CFOP 50-22, Acceptable Use of Information Technology - Florida ...

This operating procedure supersedes CFOP 50-22 dated May 27, 2008. 

OPR: ITS 

DISTRIBUTION: A 

CFOP 50-22 

STATE OF FLORIDA 

DEPARTMENT OF 

CF OPERATING PROCEDURE CHILDREN AND FAMILIES 

NO. 50-22 TALLAHASSEE, December 1, 2011 

Systems Management 

ACCEPTABLE USE OF INFORMATION TECHNOLOGY RESOURCES 

This operating procedure establishes acceptable use of Department-owned information technology 

resources for Department employees, other personnel services (OPS), community-based providers 

connecting to the department’s network, as well as contractors and subcontractors. It further outlines 

the responsibilities of employees, other personnel services (OPS), community-based providers 

connecting to the department’s network, and contractors and subcontractors in ensuring the protection 

of confidential information. 

BY DIRECTION OF THE SECRETARY: 

(Signed original copy on file) 

SCOTT STEWART 

Assistant Secretary for 

Administration 

SUMMARY OF REVISED, DELETED, OR ADDED MATERIAL 

The operating procedure has been greatly expanded to provide a complete and concise description of 

the acceptable use of information technology resources.

December 1, 2011 CFOP 50-22 

CONTENTS 

Paragraph 

Chapter 1 – GENERAL 

Purpose ...................................................................................................................... 1-1 

Scope ......................................................................................................................... 1-2 

Authority ..................................................................................................................... 1-3 

Definitions .................................................................................................................. 1-4 

Policy Statement ........................................................................................................ 1-5 

Basic Principles .......................................................................................................... 1-6 

Monitoring of Employee Use of Agency Information Technology Resources ............ 1-7 

Chapter 2 – USE OF THE INTERNET AND E-MAIL 

Purpose ...................................................................................................................... 2-1 

Use of the Internet on Departmental Information Technology Resources ................. 2-2 

Use of E-mail .............................................................................................................. 2-3 

Chapter 3 – USE AND PROTECTION OF CONFIDENTIAL INFORMATION 

Purpose ...................................................................................................................... 3-1 

Guiding Principles ...................................................................................................... 3-2 

Types of Protected Information .................................................................................. 3-3 

Conditions of Use ....................................................................................................... 3-4 

Release of Information ............................................................................................... 3-5 

Sanctions and Other Consequences for Misuse ........................................................ 3-6 

ii


Chapter 1 

GENERAL 

1-1. Purpose. This operating procedure establishes the Department’s policy for the use of 

Department-owned information technology resources (e.g., desktop computers, laptops, tablets, 

Blackberries, smartphones and associated devices). This operating procedure applies to Department 

employees, other personnel services (OPS), community-based providers connecting to the 

Department’s network, consultants, contractors and subcontractors (hereinafter collectively referred to 

as employees). This operating procedure outlines acceptable use of Department information 

technology resources, the responsibilities of employees in ensuring the security and confidentiality of 

Department data and outlines employee responsibilities in the event of a security incident. 

1-2. Scope. This operating procedure applies to all employees accessing Department information 

technology resources at any location. (71A-1.019(1)) 

1-3. Authority. Section 282.318, Florida Statutes, “Security of Data and Information Technology 

Resources,” Chapter 815, Florida Statutes, “Florida Computer Crimes Act,” and, Florida Administrative 

Code, Chapter 71A-1, “Florida Information Resource Security Policies and Standards.” 

1-4. Definitions. 

a. Automatic E-mail Forwarding. Defining a rule within an e-mail account that forwards some or 

all e-mails received to another e-mail account. 

b. Auto Responder. A computer program that automatically answers e-mail sent to it. 

c. Bandwidth. Refers to how much data can be sent or received through a network connection 

given an amount of time. 

d. Blog. A type of website or part of a website usually maintained by an individual with regular 

entries of commentary, descriptions of events, or other material such as graphics or video. Entries are 

commonly displayed in reverse-chronological order. 

e. Blocked Web Site. A web site to which a system administrator has refused users' access. 

