Which University office is primarily responsible for the Policy?
The Policy and these FAQs have been developed by the Provost’s office in collaboration with, among others, the Office of Legal Counsel, IT Services, Human Resources, the University’s Office of Campus Life and Student Services, and the Board of Computing and Academic Services. The FAQs are subject to change and will be updated as needed.
The Office of Legal Counsel, in consultation with IT Services, will prepare annual aggregated summaries of electronic information preservation and access requests pursuant to this Policy for review by the Audit committee of the University Board of Trustees and the Board of Computing and Academic Services.
How will the Policy be disseminated?
The Policy, with a link to these FAQs, will be posted and be distributed electronically to faculty, other academic appointees, postdoctoral researchers, students, staff, affiliates, and guests.
What kinds of electronic information are covered by the Policy?
The Policy covers all electronic information generated, used, or stored by any user of University Information Technology Resources, including documents, files, emails and attachments, research data, voice mails, text messages, and associated metadata.
What equipment is covered by the Policy?
All equipment and information technology services provided by the University are covered by the Policy. University-related information stored on personal computers, laptops, tablets, cell phones, and other electronic devices may also be involved, and the user’s rights and responsibilities in this regard are set forth in other University policies including, but not limited to, the University’s personnel, financial and administrative policies, the Employee Handbook, the Handbook for Faculty and Other Academic Appointees, the Postdoctoral Researcher Policy Manual, the Student Manual, and any other divisional, departmental, or school handbook, manual, policy, or procedure.
How will the Policy apply in the University’s decentralized information technology environment?
As noted in the Policy, local information technology services at the University may have supplemental policies, but those policies cannot diminish University responsibilities or user privacy expectations as provided in the Policy. Questions regarding potential conflicts between the University’s umbrella policy or these FAQs and local policies, rules, and practices should be addressed by local information technology personnel in consultation with their respective chairs, deans, or senior administrators and IT Services and the Office of Legal Counsel.
Who has the authority to initiate preservation and access processes?
Any administrative or academic unit may initiate preservation and access processes. Those requests should be made to the IT organization responsible for that unit and the Office of Legal Counsel. The Office of Legal Counsel will review the nature of the request and relevant facts and then will approve, modify or reject the request in consultation with, depending on the circumstances and user involved, IT Services, the Office of the Provost, the cognizant Dean of Students and/or Office of the Vice President of Campus Life and Student Services, Human Resources, or the relevant Dean’s Office. Although the Office of Legal Counsel works closely with decision makers across the campus, its ultimate legal and ethical duties are to the institution itself.
Is there a difference between preserving electronic information and accessing that information?
Yes. Sometimes the need arises to obtain a backup copy for the purpose of preserving information, while at other times there is a need to access and review the content itself.
Preservation requests typically arise when the University has a legal duty to gather information that is or may become relevant to an actual or potential legal proceeding. In those instances, the Office of Legal Counsel works with the pertinent IT organization to capture the information, secure it for later review, and document a “chain of custody” that reassures everyone involved that the electronic information has not been tampered with. Often, this is the only action that is required. If the preserved information later needs to be accessed and reviewed for purposes of, for example, confirming compliance with applicable laws and University policies, the Office of Legal Counsel will work with IT Services and senior decision makers in the academic or business unit to develop search terms and date ranges that identify only relevant information. If there is no risk of compromising an investigation, complying with the law, or protecting the interests of the University or others, the Office of Legal Counsel will alert the user before conducting such searches.
By contrast, access requests typically arise when an academic or administrative unit has an operational need for access to information that was created or maintained by somebody who has left the University. For example, to ensure research integrity and continuity, a department may seek to have access to the email account of a research administrator who abruptly resigned. A departmental administrator would initiate the process by making a written request to the relevant IT organization and the Office of Legal Counsel. If the request is appropriate, the Office of Legal Counsel would approve the request on the conditions that the requesting unit identify specifically who would need access to the email account; that the access would be time-limited (e.g., 60 days); and that no personal email unrelated to University matters will be accessed.
What situations typically prompt a preservation request?
Often, preservation requests that do not involve an immediate need to access records are made when the University has an obligation to preserve documents in connection with threatened or pending litigation or to comply with federal, state, or local document preservation requirements. For example, the federal Public Health Service Policies on Research Misconduct require institutions to take “all reasonable and practical steps to obtain custody of all research records and evidence needed to conduct” a research misconduct proceeding. Having a clear and complete snapshot of available information not only meets compliance obligations, it also protects users from their own inadvertent mistakes in deleting relevant information or being unable to locate it in their own files. Preservation obligations also arise in connection with threatened or pending litigation. The legal duty to preserve evidence that may be relevant to legal claims is now quite clear, and the failure to take prompt and effective action to secure it may result in severe negative consequences; for more information, see University Policy 2708, Electronic University Records Relevant to Pending or Anticipated Litigation.
What situations typically involve access to content?
The Office of Legal Counsel reviews the content of communications and documents only when legally required to do so or there are other compelling circumstances. Compelling circumstances might be present as part of an internal investigation involving a serious policy violation (e.g., financial non-compliance with a grant or an alleged violation of the University’s Policy on Unlawful Discrimination and Harassment). Convenience and curiosity are never considered compelling circumstances. And when the Office of Legal Counsel determines that a user’s records must be accessed and reviewed, the review is tailored to meet the specific need for information; thus, if a review of metadata, filenames, or directories without content is sufficient, a search will proceed no further. In those circumstances where the content of communications or documents must be reviewed, the search is limited to the maximum extent practicable by working with the senior University decision makers having supervisory authority or control over the user to develop appropriately narrow search terms and date ranges. If a review is needed for business continuity purposes (e.g., email of a departed employee), then approval to access the information is given to a single person or limited set of people, for a limited period of time, and with a directive that no personal email unrelated to University matters will be reviewed.
