10 The Acceptable Use of Information and Communication Systems policy outlines entitlements and responsibilities for the acceptable use of the information and communications systems at WHO.
20 Information and communications systems represent a considerable investment by the Organization and underpin the functioning of critical WHO business processes. The purpose of this policy is to protect the Organization and its staff, interns, consultants, contractors and visitors, referred to hereafter as "WHO users", from illegal or damaging actions. It seeks to promote the efficient, ethical and lawful use of information and communication systems of WHO.
30 Inappropriate use of the WHO information and information and communications systems exposes the Organization to risks, including but not limited to virus attacks, compromise of network and systems integrity, loss of assets, privacy, business continuity, reputation damage and litigation.
40 This policy is applicable to all WHO users who have been given access to WHO information and systems at any location.
50 Irrespective of whether users use WHO provided equipment or personally owned equipment to access WHO information and communication systems, all WHO users are required to respect this policy, any applicable appropriate use policy and all information security directives, standards and guidelines issued by any office of the Organization when using any of WHO's information and communications systems.
60 Any information produced by anyone through use of WHO's information and communication systems is covered by this policy.
70 WHO information and communication systems (including all computing networks, telephony equipment, computers, applications, storage devices, printers and software owned, licensed or leased by or on loan to WHO) are provided to WHO users to support the technical, administrative and other functional areas of WHO.
80 All WHO users are responsible for safeguarding the confidentiality and integrity of the resources to which they were granted access.
Personal use
90 Occasional personal use of WHO information and communication systems for private purposes is permitted if this use does not negatively affect the work performance of the user and does not conflict with the interests of the Organization.
100 Any use for private purposes during work hours should be kept to a minimum, and must not cause any disruption to the work of the individual, or of WHO.
110 Users of WHO telephony systems, including fixed desktop phones and mobile phone devices are accountable for all private calls made. They must observe any policy, including that relating to the reimbursement of the cost of private calls that applies in their workplace.
Specific prescriptions on use
120 Usage that interferes with service to other users in any way, such as the misuse of mailing lists or the propagation of chain letters, viruses or hoaxes.
130 Use not essential to the user's work responsibilities that may lead to a major overload of the system due to the processing of very large quantities of data. This refers in particular to:
- Listening to or viewing audio/video streams via the Internet;
- Use of interactive message services (chat boards);
- Downloading and storing music files;
- Downloading and storing images, including videos;
- Downloading and storing games or playing games online.
140 Use of resources for commercial, political or profit making purposes without prior written authorization, including but not limited to construction and/or hosting of a personal web sites.
150 Use damaging the integrity of WHO or other information and communication systems. This category includes the following activities:
- Attempts to probe or defeat system security: users must not attempt to probe or defeat information and communication system security in any way, including but not limited to, by using scanning, "cracking" or guessing and/or applying the identification or password of another user (this provision does not prohibit WHO authorized staff such as system administrators from using security tools, within the scope of their responsibility and according to the WHO policies and procedures.)
- Unauthorized access or use: users must neither seek to obtain unauthorized access to information or communication systems, nor permit or assist others in doing the same. Users are prohibited from accessing data on information or communication systems they are not authorized to access. Users must not make any deliberate, unauthorized changes to data on any information or communication system.
- Disguised use: users must not conceal their identities when using information or communication systems, except when the option of anonymous access is explicitly authorized. Users are also prohibited from impersonating others or otherwise using any false identity.
- Use of unauthorized devices: without specific authorization, users must not physically or electrically attach any additional devices (including but not limited to non-WHO computers and wireless network routers), or install any software that could potentially impair the performance, integrity, or security of any WHO network, information or communication system.
160 Use in violation of law: illegal use of information and communication systems - that is, use in violation of civil or criminal law at the international or national levels - is prohibited. Depending on where the offence occurs, examples of such uses could include promoting a pyramid scheme; receiving, transmitting, or possessing child pornography; or infringing copyrights.
170 Copyright infringement: users should be aware that copyright laws govern (among other activities) the copying, display, or use of software or other works in digital form (text, sound, images, and other multimedia). Many laws permit use of copyrighted material for research and educational purposes without authorization from the copyright holder (in some jurisdictions, referred to as "fair use"). However, research or educational purposes does not automatically mean that use is permitted without authorization.
180 Use in violation of WHO contracts: all use of information and communication systems must be consistent with WHO's contractual obligations, including limitations defined in software and other licensing agreements.