f. Brief and Occasional Use of E-mails. Brief refers to the size of the message sent, received or 

downloaded. Usually, a message less than 300 words is considered brief. Occasional use means 

once in a while for a short period of time, similar to the occasional use of the telephone for personal use 

or the occasional trip to a cafeteria or vending machine. 

g. Browsing of Data. To inspect, read or look through information with no specific work 

purpose. 

h. Chain Letter E-mail. A message that attempts to induce the recipient to make a number of 

copies of the e-mail and then pass them on to other recipients. 

i. Chat Room. An interactive, online discussion (by keyboard) about a specific topic hosted on 

the Internet. 

j. Confidential Information. Information that has specific statutory exemption from the public 

records laws. Specific requirements for appropriate levels of data security remain under the purview of 

each agency. 

1-1


k. Data. A collection of facts; numeric, alphabetic and special characters which are processed 

or produced by a computer. 

l. Data Streaming (or Streaming Data/Multimedia). Streaming media technology allows real 

time or on-demand delivery of multimedia content (e.g., YouTube). The media (video, voice, data) is 

received in a simultaneous, continuous stream rather than downloaded all at once then displayed later. 

m. E-Mail Bomb. A form of e-mail abuse consisting of sending huge volumes of e-mail to an 

address in an attempt to overflow the mailbox or overwhelm the server where the e-mail address is 

hosted. 

n. Employee. Department employees, other personnel services (OPS), community-based 

providers connecting to the Department’s network, consultants, contractors, subcontractors, volunteers 

and non-paid staff. 

o. Exempt or Exemption. A provision of general law which provides that a specified record, or 

portion thereof, is not subject to the access requirements of s. 119.07(1), s. 286.011, or s. 24, Art. I of 

the State Constitution. 

p. Firewall. A computer or computer software that prevents unauthorized access to private 

data (as on a company's local area network or Intranet) by outside computer users (as on the Internet). 

q. E-Greeting Card. Electronic greeting card message sent via e-mail; an electronic message 

that looks like a greeting card requesting the recipient to download or install a computer file or visit a 

site. 

r. Inappropriate E-Mail. An e-mail message and/or attachment that contains offensive material. 

This material may include but is not limited to cartoons, messages, jokes, pictures, or stories that make 

fun of or insult a person because of his or her race, color, religion, gender, national origin, disability, 

marital status, or age; fully or partially nude images; pornography; or messages designed to promote a 

particular religion or political activity. 

s. Internet. A global system of interconnected computer networks that are linked together by a 

broad array of electronic, wireless and optical networking technologies and carrying a vast array of 

information resources and services such as hypertext documents; the World Wide Web and the 

infrastructure to support electronic mail. 

t. Inappropriate (Internet) Website. A website that contains offensive material. This material 

may include but is not limited to cartoons, messages, jokes, pictures, or stories that make fun of or 

insult a person because of his or her race, color, religion, gender, national origin, disability, marital 

status, or age; fully or partially nude images; pornography; gambling sites; messages designed to 

promote a particular religion or political activity; or sites that utilize an excessive amount of bandwidth 

such as online radio, television, or movies for purposes other than work. 

u. Information Security Manager. The person designated by the Secretary of the Department to 

administer the Department’s data and information technology resource security program. 

v. Information Technology Resources. Data processing hardware (including desktop 

computers, laptops, tablets, Blackberries, smartphones and associated devices), software and 

services, supplies, personnel, facility resources, maintenance, training, or other related resources. 

w. Mailbot. A software agent in a mail server that is typically used to send an automatic 

response to the sender. 

1-2


x. Malware. Programming (code, scripts, active content, and other software) designed to 

disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain 

unauthorized access to system resources, and other abusive behavior. A general term used to mean a 

variety of forms of hostile, intrusive, or annoying software or program code. 

y. News Group and Bulletin Board Service (BBS). A discussion group on the Internet in which 

participants with similar interests leave messages or other information for participants to read. 

z. Non-Work Hours. Before and after the employee’s supervisor-approved work schedule and 

during the employee’s scheduled lunch. 

aa. Occasional Personal Use (of e-mail, the Internet, or Department computer-related 

equipment). Occasional personal use is the infrequent or limited use of Department e-mail or access of 

the Internet through the Department’s network, and/or Department owned computer-related equipment. 

