
In circumstances where you:
You are not permitted to:
The Document and Records Management system is an open by default system which enables staff to operate in a collaborative environment. You should only access information stored in the Document and Records Management system where you have a genuine business reason for doing so. Similarly, you must not provide access to anyone unable to access information contained within the system. It is important to note that the system maintains an audit log of activity concerning documents and records held within it.
The Parliament’ s Protective Marking system should be adhered to in order that information is safeguarded in terms of its storage, security, distribution and destruction. Specifically, you should use the Document and Records Management system ’ s protective marking feature whenever it is necessary to send sensitive information internally. Documents and records should not be distributed internally as email attachments but should be shared as links from SPShare. This ensures that information remains secure and maintains a complete and accurate audit trail of activity.
Within the DRM system are private storage areas (currently known as MySites) that give you a central location to manage and store private, work related content which colleagues do not require access to (e.g. performance appraisal documents). You should bear in mind that whilst designated as private sites, these areas are nonetheless corporate resources. As such you should not expect to have total privacy for the content stored on Parliament systems and you should be aware that all information stored on corporate systems may be subject to Freedom of Information requests. The following items may not be stored in your personal areas of the DRM system:
As only you will normally have access to your own private area of the DRM system, corporate information should not be stored here. The information and records produced or received by the Scottish Parliament during the course of its business activities are owned by the SPCB and not by the individuals who compile or receive them. It is important to ensure that corporate information is saved to an area where it can be accessed and used as a corporate resource.
The SPCB recognises the occasional need to make short, important, personal telephone calls using its network. In the case of SPS staff this is allowed so long as this does not interfere with the completion of work or disturb colleagues. No one, however, may make personal use of international calls, unless:
If you have been supplied with a mobile phone, you may only use it for personal calls:
You may also use the fax system for personal use, provided you make arrangements to reimburse the cost. You may not, however, under any circumstances, use the SPCB’s postage or stationery for personal purposes.
It is not the SPCB’s intention to routinely monitor data which is transmitted over its IT systems. This data is, however, automatically logged and includes the viewing, creation and editing of documents and records. We may, from time to time, monitor the systems for the following purposes:
No audit information is captured from personal MySites. If you are absent from work, or in the event of an emergency it may be necessary to: