If you have questions or concerns about this policy, please contact the ISD Help Desk at 650-363-4108.

I. Introduction

Overview

Policy created on April 28, 2003

This  policy  outlines  the  proper  use  of portable  computers  and  portable  computing  devices available to or used by County of San Mateo employees in support of their assigned duties.

Background

In recent years an increasing number of County employees have acquired access to portable computers to enhance their work. Additionally new portable computing technologies, including Personal Data Assistants (PDA), have become common with employees uploading and downloading County information to these devices. In some cases these tools, both portable computers and portable computing devices, are the personal property of the employee rather than the County but information obtained from any County-owned network or system is the property of the County and devices containing County information are subject to County policies with respect to the acceptable use and security of that information.

As used here a portable computing device is any portable electronic device employed by the user to communicate with, download information from or upload information to the County network or any device attached to the County network.

Portable computers and portable computing devices pose an increased security risk because they may contain private, confidential or sensitive County information, and being portable, are more at risk for loss, theft, or other unauthorized access than the County's desktop computers.

Portable computers and portable computing devices may be more vulnerable to viruses and other such threats because the user may not regularly use virus protection software and other safeguards available to the County's desktop computers.

Portable computers and portable computing devices may be the personal property of County Employees and as such not included in County inventories or known to County management.

Other County Policies

The County has other policies that address specific areas of information security including policies on Internet use, Email and portable computing. Departments may have internal policies that also address information security issues. These policies are cumulative and in the event of conflict, the policies providing the County with the greatest level of security apply.

II. Policy

No County employee or contractor may download to, upload to, or maintain on a portable computer or portable computing device County information considered to be sensitive without the authorization of his or her department head or designee. County Information is defined as sensitive if it considered by the County to be confidential or may be damaging to the County, its employees, its customers and clients.

No County employee or contractor may use a portable computer or portable computing device which is the personal property of the employee or some entity other than the County for a County business purposes or a purpose that supports County business without the written authorization of his or her department head or designee.

III. Employee Responsibilities

County employees who use portable computers are responsible for insuring that the following requirement are met

  1. County owned computers, associated equipment and software are for business use only, not for the personal use of the employee or any other person or entity. Employees will not permit anyone else including, but not limited to, the employee's family and/or associates, clients, clients families, or unauthorized of icers, employees or agents of the County to use County owned personal computers for any purpose.
  2. Employees may not download or instal any software onto any County owned computer except as permitted by department information technology policies.Employees will not connect any additional peripherals to County owned computers without the authorization of the department head or his or her designee.
  3.  Employees assigned portable computers are responsible for the security of the computer, al associated equipment and al data when the equipment is taken to locations outside of County facilities.
  4. Sensitive information that resides on portable computers and portable computing devices must be encrypted.
  5. Portable Computers may remotely attach to the County only through Remote Access systems maintained by the Information Services Department. 
  6. Employees must report any lost or stolen equipment, including personal y owned equipment if it contains County data, or any breach of security or confidentiality to his or her supervisor as soon as possible.

IV. County Department Responsibility

Departments must supply locking security devices with County supplied portable computers. Such devices must al ow the portable computers to be tethered to a non-portable object via the computer's universal security cable slot. Employees are responsible for using the locking device when leaving the computers for any length of time in unsecured locations including County offices.

Department Heads are responsible for the maintenance of an up-to-date list of employees within their organizations who are using portable computers or portable computing devices that may be subject to this policy.

V. HIPAA Compliance

Employees using a portable computer or portable computing device that contains Protected Health Information must maintain client confidentiality as specified in the County's HIPAA compliant information privacy policies.

VI. Violations

Violations will be investigated and may result in disciplinary action up to and including dismissal from County employment. For violations of patient confidentiality, the procedures of the Patient Confidentiality Sanctions Policy as regulated by HIPAA apply.