1. Not blocking and Not Monitoring
2. Blocking Only
3. Monitoring Only
4. Blocking and Monitoring

1. General Considerations
2. Agency Specific Considerations

1. Access to Computer Logs
2. Data Practices and Records Retention Issues
3. Blocking Tools
4. Monitoring Tools

Introduction

While there are different acceptable approaches to blocking or monitoring employee Internet activities, any approach requires strong written policies that clearly communicate the agency’s expectations to employees.  Agencies must take care to clearly and expressly notify employees that employer provided computers and computer systems are the property of the State, and therefore, the employee should have no expectation of privacy on issues dealing with any computer-related activity, including Internet browsing and e-mail.  The different approaches to employee computer use may be summarized as follows:

Not Blocking and Not Monitoring

Using this approach, the agency would only respond when agency officials or staff either discover or are told of incidents of computer abuse.  There is no reliance on any technical tools using this approach.  Agencies usually hear about the incidents through word of mouth, co-worker reports, or other "accidental" discovery of computer abuse.  The agency would then deal with these incidents on a case-by-case basis.  Even this approach utilizes computer "logs.”  Throughout the course of the investigation, history files, firewall logs and/or cache files are logged and reviewed.

Blocking Only

There are two basic approaches to blocking software: basic blocking and scan blocking.

Under the basic blocking approach, the agency would purchase a blocking software program and an ongoing subscription to a service that provides updated Internet site addresses to block.  Basic blocking software is a product designed to prevent employees from surfing to sites that have been deemed inappropriate.  When using basic blocking software, the agency may prevent access to a site, but not keep track of who is attempting to visit those sites.  A number of agencies are either currently blocking Internet sites or in the planning process to install basic blocking software. 

Under the scan blocking approach, the agency would again purchase software; however, this software is designed to scan incoming data to determine if it is suitable.  Based on this determination, the software either blocks the incoming data or allows the data to pass through.  This type of software does not require an on-going subscription.  Instead, it builds its own database of blocked sites based solely on agency-established criteria and the user’s activities.

No matter which type of software is used, employees must be notified that blocking software is in use, the sites that are blocked and how to report problems employees experience performing their duties because they are unable to access blocked sites.

Blocking software may also create logs that are used to improve the blocking mechanism.  To improve the blocking tool, the IT or HR professional needs to review the logs to see which inappropriate sites people are still accessing in spite of the blocking software.

Monitoring Only

Monitoring means watching and recording the sites employees are accessing on the Internet (or attempting to access) and the time spent engaged in these activities.  Monitoring usually means that there are people in the agency assigned to review the "logs" and highlight those visits that might be inappropriate.  When an agency monitors employee Internet activities, it is obviously linking individuals to Internet sites they have visited.  This will allow an agency to follow up with those employees who are identified as having visited inappropriate Internet sites.

Blocking and Monitoring

If an agency utilizes both of these methods the agency can prevent people from going to inappropriate sites (blocking) and it can identify those people who attempt to access blocked sites (monitoring).  The combined approach allows the agency to track the amount of time spent on the Internet.

Simply blocking and/or monitoring software will not eliminate the risk of employee misconduct. Even using the most aggressive approach to blocking and/or monitoring Internet transactions, there will always be mechanisms through which inappropriate materials can be downloaded and shared.

Blocking/monitoring software is a complex tool and requires considerable effort to configure correctly.  It is not as simple as just “plugging it in.”  Blocking/monitoring will not stop all inappropriate Internet activity, but it will allow an agency some measure of control over how employees are utilizing these tools.  Misconduct can continue to occur for a number of reasons:

1. A particular website may not be on the “blocked list."
2. Encrypted or zipped files may still be downloaded through third party e-mail accounts or instant messenger programs.
3. Modems may be connected directly to PCs, entirely bypassing firewalls and security systems.
4. Specialized computer programs (e.g., gnutella) or virtual private networks may be used and are extremely hard to track.
5. Different network protocols (i.e., newsgroups) may not be monitored by the products.
6. Floppy disks or CD ROMS or other media can still be exchanged, viewed and distributed without ever being subject to blocking/monitoring.

Agencies must make their own decisions about using blocking/monitoring tools. When exploring its options, an agency will want to bear in mind the following:

1. Agency size. The larger the agency, the more resources will be required to maintain the software, both in terms of employee time and financial resources.  The time and monetary commitment may be prohibitive to smaller agencies.
   
   
2. Agency distribution. It may be easier to communicate policy and administer the blocking/monitoring tools if an agency's web service flows through a single point (all in a single building vs. spread throughout the state).
   
   
3. Technical staff. If the agency has a centralized technical staff, that staff will need to be responsible for a number of administrative tasks associated with these products. If the agency does not have centralized technical staff, it may not be able to properly administer these products.
   
   
4. Agency leadership. Strong agency leadership will be vital in the installation and ongoing support of blocking/monitoring tools. In order for the products to be fully effective, agency leadership must be willing to dedicate the necessary resources. Otherwise, these very useful tools will become useless.
   
   
5. Policies. Blocking/monitoring may require changes to an agency's internal policies on e-mail and Internet use. Be sure to include cross-references to other policies that may be violated depending upon the nature of the e-mail or Internet activities (e.g., sexual harrassment policies, violence in the workplace policies). Determinations will need to be made regarding appropriate and inappropriate use of the Internet (defining inappropriate sites, excessive usage, etc.)
   
   
6. Privacy Issues. Employee response to blocking/monitoring may be negative and include concerns about loss of privacy. Employees should be informed that the State has the right to access and monitor employee use of State equipment, including use that may be of a personal nature. But employees need to also be told how the agency intends to use the data about their activities and that data about an employee's computer usage are classified as private data, in accordance with the Minnesota Government Data Practices Act. (See Minnesota Rules, Chapter 1205, section 1205.0400 for an explanation regarding who has access to private data).
   