For example, receiving or sending an e-mail from/to your child’s school to schedule a teacher 

conference is an occasional and appropriate use of the Department’s e-mail. Similarly, reading an 

online article published by the local newspaper is an example of an occasional and appropriate use of 

the Department’s network to access the Internet. 

bb. Privately-Owned Devices. Information technology resources that are not the property of the 

Department. 

cc. Proxy Server. A device that allows other devices to connect to the Internet. It sits between 

information technology resources on a network and the Internet allowing for a secure connection and 

allowing only certain kinds of connections to exist. Proxy servers can be used to log Internet use and 

block access to banned sites. 

dd. Push Technology. The prearranged updating of news, weather, or other selected 

information on a computer user's desktop through periodic and unobtrusive transmission over the 

Internet. 

ee. Social Networking Sites and Social Media. Social media and Web 2.0 are umbrella terms 

that define the various activities that integrate technology, social interaction, and content creation. 

Through social media, individuals or collaborations of individuals create web content, organize content, 

edit or comment on content, combine content, and share content. Social media and Web 2.0 use many 

technologies and forms, including RSS and other syndicated web feeds, blogs, wikis, photo–sharing, 

video–sharing, podcasts, social networking, social bookmarking, mashups, widgets, virtual worlds, 

micro–blogs, and more. Also an Internet-based social site such as LinkedIn, Facebook, and Twitter 

that allows users to build virtual communities for communicating and sharing information. 

ff. Social Security Administration Data. Data provided to the Department by the Social Security 

Administration to help determine eligibility, among other uses. This includes Personally Identifiable 

Information including information used to distinguish or trace an individual’s identity (e.g., name, social 

security number, biometric records, or when combined with other personal or identifying information, 

which is linked or linkable to a specific individual, such as date, place of birth or mother’s maiden 

name). 

gg. System Owner(s). The entity that owns the data and has the primary responsibility for 

decisions relating to a particular data processing system’s specification and usage. 

hh. System Users. Any person or employee who, through State employment, contractual 

arrangement, charitable service, or any other service arrangement and with appropriate approvals, 

would have access to the Department’s facilities, the Department’s information technology resources, 

or the Department’s data for the purpose of conducting business or providing services. 

1-3


ii. Trojan Horse. A program in which malicious or harmful code is contained inside seemingly 

harmless programming or data in such a way that it can get control and do its chosen form of damage. 

jj. Virus. Programming code usually disguised as something else that causes an unexpected 

and usually undesirable event. Many viruses are designed to automatically spread to other computers. 

Viruses can be passed on as attachments to an e-mail, as downloads, or introduced on a non- 

Department media device. 

kk. Work Hours. An employee’s supervisor-approved work schedule, including breaks. 

1-5. Policy Statement. 

a. Employees may be provided access to Department-owned information technology resources 

for Department business purposes. Except as provided herein, all Department data, information, and 

technology resources shall only be used for official Department business. 

b. Inappropriate use of information technology resources, the Internet, Department e-mail, or 

the Department or State’s automated applications and the data contained therein will subject 

employees to disciplinary action, up to and including dismissal as well as criminal charges. 

(71A-1.019(2)) 

c. Inappropriate use of Department owned information technology resources, the Internet, 

Department e-mail, or the Department or State’s automated applications and the data contained therein 

by contracted employees is sufficient cause to terminate the contractual relationship and may result in 

criminal charges. The Florida Computer Crimes Act, Chapter 815, Florida Statutes, addresses the 

unauthorized change, destruction, disclosure, or taking of information resources. 

d. Any requests for exception to any portion of this policy must be in writing, approved by the 

employee’s supervisor and forwarded to the Office of the Chief Information Officer for approval. 

1-6. Basic Principles. 

a. Access to the Internet, Intranet, and e-mail may be granted to an employee as a part of their 

employment. Employees must adhere to all applicable State policies, Department policies and 

procedures, Federal regulations, as well as State and local laws. (71A-1.019(24)) 

b. Employees may use the Internet to access sites for personal use during work and non-work 

hours, provided use is brief, the content is appropriate, and the employee adheres to the guidelines 

contained herein. (71A-1.019(27)) 

c. Only Department approved software shall be installed on Department information technology 

devices. 

