Policy
Overview
Objective
Establish a minimum standard for appropriate use of all City mobile devices and personal mobile devices when conducting City business and/or accessing City data or networks.
Policy statement
By using a City mobile device or a personal mobile device to conduct City business or to access City data, networks, or other IT resources (e.g., email, voice communication, data, text, messaging, etc.), employees acknowledge, understand, and agree to comply with this policy and all applicable citywide policies. Employees who violate this policy may be subject to discipline, up to and including discharge.
Employees must protect the security, availability, and integrity of City of Minneapolis data stored, accessed, transmitted, or processed on a mobile device.
Scope
This policy applies to all employees of the City of Minneapolis.
Key terms and definitions
| Key term |
Definition |
| Mobile Device |
A portable and self-contained electronic device that can store, access, process, or transmit data, text, or email. This can include individual, shared, and test devices. Examples of mobile devices may include, but are not limited to, mobile phones, smartphones, laptops, tablets, and modems allowing laptops to connect to mobile data networks. |
| Personal Mobile Device |
Any mobile device that is not provided by the City. |
| City Mobile Device |
Any mobile device provided by the City. |
| City IT |
Information Technology department of the City of Minneapolis. |
| Incidental Use |
Personal use of City IT resources that is minimal in terms of duration and frequency. The use must not result in any additional costs to the City or loss of City time or resources for their intended business purpose. |
| Information Technology (IT) Resources |
Software, hardware (e.g. computers, telephones, etc.), documentation, programs (e.g. email, voicemail, etc.), systems, networks, information, and devices owned, leased, or provided by the City. |
| Mobile Device Management (MDM) |
Software and business processes that allow IT administrators to control, secure and enforce policies on mobile devices. |
| Security Measures |
Configurations, settings, and communication techniques on a mobile device that control the security, confidentiality, integrity, and availability of the device's data. |
General standards and expectations
This policy should be read in conjunction with other applicable policies.
The Minnesota Government Data Practices Act (the "Act") governs the collection, creation, storage, maintenance, dissemination, and access to government data. Government data is defined in the Act as all data collected, created, received, maintained, or disseminated by any government entity regardless of its physical form, storage media or conditions of use.
By using a City mobile device or a personal mobile device to conduct City business or to access City data, networks, or other IT resources (e.g., email, voice communication, data, text, messaging, etc.), employees acknowledge, understand, and agree to comply with this policy and all applicable Citywide or agency policies. Employees who violate this policy may be subject to discipline, up to and including discharge.
I. Mobile device usage
- Business need requirement. Departments may provide an employee with a City mobile device if the department determines, in its sole discretion, that the use serves a legitimate business need. To determine if there is a legitimate business need, one or more of the following criteria should be considered:
- A mobile device is essential for the employee to perform specific duties listed in their position description.
- A large portion of the employee's job or other factors require the employee to work away from their assigned office or work space.
- The employee does not have an assigned work space and needs to access City system technology to perform their job duties.
- There is a job requirement for a department to contact the employee when they are away from their assigned office or work space or outside their normal work hours.
- Other applicable criteria as determined by the City’s Information Technology department.
Personal mobile devices can only be used to access email and Microsoft 365 data using approved applications, such as the Outlook mobile app, SharePoint, OneDrive, and others in the Microsoft suite of applications
- Discretion to deny, prohibit, or limit use of mobile devices. The City may, at their sole discretion, deny, prohibit, limit, or discontinue employees use of a City mobile device or use of a personal mobile device to conduct City business or to access City data, networks, or other IT resources (e.g., email, voice communication, data, text, messaging, etc.). Although the City may deny, prohibit, limit, or discontinue mobile device usage for any reason, some reasons may include:
- The employee works with sensitive or not public data.
- The employee works in a high security area.
- The department or employee's work is subject to discovery, litigation, or compliance requirements.
- Active or previous misuse of device or access to City data.
- Other applicable criteria as determined by the City’s Information Technology department.
- No expectation of privacy. Employees do not have any right or expectation of privacy when using City mobile devices or when using personal mobile devices for City business and/or to access City data, networks, or other IT resources (e.g., email, voice communication, data, text messaging, etc.).