What does it mean to say that the Office of Legal Counsel will use “reasoned judgment to determine whether requests are legitimate, consistent with this policy and the law”?
The Office of Legal Counsel is accountable both to the University and outsiders that have a legal right to gather and review records maintained here, e.g., regulatory agencies, parties to lawsuits, grand juries, and law enforcement personnel. Reasoned judgment requires a balancing of our obligations to gather information against a user’s privacy interests, and that balance shifts depending on the circumstances. For example, there is little flexibility in responding to valid subpoenas. On the other end of the spectrum, the Office of Legal Counsel typically refuses outright to produce information voluntarily (unless expressly authorized in writing by the person whose information is sought) and discourages or refuses to approve requests when the information can be obtained by other means, preferably, directly from the user or from some other, less invasive source.
What “conditions or other parameters” will the Office of Legal Counsel establish for access to content under the Policy?
The content of a user’s communications or documents will never be reviewed without the approval of the Office of Legal Counsel in consultation with the user’s relevant supervisor, chair, dean or director or, in the event of a conflict, with an appropriate alternative senior administrator. The Office of Legal Counsel responds to access requests with a series of probing questions. Who is seeking the information? Why is the information needed? What specific information is being sought and how will it be used? How important is the need: is it a legal requirement or a business necessity? Are there other, less invasive sources for the information being sought and, if so, have those options been pursued? Has the user been asked to cooperate and, if not, why not? Can notice be provided to the user in advance without compromising an investigation or our obligations to gather, preserve, and review records as required by law or University policies? If advance notice cannot be provided to the affected user, what would be the earliest anticipated opportunity to inform him or her? Who has a genuine “need to know” about the request and process? This type of analysis ensures that valid requests will be honored in a way that respects the user’s privacy as much as practicable under the circumstances.
Will my personal email or internet activity be subject to review if it is unrelated to the matter that prompted a preservation or access request?
Although the Office of Legal Counsel tries to develop search terms and date ranges to obtain only relevant information, it is not always possible to do so. When screening reveals information that is not pertinent to the matter at hand, it is excluded from the information turned over to the requesting party.
What records will be maintained regarding preservation and access requests?
The Office of Legal Counsel has developed a log that records the following information: who made a preservation or access request; the date of the request; the substance of the request; who was consulted in connection with making the decision; the decision itself; whether the user was notified and when; who else at the University was informed of the request, the decision, or the data/information gathering; and when the information was gathered and disclosed to the requesting party.
Do the same standards and processes apply to University monitoring of network activity or traffic logs as they do to preservation and access requests?
IT Services routinely analyzes network activity and traffic logs for the sole and limited purpose of monitoring and addressing University network security and system maintenance needs. If such routine monitoring raises a need to review personal information or the content of communications or documents, IT Services must seek approval from the Office of Legal Counsel.
When do affected parties receive notice of the preservation or access efforts?
Affected users are notified at the earliest opportunity consistent with our obligations to protect others, meet legal requirements, and conduct internal investigations effectively. Preferably, users will receive advance notice. At no time will a user’s personal information be duplicated or accessed without the knowledge of senior University decision makers and the approval of the Office of Legal Counsel. Moreover, absent countervailing legal or business considerations, the Office of Legal Counsel will typically share with the user, on request, the basic types of information collected in its log.
Who else is alerted to preservation or access requests?
The Office of Legal Counsel seeks to limit knowledge of information gathering and review activities only to those with a genuine “need to know.” Typically, University decision makers with a need to know are officers and other University leaders, supervisors, department chairs, deans, or representatives in the Office of the Provost.
Can I object to the preservation or access of electronic information?
Yes, and the Office of Legal Counsel will take all such concerns into consideration when using its reasoned judgment to deny, approve, or modify a preservation or access request. However, sometimes action must be taken without alerting the user; likewise, at times action must be taken over a user’s objection. Unless there are countervailing legal or business considerations, the Office of Legal Counsel normally responds to objections by confirming to the user the reasons for the preservation or access, its scope (e.g., search terms and date ranges), and offering the user a reasonable opportunity to review the information that has been gathered from them. When litigation is anticipated (or pending), such review may be deferred until formal discovery is conducted pursuant to court rules.
Who else will have access to the gathered information?
Typically, the Office of Legal Counsel works with IT Services and/or departmental IT staff to gather electronic information and, if needed, conduct targeted searches for relevant information. The screened information is then disclosed only to University decision makers having a genuine “need to know” and outsiders having a legal right to review the information under applicable law (including, for example, FERPA and HIPAA). The Office of Legal Counsel seeks to protect not only the user’s privacy interests, but also to assure that the smallest number of University decision makers have access only to the smallest practicable volume of relevant information. No one’s interests are served by turning over volumes of unscreened information to outsiders or to decision makers at the University.
Can the University preserve or access information maintained by outside entities?
Although IT Services does have some ability to monitor network traffic between the University network and services hosted by outside entities (for example, Gmail and cloud storage services), this information is not under the University’s control. For this reason, faculty and staff are strongly discouraged from using outside services for University- related academic or business reasons; students and all other users of remotely-hosted services should expect to be personally responsible for not only securing such information as required to comply with applicable privacy and confidentiality laws and University policies, but also for preserving and turning over such information to the University or outsiders having a right to access that information.