(1) Employees are prohibited from using the Department’s Internet or e-mail facilities to 

knowingly download or deliver software or data files. Violations of any software license agreements or 

information services contracts by the unauthorized duplication of software, files, operating instructions 

or reference manuals is prohibited. Employees will not download or install software unless approved by 

the Department’s Office of Information Technology Services. Contact the Information Technology 

Services Help Desk with questions about downloading or installing software. (71A-1.019(31)) 

(2) Any software or files approved for downloading onto Department information 

technology resources become the property of the Department. 

1-4


(3) Any files or software approved for downloading and installation may be used only in 

ways that are consistent with license and copyright. 

d. Employees are prohibited from duplicating licensed software. (71A-1.019(32)) 

e. Employees will protect information from unauthorized change, destruction, or disclosure, and 

will safeguard sensitive and confidential information. 

f. Employees will not attempt to access information technology resources and information to 

which they do not have authorization or explicit consent. (71A-1.019(35)) 

g. Employees must obtain documented authorization before taking information technology 

resources, software, or information away from an agency facility. (71A-1.019(5)) 

h. No privately-owned devices shall be connected to Department-owned information technology 

resources without documented agency authorization. (71A-1.019(33)) 

i. Employees are prohibited from disabling or modifying the installed configuration of encryption 

software, anti-virus protection and personal firewall software on Department-owned information 

technology resources. 

1-7. Monitoring Employee Use of Agency Information Technology Resources. 

a. The Department may check, log, and/or audit Internet activity, e-mail use, and the use of 

Department information technology resources. Employees shall have no expectation of privacy in their 

use of Department information technology resources and the use of Department information technology 

resources constitutes consent to monitoring activities with or without a warning and monitoring and 

auditing may take place without the employee’s knowledge. (71A-1.019(20), 71A-1.019(22), and 

71A-1.019(23)) 

b. The Department may inspect files stored on any network or local computer system, including 

removable media. Employees shall have no expectation of privacy of documents created, stored, sent, 

received, or deleted on Department’s information technology resources (including business and 

personal external and internal e-mails), or any other information technology resource related activity. 

(71A-1.019(21)) 

c. The Department has installed firewalls, proxy servers, Internet web site blocking, reporting 

programs and other security systems to assure the safety and security of the Department network. Any 

employee who attempts to disable, defeat or evade any Department security feature without 

authorization from the Chief Information Officer may be subject to disciplinary action, up to and 

including dismissal. (71A-1.019(2)) 

d. Information technology security activities such as network monitoring, sniffing, penetration 

testing and related security activities shall be performed only by Department Information Technology 

Services employees or those under the direct authority of the Chief Information Officer. 

(71A-1.019(34)) 

1-5


Chapter 2 

USE OF THE INTERNET AND E-MAIL 

2-1. Purpose. This chapter establishes the Department’s policy for the use of Department-owned 

information technology resources by employees when accessing and using the Internet and e-mail for 

business or personal use. (71A-1.019(6), 71A-1.019(7)) 

2-2. Use of the Internet on Departmental Information Technology Resources. 

a. During non-work hours, such as lunch break or before/after scheduled work hours, 

employees may access the Internet for personal use by means of the Department network and 

Department information technology resources provided such use is not inappropriate as described 

herein. 

(1) Personal use must not interfere with or disrupt the normal performance of the 

employee’s job duties. (71A-1.019(8)) 

(2) Usage must not consume significant amounts of IT resources (e.g., bandwidth, 

storage) or compromise the normal functionality of the Department’s systems. (71A-1.019(9)) 

(3) Personal use must not result in any additional cost to the Department. 

b. Examples of Internet activities that are inappropriate and may subject the employee to 

disciplinary action include, but are not limited to, the following: 

activities. 