   
7. Communication. An agency will need to document an education/communication plan. An agency will want to demonstrate that its employees had been informed as to what constitutes acceptable and unacceptable use of Employer-provided computers and computer systems.

Please note that it is important to understand that blocking/monitoring tools will not only provide better information about inappropriate content, but also better information about inappropriate use.  The agency will need a strategy on how to deal with this information.

Agencies must realize that blocking/monitoring is a tool; it is not a final solution.  Due to the fact that these tools must be maintained, and occasionally updated, the costs associated with these tools are ongoing.  There are also costs associated with the staff time required for installation/administration of these tools.  Without the staff to adequately maintain and administer these tools, they become useless.  If an agency elects to utilize a monitoring software tool, the agency will also need to take a careful look at what the needs of the agency are, and whether the agency has the staff to fulfill the level of administration necessary with a given program.  The agency must carefully study the strengths and shortcomings of the tools it is considering.

Access to Computer Logs

Agencies will need to consider who will have access to the blocking/monitoring information (e.g., the computer logs).  The most logical answer is someone within the IT division, but there may be reasons to have that task lie in other divisions.  The IT staff will need to update, maintain, and administer the tools so it may not be reasonable to expect that staff to also review all of the generated logs.  Instead, agencies may want to have an HR professional review the logs.

Data Practices and Records Retention Issues

Remember that computer logs are subject to data practices and record retention laws.  Agencies will need to consider how to handle requests from the affected employee, the public and perhaps the Unions for access to the computer logs.  There are several considerations here:

1. An approved record retention schedule must be in place that specifies the length of time computer reports and/or logs will be retained.
   
   
2. If firewall logs contain vital information about the agency’s security systems that could substantially jeopardize security if released, such logs could be classified as nonpublic data, in accordance with Minn. Stat. §13.37, Subd. 1(a), and should not be released unless such security information could be effectively redacted.
   
   
3. If the computer logs contain the employee’s name, or other personal information about the employee, such logs are classified as private data, in accordance with Minn. Stat. §13.43, Subd. 4.  This means that the employee is entitled to access that part of the log that contains data about him or her.  In addition, if someone who is not the subject of the data in the logs requests access, all private data will need to be redacted before access is provided.
   
   Please note that according to Minnesota Rules, §1205.0400, because the logs contain private data about employees, access to the logs must be restricted to those employees who reasonably need access to perform their job duties.
   
   
4. If blocking/monitoring logs do not contain security data and do not contain private personnel data, they WILL have to provided on request.
   
   
5. Employees may use the Internet to conduct personal transactions, resulting in personal data being recorded in computer logs, including firewall, blocking, and monitoring logs.  Personal data may include, but is not limited to:

1. Personal financial data (e.g., banking or investment information);
2. Account numbers (e.g. banking, investment, credit card); and
3. Personal e-mail accounts.

Blocking Tools

Once the agency has selected an appropriate blocking tool, it will need to generate a list of sites that will be blocked.  Usually the company that developed the program will have a pre-established list of sites or case sensitive words, but the agency will want to consider if there are any other sites that it would like to add.  If there are, the agency will need to develop procedures for determining which sites or type of content that will be blocked.  For example, it is easy to decide to block all “hate based” Internet sites, but what specifically does that mean?  Does it include white supremacist or racist groups?  Ultra-right wing or ultra-left wing political sites?  Religious group sites?  These are not easy decisions to make, and the agency will want to carefully consider how to handle these questions.

In addition to blocking sites that are inappropriate in their very content, the agency will want to decide if it will attempt to block non-business related sites such as news, weather, cooking, and/or medical based sites.  Please note that the Statewide Policy – “Appropriate Use of Electronic Communication and Technology” – does allow for incidental personal use of State technology, such as e-mail and Internet access.

Agencies and employees need to keep in mind that even if the employee is “surfing” the Internet over his/her lunch or break period for brief periods of time that activity is still subject to monitoring and blocking and the sites visited must conform to agency policy.

Monitoring Tools

Using a monitoring tool, an agency will be able to identify specific individuals who are viewing material that is unacceptable according to the agency’s policies and guidelines.  In light of this ability, an agency must have a plan in place to deal with these types of issues as they arise.  The agency may be assuming some level of legal liability if it becomes aware that an employee is viewing inappropriate Internet sites and does nothing to stop it.

The agency will also need to consider how it will ensure an "objective" review of the monitoring logs and where to draw the line between appropriate and inappropriate use.  The agency will need to designate someone to make these determinations.  The person who is charged with viewing the logs is critically important, due to the potential for viewing sensitive information and private personnel transactions, such as banking or investment sites.  The agency will want to make sure that access to this information is not abused. 

Finally, agencies may also use monitoring tools to determine the length of time an employee spends on an Internet site, which becomes of particular importance when the site is not business related.

Considerations for Not Blocking or Monitoring

If the agency decides to "do nothing" with regards to blocking/monitoring, there remain policy and procedure issues that need to be considered. If an agency has an Internet connection it will generate Internet transaction data and have technical staff reviewing transaction logs to see if the servers are secure, that traffic is flowing freely, etc. What if, in the course of these duties, a server administrator sees what s/he suspects is inappropriate" web access? What procedure should this person follow? Should s/he immediately contact HR? Should s/he conduct some further investigation before making that call? The agency will also want to consider adopting a policy regarding the sharing, distributing, and reporting of Internet transaction data that complies with the Data Practices Act and its implementing rules.