Data protection is a year-round concern. Tip of the day:
Use the Internet responsibly at work

IT charter: operating instructions

Today, most employers make computing resources available to their employees so that they can carry out the tasks entrusted to them. A “charter for the proper use of information and communication technologies”, commonly known as the “IT charter”, which all employees must follow, has become indispensable for controlling access to these computing resources (workstations, shared network, Internet, etc.) and for protecting the data that passes through them, is stored on them and is exchanged over them.

This document, addressed to users, sets out rules that establish the responsibilities of the different parties and reconcile, on the one hand, the employer’s interests (protecting the information systems of the company or administration) with, on the other hand, those of the employees (guaranteeing their rights and freedoms, both individual and collective).

Adopting an IT charter helps to prevent misuse of the computing tools and, provided the charter has been properly deployed, gives a reference rule to apply in the event of a dispute.

Finally, although an IT charter is not mandatory, it can serve as the means of informing users that their personal data is collected for the needs of the information systems and the software tools in use.

A code of good conduct

Intended as a reminder of the rights and obligations of both employees and employers, the IT charter is now an essential element of the overall information systems (IS) security policy. By setting a framework of standards and good practices for the optimal use of computing resources, it informs users in particular of:

  • Risky behaviours likely to harm the common interests of the company or administration, and the security requirements;
  • Any surveillance measures (telephone monitoring, video surveillance, etc.) implemented by the employer in the workplace;
  • The framework for proper use of the software tools and the boundary between professional and personal use;
  • The penalties applicable in case of failure to comply with the IT charter.

Its objective is to establish a policy that is consistent with the technical reality and with human resources policies, so as to address all of the risks.

Moreover, if the company or administration implementing it wishes to carry out controls and impose penalties, the charter must be attached as an appendix to the employment contract or to the internal rules and regulations.

The contents of the IT charter

The IT charter cannot be an off-the-shelf document. It must always be written with the specific activity of the company or administration implementing it in mind, including its particular security constraints. Drafting it requires careful consideration, often involving several services and/or departments, and it must obey the principle of proportionality with regard to the purpose pursued, which may require frequent updates.

The IT charter must address in particular the following themes:

Access management for the company network and the Internet

This section defines the rules relating to the identifiers and passwords given to employees so that they can connect to the company network and to the Internet. It may specify the allocation rules, the prohibition on disclosing them, and the users’ responsibility with regard to these credentials.

A user’s credentials (identifier and password) are strictly personal; their disclosure to another employee or to a third party must therefore be forbidden, except in the situations described in the “Leave management” section below.

It is also recommended to require users to lock their session (password-protected screensaver) whenever they leave their workstation, and to provide for accounts to be blocked after a certain number of failed login attempts.
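The lockout rule above is usually stated in the charter but enforced in code. The following is an added example, not part of the original page or of any product it describes: it blocks an identifier after a number of failed attempts inside a sliding window and refuses even a correct password while the lock is in force, so that an attacker gains nothing from guesses made during the lockout. The threshold (5 failures in 15 minutes), the lockout duration (30 minutes) and the reset on success are assumptions, since the charter leaves these figures to each organisation.

```python
"""Account lockout after repeated failed logins (added example, not from the page).

Assumed policy (the charter leaves the figures to each organisation):
5 failures inside a 15-minute sliding window block the account for 30 minutes;
a successful login clears the failure counter.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 5            # failures allowed inside the window (assumed)
    window_seconds: int = 15 * 60    # sliding window for counting failures (assumed)
    lockout_seconds: int = 30 * 60   # how long the account stays blocked (assumed)


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0                      # epoch seconds; 0 means not locked


class LoginGuard:
    """Tracks failed attempts per identifier and blocks the account when the
    threshold is reached. The clock (`now`) is passed in explicitly so the
    behaviour can be exercised without sleeping."""

    def __init__(self, policy: Optional[LockoutPolicy] = None):
        self.policy = policy or LockoutPolicy()
        self.accounts: dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._state(user).locked_until

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one login attempt and return "ok", "denied" or "locked".

        A locked account is refused even when the password is correct; the
        caller should report the lockout the same way as a wrong password so
        that the response does not reveal whether the guess was right.
        """
        st = self._state(user)
        if now < st.locked_until:
            return "locked"
        # Forget failures that have fallen out of the sliding window.
        while st.failures and now - st.failures[0] > self.policy.window_seconds:
            st.failures.popleft()
        if password_ok:
            st.failures.clear()
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return "locked"
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard(LockoutPolicy(max_failures=3, window_seconds=60, lockout_seconds=600))
    for t, ok in [(0, False), (1, False), (2, False), (3, True), (602, True)]:
        print(f"t={t:>3}s password_ok={ok!s:<5} -> {guard.attempt('alice', ok, t)}")
```

The demo in the block shows the sequence the charter is meant to prevent: three wrong guesses, then a correct password that is still refused until the lock expires. A real deployment would persist `AccountState` outside the process and key it on the identifier rather than, say, the source IP, since the charter's rule is about the account.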

Furthermore, access rights to particular files or folders may be restricted to authorised users only. This clearance policy must be defined according to each employee’s duties and to the sensitivity of the data being processed.

The conditions of use of the business e-mail system

This section may indicate that limited and reasonable use of the business e-mail system for private purposes is tolerated.

Respect for the secrecy of private correspondence is an inviolable principle; the employer shall therefore not access the content of private messages sent or received by employees on the business e-mail system other than in the presence of the employee concerned.

However, for such messages to be treated as private, employees must identify them as such, for example:

  • By putting words such as “private”, “[PRV]” or “personal” in the subject line of the message;
  • By putting in the subject line a wording that makes the private nature of the message obvious, such as “holidays in Japan”;
  • By storing such messages in a folder named “personal” or “private”.

Furthermore, it should be recalled that e-mail shall not be used to commit any violation of the law, whether through the content conveyed or the words exchanged. Under no circumstances shall messages contain content likely to endanger the security of the information system (for example, oversized or risky attachments). Anti-spam and antivirus systems may therefore place certain messages in quarantine.

This section must also state whether the e-mail system’s log files may be examined for IS security and maintenance purposes and/or to detect misuse of e-mail with regard to the established rules (for example, too many messages flagged as personal, or attachments whose volume or nature is problematic).

The conditions of use of the Internet

This section may recall that the Internet connection provided by the employer is to be used for business purposes, but that private use may be tolerated as long as it remains reasonable. This reasonableness criterion might be, for example, a specific time slot (or duration) of connection beyond which private use of the Internet is considered excessive.

Furthermore, it should be recalled that employees are expected to refrain from any act that might violate the law or jeopardise the security of the information system in any way whatsoever through inappropriate use of the Internet (downloads, visiting risky sites, etc.).

The employer may also decide to block access to certain sites (pornographic, discriminatory, violent or, more broadly, contrary to public order and decency; social networks; etc.).

Furthermore, if the log files showing overall Internet use in the company or administration may be examined for IS security and maintenance purposes, this must be stated in this section.

The conditions of telephone use

This section should specify whether private phone calls are tolerated and whether any control is carried out.

Where a device for recording telephone conversations is installed, it is necessary to describe precisely, in particular, the detailed steps of the control, its terms and conditions, the telephone equipment concerned (landline or mobile), the purpose of the intended controls, and the conditions for exercising the right of access.

Furthermore, if the company tolerates private use of the telephone, the Commission recommends that the charter provide for the possibility of deactivating the recording function by pressing a predefined key on the telephone before making a private call. Otherwise, the employee must be allowed to use a telephone at his or her workplace that is not subject to recording, or to use his or her personal mobile phone.

Leave management

The charter must provide a procedure for authorised persons to access a user’s electronic mailbox during a temporary absence or after a permanent departure. In this respect, the charter must state that the mailbox of an absent person may be accessed only for reasons strictly necessary to ensure the continuity of the activities of the company or administration, and only where the urgency of the situation justifies it.

For example, the charter may provide for an automatic out-of-office reply indicating a person to contact in case of emergency, for the appointment of a substitute who has the same access rights to the colleague’s mailbox, or for all incoming messages to be forwarded to a substitute.

However, it must also specify that the substitute shall under no circumstances read messages identified in the subject line as “personal” or “private”, and that the employee must be informed of the identity of his or her substitute.

The same rules apply to access to the workstation of an absent employee.
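Two of the rules above, the conventions for marking a message as private in the e-mail section and the substitute’s duty not to read such messages during an absence, can be enforced by the same piece of code. The following is an added example, not code from the original page or from any product it describes: it builds the view of a mailbox that a substitute may see, excludes everything carrying one of the explicit markers the charter lists (a “private”, “[PRV]” or “personal” tag in the subject, or storage in a “personal” or “private” folder), and computes the share of messages flagged private, which is the kind of figure a log review might use to spot abuse of the marker. The `Message` type and the sample mailbox are constructed for the example. Note the caveat the code cannot remove: a subject whose private nature is merely obvious from its wording (“holidays in Japan”) carries no marker and can only be recognised by a human reading the subject line.

```python
"""Substitute mailbox view that excludes private messages, plus an audit figure
(added example, not from the page; Message and SAMPLE_MAILBOX are constructed).

Only the explicit markers listed by the charter are detected. A subject that is
obviously private from its wording alone is not detectable mechanically and the
substitute must still respect it when reading subject lines.
"""
import re
from dataclasses import dataclass

# Whole-word, case-insensitive match of a marker, with or without brackets:
# "[PRV] lunch", "Private: dentist", "personal" all match; "Privately" does not.
PRIVATE_SUBJECT = re.compile(r"(?<!\w)\[?\s*(private|personal|prv)\s*\]?(?!\w)", re.I)
PRIVATE_FOLDERS = {"personal", "private"}


@dataclass(frozen=True)
class Message:
    uid: int
    folder: str
    subject: str
    sender: str


def is_private(msg: Message) -> bool:
    """True if the message carries one of the charter's explicit private markers."""
    if msg.folder.strip().lower() in PRIVATE_FOLDERS:
        return True
    return PRIVATE_SUBJECT.search(msg.subject) is not None


def substitute_view(mailbox: list[Message], reason: str) -> list[Message]:
    """Messages a substitute is allowed to see.

    `reason` is the business-continuity justification the charter requires;
    it is only required to be present here, so that it can be logged, not
    judged (that decision belongs to the procedure, not to this code).
    """
    if not reason.strip():
        raise ValueError("access to an absent colleague's mailbox needs a stated reason")
    return [m for m in mailbox if not is_private(m)]


def private_ratio(mailbox: list[Message]) -> float:
    """Share of messages flagged private; a sudden rise is a signal for the
    log review the charter allows, not proof of misuse."""
    if not mailbox:
        return 0.0
    return sum(is_private(m) for m in mailbox) / len(mailbox)


# Constructed sample data (not real mail).
SAMPLE_MAILBOX = [
    Message(1, "Inbox", "Q3 budget review", "cfo@example.com"),
    Message(2, "Inbox", "[PRV] lunch on Friday?", "friend@example.net"),
    Message(3, "Inbox", "Private: dentist appointment", "dentist@example.org"),
    Message(4, "Personal", "Photos", "family@example.net"),
    Message(5, "Inbox", "Privately held shares report", "legal@example.com"),
]


if __name__ == "__main__":
    for m in substitute_view(SAMPLE_MAILBOX, reason="urgent supplier invoice"):
        print(f"visible to substitute: {m.uid} {m.subject!r}")
    print(f"share flagged private: {private_ratio(SAMPLE_MAILBOX):.0%}")
```

The regex deliberately requires a whole-word marker so that business subjects such as “Privately held shares report” are not hidden from the substitute; conversely, a business subject that happens to contain the bare word “personal” will be treated as private, which is why a dedicated tag such as “[PRV]” is the more robust convention for a charter to recommend.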

Finally, in the event of permanent departure from the company or administration, the employee’s accounts and mailbox shall be deactivated within three months of the departure.

The obligation of confidentiality and security

It is important to bind users to an obligation of confidentiality with regard to all the data to which they have access.

Employees shall also show common sense and loyalty in their use of the computing resources placed at their disposal.

The protection of personal data

The IT charter must inform users of all the automated processing of personal data implemented by the company or administration.

In accordance with Article 14 of Law no. 1165, this notice must include:

  • The purpose or purposes of the processing;
  • The names of the persons authorised to access the processing;
  • The retention period of the collected data;
  • The arrangements under which individuals may exercise their right of access to their data.

The penalties

It must be clearly stated that failure to comply with the provisions of the charter may give rise to disciplinary proceedings or, in case of a violation of the law, to judicial proceedings. The penalties may be listed, with the proviso that they cannot be contrary to the rules laid down by labour law and must comply with the principle of proportionality.

The IT administrator’s charter

Alongside the IT charter, which concerns users, the Commission also recommends implementing a specific charter for IT administrators. Administrators have particular rights and obligations, especially with regard to their access to data that may be private and to their duty of confidentiality. It is therefore necessary to establish ethical rules that they undertake to abide by.

The IT administrator must in particular:

  • Not read users’ personal data, except on an ad hoc basis at the express request of the user concerned, and not grant anyone access to it, except in the specific cases provided for by law (for example, a judicial enquiry) or on the basis of a formal, legitimate authorisation declared in advance;
  • Comply with his or her confidentiality and non-disclosure undertaking, by neither taking note of nor using information he or she may come across in the course of his or her activities;
  • Not connect to an IS resource without the express authorisation of the person to whom the resource is allocated, in particular when using remote-control software on a user’s workstation;
  • Not abuse his or her privileges, and limit his or her actions to the computing resources for which he or she is responsible, respecting the purpose of his or her mission (he or she must not modify configurations or access rights other than in accordance with the predefined administration or operating procedures);
  • Not take orders from an unidentified person, and report to his or her line manager any request he or she considers inappropriate;
  • Not circumvent established security procedures, in particular not deactivate tracing mechanisms on his or her own initiative, and not tamper with the integrity of log files;
  • Log all of his or her actions.