PURPOSE
_______________________________________________________________

To ensure that all County e-mail communications are used in accordance with applicable laws and County Use of Information Technology Policies. This policy also requires that electronic mail systems be secured to prevent unauthorized access, to prevent unintended loss or malicious destruction of data, and to provide for their integrity and availability.

REFERENCE
_______________________________________________________________

July 13, 2004, Board Order 10 - Board of Supervisors Policy – Information Technology and Security Policy

Health Insurance Portability and Accountability Act (HIPAA) of 1996.

POLICY
_______________________________________________________________

E-mail is provided as a County resource for conducting County business. Access to County e-mail services is a privilege that may be wholly or partially restricted without prior notice or without consent of the user. All e-mail messages are the property of the County and subject to review by authorized County personnel. Staff cannot expect a right to privacy when using the County e-mail system. All County e-mail is subject to audit and periodic unannounced review by authorized individuals as directed by County management. The County reserves the right to access and view all electronic mail messages for any business purpose. Monitoring/investigating employee access to County I/T resources (i.e., e-mail, Internet or employee generated data files) must be approved by department management. If evidence of abuse is identified, notice must be provided to the Auditor-Controller’s Office of County Investigations. County departments shall take appropriate steps to protect all e-mail servers from various types of security threats. Internet based e-mail services shall not be accessed using County information technology resources except for County purposes. E-mail retention must comply with legal requirements, but must be minimized to conserve information technology resources and prevent risk of unauthorized disclosure. Encryption of e-mail may be appropriate or required in some instances to secure the contents of an e-mail message. Compliance Employees who violate this policy may be subject to appropriate disciplinary action up to and including discharge as well as civil and criminal penalties. Non-employees including contractors may be subject to termination of contractual agreements, denial of access and/or penalties both criminal and civil. Policy Exceptions Requests for exceptions to this Board policy must be reviewed by the CIO and approved by the Board of Supervisors. Departments requesting exceptions should provide such requests to the CIO. The request should specifically state the scope of the exception along with justification for granting the exception, the potential impact or risk attendant upon granting the exception, risk mitigation measures to be undertaken by the department, initiatives, actions and a time frame for achieving the minimum compliance level with the policies set forth herein. The CIO will review such requests, confer with the requesting department and place the matter on the Board's agenda along with a recommendation for Board action.

RESPONSIBLE DEPARTMENT
_______________________________________________________________

Chief Information Office (CIO)

DATE ISSUED/SUNSET DATE
_______________________________________________________________

Issue Date: July 13, 2004	Sunset Date: July 13, 2008
Issue Date: August 25, 2008	Sunset Date: July 13, 2012