The Directorate of Education and School Services' rules on handling of e-mail and internet usage of staff
Unofficial translation (needs review)
Article 1
Purpose, objectives and scope
These rules address how staff at the Centre for Education and School Services (MMS) should interact with work-related e-mail and use the Internet. The rules are also intended to provide staff with information on their rights and obligations in this regard.
These rules are part of the security of the information systems of the Centre for Education and School Services and are intended to increase the operational security of the institution. The rules are intended to ensure a balance between the interests of the MMS, on the one hand, of being able to monitor that the software and hardware provided by the institution is used for the benefit of the institution and on the other hand the interests of the staff of enjoying normal privacy rights in the workplace.
These rules do not apply to personal emails from staff that are not received or sent by the institution's e-mail address ( ).
The purpose of these rules is to inform the users of the Centre of Education and School Services how to handle digital content, interact with e-mail, computer equipment, software and smart devices and conduct online usage, as well as to clarify how the control and responsibility of the Centre of Education and School Services is conducted.
The objective of the rules is to promote a balance between the interests of the Centre for Education and School Services and the interests of users regarding the right to privacy in the workplace. They are also intended to ensure the safety and supervision of users and others subject to electronic monitoring.
Article 2
Definitions
Private email: is an email sent or received by the staff of the Centre for Education and School Services using the Centre's machinery or software, and only concerns the person's private affairs but does not concern the interests of the MMS or the Centre's activities.
Employee-related e-mail: is an e-mail sent or received by MMS staff via MMS software and email address with the ending @mms.is / @midstodmenntun.is / @landsteymi.is and concerns its work or relates to the interests of the institution and its activities.
Internet usage: is the use of the software and hardware provided by the MMS by the person concerned, e.g. to browse the Internet, to receive and send emails or for quick chat (such as Teams).
Internet monitoring: irregular observations due to incidents and ongoing or regular recurrent monitoring by the employer of the use of the Internet by employees.
Electronic monitoring: Monitoring that is ongoing or repeated regularly and involves monitoring of individuals by remote or automatic means and is carried out in public or in an area that is normally visited by a limited group of people. The concept includes:
(a) monitoring that results, is to result or may result in the processing of personal data; and
(b) television monitoring carried out using television cameras, webcams or other equivalent equipment, without the collection of video content or other actions equivalent to the processing of personal data.
Computer system: includes e-mail system and software and hardware needed to connect to the network, i.e. printers, scanners, wireless points and servers.
Article 3
Authorisation for personal use
MMS staff may use the computer system of the Centre for Education and School Services to both browse the Internet and receive and send e-mail, provided such personal use is proportionate and in accordance with these rules. Employees must use their own e-mail addresses for personal use and are strongly encouraged to set up a personal e-mail address to send and receive personal e-mail.
Article 4
Unauthorised Internet use
The following internet usage is not permitted for staff:
Sending circulars that are not relevant to the Centre for Education and School Services' activities, e.g. chain letters or circulars for sales or collections.
Automatic forwarding of e-mail from the e-mail system of the Centre for Education and School Services, e.g. to the personal e-mail address of the employee concerned, unless this is done with the permission of the director or system operator.
Submissions of material that is illegal, indecent, malicious, threatening, brutal, defamatory, hateful, inciting illegal activity or that could give rise to a liability claim against the institution. This applies both to the content of e-mail and to the content of an attachment. The same applies to the use of material that is liable to contain computer viruses.
Use of the institution's computer system to access indecent content on the Internet, such as pornography, and/or to view or save such content in the computer system of the Centre for Education and School Services or on another medium.
Employees are not allowed to connect to or download content such as films and music from illegal sites, including Torrent sites, and save it in the MMS computer system.
To use the MMS computer system for operations that are considered excessive or too costly.
Because of the damage that computer viruses can cause to data in a computer system, staff may not open an e-mail with an attachment from an unknown sender, or open an e-mail attachment identified by endings such as .exe, .vba, .sit or .zip, unless they are satisfied beforehand that this is safe.
Use of the institution's computer system to access and/or download very large files on the Internet, such as films and music, and save them in the computer system of the Centre for Education and School Services.
Otherwise, staff shall comply with instructions from the Director, or another competent employee, not to open or delete emails or links, such as due to the risk of computer virus transmission or other damage to the IT system of the institution. The same applies to actions which may compromise the security of the data of the institution, or which are considered excessive, burdensome or too costly for the IT system of the institution.
If staff receive an e-mail or mistakenly access a website containing such content as referred to in paragraphs 3 and 7 to 1, they shall immediately inform their supervisor and, if applicable, delete the relevant content or close their web browser.
Article 5
Treatment of e-mail
5.1 Private email
Private e-mails of staff may not be inspected. In order to determine whether an e-mail is private, consideration should be given to whether it is:
Identified as a private matter in the subject line, or otherwise so that it is obvious that there is only a private matter.
Stored in a special folder in the employee's work area in the email system that is identified in this way or if otherwise it can be assumed that it is a private matter.
By way of derogation from paragraph 1, the personal e-mail of employees may be inspected if there is an urgent need, such as due to a computer virus or similar technical incident. Such inspection may only be carried out on the instructions of the Director. However, the approval of the employee shall always be sought first, if possible. Even if the employee refuses to grant such approval, he shall be given the opportunity to be present at the inspection. If the employee cannot be present at the inspection himself, he shall be given the opportunity to appoint another person to replace him. If it is not possible to notify the employee of the inspection beforehand, he shall be informed of it as soon as possible. An employee shall have the right to know which person or persons have inspected his personal e-mail.
5.2. Work-related e-mail
Employee-related e-mail, that is, e-mail received at or sent from addresses with the following endings: @mms.is, @midstodmenntun.is and @landsteymi.is, is the property of the Centre for Education and School Services.
Employment-related e-mail can be viewed if:
It is necessary because of the legitimate interests of the MMS, such as to find data when an employee is disqualified, has left his/her job or is suspected of abuse or violations in the workplace.
It is necessary due to incidents, such as if improvements, maintenance or control of computer systems inevitably lead to an e-mail being opened or needing to be opened.
The inspection of e-mail pursuant to paragraph 1 may only be carried out according to the instructions of the Director, but an effort shall always be made to seek the approval of the employee concerned and to give him the opportunity to be present at the inspection. If the employee cannot be present at the inspection himself, he shall be given the opportunity to appoint another person to replace him. This does not apply, however, if the urgent interests of the employee are against waiting for him, such as in the case of a serious failure in the computer system, and the personal interests of the employee are not considered to be of greater importance. If doubt arises, the e-mail may not be inspected unless the employee has been given the opportunity to be present at the inspection first. An employee has the right to know which person or persons have inspected his e-mail.
5.3. Storage and preservation of e-mail
E-mails and their supporting documents that relate to matters in a material manner shall be recorded and stored in the MMS Document Management System. An employee who is not a user of the Document Management System but receives or sends e-mail/mails related to individual matters shall send the e-mail/mails to the person working on the matter or to the document manager. E-mails and their supporting documents may be deleted from e-mail boxes once they have been registered and stored in the MMS Document Management System. E-mails and supporting documents that do not relate to specific matters may be deleted. If an employee is temporarily out of work, he/she shall take steps to ensure that the institution's message that is received by e-mail to him/her is not left unhandled, such as by activating an automatic reply e-mail stating where the message can be searched for.
5.4 About handling e-mails at retirement etc.
An employee shall delete his/her personal e-mail when he/she leaves his/her post. If he/she does not do so, such e-mail will be deleted one month after the employee has left his/her post. At the time of retirement, no e-mail from the employee's e-mail address may be sent to the director's or other staff's e-mail address. At the time of retirement, the employee shall be given the opportunity to take a copy of the personal e-mail.
When an employee leaves his/her post, his/her e-mail address must be immediately blocked. The automatic transmission of e-mails that reach his/her e-mail address at the MMS must then be blocked. The institution's e-mail system must be configured at the same time so that all e-mails to that e-mail address will be returned in the future, along with an indication that the employee has left his/her post and to which of the institution's e-mail addresses the message should now be sent. It must specify the employee's new e-mail address, if he/she wishes to have it included.
Employees may not identify or store e-mails that only concern the activities of the Centre for Education and School Services in such a way that they can be assumed to be private e-mails. E-mails that only concern the activities of the Centre for Education and School Services shall be immediately entered by staff in the relevant matters in the institution's register of issues.
Article 6
Internet and e-mail usage
In work-related e-mail, employees should take care with presentation, spelling and language. Employees should keep in mind that communication via the Internet is not entirely secure and that e-mail is often not suitable for sensitive data or confidential information, especially because of the risk that an unauthorised party may intercept and read the e-mail somewhere along its way or that it may be lost. If it is necessary to send sensitive personal information by e-mail, it is important to send it in an attached document that is locked with a password. The password can be given to the recipient by phone or sent by text message.
Due to the risk of misappropriation of e-mail, all e-mails sent by the Centre for Education and School Services must contain a standard download text, which stipulates that the e-mail may contain confidential information not intended for the reader, along with instructions on how to react in that case. When there is material, e-mails must be encrypted.
The system manager will enter coordinated signatures by e-mail to the institution's staff.
In the MMS e-mail system, a disclaimer containing the following text is attached to correspondence: Please note that this e-mail and its attachments are intended for the addressee only and may contain information that is confidential. If you have received this e-mail and its attachments by chance, mistake or without special permission, we ask you to comply with Article 47, paragraph 9 of the Electronic Communications Act no. 81/2003 and to remain strictly confidential, not read, copy, or otherwise use their content and notify us immediately that they have been received incorrectly. Violations of this concern liability and punishment according to Article 74 of the Act. Please note that this e-mail and its attachments are intended for the named addressee only and may contain information that is confidential and privileged. If you have by chance or mistake or without special authorization received this e-mail and its attachments, we request that you notify us immediately that you have received them in error, maintain strict confidentiality and neither read, copy, nor otherwise use their content in any way.
Article 7
Preservation of information on e-mail and internet usage
All e-mails sent from the e-mail system of the Centre for Education and School Services or received shall be automatically stored. It shall, in accordance with the security policy of the institution, be copied as other data, i.e. every working day.
Employees should be informed that information on their online consultations is stored both on the institution's server and in a browser on each employee's computer. Information on staff's online consultations is stored as information cookies in a browser on computers. Each user can delete his or her information from a browser if he or she wishes.
It is ensured that information on e-mail and, where applicable, internet usage is safely stored so that only the director, system operator and the employee concerned have access to it.
It is not permitted to take measures to preserve information on employee internet usage after retirement. Otherwise, preservation is governed by Article 8 of Act No. 90/2018.
Article 8
System management and user support staff
MMS staff and service providers who manage the institution's computer systems, including the e-mail system and equipment to connect to the network, are absolutely prohibited from using their knowledge and facilities to connect to the computer systems under the username and password of other staff, from passing access control, from opening and reading e-mails they may access during operation and maintenance of the computer system. This applies, among other things, when they assist individual employees, without prejudice to the exception clauses in Articles 5.1. and 5.2.
The same applies to the inspection of any information that may be stored in the MMS computer system on the internet usage of employees and their other personal data, unless there is a reasonable suspicion of criminal conduct and the person concerned shall then be called to the police.
Article 9
Presentation and publication of the Code of Conduct
The MMS managers shall inform staff of these rules upon their entry into force and ensure that they are always accessible to staff and service providers on the MMS website and internal website.
Article 10
Supervision
The supervision of compliance with these rules shall be carried out by the Director or by the person to whom he or she delegates such supervision and shall be in accordance with the applicable laws and regulations at any given time. If the supervision is delegated to a person other than the Director, it shall be notified to the staff of the Agency.
Information obtained for the purpose of monitoring these rules may be used solely for the purpose of monitoring. It may not be disclosed to others, further processed or stored unless with the agreement of an employee. However, material containing information about a suspected criminal act may be disclosed to the police, in which case other copies must be destroyed unless special legitimate interests stand otherwise. In this case, data may be used to contain, present or defend legal claims for judicial proceedings and other legal necessities, e.g. in connection with dismissal from employment.
A person who has been subject to supervision pursuant to paragraph 1 shall be entitled to examine the data obtained about him in connection with the supervision. When a request for such a supervision is received, the Director shall, as soon as possible and no later than within one month, accept the request.
Article 11
The consequences of infringements
Violations of these rules can, according to Act No. 70/1996 on the Rights and Obligations of State Employees, like other violations at work, result in reprimands or, in the case of repeated or serious violations, dismissal from work.
Article 12
Entry into force etc.
These rules are prepared with reference to the Act on the Protection of Privacy and the Processing of Personal Data no. 90/2018, the Data Protection Authority’s notice no. 1001/2001 on guidelines regarding employer supervision of employees’ e-mail and internet usage, the Data Protection Authority’s rules no. 50/2023 on electronic monitoring and in accordance with the National Archives of Iceland’s rules no. 331/2020 on handling, preservation and deletion of e-mails of persons required to deliver. Furthermore, these rules take into account the Electronic Communications Act no. 70/2022 as well as the Public Records Act no. 77/2014, the Data Protection Authority’s rules no. 331/2020 on handling, preservation and deletion of e-mails of persons required to deliver and the Data Protection Authority’s rules on handling e-mail and internet usage.
These rules will take effect as soon as possible.
These rules shall be reviewed as necessary, but not every two years.
June 2025
Þórdís Jóna Sigurðardóttir, director of the Centre for Education and School Services