General
The University intends that authorization for non-law-enforcement University personnel to monitor or review electronic communications or files of employees, including faculty and staff, will not be granted casually. Such authorization will require justification based (a) on business needs or (b) on sufficient cause from reasonably substantiated allegations of violation of law or policy on the part of the faculty or staff member. Authorization must be granted by the University President.
Business Needs
Examples of business needs include but are not limited to:
- the need to have access to the e-mail of an employee who is unexpectedly unavailable and who is conducting time-sensitive negotiations with an outside entity — negotiations of sufficient importance to justify review of the employee’s electronic communications and files when that employee is unable to give consent for that review;
- an urgent and sufficiently serious issue of health or safety.
The University should ordinarily make a diligent effort to enlist the employee’s help in extracting the business materials and, if that help is unavailable, to consider other steps that respect the personal nature of any other materials present. Such steps may include the use of an independent confidential reviewer (a person on the University staff who has no supervisory or management responsibility for the employee whose materials are being reviewed) to extract the business materials.
Investigations of Violations of Law or Policy
Requests for authorization to monitor or review electronic communications or files because of allegations of violations of policy or law by faculty or staff members usually originate with supervisors. They may also originate with a University investigatory authority (looking into a sexual harassment claim, for example). The President will use his or her judgment in determining whether there is sufficient reason to grant such authorization. In these situations, the President will maintain confidentiality and will consult with the Office of the Attorney General if needed, both in deciding whether to authorize monitoring or review and in deciding whether the affected employee or anyone else should be notified that the monitoring or review is taking place.
Circumstances Not Requiring Authorization
Most security tests of computing systems do not constitute monitoring or review of employee electronic communications or files. Consequently, presidential authorization (or that of the Vice President for Strategy and Policy) is not required for appropriate University staff to conduct such security testing, including testing done by system administrators to determine the strength of protection afforded by the passwords the University’s employees select. In no case, of course, should employees reveal their passwords to anyone, including their system administrators. This testing is aimed at revealing weak or “guessable” passwords, and the appropriate response when a weak password is identified is for the employee to change it immediately.
Similarly, presidential authorization is not required for appropriate University staff to review attempts by persons (employees or others) who are not authorized to use University systems to access them.
Presidential authorization is also not required for review by appropriate University staff of records of the numbers employees call using the University’s long-distance telephone system. Such reviews may be routinely conducted as part of departmental management reviews or Internal Audit reviews.
Confidentiality of User Files and Communications
In Case of Death or Serious Disability
As a courtesy to preserve the confidentiality and dignity of our users, in the case of death or a permanent disability that prevents an account holder from making these decisions himself or herself, here is how the Division of Information Technologies will deal with materials present in our systems that were previously available only to the individual account holder:
- We will disable the accounts immediately upon being informed of the death or disability. It is permissible to change the password on the e-mail account and to configure a bounce message that tells correspondents whatever the department wishes to communicate (e.g., “This account is no longer accepting e-mail — you may contact [name, department, e-mail address] for further information”).
- We will archive the materials to CD or other appropriate media when it is no longer appropriate or practical to keep them on servers, and securely store them for a minimum of one year.
- All personal materials will be released only on the instruction of the executor of the estate (for a death) or of the person recognized by a court of law as legally representing the account holder (in cases of serious disability as described above).
- If there is an institutional need for access to business/departmental materials, they will be made available separately from any personal materials after all of the materials have been reviewed by the executor or legal representative, assisted by IT staff. If the executor or legal representative is unavailable or elects not to perform this duty, the review will be performed by an independent confidential reviewer selected by the VP for Information Technologies/CIO.
All of this is done in the context of the University’s policies related to privacy and confidentiality of on-line files and communications (see http://www.boarddocs.com/va/umw/Board.nsf/goto?open&id=8QA4AA7941E4).