(1) Engaging in any illegal activities or behavior. (71A-1.019(28)) 

(2) Conducting activities related to the employee’s outside business or commercial 

(3) Using Department-owned information technology resources or the Internet for 

matters directed toward the success or failure of a political party, candidate for political office, or 

partisan political advocacy group. (71A-1.019(28)) 

(4) Using the Internet or any Department-owned information technology resource for 

personal financial gain. (71A-1.019(36)) 

(5) Using Department information technology resources to harass, threaten, or abuse 

others. (71A-1.019(38)) 

(6) Disrupting or causing security breaches to network communication, or 

circumvention, reconfiguration, or other subversion of system and network security measures. 

(71A-1.019(40)) 

(7) Unauthorized access of hacker web-sites/software. (71A-1.019(28)) 

(8) Unauthorized access of peer-to-peer file sharing web-sites/software. 

(71A-1.019(28)) 

(9) Editing, posting comments, providing information, or engaging in any interactive 

online discussions or blogs. 

(10) Access to or joining non-business related chat rooms, singles clubs, bulletin 

boards, or dating services. (71A-1.019(28)) 

2-1


(11) Intentionally accessing, installing, introducing, downloading, or distributing: 

(a) Viruses, worms, Trojan horses, e-mail bombs, malware, or any unauthorized 

files from the Internet. Files obtained from sources off the Department’s network should be scanned for 

viruses before use or distribution. No file received from an unknown source should be opened, 

including files attached to an e-mail message. Call the Information Technology Services Help Desk 

with any questions. 71A-1.019(26) 

(b) E-greeting cards, video files, audio files, screen savers, games, non-work 

related streaming data/multimedia including push technology, auto responder, mailbot, radio, or 

television. If there is a business related purpose to access streaming media or data, you must obtain 

approval from your supervisor and request an exception through your local Regional/Facility 

Information Systems Security Officer. 

(c) Sexually suggestive, sexually explicit, pornographic, offensive, indecent, 

obscene or vulgar material (including off-color jokes or images). (71A-1.019(28), 71A-1.019(37)) 

(d) Material containing profanity or inappropriate language, including, but not 

limited to, obscene material, or material with racial, ethnic, gender or other discriminatory content. 

(e) Material relating to gambling, weapons, illegal drugs and/or drug 

paraphernalia, terrorist activities or violence. 71A-1.019(28) 

c. Although the Department may install filters to block access to inappropriate Internet sites, not 

every inappropriate site can be blocked by a filter. The items above identify examples of inappropriate 

activities and employees should apply careful judgment whenever using Department-owned information 

technology resources to access the Internet. If an employee is connected unintentionally to a site that 

contains inappropriate material (e.g., sexually explicit) the employee must disconnect from that site 

immediately and notify their supervisor. 

d. Social Networking Sites such as LinkedIn, Facebook, and Twitter allow users to build virtual 

communities for communicating and sharing information. Use of specific Social Networking Sites for 

Departmental purposes must demonstrate business value and be approved by the appropriate Director 

or Bureau Chief and Assistant Secretary with concurrence from the Office of the Chief Information 

Officer. Permission to use Department information technology resources or networks to access 

individual social networking sites for non-business purposes, such as college or university sites like 

Blackboard or WebCT requires written authorization from the employee’s supervisor and/or director. 

2-3. Use of E-Mail. Business and personal e-mails sent/received from a Department e-mail account or 

information technology resource are public records. E-mails containing exempt or confidential 

information may be redacted pursuant to Florida statute but the e-mails are still public records. 

a. Confidentiality Notice on E-Mail. The following text is automatically included on all e-mail 

messages sent from the Department to external recipients: 

“CONFIDENTIALITY NOTICE: This message and any attachments are for the sole use 

of the intended recipient(s) and may contain confidential and privileged information that 

is exempt from public disclosure. Any unauthorized review, use, disclosure, or 

distribution is prohibited. If you have received this message in error please contact the 

sender (by phone or reply electronic mail) and then destroy all copies of the original 

message.” 

2-2


b. E-mails received that contain threats to the Department’s information technology resources 

should be reported to your immediate supervisor, Information Technology Services Help Desk, and the 

Office of the Inspector General. 

c. Examples of e-mail activities that are inappropriate and may subject the employee to 

disciplinary action include but are not limited to: 

(1) Participation in any e-mail communication from a Department e-mail account or 

personal Internet e-mail account on Department information technology resource by sending, 

forwarding, or storing any message: 

(a) Which supports a particular religious preference, belief or group. 