- City mobile device
- The City maintains the right to monitor, read, examine, seize, or confiscate any City mobile device at any time, with or without cause or notice.
- Employees are expected to maintain the security and privacy of all data classified as private, not public, or confidential under the Act or any other law.
- Personal mobile device
- The use of a personal mobile device for City business and/or to access City data may result in the collection, creation, storage, or maintenance of government data, and this data is subject to the provisions of the Act and all other legal requirements.
- Employees are expected to maintain the security and privacy of all data classified as private, not public, or confidential under the Act or any other law.
- If the City receives a request for data under the Act, or if the City receives a request for data in discovery or in relation to other legal proceedings, the employee is responsible for providing to the City access to any personal mobile device used for City business, and must cooperate with the City’s efforts to obtain such data from the mobile device, which may include providing the personal mobile device to City IT.
- Employees are expected to cooperate with requests from the department or City IT to access personal mobile devices that are used to conduct City business and/or access City data in order to:
- Respond to discovery requests in administrative, civil, or criminal proceedings.
- Audit compliance with City policies and procedures regarding the use of City data.
- Conduct investigations into employee misconduct.
- Other business purposes as determined by the department of City IT.
- To the extent reasonably possible, the City will not retain or use any personal data stored or maintained on the personal mobile device.
- Wage and hour issues
Non-exempt employees under the Fair Labor Standards Act must be compensated for agency work they conduct with their mobile devices, including if the work occurs outside of their normal working hours. The employee must keep track of the time worked and promptly report this time to their supervisor. Non-exempt employees must obtain supervisory pre-approval before working overtime hours.
- Employee safety
In accordance with the City’s Distracted Driving Policy, employees must not talk on a mobile device while driving on work time unless there is a hands-free option. Employees must follow all state laws regarding mobile devices and motor vehicle operation, including the hands-free law and not, under any circumstances, compose, read, or send an electronic message when the vehicle is in motion or a part of traffic, in accordance with state law.
II. City mobile devices
Employees who are issued City mobile devices may use the device for City business purposes only, except as otherwise specifically provided in City policy.
- Authorization
Departments providing City mobile devices are expected to maintain and oversee compliance with this policy, City IT standards, and all applicable municipal, state, and federal laws. Departments are responsible for:
- Determining and documenting the business need for the City mobile device.
- Reviewing and documenting on an annual basis that there is a continued business need for the device.
- Ensuring related documentation is retained in accordance with applicable record retention schedules.
- By using a City mobile device, employees agree to the following conditions:
- The employee allows any required software to be loaded onto the device.
- The employee agrees and abides by the security measures and user authentication methods deemed necessary by City IT and their department.
- At their sole discretion, the employee's department or City IT may remotely wipe all data (business and personal) from the device if required by business necessity.
- The device must be provided on demand for security audits; if there is data content related to a disciplinary or legal proceeding or a data request; or for any other business purpose.
- Private or confidential government data must not be stored or downloaded onto the device except through secure portals established by City IT.
- Device functionality may not be modified except as permitted by City IT or the employee's department.
City mobile devices are City property and employees must comply with all IT requirements with respect to the City mobile device. When an employee is no longer authorized to use a City mobile device, or when the employee separates from the City, the employee must turn in their City mobile device to their supervisor or to City IT.
- Government data
Data collected, created, received, maintained, or disseminated from City mobile devices is considered government data and is subject to the Government Data Practices Act. This information may include but is not limited to:
- Call detail (e.g., time, number, date, duration) of calls appearing on the City mobile device billing account.
- Text messages and emails sent to or received from City-owned mobile devices.
- Any other files such as photos, voicemails, or attachments received or generated while performing City job duties.
- Personal use
Personal use of City mobile devices is allowed only for minimal, incidental use. City IT reserves the right to seek reimbursement for personal use of any City mobile device.
- Loss or theft
If the City mobile device is lost or stolen, the employee must notify the IT Service Desk as soon as possible but no later than the next business day.