190 Concealing information: tools that conceal the content of a document, such as encryption or document passwords, should only be used in exceptional circumstances. Whenever these documents form part of the corporate records, access to the content of such documents by authorized parties needs to be accommodated by the document creator. These tools should not be used to deliberately conceal information from authorized parties.
Personal account responsibility
200 Users are responsible for maintaining the security of their own information and communication system accounts and passwords. Password changes must follow published guidelines for passwords. Accounts and passwords are normally assigned to individual users and must not to be shared with any other person. Users are responsible for any activity carried out with their information and communication system accounts.
Access to information and communication systems
210 Use of security scanning systems: by connecting privately owned personal computers or other private information and communication system resources to WHO's network, users consent to the WHO policy on use of scanning programs for security purposes on those resources while connected to the WHO network. For information concerning the use of such devices, please refer to XIV.1.1 paragraph 150.
220 Logs: most information and communication systems routinely log user actions in order to facilitate recovery from system malfunctions and for other management purposes.
230 WHO recognizes users' interest in protecting confidential and private information which might be stored in WHO information and communication systems from unauthorized access. There are nonetheless circumstances in which, following prescribed processes, WHO may access relevant information and communication systems, as described below.
Access for technical purposes
240 Circumstances which may require access by WHO for technical purpose to relevant information and communication systems without the knowledge or consent of the user include the following:
- When it is necessary to identify or diagnose systems or security vulnerabilities and problems, or otherwise preserve the integrity of the information and communication systems;
- When such access to information and communication systems is required to carry out essential WHO business functions.
250 Access for technical purposes does not normally require access to confidential and private material. In case of access to such material, staff members performing the access are bound to maintain confidentiality of information accessed.
260 Process: WHO access for technical purposes without the knowledge and/or consent of the user will normally require the approval of a senior officer appointed for this purpose, such as a regional director or an assistant director-general of the cluster to which the user is assigned, except when access is considered necessary to preserve the integrity of facilities and requires immediate intervention. WHO, through the responsible system administrators, may log all instances of access without consent or knowledge, including cases where approval was not obtained from the appointed senior officer (which case will be brought to the attention of the appointed senior officer for subsequent review).
270 In case of need to access an E-mail account, specific provisions protecting E-mail privacy apply (see section XIV.1.4).
280 The above processes and provisions do not apply when access for technical purposes is made in the presence of the user concerned, or with his or her knowledge or agreement.
290 User access deactivations: in addition to accessing the information and communication systems, WHO, through the appropriate systems administrator, may deactivate a user's information and communication system access privileges. This may be done whether or not the user is suspected of any violation of this policy, where such action is considered necessary to preserve the integrity of facilities, user services, or data. The systems administrator will normally notify the user of any such action.
Access in the context of an investigation of possible misconduct
300 WHO may access the relevant information and communication systems when there are grounds to believe that a breach of WHO's regulations, rules or policies may have taken place and access to such systems may reveal information relevant to an investigation of possible misconduct.
310 Process: WHO access in the context of an investigation of possible misconduct will require the approval of Director, IOS (or a duly designated IOS staff member). Such access will be conducted by IOS with any required technical assistance. To the extent appropriate, the user concerned will be informed of the access and invited to be present when the access is performed. If the user concerned is not present, or in case of refusal to accept or to participate in the access, IOS, through the responsible system administrator, will log all instances of access performed.
320 Reporting of alleged violations: all alleged violations of this policy should be reported to the Global or Regional Service Desk or the appropriate information and communication systems authority responsible for administering this policy in the WHO location involved, who will investigate the allegation and (if appropriate) refer the matter to the relevant WHO authorities.
330 Clearance for staff members leaving the Organization: as part of the clearance process for staff leaving the Organization, all WHO information and communication equipment must be returned, all access revoked and all sums owed to the Organization for any private use must be paid (e.g. private calls made from fixed and mobile phones).
340 Disciplinary procedures: for non-staff members, failure to comply with this policy may result in various measures being taken against the individual or entity concerned, including ongoing compliance measures, removal of access, or for serious cases, termination of contract or initiation of legal proceedings. For staff members, such failure may result also in disciplinary proceedings being initiated, which could ultimately result in a disciplinary measure up to and including dismissal in accordance with WHO Staff Regulations and Rules.