(b) That is harassing, intimidating, threatening, or disruptive. (71A-1.019(38)) 

(c) That contains profanity or inappropriate language, including, but not limited 

to, sexually suggestive, sexually explicit, pornographic, obscene or vulgar (including off-color jokes or 

images), or material with racial, ethnic, gender or other discriminatory content. 

activities or violence. 

(d) Related to gambling, weapons, illegal drugs or drug paraphernalia, terrorist 

(e) Directed toward the success or failure of a political party, candidate for 

political office, political campaign, fund raising or partisan political advocacy group. (71A-1.019(39)) 

(f) Any chain letter e-mail. (71A-1.019(26)) 

(2) Using a Department e-mail account to conduct activities concerning the employee’s 

outside business or commercial activities, including sending, storing, or forwarding any message for 

personal gain or associating in any way the employee’s Department e-mail account with an outside 

business or commercial activity. (71A-1.019(36)) 

(3) Automated forwarding of Department e-mail to a destination outside the 

Department’s Intranet. (71A-1.019(26)) 

(4) Deceiving in order to appear as someone else's e-mail account (for example, 

misrepresent an e-mail address) or forging headers is prohibited. Capturing, altering, and 

retransmitting a communication stream in a way that misleads the recipient is prohibited. 

(71A-1.019(26)) 

(5) Solicitations for activities that are not sponsored by the State or the Department. 

This includes, but is not limited to, the advertising or sale of personal property; announcing the sale of 

cookies, candy, magazines, etc, on behalf of an organization or individual; or announcing personal 

events (weddings, showers, or events not related to work). Recognition of employment or retirement 

and ceremonies for employee award programs are State business related functions. 

(6) Sending or participation in any e-mail communication of unencrypted confidential 

client, employee, or Departmental data. (71A-1.019(25)) 

(7) Further, using instant messaging, text messaging, SMS messaging or PIN 

messaging for Department business is prohibited 

2-3


c. Appropriate Use of Personal E-Mail. 

(1) During non-work hours, such as lunch break or before/after scheduled work hours, 

employees may access the personal email accounts such as Gmail or Yahoo for personal use by 

means of the Department network and Department information technology resources provided such 

use is not inappropriate as described herein. This privilege applies only to the browser-based e-mail 

functionality; employees shall not use Outlook, Outlook Express, Eudora, or any other e-mail clients to 

access non-Department e-mail. 

(2) Personal Internet e-mails sent from the Department’s network are permitted as long 

as they are brief, occasional, and not inappropriate. Personal e-mail use must not: 

(a) Interfere with the employee’s productivity or work performance. 

(b) Interfere or disrupt any other employee’s productivity or work performance. 

(c) Adversely affect the security or performance of the network. 

(d) Disclose any government or employer confidential data. 

(3) An employee should contact their Regional/Facilities Information Systems Security 

Officer if any personal or work-related e-mail is suspected of containing a virus. 

2-4


Chapter 3 

USE AND PROTECTION OF CONFIDENTIAL INFORMATION 

3-1. Purpose. This chapter establishes the Department’s policy for use and protection of confidential 

information including personally identifiable information from the Social Security Administration, 

protected health information, Federal tax information from the Internal Revenue Service, vital statistics 

information from the Department of Health, driver license information from the Department of Highway 

Safety and Motor Vehicles, and other confidential or protected information provided to Department 

employees to assist the public. 

3-2. Guiding Principles. The Department is guided by principles of common sense and good 

stewardship in this operating procedure. Employees are expected to help the people we serve, respect 

their rights to privacy and/or confidentiality, and adhere to State and Federal laws that protect those 

rights. Guided by these precepts, the Department sets the following direction for use of confidential or 

protected information: 

a. Employee responsibilities for maintaining confidentiality and security of information are 

defined in this operating procedure as well as required annual security awareness training and form 