III. Personal mobile devices
Departments cannot require an employee to conduct City specifically on a personal mobile device. However, if an employee is required to perform work away from their assigned office or work space, or outside their normal work hours, the department can require the employee to be available to perform work via a method provided by the employee (e.g., personal mobile device, land line, Internet voice). The use of a personal mobile device for multi-factor authentication using a City-approved authentication application does not create or store any data on the personal device. As such, there is no data that could be retrieved from the personal device for data collection.
- Authorization
By using a personal mobile device to conduct City business or access City data or networks, employees agree to the following conditions:
- The City has the authority to monitor use in conducting City business or accessing City data or networks.
- To abide by the security measures and user authentication methods deemed necessary by City IT.
- City IT may, at their sole discretion, wipe all government data and remove access to applications on the device if required by business necessity. During this process, attempts will be made to safeguard personal data and applications, but it cannot be guaranteed.
- The device must be provided on demand for security audits; if there is data content related to a disciplinary or legal proceeding; or for any other business purpose.
- Private or confidential government data must not be stored or downloaded onto the device except through secure portals established by City IT.
Employee must allow City IT to remove and disable any City provided third-party software, services, and government data from the device, or delete such items at the department’s or IT’s direction. Employees must allow this when they no longer use their personal mobile device for City business or to access City data or networks, including when they are no longer authorized to use it for City business, when they separate from the City, or if they choose to no longer use it.
- Government data
By using personal mobile devices to conduct City business, whether the personal mobile device accesses the City’s data or not, employees may intentionally or inadvertently create electronic records on those devices relating to their work. These records may include:
- Text messages
- Voicemails
- Emails
- Other electronic communications or files
In accordance with the Minnesota Government Data Practices Act, Minn. Stat. chapter 13, these work- related records are defined as government data. Employees are expected to manage government data consistent with the Act and in accordance with any applicable retention or security policies. Government data should not be stored solely on a personal mobile device but should also be saved on a City system network drive.
- Data requests
When needed to respond to requests under the Government Data Practices Act or in relation to legal proceedings, the employee must provide access to all requested government data that is on a personal mobile device. This may require the department or City IT to copy the entire device, including personal information, because it may not be able to differentiate or otherwise separate personal and government data.
- Loss or theft
When a personal mobile device that contains government data or accesses City data or networks is lost or stolen, the employee must take steps to protect the security and privacy of the data and networks and comply with applicable security incident requirements. The employee must:
- Report the incident to the IT Service Desk as soon as possible but no later than the next business day.
- Replacement
If the employee whose personal mobile device contains government data or accesses City data or networks gets a new device or replaces their personal mobile device the employee must:
- Remove all City applications and data from the personal mobile device being replaced.
Responsibilities
Department responsibilities
- Adopt and comply with the provisions of this policy.
- Authorize the use of City or personal mobile devices based on business necessity.
- Provide awareness of this policy and City IT’s standards to employees.
- Maintain an escalation process to ensure lost or stolen devices are addressed promptly.
- Develop supplemental addenda as needed, to address department specific needs that are consistent with this policy and the law.
- Safeguard and maintain City devices and applicable software to City security standards.
- Review monthly mobile device billings, just as any other type of billing the department receives. Departments may use their discretion in determining who performs this review.
- Conduct at least an annual review of the individual City mobile device assignments to determine if there is a continuing business need that remains cost justified.
- Collect City mobile devices when the employee separates from the department, or the business need for the City mobile device ceases.
- Ensure separating employees provide to the department (or delete if permitted by the records retention policy) all government data stored on a personal mobile device and ensure all applications on personal mobile devices that allowed access to City data or networks are deleted or disabled.
City IT responsibilities
- Procure City devices based on business necessity and manage applicable City contracts.
- Maintain the technology and security related policies and standards as it relates to mobile devices.
- Administer and maintain this policy.
Employee responsibilities
- Comply with all provisions of this policy.
- Protect the City mobile devices and personal mobile devices that contain government data or access City data or networks from theft, damage, abuse, and unauthorized use.
- Comply with City IT’s security measures and standards.
- Comply with department-specific policies and procedures.