CF 114 (available in DCF Forms). Employees are responsible for their use of confidential information 

and are expected to ask questions if they are uncertain about what they may access, how they may use 

information, or what they may share with co-workers, clients, and others. Employees are not to use 

confidential information for any purpose that conflicts with State policy (for example, checking 

information on family members, neighbors, acquaintances, or celebrities for purposes of personal 

curiosity, committing identity theft, or using information for other personal gain). The “browsing” of 

confidential, sensitive, or personal information is prohibited and will result in disciplinary action up to 

and including dismissal. 

b. Employees shall notify their supervisor, Information Systems Security Officer, Information 

Security Manager, or inspector general if they become aware of any actual or suspected misuse of 

information. 

c. Employees who violate confidentiality and security of information requirements will be subject 

to disciplinary and/or legal action in accordance with Department policy and State and Federal law. 

3-3. Types of Protected Information. The Department maintains multiple interagency information 

sharing agreements and obtains confidential information from many agencies, including: 

a. Social Security Administration. THE DEPARTMENT functions as the Florida “state transfer 

component” to share social security information, including personally identifiable information (PII) with 

other State and Federal agencies that have agreements with the Social Security Administration. 

b. Internal Revenue Service. The Department receives Federal tax information (FTI) for 

eligibility determination purposes for individuals who apply for public assistance. 

c. Department of Health. The Department has access to vital statistics information (birth, 

death, and cause of death data) for child welfare, adult protective services, criminal justice coordination, 

and substance abuse and mental health. 

d. Department of Highway Safety and Motor Vehicles. The Department has access to driver 

license information, including photographs, for human resources, child protective investigations, adult 

protective investigations, and public assistance eligibility purposes. 

3-1


3-4. Conditions of Use. The general conditions for using this information are specified in law, the 

employee code of conduct, Department security operating procedure CFOP 50-2, the Department 

security agreement, Security Awareness training, HIPAA training, and individual applications for system 

access. The specific conditions are specified in State and/or Federal law, the Department security 

agreement, annual IT Security Training, applications for access, and this operating procedure. 

Employees are responsible for ensuring that they understand and comply with these conditions. 

3-5. Release of Information. The system owner will make any decisions relating to the release and 

distribution of information in any form (e.g., on-line inquiry, printed reports, microfiche, or any magnetic 

media). No information will be released without the system owner’s prior approval. In an emergency 

situation, the Inspector General’s office may direct the Department Chief Information Officer (CIO) to 

release information. 

3-6. Sanctions and Other Consequences for Misuse. Employees who unlawfully inspect, disclose, or 

otherwise misuse confidential information are subject to disciplinary action by the Department as 

described in the employee code of conduct, and are subject to civil and criminal penalties under 

pertinent State and Federal laws. The table below shows the relevant State and Federal citations for 

misuse of information provided by the Internal Revenue Service, Social Security Administration, 

Department of Health, and Department of Highway Safety and Motor Vehicles: 

Data Source Data Type 

Social Security 

Administration 

Internal 

Revenue 

Service 

Department of 

Health 

Department of 

Highway Safety 

and Motor 

Vehicles 

Personally 

Identifiable 

Information (PII) 

Federal Tax 

Information (FTI) 

Department 

Sanctions 

• CFOP 60-5 


• CFOP 50-22 




Vital Statistics • CFOP 60-5 



Driver’s license 

information 

and/or 

photographs 




3-2 

State Sanctions Federal Sanctions 

• Chapter 382, 

F.S. 

• Section 

119.10, F.S. 

• Section 

775.083, F.S. 

• Privacy Act of 1974 (5 

USC 552a) as amended 

by the Computer Matching 

and Privacy Protection Act 

of 1988 

• Federal Information 

Security Management Act 

of 2002 (44 USC sections 

3541 et seq.) 

• IRC Sections 7431 

• IRC Section 6103 (l) (7) 

• IRC Sections 7213 and 

7213A, 18 USC Section 

1030 (a) (2) 

• IRC Section 7431 

• 45 CFR, Part 46 (Human 

Subjects Research) 

• Health Information 

Portability and 

Accountability Act, or other 

sections. 

• Driver Privacy Protection 

Act (DPPA) (18 USC 

sections 2721 et seq.)

CFOP 50-22, Acceptable Use of Information Technology - Florida ...

Create successful ePaper yourself

Delete template?

Save as template?